Malicious

README.docm (MS Word Document) | MD5: 201d86ccf6fe607b6ccdcd63bed5c20f | Size: 288.56 KB | application/msword

Characteristics
MD5: 201d86ccf6fe607b6ccdcd63bed5c20f
SHA1: e98a16eee1f386c9b735bf43c3758a3080c3acbd
SHA256: 90d1fc9272b5cdfba07a71d20338cf56f6bd4db8322cc44fbf7b7c284aaf06cf
SHA384: ac97c6967f9ffb72a6ebc189c6708daa56e75e4f457e8581260889ad9d48607f9987de9f9f2d2eff72c8738823c2c7ae
SHA512: d7997b6daadd64c49feb20c6d61f100676ea011529f58fcf1c5c1107f0474bcc29f75253490fc35e97eb6594f649e6d4e35a7b7351b2ea24d7c521a947df4ca9
SSDeep: 6144:xgvZXFkAqS2EDoT76iNjZoZKACezorEWdAaeZry+P2og:QVl7emisFANdfcuH
TLSH: DE541340D376A59EF083D13D6BE153ECD809759D6340C8E7D61F87EACA02E8EA3645A3
File Structure
[Content_Types].xml
_rels/
    .rels
word/ [Malicious]
    document.xml
    _rels/
        document.xml.rels
        vbaProject.bin.rels
    vbaProject.bin [Malicious]
    media/
        image1.png
        image1.png-preview.png
    theme/
        theme1.xml
    vbaData.xml
    settings.xml
    styles.xml
    webSettings.xml
    fontTable.xml
docProps/
    core.xml
    app.xml
Malware Configuration - URLs in VBA/VBS Code
URL #1: http://192.168.63.132/dowload.pdf
vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: ThisDocument
Blacklist VBA: VBA Macro

Missing P-Code: The Office document under analysis has undergone VBA Purging: the P-Code block within the document is inaccessible, so the compiled code could not be decompiled and only the stored source code, in textual format, remains available for analysis.

VBA Purging consists of removing the PerformanceCache section from the module streams.

To erase all traces of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and every SRP stream that also holds PerformanceCache data is removed. Once the compiled code is gone, antivirus engines and Yara rules which depend on precise string matches are rendered ineffective.

This allows the macros to bypass them effortlessly, since the remaining source code is stored in compressed form.
