Malicious

148a026124126abf74c390c69fbd0bcebce06b600c[...]5fc

MS Excel Document | MD5: 2433e76542036ab53b138a98eeda548a | Size: 94.83 KB | application/vnd.ms-excel

Characteristics
Hash     Hash Value
MD5      2433e76542036ab53b138a98eeda548a
Sha1     fa75a6ce57ec974345eb05a9d5e587a1eef772be
Sha256   148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc
Sha384   7802cc8d02a278d3c8d5c1f53f8af08699461c4f25e48f41e204884e287c4239a67da65544755d2a2eaaa8a1ef6974ab
Sha512   3ae2f70b3d39d85d1befea180ee75815abb20349a90cf3678db2e001d5ac362f68230e30680c897e33a05a6dbc1d8a776505751da043797b15327bb38251d243
SSDeep   1536:cEXdg7zjhJFdTI4uZNMNhC0br1j0EeewkHergIaYtaBQmxcC6VmIjYobFzM4yede:DXi7z9JFtI2hC0bZUewkaANCzpzru3
TLSH     D59302C5346ED453D3FE96BD12AB0559EC8A60ED50EDCB289E9023646080ECB4D1F8FE
File Structure (standard OOXML package layout)
[Content_Types].xml
_rels/
    .rels
xl/  (flagged: Malicious)
    workbook.xml
    _rels/
        workbook.xml.rels
    worksheets/
        sheet1.xml
        _rels/
            sheet1.xml.rels
    drawings/
        drawing1.xml
        _rels/
            drawing1.xml.rels
    styles.xml
    media/
        image3.jpg
        image3.jpg-preview.png
    sharedStrings.xml
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: Sheet 1
Tags: VBA Macro, VBA Purging, ATT&CK T1564.007, Malicious, Malicious Document

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, and only the stored source code (in textual form) remains available for analysis.

VBA Purging consists of removing the PerformanceCache section (the compiled P-Code) from each module stream.

To erase every trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it no longer fire.

The remaining source code is stored only in compressed form, so plain string signatures do not match it either, and the macro passes such checks unless the scanner first decompresses the module stream.

Module Name: ThisWorkbook
Tags: Blacklist VBA, VBA Macro, VBA Purging, ATT&CK T1564.007, Malicious, Malicious Document

No malware configuration was found at this point.