Characteristics

MD5: 316ab7d35cc31cfcb3090e435857a7e4
SHA1: 9cd262fa709ad122d7d697f6947e495d8379b79a
SHA256: 3399333d5145ba202fb5fcddad2ce46ecc9f63d357f9490d62a5d49fad112884
SHA384: afb6e0ce6426aa2dd5179b331a8bba7485f30e3b8406cb01d278bd4a58d2233609d7c7e6f3625b0677e7c7ace798a3d2
SHA512: 41f2958ca2869410893ba45bf8cda2ce49bac4b960fe73c937fcb615dea47aa527547f06e5aa1c117ab359a670387983da8d891a0a40665f8a73b706b790733e
SSDeep: 768:42QP+NAiJQucR7gWUU/510d4OLFBkAgptiCe1o2H3Crp+:41+WqQuctgdGmdXPNciCOXCl+
TLSH: 3EF2E019BBDB6520C34BB37E70065D8CF50B5E17E2DEB66636A092CC8D52D5246037CB
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.ogjm
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Artefacts

Name: Value
URLs in VB Code - #1: http://www.motobit.com
URLs in VB Code - #2: http://Motobit.cz
316ab7d35cc31cfcb3090e435857a7e4 (34.66 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

No malware configuration was found at this point.
Artefacts

Name: Value (Location)
URLs in VB Code - #1: http://www.motobit.com (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin)
URLs in VB Code - #2: http://Motobit.cz (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin)
URLs in VB Code - #1: http://www.motobit.com (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros)
URLs in VB Code - #2: http://Motobit.cz (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros)
URLs in VB Code - #1: http://www.motobit.com (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA])
URLs in VB Code - #2: http://Motobit.cz (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA])
URLs in VB Code - #1: http://www.motobit.com (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA])
URLs in VB Code - #2: http://Motobit.cz (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA])
URLs in VB Code - #1: http://www.motobit.com (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros > [Full Diff])
URLs in VB Code - #2: http://Motobit.cz (316ab7d35cc31cfcb3090e435857a7e4 > word > vbaProject.bin > VBA > NewMacros > [Full Diff])
