Characteristics

Hash     Value
MD5      44767d1ee04bab52f99fb0ca26440987
SHA1     bcdae44c2dd384c00d61ee3323d20077912a1fe9
SHA256   78e22cf4ce317530bbefe5017b16423aa99bb949543ca905e983a1fd1b84fa9c
SHA384   af998f70d92b4518a54f3a2f7277642620c3b05a38f5c12ea49a6ce6ee033f83898556bbf20ff30b573faf9589217bee
SHA512   5df8d61ffbe1545d424b78980d71110a458e6a3daec362889d7de833b1f981820d9b9a54b6ffc413b8a6ea15c7d7c5fd1c65bc4d969fdc1cba393e911c2fbfc4
SSDeep   768:23QP+NAiJQucR7gWUU/A10IXOLB+dTiGVtiLe1o2H3CrpW:2y+WqQuctgdfmIgMdTiGbiLOXClW
TLSH     1DF2E019EB8A7170C74BB37A20466D8CF90A5E37E1DE766B76D091CCCD02C92C603A87
File Structure

[Content_Types].xml
_rels/
    .rels
docProps/
    thumbnail.jpeg
    thumbnail.jpeg.exif
    thumbnail.jpeg-preview.png
    Structure
        DosHeader
        PE Header
        Optional Header (x86)
        Section Headers
            .text
            .rdata
            .data
            .reloc
            .shzp
    app.xml
customXml/
    itemProps1.xml
    _rels/
        item1.xml.rels
    item1.xml

The tree is reproduced as the platform renders it. It shows a PE layout (DOS header, x86 optional header, sections .text, .rdata, .data, .reloc and a non-standard .shzp) but does not list the word/vbaProject.bin part to which the VBA artefacts below are attributed.
44767d1ee04bab52f99fb0ca26440987 (35.82 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
Technique: VBA Stomping (ATT&CK T1564.007)
Tags: Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: the document has undergone VBA purging. The P-Code block (PerformanceCache) of the module is absent, so the compiled code could not be decompiled and only the stored source, in its compressed textual form, is available for analysis. The ATT&CK tag applied above, T1564.007 (VBA Stomping), is the entry under which manipulation of the P-Code/source pair is catalogued; the variant found here is purging (P-Code removed, source kept), not classic stomping (P-Code kept, source replaced).

VBA purging removes the PerformanceCache from each module stream, the part of the stream that precedes the compressed source. To leave no trace of the P-Code, the module's MODULEOFFSET record in the dir stream, which normally gives the length of the PerformanceCache, is set to 0; the _VBA_PROJECT stream, which holds the project-level PerformanceCache, is typically cut back to its 7-byte header; and the __SRP_n streams, which also carry PerformanceCache data, are deleted. The macro still runs, because Office recompiles the source whenever cached P-Code is missing.

Once the compiled code is gone, antivirus signatures and YARA rules that match literal strings in the uncompressed P-Code no longer fire. The surviving source is stored in MS-OVBA compressed form, in which a flag byte is interleaved every eight tokens and repeated substrings are replaced by two-byte copy tokens, so even the source text does not exist contiguously in the file. A rule therefore has to decompress the module stream (as olevba does) before string matching, or key on the purging itself: a MODULEOFFSET of 0, no __SRP_n streams, a 7-byte _VBA_PROJECT stream.
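As an added example (not the platform's code and not the macro from this sample), the following Python models what the paragraphs above describe: an MS-OVBA (section 2.4.1) compressor and decompressor, a module stream built from a constructed VBA source and a stand-in PerformanceCache, the purge step (PerformanceCache dropped, MODULEOFFSET set to 0), and a comparison of what a raw-byte string rule and a decompressing rule each find before and after. The sample VBA text, the FAKE_PCODE bytes and the helper names are all constructed for the example; only the two URLs come from the report.

```python
# Added example, not the report's or any platform's code: MS-OVBA 2.4.1 compression and
# decompression, plus a module stream before and after VBA purging. Inputs are constructed.
CHUNK = 4096
URLS = (b"http://www.motobit.com", b"http://Motobit.cz")  # the report's two artefacts
SAMPLE_SOURCE = (  # constructed stand-in for NewMacros; the report shows only the two URLs
    'Attribute VB_Name = "NewMacros"\n'
    "' http://www.motobit.com\n' http://Motobit.cz\n"
    'Sub AutoOpen()\n    Dim s As String: s = "http://www.motobit.com"\nEnd Sub\n'
).encode("latin-1")
# Stand-in PerformanceCache: real P-Code is opaque binary, but string literals sit in it
# uncompressed, which is what raw-byte signatures rely on.
FAKE_PCODE = b"\x01\x16\x03\x00" * 4 + b"\x00".join(URLS) + b"\x00" * 8

def _bit_count(pos):
    # CopyToken split (2.4.1.3.19.1): the offset field widens with distance into the chunk
    return max(4, (pos - 1).bit_length())

def _compress_chunk(chunk):
    body, pos, n = bytearray(), 0, len(chunk)
    while pos < n:
        flag, tokens = 0, bytearray()
        for i in range(8):  # one flag byte governs the next eight tokens
            if pos >= n:
                break
            bits = _bit_count(pos)
            max_len = (0xFFFF >> bits) + 3
            best_len = best_off = 0
            for off in range(1, min(pos, 1 << bits) + 1):  # longest earlier match, overlap allowed
                length = 0
                while (length < max_len and pos + length < n
                       and chunk[pos + length - off] == chunk[pos + length]):
                    length += 1
                if length > best_len:
                    best_len, best_off = length, off
            if best_len >= 3:  # copy token: offset-1 in the high bits, length-3 in the low bits
                tokens += (((best_off - 1) << (16 - bits)) | (best_len - 3)).to_bytes(2, "little")
                flag |= 1 << i
                pos += best_len
            else:
                tokens.append(chunk[pos])
                pos += 1
        body.append(flag)
        body += tokens
    if len(body) > CHUNK:  # incompressible: raw chunk, flag bit clear, 4096 literal bytes
        return (0x3000 | (CHUNK - 1)).to_bytes(2, "little") + chunk.ljust(CHUNK, b"\x00")
    return (0xB000 | (len(body) - 1)).to_bytes(2, "little") + bytes(body)

def compress(data):
    """CompressedContainer: 0x01 signature, then one chunk per 4096 input bytes."""
    return b"\x01" + b"".join(_compress_chunk(data[s:s + CHUNK]) for s in range(0, len(data), CHUNK))

def decompress(data):
    """Inverse of compress(); the same algorithm olevba applies to a module stream."""
    if data[:1] != b"\x01":
        raise ValueError("not an MS-OVBA CompressedContainer")
    out, i = bytearray(), 1
    while i < len(data):
        header = int.from_bytes(data[i:i + 2], "little")
        if header & 0x7000 != 0x3000:
            raise ValueError("bad chunk signature")
        end = min(len(data), i + (header & 0x0FFF) + 3)
        i, chunk_start = i + 2, len(out)
        if not header & 0x8000:  # raw chunk
            out += data[i:end]
            i = end
            continue
        while i < end:
            flag, i = data[i], i + 1
            for bit in range(8):
                if i >= end:
                    break
                if not flag >> bit & 1:  # literal token
                    out.append(data[i])
                    i += 1
                    continue
                token, i = int.from_bytes(data[i:i + 2], "little"), i + 2
                bits = _bit_count(len(out) - chunk_start)
                length = (token & (0xFFFF >> bits)) + 3
                src = len(out) - ((token >> (16 - bits)) + 1)
                for _ in range(length):  # byte-wise copy so overlapping matches work
                    out.append(out[src])
                    src += 1
    return bytes(out)

def build_module_stream(source, performance_cache):
    """Intact module stream: PerformanceCache, then compressed source; MODULEOFFSET is its length."""
    return performance_cache + compress(source), len(performance_cache)

def purge_module_stream(stream, module_offset):
    """VBA purging as described above: drop the PerformanceCache, set MODULEOFFSET to 0."""
    return stream[module_offset:], 0

def inspect_module(stream, module_offset, needles=URLS):
    """What the P-Code check, a raw string rule, and a decompressing rule each see."""
    source = decompress(stream[module_offset:])
    return {"pcode_present": module_offset > 0,
            "raw_hits": [n for n in needles if n in stream],      # naive rule on raw bytes
            "source_hits": [n for n in needles if n in source]}   # rule after decompression
```

On the intact stream, inspect_module reports pcode_present True and both URLs in raw_hits. After purge_module_stream, pcode_present is False and raw_hits is empty: the first copy of each URL is broken up by the flag byte that precedes every group of eight literal tokens, and the repeated copy becomes a two-byte copy token. source_hits still lists both URLs, which is why a rule meant to survive purging has to run on the decompressed module (the output olevba produces) or on purging's own side effects rather than on raw stream bytes.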

No malware configuration was found at this point.
Artefacts

Name                    Value
URLs in VB Code - #1    http://www.motobit.com
URLs in VB Code - #2    http://Motobit.cz

Both values are reported at each of the following locations inside 44767d1ee04bab52f99fb0ca26440987:

word > vbaProject.bin
word > vbaProject.bin > VBA > NewMacros
word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
word > vbaProject.bin > VBA > NewMacros > [Full Diff]

The two URLs match the attribution comment carried by Motobit's widely copied Base64Encode/Base64Decode VBScript routines, so their presence most likely means the module embeds that Base64 code (a common way to decode an embedded payload) rather than that either host is contacted; do not promote them to network indicators on that basis alone. The [Decompiled VBA] location also sits oddly beside the finding above that the P-Code could not be decompiled, and should not be taken as evidence that compiled code was recovered.
