Malicious

459a8eb5c77c6a257e9349246b18c664

MS Excel Document | MD5: 459a8eb5c77c6a257e9349246b18c664 | Size: 612.39 KB | application/vnd.ms-excel

Characteristics
Hashes
MD5: 459a8eb5c77c6a257e9349246b18c664
SHA1: 581edcc35bb6751719b9f2a497021800885c0204
SHA256: 3dcc673a854935ef98a19331d51622000a866396a430f81014795b9dca996a04
SHA384: 44c202fd4f4a24fb0bab25c0ce36b9b9dbcee06794cb2db54ecee28f99e50d7f70e189935785c83d735ec4fb93abe401
SHA512: 7fc35013758a486ae3efc78297cb28e531a35bbdef78c5ccb7ef7bb5d2ebba19d3376122cb1a26e8fe5b886911e7156dd472824dedbda3fdf7238674c1eacc27
SSDeep: 12288:k6WfUhPlwLBa9qsoxbM7LIfwuM3ut7aVndUXTPYIH4pmQ:k6WfUl6LBrN+nIflM+RKMgRoQ
TLSH: 53D4239E8D30F88EDD8864722E4F025E8EE575ECF1A6231D0DE142DE4ED8D421B479AD
File Structure
[Content_Types].xml
_rels
.rels
xl
Malicious
workbook.xml
_rels
workbook.xml.rels
worksheets
sheet1.xml
sheet2.xml
sheet3.xml
sheet4.xml
_rels
sheet4.xml.rels
sheet3.xml.rels
theme
theme1.xml
styles.xml
sharedStrings.xml
Root Entry
Malicious
PROJECT
PROJECTlk
PROJECTwm
VBA
Malicious
dir
Sheet2
__SRP_0
__SRP_1
__SRP_2
__SRP_3
__SRP_4
__SRP_5
__SRP_6
__SRP_7
__SRP_8
__SRP_9
__SRP_a
__SRP_b
__SRP_c
__SRP_d
__SRP_e
__SRP_f
__SRP_10
__SRP_11
__SRP_12
__SRP_13
__SRP_14
__SRP_15
__SRP_16
__SRP_17
__SRP_18
__SRP_19
__SRP_1a
__SRP_1b
__SRP_1c
__SRP_1d
__SRP_1e
__SRP_1f
__SRP_20
__SRP_21
__SRP_22
__SRP_23
__SRP_24
__SRP_25
BneLayout
BneVBAGraph
bneMsgLogger
BneVBAGraphs
_VBA_PROJECT
BneLayoutBlock
BneVBAMessages
BneVBAProperty
BneLayoutColumn
BneSummarySheet

BneSummarySheet


[Stored VBA]
Malicious
BneVBAParameter
bneReadOnlyUtils
BneVBAParameters

BneVBAParameters


[Stored VBA]
Malicious
BneVBAProperties

BneVBAProperties


[Stored VBA]
Malicious
BneVBAInterfaceCol
BneDownloadHTTPHandler

BneDownloadHTTPHandler


BneBrowser
f
o
CompObj
VBFrame
BneUploadSettings
f
o
VBFrame
drawings
drawing1.xml
vmlDrawing1.vml
_rels
drawing1.xml.rels
media
image1.jpeg
image1.jpeg-preview.png
printerSettings
printerSettings1.bin
printerSettings2.bin
comments1.xml
calcChain.xml
customXml
item1.xml
itemProps1.xml
item2.xml
itemProps2.xml
itemProps3.xml
item3.xml
_rels
item1.xml.rels
item2.xml.rels
item3.xml.rels
docProps
core.xml
custom.xml
app.xml
customUI
images
UPLOAD.JPG
UPLOAD.JPG-preview.png
DOWNLOAD.JPG
DOWNLOAD.JPG-preview.png
UPLOADALL.JPG
UPLOADALL.JPG-preview.png
RESET_FILTERS.JPG
RESET_FILTERS.JPG-preview.png
GRAPH_VARIATION.JPG
GRAPH_VARIATION.JPG-preview.png
SHOWHIDEFILTERS.JPG
SHOWHIDEFILTERS.JPG-preview.png
GRAPH_ALL.JPG
GRAPH_ALL.JPG-preview.png
MONITOR.JPG
MONITOR.JPG-preview.png
SETTINGS.JPG
SETTINGS.JPG-preview.png
GRAPH_SELECTION.JPG
GRAPH_SELECTION.JPG-preview.png
LOV.JPG
LOV.JPG-preview.png
SWITCHRESP.JPG
SWITCHRESP.JPG-preview.png
customUI.xml
_rels
customUI.xml.rels
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: Indicators
Sheet1: Blacklist VBA, VBA Macro
Sheet2: VBA Macro
bneMain: VBA Stomping (ATT&CK T1564.007), Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is not accessible. As a result, the code could not be decompiled, leaving only the stored source code, in textual form, available for analysis.

VBA Purging essentially involves the removal of the PerformanceCache (compiled P-Code) section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

BneLayout: VBA Macro
BneBrowser: VBA Stomping (ATT&CK T1564.007), Missing P-Code (see note above), Malicious, Malicious Document, Blacklist VBA, VBA Macro

BneVBAGraph: VBA Macro
bneMsgLogger: VBA Macro
BneVBAGraphs: VBA Macro
ThisWorkbook: Blacklist VBA, VBA Macro
BneVBAMessage: VBA Stomping (ATT&CK T1564.007), Missing P-Code (see note above), Malicious, Malicious Document, VBA Macro

BneLayoutBlock: VBA Macro
bneRibbonUtils: Blacklist VBA, VBA Macro
BneVBAMessages: VBA Macro
BneVBAProperty: VBA Macro
BneVBAUploader: Blacklist VBA, VBA Macro
BneLayoutColumn: VBA Macro
BneSummarySheet: VBA Macro
BneVBAParameter: VBA Macro
bneReadOnlyUtils: VBA Macro
BneVBAParameters: VBA Macro
BneVBAProperties: VBA Macro
BneUploadSettings: Blacklist VBA, VBA Macro
BneVBAInterfaceCol: VBA Macro
BneDownloadHTTPHandler: VBA Macro
No malware configuration was found at this point.
Artefacts
Name: Value (Location)
URLs in VB Code - #1: http://www.oracle.com/bne (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin)
URLs in VB Code - #2: http://support.microsoft.com/kb/161930 (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin)
URLs in VB Code - #1: http://www.oracle.com/bne (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin > Root Entry > VBA > BneVBAMessages > [Stored VBA])
URLs in VB Code - #1: http://www.oracle.com/bne (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin > Root Entry > VBA > BneVBAMessages > [Decompiled VBA])
URLs in VB Code - #1: http://www.oracle.com/bne (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin > Root Entry > VBA > BneVBAProperties > [Stored VBA])
URLs in VB Code - #1: http://www.oracle.com/bne (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin > Root Entry > VBA > BneVBAProperties > [Decompiled VBA])
URLs in VB Code - #1: http://support.microsoft.com/kb/161930 (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin > Root Entry > VBA > BneUploadSettings > [Stored VBA])
URLs in VB Code - #1: http://support.microsoft.com/kb/161930 (459a8eb5c77c6a257e9349246b18c664 > xl > vbaProject.bin > Root Entry > VBA > BneUploadSettings > [Decompiled VBA])