Malicious

48d1325ad75a2a4f017e406922183c84

MS Excel Document | MD5: 48d1325ad75a2a4f017e406922183c84 | Size: 583.22 KB | application/vnd.ms-excel

Characteristics
MD5: 48d1325ad75a2a4f017e406922183c84
SHA1: 550a0de8d4c4f0a1e79c7a560a3b689ee9d1318a
SHA256: ed03afe2e38d3b9af9762b6b0731d7f409261c36119d100b2eec7021a6bea8eb
SHA384: 713e32c05c6d06875daa8ee527432aee0a6b0a4b1365733d467dde2af81d3e01c10e70d738282092ff0b6b43fecf80ae
SHA512: 814aa8dbf81a00b0d8bb98190211d73c348feea6007767c6828f115c1bfd5d81546b2618c1ca42e57b73f9e052a16de5d46462fe2d333e9e5e4a2cd4a09d88c1
SSDeep: 12288:NnSOdExq6mqym7VOrvgjYrX6bj2PeX62RQ5s3odXh4eOVN:0OdExom74szyGXNRgsYdx4eO
TLSH: 0BC4236C4928788CC72D1835C60C6BF37E497CC40126A88B3A64B691AF365EF53DF65E
File Structure
[Content_Types].xml
_rels
.rels
xl
Malicious
workbook.xml
_rels
workbook.xml.rels
worksheets
sheet1.xml
sheet2.xml
sheet3.xml
sheet4.xml
sheet5.xml
sheet6.xml
sheet7.xml
sheet8.xml
sheet9.xml
sheet10.xml
sheet11.xml
sheet12.xml
sheet13.xml
sheet14.xml
_rels
sheet1.xml.rels
sheet5.xml.rels
sheet6.xml.rels
sheet7.xml.rels
sheet8.xml.rels
sheet9.xml.rels
sheet10.xml.rels
sheet11.xml.rels
sheet3.xml.rels
sheet12.xml.rels
theme
theme1.xml
styles.xml
sharedStrings.xml
drawings
drawing1.xml
drawing2.xml
drawing3.xml
drawing4.xml
drawing5.xml
drawing6.xml
drawing7.xml
_rels
drawing1.xml.rels
drawing3.xml.rels
drawing4.xml.rels
drawing7.xml.rels
media
image1.png
image1.png-preview.png
image2.png
image2.png-preview.png
image3.png
image3.png-preview.png
image4.png
image4.png-preview.png
image5.png
image5.png-preview.png
image6.png
image6.png-preview.png
image7.png
image7.png-preview.png
Root Entry
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
Sheet8
Sheet9
Sheet14
Sheet17
__SRP_0
__SRP_1
__SRP_2
__SRP_3
__SRP_4
__SRP_5
__SRP_6
__SRP_7
__SRP_8
__SRP_9
__SRP_a
__SRP_b
__SRP_c
__SRP_d
__SRP_e
__SRP_f
Sheet221
Sheet222
[Stored VBA]
Malicious
__SRP_10
__SRP_11
__SRP_12
__SRP_13
__SRP_14
__SRP_15
__SRP_16
__SRP_17
__SRP_18
__SRP_19
__SRP_1a
__SRP_1b
__SRP_1c
__SRP_1d
__SRP_1e
__SRP_1f
__SRP_20
__SRP_21
__SRP_22
__SRP_23
__SRP_24
__SRP_25
__SRP_26
__SRP_27
ThisWorkbook
_VBA_PROJECT
printerSettings
printerSettings3.bin
printerSettings2.bin
printerSettings7.bin
printerSettings1.bin
printerSettings8.bin
printerSettings4.bin
printerSettings6.bin
calcChain.xml
docProps
core.xml
app.xml
48d1325ad75a2a4f017e406922183c84 (583.22 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name
Sheet7
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also house PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches are rendered ineffective.

The macros therefore bypass such signatures with ease, because the only code left in the module streams is the source text in its compressed storage format.

Sheet8
VBA Macro
Sheet9
VBA Macro
CSHA256
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
VBA Macro

Missing P-Code: as for Sheet7 above, the P-Code block is inaccessible (VBA Purging), so only the stored source text was available for analysis.

Module1
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: as for Sheet7 above, the P-Code block is inaccessible (VBA Purging), so only the stored source text was available for analysis.

Module2
Blacklist VBA
VBA Macro

Missing P-Code: as for Sheet7 above, the P-Code block is inaccessible (VBA Purging), so only the stored source text was available for analysis.

Module3
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: as for Sheet7 above, the P-Code block is inaccessible (VBA Purging), so only the stored source text was available for analysis.

Sheet14
VBA Macro
Sheet17
VBA Macro
Sheet221
VBA Macro
Sheet222
VBA Macro
ThisWorkbook
VBA Macro
No malware configuration was found at this point.
Artefacts
Name | Value | Location
URLs in VB Code - #1 | http://www.frez.co.uk | 48d1325ad75a2a4f017e406922183c84 > xl > vbaProject.bin
URLs in VB Code - #1 | http://www.frez.co.uk | 48d1325ad75a2a4f017e406922183c84 > xl > vbaProject.bin > Root Entry > VBA > CSHA256 > [Stored VBA]
URLs in VB Code - #1 | http://www.frez.co.uk | 48d1325ad75a2a4f017e406922183c84 > xl > vbaProject.bin > Root Entry > VBA > CSHA256 > [Decompiled VBA]