Infection Chain
Summary by MalvaGPT
Characteristics
Hashes
MD5: 4d56fcd9609e7c2acd345254ad2e3e8b
SHA1: e2aeef2b6df9c510970aa422ad9ff33494f52ebc
SHA256: 9779b841a22ca39777f4230bdc3a8b0bc9cfe5a4f34c232c3c22ece2c38cb44b
SHA384: ca0ec213e39c8e9851ddb9ac42296013c1caffb395b94b33b49330d547f82bc1fb57697dc0613c281020e4684679a608
SHA512: efe58cced8108aa1893dea1106025511dab592a21b1a1992508f18e8cb2a35b25ea0d36eab9ce5d8e87ce63101a27a5200c5a197d1e79ebcb24dcad72e41f26a
SSDeep: 768:oAQP+NAiJQucR7gWUU/X10feOL9Pftike1o2H3Crpl:on+WqQuctgd8mfxllikOXCll
TLSH: 5AF2E03AEA9A6530C347B77B20466D8DF90B5E07D1FEB66F37A591CC8D128514703A82
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.wusd
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Artefacts
Name / Value
URLs in VB Code - #1: http://www.motobit.com
URLs in VB Code - #2: http://Motobit.cz
4d56fcd9609e7c2acd345254ad2e3e8b (34.65 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
Detection: VBA Stomping
ATT&CK: T1564.007
Tags: Malicious, Malicious Document, Blacklist VBA, VBA Macro
Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, as the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, leaving only the stored source code in textual form available for analysis.

VBA Purging consists of removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also hold PerformanceCache data are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

This lets such macros bypass those detections, because the remaining source code is stored in compressed form.

No malware configuration was found at this point.
Artefacts
Name / Value / Location
URLs in VB Code - #1: http://www.motobit.com
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2: http://Motobit.cz
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #1: http://www.motobit.com
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2: http://Motobit.cz
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1: http://www.motobit.com
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2: http://Motobit.cz
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1: http://www.motobit.com
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2: http://Motobit.cz
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #1: http://www.motobit.com
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin
URLs in VB Code - #2: http://Motobit.cz
  4d56fcd9609e7c2acd345254ad2e3e8b > word > vbaProject.bin