Infection Chain
Characteristics
Hash     Hash Value
MD5      5c44f354eb2dbc466dbaa99252660d05
Sha1     58a8820fc7b7ec097ae058a81f270d48f30186fe
Sha256   148a66e153761e6bc969fbc4f98a40ed0a27d52469901eefe8cd6965ab4d09c5
Sha384   441dfd6fbadf00408bfe6c7abb2acf2193dd2efe42b5575455030ce941fb942aaac8b72660403835c836a37c3e86eb8a
Sha512   dd1639c97a7eddb6fc15f961ec4d7b44000c2c0e53ab5f62b991c53509b0027d905b0e4480767d239aa512b70c1056c8de009f4daac995afa8231ec69bedd115
SSDeep   24576:7nsJ39LyjbJkQFMhmC+6GD9d+kk0kqx2ciXD:7nsHyjtk2MYC5GDL+/cYD
TLSH     C745BF32F2D16437D1361FFD8C5BB3A85839BA511E24754E3BE41E8E4E3A2822D652D3

PeID
  BobSoft Mini Delphi -> BoB / BobSoft
  Borland Delphi 4.0
  Borland Delphi v3.0
  Borland Delphi v6.0 - v7.0
  Borland Delphi v6.0 - v7.0
  D1S1G v1.1 beta --> D1N
  D1S1G v1.1 beta --> D1N
  Microsoft Visual C++ v6.0 DLL
  Pe123 v2006.4.4-4.12
(Several mutually exclusive compiler/packer hits are expected here: the signatures matched across the several PE files the report enumerates under Structure below, not a single binary.)
File Structure (OOXML container)
  [Content_Types].xml
  _rels/
    .rels
  xl/   Malicious
    _rels/
      workbook.xml.rels
    workbook.xml
    theme/
      theme1.xml
    styles.xml
    worksheets/
      sheet1.xml
  docProps/
    core.xml
    app.xml
Structure (PE #1, x86)
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers: CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc
    (CODE/DATA/BSS is the Borland/Delphi linker's default section naming, consistent with the Delphi PeID hits)
  Resources (type -> name ID -> language ID)
    RT_ICON    ID:0001 -> ID:0, ID:1055
    RT_STRING  ID:0FE9 through ID:1000 (24 consecutive string-table blocks) -> ID:0 each
    RT_RCDATA  ID:0000 -> ID:0
Structure (PE #2, x86)
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers: tSPxW, .text, .rsrc, .Invalid, Wrong, .Xerin, .reloc, V:TnF)+5
    (non-standard and partly garbage section names; treat this file as packed or post-processed rather than compiler output)
  Resources (type -> name ID -> language ID)
    RT_ICON          ID:0001 -> ID:0
    RT_GROUP_CURSOR4 ID:7F00 -> ID:0
    RT_VERSION       ID:0001 -> ID:0
    RT_MANIFEST      ID:0001 -> ID:0
Structure (PE #3, x86)
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers: CODE, DATA, BSS, .idata, .edata, .reloc, .rsrc
    (an export table is present (.edata), so this file exports functions, as a DLL would)
  Resources (type -> name ID -> language ID)
    RT_RCDATA        ID:0000 -> ID:0
    RT_GROUP_CURSOR4 ID:0000 -> ID:1055
    RT_VERSION       ID:0001 -> ID:2052
Malware Configuration - URLs in VBA/VBS Code
Config. Field   Value
URL #1          https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
URL #2          https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Both payload locations are on legitimate file-hosting services, so the download itself is ordinary HTTPS to a trusted domain; blocking or hunting should key on the full URL (the Google Drive object ID and the Dropbox share path), not on the domains.

5c44f354eb2dbc466dbaa99252660d05 (1.24 MB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection
Module Name     ThisWorkbook
Blacklist VBA   VBA Macro

Missing P-Code: the Office document under analysis has undergone VBA purging. The P-Code block (the PerformanceCache) is absent from the module stream, so the compiled code could not be decompiled and only the compressed source text remains available for analysis.

VBA purging removes the PerformanceCache from each module stream, leaving only the compressed source code that Office recompiles on load.

To erase the remaining traces of the compiled code, MODULEOFFSET (the offset of the compressed source within each module stream, recorded in the dir stream) is set to 0, the _VBA_PROJECT stream is reduced to its version header, and the __SRP_ streams, which also hold PerformanceCache data, are deleted. Antivirus signatures and YARA rules written against strings in the compiled p-code no longer fire.

Because the surviving source is stored in MS-OVBA LZ-compressed form, plain string matches against the raw module stream miss it as well; a scanner has to decompress the stream before matching. The macros still execute, since Office compiles from source whenever the cached p-code is missing or its version does not match.
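Worked example, added here and not code from the original page, the analysed sample or the vbaDNA/MalvaGPT tooling: it implements the MS-OVBA decompression needed to read the "compressed source", decides per module whether the PerformanceCache is present from MODULEOFFSET, gives the project-level purge verdict from MODULEOFFSET plus the presence of __SRP_ streams, and pulls URLs out of the recovered source (it uses the two URLs from the configuration table above). The module streams, offsets, stream names and the VBA source text are all constructed; in a real document they come from the vbaProject.bin OLE container (for example via olefile) and from the MODULE records of the dir stream.

```python
"""Constructed example: MS-OVBA module-stream checks for VBA purging.

Added for this page; not the analysed sample's code and not part of the
vbaDNA tool. Every stream, offset and stream name below is fabricated.
"""
import math
import re
import struct

CHUNK = 4096


def decompress(data: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer (the format VBA source is stored in)."""
    if data[:1] != b"\x01":
        raise ValueError("missing container signature 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))  # size includes header
        chunk_start_out = len(out)                                 # DecompressedChunkStart
        pos += 2
        if not header >> 15:                                       # raw (uncompressed) chunk
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):                                   # one flag bit per token
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):                         # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]     # copy token
                pos += 2
                diff = len(out) - chunk_start_out
                if diff < 1:
                    raise ValueError("copy token before any output in chunk")
                bit_count = max(4, math.ceil(math.log2(diff)))    # offset/length bit split
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                            # byte-wise: overlap is legal
                    out.append(out[-offset])
    return bytes(out)


def compress_literals(src: bytes) -> bytes:
    """Build a valid container with literal tokens only (enough to fabricate test
    streams). Full 4096-byte blocks are stored raw; a real compressor emits copy tokens."""
    out = bytearray(b"\x01")
    for start in range(0, len(src), CHUNK):
        block = src[start:start + CHUNK]
        if len(block) == CHUNK:
            out += struct.pack("<H", 0x3000 | 0x0FFF) + block     # raw chunk, flag bit clear
            continue
        body = bytearray()
        for i in range(0, len(block), 8):
            body.append(0x00)                                      # eight literal tokens follow
            body += block[i:i + 8]
        if len(body) > CHUNK:
            raise ValueError("literal-only chunk would exceed 4098 bytes")
        out += struct.pack("<H", 0x8000 | 0x3000 | (len(body) - 1)) + body
    return bytes(out)


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def analyze_module(stream: bytes, module_offset: int) -> dict:
    """MODULEOFFSET (from the dir stream) is where the compressed source starts;
    the bytes before it are the PerformanceCache (p-code). A purged module has
    MODULEOFFSET == 0 and the container signature as its very first byte."""
    source = decompress(stream[module_offset:]).decode("latin-1")
    return {
        "pcode_bytes": module_offset,
        "purged": module_offset == 0 and stream[:1] == b"\x01",
        "source": source,
        "urls": sorted(set(URL_RE.findall(source))),
    }


def project_purged(modules: dict, stream_names: list) -> bool:
    """Project-level verdict: no module keeps p-code and no __SRP_ stream survives."""
    no_pcode = all(m["pcode_bytes"] == 0 for m in modules.values())
    no_srp = not any(name.startswith("__SRP_") for name in stream_names)
    return no_pcode and no_srp


# Constructed VBA source; only the two URLs are taken from the report above.
SAMPLE_SOURCE = (
    'Attribute VB_Name = "ThisWorkbook"\r\n'
    "Private Sub Workbook_Open()\r\n"
    '    Const u1 = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"\r\n'
    '    Const u2 = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"\r\n'
    "End Sub\r\n"
)
PURGED_STREAM = compress_literals(SAMPLE_SOURCE.encode("latin-1"))  # MODULEOFFSET 0
INTACT_STREAM = b"\xCA\xFE" * 32 + PURGED_STREAM  # 64 fake p-code bytes, MODULEOFFSET 64

if __name__ == "__main__":
    for label, stream, offset in (("purged", PURGED_STREAM, 0), ("intact", INTACT_STREAM, 64)):
        info = analyze_module(stream, offset)
        print(label, "purged=%s pcode_bytes=%d urls=%s" % (info["purged"], info["pcode_bytes"], info["urls"]))
```

The decompressor follows the MS-OVBA chunk layout: a 2-byte header carrying the chunk size, a fixed 0b011 signature and a compressed/raw flag, then flag bytes whose bits select literal bytes or 16-bit copy tokens, with the offset/length split of each copy token depending on how far into the chunk the output already is. olevba's decompress_stream implements the same algorithm, which is why it can still show purged source; a YARA rule that is meant to survive purging should therefore be applied to the decompressed source, not to the raw module stream.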

