Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
5f6b4d56557dc8daf07b3f2c0043ae4e
Sha1
b18f9e5ed1f960a6257bcce311434910768e1c29
Sha256
9635f7683247fc44b627853d9eff6454325ada17faffb3cc06e7869e0da3bcdd
Sha384
4f33b989822552ef2bfb879a5907a2c29df06ef1098a204c29b80741a54ad786f1a49b01afe53d1acc8b5468f9c0cfd8
Sha512
98fb63d5f6dd0956fe392265905cbeee3fbd81c40036829b377e0ff798865dc4330fa142a73cb066eb7634a42f0f3c9f6e505ccb49ccd3447c85fc67104a4372
SSDeep
6144:WUkgSqkdQ8HET7S+llYbeKWXAevC93umjM:WL5H6GMlvXzyi
TLSH
2A54235AC25D2BE7F6D1C33657652384D520B59C6ACB419F58AF22D52C20FCEF32118B
File Structure
README_EvilClippy.docm
Malicious
[Content_Types].xml
docProps
app.xml
core.xml
word
Malicious
document.xml
fontTable.xml
settings.xml
styles.xml
vbaData.xml
vbaProject.bin
Malicious
.
Malicious
Root Entry
Malicious
VBA
Malicious
dir
ThisDocument
Malicious
[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Decompiled VBA].deobfuscated.vbs
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
_VBA_PROJECT
PROJECT
PROJECTwm
webSettings.xml
media
image1.png
image1.png-preview.png
theme
theme1.xml
_rels
document.xml.rels
vbaProject.bin.rels
_rels
.rels
Malware Configuration - URLs in VBA/VBS Code
Config. Field
 Value
URL #1

http://192.168.63.132/dowload.pdf
README_EvilClippy.docm (283.21 KB)
File Structure
README_EvilClippy.docm
Malicious
[Content_Types].xml
docProps
app.xml
core.xml
word
Malicious
document.xml
fontTable.xml
settings.xml
styles.xml
vbaData.xml
vbaProject.bin
Malicious
.
Malicious
Root Entry
Malicious
VBA
Malicious
dir
ThisDocument
Malicious
[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Decompiled VBA].deobfuscated.vbs
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
_VBA_PROJECT
PROJECT
PROJECTwm
webSettings.xml
media
image1.png
image1.png-preview.png
theme
theme1.xml
_rels
document.xml.rels
vbaProject.bin.rels
_rels
.rels
Characteristics

vbaDNA - VBA Stomping & Purging Stategy detection

Module Name
ThisDocument
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.
Malware Configuration - URLs in VBA/VBS Code
Config. Field
 Value
URL #1

http://192.168.63.132/dowload.pdf
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙