Malicious
Characteristics
Hash | Hash Value |
---|---|
MD5 | 5f6b4d56557dc8daf07b3f2c0043ae4e |
Sha1 | b18f9e5ed1f960a6257bcce311434910768e1c29 |
Sha256 | 9635f7683247fc44b627853d9eff6454325ada17faffb3cc06e7869e0da3bcdd |
Sha384 | 4f33b989822552ef2bfb879a5907a2c29df06ef1098a204c29b80741a54ad786f1a49b01afe53d1acc8b5468f9c0cfd8 |
Sha512 | 98fb63d5f6dd0956fe392265905cbeee3fbd81c40036829b377e0ff798865dc4330fa142a73cb066eb7634a42f0f3c9f6e505ccb49ccd3447c85fc67104a4372 |
SSDeep | 6144:WUkgSqkdQ8HET7S+llYbeKWXAevC93umjM:WL5H6GMlvXzyi |
TLSH | 2A54235AC25D2BE7F6D1C33657652384D520B59C6ACB419F58AF22D52C20FCEF32118B |
File Structure
- README_EvilClippy.docm (Zip Archive): VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, DeObfuscated, VBScript, T1059.005, Obfuscated, WinHttp.WinHttpRequest.5.1, ADODB.Stream, Scripting.FileSystemObject, Malicious
  - [Content_Types].xml (Archive Entry)
  - docProps
    - app.xml (Archive Entry)
    - core.xml (Archive Entry)
  - word: Malicious
    - document.xml (Archive Entry)
    - fontTable.xml (Archive Entry)
    - settings.xml (Archive Entry)
    - styles.xml (Archive Entry)
    - vbaData.xml (Archive Entry)
    - vbaProject.bin (Archive Entry, Office Document): VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, DeObfuscated, VBScript, T1059.005, Obfuscated, WinHttp.WinHttpRequest.5.1, ADODB.Stream, Scripting.FileSystemObject, Malicious
      - . : Malicious
        - Root Entry: Malicious
          - VBA: Malicious
            - dir
            - ThisDocument: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro, Malicious
              - [Stored VBA]: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro, Visual Basic, DeObfuscated, VBScript, T1059.005, Obfuscated, Malicious
                - [Stored VBA].deobfuscated.vbs: DeObfuscated, VBScript, T1059.005, Malicious
              - [PCode]: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro, VBA P-Code, Disassembly, Malicious
              - [Decompiled VBA]: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro, Visual Basic, Decompiled, WinHttp.WinHttpRequest.5.1, ADODB.Stream, Scripting.FileSystemObject, DeObfuscated, VBScript, T1059.005, Obfuscated, Malicious
                - [Decompiled VBA].deobfuscated.vbs: DeObfuscated, VBScript, T1059.005, Malicious
              - [Full Diff]: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro, Visual Basic, Malicious
              - [Partial Diff]: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro, Visual Basic, Malicious
            - _VBA_PROJECT
          - PROJECT
          - PROJECTwm
    - webSettings.xml (Archive Entry)
    - media
      - image1.png (Archive Entry)
      - image1.png-preview.png
    - theme
      - theme1.xml (Archive Entry)
    - _rels
      - document.xml.rels (Archive Entry)
      - vbaProject.bin.rels (Archive Entry)
  - _rels
    - .rels (Archive Entry)
Malware Configuration - URLs in VBA/VBS Code
Config. Field | Value |
---|---|
URL #1 | http://192.168.63.132/dowload.pdf |
README_EvilClippy.docm (283.21 KB)
Characteristics
vbaDNA - VBA Stomping & Purging Strategy detection
Module Name | Detection tags |
---|---|
ThisDocument | VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro |