Malicious

632568cb2adde20bae264e09e8ef9502

MS Office Document | MD5: 632568cb2adde20bae264e09e8ef9502 | Size: 138.75 KB | application/vnd.ms-office

Characteristics
Hashes:
MD5: 632568cb2adde20bae264e09e8ef9502
SHA1: 87f4659a463e7eef6970ec81dff07ce632693a23
SHA256: cbf238a9bec97b767fe53b13949f5acbaa30c40692216e9628f5f71842c60889
SHA384: a32e326c51fea6f510fc4a5487b8aa697daf19f1c17d9dbec64662f654829d04e787fb8466874629a6ef6f649d82b370
SHA512: 0bdedf62b7d837c21ac8aa853676dd1e6a057997845223beeebfd1d8f6a09cb5982a9a465d34a4539083f6a15cb8f8fa375575dc9b414616ebd2cb2c80913dfe
ssdeep: 3072:1H/pTzyqtdQ2YJlAZiV8TtnAYZv76N7X872:B/pyqvQ3JleikBZj6VXK
TLSH: 7CD3C07874B5EC17FA65C0300EA7C9BEF729FC4468C1410717167B2E693A2E98B66B09

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: ThisDocument
Technique: VBA Stomping (ATT&CK T1564.007)
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

No malware configuration was found at this point.