Infection Chain
Summary by MalvaGPT
Characteristics
Hashes

MD5: 6a5c5c5325024b73fb6189ac0fd668d9
SHA-1: 0222c54bdf99491e82451c6d48bb5bb5233c9888
SHA-256: 0f188a5741c7753b90d4e51b6096541e018abfb3db33d502d718ccc29f89e98b
SHA-384: 31c2b26a4106df3ee1b7cc02e3c71fc65f28dadaf2ca215fa1203b3f6ca0baeab2463baceb0badf67d413fe249289d7c
SHA-512: 975a7ff838b5d17d0f96324847d9c27f6b963c01824e3e8329d13deff10325c45f5489b40afdfb32d46e4b15ff0704c6b5df44637ce388fd58ea4408e187b852
ssdeep: 768:uBQP+NAiJQucR7gWUU/G10SVOLtk+iOyztite1o2H3CrpE:uk+WqQuctgdlmSCWXZitOXClE
TLSH: FDF2D029EBCA6621C347B37E20475D8CF51B9A1BD1DFB56736E492CC8D12861C603A47
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.hxra
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
6a5c5c5325024b73fb6189ac0fd668d9 (34.66 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
VBA Stomping (ATT&CK T1564.007)
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: the VBA project in this document has been purged. The P-Code block of the module is not present, so the compiled code could not be decompiled and only the stored (compressed) source text was available for analysis.

VBA purging removes the PerformanceCache (the compiled P-Code) from each module stream, leaving only the compressed source. To erase every trace of the P-Code, the module's MODULEOFFSET record in the dir stream is set to 0, the PerformanceCache carried in the _VBA_PROJECT stream is dropped, and the SRP streams, which hold further PerformanceCache data, are deleted. Office tolerates this because it recompiles the source when it loads the project.

Antivirus signatures and YARA rules that rely on exact string matches against the compiled P-Code therefore no longer fire. The remaining source is stored in MS-OVBA compressed form, so the same strings are not contiguous in the raw module stream either; the source must be decompressed (as olevba does) before string matching against it is meaningful.

No malware configuration was found at this point.
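The purging mechanics described above, as an added example (my code, not the analysis platform's or vbaDNA's): a minimal MS-OVBA decompressor and a literal-only compressor build two constructed module streams, one with a simulated PerformanceCache in front of the compressed source and one purged, and a MODULEOFFSET-based check tells them apart while a naive byte scan for the URL only hits the intact stream. The sample VBA source, the placeholder PerformanceCache bytes and all function names are assumptions.

```python
import struct

# --- constructed sample (not the analysed document's actual streams) ---------
SAMPLE_SOURCE = (
    b'Attribute VB_Name = "NewMacros"\r\n'
    b"' constructed sample module, not the analysed document's code\r\n"
    b"Sub AutoOpen()\r\n"
    b"    Dim url As String\r\n"
    b'    url = "http://www.motobit.com"\r\n'
    b"End Sub\r\n"
)
# Stand-in for the compiled PerformanceCache. Real P-Code is opaque, version-specific
# binary, but its string-constant table keeps literals in the clear, which is what
# exact-match rules key on; simulated here by embedding the literal directly.
FAKE_PCODE = b"\x00" * 16 + b"http://www.motobit.com" + b"\x00" * 16
PATTERN = b"http://www.motobit.com"


def compress_literal_only(data: bytes) -> bytes:
    """Build a valid MS-OVBA CompressedContainer using only literal tokens.
    Single chunk (1..3640 input bytes); a real compressor also emits copy tokens."""
    if not 0 < len(data) <= 3640:
        raise ValueError("demo compressor handles 1..3640 bytes")
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                 # FlagByte: all eight following tokens are literals
        body.extend(data[i:i + 8])
    chunk_size = 2 + len(body)            # CompressedChunkHeader + TokenSequences
    header = ((chunk_size - 3) & 0x0FFF) | 0x3000 | 0x8000   # size | signature 0b011 | compressed
    return b"\x01" + struct.pack("<H", header) + bytes(body)


def decompress(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression (literal tokens, copy tokens, uncompressed chunks)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)
        pos += 2
        chunk_start = len(out)
        if not header >> 15:              # CompressedChunkFlag == 0: raw 4096 bytes follow
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:        # LiteralToken: one raw byte
                    out.append(container[pos])
                    pos += 1
                else:                             # CopyToken: offset/length split depends on position
                    token = struct.unpack_from("<H", container, pos)[0]
                    pos += 2
                    distance = len(out) - chunk_start
                    bit_count = max((distance - 1).bit_length(), 4)   # ceil(log2(distance)), min 4
                    length = (token & (0xFFFF >> bit_count)) + 3
                    offset = (token >> (16 - bit_count)) + 1
                    for _ in range(length):       # byte-wise copy handles overlapping runs
                        out.append(out[-offset])
    return bytes(out)


def analyze_module(stream: bytes, module_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET (a dir stream record) into PerformanceCache
    and compressed source. MODULEOFFSET == 0 with the 0x01 signature at byte 0 means the
    P-Code was purged. (A full check also inspects the _VBA_PROJECT and SRP streams.)"""
    compressed = stream[module_offset:]
    if not compressed or compressed[0] != 0x01:
        raise ValueError("no CompressedContainer at MODULEOFFSET; stomped or corrupt module")
    return {
        "purged": module_offset == 0,
        "pcode_size": module_offset,
        "source": decompress(compressed),
    }


def naive_string_scan(stream: bytes, pattern: bytes = PATTERN) -> bool:
    """What a plain-string rule sees: raw stream bytes, no decompression."""
    return pattern in stream


def build_samples() -> tuple:
    """Return (intact_stream, purged_stream) for the constructed module."""
    compressed = compress_literal_only(SAMPLE_SOURCE)
    return FAKE_PCODE + compressed, compressed


if __name__ == "__main__":
    intact, purged = build_samples()
    for name, stream, off in (("intact", intact, len(FAKE_PCODE)), ("purged", purged, 0)):
        info = analyze_module(stream, off)
        print(f"{name}: purged={info['purged']} pcode={info['pcode_size']}B "
              f"raw_scan_hit={naive_string_scan(stream)} "
              f"source_hit={PATTERN in info['source']}")
```

The raw scan misses the purged stream for the reason the report gives: every run of eight literal bytes is preceded by a flag byte, so a 22-byte URL is never stored contiguously; only the decompressed source contains it.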
Artefacts

Name | Value | Location
URLs in VB Code - #1 | http://www.motobit.com | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2 | http://Motobit.cz | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #1 | http://www.motobit.com | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2 | http://Motobit.cz | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1 | http://www.motobit.com | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2 | http://Motobit.cz | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1 | http://www.motobit.com | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2 | http://Motobit.cz | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #1 | http://www.motobit.com | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin
URLs in VB Code - #2 | http://Motobit.cz | 6a5c5c5325024b73fb6189ac0fd668d9 > word > vbaProject.bin

Both URLs appear in the comment header of the widely copied Motobit Base64 encode/decode VBA functions, so their presence in the NewMacros module points to copied encoding helpers rather than to network infrastructure; treat them as a code-provenance hint, not as C2 indicators, until the decoded payload has been examined.
