Infection Chain
Summary by MalvaGPT
Characteristics
Hash      Hash Value
MD5       775186db727a3218ea45a3bcd51072aa
SHA1      97f833b00edd5144fd6e3122e3fcb5b51a064692
SHA256    fb897c9c6dcfef94e6a2cea168ff19bd448af3205b19aeaed2d4ed5df1354452
SHA384    c974052e4881aa51bc2c4550af7a795faea17fd54a42f78c13c30732d40e5ecfe8525c1529a62a077efb6e58c071fc08
SHA512    dcef936b4edf973c3087c2d807eb7c75dd818676c1d56c0f19f73692d1a6dfc2416bb12e3397b85a446010d759e770013794f701eb55b1ae82c9e3aaa327a1a8
SSDeep    1536:wX+WqQuctgdkmLpl40/jDxhihCuwsKTgDg92CldcTmiYOXClG:g+X8YZ7ZDihP0ygIkOmtOC0
TLSH      6F830202B90E7A31D74797B527CD9AEDF807233792F7A2861AF527E885044600D97A8B
File Structure
[Content_Types].xml
_rels
    .rels
docProps
    thumbnail.jpeg
        thumbnail.jpeg.exif
        thumbnail.jpeg-preview.png
        Overlay_95eb479e.bin
            Structure
                DosHeader
                PE Header
                Optional Header (x86)
                Section Headers
                    .text
                    .rdata
                    .data
                    .rsrc
                Resources
                    RT_VERSION
                        ID:0001
                            ID:1033
    app.xml
customXml
    itemProps1.xml
    _rels
        item1.xml.rels
    item1.xml
Artefacts
Name                   | Value
URLs in VB Code - #1   | http://www.motobit.com
URLs in VB Code - #2   | http://Motobit.cz
invoice.docm (85.49 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name    | NewMacros
Detection      | VBA Stomping
ATT&CK         | T1564.007
Verdict        | Malicious
Tags           | Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

No malware configuration was found at this point.
Artefacts
Name                   | Value                   | Location
URLs in VB Code - #1   | http://www.motobit.com  | invoice.docm > word > vbaProject.bin
URLs in VB Code - #2   | http://Motobit.cz       | invoice.docm > word > vbaProject.bin
URLs in VB Code - #1   | http://www.motobit.com  | invoice.docm > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2   | http://Motobit.cz       | invoice.docm > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #1   | http://www.motobit.com  | invoice.docm > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2   | http://Motobit.cz       | invoice.docm > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1   | http://www.motobit.com  | invoice.docm > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2   | http://Motobit.cz       | invoice.docm > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1   | http://www.motobit.com  | invoice.docm > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2   | http://Motobit.cz       | invoice.docm > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
