Malicious

7a7a99eee3855c2fe0fe0f5c20d0490c
MS Excel Document | MD5: 7a7a99eee3855c2fe0fe0f5c20d0490c | Size: 54.13 KB | application/vnd.ms-excel

Characteristics
Hashes
MD5: 7a7a99eee3855c2fe0fe0f5c20d0490c
SHA-1: 8ad35a846868037787ef8ca0f06c3ad902c234a3
SHA-256: 785c48c170d677ceee0112f843d8959ff7b701866283c2e503451c96c82f63ce
SHA-384: 38ec98e2fbbf5da6554763dc8ff04fe998b78dd033ed22830194e470ab7f65f22cd3210105bcaa72a50be94d47af6fb1
SHA-512: c750be811c0f30c52ac9176042b2487b4511efbe7938cd68facb970203b4e9a2b48838ff21c7b5d32d148c7dbfb0c91f536add21453d8c10cdfb42036f5baa66
ssdeep: 768:AK66xWpl+5Bfz1nsyWkGYqq6b/DQ0g9a3VICkjnsDmgMGHNKaF04FxUp8GSjOrmD:AK66xWgzdsZpYETAalIRkdM45xCm/3JB
TLSH: E5330152E0307E8DCA2584FC97990FB24D5949756F20AFE6FD60CDDC3E8168B35098AD
File Structure (entries flagged by the scanner are marked "Malicious")
  [Content_Types].xml
  _rels/
    .rels
  xl/  (Malicious)
    workbook.xml
    _rels/
      workbook.xml.rels
    worksheets/
      sheet1.xml
    theme/
      theme1.xml
    styles.xml
    vbaProject.bin  (Malicious)
      Root Entry  (Malicious)
        PROJECT
        PROJECTwm
        VBA/  (Malicious)
          dir
          Module1  (Malicious)
            Module1  (Malicious)
              [PowerShell Command]  (Malicious)
              [Deobfuscated PS]  (Malicious)
              [Stored VBA].deobfuscated.vbs  (Malicious)
              [PowerShell Command]  (Malicious)
              [Deobfuscated PS]  (Malicious)
              [PowerShell Command]  (Malicious)
              [PowerShell Command]  (Malicious)
              [Deobfuscated PS]  (Malicious)
              [Deobfuscated PS]  (Malicious)
              [PowerShell Command]  (Malicious)
              [Deobfuscated PS]  (Malicious)
              [PowerShell Command]  (Malicious)
              [PowerShell Command]  (Malicious)
              [Deobfuscated PS]  (Malicious)
              [Deobfuscated PS]  (Malicious)
              [PowerShell Command]  (Malicious)
              [Deobfuscated PS]  (Malicious)
          __SRP_0
          __SRP_1
          __SRP_2
          __SRP_3
          ProgressForm
          _VBA_PROJECT
        ProgressForm/
          f
          o
          CompObj
          VBFrame
  docProps/
    core.xml
    app.xml
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: Module1
Blacklist VBA
VBA Macro

Missing P-Code: the P-Code block of this Office document is inaccessible, which identifies it as having undergone VBA Purging. Decompilation of the macro was therefore not possible, and only the stored source code, in textual form, is available for analysis.

VBA Purging consists of removing the PerformanceCache section from the module streams.

To erase every trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and YARA rules that depend on exact string matches against it are rendered ineffective.

The macro thus bypasses them easily, because the remaining source code is stored in compressed form.

Module Name: ProgressForm
VBA Macro
No malware configuration was found at this point.
Artefacts (Name: Value, followed by Location)

URLs in VB Code - #1: http://www.google.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin

URLs in VB Code - #2: http://www.microsoft.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin

URLs in VB Code - #1: http://www.google.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin > Root Entry > VBA > Module1

URLs in VB Code - #2: http://www.microsoft.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin > Root Entry > VBA > Module1

URLs in VB Code - #1: http://www.google.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin > Root Entry > VBA > Module1 > [Stored VBA]

URLs in VB Code - #2: http://www.microsoft.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin > Root Entry > VBA > Module1 > [Stored VBA]

URLs in VB Code - #1: http://www.google.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin > Root Entry > VBA > Module1 > [Decompiled VBA]

URLs in VB Code - #2: http://www.microsoft.com
  Location: 7a7a99eee3855c2fe0fe0f5c20d0490c > xl > vbaProject.bin > Root Entry > VBA > Module1 > [Decompiled VBA]
