Infection Chain
Summary by MalvaGPT
Characteristics
Hash | Hash Value
MD5 | 7d96341d1d91464b990e998cb0703cb0
SHA1 | d118786757b20d954511cb75569148efbcad5688
SHA256 | 558bb6eb15dcac4cff35a953b35bd6b067df71db3d36c7b6f29f7f82fcd73fb8
SHA384 | 9d2dff841981d2e10b26234b7e4e6cd42314fca04435f2729abd4c3b61eccdd4d27a5181c9082d2c690259ded21bdd62
SHA512 | 6a61525ba6ab5c2ba8b4cd93280eefe719315a04ed2c8559ca032aff0859404248950bb99d6eeda821cc8cdb43dd55c7d645efe7c6caf2fbb870fd3318840d74
SSDeep | 768:K1QP+NAiJQucR7gWUU/+10ilOLB8Jtite1o2H3CrpU:KA+WqQuctgdxmiSiHitOXClU
TLSH | CAF2E129AACAF530C347B37A20465D8DF9075E1BD1EE726B3EA492CCCD0185D4607A47
File Structure
[Content_Types].xml
_rels
    .rels
docProps
    thumbnail.jpeg
    thumbnail.jpeg.exif
    thumbnail.jpeg-preview.png
    Structure
        DosHeader
        PE Header
        Optional Header (x86)
        Section Headers
            .text
            .rdata
            .data
            .reloc
            .oyff
    app.xml
customXml
    itemProps1.xml
    _rels
        item1.xml.rels
    item1.xml
Artefacts
Name | Value
URLs in VB Code - #1 | http://www.motobit.com
URLs in VB Code - #2 | http://Motobit.cz
7d96341d1d91464b990e998cb0703cb0 (34.62 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
Technique: VBA Stomping (ATT&CK T1564.007)
Verdict: Malicious
Tags: Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

No malware configurations were found at this point.
Artefacts
Name | Value | Location
URLs in VB Code - #1 | http://www.motobit.com | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2 | http://Motobit.cz | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #1 | http://www.motobit.com | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin
URLs in VB Code - #2 | http://Motobit.cz | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin
URLs in VB Code - #1 | http://www.motobit.com | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2 | http://Motobit.cz | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1 | http://www.motobit.com | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2 | http://Motobit.cz | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1 | http://www.motobit.com | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2 | http://Motobit.cz | 7d96341d1d91464b990e998cb0703cb0 > word > vbaProject.bin > VBA > NewMacros
