Infection Chain
Summary by MalvaGPT
Characteristics
Hash      Hash Value
MD5       8a3803a54a1e9bb1cea7a227c2bb9399
SHA1      1d50eee3b3f49279509b1020b11eb20cd7ad4077
SHA256    7dc57e2042ca79bf1b5bdaad3640dd59140c947968721d12cbaec59682d4746a
SHA384    859dde3fb599256af4195f31019324bc98748228d7948c283556054808ea621bc9bf7ad4ec881a5ec488d497cdc643dd
SHA512    46bdb319c1a9b8f168d975d2896bb37f68022da8d8145c0fc54d567e625393db27da1053ad057ba98b3f9400c3f4af355924d0ffe8a4ca5d5a33d0abee108271
SSDeep    768:UaQP+NAiJQucR7gWUU/V10JIOLV5oti2e1o2H3Crpy:UB+WqQuctgdCmJnDsi2OXCly
TLSH      DBF2E139EADAD520C347B37B20456E8EF8079E17F1EDB26B37A4D1CC8D828514607A47
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.wmoo
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Artefacts
Name                    Value
URLs in VB Code - #1    http://www.motobit.com
URLs in VB Code - #2    http://Motobit.cz
8a3803a54a1e9bb1cea7a227c2bb9399 (34.62 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name
NewMacros
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, leaving only the stored source code (in textual form) available for analysis.

VBA Purging essentially involves removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code has been removed, antivirus engines and Yara rules that depend on precise string matches are rendered ineffective.

This lets macros bypass them effortlessly, because the remaining source code is stored in compressed form.

No malware configuration was found at this point.
Artefacts
Name                    Value                     Location
URLs in VB Code - #1    http://www.motobit.com    8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin
URLs in VB Code - #2    http://Motobit.cz         8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin
URLs in VB Code - #1    http://www.motobit.com    8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2    http://Motobit.cz         8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #1    http://www.motobit.com    8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2    http://Motobit.cz         8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1    http://www.motobit.com    8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2    http://Motobit.cz         8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1    http://www.motobit.com    8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2    http://Motobit.cz         8a3803a54a1e9bb1cea7a227c2bb9399 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]