Malicious

9b67ef980e345153a07848c8677bda3f

MS Word Document | MD5: 9b67ef980e345153a07848c8677bda3f | Size: 18.19 KB | application/msword

Characteristics
Hash | Hash Value
MD5 | 9b67ef980e345153a07848c8677bda3f
SHA1 | 4480a9c08a687300057808057b81656b448dbf21
SHA256 | bc2597ce09987022ff0498c6710a9b51a1a47ed8082ac044be2838b384157527
SHA384 | 2f226b7ffe4f8e709e71f1b9149f2eb5d376d8ef772f04d6fa9a7056e2efb1e077d3266f7d90fcfbe9d19d1b539326fb
SHA512 | e9bf6c54a1e5f0bd9a9e88749ff3b4f9eb20d5b2a15cccb6a8b57128ffc1044c04267c4fcb31e8fd3397c03957ba2c2fb0e9bc8e8677dc181d6a2b49a678b2b1
SSDeep | 384:/ikF8hpXDvtHdHJIT2fetAkSorlNxt/ZtNNhycxTahO+30OnnbOiP:/SFnI4aZDDxllNovk+3BB
TLSH | 6582BF79DA06F495D49B86FED44F0EFDF1925081622265AF3848ABCEC820CB70F5785E
File Structure

[Content_Types].xml
_rels/
    .rels
word/  (Malicious)
    document.xml
    _rels/
        document.xml.rels
        vbaProject.bin.rels
    vbaProject.bin  (Malicious)
        Root Entry  (Malicious)
            PROJECT
            PROJECTwm
            VBA  (Malicious)
    theme/
        theme1.xml
    vbaData.xml
    settings.xml
    styles.xml
    webSettings.xml
    fontTable.xml
docProps/
    core.xml
    app.xml
Artefacts

Name | Value
URLs in VB Code - #1 | http://91.107.150.184/office.bat
9b67ef980e345153a07848c8677bda3f (18.19 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name | Blacklist VBA
NewMacros | VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA purging: the P-code block inside the document is not accessible, so the macro could not be decompiled, and only the stored (compressed) source code remains available in textual form for analysis.

VBA purging removes the PerformanceCache section, which holds the compiled P-code, from the module streams.

To erase every trace of the P-code section, the MODULEOFFSET record for each module (kept in the compressed dir stream of the VBA storage) is set to 0, so that the module stream is read as starting directly with the source code; the _VBA_PROJECT stream is altered so that Office recompiles the project on load; and all SRP streams (__SRP_n), which also hold PerformanceCache data, are deleted. Once the compiled code is gone, antivirus engines and YARA rules that rely on exact string matches against the P-code no longer fire.

This lets the macros slip past such detection with little effort, because the remaining source code is stored in MS-OVBA compressed form and its plain strings never appear verbatim in the file.

No malware configuration was found at this point.
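The purging indicators described above can be checked directly against the VBA project structures instead of relying on string signatures. The Python below is an added example written for this page, not code from the sandbox or from the vbaDNA detector: it implements MS-OVBA decompression (needed because the dir stream and the stored source are both compressed), walks the decompressed dir stream for MODULENAME and MODULEOFFSET records, and reports modules whose offset is 0 together with the absence of __SRP_n streams. It assumes the dir stream bytes and the list of stream names under the VBA storage have already been extracted from vbaProject.bin; the dir stream it parses and the compressed chunk it decompresses are constructed inline, and the record set in build_dir_stream is a minimal stand-in for a real one. The change to the _VBA_PROJECT stream is not checked here.

```python
import struct

PROJECTVERSION, PROJECTMODULES, TERMINATOR = 0x0009, 0x000F, 0x0010  # MS-OVBA dir record ids
MODULENAME, MODULEOFFSET = 0x0019, 0x0031


def rec(rec_id, payload=b""):
    """Generic dir-stream record: Id (2 bytes) + Size (4 bytes) + payload."""
    return struct.pack("<HI", rec_id, len(payload)) + payload


def build_dir_stream(module_offsets):
    """Constructed sample: a minimal spec-shaped dir stream for a {module: MODULEOFFSET} map."""
    data = b"".join([
        rec(0x0001, struct.pack("<I", 1)),                   # PROJECTSYSKIND: Win32
        rec(0x0003, struct.pack("<H", 1252)),                # PROJECTCODEPAGE
        struct.pack("<HIIH", PROJECTVERSION, 4, 0x61B8, 0),  # Reserved=4, Major, Minor
        rec(TERMINATOR),                                     # end of PROJECTINFORMATION
        rec(PROJECTMODULES, struct.pack("<H", len(module_offsets))),
    ])
    for name, off in module_offsets.items():
        data += (rec(MODULENAME, name.encode("cp1252"))
                 + rec(0x0047, name.encode("utf-16-le"))      # MODULENAMEUNICODE
                 + rec(MODULEOFFSET, struct.pack("<I", off))
                 + rec(0x0021) + rec(0x002B))                 # MODULETYPE, end of module
    return data + rec(TERMINATOR)


def container_uncompressed(data):
    """CompressedContainer with one uncompressed chunk (flag bit clear, exactly 4096 bytes)."""
    if len(data) > 4096:
        raise ValueError("an uncompressed chunk holds at most 4096 bytes")
    return b"\x01" + struct.pack("<H", 0x3FFF) + data.ljust(4096, b"\x00")


def decompress(container):
    """MS-OVBA 2.4.1 decompression, as used for the dir and module source streams."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        end = min(pos + (header & 0x0FFF) + 3, len(container))  # size counts the header
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:                  # uncompressed chunk: 4096 raw bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):                 # one flag bit per token
                if pos >= end:
                    break
                if not (flags >> bit) & 1:       # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]  # copy token
                pos += 2
                difference = len(out) - chunk_start
                bit_count = 4                    # max(ceil(log2(difference)), 4)
                while (1 << bit_count) < difference:
                    bit_count += 1
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                if src < chunk_start:
                    raise ValueError("copy token reaches before the chunk start")
                for i in range(length):          # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def parse_dir_stream(dir_data):
    """Walk a decompressed dir stream and return {module name: MODULEOFFSET}."""
    offsets, name, in_modules, pos = {}, None, False, 0
    while pos + 6 <= len(dir_data):
        rec_id, size = struct.unpack_from("<HI", dir_data, pos)
        if rec_id == PROJECTVERSION:             # its "Size" field is Reserved (4);
            size = 6                             # VersionMajor(4)+VersionMinor(2) follow
        payload, pos = dir_data[pos + 6:pos + 6 + size], pos + 6 + size
        if rec_id == PROJECTMODULES:
            in_modules = True
        elif rec_id == MODULENAME:               # MBCS; a full parser uses PROJECTCODEPAGE
            name = payload.decode("cp1252", "replace")
        elif rec_id == MODULEOFFSET:
            offsets[name] = struct.unpack("<I", payload)[0]
        elif rec_id == TERMINATOR and in_modules:  # second terminator closes the modules
            break
    return offsets


def detect_purging(module_offsets, vba_stream_names):
    """MODULEOFFSET 0 means the module stream starts with the compressed source and has
    no PerformanceCache (P-code); missing __SRP_n streams only corroborate that."""
    findings = ["%s: MODULEOFFSET = 0, no P-code ahead of the compressed source" % n
                for n, off in module_offsets.items() if off == 0]
    if findings and not any(s.startswith("__SRP_") for s in vba_stream_names):
        findings.append("no __SRP_n streams in the VBA storage")
    return findings


# Constructed chunk: literals a, b, c then one copy token (offset 3, length 6) -> "abcabcabc"
SAMPLE_COMPRESSED = b"\x01\x05\xb0\x08abc\x03\x20"
```

To run this against a real sample, open word/vbaProject.bin with olefile, read the VBA/dir stream, feed it to decompress and then parse_dir_stream, and pass the names from ole.listdir() under the VBA storage to detect_purging. A legitimately saved project always has a non-zero MODULEOFFSET because the PerformanceCache precedes the source in every module stream, so an offset of 0 is the strong indicator; the absence of __SRP_n streams is reported only as corroboration, since on its own it also occurs in benign files.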
Artefacts

Name | Value | Location
URLs in VB Code - #1 | http://91.107.150.184/office.bat | 9b67ef980e345153a07848c8677bda3f > word > vbaProject.bin > Root Entry > VBA > NewMacros > [Stored VBA]
