Malicious

9c834c208d4f109e1e9e1ec0386525da

MS Office Document | MD5: 9c834c208d4f109e1e9e1ec0386525da | Size: 64.51 KB | application/vnd.ms-office

Characteristics
Hash values
MD5: 9c834c208d4f109e1e9e1ec0386525da
SHA1: a35edba7014afb0f0c01930346dad0653966655f
SHA256: 9a1a07caef95485ed3b67cee28cd179755ae10003978601bf3173c31ea5b603b
SHA384: 1047420e688cd737df4de49f2a91ccf075ad614c10f4aa9de2804ea42836c6d68a67d100f23466ca9d074f917c63591e
SHA512: cbc6d782e4262186cabcc3665920121aec6b2c632ecd0d4768450815e260a0db04059d2358edd40581d9fa2f62888b24145b3acb757b47cafb399ca6668fa870
SSDeep: 1536:/WxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAZxrd7s+miHm2hOZyL:/WxEtjPOtioVjDGUU1qfDlaGGx+cL2Qs
TLSH: E253A5967685D8C5DA4847350CE7C2E66727BC019F5B87CB328CB71E2F716808CD2A5B
File Structure (OLE storages and streams; entries the sandbox flagged are marked)
Root Entry [Malicious]
    CompObj
    Workbook
    SummaryInformation
    DocumentSummaryInformation
    _VBA_PROJECT_CUR [Malicious]
        PROJECT
        PROJECTwm
        VBA [Malicious]
Artefacts
URLs in VB Code (location: 9c834c208d4f109e1e9e1ec0386525da, the analysed file itself)
#1  http://ns.adobe.com/xap/1.0/
#2  http://www.w3.org/1999/02/22-rdf-syntax-ns#
#3  http://purl.org/dc/elements/1.1/

These three URLs are the XMP, RDF and Dublin Core namespace identifiers used in XMP/RDF metadata blocks. They are not network indicators: they should not be treated as download or C2 locations, and blocking them yields nothing.
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: Module1
Detection: VBA Stomping (ATT&CK T1564.007)
Tags: Malicious, Malicious Document, VBA Macro

Module Name: ThisWorkbook
Detection: VBA Stomping (ATT&CK T1564.007)
Tags: Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code (both modules): the document has undergone VBA Purging. The P-Code block of each module is absent, so the compiled code could not be decompiled; only the source stored in textual form (the module's CompressedSourceCode) was available for analysis.

VBA Purging removes the PerformanceCache section, which holds the compiled P-Code, from each module stream, so that the stream consists of the compressed source code alone.

To erase every trace of the P-Code, the MODULEOFFSET record for each module in the dir stream (the offset at which the compressed source begins, i.e. the size of the PerformanceCache that precedes it) is set to 0, the _VBA_PROJECT stream is cut down to its fixed header, and the __SRP_n streams, which also cache compiled data, are removed. Office does not need the P-Code: when it is missing, the macro is recompiled from source when the project is loaded, so the document still runs normally.

Antivirus signatures and YARA rules that match literal strings in the P-Code or PerformanceCache then no longer fire, and the one copy of the macro that remains, the source, is stored in MS-OVBA compressed form. Because flag bytes and copy tokens interrupt the literal text, a rule that looks for a plain string such as a function name in the raw module stream will usually miss it as well; the source has to be decompressed (as olevba does) before string matching means anything.
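The two facts in the finding above that an analyst actually checks, shown as an added example (this is not the sandbox's code, nor olevba's or pcodedmp's, although the decompressor follows the same MS-OVBA algorithm those tools implement): a module's MODULEOFFSET in the dir stream, which purging sets to 0, and the MS-OVBA compression of the surviving source, which is why a literal-string rule misses a name such as CreateObject in the raw module stream until the stream is decompressed. The macro text, the dir stream, the module name Module2 and the offset 0x5A3 are constructed for the example; the dir walker reads only the record types it needs; the compressor omits the spec's raw-chunk fallback. In a real file the dir and module streams are read out of the VBA storage first (olevba does this) and then passed through these functions.

```python
import struct

PROJECTVERSION, MODULENAME, MODULEOFFSET = 0x0009, 0x0019, 0x0031  # dir stream record ids

def decompress(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression, the algorithm olevba and pcodedmp implement."""
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        end = min(len(container), pos + (header & 0x0FFF) + 3)  # size field counts the header
        pos += 2
        if not header & 0x8000:                   # raw chunk: bytes stored as-is
            out += container[pos:end]
            pos = end
            continue
        chunk_start = len(out)
        while pos < end:
            flags, pos = container[pos], pos + 1  # one flag bit per following token
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:        # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token, pos = struct.unpack_from("<H", container, pos)[0], pos + 2
                # The offset/length bit split depends on how far into the chunk we are.
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                for i in range(length):           # byte-wise, since copies may overlap
                    out.append(out[src + i])
    return bytes(out)

def compress(data: bytes) -> bytes:
    """MS-OVBA compression with the spec's copy tokens (compressed chunks only)."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), 4096):
        chunk, body, pos = data[start:start + 4096], bytearray(), 0
        while pos < len(chunk):
            flag_at, flags = len(body), 0
            body.append(0)                        # flag byte, patched after the group
            for bit in range(8):
                if pos >= len(chunk):
                    break
                bit_count = max((pos - 1).bit_length(), 4)
                best_len, best_off = 0, 0         # longest back-reference into this chunk
                for off in range(1, pos + 1):
                    n = 0
                    while (n < (0xFFFF >> bit_count) + 3 and pos + n < len(chunk)
                           and chunk[pos - off + n] == chunk[pos + n]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    body += struct.pack("<H", ((best_off - 1) << (16 - bit_count)) | (best_len - 3))
                    flags |= 1 << bit
                    pos += best_len
                else:
                    body.append(chunk[pos])
                    pos += 1
            body[flag_at] = flags
        assert len(body) <= 4096, "incompressible chunk: raw-chunk fallback not implemented"
        out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(out)

def module_offsets(dir_stream: bytes) -> dict:
    """Module name -> MODULEOFFSET from a decompressed dir stream (Id(2) Size(4) Data records)."""
    offsets, name, pos = {}, None, 0
    while pos + 6 <= len(dir_stream):
        rec_id, size = struct.unpack_from("<HI", dir_stream, pos)
        size = 6 if rec_id == PROJECTVERSION else size   # its 'size' is a reserved 4; 6 version bytes follow
        data, pos = dir_stream[pos + 6:pos + 6 + size], pos + 6 + size
        if rec_id == MODULENAME:
            name = data.decode("cp1252", "replace")
        elif rec_id == MODULEOFFSET and name is not None:
            offsets[name] = struct.unpack("<I", data)[0]
    return offsets

def purged_modules(compressed_dir: bytes) -> list:
    """Modules whose MODULEOFFSET is 0: no PerformanceCache precedes their source."""
    return sorted(n for n, off in module_offsets(decompress(compressed_dir)).items() if off == 0)

_rec = lambda rec_id, data: struct.pack("<HI", rec_id, len(data)) + data

# Constructed inputs, not taken from the analysed file: a benign macro, and a minimal dir
# stream in which Module1 is purged (offset 0) while Module2 keeps 0x5A3 bytes of P-Code.
SAMPLE_SOURCE = (b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n    Dim sh As Object\r\n'
                 b'    Set sh = CreateObject("WScript.Shell")\r\n    sh.Run "notepad.exe"\r\nEnd Sub\r\n')
SAMPLE_DIR = (struct.pack("<HIIH", PROJECTVERSION, 4, 0x61, 0) + _rec(0x000F, struct.pack("<H", 2))
              + _rec(MODULENAME, b"Module1") + _rec(MODULEOFFSET, struct.pack("<I", 0)) + _rec(0x002B, b"")
              + _rec(MODULENAME, b"Module2") + _rec(MODULEOFFSET, struct.pack("<I", 0x5A3)) + _rec(0x002B, b"")
              + _rec(0x0010, b""))

if __name__ == "__main__":
    print("CreateObject visible in compressed source:", b"CreateObject" in compress(SAMPLE_SOURCE))  # False
    print("purged modules:", purged_modules(compress(SAMPLE_DIR)))  # ['Module1']
```

Running it shows CreateObject present in the source but absent from its compressed form (the second "Object" becomes a copy token and a flag byte lands inside "WScript.Shell"), and Module1 reported as purged. A rule written for this file should therefore either decompress the module streams before matching strings, or key on the structural signs of purging (MODULEOFFSET = 0 in dir, no __SRP_n streams, a _VBA_PROJECT stream that holds only its fixed seven-byte header) rather than on strings that only ever lived in the P-Code.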

No malware configuration was found at this point.
