Malicious

a43bcb6aefde2133474a3a3cc069f2f7

MS Office Document
MD5: a43bcb6aefde2133474a3a3cc069f2f7
Size: 1.3 MB
application/vnd.ms-office
Summary by MalvaGPT
Characteristics
MD5: a43bcb6aefde2133474a3a3cc069f2f7
SHA1: 3e7822f1045a025010cf50110f90d54924f40a25
SHA256: 751f9fabe3997ba63e604599dc50b6a1ec3f7ed4a0d86ae3dff6d562a6277a23
SHA384: 944cb019fe2b67ee9a16f9b03c55d6d79d42573511491ea4c9dffa8c1e414f4a742c0f8d84608cacdf612c939f60cef4
SHA512: 762482873baf40a65404129c22dfdce04e4f300ac9b1d315d48efc3ab3b3a974ec1b0100a80c5c48f27d586d419d64a9539844252d0b4e579a4c2d338b4d88e3
SSDeep: 24576:LJ9yggpgCkqY586TYyiMptZmjFBFojyQtKIOIKlHpVQ6l7LIWIulQB5kilPXIRI8:LoWntAQtve
TLSH: A955D511F603C62BC699223148BAA3F53778AC491A864B57725CB33D3FF6B90DA47784
File Structure
[Repaired @0x0001AA65]
Malicious
Root Entry
Malicious
CompObj
Workbook
Malicious
[Repaired @0x0001A865]
Malicious
SummaryInformation
DocumentSummaryInformation
_VBA_PROJECT_CUR
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
Sheet7
Sheet8
Sheet9
Sheet10
Sheet11
Sheet12
Sheet13
Sheet14
Sheet15
Sheet16
Sheet18
Sheet20
Sheet21
Sheet36
__SRP_0
__SRP_1
__SRP_2
__SRP_3
__SRP_4
__SRP_5
__SRP_6
__SRP_7
__SRP_8
__SRP_9
__SRP_a
__SRP_b
__SRP_c
__SRP_d
__SRP_e
__SRP_f
__SRP_10
__SRP_11
__SRP_12
__SRP_13
__SRP_14
__SRP_15
__SRP_16
__SRP_17
__SRP_18
__SRP_19
__SRP_1a
__SRP_1b
__SRP_1c
__SRP_1d
__SRP_1e
__SRP_1f
__SRP_20
__SRP_21
__SRP_22
__SRP_23
__SRP_24
__SRP_25
__SRP_26
__SRP_27
__SRP_28
__SRP_29
__SRP_2a
__SRP_2b
__SRP_2c
__SRP_2d
__SRP_2e
__SRP_2f
__SRP_30
__SRP_31
__SRP_32
__SRP_33
__SRP_34
__SRP_35
__SRP_36
__SRP_37
ThisWorkbook
_VBA_PROJECT
Artefacts (Name: Value)
URLs in VB Code - #1: http://www.frez.co.uk
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: tags
Sheet6: VBA Stomping (ATT&CK T1564.007), Malicious, Malicious Document, VBA Macro

Missing P-Code: this document appears to have undergone VBA Purging, because the P-Code block is not accessible. The code therefore could not be decompiled, and only the stored source code (in compressed text form) is available for analysis.

VBA Purging consists of removing the PerformanceCache section (the compiled P-Code) from the module streams.

To erase all traces of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and YARA rules that depend on exact string matches against it no longer fire.

Macros can therefore evade such signatures, because the remaining source code is stored only in compressed form.

Sheet7: VBA Macro
Sheet8: VBA Macro
Sheet9: VBA Macro
CSHA256: VBA Stomping (ATT&CK T1564.007), Malicious, Malicious Document, VBA Macro


Module1: VBA Stomping (ATT&CK T1564.007), Malicious, Malicious Document, Blacklist VBA, VBA Macro


Module2: Blacklist VBA, VBA Macro (Missing P-Code, as described for Sheet6 above)


Module3: VBA Stomping (ATT&CK T1564.007), Malicious, Malicious Document, Blacklist VBA, VBA Macro


Sheet10: VBA Macro
Sheet11: VBA Macro
Sheet12: VBA Macro
Sheet13: VBA Macro
Sheet14: VBA Macro
Sheet15: VBA Macro
Sheet16: VBA Macro
Sheet18: VBA Macro
Sheet20: VBA Macro
Sheet21: VBA Macro
Sheet36: VBA Macro
ThisWorkbook: VBA Macro
No malware configuration was found at this point.
Artefacts (Name: Value; Location)
URLs in VB Code - #1: http://www.frez.co.uk; a43bcb6aefde2133474a3a3cc069f2f7
URLs in VB Code - #1: http://www.frez.co.uk; a43bcb6aefde2133474a3a3cc069f2f7 > [Repaired @0x0001AA65]
URLs in VB Code - #1: http://www.frez.co.uk; a43bcb6aefde2133474a3a3cc069f2f7 > Root Entry > _VBA_PROJECT_CUR > VBA > CSHA256 > [Stored VBA]
URLs in VB Code - #1: http://www.frez.co.uk; a43bcb6aefde2133474a3a3cc069f2f7 > Root Entry > _VBA_PROJECT_CUR > VBA > CSHA256 > [Decompiled VBA]