Malicious

Opticsense New Order.doc.zip

ZIP Archive | MD5: a7577c20087cd33d9863a6b23c76e025 | Size: 21.88 KB | application/zip

Infection Chain
Summary by MalvaGPT
Characteristics
Hashes

MD5: a7577c20087cd33d9863a6b23c76e025
SHA1: d05697982159623c9721a121b589e18b1d0de393
SHA256: fe43a95ba28c47da676746f127d6d46514d150e723e07948c8b482b57d18eaec
SHA384: 560a2b3b2e286b59266bde30a69f969739aee34f4a75a6a9b699f3e0618e7a8b5621ad19eca9a6f96af759abbaad2174
SHA512: 4e089b93e9b0e27c72a007e7178c1c9adaa56b3340b0a39af74823bbaeac41fde1f18eafc260d1bb2fc15cc852b3dace78bc2a03fd4dbf4949de34667cc4e08d
SSDeep: 384:94VpNulcwLoMF/MRi5HX64KgjH85Es5+XmZXHZrLFgFu/Yv:M/9aoC/MEHLX785EINgIAv
TLSH: F1A2D0BED27FA41B807B5D6A8FB4453901F473B7808FAC8355828EB883ECB552F91149
File Structure

Opticsense New Order.doc.zip (21.88 KB)
  [Content_Types].xml
  docProps/
    app.xml
    core.xml
  word/  [Malicious]
    document.xml
    fontTable.xml
    settings.xml
    styles.xml
    vbaData.xml
    webSettings.xml
    media/
      image1.jpeg
      image1.jpeg-preview.png
    theme/
      theme1.xml
    _rels/
      document.xml.rels
      vbaProject.bin.rels
  _rels/
    .rels
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: Module1
Technique: VBA Stomping (ATT&CK T1564.007)
Tags: Malicious, Malicious Document, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, and only the stored source code in textual form remains available for analysis.

VBA Purging essentially consists of removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

This lets the macros bypass such checks easily, since the remaining source code is stored only in compressed form.

No malware configuration was found at this point.