Infection Chain
Summary by MalvaGPT
Characteristics
Hash
MD5: a7dde5c63ee3f1b66a4a15af5390acb9
SHA1: 2306d004b3953ee790e2d4d6226345680d4e1b77
SHA256: 1c8e8efb28bc86ddce2049fbedf4a76b5c3a50f63ae49066f4e8d9efa5d8bbac
SHA384: a190ed0392d9d55f7e2b0fd042b17550986b162c7584dd59ad60dc05949341941b0c85bb43aa0cdc72883ef87d244d80
SHA512: f15c2b7987e972d5455a8ad904efa2851c13fa38dfb3c2c58a7df62693dcbc1260a3be1fd2bb14d9dfdc57b83a89e540531d185f1516a7f10265a744a28d5eda
SSDeep: 768:q0HqguJBZ4Gb6NDOrnk9Vr1Wf8zIzbwvDiMl:znuJEZOLkb68UzEZl
TLSH: 93F2E14EDA225430EAC343F0A596261DDE47D70DB18F9AA23D5375ECB0B7ACA1380BC4
File Structure
[Content_Types].xml
customXml
item1.xml
itemProps1.xml
_rels
item1.xml.rels
docProps
app.xml
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
.xuef
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
_rels
.rels
Artefacts
Name | Value
URLs in VB Code - #1 | http://www.motobit.com
URLs in VB Code - #2 | http://Motobit.cz
a7dde5c63ee3f1b66a4a15af5390acb9 (35.04 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
VBA Stomping - ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

No malware configuration was found at this point.
Artefacts
Name | Value | Location
URLs in VB Code - #1 | http://www.motobit.com | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin
URLs in VB Code - #2 | http://Motobit.cz | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin
URLs in VB Code - #1 | http://www.motobit.com | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2 | http://Motobit.cz | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #1 | http://www.motobit.com | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2 | http://Motobit.cz | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1 | http://www.motobit.com | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2 | http://Motobit.cz | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1 | http://www.motobit.com | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2 | http://Motobit.cz | a7dde5c63ee3f1b66a4a15af5390acb9 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
