Malicious

0211_38602014674781.doc.bin

MS Word Document | MD5: b346a01d3398a728758895b1aaf2748b | Size: 340.42 KB | application/msword

Characteristics
Hash | Hash Value
MD5 | b346a01d3398a728758895b1aaf2748b
SHA1 | d1f569be335e637d6a43e859bd7969b9624e68e8
SHA256 | 5134951dfe74a2803ae255e7ba55e765fb16b1f212ecaa957aa612e304423ecd
SHA384 | 5c10dd9daffb6c68c77aa99e2323034c252032b7fcb94debfa4bd185166e9438bef3c2aadec7c93f2311b6f525448e41
SHA512 | ca38ab17a297ddae23d8585aaaf9f8a3e482fb11db5dffe852870f070aa2dbce1b415f660d17f64bee3d637a188d3efe51364ec585e8e5cf30a2503bb61d80e6
SSDeep | 6144:KZTlgziRpd2Sc2RqMuZDPbsTOi3fpolSKuPpXdGuffCbn81Vf:KZKmv7hRbuh6hoUhNlfqbn8Xf
TLSH | 6B740117CC5C4EABDA18DBF3BF870F58BB18121EAE4435FC61225DC96FA85426E0650B
File Structure (entries flagged by the scanner are marked [Malicious])
[Content_Types].xml
_rels/
    .rels
word/ [Malicious]
    _rels/
        document.xml.rels
        vbaProject.bin.rels
    document.xml
    vbaProject.bin [Malicious]
        Root Entry [Malicious]
            PROJECT
            PROJECTwm
            VBA [Malicious]
                dir
                Module2
                Module3
                Module4
                Module5
                _VBA_PROJECT
    embeddings/
        oleObject1.bin
            Root Entry
                CompObj
                ObjInfo
                Ole10Native
    theme/
        theme1.xml
    media/
        image1.jpeg
        image1.jpeg.exif
        image1.jpeg-preview.png
        image2.emf
    settings.xml
    vbaData.xml
    webSettings.xml
    styles.xml
    fontTable.xml
docProps/
    app.xml
    core.xml
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name | Flags
Module1 | Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block that should accompany the module is not present. As a result, the code could not be decompiled from P-Code, and only the stored (compressed) source text was available for analysis.

VBA Purging essentially consists of removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against the P-Code are rendered ineffective.

This allows such macros to bypass those signatures easily, since the only remaining copy of the code is the compressed source text. A practical consequence for defenders is that detection and review must be done on the decompressed source, not on the compiled cache.

Module2 | VBA Macro
Module3 | VBA Macro
Module4 | VBA Macro
Module5 | VBA Macro
ThisDocument | Blacklist VBA, VBA Macro

No malware configuration was found at this point.