Malicious
Malicious

b83db7fd41187833d7f3dca59f9de0bb

MS Office Document
|
MD5: b83db7fd41187833d7f3dca59f9de0bb
|
Size: 154.62 KB
|
application/vnd.ms-office

Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
b83db7fd41187833d7f3dca59f9de0bb
Sha1
d276edbfefb5e6b6041f038d8acdb2bd53b499f2
Sha256
32a52586e742cb7d213b9eb5b2c6038f26d8c647a092ee8b23ff2fb94deaff57
Sha384
fa555e4ac73e9b384dd9f852ccffd9e4a3067a81e76b3c9804ced8903f702f5b424407ec89842251c9134fd5c083d496
Sha512
143bc7dadcbc643074aed58db09a2baa35737e6cb0448ede7f530c0a7337a93ab8e5415cd268b9b8a63aa37b6207aaa60dd68fcbfc1cb64f73c4365d90fc4efe
SSDeep
3072:aH/pTzyqtdQ2YJlAZiV8TtUsi76N7X872Rx8DI1uQ/UwQ4g9P:U/pyqvQ3JleikqsE6VXKw
TLSH
9FE3CF7839E1FC1AFDB080305EA6C9BEF72DAD14BDC2412712063F7D193A6E98716649
File Structure
b83db7fd41187833d7f3dca59f9de0bb
Malicious
[Repaired @0x00018000]
Malicious
[Content_Types].xml
_rels
.rels
theme
theme
themeManager.xml
theme1.xml
_rels
themeManager.xml.rels
Root Entry
Malicious
Data
1Table
Malicious
[Repaired @0x00000600]
Malicious
CompObj
WordDocument
SummaryInformation
DocumentSummaryInformation
Macros
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
ThisDocument
Malicious

ThisDocument

Malicious
[Stored VBA]
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
_VBA_PROJECT
b83db7fd41187833d7f3dca59f9de0bb (154.62 KB)
File Structure
b83db7fd41187833d7f3dca59f9de0bb
Malicious
[Repaired @0x00018000]
Malicious
[Content_Types].xml
_rels
.rels
theme
theme
themeManager.xml
theme1.xml
_rels
themeManager.xml.rels
Root Entry
Malicious
Data
1Table
Malicious
[Repaired @0x00000600]
Malicious
CompObj
WordDocument
SummaryInformation
DocumentSummaryInformation
Macros
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
ThisDocument
Malicious

ThisDocument

Malicious
[Stored VBA]
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
_VBA_PROJECT
Characteristics

vbaDNA - VBA Stomping & Purging Stategy detection

Module Name
ThisDocument
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.
No malware configuration were found at this point.
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙