Malicious

bc0af2a0c2c42bd2ed7f6bdaf0b923a0

MS Office Document | MD5: bc0af2a0c2c42bd2ed7f6bdaf0b923a0 | Size: 54.78 KB | application/vnd.ms-office

Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: ThisWorkbook
VBA Stomping: ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The P-Code block of this Office document is inaccessible, which indicates that VBA Purging has been applied. Decompilation of the compiled code was therefore not possible, and only the stored source code in textual form is available for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

No malware configuration was found at this point.