Infection Chain
Summary by MalvaGPT
Characteristics
Hashes
MD5: bd0edb96fe6f64271fca11c33708efb3
SHA1: 4e2456a14574c03a66b929874daad1a328a06f99
SHA256: 513a2bbd8758003f748f097a852cbfdfba2b65191db3463cffd2663f13f6da68
SHA384: 8a2910b56cae042e92e69cc2f4ea43b6f3b03bd76eb573c3db909c6b1cb14e5d8e47652cba731eafb15e1ad608ca3dbd
SHA512: 08b4394b2801bfaf85d0e661fb8de223a5b7d1c3d2f432828ccc025e6ec3a3aaf1432eb3e843f46f5357c470b9fe24c45274b4ca268e8abb1ae68a5861683218
SSDeep: 768:UiQP+NAiJQucR7gWUU/t10BwOLVxN50Xti+e1o2H3CrpD:UZ+WqQuctgd6mBPLNSi+OXClD
TLSH: 8FF2E12ADBCEB520C347B77A20467DCDF9071E2BE1FEB2673AA995CC8D028514607647
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.mxew
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Artefacts
URLs in VB Code - #1: http://www.motobit.com
URLs in VB Code - #2: http://Motobit.cz

bd0edb96fe6f64271fca11c33708efb3 (34.88 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
VBA Stomping: ATT&CK T1564.007
Tags: Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, as the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, and only the stored source code, in textual form, remains available for analysis.

VBA Purging essentially consists of removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on precise string matches against it are rendered ineffective, and the macros bypass them effortlessly, since the remaining source code is stored in compressed form.

No malware configuration was found at this point.
Artefacts (Name: Value, grouped by Location)

Location: bd0edb96fe6f64271fca11c33708efb3 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
  URLs in VB Code - #1: http://www.motobit.com
  URLs in VB Code - #2: http://Motobit.cz

Location: bd0edb96fe6f64271fca11c33708efb3 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
  URLs in VB Code - #1: http://www.motobit.com
  URLs in VB Code - #2: http://Motobit.cz

Location: bd0edb96fe6f64271fca11c33708efb3 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
  URLs in VB Code - #1: http://www.motobit.com
  URLs in VB Code - #2: http://Motobit.cz

Location: bd0edb96fe6f64271fca11c33708efb3 > word > vbaProject.bin > VBA > NewMacros
  URLs in VB Code - #1: http://www.motobit.com
  URLs in VB Code - #2: http://Motobit.cz

Location: bd0edb96fe6f64271fca11c33708efb3 > word > vbaProject.bin
  URLs in VB Code - #1: http://www.motobit.com
  URLs in VB Code - #2: http://Motobit.cz
