Infection Chain
Summary by MalvaGPT
Characteristics
Hash | Hash Value
MD5: be0efa4c2c6e815b49749a21186f6660
Sha1: f821158b7b9ffe88e9c5e55c910b5bf45609093f
Sha256: 071207d36467fe346209d513ffa7366491479b6af4592d5ed43efdbf6007dbbe
Sha384: f43299c05ff3c003cff0ad271dd0c78b239c1f8f56b7c321e9d5d348ee52746a524ee285e3bf5a22c6fa602137a5a35d
Sha512: 6881835f6805f5ea56c47223b07b2db0a2c4e9a96e0b500124d08d8c167ee6c41365196cfcf259dc65a8d4854d136886aa5f3f9ed1500ae458a211e2c7ede4af
SSDeep: 768:2/QP+NAiJQucR7gWUU/410g/OLh2FHtize1o2H3Crpc:2K+WqQuctgdXmgIkFNizOXClc
TLSH: 27F2E12596DE5531C387B37B20466D8CF5079E27D2EDB96B36E052CC8D16CA25303747
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.gjwd
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Artefacts
Name | Value
URLs in VB Code - #1 | http://www.motobit.com
URLs in VB Code - #2 | http://Motobit.cz
be0efa4c2c6e815b49749a21186f6660 (35.21 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
Tags: VBA Stomping; ATT&CK T1564.007; Malicious; Malicious Document; Blacklist VBA; VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, leaving only the stored source code, in textual form, available for analysis.

VBA Purging consists of removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also hold PerformanceCache data are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

This lets such macros slip past those signatures, because the remaining source code is stored in compressed form and does not match plain-string patterns.

No malware configuration was found at this point.
Artefacts
Name | Value | Location
URLs in VB Code - #1 | http://www.motobit.com | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin
URLs in VB Code - #2 | http://Motobit.cz | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin
URLs in VB Code - #1 | http://www.motobit.com | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2 | http://Motobit.cz | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #1 | http://www.motobit.com | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2 | http://Motobit.cz | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1 | http://www.motobit.com | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2 | http://Motobit.cz | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1 | http://www.motobit.com | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2 | http://Motobit.cz | be0efa4c2c6e815b49749a21186f6660 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
