Infection Chain
Summary by MalvaGPT
Characteristics
Hash values:
MD5: c2db86b46eb27d46d7d710b707876ef1
SHA1: 860b2a444665370cf63f5fe6e80d5e2c89f33b59
SHA256: 9818172dd6c8550a50ba902ec59300f68f8caa8afcbd585d2d7a60353668159d
SHA384: a6fd6de6cd96b45633c2d103b410300d745885c6f9f54026c2b6f87251a6351d6c4549fb8d93f9bce63cf211589a88d7
SHA512: 4a4d01a28484f35c30e6ac395d78eed8d91f4a7000e9257f6f06af41f859406fb730d8930f7242844943e2b544f116e597f52949f52cce0793d8212a35016058
SSDeep: 768:azQP+NAiJQucR7gWUU/410gPOL92m5Vti7e1o2H3Crps:am+WqQuctgdLmgYQWi7OXCls
TLSH: AEF2D039DA9A7520D34BB37A20466DCEF9065E17D3FEB666369492CC8E028514703ACB
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.pbcf
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Artefacts
URLs in VB Code - #1: http://www.motobit.com
URLs in VB Code - #2: http://Motobit.cz

c2db86b46eb27d46d7d710b707876ef1 (34.62 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
VBA Stomping (ATT&CK T1564.007)
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, leaving only the stored source code, in textual form, available for analysis.

VBA Purging essentially involves removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also house PerformanceCache data, are removed. Once the compiled code has been removed, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

This allows the macros to bypass them effortlessly, since the remaining source code is stored in compressed form.

No malware configuration was found at this point.
Artefacts
Name | Value | Location
URLs in VB Code - #1 | http://www.motobit.com | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin
URLs in VB Code - #2 | http://Motobit.cz | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin
URLs in VB Code - #1 | http://www.motobit.com | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #2 | http://Motobit.cz | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros
URLs in VB Code - #1 | http://www.motobit.com | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #2 | http://Motobit.cz | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
URLs in VB Code - #1 | http://www.motobit.com | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #2 | http://Motobit.cz | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
URLs in VB Code - #1 | http://www.motobit.com | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
URLs in VB Code - #2 | http://Motobit.cz | c2db86b46eb27d46d7d710b707876ef1 > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
