Malicious

c4503a69698140d64ffba8ff2ea7de82

MS Word Document | MD5: c4503a69698140d64ffba8ff2ea7de82 | Size: 76.15 KB | application/msword

Characteristics
Hashes
MD5: c4503a69698140d64ffba8ff2ea7de82
SHA1: 98ee66dc417e415fd059b0de961f8fd3c4b2eb31
SHA256: 8c491ff716a5b1fca672bc23db6308d080bc3aba37f7b217364f7e1a2b9e8d7c
SHA384: 82badbb8174809da3469a78d16b0515c069d2733526b887296a0d4b4a00c9bbb07742922268bf9dc21ed121ea313f1cd
SHA512: 8a4b01983fd04108fe23e1c29e519e6e58fff466a2b3b30b5e34a0228103fdec27da7a9fd723376a6dfe1575dda3c441577a40e30a18f5796089b3bb197dbe06
SSDeep: 1536:vvusxs8JgCpJ6wQfxf28aBotckqVHmvru5266DeqkET3+C1KnQ:vWsxsYb7kraGtcNVGvru526ges+KIQ
TLSH: 177337A79C095AC7F22C83F9BE160CE96F09031CE9827EFF04265FD67E506135C5A46A
File Structure
[Content_Types].xml
_rels
    .rels
word (Malicious)
    _rels
        document.xml.rels
        vbaProject.bin.rels
    document.xml
    Root Entry (Malicious)
        PROJECT
        PROJECTwm
        VBA (Malicious)
            dir
            __SRP_0
            __SRP_1
            __SRP_2
            __SRP_3
            __SRP_4
            __SRP_5
            _VBA_PROJECT
    media
        image1.jpg
        image1.jpg-preview.png
    theme
        theme1.xml
    settings.xml
    vbaData.xml
    fontTable.xml
    stylesWithEffects.xml
    webSettings.xml
    styles.xml
docProps
    app.xml
    core.xml
Artefacts
URLs in VB Code - #1: https://cloud-storage.art/doc/Y1.ps1

Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
Tags: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, VBA Macro

Missing P-Code: The Office document under analysis shows signs of VBA Purging: the P-Code block that would normally accompany the module is not present in the document. As a result, the code could not be decompiled, and only the stored (compressed) source code is available in textual form for analysis.

VBA Purging is, in essence, the removal of the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and YARA rules that depend on exact string matches against it are rendered ineffective.

This lets the macros bypass such detections with little effort, because the only code left is the compressed source.

Module Name: ThisDocument
Tags: VBA Stomping, ATT&CK T1564.007, Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: This module likewise shows signs of VBA Purging: its P-Code block is not present in the document, so the code could not be decompiled and only the stored (compressed) source code is available in textual form for analysis.

No malware configuration was found at this point.

Artefacts
URLs in VB Code - #1: https://cloud-storage.art/doc/Y1.ps1
Location: c4503a69698140d64ffba8ff2ea7de82 > word > vbaProject.bin > Root Entry > VBA > ThisDocument > [Stored VBA]

URLs in VB Code - #1: https://cloud-storage.art/doc/Y1.ps1
Location: c4503a69698140d64ffba8ff2ea7de82 > word > vbaProject.bin > Root Entry > VBA > ThisDocument > [Decompiled VBA]
