Malicious
Malicious

c762581ddd5a6741513e35db24d6de3a

MS Office Document
|
MD5: c762581ddd5a6741513e35db24d6de3a
|
Size: 156.16 KB
|
application/vnd.ms-office

Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
c762581ddd5a6741513e35db24d6de3a
Sha1
3c1f1121dbdc2b65d5583dc1450f1058447f4f7e
Sha256
7a97229ab5c1e0fb376635abfa1c2833344b326b5e00d01be978c9cc1d7d263e
Sha384
974312f23da143e297b9a8b8c0a718d23716132258c72bea660ae897190a760e644ca9908cc4310f8ea1905b7df51583
Sha512
78c564ec7fe723b775597c61a7f066e82e314f6aaf002a209fccf5a27a171f366e40011b1be64b6a62e27e1b3b0904311af1b883613c424ebe7c1d98b32ddd52
SSDeep
3072:4H/pTzyqtdQ2YJlAZiV8Tt5hi76N7X872Rx8DI1uQ/UwQ4g9P:2/pyqvQ3JleikvhE6VXKw
TLSH
AEE3DF7835E5FC1AFDA0C0305EB6CABEF769AC14B9C2412712063F3D193A6E98726745
File Structure
c762581ddd5a6741513e35db24d6de3a
Malicious
[Repaired @0x00018000]
Malicious
[Content_Types].xml
_rels
.rels
theme
theme
themeManager.xml
theme1.xml
_rels
themeManager.xml.rels
Root Entry
Malicious
Data
1Table
Malicious
[Repaired @0x00000600]
Malicious
CompObj
WordDocument
SummaryInformation
DocumentSummaryInformation
Macros
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
ThisDocument
Malicious

ThisDocument

Malicious
[Stored VBA]
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
_VBA_PROJECT
c762581ddd5a6741513e35db24d6de3a (156.16 KB)
File Structure
c762581ddd5a6741513e35db24d6de3a
Malicious
[Repaired @0x00018000]
Malicious
[Content_Types].xml
_rels
.rels
theme
theme
themeManager.xml
theme1.xml
_rels
themeManager.xml.rels
Root Entry
Malicious
Data
1Table
Malicious
[Repaired @0x00000600]
Malicious
CompObj
WordDocument
SummaryInformation
DocumentSummaryInformation
Macros
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
ThisDocument
Malicious

ThisDocument

Malicious
[Stored VBA]
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
_VBA_PROJECT
Characteristics

vbaDNA - VBA Stomping & Purging Stategy detection

Module Name
ThisDocument
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.
No malware configuration were found at this point.
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙