Malicious

e0f6437928527aae837ef14f81b048ff

MS Excel Document | MD5: e0f6437928527aae837ef14f81b048ff | Size: 142.24 KB | application/vnd.ms-excel

Characteristics
Hashes
MD5:    e0f6437928527aae837ef14f81b048ff
SHA1:   89e11670675ce9a44ee1e9320bfbea01245438fc
SHA256: e4475526196a357d12a6b152279d653b2530eee23fec14202292aaba565900eb
SHA384: b1a8d6818135d27051551219c0e73d1c6c165a629e9e29d0edbbaa5fc508a33d72f3506f8087e00c5839591656b7af5c
SHA512: 51f90c2773339910304fa02576442c5e4a48c9a568d44b1846132f6d67dbc2c4fd41dc6f3d12463177071b107946fd9510274a7e1755fae1a8bdc194c1ce8510
SSDeep: 3072:xIEW8w2tDkE/wfbrR7WjtV+GTTNw7hRAVbjnWcATWFbWQ:xId26LjMbzoDAVPWcwCSQ
TLSH:   8BD312DABAD52CF3D04209BF6A29A4F811F77D64D28C7C4CB8179A99CC41193B5E708A
File Structure
[Content_Types].xml
_rels/
    .rels
xl/ (Malicious)
    _rels/
        workbook.xml.rels
    workbook.xml
    theme/
        theme1.xml
    drawings/
        _rels/
            drawing1.xml.rels
        drawing1.xml
    worksheets/
        _rels/
            sheet1.xml.rels
        sheet2.xml
        sheet3.xml
        sheet1.xml
    styles.xml
    media/
        image1.png
        image1.png-preview.png
        image2.png
        image2.png-preview.png
docProps/
    app.xml
    core.xml

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: ThisWorkbook
Detection: VBA Stomping (ATT&CK T1564.007)
Tags: Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: the P-Code block of the Office document under analysis is inaccessible, which identifies the document as having undergone VBA Purging. Decompilation of the compiled code was therefore not possible; only the stored source code, in textual form, is available for analysis.

VBA Purging removes the PerformanceCache section (the compiled P-Code) from the module streams.

To erase every trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

Such macros therefore evade them easily, because the remaining source code is stored only in compressed form.

No malware configuration was found at this point.