Malicious

59657f4537018aa3621450282e9a973895e33[...]004.docm

MS Word Document | MD5: e9e6f32925c8fb28a3834e4a4575d566 | Size: 85.51 KB | application/msword

Characteristics
Hashes
MD5: e9e6f32925c8fb28a3834e4a4575d566
SHA1: 7b220d821d5cc32cf8a9fa105985b1bb550029b5
SHA256: 59657f4537018aa3621450282e9a973895e33e6f236f4f644769a505c498c004
SHA384: 0b9e9255c49667026cd297666ab83b1efcac20ee42301e1b333c853bc017d4853df32fb680e8c51f9787c82a00c8198b
SHA512: acbbb209b5b94781dd9600a7c20476d0b39d5bbb9fb1806aee68f2264d8725f03fc9427683db88862d3d7d81bd53fa47f88f4be579b66a966fcc0ea6f618db20
SSDeep: 1536:+o+WqQuctgdRm+yapjClC3H5wCVG3OrH65/7VUs0ngCjuYbgGvtioOXClI:R+X8YfHtC2HV4O7eTv0ngCjuBGvtFOC2
TLSH: 8E83026ED7FE4921D147F3BC301A2C49E21E6B8FF0EDB19639D1A3CC87268A18752546
File Structure
[Content_Types].xml
_rels
.rels
word
Malicious
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
Resources
RT_VERSION
ID:0001
ID:1033
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Malware Configuration - URLs in VBA/VBS Code
URL #1: http://www.motobit.com
URL #2: http://Motobit.cz
59657f4537018aa3621450282e9a973895e33e6f236f4f644769a505c498c004.docm (85.51 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
Technique: VBA Stomping (ATT&CK T1564.007)
Verdict: Malicious
Tags: Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis shows signs of VBA Purging, because the P-Code block within the document is inaccessible. As a result, the compiled code could not be decompiled, and only the stored source code, available in textual form, remains for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.
