Infection Chain
Summary by MalvaGPT
Characteristics
Hash
MD5: ea34ec65732e63723618fbf730391cbc
SHA1: d9f74bb87813ee934c0c8aee41c17b2b607ed9f9
SHA256: c4aed35c30c862c466e504ab4c0ebec8fb4c9a84e24ca02378378fb1693d1caf
SHA384: 91fafa6e33f073ac23a02976d535470e9ea407a6193b45121220a706aa50cd2dd1040df5f05d6d9370e2ed17486de184
SHA512: 845ed6c1e134b576089f82d99b96ae7e3bac299870b9fe3f5559884ff4aeba26025fa109476132088ea0a9e86d03286247f522b973dde403c8a4613ee28b6d8e
SSDeep: 768:arQP+NAiJQucR7gWUU/A10wzOLJKbjtiTe1o2H3CrpR:aO+WqQuctgdrmwk09iTOXClR
TLSH: 3DF2E02ADBDB6631C347B77A20466DCCFD075E17E1EDB26A36A491CCCE22C514603A47
File Structure
[Content_Types].xml
_rels
.rels
docProps
thumbnail.jpeg
thumbnail.jpeg.exif
thumbnail.jpeg-preview.png
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.reloc
.btuf
app.xml
customXml
itemProps1.xml
_rels
item1.xml.rels
item1.xml
Artefacts
URLs in VB Code - #1: http://www.motobit.com
URLs in VB Code - #2: http://Motobit.cz
ea34ec65732e63723618fbf730391cbc (34.66 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: NewMacros
Technique: VBA Stomping (ATT&CK T1564.007)
Tags: Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, leaving only the stored source code, in textual form, available for analysis.

VBA Purging essentially consists of removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

This allows the macros to bypass them with little effort, since the remaining source code is stored in compressed form.

No malware configuration was found at this point.
Artefacts
Name: URLs in VB Code - #1
Value: http://www.motobit.com
Locations:
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros > [Full Diff]

Name: URLs in VB Code - #2
Value: http://Motobit.cz
Locations:
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros > [Stored VBA]
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros > [Decompiled VBA]
ea34ec65732e63723618fbf730391cbc > word > vbaProject.bin > VBA > NewMacros > [Full Diff]
