Malicious
Characteristics
Hash      Value
MD5       ea7621bbadc447b5b2c90b8d5c0cdf38
SHA1      4bd66612402b89c51ff8349f9d5735bc98fa593d
SHA256    cc19ce71f2296b2a685abc9a7c5a3fe4136ac906a023ffa9219c91c5267fdf86
SHA384    d719d9b611ad5d39ffa3b2dd892a00d97d980eadbac244a3e1615c9a8856b48cc1f52aad12850cb3f21aa8942d04a968
SHA512    383f2bbe6f38df00a0d941d2180a01ea765b648558c3edf962435f51262dc4e2198100ac686d5284c0e990bac902e2861f989a973375ce5474e91e5a9b56525c
SSDeep    6144:JSkgSqkdQ8HET7S+llYbeKWXAevC93umTJ:Jh5H6GMlvXzyT
TLSH      7254235AC31E2FE7F2E1C33657651384D920A5987ACB419E58BB22D66C24FCDF32118B
File Structure
[Content_Types].xml
docProps
    app.xml
    core.xml
word
    Malicious
    document.xml
    fontTable.xml
    settings.xml
    styles.xml
    vbaData.xml
    webSettings.xml
    media
        image1.png
        image1.png-preview.png
    theme
        theme1.xml
    _rels
        document.xml.rels
        vbaProject.bin.rels
_rels
    .rels
Malware Configuration - URLs in VBA/VBS Code
Config. Field    Value
URL #1           http://192.168.63.132/dowload.pdf
File: README_PURGED.docm (281.89 KB)
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection
Module Name: ThisDocument
Tags: Blacklist VBA, VBA Macro, VBA Purging, ATT&CK T1564.007, Malicious, Malicious Document

Missing P-Code: The Office document under analysis shows signs of VBA Purging: the P-Code block is not present in the document, so the compiled code could not be decompiled and only the source code stored in textual (compressed) form is available for analysis.

VBA Purging consists of removing the PerformanceCache section from the module streams.

To erase all traces of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and Yara rules that depend on exact string matches against it are rendered ineffective.

Macros can therefore bypass such rules, because the only code left in the file is the compressed source, which plain string matching does not see.
