Malicious

eeef8d43d5c01e722708f5ac11b9a376

MS Office Document | MD5: eeef8d43d5c01e722708f5ac11b9a376 | Size: 59.9 KB | application/vnd.ms-office

Hash
MD5: eeef8d43d5c01e722708f5ac11b9a376
SHA1: c6b949596eadacf12d1c18eb67d47af334123b4f
SHA256: a845d78bb580f0e945968e893f9359bcc4aa001489e73a49c8c9876190cda2df
SHA384: 83d2ca1220473afd35b2fd6e51dd84fbe08b42cb577a9cfb72edde1f41ab94e643c1c977cf3381c413daf2509bb7c0a5
SHA512: 5013cb16fbd3ffd5d2fa5e9f2c876d2be26075bd91c65c50a8e2b60f9043d0832ce7cd88d486694f38dc13fafd110a8ecf6494254f975b003f8bad7d427fb785
SSDeep: 1536:6oxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAJxrd7s+mtJGid:6oxEtjPOtioVjDGUU1qfDlaGGx+cL2QN
TLSH: FE43A4A2B695D8C6D94807310CE6C2E66727BC515F6783CB328DB72F6F726808CC2657
File Structure
Root Entry
Malicious
CompObj
Workbook
SummaryInformation
DocumentSummaryInformation
Artefacts
URLs in VB Code - #1: http://ns.adobe.com/xap/1.0/
URLs in VB Code - #2: http://www.w3.org/1999/02/22-rdf-syntax-ns#
URLs in VB Code - #3: http://purl.org/dc/elements/1.1/

Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: Module1
VBA Stomping | ATT&CK T1564.007 | Malicious | Malicious Document | VBA Macro

Missing P-Code: the Office document under analysis shows signs of VBA Purging: the P-Code block within the document is inaccessible, so the code could not be decompiled and only the stored source code, in textual (compressed) form, is available for analysis.

VBA Purging consists of removing the PerformanceCache section from the module streams.

To erase all traces of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and any SRP streams that also hold PerformanceCache data are removed. Once the compiled code is gone, antivirus engines and YARA rules that depend on exact string matches against it are rendered ineffective.

This lets macros bypass such checks easily, since the remaining source code is stored in compressed form.

Module Name: ThisWorkbook
VBA Stomping | ATT&CK T1564.007 | Malicious | Malicious Document | Blacklist VBA | VBA Macro

Missing P-Code: same VBA Purging finding as for Module1 above.

No malware configuration was found at this point.