Malicious

f8d9b7c864fb7558e8bad4cfb5c8e6ff

MS Office Document | MD5: f8d9b7c864fb7558e8bad4cfb5c8e6ff | Size: 262.14 KB | application/vnd.ms-office

Characteristics
MD5: f8d9b7c864fb7558e8bad4cfb5c8e6ff
SHA1: a45ab1a9dec488278ee9682735d42d61dfc38b9e
SHA256: 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
SHA384: 254172425f1fe4e4336d6fe1dadc74978cf75436f9d15d23880713290b96f3d63a1ae9b1997c9f214be3e2921ad01a3c
SHA512: b4b41bec3fdffc630ab3a76780f766a367b484d5dfd672ec8f47ee34c8f1086d2089b319793e22e5565559070d7f2cbb1c41d56c480b60baa6487483052d8d7f
SSDeep: 6144:5FlXoKOs8GeWQ6BSpQS6eFlqoKOs8GeWQ6BSpQS6:flXowSpQS66lqowSpQS6
TLSH: 1944D699F05AC12EC7D815361C9AD7FE26B97C079DC0DB8336AE732E2FB6A59C040641
File Structure
f8d9b7c864fb7558e8bad4cfb5c8e6ff (262.14 KB)

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: ThisOutlookSession
VBA Stomping | ATT&CK T1564.007 | Malicious | Malicious Document | Blacklist VBA | VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is absent. As a result, the compiled code could not be decompiled, leaving only the stored source code, in textual format, available for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also house PerformanceCache data, are removed. Once the compiled code has been removed, antivirus engines and Yara rules that depend on precise string matches against the P-Code are rendered ineffective.

This allows such macros to evade those signatures easily, because the remaining source code is stored in compressed form and its strings are therefore not visible to plain-text matching.

No malware configuration was found at this point.