Malicious

fd853c922dc870a857c56414740e12f2

MS Excel Document | MD5: fd853c922dc870a857c56414740e12f2 | Size: 215.99 KB | application/vnd.ms-excel

Characteristics
Hashes
MD5: fd853c922dc870a857c56414740e12f2
SHA1: 230892cbe83cde2cd90e270040d5149b3f780c7f
SHA256: fa1998eddd638d281e38c7d855ccba5deef27d57485080333e79603b01a56312
SHA384: 8a7895f5a0bd128e1269969c037e27df0400800ae16c47ec5623cba38d747f73bbf504922b7c9cacbbdce9cee5dd69f7
SHA512: 2e2a06ccc115f2bf3df672e754d16b37328e78dd3d5cb1dbe68307f39598fe252cb4dd2d051ee7eb8ef37cafe9729e62e144271a1a64b5caa36b41e4ea627fb5
SSDeep: 6144:lHn6mNayNffUDmJZf49Y8SABkDScItd35QpNyk73i:lHn6CxfiOF0SpWd3erS
TLSH: 1624026DE659F85EC787E438821C16E78904E05AD2B4F12F3C8976E5B5814EB6F0C28A
File Structure
[Content_Types].xml
_rels/
  .rels
xl/  (Malicious)
  workbook.xml
  _rels/
    workbook.xml.rels
  worksheets/
    sheet1.xml
    sheet2.xml
    sheet3.xml
    sheet4.xml
    sheet5.xml
    sheet6.xml
    _rels/
      sheet5.xml.rels
      sheet1.xml.rels
      sheet2.xml.rels
      sheet3.xml.rels
      sheet4.xml.rels
  pivotTables/
    _rels/
      pivotTable1.xml.rels
    pivotTable1.xml
    pivotTable2.xml
    pivotTable3.xml
    pivotTable4.xml
    pivotTable5.xml
    pivotTable6.xml
  theme/
    theme1.xml
  styles.xml
  sharedStrings.xml
  drawings/
    drawing1.xml
  externalLinks/  (Malicious)
    externalLink1.xml
    _rels/  (Malicious)
      externalLink1.xml.rels
  pivotCache/
    pivotCacheDefinition1.xml
    pivotCacheRecords1.xml
    _rels/
      pivotCacheDefinition1.xml.rels
  connections.xml
  tables/
    table1.xml
    _rels/
      table1.xml.rels
  queryTables/
    queryTable1.xml
  printerSettings/
    printerSettings1.bin
  calcChain.xml
customXml/
  item2.xml
  itemProps2.xml
  item1.xml
  _rels/
    item1.xml.rels
    item2.xml.rels
  itemProps1.xml
docProps/
  core.xml
  app.xml
  custom.xml
Malware Configuration - Remote Template
Target: file:///\\FSS048-01BR.group.pirelli.com\CAMPCUSTOS\BASES_DE_CUSTO\Base_Materiais_Contas.xlsx
Path: externalLink1.xml.rels
XPath: /Relationships/Relationship
Outer XML: <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///\\FSS048-01BR.group.pirelli.com\CAMPCUSTOS\BASES_DE_CUSTO\Base_Materiais_Contas.xlsx" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />
Artefacts
Remote Template - Highly Suspicious: file:///\\FSS048-01BR.group.pirelli.com\CAMPCUSTOS\BASES_DE_CUSTO\Base_Materiais_Contas.xlsx
Characteristics

vbaDNA - VBA Stomping & Purging Strategy detection

Module Name: Module1
Tags: VBA Stomping (ATT&CK T1564.007), Malicious, Malicious Document, Blacklist VBA, VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging, because the P-Code block within the document is inaccessible. As a result, the code could not be decompiled, and only the stored source code, in textual form, is available for analysis.

VBA Purging consists of removing the PerformanceCache section from the module streams.

To fully erase any trace of the P-Code section, the MODULEOFFSET between the two sections is set to 0 by altering the _VBA_PROJECT stream, and all SRP streams, which also hold PerformanceCache data, are removed. Once the compiled code is gone, antivirus engines and YARA rules that depend on exact string matches are rendered ineffective, and the macro bypasses them easily because the remaining source code is stored in compressed form.

Module Name: Module2
Tags: Blacklist VBA, VBA Macro

Module Name: Module3
Tags: VBA Macro
Artefacts
Remote Template - Highly Suspicious (Malicious): file:///\\FSS048-01BR.group.pirelli.com\CAMPCUSTOS\BASES_DE_CUSTO\Base_Materiais_Contas.xlsx
Location: fd853c922dc870a857c56414740e12f2 > xl > externalLinks > _rels > externalLink1.xml.rels
