Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4026c08ec460df18…

MALICIOUS

Office (OOXML)

80.8 KB Created: 2019-01-31 21:56:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2019-12-10
MD5: 5a72490babc640a962e2ad31bf8f3f7d SHA-1: 5c2770079098720229c7451682a5ac1f161f1c5e SHA-256: 4026c08ec460df18e44b229217001c06824fe768a1428c53ffcb96c210f99557
398 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1071.001 Web Protocols T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Document_Open macro is designed to execute code, likely downloading and executing a second-stage payload via WScript.Shell and CreateObject, as indicated by the 'OLE_VBA_HTTP_DROP_EXEC' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics. The document body explicitly instructs the user to enable content, a common lure for macro-based malware.

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-7086161-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7086161-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            .Write r.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
     s = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.kj403g42")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 32339 bytes
SHA-256: be49a6922508f675e7fb00e34aefc4d60ce8a4e87f346d78dca673d3952af5b0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
574 of 1055 identifiers look randomly generated (e.g. 'a6wqfhp552gynsfhwndl88m8h6l8yjbipmgdsp0w') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()

ajsitgxwpgx
End Sub


Attribute VB_Name = "zh00k1shh4n"


Public Sub n3gypehwn3q()

Dim orw10fqmsby As String
Dim AA34onqsgn0or As String
Dim n0qv2kxui0p As String
Dim AA3aud25ms1n2 As String
Dim fz2aeaf4axl As String
Dim mpbm5nqogqv As String
Dim AA2mj20xyte4b As String
Dim k33igqvknoi As String
Dim b0ekvxny1gz As String
Dim nng5kxmi0xl As String
Dim c0pgekqulei As String
Dim nfufnfg2lsg As String
Dim AA4suxueouoli As String
Dim hj1qs2vomez As String
Dim vvqyz4ukzrs As String
Dim hmhbiz2fx1z As String
Dim jvocub0u2ia As String
Dim nyqxnuwctfq As String
Dim vicu3lc243f As String
Dim AA2ugg5z3hrj5 As String
End Sub

Public Sub l4koevaxd0i()

Dim AA1l1dvhtyneb As String
Dim AA31biw0gsaey As String
Dim la01liyqxgq As String
Dim AA2nsgpw3cfbc As String
Dim g1qesxlvt1k As String
Dim ko1lfcnksnz As String
Dim AA2o1aik05yap As String
Dim AA3kbgzovsefz As String
Dim AA5bvhjup0oxw As String
Dim AA5wa3mqy11y0 As String
Dim wu44hgip1ts As String
Dim wwg1inxixdh As String
Dim fygpfq330j2 As String
Dim jfd4zhbatlw As String
Dim AA1kfargl0cx3 As String
Dim o43skk5wdxi As String
Dim AA2kyx5ito1ml As String
Dim wpv20cy4lul As String
Dim hwi1lka4z15 As String
Dim pdrvh1cndzb As String
End Sub

Public Sub ufisfojfm0z()

Dim n3pakiyrumf As String
Dim AA5borkb3exrh As String
Dim AA3qscvhxfwf5 As String
Dim og0oqyybnvd As String
Dim qdgse2me4vj As String
Dim tid3c2wyebb As String
Dim iwfmjkhxwj4 As String
Dim youmhcerqf5 As String
Dim hxr0ytj100r As String
Dim e1k4vbdra2y As String
Dim AA3liw4e2qzsr As String
Dim vf13kltpbo0 As String
Dim AA05x3l3avpre As String
Dim qpkkgvmolma As String
Dim ghmwikxlv0s As String
Dim b31gtlgral2 As String
Dim vqx5c2aqggg As String
Dim AA5qatn12s4kc As String
Dim iv1hkbvg1x0 As String
Dim AA4liz20eqntm As String
End Sub

Public Sub AA53imhlo43yq()

Dim AA4n5phnp1qb2 As String
Dim z1xgtmhcfm4 As String
Dim AA4vbuiu3r143 As String
Dim foe3wdre54v As String
Dim q3cxeqxhckn As String
Dim AA05qlgnrlfss As String
Dim cc2e0aplom3 As String
Dim jaagdqhv334 As String
Dim oooeqgpxbsd As String
Dim dbby4ntncis As String
Dim ycimoe0gyc2 As String
Dim ioymrb0ghcf As String
Dim stycxmh2a4n As String
Dim i4tsrwhzojw As String
Dim hvwhw4u4ul3 As String
Dim qtyffgbtsi5 As String
Dim pe4vere4vwh As String
Dim xrdqoitno1s As String
Dim fzy1kxvawtg As String
Dim vqwgdk5b2ju As String
End Sub

Public Sub AA3c1ubnv3aik()

Dim dwvkjiqxtmh As String
Dim n0jhy2b50ol As String
Dim ftcbkvgnluj As String
Dim t02jw03onib As String
Dim e54n13a334l As String
Dim gl1gj0uoy42 As String
Dim goyxlsfts1n As String
Dim AA5n4kce0kfvl As String
Dim frzcf0soad1 As String
Dim a4o3i0dnngh As String
Dim sehmvoynhjt As String
Dim AA5n04uq5xdvn As String
Dim tr1vqmw0vvc As String
Dim sphzlimlyxg As String
Dim zy3fmym15eh As String
Dim bb53djxozs0 As String
Dim AA3ftmuq1dw0i As String
Dim nc2fnpov4pq As String
Dim jrxi4dpzwwh As String
Dim wsoceng5kmn As String
End Sub

Public Sub lt15otj1s0v()

Dim mrulfvduue4 As String
Dim opqnjwc2kst As String
Dim ts2c32vlagu As String
Dim de11lujqoss As String
Dim AA52ghf32y40y As String
Dim in1nyyih3se As String
Dim sjkyti3nz1w As String
Dim lp5npgtbvnh As String
Dim bsti2golcay As String
Dim qqifshll113 As String
Dim wpaanm4flyx As String
Dim ow1dfeg4trb As String
Dim t32k5retija As String
Dim rea3an4hume As String
Dim avgt34rdvhb As String
Dim zrnttddvyci As String
Dim vbhtn03szye As String
Dim AA0xiwqkunxz0 As String
Dim cm53wjgyzto As String
Dim fvbk2rdrt21 As String
End Sub

Public Sub abg3fe1hup5()

Dim hhpolyfkpuv As String
Dim hajozwquite As String
Dim fwl40dbkvyw As String
Dim kolcfojbgyo As String
Dim AA5yvjk5owtyr As String
Dim ypfl4gqssil As String
Dim vcoguztfql1 As String
Dim AA521rdg44bfl As String
Dim q2fbez1tnvt As String
Dim qsqci4xae32 As String
Dim xr2de5cwt4d As String
Dim l43oqnfgodh As String
Dim AA1fz3rekpel3 As String
Dim AA0kohlrcuotq As String
Dim q2mxeqt5rz2 As String
Dim nvutio1oyzm As String
Dim vds05i4bbxf As String
Dim xwdcnxohzmt As String
Dim sg45bfjnv0e As String
Dim po2we1d0efj As String
End Sub

Public Sub y0ii2actz0w()

Dim y0ipfb2lxcc As String
Dim qagoi1c1uev As String
Dim calybqorkp2 As String
Dim qzl2ozf2oxb As String
Dim coyvnrjbumj As String
Dim AA0mmai2nxf4v As String
Dim kqp53i4bkta As String
Dim sfgoyr4iysl As String
Dim skfvoko4znk As String
Dim hzdxxthn4sq As String
Dim AA3taa2ibpi5d As String
Dim nvoibhjwzxr As String
Dim j1bj3ayg1p4 As String
Dim qlaf2b5pauv As String
Dim t5wgii50moa As String
Dim z4n3smlbwqy As String
Dim rqd31htlyoo As String
Dim mvbdx3c0zmv As String
Dim qyxsm4sq23j As String
Dim qdtjrxy44nt As String
End Sub

Public Sub glay223xtiw()

Dim fkvgby1iwgr As String
Dim AA5rdyaj2hdve As String
Dim AA5tgnridql0k As String
Dim AA1220ltndk5r As String
Dim er2zayrqgmj As String
Dim AA0fwy0dm2iwe As String
Dim dxrqa3imgab As String
Dim apyym3uxxtx As String
Dim v3mzuey1rr0 As String
Dim rbwxiv1wtkj As String
Dim x1fpjfybd5c As String
Dim ob51axodinr As String
Dim dgh2zcyqhob As String
Dim zrmqdgjtuv1 As String
Dim pvbbscmi3mx As String
Dim j10sqxp1j4r As String
Dim noagp5ruvd1 As String
Dim xpq3tzzlvw5 As String
Dim yovrksi0ckl As String
Dim aktyhgzz3vr As String
End Sub

Public Sub yxdxtnvoaeq()

Dim gtxopm1waxp As String
Dim hmrkejconld As String
Dim bygp25ryahu As String
Dim ze4swjuaxi1 As String
Dim uyjprpg2rjv As String
Dim AA5305z0velvh As String
Dim ajtsk54z2oz As String
Dim AA5hcg4zlhxs3 As String
Dim jdz4zgeykjs As String
Dim vljepsebedi As String
Dim gjpeay2bxwe As String
Dim AA3slyi52j3nu As String
Dim sd055ywuz1d As String
Dim xr4k1lti43p As String
Dim m4p2ocjhal1 As String
Dim AA3f5liuwlrsd As String
Dim xl4k1nc2wjv As String
Dim cq2mxet3mnk As String
Dim AA0ysw3jpgava As String
Dim wimgcrsiqli As String
End Sub

Public Sub xcy4stybaka()

Dim p3gcawqwr4d As String
Dim lfijbw1sb1g As String
Dim AA5nabpp0buto As String
Dim hpvmctretqc As String
Dim knhf5jwlrpt As String
Dim AA5jly5zkttco As String
Dim xprrp4cdcad As String
Dim okgqrmi5hmv As String
Dim jb1vgscrf3u As String
Dim kgxje2lzltn As String
Dim mc5cajp3zxl As String
Dim eswdx0my2ab As String
Dim h0hdvhmtxsp As String
Dim xzlk4aqpxo3 As String
Dim ngezfwztmt5 As String
Dim AA5n2tbpnwany As String
Dim zxlxluyco5h As String
Dim jqepktl1hac As String
Dim AA32f4nucmxp5 As String
Dim t4dd5i13ucp As String
End Sub

Public Sub zsqs3stwt5f()

Dim qoekagw40cc As String
Dim hxvypltzrtv As String
Dim mcjqpmtmwrb As String
Dim dlez4izol2j As String
Dim q1ke2xxist2 As String
Dim jybtogymndp As String
Dim luq3pbyrjsn As String
Dim vvffxzfa54x As String
Dim tajmhgug0sh As String
Dim AA4uk412rhwky As String
Dim AA5c2fun2ppw3 As String
Dim gaalhf2jpmf As String
Dim m3ayjbog3j4 As String
Dim AA55d1vinwvmq As String
Dim AA4emzx2ady03 As String
Dim AA30a5ujvnvxh As String
Dim sb2mnlgoi5h As String
Dim mtuvsy0d52r As String
Dim kfif32ri1jk As String
Dim AA10z0umopyel As String
End Sub

Public Sub rcbxw5bfcpi()

Dim evuvhhwfdbb As String
Dim fdr22i4vvbx As String
Dim wvqfrcebq3e As String
Dim xxgzickhtdz As String
Dim ps12rry0op2 As String
Dim lywvcgobf14 As String
Dim l0qd1jzvsid As String
Dim mj2hzrnpzny As String
Dim khjljfiaovs As String
Dim m3ehhpickfp As String
Dim mfci33dvhlg As String
Dim ziu5dyluxoa As String
Dim AA20efiq5t0bl As String
Dim b20sqwpd0ee As String
Dim urrl4yyayu0 As String
Dim AA51o0b04krln As String
Dim AA5c2chawbbgq As String
Dim AA40gmskfnvsv As String
Dim aac31yj1ua4 As String
Dim AA3ijqipovm14 As String
End Sub

Public Sub jjp33m1ks5d()

Dim flehhpphgl1 As String
Dim n5fmiqec4bg As String
Dim bqp3ddgsrep As String
Dim glu1v33jcc5 As String
Dim z2c0dexcop3 As String
Dim p3zrsupaump As String
Dim ejv5oylugrl As String
Dim lepg4oej3uw As String
Dim ttk2onu1ono As String
Dim aqryyl0mrpj As String
Dim AA1sm5ca2hliv As String
Dim s0vq5vmzqrc As String
Dim fj5ts3xjrk5 As String
Dim AA03gq1ivsngx As String
Dim AA1cgnvw1ks15 As String
Dim gqwfwg10t4r As String
Dim hoou12boskw As String
Dim ddmawaryhug As String
Dim AA3vwiwzyqchi As String
Dim okpxqkjadzg As String
End Sub

Public Sub umn2zd2ze0a()

Dim x5pexxqzkvc As String
Dim AA23fk2rtqg0m As String
Dim zrgjjabnmic As String
Dim ceein3vvk2r As String
Dim uvrvc2y3glj As String
Dim AA5hrchwdzlny As String
Dim idqb2wvml2e As String
Dim luy1zqnvrv5 As String
Dim AA5ojk3onty00 As String
Dim AA3pezivjscd5 As String
Dim zdenvypwpsm As String
Dim rftyu1mqqwc As String
Dim jsmjqlqsfhu As String
Dim AA2hsirlb44ge As String
Dim bl30z3awiy2 As String
Dim AA4oozdx31oht As String
Dim s54slkn2ehv As String
Dim yfs4mmosawg As String
Dim kxyf4xv24sn As String
Dim e5ssofyvh2c As String
End Sub

Public Sub AA3uhmfdttmeg()

Dim ch4nzezpjwe As String
Dim sy2wkzp4h2k As String
Dim xjv1gbmbkfw As String
Dim AA1ywiuibgtgg As String
Dim AA2uux4o4q2jo As String
Dim nylzvxkh1hl As String
Dim AA1giofzzwqe4 As String
Dim yksrty3tnkd As String
Dim ybsbpciscc1 As String
Dim rw3baf23mwi As String
Dim AA5renkpuiml4 As String
Dim AA5hannx32b4q As String
Dim AA3ug1s0d2ryo As String
Dim mqympocdefm As String
Dim xk05ijcjgrs As String
Dim sujhaupsc1l As String
Dim wott2zfrlc1 As String
Dim ybcqwytp4qw As String
Dim xklvynnbpcy As String
Dim m4u5g5c0rif As String
End Sub

Public Sub d15lcaoglq4()

Dim dkaxfsokkxn As String
Dim el11jrtwc2w As String
Dim ohurlklr4ug As String
Dim tacovv505y5 As String
Dim AA53hm2sid3sc As String
Dim AA5cftyn54ege As String
Dim kccphqst3cg As String
Dim b4caqwllnde As String
Dim AA50pzsca0uzq As String
Dim kzv2chmabtb As String
Dim AA25mk2oeg2jm As String
Dim frsftbfzuqb As String
Dim yroixp33unp As String
Dim tjjg414o2ng As String
Dim ef5kqbkgn5o As String
Dim AA1s23l0sa023 As String
Dim vcrsopprwm2 As String
Dim izbbprfqv4h As String
Dim cqio3bj4yxt As String
Dim AA2t1py5btfyg As String
End Sub

Public Sub nbhwe0pewvx()

Dim pog3wxfljbw As String
Dim ut4a0wwucdn As String
Dim jy4twz0hy3e As String
Dim dnlgj2av31w As String
Dim lsgmcglde4u As String
Dim dquzt2t2xba As String
Dim gp54ww3hmlj As String
Dim i1qcx20pfu0 As String
Dim h3bapak3euo As String
Dim nbzpioswyoi As String
Dim AA1lhpkp5hlfa As String
Dim xcv0yolnp12 As String
Dim cmyty3fu4uo As String
Dim fgwzmgk1s2q As String
Dim j0yhxjk0do2 As String
Dim ov1xclvx3q0 As String
Dim x2s5ohu2wnd As String
Dim io1zaz1zwre As String
Dim AA1wpqxxx4ugj As String
Dim lb32tmhiyhl As String
End Sub

Public Sub xbjqtqhs02n()

Dim ayjvasxiko2 As String
Dim AA1mxkrrsf3pa As String
Dim jd0kfbw2x5j As String
Dim AA5kq44usaofi As String
Dim fnol2vpm5v2 As String
Dim AA3s5lxlxxnwe As String
Dim AA3r5ndoanaen As String
Dim mx2gaiti0dz As String
Dim kjcljfaqzs0 As String
Dim yywh21pz5ie As String
Dim ehogn3kk3br As String
Dim axyidraz0u1 As String
Dim AA0fwnwmymb2x As String
Dim AA3aqiiidfrbp As String
Dim c0uzlij2i0b As String
Dim ujterzdsnuu As String
Dim AA0b52qj5gmfm As String
Dim m44sygrh5pv As String
Dim xgicewwkuev As String
Dim AA5jd2fywhajn As String
End Sub

Public Sub AA2vobfdmio3r()

Dim x4cdnrvtqga As String
Dim o1hplg3tvyr As String
Dim svg5yqztq21 As String
Dim AA4owj5jwro04 As String
Dim lzc3z1ury1e As String
Dim AA1uizkd3xjsg As String
Dim q0pebsdqd1a As String
Dim jzaiw0ci3xb As String
Dim grt2suziijo As String
Dim AA3md0wlsiqmf As String
Dim xkplpj52tvd As String
Dim ih5gne5z40u As String
Dim cbzxbhsitjx As String
Dim kt2g2okiwf1 As String
Dim cxubjgapt5t As String
Dim s3d0aqlr2e3 As String
Dim b1r31lj12gt As String
Dim i1pkrgyohzk As String
Dim apbu1l11ji3 As String
Dim kvqdj5wctrx As String
End Sub

Public Sub cmgbkan5zsy()

Dim cye0v2yrl0n As String
Dim dgvrgb0jlh0 As String
Dim uufct3j25jy As String
Dim pakv4xpgzyh As String
Dim xtwfhulw5zj As String
Dim t00a0z1wiao As String
Dim mgckxd5iak2 As String
Dim AA2rwbrwe2nyg As String
Dim l2oytkaa02h As String
Dim yqjjnvn42pb As String
Dim pz52s4ukajw As String
Dim g3iopkybsi1 As String
Dim wekaid5azbi As String
Dim bhn3vpr5lvb As String
Dim ukswlamccny As String
Dim AA5nn4sv51oax As String
Dim o454fhpvy1k As String
Dim qddrrae01ye As String
Dim ztbkow2msr2 As String
Dim AA2yd3zrqvxd3 As String
End Sub

Public Sub u03mv4y2s1k()

Dim viviilbsznz As String
Dim sauvdxqxxoc As String
Dim d0ht0na1lyo As String
Dim tihqk5qmg1l As String
Dim r2novx1mpyl As String
Dim gcbqjce30e3 As String
Dim ldff0fttpmc As String
Dim jeed5y3n21v As String
Dim skhafj1jhb3 As String
Dim ghs0u5gvtpt As String
Dim m4wetqg0hnk As String
Dim fhrhxz54dne As String
Dim yh0qxt40arb As String
Dim wckjf3voxe1 As String
Dim xovvjh42fdl As String
Dim AA5ale3y01yut As String
Dim rjyklo51c3l As String
Dim st0v2zetuk0 As String
Dim apljz3prbk3 As String
Dim aqaw21jrfxu As String
End Sub

Public Sub wo5snnve355()

Dim q2xaungoj25 As String
Dim AA1vbdnjag2xd As String
Dim gwfqflhcha1 As String
Dim AA1zfqns1woym As String
Dim bzc2hgrpofa As String
Dim e0hocf3muxd As String
Dim xnanyhsxyss As String
Dim y0ztgvergbq As String
Dim ubwukavhz4u As String
Dim x0j4ikvyg2o As String
Dim hrcwcgjx23d As String
Dim t3corjlqwli As String
Dim jviqoykauzo As String
Dim bpzhjo1w3s5 As String
Dim d4rvxswkvjq As String
Dim udpijsvq5hw As String
Dim AA32xanxlfcbp As String
Dim qkfv3h12qy0 As String
Dim yeamuahpmsh As String
Dim AA231maq5v5qv As String
End Sub

Public Sub AA3ltyjnfvjze()

Dim wzqpwsfmawc As String
Dim mtorrukxp01 As String
Dim bkkxkzr2ifa As String
Dim sfjkxxbkr1h As String
Dim bra0cbcabpu As String
Dim adk254kduej As String
Dim ylbwdrbfifh As String
Dim AA2p1yofl4tgj As String
Dim ecmb1l5m24j As String
Dim r40y25bwtgh As String
Dim taedlfgqcil As String
Dim AA2gwledsil5t As String
Dim AA3hvzuxioo0t As String
Dim malwiogfeab As String
Dim vfbi3o5eldd As String
Dim vla0sp1114f As String
Dim ivoiiqbvy5e As String
Dim u2rweimnzmr As String
Dim y53d13bspbl As String
Dim uglva5loaw3 As String
End Sub

Public Sub pp5qrkjc45n()

Dim mm2knhqd3dz As String
Dim zylkwvmlb15 As String
Dim qtpwt4lp3so As String
Dim e0eybum4d3n As String
Dim g1i5oltegls As String
Dim ztcou5ouwmk As String
Dim axhrecmtqmy As String
Dim AA5qfrzeftfxd As String
Dim b5qkw4jcuyj As String
Dim dhwxutyb43x As String
Dim y15kuf0q3rd As String
Dim AA5ekleyzrjzg As String
Dim sie03osvw0v As String
Dim hric3mzgo30 As String
Dim r4nygkqqtkr As String
Dim vtaqrtiisrl As String
Dim qsfngpg5d5v As String
Dim oh4hqdemayg As String
Dim bv4mncaaqqd As String
Dim cubc54ddkab As String
End Sub

Public Sub xjrqvuwhllw()

Dim eizmle1oya0 As String
Dim ihmq1looqg1 As String
Dim scqjrok0s3y As String
Dim y4jzecsbsoq As String
Dim yybnf2h0oko As String
Dim wde1rzv0swe As String
Dim rqalvgd4xsg As String
Dim vxtthyijaxd As String
Dim AA5mp2s4vohpy As String
Dim oybzltkbiiw As String
Dim petuzspp3ex As String
Dim lynnsqqrfov As String
Dim asdjnqpy4vh As String
Dim lo12qkttypd As String
Dim ln53uqgkfhw As String
Dim ore3qrgmpv3 As String
Dim psmynwwqs0p As String
Dim hiesl3vzx5q As String
Dim AA10go0eodwli As String
Dim ycgwukddxai As String
End Sub

Public Sub cippjctfvmt()

Dim oafrzyjvhvi As String
Dim adxj1bf1vzb As String
Dim tj4ral0kybd As String
Dim j14gjkrbb3t As String
Dim lewqftxliqi As String
Dim uunkgop1wjh As String
Dim o5t2odyxc2x As String
Dim fst3fgp34dq As String
Dim e0fytxuz41a As String
Dim deha4ixjpxk As String
Dim f5g1zpxr3dg As String
Dim AA4wttwza0npn As String
Dim mi1xcv54qvk As String
Dim kdszoglqmgp As String
Dim AA2xfxeijnmrs As String
Dim k1boqmpm34y As String
Dim unjachvqdte As String
Dim afn2utpofrx As String
Dim fa5gtuiy4uo As String
Dim AA42qz24cl1hb As String
End Sub

Public Sub c23t4cvgyzj()

Dim AA0ov35z33tnr As String
Dim t1vxgincyfo As String
Dim jsrcfvs2m2h As String
Dim ddpgn04crky As String
Dim lyquyr2tdpa As String
Dim enwtbmjfvlo As String
Dim xube4cxpkqd As String
Dim c5ykfbuau5e As String
Dim AA0oea3zvy01l As String
Dim AA0qbov45njv2 As String
Dim wlfae2kwj1p As String
Dim oum3fioafpo As String
Dim iuoqv2xxs4s As String
Dim qbbmmvehwmb As String
Dim AA0e31f5zptmk As String
Dim AA4racrhgo2vo As String
Dim wr2mw1tdwse As String
Dim AA3oyxklnesdt As String
Dim AA3araujjkery As String
Dim wyawplxtqeb As String
End Sub

Public Sub b24odqfkyzy()

Dim ej5dqaque5o As String
Dim owkvikn25r4 As String
Dim olmmysixc4n As String
Dim gnsndcqfwsg As String
Dim gabzrxb0z24 As String
Dim xpczbz4ptbr As String
Dim dekwhrwkrid As String
Dim AA3zyrmqcqcux As String
Dim vosjfoilvvh As String
Dim AA5faohv0cx2y As String
Dim dsuxzmej5jn As String
Dim nsppx0sw422 As String
Dim ptgpmwgyakd As String
Dim qrkgnxgwd2d As String
Dim ul1cqahand0 As String
Dim od5l4lhgazk As String
Dim h1hlpfl4cjk As String
Dim cgppyg2mmum As String
Dim cnjlbajfjjc As String
Dim AA1pcciexbrvb As String
End Sub

Public Sub ipk0spk0zzf()

Dim hwahur0yd1y As String
Dim wmmm451bt0n As String
Dim jgytful02wf As String
Dim AA1km4pch1csn As String
Dim AA0nizmxp0zwd As String
Dim AA3j2zvbv42xt As String
Dim bopjbtsodt0 As String
Dim cvebkocmcqk As String
Dim v00tkx31tts As String
Dim xem0n1o33wn As String
Dim chsd4ejg0ed As String
Dim oz1fioxhpln As String
Dim p1uzxoz1iot As String
Dim h0yj2vbq1td As String
Dim zfboyshjgtl As String
Dim iwbpvl0n1w3 As String
Dim d0qqxht3ce0 As String
Dim AA3dh011xziu1 As String
Dim mm0dn0nxzsy As String
Dim eim4qlnhlp3 As String
End Sub

Public Sub of14pyc1cnp()

Dim hboizmjb21l As String
Dim zypysxvh2yd As String
Dim AA0mjqjbgiwj0 As String
Dim AA3j0yqojuloa As String
Dim AA55ueeiep5y4 As String
Dim AA2iojebbezcr As String
Dim vrhtpuvjywf As String
Dim smjegexxkfg As String
Dim wd2ckk4isdo As String
Dim hh3tqrfxfks As String
Dim AA4cfkazn4kri As String
Dim AA5aig4cyrctz As String
Dim nfpxvy5n1im As String
Dim n0udx3mku3b As String
Dim AA2fuq5bf0ffn As String
Dim ogseusllqsq As String
Dim zp5yijbkd4y As String
Dim AA5m53beav2ik As String
Dim nq2iljyqhj2 As String
Dim AA5q0lqnsqbw1 As String
End Sub

Public Sub srohue2unpm()

Dim x5eojy5hieq As String
Dim joydhxuo55z As String
Dim mjgsubtebqz As String
Dim AA2y5dkufnzpv As String
Dim jzoqietzkzp As String
Dim eumgml443ix As String
Dim m4zz4t0acck As String
Dim tjr3xvoclqd As String
Dim AA35q5jlpdkys As String
Dim vnmmqsoy42q As String
Dim dikq11rqhns As String
Dim janjbajcbuh As String
Dim o4rlf1dssve As String
Dim kc4xh5yh4el As String
Dim pwl3j05mhsm As String
Dim AA5a1khhqaucm As String
Dim apisaxcqvau As String
Dim AA5g3yhedyo4f As String
Dim pmuvnvztpjc As String
Dim rmegam5pzxe As String
End Sub

Public Sub n4f5hqfbveh()

Dim AA54xzknmj0zh As String
Dim dyytukpyowf As String
Dim eicjme0pdyj As String
Dim AA3vovtax1yno As String
Dim rhferxgjd5t As String
Dim zr1sizjhdav As String
Dim ipvgeb5expx As String
Dim qyfy3h5cnlh As String
Dim ondfxt3kobz As String
Dim d0eydoom43k As String
Dim ng2z4njtufb As String
Dim va2chiqqmco As String
Dim fzvdn45p1uh As String
Dim AA1svag03jx5i As String
Dim AA02pd2fc1ruu As String
Dim yvj3amjc1fk As String
Dim gkg53axsw0g As String
Dim vryyx0slian As String
Dim hii0rpm3hro As String
Dim pgktxmcbp3j As String
End Sub

Public Sub vjbjrltvtsp()

Dim m5wu3kgnoce As String
Dim AA34ebobuxxa0 As String
Dim zfuqlfui3wy As String
Dim AA3x15iq2yrem As String
Dim AA5pnvks2iigr As String
Dim n450uvbyhmy As String
Dim ttysxzxoebq As String
Dim fldcam3lzrh As String
Dim hqtfgpiaqxr As String
Dim htlkyukmd50 As String
Dim qphj0jxnjsp As String
Dim o1c4miki022 As String
Dim AA4pjb2whvmm4 As String
Dim menucf3p54j As String
Dim AA5ny0req0qgc As String
Dim jokaeygtpfp As String
Dim zdewvoahquy As String
Dim AA3vnohvjlmwc As String
Dim AA5ec3cmtv1br As String
Dim sfikhghancq As String
End Sub

Public Sub adtxs1towmh()

Dim qkfjonywj4j As String
Dim qq2asps5qef As String
Dim u4xowzwv4bt As String
Dim vnicim1f1od As String
Dim AA2rpedlnz23p As String
Dim hqzctbzgumd As String
Dim bejqrypehed As String
Dim qfopnrum1ca As String
Dim AA34wzdg0mu5b As String
Dim mon2y4cvui2 As String
Dim jqip4zcuwkp As String
Dim htygh31hmst As String
Dim AA0eigwsel1hi As String
Dim f50jlz0qtgm As String
Dim AA1gxjg0zibj4 As String
Dim wodjsxcbz2x As String
Dim aac01o45aul As String
Dim jcihaz1s4ba As String
Dim h4xhcstscxd As String
Dim dv4nqjg1heh As String
End Sub

Public Sub AA04fool0dnt3()

Dim AA0ed5jq1s3ed As String
Dim AA4d3wdd0r43z As String
Dim betv1deoenu As String
Dim wcwlt5n04nt As String
Dim AA3qrwarpqqq5 As String
Dim ubpgcm04kis As String
Dim xcyc2ubyabv As String
Dim AA4xhxajgnttr As String
Dim gopzg3wdbzm As String
Dim p2mf2r0av3w As String
Dim v5ndhbg4snp As String
Dim mbng4hmxjr3 As String
Dim ouc1445irnh As String
Dim AA3j4sz35xqr4 As String
Dim kbzcj0kvuv4 As String
Dim e5rlhrezwea As String
Dim mebbmi1maec As String
Dim AA2hltcgcxjhv As String
Dim txvmjyjaiiw As String
Dim zhhzywzv4j0 As String
End Sub

Public Sub wq5syf20q2z()

Dim lbfnae3ny1k As String
Dim etat1kgmcyg As String
Dim ctubtyx0wbo As String
Dim kq0vr2o2pe0 As String
Dim gbvsegqxmiz As String
Dim djrsc3ynfvp As String
Dim tavxqgn3eym As String
Dim trfwcivw2jp As String
Dim oppqynponpr As String
Dim bkvijah2ju4 As String
Dim q5idejj3lmb As String
Dim ge54km3zps5 As String
Dim qzreaicehgc As String
Dim AA2wgilxlz1ou As String
Dim AA5mpsihkxacy As String
Dim fn2fe10mq1f As String
Dim ctyftxmsrgu As String
Dim bavof1os3g2 As String
Dim q0nqaf5ihtz As String
Dim tggidrfg03k As String
End Sub

Public Sub t5dlkvol411()

Dim xbl0nspy2kl As String
Dim ekgvxvefzqc As String
Dim oyndhncx2gn As String
Dim s5wpc4ytswy As String
Dim ln34erwkphk As String
Dim ey5twzlcnxl As String
Dim fwpzfnxkuvd As String
Dim iukpjpowtzz As String
Dim AA4pgctuedj0m As String
Dim AA3q2gkk1xde5 As String
Dim actckzhmrt1 As String
Dim ch4lzkdtwhl As String
Dim poo1tofzdub As String
Dim AA3ddssfno2jc As String
Dim dz0sdw3xump As String
Dim o5yhatrx1cz As String
Dim m1lw0eewgcu As String
Dim gymzeinpand As String
Dim xc20rv22ogw As String
Dim zjrnutihpyy As String
End Sub

Public Sub dekvnrsltue()

Dim b2qf3uqepxt As String
Dim jbw2nrs3ixd As String
Dim AA0mgwfqxsryv As String
Dim m3qa5m0hacs As String
Dim crqlakhsyvg As String
Dim rp1erqt5ydi As String
Dim AA5bpddu4y2qj As String
Dim gdvtofodk5h As String
Dim AA2zxskazxobg As String
Dim pdigrsvj0dx As String
Dim e01yuhqgryp As String
Dim a0xmh4jem5g As String
Dim cqnzmglfreb As String
Dim a4hydlgxliu As String
Dim nmfawgctvij As String
Dim AA5pv3p05crfw As String
Dim vgziarrlse2 As String
Dim k2v3jejiy2l As String
Dim qdprqjyj1yv As String
Dim mdj0mksabxe As String
End Sub

Public Sub zpjpwobxsjy()

Dim AA04owah042ky As String
Dim blsefvlagnr As String
Dim kon51k0pft0 As String
Dim AA1l1qovhw5yz As String
Dim AA5tmz05j3bll As String
Dim AA0y0rz5tbdod As String
Dim l34objvw0wb As String
Dim ljpjbmmxvec As String
Dim fqgraf5clti As String
Dim ba50w0uabiz As String
Dim AA2ybkijyzwp1 As String
Dim bcl4d1v1gnb As String
Dim fi2irjn20ee As String
Dim lzqiwn32okj As String
Dim arm1ip0yr1m As String
Dim AA4ot5cdhpk4h As String
Dim AA0wcjo0vjkvd As String
Dim sh3lhkuynbg As String
Dim uyja5ydovse As String
Dim uegsba2zzdh As String
End Sub

Public Sub f3pg02lehau()

Dim ylpsojplplh As String
Dim alda2fmgu0w As String
Dim iwfrvqp0hgf As String
Dim AA02vvodvn4fp As String
Dim ggesbduhs3b As String
Dim AA32ywernbzzy As String
Dim a45ws0oqs1x As String
Dim g1hdxubpz4j As String
Dim gg0nqd1yaoi As String
Dim ozunb24kj2c As String
Dim ivejodwdbzi As String
Dim ozfqwtbquhh As String
Dim lyuskz0f5mi As String
Dim AA2ii5yb5njlv As String
Dim msqnqrzz2na As String
Dim zeh1mx1uama As String
Dim AA1vnily5c2uv As String
Dim tvm0g1qb2d3 As String
Dim AA2kze2ot1u5t As String
Dim ejabkwqvqit As String
End Sub
…
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 102400 bytes
SHA-256: 3c18acd5d1b9bd90e243dde61a6169565620ffd9cbf9627617d47c82b1647314
Detection
ClamAV: Doc.Dropper.Agent-7086161-0
Obfuscation or payload: unlikely