MALICIOUS
Risk Score: 212
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious Link
T1566.001 Spearphishing Attachment
The sample is an Excel document containing VBA macros that utilize WScript.Shell and CreateObject to execute code. The primary macro, 'o0001110001011110110', attempts to open a hyperlink to 'http://planlamamuhendisi.com/lisans.html' using the FollowHyperlink method. This indicates a likely attempt to lure the user to a malicious website, potentially for phishing or further exploitation. The VBA project part was also renamed to evade detection.
Heuristics (8)
- VBA project inside OOXML | medium | OOXML_VBA | 5 related findings
  Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/printerSettings.bin)
- WScript.Shell usage | critical | OLE_VBA_WSCRIPT
  Matched line in script: Set o1001001000000001001 = CreateObject("WScript.Shell")
- VBA project part renamed to evade filename detection | high | OOXML_VBA_PROJECT_RENAMED
  The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- CreateObject call | high | OLE_VBA_CREATEOBJ
  Matched line in script: Set o0100001010111110100 = CreateObject("System.Text.UTF8Encoding")
- GetObject call | high | OLE_VBA_GETOBJ
  Matched line in script: Set o0011111110010101001 = GetObject("WinMgmts:")
- Environ() call (env variable access) | low | OLE_VBA_ENVIRON
  Matched line in script: o0111111001010001101 = Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Left(o1100111101010110100, 4) & Left(o1100011110101001000, 4)
- Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://planlamamuhendisi.com (in document text: OOXML body / shared strings)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 23858 bytes | 5edcdc13276b208fd86fd6c586e200cc215747a45c46369ae480589ffe4f825d | No threats found | likely; carved artifact contains 6 long base64-like blob(s) |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sayfa1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "o0001011111001100101"
Sub o0001110001011110110()
Application.ScreenUpdating = False
If Not ActiveWorkbook Is Nothing Then
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("687474703a2f2f7777772e706c616e6c616d616d7568656e646973692e636f6d2f6c6973616e732e68746d6c"), NewWindow:=True
Else
Workbooks.Add
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("687474703a2f2f7777772e706c616e6c616d616d7568656e646973692e636f6d2f6c6973616e732e68746d6c"), NewWindow:=True
Workbooks.Close
End If
End Sub
Sub o1000111110111110110()
MsgBox resicplphrou("4cfc7466656e2062697220646f7379612061e7fd6efd7a21")
End Sub
Sub o0000111001010001100()
Dim C As Integer
C = ActiveSheet.Cells.SpecialCells(xlLastCell).Column
Do Until C = 0
If WorksheetFunction.CountA(Columns(C)) = 0 Then
Columns(C).Delete
End If
C = C - 1
Loop
End Sub
Public Sub o0000110101011001001(ByRef control As Office.IRibbonControl)
Dim i As Long, o0011001010101001100 As Range, o1011010101100011110 As Range
Dim o0010101100110101110 As Range
Dim o0101000110111101111 As Range
Dim o0000001110101010101 As Range
Dim o1001000000100111111 As Range
Dim o1100000100010100001 As String
Dim o1001101001100011100 As Long
Dim o1001001000011111110 As Long
Dim k As Integer
Dim X As Integer
Dim o0000111110100100111 As Integer
Dim o1111001011000011011 As Integer
Dim o1110001001110001001 As Integer
Dim o1011110101010111010 As String
Dim o1011000010011101100 As String
Dim o1111001100010111010 As String
Dim o0011101111000101000 As Range
Dim o1011001001101101100 As String
Dim o1110001010001100111 As String
Dim o1100111101010110100 As String
Dim o0001010000010001101 As String
Dim o0111000001000110011 As String
Dim o0000001000001001001 As String
Dim o1100011110101001000 As String
Dim o0111111001010001101 As String
Dim o0010000010001011011 As String
Dim o0011010011101111100 As String
Dim o0010000101110100000 As Integer
o1100111101010110100 = o1000001110010010110()
o1100011110101001000 = o0100110001000110111()
o0111111001010001101 = Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Left(o1100111101010110100, 4) & Left(o1100011110101001000, 4)
o0001010000010001101 = Trim(Left(o1100011110101001000, 2) & Mid(o1100111101010110100, 2) & Left(o1100011110101001000, 3) & Left(o1100111101010110100, 2) & Right(o1100111101010110100, 3) & Mid(o1100011110101001000, 3))
o0010000010001011011 = resicplphrou("484b45595f43555252454e545f555345525c534f4654574152455c57425352656e6b6c656e6469725c57425352656e6b6c656e646972")
o1011001001101101100 = StrReverse(o1101111111000011100(StrReverse(o0000001100000100101(o0001010000010001101))))
o0000001000001001001 = Left(Trim(o1011001001101101100), 5) & resicplphrou("2d") & Mid(o1011001001101101100, 12, 5) & resicplphrou("2d") & Mid(o1011001001101101100, 19, 5) & resicplphrou("2d") & Mid(o1011001001101101100, 31, 5) & resicplphrou("2d") & Right(o1011001001101101100, 5)
If o1101100101110001101(o0010000010001011011) = "" Then
MsgBox resicplphrou("456b6c656e74697969206b756c6c616e6162696c6d656e697a2069e7696e206c6973616e7320616e6168746172fd206769726d656e697a20676572656b6d656b74656469722e"), vbInformation, resicplphrou("4c6973616e7320416e6168746172fd21")
o0111001000100000000.Show
Exit Sub
ElseIf o0000001000001001001 = o1101100101110001101(o0010000010001011011) Then
Else
MsgBox resicplphrou("4c6973616e7320616e6168746172fd206465f069fe746972696c6d69fe207665796120626f7a756c6d75fe206f6c6162696c69722e20446ff07275206c6973616e7320616e6168746172fd6efd7afd2074656b726172206769726d656e697a20676572656b6d656b74656469722e"), vbCritical, resicplphrou("4c6973616e7320416e6168746172fd21")
o0111001000100000000.Show
Exit Sub
End If
If Application.Workbooks.Count = 0 Then
Call o1000111110111110110
Exit Sub
End If
On Error Resume Next
Set o0011101111000101000 = Application.InputBox(resicplphrou("4bfd72fd6cfd6d2069e76572656e206b6f6c6f6e75207365e7696e697a"), resicplphrou("4b6f6c6f6e205365e7"), "", 50, 50, Type:=8)
On Error GoTo 0
On Error Resume Next
If o0011101111000101000 Is Nothing Then
MsgBox (resicplphrou("4b6f6c6f6e205365e76d6564696e697a21"))
Exit Sub
End If
If Application.CountA(o0011101111000101000) = 0 Then
MsgBox resicplphrou("5365e7696c656e204b6f6c6f6e20426ffe21")
Exit Sub
End If
o0011101111000101000.SpecialCells(xlCellTypeBlanks).EntireRow.Delete
Call o0000111001010001100
o0000111110100100111 = o0011101111000101000.Column
o1111001011000011011 = o0000111110100100111 - 1
o1011110101010111010 = Split(Cells(1, o0000111110100100111).Address, resicplphrou("24"))(1)
Columns(resicplphrou("41")).EntireColumn.Insert
Columns(resicplphrou("41")).HorizontalAlignment = xlCenter
Range(resicplphrou("4131")).Value = resicplphrou("574253204c6576656c")
Columns(resicplphrou("41")).Columns.AutoFit
o0000111110100100111 = o0011101111000101000.Column
o1111001011000011011 = o0000111110100100111 - 1
o1011110101010111010 = Split(Cells(1, o0000111110100100111).Address, resicplphrou("24"))(1)
o1111001100010111010 = Split(Cells(1, o1111001011000011011).Address, resicplphrou("24"))(1)
o1001101001100011100 = ActiveSheet.Range(o1011110101010111010 & Rows.Count).End(xlUp).Row
o1001001000011111110 = ActiveSheet.Cells(1, Columns.Count).End(xlToLeft).Column
o1011000010011101100 = Split(Cells(1, o1001001000011111110).Address, resicplphrou("24"))(1)
counteven = 0
Dim o1000100010110110110 As Integer
For i = 2 To o1001101001100011100
o1100000100010100001 = ActiveSheet.Cells(i, o0000111110100100111).Value
o1000100010110110110 = (Application.WorksheetFunction.Find(Left(Trim(o1100000100010100001), 1), o1100000100010100001) - 1) Mod 2
If (Application.WorksheetFunction.Find(Left(Trim(o1100000100010100001), 1), o1100000100010100001) - 1) Mod 2 = 0 Then
counteven = counteven + 1
ElseIf (Application.WorksheetFunction.Find(Left(Trim(o1100000100010100001), 1), o1100000100010100001) - 1) Mod 2 = 1 Then
countodd = countodd + o1000100010110110110
End If
Next i
If counteven > countodd Then
For i = 2 To o1001101001100011100
Dim o0011011010001011101 As Long
o1100000100010100001 = ActiveSheet.Cells(i, o0000111110100100111).Value
ActiveSheet.Cells(i, 1).Value = (Application.WorksheetFunction.Find(Left(Trim(o1100000100010100001), 1), o1100000100010100001) - 1) / 2
If (ActiveSheet.Cells(i, 1).Value) <> Int(ActiveSheet.Cells(i, 1).Value) Then
ActiveSheet.Columns(1).Delete
MsgBox o1111001100010111010 & i & resicplphrou("2068fc63726573696e6465206b61796d61207661722e20dd6c67696c692068fc6372656e696e20626ffe6c756b20736179fd73fd6efd206b6f6e74726f6c206564696e697a2e20") & vbCrLf & resicplphrou("42656e7a657220574253207665796120616b74697669746520696c652061796efd2068697a616461206f6c6475f0756e64616e20656d696e206f6c756e757a21"), vbOKOnly + vbCritical, resicplphrou("4861746121")
Exit Sub
End If
Next i
ElseIf counteven < countodd Then
For i = 2 To o1001101001100011100
o1100000100010100001 = ActiveSheet.Cells(i, o0000111110100100111).Value
ActiveSheet.Cells(i, 1).Value = (Application.WorksheetFunction.Find(Left(Trim(o1100000100010100001), 1), o1100000100010100001) - 1) / 3
If (ActiveSheet.Cells(i, 1).Value) <> Int(ActiveSheet.Cells(i, 1).Value) Then
ActiveSheet.Columns(1).Delete
MsgBox o1111001100010111010 & i & resicplphrou("2068fc63726573696e6465206b61796d61207661722e20dd6c67696c692068fc6372656e696e20626ffe6c756b20736179fd73fd6efd206b6f6e74726f6c206564696e697a2e20") & vbCrLf & resicplphrou("42656e7a657220574253207665796120616b74697669746520696c652061796efd2068697a616461206f6c6475f0756e64616e20656d696e206f6c756e757a21"), vbOKOnly + vbCritical, resicplphrou("4861746121")
Exit Sub
End If
Next i
End If
For i = 2 To o1001101001100011100
o1110001001110001001 = Application.WorksheetFunction.Max(ActiveSheet.Range(resicplphrou("41313a41") & o1001101001100011100))
Set o0011001010101001100 = Range(resicplphrou("41") & i)
Set o1011010101100011110 = Range(resicplphrou("41") & i & resicplphrou("3a") & o1011000010011101100 & i)
If o0011001010101001100.Value = o1110001001110001001 Then
o1011010101100011110.Interior.ColorIndex = 2
ElseIf o0011001010101001100.Value = 0 Then
o1011010101100011110.Interior.Color = RGB(0, 0, 255)
o1011010101100011110.Font.Color = vbYellow
o1011010101100011110.Font.Bold = True
ElseIf o0011001010101001100.Value = 1 Then
o1011010101100011110.Interior.Color = RGB(128, 255, 128)
o1011010101100011110.Font.Color = vbBlack
ElseIf o0011001010101001100.Value = 2 Then
o1011010101100011110.Interior.Color = RGB(255, 255, 0)
o1011010101100011110.Font.Color = vbBlue
ElseIf o0011001010101001100.Value = 3 Then
o1011010101100011110.Interior.Color = RGB(0, 0, 255)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 4 Then
o1011010101100011110.Interior.Color = RGB(255, 0, 0)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 5 Then
o1011010101100011110.Interior.Color = RGB(128, 255, 255)
o1011010101100011110.Font.Color = vbBlack
ElseIf o0011001010101001100.Value = 6 Then
o1011010101100011110.Interior.Color = RGB(255, 128, 255)
o1011010101100011110.Font.Color = vbBlack
ElseIf o0011001010101001100.Value = 7 Then
o1011010101100011110.Interior.Color = RGB(255, 255, 128)
o1011010101100011110.Font.Color = vbBlack
ElseIf o0011001010101001100.Value = 8 Then
o1011010101100011110.Interior.Color = RGB(0, 0, 0)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 9 Then
o1011010101100011110.Interior.Color = RGB(192, 192, 192)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 10 Then
o1011010101100011110.Interior.Color = RGB(0, 128, 0)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 11 Then
o1011010101100011110.Interior.Color = RGB(0, 0, 160)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 12 Then
o1011010101100011110.Interior.Color = RGB(128, 64, 0)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 13 Then
o1011010101100011110.Interior.Color = RGB(128, 0, 128)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 14 Then
o1011010101100011110.Interior.Color = RGB(255, 128, 64)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 15 Then
o1011010101100011110.Interior.Color = RGB(128, 128, 192)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 16 Then
o1011010101100011110.Interior.Color = RGB(128, 128, 64)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 17 Then
o1011010101100011110.Interior.Color = RGB(128, 128, 128)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 18 Then
o1011010101100011110.Interior.Color = RGB(64, 128, 192)
o1011010101100011110.Font.Color = vbWhite
ElseIf o0011001010101001100.Value = 19 Then
o1011010101100011110.Interior.Color = RGB(128, 128, 192)
o1011010101100011110.Font.Color = vbWhite
End If
Next i
Cells.ClearOutline
Range(resicplphrou("4131") & resicplphrou("3a") & o1011000010011101100 & resicplphrou("31")).Interior.Color = RGB(240, 240, 240)
Rows(1).RowHeight = 30
Rows(1).VerticalAlignment = xlCenter
Rows(1).HorizontalAlignment = xlCenter
Dim cell As Range
Set o0000001110101010101 = Range(resicplphrou("41") & 2)
Set o1001000000100111111 = o0000001110101010101.End(xlDown)
Set o0101000110111101111 = Range(o0000001110101010101, o1001000000100111111)
For Each cell In o0101000110111101111
Dim o0010010000111100111 As Integer
o0010010000111100111 = 1
Do While cell.Offset(o0010010000111100111) > cell And cell.Offset(o0010010000111100111).Row <= o1001000000100111111.Row
o0010010000111100111 = o0010010000111100111 + 1
Loop
If o0010010000111100111 > 1 Then
Range(cell.Offset(1), cell.Offset(o0010010000111100111 - 1)).EntireRow.Group
End If
Next cell
o1010101100011101001.Show
Application.ScreenUpdating = False
End Sub
Public Sub o1111111110000010011(ByRef control As Office.IRibbonControl)
If Application.Workbooks.Count = 0 Then
Call o1000111110111110110
Exit Sub
End If
If Range(resicplphrou("4231")).Interior.ColorIndex <> xlNone Then
ActiveSheet.Cells.ClearFormats
ActiveSheet.Rows.UseStandardHeight = True
ActiveSheet.Cells.ClearOutline
If Range(resicplphrou("6131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
End If
Else
MsgBox resicplphrou("4765726920616cfd6e6163616b2068657268616e6769206269722069fe6c656d20796f6b2e")
End If
If Range(resicplphrou("4131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
Else
End If
End Sub
Attribute VB_Name = "o1010101100011101001"
Attribute VB_Base = "0{1BF00633-B3D4-484A-A45B-FF8E9D343BD8}{95AB26B2-92C4-450B-93ED-49E44A61A80B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub o1100010000011100110_Click()
Unload o1010101100011101001
End Sub
Private Sub o0100111101100010110_Click()
If Range(resicplphrou("4231")).Interior.ColorIndex <> xlNone Then
ActiveSheet.Cells.ClearFormats
ActiveSheet.Rows.UseStandardHeight = True
ActiveSheet.Cells.ClearOutline
If Range(resicplphrou("6131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
End If
Else
MsgBox resicplphrou("4765726920616cfd6e6163616b2068657268616e6769206269722069fe6c656d20796f6b2e")
End If
If Range(resicplphrou("4131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
Else
End If
End Sub
Private Sub o1101111010100110011_Click()
End Sub
Private Sub Label5_Click()
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("68747470733a2f2f7777772e6c696e6b6564696e2e636f6d2f696e2f67676563696369"), NewWindow:=True
Unload Me
End Sub
Private Sub o0111101010100101011_Click()
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("6d61696c746f3a6775726b616e67656369636940676d61696c2e636f6d"), NewWindow:=True
Unload Me
End Sub
Private Sub Label8_Click()
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("687474703a2f2f706c616e6c616d616d7568656e646973692e636f6d"), NewWindow:=True
Unload Me
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "o0111001000100000000"
Attribute VB_Base = "0{B73802F4-C969-46CA-AD58-E7332843C15A}{59434B0C-581D-4C56-AC0E-C2483638AFE9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub o0101010100001110001_Click()
Call o0001110001011110110
End Sub
Private Sub o1000110100110010100_Click()
Dim o0110111100011001110 As New DataObject
Dim o1011001101100100001 As String
o1011001101100100001 = o0110111011110110111.text
o0110111100011001110.SetText o1011001101100100001
o0110111100011001110.PutInClipboard
MsgBox resicplphrou("5043204944204b6f7079616c616e64fd21"), vbInformation
End Sub
Private Sub o1101111010100110011_Click()
End Sub
Private Sub o0110111011110110111_Change()
End Sub
Private Sub UserForm_Initialize()
Dim o1100111101010110100 As String
Dim o1100011110101001000 As String
Dim o0001010000010001101 As String
o1100111101010110100 = o1000001110010010110()
o1100011110101001000 = o0100110001000110111()
o0001010000010001101 = Trim(Left(o1100011110101001000, 2) & Mid(o1100111101010110100, 2) & Left(o1100011110101001000, 3) & Left(o1100111101010110100, 2) & Right(o1100111101010110100, 3) & Mid(o1100011110101001000, 3))
o0110111011110110111.text = o0001010000010001101
End Sub
Private Sub o1011101011001011100_Change()
If o1011101011001011100.Value = "" Then
o1100010000011100110.Enabled = False
Else
o1100010000011100110.Enabled = True
End If
End Sub
Public Sub o1100010000011100110_Click()
Dim o1110001010001100111 As String
Dim o1100111101010110100 As String
Dim o0001010000010001101 As String
Dim o0111000001000110011 As String
Dim o0000001000001001001 As String
Dim o1011001001101101100 As String
Dim o1100011110101001000 As String
Dim o0111111001010001101 As String
Dim i As Integer
Dim o0010000010001011011 As String
Dim o0011010011101111100 As String
Dim o0010000101110100000 As Integer
o1100111101010110100 = o1000001110010010110()
o1100011110101001000 = o0100110001000110111()
o0111111001010001101 = Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Left(o1100111101010110100, 4) & Left(o1100011110101001000, 4)
o0001010000010001101 = Trim(Left(o1100011110101001000, 2) & Mid(o1100111101010110100, 2) & Left(o1100011110101001000, 3) & Left(o1100111101010110100, 2) & Right(o1100111101010110100, 3) & (Mid(o1100011110101001000, 3)))
o0010000010001011011 = resicplphrou("484b45595f43555252454e545f555345525c534f4654574152455c57425352656e6b6c656e6469725c57425352656e6b6c656e646972")
For i = 2 To Len(o0001010000010001101)
o0111000001000110011 = o0001010000010001101 & Hex((Asc(Mid(o0001010000010001101, i, 1))))
Next
o1011001001101101100 = StrReverse(o1101111111000011100(StrReverse(o0000001100000100101(o0001010000010001101))))
o0000001000001001001 = Left(Trim(o1011001001101101100), 5) & resicplphrou("2d") & Mid(o1011001001101101100, 12, 5) & resicplphrou("2d") & Mid(o1011001001101101100, 19, 5) & resicplphrou("2d") & Mid(o1011001001101101100, 31, 5) & resicplphrou("2d") & Right(o1011001001101101100, 5)
o0011010011101111100 = o0000001000001001001
If o1011101011001011100.text = o0000001000001001001 Then
o1111100101010100100 o0010000010001011011, o0011010011101111100
MsgBox resicplphrou("4c6973616e73fd6efd7a206261fe6172fd796c6120616b746966206564696c64692e"), vbOKOnly + vbInformation, resicplphrou("4c6973616e73204261fe6172fd6cfd21")
Unload Me
Else
MsgBox resicplphrou("4c6973616e73206b6f64756e757a20686174616cfd21"), vbOKOnly + vbCritical, resicplphrou("4861746121")
End If
End Sub
Attribute VB_Name = "o1011001111100000010"
Public Function o1101111111000011100(ByVal s As String) As String
Dim o0100001010111110100 As Object, o1100111100010010100 As Object
Dim o1000000000011001101() As Byte, i As Integer
Set o0100001010111110100 = CreateObject("System.Text.UTF8Encoding")
Set o1100111100010010100 = CreateObject("System.Security.Cryptography.SHA1CryptoServiceProvider")
o1000000000011001101 = o1100111100010010100.ComputeHash_2(o0100001010111110100.GetBytes_4(s))
o1101111111000011100 = ""
For i = LBound(o1000000000011001101) To UBound(o1000000000011001101)
o1101111111000011100 = o1101111111000011100 & Hex(o1000000000011001101(i) \ 16) & Hex(o1000000000011001101(i) Mod 16)
Next
End Function
Function o1101100101110001101(o0011001010000010011 As String) As String
Dim o1001001000000001001 As Object
On Error Resume Next
Set o1001001000000001001 = CreateObject("WScript.Shell")
o1101100101110001101 = o1001001000000001001.RegRead(o0011001010000010011)
End Function
Function o1011011010010111111(o0011001010000010011 As String) As Boolean
Dim o1001001000000001001 As Object
On Error GoTo ErrorHandler
Set o1001001000000001001 = CreateObject("WScript.Shell")
o1001001000000001001.RegRead o0011001010000010011
o1011011010010111111 = True
Exit Function
ErrorHandler:
o1011011010010111111 = False
End Function
Sub o1111100101010100100(o0011001010000010011 As String, o1001110000110001101 As String, Optional o1111100111010110011 As String = "REG_SZ")
Dim o1001001000000001001 As Object
Set o1001001000000001001 = CreateObject("WScript.Shell")
o1001001000000001001.RegWrite o0011001010000010011, o1001110000110001101, o1111100111010110011
End Sub
Function o0111101000001111001(o0011001010000010011 As String) As Boolean
Dim o1001001000000001001 As Object
On Error GoTo ErrorHandler
Set o1001001000000001001 = CreateObject("WScript.Shell")
o1001001000000001001.RegDelete o0011001010000010011
o0111101000001111001 = True
Exit Function
ErrorHandler:
o0111101000001111001 = False
End Function
Public Function o1000001110010010110() As String
Dim o0011100100000110101 As Object
Dim o0110111100011001110 As Object
Dim o0011111110010101001 As Object
Dim o1110111010110010101 As String
Set o0011111110010101001 = GetObject("WinMgmts:")
Set o0011100100000110101 = o0011111110010101001.InstancesOf("Win32_BaseBoard")
For Each o0110111100011001110 In o0011100100000110101
o1110111010110010101 = o1110111010110010101 & o0110111100011001110.SerialNumber
If o1110111010110010101 < o0011100100000110101.Count Then o1110111010110010101 = o1110111010110010101 & ","
Next
o1000001110010010110 = o1110111010110010101
End Function
Function o0000001100000100101(text$)
Dim b
With CreateObject("ADODB.Stream")
.Open: .Type = 2: .Charset = "utf-8"
.WriteText text: .Position = 0: .Type = 1: b = .Read
With CreateObject("Microsoft.XMLDOM").createElement("o1000000100010100110")
.DataType = "bin.base64": .nodeTypedValue = b
o0000001100000100101 = Replace(Mid(.text, 5), vbLf, "")
End With
.Close
End With
End Function
Function o1110010101111110111(o1000000100010100110$)
Dim b
With CreateObject("Microsoft.XMLDOM").createElement("o1000000100010100110")
.DataType = "bin.base64": .text = o1000000100010100110
b = .nodeTypedValue
With CreateObject("ADODB.Stream")
.Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
o1110010101111110111 = .ReadText
.Close
End With
End With
End Function
Function o0100110001000110111() As String
Dim o1001011100100100010 As String
Dim o0011111110010101001 As Variant
Dim o1110000000100001011 As Variant
Dim o1100011110101001000 As Variant
Dim o0000010110111110100 As String
o1001011100100100010 = "."
Set o0011111110010101001 = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & o1001011100100100010 & "\root\cimv2")
Set o1110000000100001011 = o0011111110010101001.ExecQuery("Select * from " & "Win32_Processor")
For Each o1100011110101001000 In o1110000000100001011
o0000010110111110100 = o0000010110111110100 & ", " & o1100011110101001000.ProcessorId
Next o1100011110101001000
If Len(o0000010110111110100) > 0 Then o0000010110111110100 = Mid$(o0000010110111110100, 3)
o0100110001000110111 = o0000010110111110100
End Function
Public Function resicplphrou(ByVal xqbrracgzypu As String) As String
Dim htbqcxngxkgq As Long
For htbqcxngxkgq = 1 To Len(xqbrracgzypu) Step 2
resicplphrou = resicplphrou & Chr$(Val("&H" & Mid$(xqbrracgzypu, htbqcxngxkgq, 2)))
Next htbqcxngxkgq
End Function
Attribute VB_Name = "o0011000110101101101"
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Attribute VB_Name = "Module3"
Attribute VB_Name = "Module4"
Attribute VB_Name = "Module5"
Attribute VB_Name = "DPB"
Attribute VB_Base = "0{A9252DAF-E6E4-46AA-864D-7C46DE174235}{F93BDBFA-0431-4774-ABFA-ACC2CD0FF850}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 93184 bytes | 7866aab45f0d6eb33424caf6f18ac94de846e0b908d26344b351f63bd7d39bdc | No threats found | likely; carved artifact contains 6 long base64-like blob(s) |
| vbaProject_01.bin | vba-project | OOXML VBA project: xl/printerSettings.bin | 94739 bytes | c2f92f55ecd86442266945af23b219216a4290423353daac976dc4209ef23dd3 | No threats found | likely; carved artifact contains 6 long base64-like blob(s) |