Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 aa95134513c6e68b…

MALICIOUS

Office (OOXML)

60.2 KB Created: 2020-08-25 13:34:43 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-01-23
MD5: ecda9a9ef58f35e7d4267ae2cab60b64 SHA-1: 04cca421c2765bcfbc363a60424d6120a7ddf5ca SHA-256: aa95134513c6e68b425dcbcac672f5a3778dc1f8c2e59b80cd758eaa7eb737d9
212 Risk Score

Heuristics 8

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/printerSettings.bin)
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set o0100001001001011101 = CreateObject("WScript.Shell")
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set o0001010100000011000 = CreateObject("System.Text.UTF8Encoding")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set o1000100010100000010 = GetObject("WinMgmts:")
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    o1110001011100111111 = Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Left(o0001111111111000010, 4) & Left(o0101111110001111010, 4)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://planlamamuhendisi.com In document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 24283 bytes
SHA-256: b294c14befd1769827bc3500ce8c77bef153a34085ab451f7d40744e32ed31ad
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sayfa1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "o0000100100001101011"
Sub o1010100000111100010()
Application.ScreenUpdating = False
If Not ActiveWorkbook Is Nothing Then
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("687474703a2f2f7777772e706c616e6c616d616d7568656e646973692e636f6d2f6c6973616e732e68746d6c"), NewWindow:=True
Else
Workbooks.Add
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("687474703a2f2f7777772e706c616e6c616d616d7568656e646973692e636f6d2f6c6973616e732e68746d6c"), NewWindow:=True
Workbooks.Close
End If
End Sub
Sub o0011000100110011010()
MsgBox resicplphrou("4cfc7466656e2062697220646f7379612061e7fd6efd7a21")
End Sub
Sub o0111101010011011011()
Dim C As Integer
C = ActiveSheet.Cells.SpecialCells(xlLastCell).Column
Do Until C = 0
If WorksheetFunction.CountA(Columns(C)) = 0 Then
Columns(C).Delete
End If
C = C - 1
Loop
End Sub
Public Sub o1101000000000000111(ByRef control As Office.IRibbonControl)
Dim i           As Long, o0000111001101110001 As Range, o1010110000111000000 As Range
Dim o1000101000010000000          As Range
Dim o1100110010000110011   As Range
Dim o1000101100101011001   As Range
Dim o0110111010111001010     As Range
Dim o0000000101001100011       As String
Dim o1000110000111001001     As Long
Dim o1100110000100010000     As Long
Dim k           As Integer
Dim X           As Integer
Dim o0110001010110101101      As Integer
Dim o0001011000001101011     As Integer
Dim o0010100111111000000      As Integer
Dim o0110000010001001110    As String
Dim o0010011110011010010    As String
Dim o1100101110110010010   As String
Dim o0110111010110001100      As Range
Dim o0111111011101010101         As String
Dim o0001111111111000010      As String
Dim o1110000011101111111   As String
Dim o1110011110100000110  As String
Dim o1101101000100111111       As String
Dim o0101111110001111010         As String
Dim o1110001011100111111  As String
Dim o1111000001011101101    As String
Dim o1010101111000001001     As String
Dim o1010011001011001110    As Integer
o0001111111111000010 = o0011110001000010000()
o0101111110001111010 = o1111100110100110110()
o1110001011100111111 = Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Left(o0001111111111000010, 4) & Left(o0101111110001111010, 4)
o1110000011101111111 = Trim(Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & resicplphrou("2d") & Mid(o0001111111111000010, 2) & Left(o0101111110001111010, 3) & Right(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Right(o0001111111111000010, 3) & (Mid(o0101111110001111010, 3)))
o1111000001011101101 = resicplphrou("484b45595f43555252454e545f555345525c534f4654574152455c57425352656e6b6c656e6469725c57425352656e6b6c656e646972")
o1110111111110011011 = StrReverse(o1111011001110011011(StrReverse(Left(o0101101010011110010(o1110000011101111111), (InStr(o0101101010011110010(o1110000011101111111), resicplphrou("3d")) - 1)))))
o1101101000100111111 = Left(Trim(o1110111111110011011), 5) & resicplphrou("2d") & Mid(o1110111111110011011, 12, 5) & resicplphrou("2d") & Mid(o1110111111110011011, 19, 5) & resicplphrou("2d") & Mid(o1110111111110011011, 31, 5) & resicplphrou("2d") & Right(o1110111111110011011, 5)
If o1001110101110101001(o1111000001011101101) = "" Then
MsgBox resicplphrou("456b6c656e74697969206b756c6c616e6162696c6d656e697a2069e7696e206c6973616e7320616e6168746172fd206769726d656e697a20676572656b6d656b74656469722e"), vbInformation, resicplphrou("4c6973616e7320416e6168746172fd21")
o0101110110011001000.Show
Exit Sub
ElseIf o1101101000100111111 = o1001110101110101001(o1111000001011101101) Then
Else
MsgBox resicplphrou("4c6973616e7320616e6168746172fd206465f069fe746972696c6d69fe207665796120626f7a756c6d75fe206f6c6162696c69722e20446ff07275206c6973616e7320616e6168746172fd6efd7afd2074656b726172206769726d656e697a20676572656b6d656b74656469722e"), vbCritical, resicplphrou("4c6973616e7320416e6168746172fd21")
o0101110110011001000.Show
Exit Sub
End If
If Application.Workbooks.Count = 0 Then
Call o0011000100110011010
Exit Sub
End If
On Error Resume Next
Set o0110111010110001100 = Application.InputBox(resicplphrou("4bfd72fd6cfd6d2069e76572656e206b6f6c6f6e75207365e7696e697a"), resicplphrou("4b6f6c6f6e205365e7"), "", 50, 50, Type:=8)
On Error GoTo 0
On Error Resume Next
If o0110111010110001100 Is Nothing Then
MsgBox (resicplphrou("4b6f6c6f6e205365e76d6564696e697a21"))
Exit Sub
End If
If Application.CountA(o0110111010110001100) = 0 Then
MsgBox resicplphrou("5365e7696c656e204b6f6c6f6e20426ffe21")
Exit Sub
End If
o0110111010110001100.SpecialCells(xlCellTypeBlanks).EntireRow.Delete
Call o0111101010011011011
o0110001010110101101 = o0110111010110001100.Column
o0001011000001101011 = o0110001010110101101 - 1
o0110000010001001110 = Split(Cells(1, o0110001010110101101).Address, resicplphrou("24"))(1)
Columns(resicplphrou("41")).EntireColumn.Insert
Columns(resicplphrou("41")).HorizontalAlignment = xlCenter
Range(resicplphrou("4131")).Value = resicplphrou("574253204c6576656c")
Columns(resicplphrou("41")).Columns.AutoFit
o0110001010110101101 = o0110111010110001100.Column
o0001011000001101011 = o0110001010110101101 - 1
o0110000010001001110 = Split(Cells(1, o0110001010110101101).Address, resicplphrou("24"))(1)
o1100101110110010010 = Split(Cells(1, o0001011000001101011).Address, resicplphrou("24"))(1)
o1000110000111001001 = ActiveSheet.Range(o0110000010001001110 & Rows.Count).End(xlUp).Row
o1100110000100010000 = ActiveSheet.Cells(1, Columns.Count).End(xlToLeft).Column
o0010011110011010010 = Split(Cells(1, o1100110000100010000).Address, resicplphrou("24"))(1)
counteven = 0
Dim o0001001110011011011 As Integer
For i = 2 To o1000110000111001001
o0000000101001100011 = ActiveSheet.Cells(i, o0110001010110101101).Value
o0001001110011011011 = (Application.WorksheetFunction.Find(Left(Trim(o0000000101001100011), 1), o0000000101001100011) - 1) Mod 2
If (Application.WorksheetFunction.Find(Left(Trim(o0000000101001100011), 1), o0000000101001100011) - 1) Mod 2 = 0 Then
counteven = counteven + 1
ElseIf (Application.WorksheetFunction.Find(Left(Trim(o0000000101001100011), 1), o0000000101001100011) - 1) Mod 2 = 1 Then
countodd = countodd + o0001001110011011011
End If
Next i
If counteven > countodd Then
For i = 2 To o1000110000111001001
Dim o1010100110100000010 As Long
o0000000101001100011 = ActiveSheet.Cells(i, o0110001010110101101).Value
ActiveSheet.Cells(i, 1).Value = (Application.WorksheetFunction.Find(Left(Trim(o0000000101001100011), 1), o0000000101001100011) - 1) / 2
If (ActiveSheet.Cells(i, 1).Value) <> Int(ActiveSheet.Cells(i, 1).Value) Then
ActiveSheet.Columns(1).Delete
MsgBox o1100101110110010010 & i & resicplphrou("2068fc63726573696e6465206b61796d61207661722e20dd6c67696c692068fc6372656e696e20626ffe6c756b20736179fd73fd6efd206b6f6e74726f6c206564696e697a2e20") & vbCrLf & resicplphrou("42656e7a657220574253207665796120616b74697669746520696c652061796efd2068697a616461206f6c6475f0756e64616e20656d696e206f6c756e757a21"), vbOKOnly + vbCritical, resicplphrou("4861746121")
Exit Sub
End If
Next i
ElseIf counteven < countodd Then
For i = 2 To o1000110000111001001
o0000000101001100011 = ActiveSheet.Cells(i, o0110001010110101101).Value
ActiveSheet.Cells(i, 1).Value = (Application.WorksheetFunction.Find(Left(Trim(o0000000101001100011), 1), o0000000101001100011) - 1) / 3
If (ActiveSheet.Cells(i, 1).Value) <> Int(ActiveSheet.Cells(i, 1).Value) Then
ActiveSheet.Columns(1).Delete
MsgBox o1100101110110010010 & i & resicplphrou("2068fc63726573696e6465206b61796d61207661722e20dd6c67696c692068fc6372656e696e20626ffe6c756b20736179fd73fd6efd206b6f6e74726f6c206564696e697a2e20") & vbCrLf & resicplphrou("42656e7a657220574253207665796120616b74697669746520696c652061796efd2068697a616461206f6c6475f0756e64616e20656d696e206f6c756e757a21"), vbOKOnly + vbCritical, resicplphrou("4861746121")
Exit Sub
End If
Next i
End If
For i = 2 To o1000110000111001001
o0010100111111000000 = Application.WorksheetFunction.Max(ActiveSheet.Range(resicplphrou("41313a41") & o1000110000111001001))
Set o0000111001101110001 = Range(resicplphrou("41") & i)
Set o1010110000111000000 = Range(resicplphrou("41") & i & resicplphrou("3a") & o0010011110011010010 & i)
If o0000111001101110001.Value = o0010100111111000000 Then
o1010110000111000000.Interior.ColorIndex = 2
ElseIf o0000111001101110001.Value = 0 Then
o1010110000111000000.Interior.Color = RGB(0, 0, 255)
o1010110000111000000.Font.Color = vbYellow
o1010110000111000000.Font.Bold = True
ElseIf o0000111001101110001.Value = 1 Then
o1010110000111000000.Interior.Color = RGB(128, 255, 128)
o1010110000111000000.Font.Color = vbBlack
ElseIf o0000111001101110001.Value = 2 Then
o1010110000111000000.Interior.Color = RGB(255, 255, 0)
o1010110000111000000.Font.Color = vbBlue
ElseIf o0000111001101110001.Value = 3 Then
o1010110000111000000.Interior.Color = RGB(0, 0, 255)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 4 Then
o1010110000111000000.Interior.Color = RGB(255, 0, 0)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 5 Then
o1010110000111000000.Interior.Color = RGB(128, 255, 255)
o1010110000111000000.Font.Color = vbBlack
ElseIf o0000111001101110001.Value = 6 Then
o1010110000111000000.Interior.Color = RGB(255, 128, 255)
o1010110000111000000.Font.Color = vbBlack
ElseIf o0000111001101110001.Value = 7 Then
o1010110000111000000.Interior.Color = RGB(255, 255, 128)
o1010110000111000000.Font.Color = vbBlack
ElseIf o0000111001101110001.Value = 8 Then
o1010110000111000000.Interior.Color = RGB(0, 0, 0)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 9 Then
o1010110000111000000.Interior.Color = RGB(192, 192, 192)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 10 Then
o1010110000111000000.Interior.Color = RGB(0, 128, 0)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 11 Then
o1010110000111000000.Interior.Color = RGB(0, 0, 160)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 12 Then
o1010110000111000000.Interior.Color = RGB(128, 64, 0)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 13 Then
o1010110000111000000.Interior.Color = RGB(128, 0, 128)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 14 Then
o1010110000111000000.Interior.Color = RGB(255, 128, 64)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 15 Then
o1010110000111000000.Interior.Color = RGB(128, 128, 192)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 16 Then
o1010110000111000000.Interior.Color = RGB(128, 128, 64)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 17 Then
o1010110000111000000.Interior.Color = RGB(128, 128, 128)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 18 Then
o1010110000111000000.Interior.Color = RGB(64, 128, 192)
o1010110000111000000.Font.Color = vbWhite
ElseIf o0000111001101110001.Value = 19 Then
o1010110000111000000.Interior.Color = RGB(128, 128, 192)
o1010110000111000000.Font.Color = vbWhite
End If
Next i
Cells.ClearOutline
Range(resicplphrou("4131") & resicplphrou("3a") & o0010011110011010010 & resicplphrou("31")).Interior.Color = RGB(240, 240, 240)
Rows(1).RowHeight = 30
Rows(1).VerticalAlignment = xlCenter
Rows(1).HorizontalAlignment = xlCenter
Dim cell        As Range
Set o1000101100101011001 = Range(resicplphrou("41") & 2)
Set o0110111010111001010 = o1000101100101011001.End(xlDown)
Set o1100110010000110011 = Range(o1000101100101011001, o0110111010111001010)
For Each cell In o1100110010000110011
Dim o1111101100110001000 As Integer
o1111101100110001000 = 1
Do While cell.Offset(o1111101100110001000) > cell And cell.Offset(o1111101100110001000).Row <= o0110111010111001010.Row
o1111101100110001000 = o1111101100110001000 + 1
Loop
If o1111101100110001000 > 1 Then
Range(cell.Offset(1), cell.Offset(o1111101100110001000 - 1)).EntireRow.Group
End If
Next cell
o1010011111011100111.Show
Application.ScreenUpdating = False
End Sub
Public Sub o1110110011000011111(ByRef control As Office.IRibbonControl)
If Application.Workbooks.Count = 0 Then
Call o0011000100110011010
Exit Sub
End If
If Range(resicplphrou("4231")).Interior.ColorIndex <> xlNone Then
ActiveSheet.Cells.ClearFormats
ActiveSheet.Rows.UseStandardHeight = True
ActiveSheet.Cells.ClearOutline
If Range(resicplphrou("6131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
End If
Else
MsgBox resicplphrou("4765726920616cfd6e6163616b2068657268616e6769206269722069fe6c656d20796f6b2e")
End If
If Range(resicplphrou("4131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
Else
End If
End Sub

Attribute VB_Name = "o1010011111011100111"
Attribute VB_Base = "0{BCC6F009-0B58-44C8-ACB9-BF9D12AF8966}{F363B2F8-B27C-4FC3-A81F-385C24A20CE7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub o0111000001110010000_Click()
Unload o1010011111011100111
End Sub
Private Sub o0101100000111100010_Click()
If Range(resicplphrou("4231")).Interior.ColorIndex <> xlNone Then
ActiveSheet.Cells.ClearFormats
ActiveSheet.Rows.UseStandardHeight = True
ActiveSheet.Cells.ClearOutline
If Range(resicplphrou("6131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
End If
Else
MsgBox resicplphrou("4765726920616cfd6e6163616b2068657268616e6769206269722069fe6c656d20796f6b2e")
End If
If Range(resicplphrou("4131")) = resicplphrou("574253204c6576656c") Then
Columns(resicplphrou("41")).Columns.Delete
Else
End If
End Sub
Private Sub o0000110110011001010_Click()
End Sub
Private Sub Label5_Click()
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("68747470733a2f2f7777772e6c696e6b6564696e2e636f6d2f696e2f67676563696369"), NewWindow:=True
Unload Me
End Sub
Private Sub o1110011100010110100_Click()
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("6d61696c746f3a6775726b616e67656369636940676d61696c2e636f6d"), NewWindow:=True
Unload Me
End Sub
Private Sub Label8_Click()
ActiveWorkbook.FollowHyperlink Address:=resicplphrou("687474703a2f2f706c616e6c616d616d7568656e646973692e636f6d"), NewWindow:=True
Unload Me
End Sub
Private Sub UserForm_Click()
End Sub

Attribute VB_Name = "o0101110110011001000"
Attribute VB_Base = "0{99768C14-7B58-4F96-9872-81D6AC1CC9AD}{850332A7-A548-4B79-9CD6-64F5E8578955}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub o1011011010100000010_Click()
Call o1010100000111100010
End Sub
Private Sub o0100000111000101000_Click()
Dim o1010000000010100111 As New DataObject
Dim o0000100001101000110 As String
o0000100001101000110 = o0010101110111010011.text
o1010000000010100111.SetText o0000100001101000110
o1010000000010100111.PutInClipboard
MsgBox resicplphrou("5043204944204b6f7079616c616e64fd21"), vbInformation
End Sub
Private Sub o0000110110011001010_Click()
End Sub
Private Sub o0010101110111010011_Change()
End Sub
Private Sub UserForm_Initialize()
Dim o0001111111111000010 As String
Dim o0101111110001111010 As String
Dim o1110000011101111111 As String
o0001111111111000010 = o0011110001000010000()
o0101111110001111010 = o1111100110100110110()
o1110000011101111111 = Trim(Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & resicplphrou("2d") & Mid(o0001111111111000010, 2) & Left(o0101111110001111010, 3) & Right(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Right(o0001111111111000010, 3) & (Mid(o0101111110001111010, 3)))
o0010101110111010011.text = o1110000011101111111
End Sub
Private Sub o0111011111000100111_Change()
If o0111011111000100111.Value = "" Then
o0111000001110010000.Enabled = False
Else
o0111000001110010000.Enabled = True
End If
End Sub
Public Sub o0111000001110010000_Click()
Dim o0111111011101010101 As String
Dim o0001111111111000010 As String
Dim o1110000011101111111 As String
Dim o1110011110100000110 As String
Dim o1101101000100111111 As String
Dim o1110111111110011011 As String
Dim o0101111110001111010 As String
Dim o1110001011100111111 As String
Dim i As Integer
Dim o1111000001011101101 As String
Dim o1010101111000001001 As String
Dim o1010011001011001110 As Integer
o0001111111111000010 = o0011110001000010000()
o0101111110001111010 = o1111100110100110110()
o1110001011100111111 = Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Left(o0001111111111000010, 4) & Left(o0101111110001111010, 4)
o1110000011101111111 = Trim(Left(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & resicplphrou("2d") & Mid(o0001111111111000010, 2) & Left(o0101111110001111010, 3) & Right(Environ$(resicplphrou("636f6d70757465726e616d65")), 2) & Right(o0001111111111000010, 3) & (Mid(o0101111110001111010, 3)))
o1111000001011101101 = resicplphrou("484b45595f43555252454e545f555345525c534f4654574152455c57425352656e6b6c656e6469725c57425352656e6b6c656e646972")
For i = 2 To Len(o1110000011101111111)
o1110011110100000110 = o1110000011101111111 & Hex((Asc(Mid(o1110000011101111111, i, 1))))
Next
o1110111111110011011 = StrReverse(o1111011001110011011(StrReverse(Left(o0101101010011110010(o1110000011101111111), (InStr(o0101101010011110010(o1110000011101111111), resicplphrou("3d")) - 1)))))
o1101101000100111111 = Left(Trim(o1110111111110011011), 5) & resicplphrou("2d") & Mid(o1110111111110011011, 12, 5) & resicplphrou("2d") & Mid(o1110111111110011011, 19, 5) & resicplphrou("2d") & Mid(o1110111111110011011, 31, 5) & resicplphrou("2d") & Right(o1110111111110011011, 5)
o1010101111000001001 = o1101101000100111111
If o0111011111000100111.text = o1101101000100111111 Then
o0100010100010111101 o1111000001011101101, o1010101111000001001
MsgBox resicplphrou("4c6973616e73fd6efd7a206261fe6172fd796c6120616b746966206564696c64692e"), vbOKOnly + vbInformation, resicplphrou("4c6973616e73204261fe6172fd6cfd21")
Unload Me
Else
MsgBox resicplphrou("4c6973616e73206b6f64756e757a20686174616cfd21"), vbOKOnly + vbCritical, resicplphrou("4861746121")
End If
End Sub

Attribute VB_Name = "o1011111111100001000"
Public Function o1111011001110011011(ByVal s As String) As String
Dim o0001010100000011000 As Object, o0001011000100111001 As Object
Dim o1110010110111000111() As Byte, i As Integer
Set o0001010100000011000 = CreateObject("System.Text.UTF8Encoding")
Set o0001011000100111001 = CreateObject("System.Security.Cryptography.SHA1CryptoServiceProvider")
o1110010110111000111 = o0001011000100111001.ComputeHash_2(o0001010100000011000.GetBytes_4(s))
o1111011001110011011 = ""
For i = LBound(o1110010110111000111) To UBound(o1110010110111000111)
o1111011001110011011 = o1111011001110011011 & Hex(o1110010110111000111(i) \ 16) & Hex(o1110010110111000111(i) Mod 16)
Next
End Function
Function o1001110101110101001(o0100000001011001100 As String) As String
Dim o0100001001001011101 As Object
On Error Resume Next
Set o0100001001001011101 = CreateObject("WScript.Shell")
o1001110101110101001 = o0100001001001011101.RegRead(o0100000001011001100)
End Function
Function o0100011111000100001(o0100000001011001100 As String) As Boolean
Dim o0100001001001011101 As Object
On Error GoTo ErrorHandler
Set o0100001001001011101 = CreateObject("WScript.Shell")
o0100001001001011101.RegRead o0100000001011001100
o0100011111000100001 = True
Exit Function
ErrorHandler:
o0100011111000100001 = False
End Function
Sub o0100010100010111101(o0100000001011001100 As String, o1010101111000101111 As String, Optional o1110001001011110000 As String = "REG_SZ")
Dim o0100001001001011101 As Object
Set o0100001001001011101 = CreateObject("WScript.Shell")
o0100001001001011101.RegWrite o0100000001011001100, o1010101111000101111, o1110001001011110000
End Sub
Function o1010010000010000011(o0100000001011001100 As String) As Boolean
Dim o0100001001001011101 As Object
On Error GoTo ErrorHandler
Set o0100001001001011101 = CreateObject("WScript.Shell")
o0100001001001011101.RegDelete o0100000001011001100
o1010010000010000011 = True
Exit Function
ErrorHandler:
o1010010000010000011 = False
End Function
Public Function o0011110001000010000() As String
Dim o0110000010001101101 As Object
Dim o1010000000010100111 As Object
Dim o1000100010100000010 As Object
Dim o0001100101110110101 As String
Set o1000100010100000010 = GetObject("WinMgmts:")
Set o0110000010001101101 = o1000100010100000010.InstancesOf("Win32_BaseBoard")
For Each o1010000000010100111 In o0110000010001101101
o0001100101110110101 = o0001100101110110101 & o1010000000010100111.SerialNumber
If o0001100101110110101 < o0110000010001101101.Count Then o0001100101110110101 = o0001100101110110101 & ","
Next
o0011110001000010000 = o0001100101110110101
End Function
Public Function resicplphrou(ByVal xqbrracgzypu As String) As String
Dim htbqcxngxkgq As Long
For htbqcxngxkgq = 1 To Len(xqbrracgzypu) Step 2
resicplphrou = resicplphrou & Chr$(Val("&H" & Mid$(xqbrracgzypu, htbqcxngxkgq, 2)))
Next htbqcxngxkgq
End Function

Function o0101101010011110010(text$)
Dim b
With CreateObject("ADODB.Stream")
.Open: .Type = 2: .Charset = "utf-8"
.WriteText text: .Position = 0: .Type = 1: b = .Read
With CreateObject("Microsoft.XMLDOM").createElement("o0100010100111100011")
.DataType = "bin.base64": .nodeTypedValue = b
o0101101010011110010 = Replace(Mid(.text, 5), vbLf, "")
End With
.Close
End With
End Function
Function o0110101101100110000(o0100010100111100011$)
Dim b
With CreateObject("Microsoft.XMLDOM").createElement("o0100010100111100011")
.DataType = "bin.base64": .text = o0100010100111100011
b = .nodeTypedValue
With CreateObject("ADODB.Stream")
.Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
o0110101101100110000 = .ReadText
.Close
End With
End With
End Function
Function o1111100110100110110() As String
Dim o0011100100101111000 As String
Dim o1000100010100000010 As Variant
Dim o1111010001100101100 As Variant
Dim o0101111110001111010 As Variant
Dim o0110111100111110011 As String
o0011100100101111000 = "."
Set o1000100010100000010 = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & o0011100100101111000 & "\root\cimv2")
Set o1111010001100101100 = o1000100010100000010.ExecQuery("Select * from " & "Win32_Processor")
For Each o0101111110001111010 In o1111010001100101100
o0110111100111110011 = o0110111100111110011 & ", " & o0101111110001111010.ProcessorId
Next o0101111110001111010
If Len(o0110111100111110011) > 0 Then o0110111100111110011 = Mid$(o0110111100111110011, 3)
o1111100110100110110 = o0110111100111110011
End Function

Attribute VB_Name = "o0011001100011110100"

Attribute VB_Name = "o0111101101101111000"

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"

Attribute VB_Name = "Module3"

Attribute VB_Name = "Module4"

Attribute VB_Name = "Module5"

Attribute VB_Name = "DPB"
Attribute VB_Base = "0{E55AE626-2727-407C-89BF-9364912CF556}{67355637-9D30-4FC8-B077-DD6BF1EF3804}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 69120 bytes
SHA-256: 237aec66ab164a09bcfbd036caf031b4e62ac6e381aa35c65beaba226569f1d7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
vbaProject_01.bin vba-project OOXML VBA project: xl/printerSettings.bin 70687 bytes
SHA-256: db2fce5cddb29013d830cb8287bed9d8bbb1c582989c65d86d3d052e0d48812a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.