Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07068677e5c216bf…

MALICIOUS

Office (OLE)

3.93 MB Created: 2012-01-05 15:37:00 Authoring application: Microsoft Office Word First seen: 2014-04-29
MD5: 9e51748062b0f08802149476234d4be6 SHA-1: 7722f79b6d02f8538474283586c0a4bd9e6bea16 SHA-256: 07068677e5c216bf8d24a9b910cf884199b12cb279333ab297d927ec80b01f1a
290 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample is a malicious Office document that leverages VBA macros. Heuristics indicate exploitation of CVE-2012-0158 and CVE-2015-0097, which are known vulnerabilities allowing for client execution. The presence of LoadLibrary and CreateObject calls within the VBA code suggests the macro is designed to load additional components or execute commands, likely to download and execute a secondary payload.

Heuristics 9

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE likely CVE_2012_0158
    MSCOMCTL.ListView — CVE-2012-0158
  • ADODB.RecordSet — CVE-2015-0097 related high CVE related CVE_2015_0097_RELATED
    ADODB.RecordSet — CVE-2015-0097 related
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            shell "Notepad.exe " & strPath, 1
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Set xlApp = CreateObject("Excel.Application")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
            Set xlApp = GetObject(, "Excel.Application")
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
            strPath = Environ("temp") & "\" & Format(Now, "yyyy-mm-dd hhnnss") & " DescribeActiveShape.txt"
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0 In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://logo.verisign.com/vslogo.gif0In document text (OLE body)
    • https://www.verisign.com/rpaIn document text (OLE body)
    • http://csc3-2010-crl.verisign.com/CSC3-2010.crl0DIn document text (OLE body)
    • https://www.verisign.com/rpa0In document text (OLE body)
    • http://csc3-2010-aia.verisign.com/CSC3-2010.cer0In document text (OLE body)
    • https://www.verisign.com/cps0*In document text (OLE body)
    • http://logo.verisign.com/vslogo.gif04In document text (OLE body)
    • http://crl.verisign.com/pca3-g5.crl04In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 SignedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.
vba-macro oletools.olevba.extract_macros (decoded VBA source) 2929150 bytes
SHA-256: a3a9731f3fcdb4717e36a44a764b1356ed5e41d4403b8e9090bb908941ba2a75
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "BBPTv2_frmLink"
Attribute VB_Base = "0{367EE890-BD8E-4623-BD72-C632C09DA570}{CEF2AC78-19F6-4D27-934D-6C17CF690D89}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False



Option Explicit

'version:
'   2011-09-09.1

Private mParent                 As BBPTv2_clsLinks
Private mbleClosing             As Boolean

Private Enum lvcListViewLinkColumns
    lvcID = 0
    lvcSlideIndex = 1
    lvcShapeName = 2
    lvcFullName = 3
    lvcFileName = 4
    lvcLastModify = 5
    lvcLastLink = 6
    lvcStatus = 7
End Enum
'

'---------------------
'custom properties
'---------------------
Public Property Get Parent() As BBPTv2_clsLinks
    Set Parent = mParent
End Property
Public Property Set Parent(pParent As BBPTv2_clsLinks)
    Set mParent = pParent
End Property

Public Property Get Closing() As Boolean
    Closing = mbleClosing
End Property

'---------------------
'form events
'---------------------
Private Sub UserForm_Activate()
    Add_ListItems
    Select_SelectedShape
End Sub

Private Sub UserForm_Initialize()
    mbleClosing = False
    Format_ListView
End Sub

Private Sub UserForm_QueryClose(Cancel As Integer, CloseMode As Integer)
    mbleClosing = True
    ListViewFullRowSelectOff lvLink
    mParent.CleanUpMyExcelHandler
End Sub

'---------------------
'ListView events
'---------------------
Private Sub lvLink_Click()
    Enable_ViewSaveButtons
End Sub

Private Sub lvLink_ColumnClick(ByVal ColumnHeader As MSComctlLib.ColumnHeader)
    Call ListViewSort(lvLink, ColumnHeader)
End Sub

'---------------------
'other control events
'---------------------
Private Sub ckUpdatesOnly_AfterUpdate()
    Refresh_ListItems
End Sub

Private Sub cmdCancel_Click()
    Unload Me
End Sub

Private Sub cmdManage_Click()
On Error GoTo handleError
    
    Dim MyLink      As BBPTv2_clsLink
    Dim strMsg      As String
    Dim bleOpen     As Boolean
    
    TempEnable_ViewSaveButtons False
    
    Set MyLink = SelectedLink
    If Not (MyLink Is Nothing) Then
        bleOpen = True
        If MyLink.IsBroken = True Then
            mParent.Mode = lumBrokenLinks
        Else
            Select Case MyLink.ReadyState
                Case lrsCannotOpenWbkCorrupt, lrsCannotOpenWbkFilenameCollision
                    strMsg = BBPTv2_LinkReadyStateMsg(MyLink.ReadyState)
                    MsgBox BbgLocalizeString(strMsg, "UpdateLink"), vbExclamation, "Cannot open workbook"
                    bleOpen = False
                Case lrsNewerFiles
                    mParent.Mode = lumUpdateLinks
                Case Else
                    mParent.Mode = lumManageLinks
            End Select
        End If
        
        If bleOpen = True Then
            Me.Hide
            BBPTv2_Open_BBPTv2_frmModifyLink MyLink
        End If
    End If

ExitHere:
    TempEnable_ViewSaveButtons True
    Set MyLink = Nothing
    Exit Sub
handleError:
    Gen_ErrHandle "BBPTv2_frmLink.cmdManage_Click", "UpdateLink"
    Resume ExitHere
End Sub

Private Sub cmdOpenExcel_Click()
On Error GoTo handleError

    Dim MyLink      As BBPTv2_clsLink
    
    TempEnable_ViewSaveButtons False
    Set MyLink = SelectedLink
    
    If Not (MyLink Is Nothing) Then
        MyLink.ShowMe
    End If
    
ExitHere:
    Set MyLink = Nothing
    TempEnable_ViewSaveButtons True
    Exit Sub
handleError:
    Gen_ErrHandle "BBPTv2_frmLink.cmdOpenExcel_Click", "UpdateLink"
    Resume ExitHere
End Sub

Private Sub cmdOpenPowerPoint_Click()
'    Dim bleShrink       As Boolean
    
    Show_Shape
        
'    If cmdOpenPowerPoint.Caption = "View in Slide" Then
'        bleShrink = True
'        cmdOpenPowerPoint.Caption = "Restore"
'    Else
'        bleShrink = False
'        cmdOpenPowerPoint.Caption = "View in Slide"
'    End If
'    Resize_Form bleShrink
End Sub

Private Sub cmdOK_Click()
    TempEnable_ViewSaveButtons False

    uEcho_CustomMsgBox "Preparing...", "Update Links", True
    mbleClosing = True
    If mParent.BatchUpdate = True Then
        uClose_CustomMsgBox
        cmdCancel_Click
    Else
        TempEnable_ViewSaveButtons True
        mbleClosing = False
'Added the following code to address DRQS 28986742
        uClose_CustomMsgBox
        cmdCancel_Click
    End If
End Sub

'---------------------
'custom methods
'---------------------
''  handle ListView
''--------------------
Private Sub Format_ListView()
    With lvLink
        .ColumnHeaders.Add , , "ID", 0
        .ColumnHeaders.Add , , "Slide", 30
        .ColumnHeaders.Add , , "Shape", 100
        .ColumnHeaders.Add , , "FullName", 0
        .ColumnHeaders.Add , , "Link File Name", 120
        .ColumnHeaders.Add , , "File Last Modified", 90
        .ColumnHeaders.Add , , "Link Last Updated", 90
        .ColumnHeaders.Add , , "Link Status", 160
        .HideColumnHeaders = False
        .View = lvwReport
        .Gridlines = True
        .LabelEdit = lvwManual
    End With
    ListViewFullRowSelectOn lvLink
End Sub

Private Sub Add_ListItems()
On Error GoTo handleError

    Dim MyLink      As BBPTv2_clsLink
    Dim li          As ListItem
    Dim strNm       As String
'    Dim lngLast     As Long

    lvLink.ListItems.Clear
'    lngLast = vbRed

    For Each MyLink In mParent.Links
        With MyLink
            If .ReadyState <> lrsReady Or ckUpdatesOnly.Value = False Then
                Set li = lvLink.ListItems.Add(key:=.id)
                li.SubItems(lvcSlideIndex) = .ShapeData("SlideIndex")
                li.SubItems(lvcShapeName) = .ShapeData("ShapeName")
                strNm = .CurrentWbkName
                li.SubItems(lvcFullName) = strNm
                li.SubItems(lvcFileName) = uPathOrFileNm("FileNm", strNm)
                li.SubItems(lvcLastModify) = .CurrentWbkLastModified
                li.SubItems(lvcLastLink) = .TagInfo.TagTimestamp
                li.SubItems(lvcStatus) = .ReadyStateDescription
            End If
        End With
'        ColorListviewRow li, lngLast, lvLink.ColumnHeaders.Count
'        If lngLast = vbRed Then
'            lngLast = vbBlue
'        ElseIf lngLast = vbBlue Then
'            lngLast = vbRed
'        End If
    Next MyLink
    
    ListViewSort lvLink, lvLink.ColumnHeaders(3)
    ListViewSort lvLink, lvLink.ColumnHeaders(2)
    lvLink.Sorted = True
    
    If Not (lvLink.SelectedItem Is Nothing) Then
        lvLink.SelectedItem.Selected = False
        Set lvLink.SelectedItem = Nothing
    End If
    
ExitHere:
    Set li = Nothing
    Set MyLink = Nothing
    Exit Sub
handleError:
    Gen_ErrHandle "BBPTv2_frmLink.Add_ListItems", "UpdateLink"
    Resume ExitHere
    Resume
End Sub

Private Sub Refresh_ListItems()
    
    Dim MyLink  As BBPTv2_clsLink
    Dim MyItem  As ListItem
    
    Set MyLink = SelectedLink
    
    Add_ListItems
    
    If Not (MyLink Is Nothing) Then
        For Each MyItem In lvLink.ListItems
            If MyItem.key = MyLink.id Then
                MyItem.Selected = True
                Exit For
            End If
        Next MyItem
    End If
    
    Enable_ViewSaveButtons
    
    Set MyItem = Nothing
    Set MyLink = Nothing
End Sub

Private Sub Enable_ViewSaveButtons()
    Dim MyLink          As BBPTv2_clsLink
    Dim bleIsSelected   As Boolean
    
    Set MyLink = SelectedLink
    bleIsSelected = (Not MyLink Is Nothing)
    
    If bleIsSelected = True Then
        cmdOpenExcel.Enabled = MyLink.WbkNameIsValid
    End If
    cmdOpenPowerPoint.Enabled = bleIsSelected
    cmdManage.Enabled = bleIsSelected
    cmdOK.Enabled = CanIUpdate
    
    Set MyLink = Nothing
End Sub

Private Sub Select_SelectedShape()
    Dim shp             As Word.InlineShape
    Dim li              As ListItem
    Dim lngIndex        As Long
    
    If pptHasActiveDocument = True Then
        If pptSelectionIsInlineShape = True Then
'During Word 2007/2003 compatibility - next 2 lines
'In a .doc files, the following line with ShapeRange caused an error when Update document
'is done after selecting one of the shapes
            If ActiveWindow.Selection.InlineShapes.Count = 1 Then
                Set shp = ActiveWindow.Selection.InlineShapes(1)
                lngIndex = pptCurrentSlideIndex(pbleForInsert:=False)
                For Each li In lvLink.ListItems
'During Word 2007/2003 compatibility - next line
                    If (li.SubItems(lvcShapeName) = shp.AlternativeText) Then
                        li.Selected = True
                        Exit For
                    End If
                Next li
            End If
        End If
    End If
    
    lvLink_Click
    Set li = Nothing
    Set shp = Nothing
End Sub

Private Function SelectedLink() As BBPTv2_clsLink
'On Error Resume Next
    If Not (lvLink.SelectedItem Is Nothing) Then
        If Not (mParent Is Nothing) Then
            Set SelectedLink = mParent.GetLinkById(lvLink.SelectedItem.key)
        End If
    End If
If Err.Number <> 0 Then Err.Clear
End Function

Private Function CanIUpdate() As Boolean
    If Not (mParent Is Nothing) Then
        CanIUpdate = (mParent.ReadyStateCount(lrsReady) > 0)
    End If
End Function

Private Function AmIAllReady() As Boolean
    If Not (mParent Is Nothing) Then
        AmIAllReady = mParent.AllLinksReady
    End If
End Function

Private Sub Show_Shape()
    If Not (lvLink.SelectedItem Is Nothing) Then
        With ActiveDocument
            .InlineShapes(BBPTv2_GetInlineShapeIndexFromName(ActiveDocument, lvLink.SelectedItem.SubItems(lvcShapeName))).Select
'            .GotoSlide lvLink.SelectedItem.SubItems(lvcSlideIndex)
'            .Slide.Shapes(lvLink.SelectedItem.SubItems(lvcShapeName)).Select
        End With
    End If
End Sub

Private Sub Resize_Form(pbleShrink As Boolean)
    
    Dim lngIndex            As Long
    Dim lngBtnLeftOffset    As Long
    
    Const LVHEIGHT_TALL     As Long = 270
    Const LVHEIGHT_SHORT    As Long = 40
    Const BTNL_EXCEL        As Long = 222
    Const BTNL_PPT          As Long = 300
    Const BTNL_MANAGE       As Long = 390
    Const BTNL_OK           As Long = 468
    Const BTNL_CANCEL       As Long = 546
    Const OFFSET_BTNTOP     As Long = 10
    Const OFFSET_FRMHEIGHT  As Long = 28
    Const OFFSET_FRMWIDTH   As Long = 12
        
    If Not (lvLink.SelectedItem Is Nothing) Then
        lngIndex = lvLink.SelectedItem.Index
    End If
    
    If lngIndex > 0 Then
        If pbleShrink = True Then
            lvLink.Height = LVHEIGHT_SHORT
            lngBtnLeftOffset = cmdOpenExcel.Left - lvLink.Left
        Else
            lvLink.Height = LVHEIGHT_TALL
            lngBtnLeftOffset = 0
        End If
        
        If pbleShrink = True Then
            With lvLink.SelectedItem
                txtFilename.Value = .SubItems(lvcFileName)
                txtLastModified.Value = .SubItems(lvcLastModify)
                txtLastUpdated.Value = .SubItems(lvcLastLink)
                txtLinkStatus.Value = .SubItems(lvcStatus)
            End With
        Else
        End If
        
        lblTxtFilename.Visible = pbleShrink
        lblTxtLastModified.Visible = pbleShrink
        lblTxtLastUpdated.Visible = pbleShrink
        lblTxtLinkStatus.Visible = pbleShrink
        txtFilename.Visible = pbleShrink
        txtLastModified.Visible = pbleShrink
        txtLastUpdated.Visible = pbleShrink
        txtLinkStatus.Visible = pbleShrink
        
        lvLink.Visible = Not pbleShrink
        ckUpdatesOnly.Visible = Not pbleShrink
        
        cmdOpenExcel.Left = BTNL_EXCEL - lngBtnLeftOffset
        cmdOpenPowerPoint.Left = BTNL_PPT - lngBtnLeftOffset
        cmdManage.Left = BTNL_MANAGE - lngBtnLeftOffset
        cmdOK.Left = BTNL_OK - lngBtnLeftOffset
        cmdCancel.Left = BTNL_CANCEL - lngBtnLeftOffset
        
        cmdOK.Top = lvLink.Top + lvLink.Height + OFFSET_BTNTOP
        cmdOpenExcel.Top = cmdOK.Top
        cmdOpenPowerPoint.Top = cmdOK.Top
        cmdManage.Top = cmdOK.Top
        cmdCancel.Top = cmdOK.Top
        Me.Height = cmdOK.Top + cmdOK.Height + OFFSET_FRMHEIGHT
        
        lvLink.ListItems(lngIndex).Selected = True
        If pbleShrink = True Then
            Me.Width = txtLastModified.Left + txtLastModified.Width + OFFSET_FRMWIDTH
        
            If Not (ActiveWindow.Selection Is Nothing) Then
'                Me.StartUpPosition = 0
'                If ActiveWindow.Selection.ShapeRange.Top > 250 Then
'                    If Me.Top > ActiveWindow.Height / 2 Then
'                        Me.Top = 25
'                    End If
'                ElseIf Me.Top < ActiveWindow.Height / 2 Then
'                    Me.Top = ActiveWindow.Height / 2 + 25
'                End If
            End If
        Else
'            Me.StartUpPosition = 1
            Me.Width = lvLink.Left + lvLink.Width + OFFSET_FRMWIDTH
            ListViewFullRowSelectOn lvLink
            lvLink.SetFocus
        End If
    End If
End Sub

Private Sub TempEnable_ViewSaveButtons(pbleEnable As Boolean)
    If pbleEnable = True Then
        Enable_ViewSaveButtons
        cmdCancel.Enabled = True
    Else
        If lvLink.Visible = True Then
            lvLink.SetFocus
        Else
            txtFilename.SetFocus
        End If
        cmdOpenExcel.Enabled = False
        cmdOpenPowerPoint.Enabled = False
        cmdManage.Enabled = False
        cmdOK.Enabled = False
        cmdCancel.Enabled = False
    End If
End Sub


Attribute VB_Name = "BBPTv2_modExcelLinkHandler"
Option Explicit

'version:
'   2011-09-08.1

'Const defined in winuser.h
Private Const OBJID_NATIVEOM    As Long = &HFFFFFFF0
'IDispatch pointer to native object model
Private Const Guid_Excel        As String = "{00020400-0000-0000-C000-000000000046}"
'for throttle caching
Private Const THROTTLE_UNCACHED As Long = -2

'class names to search by
Private mstrAppClass            As String
Private mstrChildClass          As String
'title (a.k.a. filename, all/partial) to search for
Private mstrFullPath            As String
Private mstrFindTitle           As String
Private mstrTitleNoExt          As String
Private mstrFindTitlePart       As String
'result handles - "default" app instance and child with object
#If VBA7 Then
Private mlngFirstHwnd           As LongPtr
Private mlngChildHwnd           As LongPtr
#Else
Private mlngFirstHwnd           As Long
Private mlngChildHwnd           As Long
#End If
'counters (not used)
'Private mlngWinCounter          As Long
'Private mlngChildWinCounter     As Long
'stop on find?
'Private mbleFindAll             As Boolean

Private mTest       As BBPTv2_clsExcelLinkHandler
Private CachedXlApp           As Object
'
Public Sub BBPTv2_xlClearCachedInstance(Optional quit As Boolean = False)
''''    On Error Resume Next
    If Not CachedXlApp Is Nothing Then
        Dim i As Integer
        Dim n As Integer
        n = CachedXlApp.Workbooks.Count
        For i = 1 To n
            CachedXlApp.Workbooks(i).Saved = True
            CachedXlApp.Workbooks(i).Close
        Next i
        If quit Then
            CachedXlApp.quit
            Set CachedXlApp = Nothing
        End If
    End If
End Sub
Public Function BBPTv2_xlGetWbk(pstrFullName As String, _
                Optional pbleShow As Boolean = False, _
                Optional pbleWasOpenOutput As Boolean) As Object

    Dim xlApp           As Object
    Dim xlWbk           As Object
    Dim strWbkNameOnly  As String

    Set xlApp = BBPTv2_xlGetApplicationForWbkPath(pstrFullName, pbleWasOpenOutput)

    If pbleWasOpenOutput = False Then
        'load it, without flicker, if you plan to show it
        If pbleShow = False Then
            xlApp.ScreenUpdating = False
        End If
        Set xlWbk = xlApp.Workbooks.Open(pstrFullName)
    Else
        'get it by its (pathless, if saved) name
        strWbkNameOnly = uPathOrFileNm("FileNm", pstrFullName)
        Set xlWbk = xlApp.Workbooks(strWbkNameOnly)
    End If
    
    Set BBPTv2_xlGetWbk = xlWbk

    Set xlWbk = Nothing
    Set xlApp = Nothing
End Function

Public Function BBPTv2_xlGetWbkNoLoad(pstrName As String) As Object

'NB: pstrName may be either a full path or a workbook name
'(to check for loaded instance of a workbook name regardless of full path)

    Dim xlApp           As Object
    Dim bleHwndIsChild  As Boolean
    Dim strWbkNameOnly  As String
    
#If VBA7 Then
    Dim lngHwnd         As LongPtr
#Else
    Dim lngHwnd         As Long
#End If

    lngHwnd = BBPTv2_xlFindWbkOrFirstAppHandle(pstrName, bleHwndIsChild)

    If lngHwnd > 0 Then
        If bleHwndIsChild = True Then
            Set xlApp = BBPTv2_xlGetApplicationForHwnd(lngHwnd, bleHwndIsChild)
            
            If Not (xlApp Is Nothing) Then
                'get it by its (pathless, if saved) name
                strWbkNameOnly = uPathOrFileNm("FileNm", pstrName)
                Set BBPTv2_xlGetWbkNoLoad = xlApp.Workbooks(strWbkNameOnly)
            End If
        End If
    End If

    Set xlApp = Nothing
End Function
Public Sub prepareAndCacheExcelInstance()
    If BBPTv2_InLinkManager Then
        If IsLinkManagerV2NewCallToExcelEnabled Then
            Set CachedXlApp = BBPTv2_xlGetOrOpenApplicationForHwnd(WPFLinkManager_CreateNewExcelInstance(), True, True)
        Else
            Set CachedXlApp = BBPTv2_xlGetOrOpenApplicationForHwnd(0, True, True)
        End If
        CachedXlApp.Workbooks.Add
    End If
End Sub
Public Function getCachedInstance() As Object
    If CachedXlApp Is Nothing Then
        prepareAndCacheExcelInstance
    End If
    Set getCachedInstance = CachedXlApp
End Function

Public Function BBPTv2_xlGetApplicationForWbkPath(pstrFullName As String, pbleWbkWasOpenOutput As Boolean, Optional pbleLoadAddIns As Boolean = True, Optional CreateNewExcelInstance As Boolean = False) As Object
    pushTrace "[XL:BBPT_modExcelLinkHandler.bas],Public Function xlGetApplicationForWbkPath"
    Dim xlApp           As Object
    Dim bleAppRunning   As Boolean
    Dim localCachedXlApp As Object
    #If VBA7 Then
    Dim lngHwnd         As LongPtr
    #Else
    Dim lngHwnd         As Long
    #End If
    
    'Set localCachedXlApp = getCachedInstance
    
    'If CreateNewExcelInstance Or (localCachedXlApp Is Nothing) Then
    '    lngHwnd = 0
    '    Set xlApp = BBPTv2_xlGetOrOpenApplicationForHwnd(lngHwnd, pbleWbkWasOpenOutput, pbleLoadAddIns)
    '    '''Set CachedXlApp = xlApp
    'Else
        'get a handle, and determine whether it's for a workbook or an app instance
        lngHwnd = BBPTv2_xlFindWbkOrFirstAppHandle(pstrFullName, pbleWbkWasOpenOutput)
        
        'if a handle came back, at least one instance of Excel is running
        '(this isn't particularly useful; just check XLApp.Visible when you're done getting/opening;
        'if it's a hidden instance, it wasn't running)
        bleAppRunning = (lngHwnd > 0)
        
        If mlngChildHwnd = 0 Then
            Set localCachedXlApp = getCachedInstance
        End If
        
        If mlngChildHwnd = 0 And Not (localCachedXlApp Is Nothing) Then
            Set xlApp = localCachedXlApp
        Else
            'get an app instance.
            Set xlApp = BBPTv2_xlGetOrOpenApplicationForHwnd(lngHwnd, pbleWbkWasOpenOutput, pbleLoadAddIns)
        End If
    'End If
    
    Set BBPTv2_xlGetApplicationForWbkPath = xlApp
    
popTrace
End Function

#If VBA7 Then
Private Function BBPTv2_xlFindWbkOrFirstAppHandle(pstrFullName As String, _
                                           pbleIsChildWindowOutput As Boolean) As LongPtr
#Else
Private Function BBPTv2_xlFindWbkOrFirstAppHandle(pstrFullName As String, _
                                           pbleIsChildWindowOutput As Boolean) As Long
#End If

    Dim retval  As Long
    Dim i       As Long
    
    'defaults
    mstrAppClass = "XLMAIN"
    mstrChildClass = "" '"EXCEL7"
    mstrFullPath = pstrFullName
    mstrFindTitle = uPathOrFileNm("FileNm", pstrFullName)
    i = InStrRev(mstrFindTitle, ".")
    If i > 0 Then
        mstrTitleNoExt = Trim(Left(mstrFindTitle, i - 1))
    End If
    mstrFindTitlePart = ""
    mlngFirstHwnd = 0
    mlngChildHwnd = 0

    'find
    retval = EnumWindows(AddressOf BBPTv2_EnumWindowsProc, 0)
    
    If mlngChildHwnd > 0 Then
        pbleIsChildWindowOutput = True
        BBPTv2_xlFindWbkOrFirstAppHandle = mlngChildHwnd
    Else
        BBPTv2_xlFindWbkOrFirstAppHandle = mlngFirstHwnd
    End If
    
End Function


#If VBA7 Then
Private Function BBPTv2_xlGetOrOpenApplicationForHwnd(plngHWnd As LongPtr, _
                                               pbleIsChild As Boolean, _
                                               pbleLoadAddIns As Boolean) As Object
#Else
Private Function BBPTv2_xlGetOrOpenApplicationForHwnd(plngHWnd As Long, _
                                               pbleIsChild As Boolean, _
                                               pbleLoadAddIns As Boolean) As Object
#End If
On Error GoTo handleError

    Dim xlApp               As Object
    Dim AI                  As Object
    Dim i                   As Long
    Dim lngAICount          As Long
    Dim bleUseExistingApp As Boolean
    
    If plngHWnd > 0 Then
        Set xlApp = BBPTv2_xlGetApplicationForHwnd(plngHWnd, pbleIsChild)
        If xlApp Is Nothing Then
            bleUseExistingApp = False
            Else
            bleUseExistingApp = True
        End If
    End If
    
    If Not bleUseExistingApp Then
        'no Excel running
        '''''TODO:''''uEcho_CustomMsgBox BbgLocalizeString("Opening Excel...")
        
        Set xlApp = CreateObject("Excel.Application")
        If pbleLoadAddIns = True Then
            'explicitly reload add-ins (automation doesn't)
            For Each AI In xlApp.AddIns
                If AI.Installed Then lngAICount = lngAICount + 1
            Next AI
            For Each AI In xlApp.AddIns
                If AI.Installed Then
                    i = i + 1
                    '''''TODO:''''uEcho_CustomMsgBox BbgLocalizeString("Loading Add-Ins (" & i & " of " & lngAICount & ")...")
                    On Error GoTo NextAI
                    If Mid(AI.Author, 1, 9) = "Bloomberg" Then
                        xlApp.Workbooks.Open (AI.FullName)
                    Else
                        AI.Installed = False
                        AI.Installed = True
                    End If
                End If
NextAI:
            Next AI
        End If
    End If
    
    Set BBPTv2_xlGetOrOpenApplicationForHwnd = xlApp
    
ExitHere:
    Set AI = Nothing
    Set xlApp = Nothing
    Exit Function
handleError:
    Gen_ErrHandle "xlGetOrOpenApplicationForHwnd(" & plngHWnd & ")"
    Resume ExitHere
End Function


#If VBA7 Then
Private Function BBPTv2_xlGetApplicationForHwnd(plngHWnd As LongPtr, _
                                         pbleIsChild As Boolean) As Object
#Else
Private Function BBPTv2_xlGetApplicationForHwnd(plngHWnd As Long, _
                                         pbleIsChild As Boolean) As Object
#End If
On Error GoTo handleError

    Dim xlApp   As Object
    Dim xlWbk As Object

    'get only, no load
    If pbleIsChild = True Then
        'get the parent instance using accessibility
        Set xlApp = BBPTv2_xlGetApplicationFromHwnd(plngHWnd)
        Set BBPTv2_xlGetApplicationForHwnd = xlApp
    Else
        'get the "default" instance
        Set xlApp = GetObject(, "Excel.Application")
        'Let it error out if the xl state is no good..
        xlApp.DisplayAlerts = False
        xlApp.Interactive = False
        xlApp.ScreenUpdating = False
        
        If xlApp.Visible Then
            If xlApp.Workbooks.Count = 0 Then
                xlApp.DisplayAlerts = True
                xlApp.Interactive = True
                xlApp.ScreenUpdating = True
                Set xlWbk = Nothing
                Set BBPTv2_xlGetApplicationForHwnd = xlApp
                Set xlApp = Nothing
                Exit Function
            End If
        End If
        
        If xlApp.Workbooks.Count > 0 Then
            Set xlWbk = xlApp.Workbooks(1)
            xlWbk.Activate
            xlApp.Run "DummyMacroToTestAppState"
            xlApp.DisplayAlerts = True
            xlApp.Interactive = True
            xlApp.ScreenUpdating = True
            Set xlWbk = Nothing
            Set BBPTv2_xlGetApplicationForHwnd = xlApp
            Else
            Set BBPTv2_xlGetApplicationForHwnd = Nothing
        End If
    End If
    
ExitHere:
    Set xlApp = Nothing
    Exit Function
handleError:
    'Gen_ErrHandle "xlGetApplicationForHwnd(" & plngHWnd & ")"
    Set BBPTv2_xlGetApplicationForHwnd = Nothing
    Resume ExitHere
End Function

#If VBA7 Then
Public Function BBPTv2_uWindowClass(ByVal Hwnd As LongPtr) As String
#Else
Public Function BBPTv2_uWindowClass(ByVal Hwnd As Long) As String
#End If
    Dim strBuffer   As String
    Dim retval      As Long
    strBuffer = Space(256)
    retval = GetClassName(Hwnd, strBuffer, 255)
    BBPTv2_uWindowClass = Left(strBuffer, retval)
End Function

#If VBA7 Then
Public Function BBPTv2_uWindowTitle(ByVal Hwnd As LongPtr, _
                    Optional pbleRemoveBracketTag As Boolean = True) As String
#Else
Public Function BBPTv2_uWindowTitle(ByVal Hwnd As Long, _
                    Optional pbleRemoveBracketTag As Boolean = True) As String
#End If

    Dim lngLen      As Long
    Dim strBuffer   As String
    Dim retval      As Long
    Dim strOut      As String
    Dim i           As Long
    
    lngLen = GetWindowTextLength(Hwnd) + 1
    If lngLen > 1 Then
        'title found - pad buffer
        strBuffer = Space(lngLen)
        '...get titlebar text
        retval = GetWindowText(Hwnd, strBuffer, lngLen)
        strOut = Left(strBuffer, lngLen - 1)
    End If
    If Len(strOut) > 0 And pbleRemoveBracketTag = True Then
        'e.g. MyFile.xls [Compatibility Mode]
        i = InStr(1, strOut, "[")
        If i > 0 Then
            strOut = Trim(Left(strOut, i - 1))
        End If
    End If
    
    BBPTv2_uWindowTitle = strOut
    
End Function

#If VBA7 Then
Public Function BBPTv2_uWindowState(ByVal Hwnd As LongPtr) As swcShowWindowCmd
#Else
Public Function BBPTv2_uWindowState(ByVal Hwnd As Long) As swcShowWindowCmd
#End If

    Dim wp As WINDOWPLACEMENT
    wp.Length = Len(wp)
    GetWindowPlacement Hwnd, wp
    
    BBPTv2_uWindowState = wp.showCmd

End Function

#If VBA7 Then
Public Sub BBPTv2_uShowWindow(ByVal Hwnd As Long, _
              Optional pShowType As swcShowWindowCmd = swcRestore)
#Else
Public Sub BBPTv2_uShowWindow(ByVal Hwnd As Long, _
              Optional pShowType As swcShowWindowCmd = swcRestore)
#End If

    Dim lngState    As swcShowWindowCmd
    Dim lngToState  As Long
    Dim retval      As Long
    
    lngState = BBPTv2_uWindowState(Hwnd)
    Select Case lngState
        Case swcMaximized, swcNormal, swcRestore, swcShow
            Select Case pShowType
                Case swcMaximized, swcNormal, swcRestore, swcShow
                    'already showing
                    lngToState = lngState
                Case Else
                    lngToState = pShowType
            End Select
        Case Else
            Select Case pShowType
                Case swcMaximized, swcNormal, swcRestore, swcShow
                    lngToState = pShowType
                Case Else
                    lngToState = lngState
            End Select
    End Select
    
    retval = ShowWindow(Hwnd, lngToState)
    
    Select Case pShowType
        Case swcMaximized, swcNormal, swcRestore, swcShow
            BringWindowToTop Hwnd
            SetFocus Hwnd
    End Select
    
End Sub

#If VBA7 Then
Private Function BBPTv2_EnumWindowsProc(ByVal Hwnd As LongPtr, ByVal lParam As Long) As Long
#Else
Private Function BBPTv2_EnumWindowsProc(ByVal Hwnd As Long, ByVal lParam As Long) As Long
#End If
    Dim strThisClass    As String
    'Dim strThisTitle    As String
    Dim retval          As Long
    Dim bleMatch        As Boolean
    
    'mlngWinCounter = mlngWinCounter + 1
    'type of window is all you need for parent
    strThisClass = BBPTv2_uWindowClass(Hwnd)
    bleMatch = (strThisClass = mstrAppClass)
    
    If bleMatch = True Then
        'strThisTitle = uWindowTitle(hWnd)
        'Debug.Print "Window #"; mlngWinCounter; " : ";
        'Debug.Print strThisTitle; "(" & strThisClass & ") " & hWnd
        If mlngFirstHwnd = 0 Then mlngFirstHwnd = Hwnd
        
        'mlngChildWinCounter  0
        retval = EnumChildWindows(Hwnd, AddressOf BBPTv2_EnumChildProc, 0)
        
        If mlngChildHwnd > 0 Then
        'If mbleFindAll = False And mlngChildHwnd > 0 Then
            'stop EnumWindows by setting result to 0
            BBPTv2_EnumWindowsProc = 0
        Else
            BBPTv2_EnumWindowsProc = 1
        End If
    Else
        BBPTv2_EnumWindowsProc = 1
    End If
End Function

#If VBA7 Then
Private Function BBPTv2_EnumChildProc(ByVal Hwnd As LongPtr, ByVal lParam As Long) As Long
#Else
Private Function BBPTv2_EnumChildProc(ByVal Hwnd As Long, ByVal lParam As Long) As Long
#End If

    Dim strThisClass    As String
    Dim strThisTitle    As String
    Dim retval          As Long
    Dim bleMatch        As Boolean
    
    strThisClass = BBPTv2_uWindowClass(Hwnd)
    strThisTitle = BBPTv2_uWindowTitle(Hwnd)
    
    If Len(mstrChildClass) > 0 And Len(mstrFindTitle) > 0 Then
        bleMatch = (strThisClass = mstrChildClass And (strThisTitle = mstrFindTitle Or strThisTitle = mstrTitleNoExt))
    ElseIf Len(mstrChildClass) > 0 And Len(mstrFindTitlePart) > 0 Then
        bleMatch = (strThisClass = mstrChildClass And InStr(1, strThisTitle, mstrFindTitlePart) > 0)
    ElseIf Len(mstrChildClass) > 0 Then
        bleMatch = (strThisClass = mstrChildClass)
    ElseIf Len(mstrFindTitle) > 0 Then
        If Len(strThisTitle) > 0 Then
            If StrComp(strThisTitle, mstrFindTitle, vbTextCompare) = 0 Then
                bleMatch = True
            ElseIf StrComp(strThisTitle, mstrTitleNoExt, vbTextCompare) = 0 Then
                bleMatch = True
            End If
        End If
    ElseIf Len(mstrFindTitlePart) > 0 Then
        bleMatch = (InStr(1, strThisTitle, mstrFindTitlePart) > 0)
    Else
        'everything matches, because there are no criteria
        bleMatch = True
    End If

    If bleMatch = True Then
        If BBPTv2_TestHwndForExcel(Hwnd, strThisTitle) = True Then
            mlngChildHwnd = Hwnd
            BBPTv2_EnumChildProc = 0
        End If
    Else
        BBPTv2_EnumChildProc = 1
    End If
    
End Function

#If VBA7 Then
Private Function BBPTv2_TestHwndForExcel(plngChildHwnd As LongPtr, _
                                  pstrWbkName As String) As Boolean
#Else
Private Function BBPTv2_TestHwndForExcel(plngChildHwnd As Long, _
                                  pstrWbkName As String) As Boolean
#End If
    Dim xlApp As Object
    Dim xlWbk As Object
…