Edit tour

Windows Analysis Report
1_13904442253.xla.xlsx

Overview

General Information

Sample name:	1_13904442253.xla.xlsx
Analysis ID:	1523148
MD5:	6054b5d65c7124cb7a2c43de68776e32
SHA1:	8c386a9bec4fd0a2638e98a3c1a838133456e773
SHA256:	72b0b09f6114190a5cc8e628a2bc581081d83489b02ad2e7c7e5cf6fbce7d2b2
Tags:	xlaxlsxuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3344 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 1_13904442253.xla.xls.0.dr	String found in binary or memory: http://sakhteman.wordpress.co
Source: 96730000.0.dr	String found in binary or memory: http://sakhteman.wordpress.com
Source: 1_13904442253.xla.xlsx	String found in binary or memory: http://sakhteman.wordpress.comb
Source: 96730000.0.dr	String found in binary or memory: http://sakhteman.wordpress.cxom

Source: 1_13904442253.xla.xlsx	OLE indicator, VBA macros: true
Source: 1_13904442253.xla.xls.0.dr	OLE indicator, VBA macros: true
Source: 96730000.0.dr	OLE indicator, VBA macros: true

Source: 1_13904442253.xla.xlsx

Stream path '_VBA_PROJECT_CUR/VBA/__SRP_0' : http://sakhteman.wordpress.comhError! for help visit http://sakhteman.wordpress.comb

Source: classification engine

Classification label: mal48.evad.winXLSX@1/8@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$1_13904442253.xla.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7C9E.tmp

Jump to behavior

Source: 1_13904442253.xla.xlsx	OLE indicator, Workbook stream: true
Source: 1_13904442253.xla.xls.0.dr	OLE indicator, Workbook stream: true
Source: 96730000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: 1_13904442253.xla.xlsx	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : High number of string operations
Source: 1_13904442253.xla.xlsx	Stream path '_VBA_PROJECT_CUR/VBA/Module2' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Module1	Name: Module1
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Module2	Name: Module2
Source: 1_13904442253.xla.xls.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : High number of string operations
Source: 1_13904442253.xla.xls.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module2' : High number of string operations
Source: 96730000.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : High number of string operations
Source: 96730000.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module2' : High number of string operations

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: 1_13904442253.xla.xls.0.dr

OLE indicator, VBA stomping: true

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	Windows Management Instrumentation	11 Scripting	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Obfuscated Files or Information	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1_13904442253.xla.xlsx	0%	Virustotal		Browse
1_13904442253.xla.xlsx	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://sakhteman.wordpress.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://sakhteman.wordpress.cxom	96730000.0.dr	false		unknown
http://sakhteman.wordpress.co	1_13904442253.xla.xls.0.dr	false		unknown
http://sakhteman.wordpress.comb	1_13904442253.xla.xlsx	false		unknown
http://sakhteman.wordpress.com	96730000.0.dr	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523148
Start date and time:	2024-10-01 07:39:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1_13904442253.xla.xlsx
Detection:	MAL
Classification:	mal48.evad.winXLSX@1/8@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF4E6106C13B7F04D6.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.1296879193468892
Encrypted:	false
SSDEEP:	96:1nU43AgdLSUX2dINN7RMx7tJgiHQc/0c/Wc/:1nU43AgdLSUXbQ5/1/r/
MD5:	01492E12E4B635D1FA0F6D8C076F74CC
SHA1:	DD11B84874C8D36A787B97EECFE8A4D105190D1D
SHA-256:	54EEBDACDE08789D995A9E4EE656E064E0E8D05A383D26B1B8708295058DAF2C
SHA-512:	251D787D50F7D8273D52D18DA5E77A22F7BD325B52EF42B709929246501A034FE709FA1D0ED73EE883D59A151886DA60E7C98D2CC11895028BFAB50BF1E6FCFB
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFAB23D18ACD7A39C8.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC6228DFBF7598270.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	FCD6BCB56C1689FCEF28B57C22475BAD
SHA1:	1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961
SHA-256:	DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31
SHA-512:	73E4153936DAB198397B74EE9EFC26093DDA721EAAB2F8D92786891153B45B04265A161B169C988EDB0DB2C53124607B6EAAA816559C5CE54F3DBC9FA6A7A4B2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\1_13904442253.xla.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	4.079784123714033
Encrypted:	false
SSDEEP:	384:EbQ5tjJtLfm2wm1nLsc9M3Qo7Iud+a9L0Dt4gE1gbdXz8xa+J7eptbMtMYuYqEAH:Estjx1sc8a21gRD80+JvWPRyZ3ANdJ
MD5:	032398D809582FE0884563B2F54B475A
SHA1:	78E3DEA1C4639928CB2BE745296C72C69603F108
SHA-256:	49CBCF538A865E3428D0A94C898764417CBB04EDCC34BA59D500AF1ACA922B6D
SHA-512:	64E6D9D92EC1AC9F0E33A970D6DD5043062C6729FD1974FBBEBED684387A769EBE63611AB486544CC7B2758CD468FEF6415FBB4AE21BAD887338BF1012AEBFB1
Malicious:	false
Reputation:	low
Preview:	......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................;...U........................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:.......V...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T.......Z...W...X...Y...[...~...p...o...........................................................................t...q...r...s...\|...u...v...w...x...y...z...

C:\Users\user\Desktop\5EEB3888.tmp (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	4.079784123714033
Encrypted:	false
SSDEEP:	384:EbQ5tjJtLfm2wm1nLsc9M3Qo7Iud+a9L0Dt4gE1gbdXz8xa+J7eptbMtMYuYqEAH:Estjx1sc8a21gRD80+JvWPRyZ3ANdJ
MD5:	032398D809582FE0884563B2F54B475A
SHA1:	78E3DEA1C4639928CB2BE745296C72C69603F108
SHA-256:	49CBCF538A865E3428D0A94C898764417CBB04EDCC34BA59D500AF1ACA922B6D
SHA-512:	64E6D9D92EC1AC9F0E33A970D6DD5043062C6729FD1974FBBEBED684387A769EBE63611AB486544CC7B2758CD468FEF6415FBB4AE21BAD887338BF1012AEBFB1
Malicious:	false
Reputation:	low
Preview:	......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................;...U........................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:.......V...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T.......Z...W...X...Y...[...~...p...o...........................................................................t...q...r...s...\|...u...v...w...x...y...z...

C:\Users\user\Desktop\96730000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: a.asghari, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Oct 1 06:41:51 2024, Security: 0
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	4.564453149253163
Encrypted:	false
SSDEEP:	1536:unxEtjPOtioVjDGUU1qfDlaGGx+cL2QnzVCGeYaYLXIlaw+78SUlKqCDUFy:unxEtjPOtioVjDGUU1qfDlaGGx+cL2Qn
MD5:	CD83F5FA8B3EE27745E55F6C0515897B
SHA1:	9840E5EB4E44B2F5A28397B2977C2BBDB5E4FB6D
SHA-256:	C7BF2B2D9ACF02FD1DD7339D35068E465549BD8C1F26F8C0FF1EE07BEECE0D27
SHA-512:	DC024C1338DF9C86B2D7494015CB6DE7FBF23190B3511B8CB29025315923E6BE60F5BB155D031EC2B5017A970BE0C2F507258E566084AC2551392F8195043771
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................%...0....... ...!..."...#...$...&...*...'...(...)...+.../...,...-.......Y...{.......2...<...4...5...6...7...8...9...:...;...1...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X.......Z...[...\...\|...^..._...`...a...b...c...p...e...f...g...h...i...j...k...l...m...n...o...]...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\96730000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\~$1_13904442253.xla.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0
Entropy (8bit):	4.8296063912625975
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	1_13904442253.xla.xlsx
File size:	68'096 bytes
MD5:	6054b5d65c7124cb7a2c43de68776e32
SHA1:	8c386a9bec4fd0a2638e98a3c1a838133456e773
SHA256:	72b0b09f6114190a5cc8e628a2bc581081d83489b02ad2e7c7e5cf6fbce7d2b2
SHA512:	cc61296d6715244cb6de109163eed43cbd2402b472fb6e9a8d3463a9d0f2cf0050d4c51080895e04964c57c98090d2e13f14eeb0788cf065d79e264b9e504f28
SSDEEP:	768:IstjD1b+scl1ENa6A80+b/tpvOGbXbJyrPK3ANY:p1bpclK3/bvxbXw7MAN
TLSH:	046384027245C63BE76A1D330ECBEBFA27B67C85DE6452C77144BB2E7EB66108522740
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "1_13904442253.xla.xlsx"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:	a.asghari
Last Saved By:	ali
Create Time:	2004-09-14 12:30:26
Last Saved Time:	2008-09-09 17:31:55
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:	Nargan Engineers and Constructors
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	727464

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 18705

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	18705
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . . . C " B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . 6 . . . . . . < . . . . . < . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . +
Data Raw:	01 16 01 00 03 f0 00 00 00 dc 1a 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 0a 1b 00 00 02 3d 00 00 04 00 00 00 01 00 00 00 2e 43 22 42 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module1"

Private Function Ceil(Number As Single) As Long
    Ceil = -Sgn(Number) * Int(-Abs(Number))
End Function

'
' Determine Julian day from Persian date
'
Function persian_jdn(iYear, iMonth, iDay)
    Const PERSIAN_EPOCH = 1948321 ' The JDN of 1 Farvardin 1
    Dim epbase As Long
    Dim epyear As Long
    Dim mdays As Long
    If iYear >= 0 Then
        epbase = iYear - 474
    Else
        epbase = iYear - 473
    End If
    epyear = 474 + (epbase Mod 2820)
    If iMonth <= 7 Then
        mdays = (CLng(iMonth) - 1) * 31
    Else
        mdays = (CLng(iMonth) - 1) * 30 + 6
    End If
    persian_jdn = CLng(iDay)             + mdays             + Fix(((epyear * 682) - 110) / 2816)             + (epyear - 1) * 365             + Fix(epbase / 2820) * 1029983             + (PERSIAN_EPOCH - 1)
End Function
'
Sub jdn_persian(jdn, iYear, iMonth, iDay)
    Dim depoch
    Dim cycle
    Dim cyear
    Dim ycycle
    Dim aux1, aux2
    Dim yday
    depoch = jdn - persian_jdn(475, 1, 1)
    cycle = Fix(depoch / 1029983)
    cyear = depoch Mod 1029983
    If cyear = 1029982 Then
        ycycle = 2820
    Else
        aux1 = Fix(cyear / 366)
        aux2 = cyear Mod 366
        ycycle = Int(((2134 * aux1) + (2816 * aux2) + 2815) / 1028522) + aux1 + 1
    End If
    iYear = ycycle + (2820 * cycle) + 474
    If iYear <= 0 Then
        iYear = iYear - 1
    End If
    yday = (jdn - persian_jdn(iYear, 1, 1)) + 1
    If yday <= 186 Then
        iMonth = Ceil(yday / 31)
    Else
        iMonth = Ceil((yday - 6) / 30)
    End If
    iDay = (jdn - persian_jdn(iYear, iMonth, 1)) + 1
End Sub
Function civil_jdn(ByVal iYear, ByVal iMonth, ByVal iDay)
    Dim lYear
    Dim lMonth
    Dim lDay
    Dim calendatType
    calendarType = Gregorian
    If calendarType = Gregorian And ((iYear > 1582)         Or ((iYear = 1582) And (iMonth > 10))         Or ((iYear = 1582) And (iMonth = 10) And (iDay > 14))) Then

        lYear = CLng(iYear)
        lMonth = CLng(iMonth)
        lDay = CLng(iDay)
        civil_jdn = ((1461 * (lYear + 4800 + ((lMonth - 14) \ 12))) \ 4)                 + ((367 * (lMonth - 2 - 12 * (((lMonth - 14) \ 12)))) \ 12)                 - ((3 * (((lYear + 4900 + ((lMonth - 14) \ 12)) \ 100))) \ 4)                 + lDay - 32075
    Else
        civil_jdn = julian_jdn(iYear, iMonth, iDay)
    End If

End Function
Sub jdn_julian(jdn, iYear, iMonth, iDay)
    Dim L As Long
    Dim K As Long
    Dim n As Long
    Dim I As Long
    Dim j As Long

    j = jdn + 1402
    K = ((j - 1) \ 1461)
    L = j - 1461 * K
    n = ((L - 1) \ 365) - (L \ 1461)
    I = L - 365 * n + 30
    j = ((80 * I) \ 2447)
    iDay = I - ((2447 * j) \ 80)
    I = (j \ 11)
    iMonth = j + 2 - 12 * I
    iYear = 4 * K + n + I - 4716

End Sub
Function julian_jdn(iYear, iMonth, iDay) As Long
   
    julian_jdn = 367 * lYear -             ((7 * (lYear + 5001 + ((lMonth - 9) \ 7))) \ 4)             + ((275 * lMonth) \ 9) + lDay + 1729777

End Function
Sub jdn_civil(jdn, iYear, iMonth, iDay)

    Dim L
    Dim K
    Dim n
    Dim I
    Dim j

    If (jdn > 2299160) Then
        L = jdn + 68569
        n = ((4 * L) \ 146097)
        L = L - ((146097 * n + 3) \ 4)
        I = ((4000 * (L + 1)) \ 1461001)
        L = L - ((1461 * I) \ 4) + 31
        j = ((80 * L) \ 2447)
        iDay = L - ((2447 * j) \ 80)
        L = (j \ 11)
        iMonth = j + 2 - 12 * L
        iYear = 100 * (n - 49) + I + L
    Else
        Call jdn_julian(jdn, iYear, iMonth, iDay)
    End If

End Sub


'Function m2s(myDate)
'    iDay = Day(myDate)
'    iMonth = Month(myDate)
'    iYear = Year(myDate)
'    jdn = civil_jdn(iYear, iMonth, iDay)
'    Call jdn_persian(jdn, iYear, iMonth, iDay)
'    m2s = iYear & "/" & iMonth & "/" & iDay
'End Function

Function s2m(myDate)
   Dim iYear, iMonth, iDay
    For I = 1 To Len(myDate)
        st = Mid(myDate, I, 1)
        
        If (st = "/" Or st = "-" Or st = "." Or st = "\") And x <> 1 Then
                x = 1
                If I = 3 Then S = "13" & S
        Else
                If (st = "/" Or st = "-" Or st = "." Or st = "\") And x = 1 Then
                    x = 2
                    If I = 5 Or I = 7 Then S = Left(S, Len(S) - 1) & "0" & Right(S, 1)
                Else
                    S = S & st
                End If
       End If
     Next
        If Len(S) = 7 Then S = Left(S, 6) & "0" & Right(S, 1)
    myDate = S
    iYear = Mid(myDate, 1, 4)
    iMonth = Mid(myDate, 5, 2)
    iDay = Mid(myDate, 7, 2)
    If (iDay > 30 And iMonth > 6) Or iDay > 31 Or iMonth > 12 Then s2m = "Error": Exit Function
    
    If (iDay = 30 And iMonth = 12) Then
    iYear1 = iYear + 1
    iMonth1 = 1
    iDay1 = 1
    jdn1 = persian_jdn(iYear1, iMonth1, iDay1)
    jdn = persian_jdn(iYear, iMonth, iDay)
    If jdn1 = jdn Then s2m = "Error": Exit Function
    End If
    
    jdn = persian_jdn(iYear, iMonth, iDay)
    Call jdn_civil(jdn, iYear, iMonth, iDay)
    s2m = iYear & "/" & iMonth & "/" & iDay
End Function

Function m2s(myDate, Optional Format = 0)
    iDay = Day(myDate)
    iMonth = Month(myDate)
    iYear = Year(myDate)
    iWeekday = Weekday(myDate)
            
    jdn = civil_jdn(iYear, iMonth, iDay)
    Call jdn_persian(jdn, iYear, iMonth, iDay)
    
    Select Case iWeekday
    Case 1
        Rooz = ChrW(1740) & ChrW(1705) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)
    Case 2
        Rooz = ChrW(1583) & ChrW(1608) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)
    Case 3
        Rooz = ChrW(1587) & ChrW(1607) & ChrW(8204) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)
    Case 4
        Rooz = ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)
    Case 5
        Rooz = ChrW(1662) & ChrW(1606) & ChrW(1580) & ChrW(8204) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)
    Case 6
        Rooz = ChrW(1580) & ChrW(1605) & ChrW(1593) & ChrW(1607)
    Case 7
        Rooz = ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)
    End Select
    
   
   Select Case iMonth
    
    Case 1
        mah = ChrW(1601) & ChrW(1585) & ChrW(1608) & ChrW(1585) & ChrW(1583) & ChrW(1740) & ChrW(1606)
    Case 2
        mah = ChrW(1575) & ChrW(1585) & ChrW(1583) & ChrW(1740) & ChrW(1576) & ChrW(1607) & ChrW(1588) & ChrW(1578)
    Case 3
        mah = ChrW(1582) & ChrW(1585) & ChrW(1583) & ChrW(1575) & ChrW(1583)
    Case 4
        mah = ChrW(1578) & ChrW(1740) & ChrW(1585)
    Case 5
        mah = ChrW(1605) & ChrW(1585) & ChrW(1583) & ChrW(1575) & ChrW(1583)
    Case 6
        mah = ChrW(1588) & ChrW(1607) & ChrW(1585) & ChrW(1740) & ChrW(1608) & ChrW(1585)
    Case 7
        mah = ChrW(1605) & ChrW(1607) & ChrW(1585)
    Case 8
        mah = ChrW(1570) & ChrW(1576) & ChrW(1575) & ChrW(1606)
    Case 9
        mah = ChrW(1570) & ChrW(1584) & ChrW(1585)
    Case 10
        mah = ChrW(1583) & ChrW(1740)
    Case 11
        mah = ChrW(1576) & ChrW(1607) & ChrW(1605) & ChrW(1606)
    Case 12
        mah = ChrW(1575) & ChrW(1587) & ChrW(1601) & ChrW(1606) & ChrW(1583)
       
    End Select

    Select Case Format
    
    Case 1
            m2s = Rooz & "," & iYear & "/" & iMonth & "/" & iDay
    Case 2
        m2s = Rooz & " " & horofi(iDay) & " " & mah & " " & ChrW(1605) & ChrW(1575) & ChrW(1607) & " " & horofi(iYear)
    Case 3
        m2s = iYear
    Case 4
        m2s = iMonth
    Case 5
        m2s = iDay
    Case 0
        m2s = iYear & "/" & iMonth & "/" & iDay
    Case Else
        m2s = "Only one of this number as format(0,1,2,3,4,5) for help visit http://sakhteman.wordpress.com"
    End Select
    
End Function

VBA File Name: Module2.bas, Stream Size: 12557

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module2
VBA File Name:	Module2.bas
Stream Size:	12557
Data ASCII:	. . . . . . . . $ . . . . . . . . . . . . * . . . . . . . . . . . C z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . P . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . .
Data Raw:	01 16 01 00 06 f0 00 00 00 24 0e 00 00 d4 00 00 00 d8 01 00 00 ff ff ff ff c0 0e 00 00 d8 2a 00 00 00 00 00 00 01 00 00 00 2e 43 7a a6 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module2"
Function horofi(ByVal Number As Double) As String
Number = Int(Number)
If Number = 0 Then Adad = ChrW(1589) & ChrW(1601) & ChrW(1585): Exit Function

Dim Flag As Boolean
Dim S As String
Dim I, L As Byte
Dim K(1 To 5) As Double

S = Trim(Str(Number))
L = Len(S)
If L > 15 Then
Adad = ChrW(1576) & ChrW(1587) & ChrW(1610) & ChrW(1575) & ChrW(1585) & ChrW(1576) & ChrW(1586) & ChrW(1585) & ChrW(1711) & " "
Exit Function
End If
For I = 1 To 15 - L
S = "0" & S
Next I
For I = 1 To Int((L / 3) + 0.99)
K(5 - I + 1) = Val(Mid(S, 3 * (5 - I) + 1, 3))
Next I
Flag = False
S = " "
For I = 1 To 5
If K(I) <> 0 Then
Select Case I
Case 1
S = S & Three(K(I)) & " " & ChrW(1578) & ChrW(1585) & ChrW(1610) & ChrW(1604) & ChrW(1610) & ChrW(1608) & ChrW(1606) & " "
Flag = True
Case 2
S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " " & ChrW(1605) & ChrW(1610) & ChrW(1604) & ChrW(1610) & ChrW(1575) & ChrW(1585) & ChrW(1583) & " "
Flag = True
Case 3
S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " " & ChrW(1605) & ChrW(1610) & ChrW(1604) & ChrW(1610) & ChrW(1608) & ChrW(1606) & " "
Flag = True
Case 4
S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " " & ChrW(1607) & ChrW(1586) & ChrW(1575) & ChrW(1585) & " "
Flag = True
Case 5
S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " "
End Select
End If
Next I
horofi = Trim(S)
End Function


Function Three(ByVal Number As Integer) As String
Dim S As String
Dim I, L As Long
Dim h(1 To 3) As Byte
Dim Flag As Boolean
L = Len(Trim(Str(Number)))
If Number = 0 Then
Three = " "
Exit Function
End If
If Number = 100 Then
Three = ChrW(1610) & ChrW(1603) & ChrW(1589) & ChrW(1583) & " "
Exit Function
End If

If L = 2 Then h(1) = 0
If L = 1 Then
h(1) = 0
h(2) = 0
End If

For I = 1 To L
h(3 - I + 1) = Mid(Trim(Str(Number)), L - I + 1, 1)
Next I

Select Case h(1)
Case 1
S = " " & ChrW(1610) & ChrW(1603) & ChrW(1589) & ChrW(1583) & " "
Case 2
S = " " & ChrW(1583) & ChrW(1608) & ChrW(1610) & ChrW(1587) & ChrW(1578) & " "
Case 3
S = " " & ChrW(1587) & ChrW(1610) & ChrW(1589) & ChrW(1583) & " "
Case 4
S = " " & ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585) & ChrW(1589) & ChrW(1583) & " "
Case 5
S = " " & ChrW(1662) & ChrW(1575) & ChrW(1606) & ChrW(1589) & ChrW(1583) & " "
Case 6
S = " " & ChrW(1588) & ChrW(1588) & ChrW(1589) & ChrW(1583) & " "
Case 7
S = " " & ChrW(1607) & ChrW(1601) & ChrW(1578) & ChrW(1589) & ChrW(1583) & " "
Case 8
S = " " & ChrW(1607) & ChrW(1588) & ChrW(1578) & ChrW(1589) & ChrW(1583) & " "
Case 9
S = " " & ChrW(1606) & ChrW(1607) & ChrW(1589) & ChrW(1583) & " "
End Select

Select Case h(2)
Case 1
Select Case h(3)
Case 0
S = S & ChrW(1608) & " " & ChrW(1583) & ChrW(1607) & "  "
Case 1
S = S & ChrW(1608) & " " & ChrW(1610) & ChrW(1575) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "
Case 2
S = S & ChrW(1608) & " " & ChrW(1583) & ChrW(1608) & ChrW(1575) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "
Case 3
S = S & ChrW(1608) & " " & ChrW(1587) & ChrW(1610) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "
Case 4
S = S & ChrW(1608) & " " & ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585) & ChrW(1583) & ChrW(1607) & " "
Case 5
S = S & ChrW(1608) & " " & ChrW(1662) & ChrW(1575) & ChrW(1606) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "
Case 6
S = S & ChrW(1608) & " " & ChrW(1588) & ChrW(1575) & ChrW(1606) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "
Case 7
S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1601) & ChrW(1583) & ChrW(1607) & " "
Case 8
S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1580) & ChrW(1583) & ChrW(1607) & " "
Case 9
S = S & ChrW(1608) & " " & ChrW(1606) & ChrW(1608) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "
End Select

Case 2
S = S & ChrW(1608) & " " & ChrW(1576) & ChrW(1610) & ChrW(1587) & ChrW(1578) & " "
Case 3
S = S & ChrW(1608) & " " & ChrW(1587) & ChrW(1610) & " "
Case 4
S = S & ChrW(1608) & " " & ChrW(1670) & ChrW(1607) & ChrW(1604) & " "
Case 5
S = S & ChrW(1608) & " " & ChrW(1662) & ChrW(1606) & ChrW(1580) & ChrW(1575) & ChrW(1607) & " "
Case 6
S = S & ChrW(1608) & " " & ChrW(1588) & ChrW(1589) & ChrW(1578) & " "
Case 7
S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1601) & ChrW(1578) & ChrW(1575) & ChrW(1583) & " "
Case 8
S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1588) & ChrW(1578) & ChrW(1575) & ChrW(1583) & " "
Case 9
S = S & ChrW(1608) & " " & ChrW(1606) & ChrW(1608) & ChrW(1583) & " "
End Select

If h(2) <> 1 Then
Select Case h(3)
Case 1
S = S & ChrW(1608) & " " & ChrW(1610) & ChrW(1603)
Case 2
S = S & ChrW(1608) & " " & ChrW(1583) & ChrW(1608)
Case 3
S = S & ChrW(1608) & " " & ChrW(1587) & ChrW(1607)
Case 4
S = S & ChrW(1608) & " " & ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585)
Case 5
S = S & ChrW(1608) & " " & ChrW(1662) & ChrW(1606) & ChrW(1580)
Case 6
S = S & ChrW(1608) & " " & ChrW(1588) & ChrW(1588)
Case 7
S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1601) & ChrW(1578)
Case 8
S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1588) & ChrW(1578)
Case 9
S = S & ChrW(1608) & " " & ChrW(1606) & ChrW(1607)
End Select
End If
S = IIf(L < 3, Right(S, Len(S) - 1), S)
Three = S
End Function

VBA File Name: Module3.bas, Stream Size: 1717

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module3
VBA File Name:	Module3.bas
Stream Size:	1717
Data ASCII:	. . . . . . . . . . . . . . . . . " . . . N . . . . . . . . . . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . 6 . . . . . . < . . . . . . . < . . . . . . . < . . . . . . . . . . . . . . ` . . . . . . . . .
Data Raw:	01 16 01 00 03 f0 00 00 00 f4 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 22 03 00 00 4e 05 00 00 00 00 00 00 01 00 00 00 2e 43 07 0c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module3"
     Sub Delete_Every_Named_Range_With_A_Reference_Error()
         Dim nm As Object
         Dim mystr As String

         ' Loops through each name in the active workbook.
         For Each nm In ActiveWorkbook.Names

            ' Check for #REF! in the defined name reference.
            If InStr(1, nm.RefersTo, "#REF!") Then

               ' Delete the defined name if it is a match.
               nm.Delete

            End If
         Next
      End Sub

VBA File Name: Sheet1.cls, Stream Size: 1150

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	1150
Data ASCII:	. . . . . . . . . < . . . . . . . . . . j . . . x . . . . . . . . . . . . . . . C . . . # . . . . . . . . . . . . . . . . . < . . . j # I . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . f . G . r v . . . . . . . . . . . . . . . . . . . . . . . x . . . . f . G . r v . j # I . . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 .
Data Raw:	01 16 01 00 02 00 01 00 00 3c 03 00 00 e4 00 00 00 10 02 00 00 6a 03 00 00 78 03 00 00 cc 03 00 00 00 00 00 00 01 00 00 00 2e 43 d9 90 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 97 81 20 85 e0 6a 23 49 99 f0 8b ee a9 b3 05 b1 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 1150

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	1150
Data ASCII:	. . . . . . . . . < . . . . . . . . . . j . . . x . . . . . . . . . . . . . . . C . . # . . . . . . . . . . . . . . . . . < . . . ` Q . d 6 - L . I 2 6 . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . m o . . M M D . . . . . . . . . . . . . . . . . . . . . . . . x . . . . m o . . M M D . . ` Q . d 6 - L . I 2 6 . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 . 0
Data Raw:	01 16 01 00 02 00 01 00 00 3c 03 00 00 e4 00 00 00 10 02 00 00 6a 03 00 00 78 03 00 00 cc 03 00 00 00 00 00 00 01 00 00 00 2e 43 c9 f3 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 60 51 90 0b 64 36 2d 4c ae 81 97 02 49 32 36 fa 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 1150

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	1150
Data ASCII:	. . . . . . . . . < . . . . . . . . . . j . . . x . . . . . . . . . . . . . . . C > d . . # . . . . . . . . . . . . . . . . . < . . . n . * } . A 2 ! . . n : . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . j @ R . A I [ N F p . . . . . . . . . . . . . . . . . . . . . . x . . . . j @ R . A I [ N F p n . * } . A 2 ! . . n : . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0
Data Raw:	01 16 01 00 02 00 01 00 00 3c 03 00 00 e4 00 00 00 10 02 00 00 6a 03 00 00 78 03 00 00 cc 03 00 00 00 00 00 00 01 00 00 00 2e 43 3e 64 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 e4 6e 05 2a 7d c8 0d 41 85 32 21 09 7f 6e a9 3a 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 1158

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	1158
Data ASCII:	. . . . . . . . . < . . . . . . . . . . j . . . x . . . . . . . . . . . . . . . C b s . . # . . . . . . . . . . . . . . . . . < . . . . . [ F M . [ . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . d . L . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . d . L . . . . [ F M . [ . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0 . 0 . 0 . 0 . - . 0 . 0
Data Raw:	01 16 01 00 02 00 01 00 00 3c 03 00 00 e4 00 00 00 10 02 00 00 6a 03 00 00 78 03 00 00 cc 03 00 00 00 00 00 00 01 00 00 00 2e 43 62 73 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 d2 aa 1c ef fd 5b a6 46 8f a2 4d 1c e1 5b 18 b3 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 109

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	109
Entropy:	4.120875394312492
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 296

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	296
Entropy:	3.438077761941826
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . N a r g a n E n g i n e e r s a n d C o n s t r u c t o r s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 84 00 00 00 0b 00 00 00 8c 00 00 00 10 00 00 00 94 00 00 00 13 00 00 00 9c 00 00 00 16 00 00 00 a4 00 00 00 0d 00 00 00 ac 00 00 00 0c 00 00 00 d5 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	208
Entropy:	3.5482052906304347
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . a s g h a r i . . . . . . . . . . . a l i . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . V . @ . . . w . . . . . . . . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0c 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 3194

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	3194
Entropy:	4.2500977308024215
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . O m i d M o t a m e d i k h o u y B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . x . . \\ : < . . . . . . . X . @ . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 a0 19 cd 07 c9 c0 00 00 06 03 00 00 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 0d 00 00 4f 6d 69 64 20 4d 6f 74 61 6d 65 64 69 6b 68 6f 75 79 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 660

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	660
Entropy:	5.286838873515312
Base64 Encoded:	True
Data ASCII:	I D = " { 2 F C 2 3 6 7 D - 4 5 3 1 - 4 7 3 F - 8 E 6 1 - B 7 1 9 C C 8 E 5 1 3 2 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . M o d u l e = M o d u l e 2 . . M o d u l e = M o d u l e 3 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n
Data Raw:	49 44 3d 22 7b 32 46 43 32 33 36 37 44 2d 34 35 33 31 2d 34 37 33 46 2d 38 45 36 31 2d 42 37 31 39 43 43 38 45 35 31 33 32 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 176

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	176
Entropy:	3.2626338963809376
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . M o d u l e 2 . M . o . d . u . l . e . 2 . . . M o d u l e 3 . M . o . d . u . l . e . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 4d 6f

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4759

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	4759
Entropy:	4.977148052780576
Base64 Encoded:	True
Data ASCII:	a y . . . . ) . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 79 00 00 01 00 ff 29 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2502

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	2502
Entropy:	3.9188199515662276
Base64 Encoded:	True
Data ASCII:	K * y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ * . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . 9 C J . <
Data Raw:	93 4b 2a 79 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 02 00 04 00 00 00 00 00 01 00 00 00 04 00 00 00 00 00 01 00 02 00 05 00 00 00 00 00 01 00 00 00 05 00 00 00 00 00 01 00 00 00 06 00 00 00 00 00 01 00 02 00 06 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 190

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	190
Entropy:	3.2332760140840655
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N u m b e r . . . . . . . . i Y e a r . . . . . . . . i M o n t h . . . . . . . . i D a y . . . . . . . . j d n . . . . . . . . m y D a t e . . . . . . . . F o r m a t ` . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 09 00 00 00 00 00 02 00 09 00 00 00 00 00 04 00 09 00 00 00 00 00 07 00 02 00 00 08 06 00 00 00 4e 75 6d 62 65 72 02 00 00 08 05 00 00 00 69 59 65 61 72 02 00 00 08 06 00 00 00 69 4d 6f

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 628

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	628
Entropy:	2.548777600161881
Base64 Encoded:	True
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . ` . . . . . . a . . . . . . . . . . . . * 0 . . . . . . . . . . . ` . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . / / / 8 . . . . . . . . . . . ` . . . . . . . . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . / / / / 0 . . . . . . . . . . . ` . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . ! . . . . . . . . . . ` . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 28 00 81 00 00 00 00 00 03 00 00 00 00 60 04 00 fc ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 61 00 00 00 00 00 01 00 00 00 00 00 08 2a 30 00 a9 00 00 00 00 00 03 00 01 00 00 60 0c 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 164

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	164
Entropy:	2.445506534926882
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 02 00 08 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 04 00 00 12 00 00 04 00 00 12 01 00 04 00 00 12 02 00 04 00 00 12 03 00 04 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 158

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_4
CLSID:
File Type:	data
Stream Size:	158
Entropy:	2.220758987604236
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . ` . . . . . . a . . . . . . . . . . . . . ( . . . . . . . . . . . ` . . . . . . a . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 05 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 28 00 81 00 00 00 00 00 05 00 00 00 00 60 04 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 61 00 00 00 00 00 01 00 00 00 00 00 10 0b 28 00 a9 00 00 00 00 00 05 00 01 00 00 60 04 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 9044

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_5
CLSID:
File Type:	data
Stream Size:	9044
Entropy:	5.087497951561232
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . q . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o . . t . . . . o . . . . d . . I 5 . . . . h . . . . . . h A . . . . X . . . . . . X H 1 . . . . 8 . . . . . . 8 ( . 6 . . h X H 8 . . . . + . . . M . @ . h . . . . . . h . X . . . . . . X ` 1 . 6 . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 04 00 08 00 00 00 00 00 05 00 02 00 02 00 0b 00 00 00 89 0a 00 00 00 00 00 00 f9 0a 00 00 00 00 00 00 69 0b 00 00 00 00 00 00 71 0a 00 00 00 00 00 00 e1 08 00 00 00 00 00 00 21 09 00 00 00 00 00 00 09 0c 00 00 00 00 00 00 a9 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_6, File Type: data, Stream Size: 84

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_6
CLSID:
File Type:	data
Stream Size:	84
Entropy:	1.9350146163917232
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . k . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 07 00 08 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 ff ff ff ff 04 00 00 12 00 00 6b 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_7, File Type: data, Stream Size: 103

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_7
CLSID:
File Type:	data
Stream Size:	103
Entropy:	1.8914181386563995
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 06 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 06 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 637

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	637
Entropy:	6.520919933609091
Base64 Encoded:	True
Data ASCII:	. y . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . l 9 I J . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . f . % . \\ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W I N N . T \\ s y s t e m . 3 2 \\ . c 2 . t l . b # O L E A u . t o m a t i o n . . ^ . . D O f f i c . D O > f . i . c 5 D . . D 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B - B D E 5 D A A 5 B 4
Data Raw:	01 79 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 6c 39 49 4a 02 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 66 00 25 02 5c 00 03 2a 5c 47

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXEPID: 3344, Parent PID: 564

General

Target ID:	0
Start time:	01:40:47
Start date:	01/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f770000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Non-Executed Functions

Function
m2sAPIs: 51, Strings: 2, Number of lines: 66, Relevance: 79.566

APIs	Meta Information
Day
Month
Year
Weekday
Part of subcall function civil_jdn@Module1: Gregorian
Part of subcall function civil_jdn@Module1: Gregorian
Part of subcall function civil_jdn@Module1: CLng
Part of subcall function civil_jdn@Module1: CLng
Part of subcall function civil_jdn@Module1: CLng
Part of subcall function jdn_persian@Module1: Fix
Part of subcall function jdn_persian@Module1: Fix
Part of subcall function jdn_persian@Module1: Int
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
Part of subcall function horofi@Module2: Int
Part of subcall function horofi@Module2: ChrW
Part of subcall function horofi@Module2: Trim
Part of subcall function horofi@Module2: Str
Part of subcall function horofi@Module2: Len
Part of subcall function horofi@Module2: ChrW
Part of subcall function horofi@Module2: Int
Part of subcall function horofi@Module2: Val
Part of subcall function horofi@Module2: Mid
Part of subcall function horofi@Module2: ChrW
Part of subcall function horofi@Module2: IIf
Part of subcall function horofi@Module2: ChrW
Part of subcall function horofi@Module2: IIf
Part of subcall function horofi@Module2: ChrW
Part of subcall function horofi@Module2: IIf
Part of subcall function horofi@Module2: ChrW
Part of subcall function horofi@Module2: IIf
Part of subcall function horofi@Module2: ChrW
Part of subcall function horofi@Module2: Trim
ChrW

Strings	Decrypted Strings
"Only one of this number as format(0,1,2,3,4,5) for help visit http://sakhteman.wordpress.com"
"Only one of this number as format(0,1,2,3,4,5) for help visit http://sakhteman.wordpress.com"

Line	Instruction	Meta Information
184	Function m2s(myDate, optional Format = 0)
185	iDay = Day(myDate)	Day
186	iMonth = Month(myDate)	Month
187	iYear = Year(myDate)	Year
188	iWeekday = Weekday(myDate)	Weekday
190	jdn = civil_jdn(iYear, iMonth, iDay)
191	Call jdn_persian(jdn, iYear, iMonth, iDay)
193	Select Case iWeekday
194	Case 1
195	Rooz = ChrW(1740) & ChrW(1705) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)	ChrW
196	Case 2
197	Rooz = ChrW(1583) & ChrW(1608) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)	ChrW
198	Case 3
199	Rooz = ChrW(1587) & ChrW(1607) & ChrW(8204) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)	ChrW
200	Case 4
201	Rooz = ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)	ChrW
202	Case 5
203	Rooz = ChrW(1662) & ChrW(1606) & ChrW(1580) & ChrW(8204) & ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)	ChrW
204	Case 6
205	Rooz = ChrW(1580) & ChrW(1605) & ChrW(1593) & ChrW(1607)	ChrW
206	Case 7
207	Rooz = ChrW(1588) & ChrW(1606) & ChrW(1576) & ChrW(1607)	ChrW
208	End Select
211	Select Case iMonth
213	Case 1
214	mah = ChrW(1601) & ChrW(1585) & ChrW(1608) & ChrW(1585) & ChrW(1583) & ChrW(1740) & ChrW(1606)	ChrW
215	Case 2
216	mah = ChrW(1575) & ChrW(1585) & ChrW(1583) & ChrW(1740) & ChrW(1576) & ChrW(1607) & ChrW(1588) & ChrW(1578)	ChrW
217	Case 3
218	mah = ChrW(1582) & ChrW(1585) & ChrW(1583) & ChrW(1575) & ChrW(1583)	ChrW
219	Case 4
220	mah = ChrW(1578) & ChrW(1740) & ChrW(1585)	ChrW
221	Case 5
222	mah = ChrW(1605) & ChrW(1585) & ChrW(1583) & ChrW(1575) & ChrW(1583)	ChrW
223	Case 6
224	mah = ChrW(1588) & ChrW(1607) & ChrW(1585) & ChrW(1740) & ChrW(1608) & ChrW(1585)	ChrW
225	Case 7
226	mah = ChrW(1605) & ChrW(1607) & ChrW(1585)	ChrW
227	Case 8
228	mah = ChrW(1570) & ChrW(1576) & ChrW(1575) & ChrW(1606)	ChrW
229	Case 9
230	mah = ChrW(1570) & ChrW(1584) & ChrW(1585)	ChrW
231	Case 10
232	mah = ChrW(1583) & ChrW(1740)	ChrW
233	Case 11
234	mah = ChrW(1576) & ChrW(1607) & ChrW(1605) & ChrW(1606)	ChrW
235	Case 12
236	mah = ChrW(1575) & ChrW(1587) & ChrW(1601) & ChrW(1606) & ChrW(1583)	ChrW
238	End Select
240	Select Case Format
242	Case 1
243	m2s = Rooz & "," & iYear & "/" & iMonth & "/" & iDay
244	Case 2
245	m2s = Rooz & " " & horofi(iDay) & " " & mah & " " & ChrW(1605) & ChrW(1575) & ChrW(1607) & " " & horofi(iYear)	ChrW
246	Case 3
247	m2s = iYear
248	Case 4
249	m2s = iMonth
250	Case 5
251	m2s = iDay
252	Case 0
253	m2s = iYear & "/" & iMonth & "/" & iDay
254	Case Else
255	m2s = "Only one of this number as format(0,1,2,3,4,5) for help visit http://sakhteman.wordpress.com"
256	End Select
258	End Function

Function
s2mAPIs: 26, Strings: 21, Number of lines: 46, Relevance: 70.546

APIs	Meta Information
Len
Mid
Left
Len
Right
Len
Left
Right
Mid
Mid
Mid
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: Fix
Part of subcall function persian_jdn@Module1: PERSIAN_EPOCH
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: Fix
Part of subcall function persian_jdn@Module1: PERSIAN_EPOCH
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: Fix
Part of subcall function persian_jdn@Module1: PERSIAN_EPOCH

Strings	Decrypted Strings
"-"
"."
"/"
"13"
"\"
"-"
"."
"/"
"13"
"\"
"13"
"13"
"-"
"."
"/"
"\"
"Error"
"Error"
"Error"
"Error"
"Error"

Line	Instruction	Meta Information
146	Function s2m(myDate)
147	Dim iYear, iMonth, iDay
148	For I = 1 To Len(myDate)	Len
149	st = Mid(myDate, I, 1)	Mid
151	If (st = "/" Or st = "-" Or st = "." Or st = "\") And x <> 1 Then
152	x = 1
153	If I = 3 Then
153	S = "13" & S
153	Endif
154	Else
155	If (st = "/" Or st = "-" Or st = "." Or st = "\") And x = 1 Then
156	x = 2
157	If I = 5 Or I = 7 Then
157	S = Left(S, Len(S) - 1) & "0" & Right(S, 1)	Left Len Right
157	Endif
158	Else
159	S = S & st
160	Endif
161	Endif
162	Next	Len
163	If Len(S) = 7 Then	Len
163	S = Left(S, 6) & "0" & Right(S, 1)	Left Right
163	Endif
164	myDate = S
165	iYear = Mid(myDate, 1, 4)	Mid
166	iMonth = Mid(myDate, 5, 2)	Mid
167	iDay = Mid(myDate, 7, 2)	Mid
168	If (iDay > 30 And iMonth > 6) Or iDay > 31 Or iMonth > 12 Then
168	s2m = "Error"
168	Exit Function
168	Endif
170	If (iDay = 30 And iMonth = 12) Then
171	iYear1 = iYear + 1
172	iMonth1 = 1
173	iDay1 = 1
174	jdn1 = persian_jdn(iYear1, iMonth1, iDay1)
175	jdn = persian_jdn(iYear, iMonth, iDay)
176	If jdn1 = jdn Then
176	s2m = "Error"
176	Exit Function
176	Endif
177	Endif
179	jdn = persian_jdn(iYear, iMonth, iDay)
180	Call jdn_civil(jdn, iYear, iMonth, iDay)
181	s2m = iYear & "/" & iMonth & "/" & iDay
182	End Function

Subroutine
jdn_persianAPIs: 24, Strings: 0, Number of lines: 29, Relevance: 30.029

APIs	Meta Information
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: Fix
Part of subcall function persian_jdn@Module1: PERSIAN_EPOCH
Fix
Fix
Int
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: Fix
Part of subcall function persian_jdn@Module1: PERSIAN_EPOCH
Part of subcall function Ceil@Module1: Sgn
Part of subcall function Ceil@Module1: Int
Part of subcall function Ceil@Module1: Abs
Part of subcall function Ceil@Module1: Sgn
Part of subcall function Ceil@Module1: Int
Part of subcall function Ceil@Module1: Abs
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: CLng
Part of subcall function persian_jdn@Module1: Fix
Part of subcall function persian_jdn@Module1: PERSIAN_EPOCH

Line	Instruction	Meta Information
34	Sub jdn_persian(jdn, iYear, iMonth, iDay)
35	Dim depoch
36	Dim cycle
37	Dim cyear
38	Dim ycycle
39	Dim aux1, aux2
40	Dim yday
41	depoch = jdn - persian_jdn(475, 1, 1)
42	cycle = Fix(depoch / 1029983)	Fix
43	cyear = depoch Mod 1029983
44	If cyear = 1029982 Then
45	ycycle = 2820
46	Else
47	aux1 = Fix(cyear / 366)	Fix
48	aux2 = cyear Mod 366
49	ycycle = Int(((2134 * aux1) + (2816 * aux2) + 2815) / 1028522) + aux1 + 1	Int
50	Endif
51	iYear = ycycle + (2820 * cycle) + 474
52	If iYear <= 0 Then
53	iYear = iYear - 1
54	Endif
55	yday = (jdn - persian_jdn(iYear, 1, 1)) + 1
56	If yday <= 186 Then
57	iMonth = Ceil(yday / 31)
58	Else
59	iMonth = Ceil((yday - 6) / 30)
60	Endif
61	iDay = (jdn - persian_jdn(iYear, iMonth, 1)) + 1
62	End Sub

Function
civil_jdnAPIs: 8, Strings: 0, Number of lines: 15, Relevance: 10.015

APIs	Meta Information
Gregorian
Gregorian
CLng
CLng
CLng
Part of subcall function julian_jdn@Module1: lYear
Part of subcall function julian_jdn@Module1: lMonth
Part of subcall function julian_jdn@Module1: lDay

Line	Instruction	Meta Information
63	Function civil_jdn(ByVal iYear, ByVal iMonth, ByVal iDay)
64	Dim lYear
65	Dim lMonth
66	Dim lDay
67	Dim calendatType
68	calendarType = Gregorian	Gregorian
69	If calendarType = Gregorian And ((iYear > 1582) Or ((iYear = 1582) And (iMonth > 10)) Or ((iYear = 1582) And (iMonth = 10) And (iDay > 14))) Then	Gregorian
73	lYear = CLng(iYear)	CLng
74	lMonth = CLng(iMonth)	CLng
75	lDay = CLng(iDay)	CLng
76	civil_jdn = ((1461 * (lYear + 4800 + ((lMonth - 14) \ 12))) \ 4) + ((367 * (lMonth - 2 - 12 * (((lMonth - 14) \ 12)))) \ 12) - ((3 * (((lYear + 4900 + ((lMonth - 14) \ 12)) \ 100))) \ 4) + lDay - 32075
80	Else
81	civil_jdn = julian_jdn(iYear, iMonth, iDay)
82	Endif
84	End Function

Function
persian_jdnAPIs: 5, Strings: 0, Number of lines: 18, Relevance: 6.268

APIs	Meta Information
CLng
CLng
CLng
Fix
PERSIAN_EPOCH

Line	Instruction	Meta Information
10	Function persian_jdn(iYear, iMonth, iDay)
11	Const PERSIAN_EPOCH = 1948321
12	Dim epbase as Long
13	Dim epyear as Long
14	Dim mdays as Long
15	If iYear >= 0 Then
16	epbase = iYear - 474
17	Else
18	epbase = iYear - 473
19	Endif
20	epyear = 474 + (epbase Mod 2820)
21	If iMonth <= 7 Then
22	mdays = (CLng(iMonth) - 1) * 31	CLng
23	Else
24	mdays = (CLng(iMonth) - 1) * 30 + 6	CLng
25	Endif
26	persian_jdn = CLng(iDay) + mdays + Fix(((epyear * 682) - 110) / 2816) + (epyear - 1) * 365 + Fix(epbase / 2820) * 1029983 + (PERSIAN_EPOCH - 1)	CLng Fix PERSIAN_EPOCH
32	End Function

Function
CeilAPIs: 3, Strings: 0, Number of lines: 3, Relevance: 3.753

APIs	Meta Information
Sgn
Int
Abs

Line	Instruction	Meta Information
3	Private Function Ceil(Number as Single) as Long
4	Ceil = - Sgn(Number) * Int(- Abs(Number))	Sgn Int Abs
5	End Function

Function
julian_jdnAPIs: 3, Strings: 0, Number of lines: 3, Relevance: 3.753

APIs	Meta Information
lYear
lMonth
lDay

Line	Instruction	Meta Information
104	Function julian_jdn(iYear, iMonth, iDay) as Long
106	julian_jdn = 367 * lYear - ((7 * (lYear + 5001 + ((lMonth - 9) \ 7))) \ 4) + ((275 * lMonth) \ 9) + lDay + 1729777	lYear lMonth lDay
110	End Function

Subroutine
jdn_civilAPIs: 0, Strings: 0, Number of lines: 21, Relevance: 0.021

Line	Instruction	Meta Information
111	Sub jdn_civil(jdn, iYear, iMonth, iDay)
113	Dim L
114	Dim K
115	Dim n
116	Dim I
117	Dim j
119	If (jdn > 2299160) Then
120	L = jdn + 68569
121	n = ((4 * L) \ 146097)
122	L = L - ((146097 * n + 3) \ 4)
123	I = ((4000 * (L + 1)) \ 1461001)
124	L = L - ((1461 * I) \ 4) + 31
125	j = ((80 * L) \ 2447)
126	iDay = L - ((2447 * j) \ 80)
127	L = (j \ 11)
128	iMonth = j + 2 - 12 * L
129	iYear = 100 * (n - 49) + I + L
130	Else
131	Call jdn_julian(jdn, iYear, iMonth, iDay)
132	Endif
134	End Sub

Subroutine
jdn_julianAPIs: 0, Strings: 0, Number of lines: 17, Relevance: 0.017

Line	Instruction	Meta Information
85	Sub jdn_julian(jdn, iYear, iMonth, iDay)
86	Dim L as Long
87	Dim K as Long
88	Dim n as Long
89	Dim I as Long
90	Dim j as Long
92	j = jdn + 1402
93	K = ((j - 1) \ 1461)
94	L = j - 1461 * K
95	n = ((L - 1) \ 365) - (L \ 1461)
96	I = L - 365 * n + 30
97	j = ((80 * I) \ 2447)
98	iDay = I - ((2447 * j) \ 80)
99	I = (j \ 11)
100	iMonth = j + 2 - 12 * I
101	iYear = 4 * K + n + I - 4716
103	End Sub

Module: Module2

Declaration

Line	Content
1	Attribute VB_Name = "Module2"

Non-Executed Functions

Function
horofiAPIs: 249, Strings: 3, Number of lines: 46, Relevance: 378.046

APIs	Meta Information
Int
ChrW
Trim
Str
Len
ChrW
Int
Val
Mid
Part of subcall function Three@Module2: Len
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: Mid
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: IIf
Part of subcall function Three@Module2: Right
Part of subcall function Three@Module2: Len
ChrW
IIf
ChrW
Part of subcall function Three@Module2: Len
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: Mid
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: IIf
Part of subcall function Three@Module2: Right
Part of subcall function Three@Module2: Len
IIf
ChrW
Part of subcall function Three@Module2: Len
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: Mid
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: IIf
Part of subcall function Three@Module2: Right
Part of subcall function Three@Module2: Len
IIf
ChrW
Part of subcall function Three@Module2: Len
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: Mid
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: IIf
Part of subcall function Three@Module2: Right
Part of subcall function Three@Module2: Len
IIf
ChrW
Part of subcall function Three@Module2: Len
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: Mid
Part of subcall function Three@Module2: Trim
Part of subcall function Three@Module2: Str
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: ChrW
Part of subcall function Three@Module2: IIf
Part of subcall function Three@Module2: Right
Part of subcall function Three@Module2: Len
Trim

Strings	Decrypted Strings
"0"
"0"
" "

Line	Instruction	Meta Information
2	Function horofi(ByVal Number as Double) as String
3	Number = Int(Number)	Int
4	If Number = 0 Then
4	Adad = ChrW(1589) & ChrW(1601) & ChrW(1585)	ChrW
4	Exit Function
4	Endif
6	Dim Flag as Boolean
7	Dim S as String
8	Dim I, L as Byte
9	Dim K(1 To 5) as Double
11	S = Trim(Str(Number))	Trim Str
12	L = Len(S)	Len
13	If L > 15 Then
14	Adad = ChrW(1576) & ChrW(1587) & ChrW(1610) & ChrW(1575) & ChrW(1585) & ChrW(1576) & ChrW(1586) & ChrW(1585) & ChrW(1711) & " "	ChrW
15	Exit Function
16	Endif
17	For I = 1 To 15 - L
18	S = "0" & S
19	Next I
20	For I = 1 To Int((L / 3) + 0.99)	Int
21	K(5 - I + 1) = Val(Mid(S, 3 * (5 - I) + 1, 3))	Val Mid
22	Next I	Int
23	Flag = False
24	S = " "
25	For I = 1 To 5
26	If K(I) <> 0 Then
27	Select Case I
28	Case 1
29	S = S & Three(K(I)) & " " & ChrW(1578) & ChrW(1585) & ChrW(1610) & ChrW(1604) & ChrW(1610) & ChrW(1608) & ChrW(1606) & " "	ChrW
30	Flag = True
31	Case 2
32	S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " " & ChrW(1605) & ChrW(1610) & ChrW(1604) & ChrW(1610) & ChrW(1575) & ChrW(1585) & ChrW(1583) & " "	IIf ChrW
33	Flag = True
34	Case 3
35	S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " " & ChrW(1605) & ChrW(1610) & ChrW(1604) & ChrW(1610) & ChrW(1608) & ChrW(1606) & " "	IIf ChrW
36	Flag = True
37	Case 4
38	S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " " & ChrW(1607) & ChrW(1586) & ChrW(1575) & ChrW(1585) & " "	IIf ChrW
39	Flag = True
40	Case 5
41	S = S & IIf(Flag = True, ChrW(1608), " ") & Three(K(I)) & " "	IIf ChrW
42	End Select
43	Endif
44	Next I
45	horofi = Trim(S)	Trim
46	End Function

Function
ThreeAPIs: 46, Strings: 21, Number of lines: 110, Relevance: 100.61

APIs	Meta Information
Len
Trim
Str
ChrW
Mid
Trim
Str
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
ChrW
IIf
Right
Len

Strings	Decrypted Strings
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "

Line	Instruction	Meta Information
49	Function Three(ByVal Number as Integer) as String
50	Dim S as String
51	Dim I, L as Long
52	Dim h(1 To 3) as Byte
53	Dim Flag as Boolean
54	L = Len(Trim(Str(Number)))	Len Trim Str
55	If Number = 0 Then
56	Three = " "
57	Exit Function
58	Endif
59	If Number = 100 Then
60	Three = ChrW(1610) & ChrW(1603) & ChrW(1589) & ChrW(1583) & " "	ChrW
61	Exit Function
62	Endif
64	If L = 2 Then
64	h(1) = 0
64	Endif
65	If L = 1 Then
66	h(1) = 0
67	h(2) = 0
68	Endif
70	For I = 1 To L
71	h(3 - I + 1) = Mid(Trim(Str(Number)), L - I + 1, 1)	Mid Trim Str
72	Next I
74	Select Case h(1)
75	Case 1
76	S = " " & ChrW(1610) & ChrW(1603) & ChrW(1589) & ChrW(1583) & " "	ChrW
77	Case 2
78	S = " " & ChrW(1583) & ChrW(1608) & ChrW(1610) & ChrW(1587) & ChrW(1578) & " "	ChrW
79	Case 3
80	S = " " & ChrW(1587) & ChrW(1610) & ChrW(1589) & ChrW(1583) & " "	ChrW
81	Case 4
82	S = " " & ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585) & ChrW(1589) & ChrW(1583) & " "	ChrW
83	Case 5
84	S = " " & ChrW(1662) & ChrW(1575) & ChrW(1606) & ChrW(1589) & ChrW(1583) & " "	ChrW
85	Case 6
86	S = " " & ChrW(1588) & ChrW(1588) & ChrW(1589) & ChrW(1583) & " "	ChrW
87	Case 7
88	S = " " & ChrW(1607) & ChrW(1601) & ChrW(1578) & ChrW(1589) & ChrW(1583) & " "	ChrW
89	Case 8
90	S = " " & ChrW(1607) & ChrW(1588) & ChrW(1578) & ChrW(1589) & ChrW(1583) & " "	ChrW
91	Case 9
92	S = " " & ChrW(1606) & ChrW(1607) & ChrW(1589) & ChrW(1583) & " "	ChrW
93	End Select
95	Select Case h(2)
96	Case 1
97	Select Case h(3)
98	Case 0
99	S = S & ChrW(1608) & " " & ChrW(1583) & ChrW(1607) & " "	ChrW
100	Case 1
101	S = S & ChrW(1608) & " " & ChrW(1610) & ChrW(1575) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "	ChrW
102	Case 2
103	S = S & ChrW(1608) & " " & ChrW(1583) & ChrW(1608) & ChrW(1575) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "	ChrW
104	Case 3
105	S = S & ChrW(1608) & " " & ChrW(1587) & ChrW(1610) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "	ChrW
106	Case 4
107	S = S & ChrW(1608) & " " & ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585) & ChrW(1583) & ChrW(1607) & " "	ChrW
108	Case 5
109	S = S & ChrW(1608) & " " & ChrW(1662) & ChrW(1575) & ChrW(1606) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "	ChrW
110	Case 6
111	S = S & ChrW(1608) & " " & ChrW(1588) & ChrW(1575) & ChrW(1606) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "	ChrW
112	Case 7
113	S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1601) & ChrW(1583) & ChrW(1607) & " "	ChrW
114	Case 8
115	S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1580) & ChrW(1583) & ChrW(1607) & " "	ChrW
116	Case 9
117	S = S & ChrW(1608) & " " & ChrW(1606) & ChrW(1608) & ChrW(1586) & ChrW(1583) & ChrW(1607) & " "	ChrW
118	End Select
120	Case 2
121	S = S & ChrW(1608) & " " & ChrW(1576) & ChrW(1610) & ChrW(1587) & ChrW(1578) & " "	ChrW
122	Case 3
123	S = S & ChrW(1608) & " " & ChrW(1587) & ChrW(1610) & " "	ChrW
124	Case 4
125	S = S & ChrW(1608) & " " & ChrW(1670) & ChrW(1607) & ChrW(1604) & " "	ChrW
126	Case 5
127	S = S & ChrW(1608) & " " & ChrW(1662) & ChrW(1606) & ChrW(1580) & ChrW(1575) & ChrW(1607) & " "	ChrW
128	Case 6
129	S = S & ChrW(1608) & " " & ChrW(1588) & ChrW(1589) & ChrW(1578) & " "	ChrW
130	Case 7
131	S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1601) & ChrW(1578) & ChrW(1575) & ChrW(1583) & " "	ChrW
132	Case 8
133	S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1588) & ChrW(1578) & ChrW(1575) & ChrW(1583) & " "	ChrW
134	Case 9
135	S = S & ChrW(1608) & " " & ChrW(1606) & ChrW(1608) & ChrW(1583) & " "	ChrW
136	End Select
138	If h(2) <> 1 Then
139	Select Case h(3)
140	Case 1
141	S = S & ChrW(1608) & " " & ChrW(1610) & ChrW(1603)	ChrW
142	Case 2
143	S = S & ChrW(1608) & " " & ChrW(1583) & ChrW(1608)	ChrW
144	Case 3
145	S = S & ChrW(1608) & " " & ChrW(1587) & ChrW(1607)	ChrW
146	Case 4
147	S = S & ChrW(1608) & " " & ChrW(1670) & ChrW(1607) & ChrW(1575) & ChrW(1585)	ChrW
148	Case 5
149	S = S & ChrW(1608) & " " & ChrW(1662) & ChrW(1606) & ChrW(1580)	ChrW
150	Case 6
151	S = S & ChrW(1608) & " " & ChrW(1588) & ChrW(1588)	ChrW
152	Case 7
153	S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1601) & ChrW(1578)	ChrW
154	Case 8
155	S = S & ChrW(1608) & " " & ChrW(1607) & ChrW(1588) & ChrW(1578)	ChrW
156	Case 9
157	S = S & ChrW(1608) & " " & ChrW(1606) & ChrW(1607)	ChrW
158	End Select
159	Endif
160	S = IIf(L < 3, Right(S, Len(S) - 1), S)	IIf Right Len
161	Three = S
162	End Function

Module: Module3

Declaration

Line	Content
1	Attribute VB_Name = "Module3"

Non-Executed Functions

Subroutine
Delete_Every_Named_Range_With_A_Reference_ErrorAPIs: 5, Strings: 2, Number of lines: 9, Relevance: 10.509

APIs	Meta Information
Names
ActiveWorkbook
InStr
RefersTo
Delete

Strings	Decrypted Strings
"#REF!"
"#REF!"

Line	Instruction	Meta Information
2	Sub Delete_Every_Named_Range_With_A_Reference_Error()
3	Dim nm as Object
4	Dim mystr as String
7	For Each nm in ActiveWorkbook.Names	Names ActiveWorkbook
10	If InStr(1, nm.RefersTo, "#REF!") Then	InStr RefersTo
13	nm.Delete	Delete
15	Endif
16	Next	Names ActiveWorkbook
17	End Sub

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Strings	Decrypted Strings
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Strings	Decrypted Strings
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1_13904442253.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF4E6106C13B7F04D6.TMP

C:\Users\user\AppData\Local\Temp\~DFAB23D18ACD7A39C8.TMP

C:\Users\user\AppData\Local\Temp\~DFC6228DFBF7598270.TMP

C:\Users\user\Desktop\1_13904442253.xla.xls

C:\Users\user\Desktop\5EEB3888.tmp (copy)

C:\Users\user\Desktop\96730000

C:\Users\user\Desktop\96730000:Zone.Identifier

C:\Users\user\Desktop\~$1_13904442253.xla.xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "1_13904442253.xla.xlsx"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 18705

General

VBA Code

VBA File Name: Module2.bas, Stream Size: 12557

General

VBA Code

VBA File Name: Module3.bas, Stream Size: 1717

General

VBA Code

VBA File Name: Sheet1.cls, Stream Size: 1150

General

VBA Code

Windows Analysis Report
1_13904442253.xla.xlsx

Function
m2sAPIs: 51, Strings: 2, Number of lines: 66, Relevance: 79.566

Function
s2mAPIs: 26, Strings: 21, Number of lines: 46, Relevance: 70.546

Subroutine
jdn_persianAPIs: 24, Strings: 0, Number of lines: 29, Relevance: 30.029

Function
civil_jdnAPIs: 8, Strings: 0, Number of lines: 15, Relevance: 10.015

Function
persian_jdnAPIs: 5, Strings: 0, Number of lines: 18, Relevance: 6.268

Function
CeilAPIs: 3, Strings: 0, Number of lines: 3, Relevance: 3.753

Function
julian_jdnAPIs: 3, Strings: 0, Number of lines: 3, Relevance: 3.753

Subroutine
jdn_civilAPIs: 0, Strings: 0, Number of lines: 21, Relevance: 0.021

Subroutine
jdn_julianAPIs: 0, Strings: 0, Number of lines: 17, Relevance: 0.017

Strings	Decrypted Strings
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "
" "